Securing data in public surveys (Survey123 Connect)

IsmaelChivite · ‎05-11-2020

[Updated October 27, 2021. Screenshots updated to reflect latest state of Connect and website]

By definition, a public survey is accessible to anyone who wants to submit data to it, but that does not mean you need to make your survey results public as well. In fact, the default configuration of a public survey always keeps your survey results private. This ensures that users in the public domain cannot view, query, download or update already submitted data.

Unfortunately, it is not uncommon to find public surveys where the security configuration of the survey is not set appropriately, allowing unauthorized access to the survey’s data. This article describes best practice for securing the data of surveys published with Survey123 Connect.

If you are interested in securing data for a public survey published with the Survey123 web designer, refer to https://community.esri.com/groups/survey123/blog/2020/05/11/securing-data-in-public-surveys-survey12...

If you are not familiar with the basics of public surveys, refer to https://community.esri.com/groups/survey123/blog/2016/11/10/getting-started-with-public-surveys.

A bit of context before we start

To properly secure your survey results it is important to understand first some basic concepts. When you publish a survey using Survey123 Connect, a new folder is created in your ArcGIS account. This folder includes the name of your survey so you can easily find it. Inside this folder, you will find a Form item and a Feature layer item:

Form item: The Form item contains the definition of the questionnaire presented to users: The labels of your questions, the calculations, media files and other resources needed to render your form.
Feature layer: The feature layer is the item where responses to your survey are stored.

In short, the survey folder contains one item (the form item) for the survey questions and one item (the feature layer) for the survey responses.

If you are working with sensitive data, you never want to share your surveys source feature layer. Instead, you will want to keep your survey feature layer private, and build feature layer views on top where you can better control the sharing and privilege properties. At the very least, you will want to create two feature layer views:

A view for the Survey123 web and field apps to use. This view will allow the apps to add, and if appropriate to edit records in your feature layer.
A view for the Survey123 website to use. This view will control who can access the survey results through the Survey123 website, and with what privileges: just view, or also view and edit.

Additionally, you may want to create extra views to support other applications, such as ArcGIS Dashboards, Web AppBuilder apps, etc.

This article describes in detail how to build these feature layer views and associate them with your survey. If you are not familiar with the concept of feature layer views, I suggest read the Create hosted feature layer views—ArcGIS Online Help | Documentation help topic.

Do not create the views too early.

As stated above, my recommendation is that you always use feature layer views when your survey is shared with people, but from a practical perspective you do not want to create the views too early. Survey design is an iterative process where you will be adding, changing and removing questions from your survey frequently. Some of these changes affect the schema of the surveys feature layer. If your survey is configured with views, Connect will not be able to change the schema of the source layer.

For this reason, I suggest you keep your survey without views for as long as you are working on is design. Configure the views when you are ready to put your survey in production, right before you share your survey with users.

Create a view for the Survey123 website first

I said before you will want to create at least two views: One for users who will look at your survey results through the Survey123 website, and another one for users to submit data through the Survey123 web and/or field apps. It is best to start with the view to control access to the survey results.

To build the view:

Login into the Survey123 website
Navigate to the Collaborate tab of your survey
Switch to the Share results panel, select who should have access to your survey results and what privileges you want to grant to these users. Click Save.

If you return now to the Survey123 folder under Content in ArcGIS.com, and refresh it, you will notice that a new view has been created for your survey. This view has a 'stakeholder' suffix.

This new view will control who can use the Survey123 website to look at your survey results. You will want to use the Share results panel in the Collaborate tab of the Survey123 website to control this. For example, say that users in a group called 'City of Cilantro' need to be able to look at the results of your survey, create reports and download data. Then you will go into the Collaborate tab, switch to the Share results panel and share your survey results with that group. At that point, 'City of Cilantro' users can log into the Survey123 website and use the Overview, Data and Analyze tabs to do what they need.

I would not recommend that you modify the sharing of this newly created view through ArcGIS.com. For the Survey123 website to properly work, the sharing of the Form and stakeholder view items must be in sync. The Collaborate tab in the Survey123 website takes care of that.

