Can a shared feature layer be "locked" when opened in AGOL?

681
5
Jump to solution
02-27-2019 03:26 PM
ErikHerberg
New Contributor III

I have a Survey123 form built on top of an existing feature layer in ArcGIS Online. We exclusively use Inbox to pre-populate a list of site for the user to choose, essentially adding routine repeat visits to the same sites. To share the survey, I created a group in AGOL with the members of our organization that need to use the survey, and then shared the feature layer and published Survey123 form with that group. The editing settings of the feature layer is set to "Add and update features" so the users can submit new surveys for any of the existing sites and fix any mistakes they made on past surveys from their Sent box.

By sharing the feature layer, I realized that these users could then sign in to their AGOL account, open the feature layer from My Groups, and then edit any data that is in the feature layer tables. Here, they could accidentally change the metadata of the pre-existing site we have setup. Editing directly in the feature layer also circumvents all of the constraints and safety checks we have coded into the Survey123 form.

Is there any way to prevent users from editing the feature layer through AGOL or even "hide" shared feature layers from their AGOL account completely? I understand it's probably a catch-22, because I need to share the feature layer so they can add data to it from Survey123, but I also want to restrict access to that same feature layer if they happen to open it up through AGOL. 

I understand that publishing the survey publicly would allow users to use the app without a login, which conveniently means they have no login to AGOL, but making these surveys public is not an option. 

Thanks in advance for any suggestions! 

1 Solution

Accepted Solutions
JohnathanHasthorpe
Esri Regular Contributor

Hi Erik - yes permissions are user based and not app based. If a user can see and edit records in the Survey123 app, they will be able to see and edit records in AGOL.

Thanks

John

View solution in original post

5 Replies
JohnathanHasthorpe
Esri Regular Contributor

Hi Erik - you have a couple of options:

1) Use editor tracking to ensure that users can only see the features they have collected

2) Disable query, so users can't see any existing features.

See the following for more information on these options:

Manage hosted feature layers—ArcGIS Online Help | ArcGIS 

  1. If you want editors to only see the features they create, select Editors can only see their own features (requires tracking) under the What features can editors see? setting. Enable this option if the layer contains sensitive or proprietary information such as medical records or research data for which editors might only have clearance to work with the data they collect.
  2. If you don't want editors to see any features, including those they add, choose Editors can't see any features, even those they add under the What features can editors see? setting

Thanks

John

ErikHerberg
New Contributor III

Thanks for the information Johnathan! I guess I'm asking more about AGOL settings rather than Survey123 settings. Since we only use existing sites in our feature layer, the users need to be able to query the feature layer from Inbox, select one, and then add a new repeat to it. To make that work, we have to have query enabled so they can access the list of sites in the feature layer. And their access can't be limited to only the features they submit, because they are not actually adding new features, just adding a repeat to features that I've already setup.

However, this also then means that if they log on to AGOL, they can open and edit the entire feature layer. So I was curious if there was a way to simultaneously let a user query and update a feature layer via Survey123, but then also limit their access or hide the feature layer entirely when they log on to AGOL directly. I think what I'm asking is impossible, but I'm just looking to confirm that.

-Erik

0 Kudos
JohnathanHasthorpe
Esri Regular Contributor

Hi Erik - yes permissions are user based and not app based. If a user can see and edit records in the Survey123 app, they will be able to see and edit records in AGOL.

Thanks

John

ErikHerberg
New Contributor III

Thanks for confirming that Johnathan!

0 Kudos
Sierra
by
New Contributor II

Hi All!

Has anyone submitted this to the "ideas" page? This is a serious issue -- imagine a similar scenario on a different platform: having granular permission roles and data validation on the front end, say, of a web application, and then allowing users, using the same credentials, to login to the data server and make changes directly in the database tables?? Unheard of!!!!

The documentation says that "editors can edit their own records only", but  our users have the same group login (they identify themselves within the survey), which makes them all able to edit ANY record in the feature layer.

Exposing the data of the feature layer is DANGEROUS!!!

Thanks,

Sierra

0 Kudos