How would I go about granting a third party access to REST APIs of ArcGIS Online items (e.g., feature layers, maps, etc.)?

07-27-2023 01:46 PM
Vinzafy
Occasional Contributor

Hey all,

Hoping that someone can help me answer a question regarding REST APIs and third-party access.

Overview

Currently, my organization uses an MS Access Database as a datastore for client records. My predecessor set up a Python script that runs a comparison between the Access Database and the corresponding AGO hosted feature layer (HFL) and updates the HFL if any discrepancies arise by using the Access Database as the source of truth. It also updates any view layer queries and attributes in two separate HFLs if any companies change their names. This workflow was created as the client records are visualized spatially and on a dashboard in our AGO site.

Currently, my organization is moving the database away from MS Access onto a third-party data management platform that is managed by the respective company; however, the above workflow still needs to be recreated. The way forward that we figured would work best is by utilizing the REST API. The onus will be on the data management company to build out the process, but I'm not sure how to grant a third party access to add, edit, and remove data, and alter settings of items (e.g., adjust view layer queries) via the REST API.

Question

How can I grant a third party the ability to add, edit, and remove data in HFLs, update view layer queries, replace items in AGO (e.g., CSVs for choice lists in S123), etc. via the REST API? Is some/all of this possible?

My current train of thought is to create a data editor account for them in my organization that they could utilize, but is there a better way to achieve this without having to create an account for them?

I did a brief skim of the authentication documentation but admittedly, it's quite foreign to me at the time. I figure I'd ask here first before diving into documentation in case anyone is able to answer the question or point me in the right direction.

Thanks all!

4 Replies
SparrowData
New Contributor II

Vinzafy,

I develop a lot of similar API bridges using Python for organizations which work great if you trust those developing the tool, however I would assume that the current tool uses an application token generation tool that would potentially give the third party access to your ArcGIS admin account if you follow these steps without creating a user. If you create a user, you can use the following steps to generate a key and give them access to only the HFL that they should have access to.

With that said, you would always start in the developers area where you can create a new application. Give it a title that you can find and description to help others know what it is for if you ever need to remove access. Once it is created, you will be given a Client ID and Client Secret the third party would use to generate the token they would need to access and update the HFL. From there you would use the documentation here to generate the token using a cURL request and then the documentation here and here to find and edit the data respectively.

Vinzafy
Occasional Contributor

Thanks so much for your response @SparrowData! Really appreciate the overview and links to documentation.

Currently, the process that was created by my predecessor is just via a Python script running on task scheduler. Credentials are stored within the script itself so there wasn't any token generation required.

If I'm understanding correctly, upon creation of an application in the developer site, if I passed along the clientID and clientSecret to the third party, and also provided them the endpoints of the respective feature layers (gathered from the item page of the HFL by copying the URL?), they would be able to generate tokens and thus carry out HTTP operations?

Hopefully I'm not misunderstanding this process and what the OAuth capabilities can grant the third party!

SparrowData
New Contributor II

It sounds like the current script runs using the Python API rather than the REST API if you don't have a requests call to access a token. The tokens needed to access things expire and you can only hard code the ID and Secret which need a request to generate the OAuth token.

I know for certain they can add, edit, and remove data from the HFLs using the REST API and token access process. I am not sure about updating the view layer queries and choice lists. I think those would probably need to run in the Python API, but if you are already creating the user, the API still reflects the access granted to it. So if you don't give them access to certain resources, as long as they are not given an administrator role, it should protect the rest of your data set.

 

If they are willing to run a Python script and integrate their data pipelines into the current system, you may be able to simply replace their user login information and share the Python script (granted any legal contracts for ownership you may or may not need) since the Python API has more access than REST does. https://developers.arcgis.com/python/api-reference/
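Added example (not part of the thread and not Esri's code): the Client ID / Client Secret token flow described in the two replies above, with the token renewed before it expires and one retry when the service rejects it. `AppTokenClient`, `client_from_env`, `urllib_post` and the `AGOL_CLIENT_ID` / `AGOL_CLIENT_SECRET` variable names are hypothetical, and the sketch assumes the token's identity has been given edit access to the layer.

```python
import json
import os
import time

TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"

class AppTokenClient:
    """Caches an OAuth2 client-credentials token and renews it before expiry."""

    def __init__(self, post, client_id, client_secret, clock=time.time):
        self._post, self._clock = post, clock  # post(url, form) -> parsed JSON dict
        self._id, self._secret = client_id, client_secret
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        # Renew 60 s early so no request goes out with a token about to lapse.
        if force or self._token is None or self._clock() >= self._expires_at - 60:
            reply = self._post(TOKEN_URL, {
                "client_id": self._id, "client_secret": self._secret,
                "grant_type": "client_credentials"})
            if "error" in reply:
                raise PermissionError(reply["error"].get("message", "token request failed"))
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def apply_edits(self, layer_url, adds=(), updates=(), deletes=()):
        """POST to <layer>/applyEdits; retry once if the token was rejected."""
        for attempt in (1, 2):
            form = {"f": "json", "token": self.token(force=attempt == 2),
                    "adds": json.dumps(list(adds)), "updates": json.dumps(list(updates)),
                    "deletes": ",".join(map(str, deletes))}
            reply = self._post(layer_url.rstrip("/") + "/applyEdits", form)
            # ArcGIS REST reports failures in the JSON body, often with HTTP 200.
            code = reply.get("error", {}).get("code")
            if code in (498, 499) and attempt == 1:  # invalid / missing token
                continue
            if code is not None:
                raise RuntimeError(f"applyEdits failed: {reply['error']}")
            return reply

def urllib_post(url, form):
    """Real transport: form-encoded HTTPS POST (the offline test swaps this out)."""
    from urllib import parse, request
    with request.urlopen(url, parse.urlencode(form).encode(), timeout=30) as resp:
        return json.load(resp)

def client_from_env(post=urllib_post):
    # The secret is read from the environment, not stored in the shared script.
    return AppTokenClient(post, os.environ["AGOL_CLIENT_ID"], os.environ["AGOL_CLIENT_SECRET"])
```

A reply without a top-level `error` can still carry per-feature `"success": false` entries in `addResults`, `updateResults` or `deleteResults`, so callers should check each result.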

Vinzafy
Occasional Contributor

That's correct! The current script does use the Python API which we were able to use as the database was hosted internally. Ideas of using the REST API came up since the database will now be hosted externally.

However, as you mentioned with things like updating choice lists, view layers, etc. from what I've looked through it doesn't seem like we'd be able to recreate that via REST API, especially given that one of the main functions used is gis.content.search() to find the proper items.

It's super helpful to know that the add, edit, and removal process can be done via REST API, but I think your idea of sharing the script, updating credentials, and having the third party utilize the Python API may be the best way forward.

Thank you again for your time and detailed answers to help with this! It's very much appreciated.
