Permissions for federated server seem to be not working

Question asked by gmvisuser on Oct 26, 2017
Latest reply on Feb 7, 2018 by gmvisuser

Let's say I have 3 services: service1, service2 and service3 (each with 2 layers, but I don't think it matters). For each service I have editor tracking enabled. My Server is federated with Portal, so each time I publish a service it gets automatically added as an item in Portal. Server and Portal are version 10.5.


I want to properly assign permissions for each user, say: user1 has access to service1, service2 and service3, and user2 does not (while both have access to some other services). Both users are level 2 users, so they can edit data in all 3 services.

As far as I know, such permissions are set in ArcGIS Manager ([ArcGIS Server]/arcgis/manager) and, in the case of a federated server, in Portal (it is possible to do that over the ArcGIS Server API, but any changes are reflected on the respective Portal item). Also I am aware that an item in Portal can be shared with a group, not with a role.


I tested 3 slightly different options, this is how:

I created a map (let's call it map1) as administrator, and I do not share it with anyone.

Now I open My Content on Portal, click Add Item->From the Web. I paste the URL of service2, and I get a popup similar to the one in the attachment. I choose "Store credentials" and fill in my administrator password - I expected only administrator can access that service. I named the created item "service2_stored".

Now I add service3 the same way as service2 in the previous point, but I choose to not store the credentials of my admin account. This way I created item service3_notStored.

Next I open map1 in the map viewer ([Portal for ArcGIS]/arcgis/home/webmap), click on Add->Search for Layers->Find "service1" in "My Content" (this is the item automatically added to Portal when I published the service), and it was never shared with anyone. Then I add service2_stored and service3_notStored in a similar way.

Now I log in as user2 and open map1 in the map viewer - I just copy the link from the browser, I did not bother to look for it in My Content. First surprise is that user2 can access map1 at all - I expected some sort of insufficient permission error. Even more astounding, user2 was able to access and edit data in service1 and service3_notStored - although I never granted ANYONE permission to do it, on the Server or Portal. Now the interesting part is that I was not able to access service2_stored, which is exactly what I wanted. My question is, why does this work differently when I store credentials???

I wanted to add all services the way I explained for service2_stored, but now I realized that when I do it, the editor tracking assigns the username and password I stored. If I could just switch it so it stores the user who actually made the changes, it would be enough to solve my problems.


Still, I think something is not working properly here. Did I forget about some step?
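The post describes a web map that is private but references service items with their own, separately managed sharing. The audit below is an added example for this thread; it is not code from the original post or from Esri. It assumes the Portal item JSON `access` field (private/shared/org/public) and the web map JSON `operationalLayers` array with `itemId` and `url` keys, and all item ids, titles and URLs in it are constructed placeholders; nothing contacts a server. It flags layers whose backing item is shared more narrowly than the map (so viewers of the map may hit the service's own security instead of Portal sharing) and layers added by URL only, which Portal sharing does not govern at all.

```python
"""Audit a Portal web map for sharing mismatches between the map item and
the items backing its operational layers (constructed example)."""

# Sharing levels, ordered from most to least restrictive.
ACCESS_RANK = {"private": 0, "shared": 1, "org": 2, "public": 3}

# Constructed sample of item metadata keyed by item id, shaped like the JSON
# that /sharing/rest/content/items/<id> returns, reduced to the fields the
# audit needs. Ids and URLs are placeholders, not values from the thread.
ITEMS = {
    "map1": {"title": "map1", "type": "Web Map", "access": "org"},
    "svc1": {"title": "service1", "type": "Feature Service", "access": "private",
             "url": "https://server.example/arcgis/rest/services/service1/FeatureServer"},
    "svc2": {"title": "service2_stored", "type": "Feature Service", "access": "private",
             "url": "https://server.example/arcgis/rest/services/service2/FeatureServer"},
    "svc3": {"title": "service3_notStored", "type": "Feature Service", "access": "org",
             "url": "https://server.example/arcgis/rest/services/service3/FeatureServer"},
}

# Constructed web map JSON (what the map item's /data resource would hold),
# again reduced to the keys used here.
WEBMAP = {
    "operationalLayers": [
        {"id": "layer1", "title": "service1", "itemId": "svc1",
         "url": ITEMS["svc1"]["url"]},
        {"id": "layer2", "title": "service2_stored", "itemId": "svc2",
         "url": ITEMS["svc2"]["url"]},
        {"id": "layer3", "title": "service3_notStored", "itemId": "svc3",
         "url": ITEMS["svc3"]["url"]},
        # A layer added by URL with no Portal item behind it.
        {"id": "layer4", "title": "external",
         "url": "https://other.example/arcgis/rest/services/ext/MapServer"},
    ]
}


def audit_webmap(map_item_id, webmap, items):
    """Return (layer id, finding) tuples for layers that are either not backed
    by a Portal item or backed by an item shared more narrowly than the map."""
    map_access = items[map_item_id]["access"]
    map_rank = ACCESS_RANK[map_access]
    findings = []
    for layer in webmap.get("operationalLayers", []):
        item_id = layer.get("itemId")
        if not item_id:
            # No Portal item: only the service's own security applies.
            findings.append((layer["id"],
                             "url-only layer; Portal sharing does not apply, "
                             "the service's own security decides access"))
            continue
        item = items.get(item_id)
        if item is None:
            findings.append((layer["id"], f"itemId {item_id} not found in Portal"))
            continue
        if ACCESS_RANK[item["access"]] < map_rank:
            findings.append((layer["id"],
                             f"item '{item['title']}' is {item['access']} "
                             f"but the map is {map_access}"))
    return findings


def effective_map_access(map_item_id, webmap, items):
    """Narrowest sharing level among the map and its item-backed layers: the
    level at which every layer of the map is reachable through Portal sharing."""
    rank = ACCESS_RANK[items[map_item_id]["access"]]
    for layer in webmap.get("operationalLayers", []):
        item = items.get(layer.get("itemId"))
        if item is not None:
            rank = min(rank, ACCESS_RANK[item["access"]])
    return next(name for name, r in ACCESS_RANK.items() if r == rank)


if __name__ == "__main__":
    for layer_id, finding in audit_webmap("map1", WEBMAP, ITEMS):
        print(f"{layer_id}: {finding}")
    print("effective map access:", effective_map_access("map1", WEBMAP, ITEMS))
```

On a live Portal the two dictionaries would be filled from the item and `/data` endpoints of the map; the audit itself only needs the `access` of each item and the `itemId` of each layer, so it can be run over an export without credentials.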