I wanted to post a couple of issues that I’ve come across regarding the ‘Editing’ options for a hosted Feature Layer being used by a publicly shared survey. I’m not sure that they’re bugs as such, but they are not at all obvious and may impact on the security of people’s data.
When I create a new survey using the web designer the editing settings for the related ‘fieldworker’ Feature Layer are as below:
If I choose to make the survey public, my interpretation of the above would be that an anonymous user (i.e. one not signed into ArcGIS Online), would be able to add records to my survey, but only view the features they had entered (or not see any features that had been entered, including their own, if that’s how you interpret ‘What access do anonymous editors (not signed in) have?’ when set to ‘Only add new features, if allowed above (requires tracking)’).
In reality though, when an anonymous user goes to view the data held within the Feature Layer through ArcGIS Online they don’t just see the data they’ve entered, but all the data entered by anyone anonymously (i.e. not signed in).
I guess that anyone entering data anonymously is being recorded in the data as ESRI_Anonymous (see here) and that the security is allowing a person not logged into to view all of that data collected by ESRI_Anonymous, but this isn’t made clear anywhere if it is – indeed interpreting the settings for anonymous users is clouded enough by the phasing used in the settings page.
In some use cases you can get around this by changing the ‘What features can editors see?’ to ‘Editors can’t see any features, even those they add’, which then stops any user seeing any features.
This approach is fine, but I’ve also noticed that if you republish your survey at any point the settings revert to their default settings (it goes back to ‘Editors can only see their own features (requires tracking)’. Again this isn’t made clear and means you need to re-set your settings each time you publish. This is inconvenient, but more importantly in the time between you publishing and re-setting the edit settings your anonymously entered data are essentially publicly viewable. If you’re not aware of these two issues it can be very easy to make data available publically in a way you had not intended.
If this is how things have to work, is there any way this could be made more explicit in the guidance?