Create a view for the Survey123 web and field apps next

Configuring the view for the Survey123 web and field apps is a bit more involved. We need to create this view manually, then associate the view with the Survey123 Connect survey.

Log into the arcgis.com website and click on the My Content tab.
Click on the Form item to open its item details page.
Look for the Layers section and click on your survey feature layer link. This will open the item details page for your surveys feature layer.
Click on Create View Layer. You can choose any title for your feature layer view.

Go into the Settings tab
Enable Public Data Collection and save.
Make sure Enable editing is checked and save.

Now that your feature layer has been created, you will need to use it in your survey.

Configuring your survey to use the view you just created

To make your survey work against your own feature layer view, you need to configure the submission_url and form_id XLSForm settings in your survey. This can be an error prone process at first. Once you are familiar with this I am sure you will do this with your eyes closed, but here I am going to follow a long but safe route:

In Survey123 Connect, from the survey gallery, click on New Survey and then choose the Feature Service option.
Look for the feature layer view you just created and give your new survey a throw-away name, such as temp or delete_me.

Open the XLSForm of your temporary new survey and switch to the settings worksheet. Then copy the values in the form_Id and submission_url cells into a text editor or a safe place, so we can paste them later into the original survey.

The submission_url value defines the feature layer (or feature layer view) that the survey is targeting. If empty, Survey123 Connect will create a new feature layer when you publish the survey. If a value is provided, the survey is published targeting the specified layer by the submission_url . The form_id value defines the sub-layer in your feature layer that drives the questions in your survey.

Back in Survey123 Connect go back to survey gallery, and open the survey that you want to make public.
Open the XLSForm, paste the submission_url and form_id values.
Save your XLSForm and publish your survey again.

The Publish dialog will indicate that your existing survey will be updated to use a custom feature service as specified by the submission URL, as shown in the next screenshot.

Now that your survey has been updated to target your own feature layer view, you can share your survey publicly with confidence. We will do that from the Survey123 website.

Sharing your survey publicly

Log into the Survey123 website at survey123.arcgis.com.
From the survey gallery, open the Collaborate tab of your survey

The Share survey panel controls who can submit data to your survey. While in the Share survey panel, look for the section named 'Who can submit to this survey?' and check the Everyone (Public) option to share your survey publicly.

Scroll down the page and look for the What can submitters do? section. Note that by default, the selected option is 'Only add new records'. This guarantees that your survey layer will not expose your survey results.
Click on Save at the bottom to persist all changes.

At this moment, your survey is shared publicly, allowing anyone to submit data through both the Survey123 web and field apps. You can get the link to your survey from the top of the Collaborate tab and distribute the link with your users. Since you have restricted access to 'Only add new records' in the Collaborate tab, it will not be possible to query, update, delete or download your survey data through the Survey123 web or field apps. Your survey's feature layer will also be secure, preventing any type of access (other than adding new records) from other Esri apps, third party apps or programmatic access.

If you go back to My Content in arcgis.com and check your survey folder, you will find that your feature layer view and the Form item are now shared publicly, while the feature layer remains shared only with you, the owner. This is the way you want it. Do not share the source feature layer if you want to keep your data safe.

Sharing your survey results in web applications and dashboards

The same technique we used to create a feature layer view for the Survey123 web and field apps can be replicated to support other apps and uses. It is not good practice to reuse the feature layer view we just created or to share the source feature layer. Build new views, restrict access to data as appropriate to the needs of the web app and share accordingly.

Here are a few links to learn more about feature layer views:

Anonymous User · ‎05-12-2020

Thanks for the step-by-step! I'm definitely keeping this in my back pocket! Question though: what about public surveys (with views) that are already published (with the radio button "always use the latest version" marked)? I've created a survey in Connect 3.7 that can only display correctly if that radio button is marked, and have used views to keep data private. I've tested these views/layers for privacy concerns and they worked in 3.8.

ColinCampbell · ‎05-13-2020

Thanks for this Ismael Chivite‌. I have two questions:

Firstly, you say 'Connect does not create views, and does not handle them well when you delete or modify the survey. This is something that is going to change,'. Is there an rough estimate when this might be the case?

