My organization would like to have Applications that are available to view by all Users within our Portal, but have editing privileges for the Layer(s) available only to named Group(s) and/or named User(s). My plan to go about doing this is to create a custom Widget to incorporate into all such Applications through which the publisher can specify either named Group(s) and/or User(s), as well as the Layer(s) that can be edited through the Application.
I'm not very far along on this project, but I'd like to get some information before beginning:
Thank you!
Solved! Go to Solution.
I think this is typically why Create hosted feature layer views—Portal for ArcGIS | ArcGIS Enterprise were implemented. Allowing to create views on a single hosted feature layer and assign different permissions on the views will should allow you to do this.
If you have access to the ArcGis Servers a Server Object Interceptor (SOI) might work for you. We implemented a Feature Level security for a client. When the request for an edit/update/delete came in, we grabbed it, looked up the user to see if they had access to that feature, if so, we let the call go through, if not, we send back an error.
It's an entirely different toolset than your using on the client side.
A simpler option is to have two sets of Services, one for viewing and one for editing. Then lock the editable services down to just the groups you wish to have edit privileges.
Another option is to set up a proxy - send your calls through the proxy, check security and pass or reject. Again, probably a different toolset than you might be used to. This solution also has the Client-Side only issues listed below.
Your current option is not a bad one either. But with a client-side only solution is that you still will have a back door. The widget might be disabled, but the rest endpoint would still be active and open.
I think this is typically why Create hosted feature layer views—Portal for ArcGIS | ArcGIS Enterprise were implemented. Allowing to create views on a single hosted feature layer and assign different permissions on the views will should allow you to do this.