Restrict editing to authorized users while leaving the map viewable to the public

BrettGreenfield__DNR_ · ‎11-21-2013

I've created a service that will be made available to the public which expects to see fairly regular updates. Unfortunately, now that I've created the dataset it's leaving my hands, and the group that plans on making the updates doesn't have anyone with ArcMap on their computer, thus any updates would have to go through an ArcGIS Online map. I know I can configure a service to allow editing, but my concern is that ANYONE (with the know-how) could also edit the service and make unwanted changes. I also know I can allow access only to a private group, but then the public can't view the service.

Is there a way to limit the editing capabilities to certain people, while keeping the service viewable to the public? I was thinking there might be a way to create a separate version of the service with editing capabilities, open it to a private group, and synch the public version of the service to the private version, but I'm not sure if that's possible.

MikeMinami · ‎08-05-2014

There is an option to disable editing on layers inside a web map. This option is meant primarily for layers, such as shapefiles, that have been uploaded and stored directly in the map (and not as an item in my content). Lindsey, you are correct in saying that if you have a hosted feature layer and editing is enabled on it, disabling it with the option inside the map will only prevent edits from within that particular map. If you add the layer to another map, it would be editable. In order to disable editing on a feature layer, you have to do it from the item itself, by editing the item details of the feature layer. Then it will not be editable via a map or programmatically via REST calls.

The current solution in a pure hosted environment is to create a matching tile layer published with your feature layer. This is not an optimal solution because the tiles will quickly become out of date as edits are made, and you will need to recreate the tiles. We are currently working to better support this scenario in the hosted environment, where organizations want public access to view the layer, but limited editing access.

If you have your own ArcGIS Server, you can publish a map service with features access enabled. The public map would reference the map service, while those that need editing would access the features.

Thanks,

Mike

TracyGarrison · ‎08-05-2014

Mike, none of those solutions solve the problem.

I have a Winter road condition map as the snow plow drivers clear portions of the road he radios in his progress the lines are then updated. There are 30 to 50 drivers plowing the highways each calling in their progress the data is changing constantly a tiled map to go along with an editable feature services is not realistic.

The reason a lot of users want to use the hosted feature service is because they don't have access to ArcGIS Server. If they did they probably would not NEED ArcGIS Online for Organizations.

I brought this problem up to ESRI staff at the last three User conferences and to the staff of the Minneapolis office many times. It is the ONE thing holding us back from using ArcGIS online.

I could not believe it when I heard the following at this years User Conference:

ArcGIS Online Achieves Federal Information Security Management Act (FISMA) Authorization and Accreditation

They need to read this thread.

MikeMinami · ‎08-05-2014

There is one other option that may or may not be viable for you. A hosted feature layer can have editing disabled, but any administrator in the organization can open the layer with full editing control from the item page of the feature layer (open button). I haven't set this up myself, but you can create a custom role in the organization with limited administrative privileges, which would allow the editors to edit the data, but not, for example, delete other members of the organization. With the fact that the feature layer effectively has editing disabled, any viewing of the layer by non administrators and the public will not allow editing.

We do hear what you're asking for. It is a project under active development.

Thanks for your patience.

Mike

ThomasColson · ‎01-17-2015

We are having the same issue. I have a hosted feature service that I want restricted editing on so the public can see facility closures. We're using the raw GeoJSON output of the feature service in a custom web map application, and unfortunately, hiding the FS from the public...hides the GeoJSON as well. Enabling editing enables anyone to stumble across the FS in AGOL and make edits. Making the editors administrators is a non-starter in our organizations security model.

MikeMinami · ‎01-20-2015

The Angry Geographer‌

We will be adding a new privilege that will allow a member to have "manage" access to hosted feature layers. So, if a given member of your organization has this privilege, and they have access to the feature layer, they will be able to override the edit settings of the layer and have full editing access to the layer. Thus, you'll be able to share a hosted feature layer with editing disabled, but allow the members you grant the privilege, to edit any feature layer they can access.

This should be coming in our next update, due out in March 2015.

Thanks,

Mike

MelissaVega · ‎05-26-2015

Has this update been released by Esri? I do not see in ArcGIS Online how this privilege is delegated to and accessed by members of an organization.

MikeMinami · ‎05-26-2015

If you are an administrator of your organization, you'll see the privileges under Edit Settings>Roles. You can assign the Edit with full control privilege to any member of the organization. It will allow them full editing on the layer. However, the layer must have some level of editing enabled on it already. Thus, a member with this privilege will not be able to turn on editing for any hosted layer, where the layer has editing disabled.

MelissaVega · ‎05-26-2015

Thank you for your response. Previously you mentioned this new feature would allow for a layer to be shared with editing disabled, but that a member could continue to "edit with full control". Is this still the case? Your most recent post stated a layer must have some level of editing enabled, which would eliminate the functionality of this feature for me. Like many other users I am looking for a solution to have members of my organization maintain layer edits, while the general public is limited to viewing.

TracyGarrison1 · ‎05-27-2015

Mike, as Melissa stated, the solution you provided will not work because you stated that we have to have some sort of editing already enabled. Is this the added functionality you were talking about in January? You called it "manage" access? If so, this still will not work for us because of the risk of unauthorized edits. Hopefully the "manage" access has just not came out yet and this is not it.

MikeMinami · ‎05-27-2015

This is the implementation of the capability I mentioned in January. Unfortunately, it doesn't go as far as you want, or I was originally thinking. It addresses a 311 style of application, where the public can provide input (anyone can edit), but they can only add features. A data curator (someone with the Edit with full control privilege) could then go in and process any feedback from the public.

The reason we changed our thinking about this privilege--and thus reduced its scope--is that we felt it granted too much control to members of this role across *all* hosted feature layers in an organization. It would have allowed anyone with this privilege to edit any hosted feature layer in the organization, even if it had editing disabled.

We are aware that this is a big issue for people and are working on different ways to solve this problem. Thank you for your continued patience.

Mike