Secondly, in the past when doing public surveys we've been guided to use the feature layer directly (i.e. not creating a view) and to alter the settings on that to prevent public access to the data (using a settings setup like shown in the attached image). Whilst we'll use views in the future, has our data been insecure if we have shared the feature service publicly but using the settings as shown below?

IsmaelChivite · ‎05-13-2020

Hi. Generally speaking, I would recommend that you publish your survey again when you want it to be on the latest version. The issue with the 'always use the latest version' option is that 1) the upgrade process happens dynamically at runtime, potentially slowing down the initial load of the form and 2) you always run into the risk of having new versions alter the behavior of your form.

You can use the version query parameter to try your form in different versions: ?version=3.8 for example. If you feel comfortable, simply publish again and the webform will be upgraded to the latest release. Of course, make sure you also have the latest copy of Survey123 Connect installed.

The version of the web app used to render your form should not have any play into how feature layer views are used.

IsmaelChivite · ‎05-13-2020

Two great questions:

When will Connect be tolerant to views? My statement above was to acknowledge that we do not feel comfortable with the way Connect behaves today. I do not have an exact timeframe for when this will be addressed, but it is present in our planning. At this moment we are focused on 3.10 for release in July and there is no room for us to incorporate this into the release. It will be after 3.10 for sure. We will probably have more details about this later in the year.
In the past I was told to set permissions in the feature layer and now you tell me to set permissions in a view. Can you describe why? You can certainly set permissions in your feature layer as you describe and not use a view. That will work and be secure, but only as long as you never change these permissions in the feature layer. You as the owner of the survey will always be able to query, delete and update features in the survey but nobody else will. Your data is really locked down to your account right now. It is secure, but so locked down only you as the owner can see it. If in the future someone asks you to create a web application to display the results, you will be forced to change these privileges and at that point, anyone will be able to query your data. That puts your data at risk, at that moment. Using views and unsharing your source feature layer gives you more flexibility to tailor the privileges granted to each group of people needing access to your survey and or data.

Hope it helps.

JeremyJohnson5 · ‎05-14-2020

Thank you for Ismael Chivite for sharing this process. This is definitely the process that i will be using now. Previously i would change the settings of the feature layer but by taking the time to follow the steps and create views will allow me to share the data more confidently with out the worry of the data being altered inadvertently.

Todd · ‎07-18-2020

Great write up Ismael Chivite‌. Interested if you will be updating this post, particularly the Create a view for the Survey123 web and field apps next section?

After creating my survey and related objects I decided to do a complete forklift/overhaul, for security sake, and follow these directions as it relates to the views. However, this step: Click on the Form item to open its item details page, then click on Create View Layer. You can choose any title for your feature layer view. does not track. If you click on the form item there is no 'Create View Layer'. Instead you'd have to click on the Feature Layer.

Thanks!

JamesTedrick · ‎07-20-2020

Hi Todd,

There is an intermediate step - Click on the form item, then click on the entry in the 'Layers' section. That will take you to the feature layer from which views can be created (if published by Survey123 Connect).

Todd · ‎07-23-2020

Thanks James, figured it out, but it could cause confusion for someone who may not be familiar with the software. Appreciate the reply.

Todd · ‎07-27-2020

Hey James, are you able to get this process to work with 3.9? I decided to revisit this and create a project from scratch but it will not allow data submissions.

Note: In survey123.arcgis.com I'm using the 'Open the survey in the Survey123 field app directly.' option.

This is what my ArcGIS Online Content folder contains after following the above post:

Form - public shared
Feature Layer (hosted, view) - public shared
Feature Layer_stakeholder (hosted, view) - owner shared
Web Map - owner shared
Feature Layer (hosted) - owner shared

Scratching my head. Thanks for any input!

Todd

Todd · ‎07-27-2020

UPDATE: In ArcGIS Survey123 online under 'Share Survey' - when I changed the 'What can submitters do?' option from 'Only add new records' to 'Add and update records' it works fine. However, as Ismael Chivite mentioned you cannot edit the schema at this point unless you want to start over.

BritaVespere · ‎11-12-2020

Does the Collaboration settings (for example, to specify survey open/close dates) work for the latest Survey123 Connect version 3.11. created surveys? I get the error "Cannot read property 'success' of undefined"...

