I have been dealing with a problem for some time and I have not been able to solve it. I have not found documentation about it anywhere either.
To be specific, I have a service published as MapServer and FeatureServer. I need this because in some webmaps the data need to be updated but in some others not.
In a webmap I have added the Map Image Layers, so that users cannot edit the content of the map. However, a malicious user could manually access the URL of the Feature Layers and thus make modifications. From the description option you can get the layer's URL and navigate down to the server folder and up to the feature layer URL, then add it to the map and "play" with it. This happens even if the users only have granted access to the Map Image layer, and not to the Feature layer.
One solution I can think of is to create different services for the Map Image Layers and the Feature Layers, but it is not viable due to the number of services that it would imply. Is there a solution, either through an application option that I have not seen, or by a "dirty trick" such as modifying a configuration file?
Many thanks in advance.
@EloyBonillaPerez I take it you're working with a Portal (Enterprise platform) seeing as you have a map image layer? If so, are you managing access to the map image layer and the feature layer via groups? You should be able to prevent users from gaining any form of access to the feature layer if it is only shared to a group that contains users with editing rights for that service. Then you can manage access to the web map separately.
That way, users with map image layer access wouldn't be able to navigate to the feature server's REST endpoint.
Thanks a lot for your answer,
yes, I am working with a Portal, and the access is managed via groups. Currently only the map image is used in a webmap, so there is no "official" possible access to the feature layers (there will be, but not yet). However, the users of the group that has access to that webmap can indeed navigate to the feature layer.
As a test, I created a user that is the only one in the group and only has access to that webmap.
Is that user a Portal administrator, or a publisher/editor/viewer?
Admins have access to all users' content regardless of group permissions.
@EloyBonillaPerez I just tested this quickly, and if you have published a registered map/feature service to Portal, you can control the access to the feature service URL separately to the map image service. So it looks like you just need to sort your access permissions via your groups, and test with a user without admin rights. Please do respond with more information if you feel this isn't the problem and you're still having issues 👍
The feature service and map image service do indeed have different sharing settings in the portal.
I had assumed that restricting the sharing settings on the feature service would simply hide that URL from users not in the groups shared with. However, in the situation shown above, I was able to see all services in the REST directory as an anonymous user.
Even more troubling was that as an anonymous user, the query and edit capabilities were also available to me, and worked without issue.
I have seen the reverse of this problem as well, when a user who had access to the feature service, but not the map image layer, was unable to access the feature service at all.
This feels a bit like a bug to me. For now, I think the safest option is to publish the map image layer separately from your feature service to guarantee that unauthorized users cannot touch the data.
If you're concerned about strain on your server machine, consider making one or both of the layers part of the shared instance pool. For everything but our most important layers that need dedicated instances, we've moved our services to the shared instance, and have seen a large improvement in our server machine's performance, especially during hours of peak usage.
Thank you all for your answers. I really appreciate them. We continue to carry out different tests but without success yet. We are using a "Creator" user, who only has access to that webmap and is the only one who has access to it.
Using different services is the first idea we came up with, but since we have a lot of them we are a little bit afraid of putting too much stress on the servers. We will take a look at the shared instance pool.
Again, thank you very much for your support.
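The check discussed in this thread (does a request with no token reach the FeatureServer endpoint, and does it advertise editing?) can be scripted against your own server. This is an added example, not code from any poster or from Esri; the host name and sample replies are constructed, and it assumes the usual ArcGIS REST JSON forms (an `error` object with code 499 "Token Required" for secured services, and a comma-separated `capabilities` string).

```python
import json
import urllib.error
import urllib.request

# Capability names that allow writes on a feature service.
EDIT_CAPS = {"create", "update", "delete", "editing"}

def classify(info: dict) -> dict:
    """Classify the JSON a service root returned to a request sent without a token."""
    err = info.get("error")
    if err:  # e.g. 499 Token Required, 498 Invalid Token, 403 forbidden
        return {"anonymous_access": False, "editable": False,
                "detail": f"{err.get('code')} {err.get('message', '')}".strip()}
    caps = {c.strip().lower() for c in info.get("capabilities", "").split(",") if c.strip()}
    return {"anonymous_access": True, "editable": bool(caps & EDIT_CAPS),
            "detail": ",".join(sorted(caps))}

def probe(service_url: str, timeout: float = 10.0) -> dict:
    """Request <service_url>?f=json with no token or cookies and classify the reply."""
    try:
        with urllib.request.urlopen(f"{service_url}?f=json", timeout=timeout) as resp:
            return classify(json.load(resp))
    except urllib.error.HTTPError as exc:  # web-tier authentication answers 401/403
        return classify({"error": {"code": exc.code, "message": exc.reason}})

def audit(replies: dict) -> list:
    """Return the URLs whose anonymous reply advertises edit capabilities."""
    return sorted(url for url, info in replies.items() if classify(info)["editable"])

# Constructed sample replies for one service published as MapServer and FeatureServer.
BASE = "https://gis.example.com/server/rest/services/Demo/Parcels"  # hypothetical host
SAMPLES = {
    f"{BASE}/MapServer": {"capabilities": "Map,Query,Data"},
    f"{BASE}/FeatureServer": {"capabilities": "Create,Delete,Query,Update,Editing"},
}
SECURED = {"error": {"code": 499, "message": "Token Required", "details": []}}

if __name__ == "__main__":
    for url, info in SAMPLES.items():
        print(url, classify(info))
    print("secured reply:", classify(SECURED))
    print("anonymously editable:", audit(SAMPLES))
```

Run `probe()` from a session that is not signed in to the portal, once per service URL, after every change to the sharing settings.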