Securing feature layers on public sites

422
3
08-05-2020 09:16 AM
TracySchloss
Frequent Contributor

I know this is counter intuitive, but we are being asked if we can limit access to the underlying feature layers on a public facing web application.  I know the first thing that gets checked is whether or not the data is also shared to the public.  The requester doesn't want that, they only want the public to get to the information by way of the application, and nothing else.

Is there any way to prevent the public from navigating to our  underlying data and using it in it's more raw form?  Perhaps having some sort of group set up?  All we've managed so far is to keep people from downloading it.  

Tags (2)
0 Kudos
3 Replies
Peter_Klingman
Esri Regular Contributor

Hi Tracy Schloss‌ this is a good question. Would the requester be open to hiding certain features and fields through a public, non-editable hosted feature layer view? 

Set hosted feature layer view definition—ArcGIS Online Help | Documentation 

A solution that doesn't scale as well (this option does not take advantage of the CDN which enables ArcGIS Online apps to handle millions of hits) is to add the secure hosted feature service URL (or view) back to ArcGIS Online with stored credentials. Then you can limit usage to specific application URLs as explained in the documentation linked below. This option should be only pursued for an application with a moderately small audience. 

Best practices for sharing—ArcGIS Online Help | Documentation 

Hope this helps,

-Peter 

0 Kudos
TracySchloss
Frequent Contributor

We're exploring any options that give us the combination we're looking.  It's pretty common in our world that people don't want to make the data available, even though all the same information is presented on the apps or dashboards.   There's always that concern that something bad is going to happen.  I assume if the app needs it for popups, etc, it's going to have to be something that's not hidden?

All content is within our ArcGIS organization, and traffic from arcgis.com is not something you can limit, correct?

I'm pretty sure the answer is "you can't do that", but I needed to ask.  

0 Kudos
Peter_Klingman
Esri Regular Contributor

Hi Tracy,

I think this suggestion would indeed give you what you're looking for. This would give the app access to all of the data, but prevent any referrer besides the app accessing it:

"A solution that doesn't scale as well (this option does not take advantage of the CDN which enables ArcGIS Online apps to handle millions of hits) is to add the secure hosted feature service URL (or view) back to ArcGIS Online with stored credentials. Then you can limit usage to specific application URLs as explained in the documentation linked below. This option should be only pursued for an application with a moderately small audience. "

 

All content is within our ArcGIS organization, and traffic from arcgis.com is not something you can limit, correct?

>This is correct. This is why going through the above configuration steps is necessary. It will give the new item the URL "utility.arcgis.com...", in a similar way as adding ArcGIS Enterprise services to ArcGIS Online and storing credentials. 

Once you have the above configuration set up, this dialog is exposed on the settings page:

Please keep in mind that this does not take advantage of ArcGIS Online's scaling technology and should not be used for a large audience. 

Thanks,

-Peter 

0 Kudos