ArcGIS Online: opening hosted feature layers in ArcGIS Desktop

1691
7
07-20-2017 11:28 AM
Status: Open
GregBazhaw
New Contributor III

In ArcGIS Online, it seems impossible to prevent a user from opening a Hosted Feature Layer (or any of its Views) in ArcGIS Desktop. Once a Hosted Feature Layer (or any of its Views) is opened in ArcGIS Desktop, the user is able to export that data. This is a severe security issue.

There should be a way for ArcGIS Administrators to prevent users (named users and/or Everyone) from opening Hosted Feature Layers (or any of their Views) from within ArcGIS Desktop (including Pro), and through extension, being able to download the data.

7 Comments
EricPescatore

Agreed, surprised this still hasn't got attention, and only recently did I try and take a look into this issue with the 2017 update. With the addition of layer views in Dec 2016, we were so very close to creating a fake "map service", where data is publicly available yet not downloadable. The Rest Service exposure on public enabled feature services should allow us the ability to toggle/show the Source: Feature Service in the corner. Would also like the ability of the feature service to toggle visibility in ArcGIS Desktop or ArcGIS Pro, and disable the "Open in ArcGIS Desktop" button on the description. Even though you can sort of work your way to the rest service thru various methods. Not letting users add to ArcMap or add through searching in the AGOL in ArcMap or ArcPRo would be a quick step in the right direction.

KhaledHassen

Online feature service supports different capabilities that would prevent querying or even export the data.

If you want to prevent the user from export your data in online feature service, just do not add the "Extract" capabilities to the feature service. You can also prevent your user from even querying your data, by remove the "Query" capabilities from the feature service. Admin and service owner can adjust the feature service security from the UX and from the admin API.

These security settings are enforced by the feature service logic. This security setting does not apply to the owner or the org admin.

If you still see any issue after setting removing the capabilities, pl. let us know. 

Khaled Hassen

Online Feature Service Lead

by Anonymous User

Disabling the query capability worked well for an editable layer that I did not want to publicly show. I was able to create a feature layer view to show the data publicly with a filter. The issue is that you cannot visually share a feature layer without an end user being able to open the layer in ArcGIS Desktop. For example, I have a data use agreement that states we cannot share data past a certain spatial extent. I can set that extent for the feature layer, which applies the limitation to my web map and my feature layer, but when my feature layer is opened in ArcGIS Desktop anyone could export the data, create a new shapefile and view the data without the extent limitation/obtain the entire data set and all lat/longs by running a calculation. There are cases when sensitive information can be shared with restrictions publicly and an enhancement to disable ArcGIS Desktop download is an important enhancement I hope to see in the future.

KhaledHassen

If you share only the view that has the spatial extent filter, desktop will export only the data within that extent.

So the desktop will not be able to export the data outside the spatial filter you set on the view.

If you enable query on the view, you can only see the data within the extent.

Not sure how the desktop can export data ourside the spatial extent of the view since the server enfoce what data to export. Can you pl. add more details about this issue.

Khaled Hassen

Online Feature Service Lead

by Anonymous User

I created a feature layer view and added a spatial extent filter of 1:200,000 on the layer. The layer disappears when I zoom in past the spatial extent filter when I open it in ArcMaps desktop, but I can easily right click the AGO layer in ArcGIS Desktop and click data>export data and create a new shapefile. This newly created shapefile now has no extent parameters. Is there a way to avoid and keep a layer private?

KhaledHassen

The normal flow usually is to keep the source data private and not shared with the public. Only share the view with everyone where they can see only the subset of the data. If you enable query on the view the desktop uses the query to export the data. Arcmap should check for the extract capabilities before the export but it does seem it does not.

>This newly created shapefile now has no extent parameters. Is there a way to avoid and keep a layer private?

Do you mean the view? if so since the view is public, you can remove "Extract" from the feature service view capabilities. A client like desktop should have checked the extract capabilities, however, any client can use the query with pagination to export the data.

Khaled

Cameron_Smith

I would say to not make the layer public, just secure it to a group or a set of named users.  If you are able to see data in a map then you will be able to export it even with view extents setup.