Also:

I understand that if I desire to add a Thank You screen info, theme - I have to do it for a survey before I download it and create its content in Connect?

The images for background, for Thank You screen are lost after download to Connect - if uploaded. From link works fine.

When I download Web Designer created survey to Connect the Excel file is still the old version (lighter green look, no added tabs etc.)

Would the workflow for public, securely used in browser surveys be changed in the near future?

Otherwise, really enjoy the S123 functionality!

chaims · ‎02-15-2021

I'm still not sure I understand the need for creating the first view - the one that is intended for the web/mobile app to use, and requires updating the submission url: As pointed out, by changing the permissions on the original feature layer (either directly through arcgis.com, or through the survey123 website), the same functionality can be secured. If at a later point the need arises to share the data with another user, or through another app, I would then create the view, at that point, and make any required updates on that view. In a previous response, it was mentioned that this would compromise the security of the source feature layer, but I can't see how that would be the case?

SanFranciscoBayConservationDev · ‎07-12-2021

Hi, thanks for helping address this need. Curious if the workflow/guidance has changed at all in recent versions. When I go to the Collaborate tab in website from a survey published in Connect 3.9, I don't see the Submitter/Viewer tabs. Instead, Share Survey/Share Results are available options. Is this where you control the permissions now?

MarcusVDSilva · ‎08-05-2021

Hi @IsmaelChivite !

Is this workflow is still valid at version 3.12?

Thanks in advance!

IsmaelChivite · ‎10-27-2021

@MarcusVDSilva @SanFranciscoBayConservationDev The workflow is still valid. I just updated the screenshots so they reflect some minor changes in the user experience of the website and Connect.

Lea_DyrholmHansen · ‎01-03-2022

Hi @IsmaelChivite and @Anonymous User

I would like to secure the data of my survey published with Survey123 Connect. For the survey I use a feature service published from a feature class in an SDE database. I cannot see the option of creating a view layer.

Is there another way of securing the data of the survey when using data from an SDE database?

Secondly, because I use a none-hosted feature service I cannot choose ”Only add new records” under “What can submitters do?” If I want to successfully save my settings the only option is “Add, update and delete…”

Is this a limitation when using a none-hosted feature service (FS linked to SDE database)?

It seems like I need to rethink my solution and accept using a hosted feature service even though it challenges our IT security.

I ended up just publishing my survey within our ArcGIS Enterprise Portal and downloading data with a Python script.

/Lea

AnnetteDoonan · ‎05-23-2022

Hi Ismael @IsmaelChivite

This article was very interesting.

You mention you can use the same methodology for dashboards? I created a view layer for my survey which was designed in survey 123 connect which is working well. How do I now create another view layer for the dashboard as I'm unsure what to do with the submission url and form id that gets created as there is already a submission url and form id in the survey that was published and you mentioned it is not good practice to reuse the same view layer or is it ok to reuse it in a dashboard?

Any advice would be greatly appreciated

Regards

Annette

KateJin · ‎08-30-2022

I followed the above instructions and created a public survey using Connect. When I opened the survey in a browser, it gave me the following message in a pop-up window: “Please sign in to access the item on ArcGIS Online”. There are two consecutive sign in pop-up windows and users have to “cancel” it two times in order to start the public survey. Is there any way to get rid of the “sign in” pop-up widows?

MaryleeMurphy · ‎09-07-2022

@KateJin When I went to "Linked Content" in the Survey123 Connect app and unlinked the web map, the two popups stopped happening.

ZachBodenner · ‎10-05-2022

Thanks for all the good info! Can you make any recommendations on security for surveys that are build from Connect using a pre-published, referenced feature service?

My use case is this: I've been asked if Survey123 can allow for public submissions of non-violent crime reports. I think I would like to have these submissions automatically written to the underlying geodatabase, but that would require the feature service to be publicly available (for submission purposes). But in order to be BCA compliant, any personal information we would ask the submitter to provide needs to be encrypted/unavailable to anyone outside of our organization. Are these two requirements incompatible from the standpoint of ESRI's security capabilities?

MVpes · ‎01-18-2023

This post really helped me a lot - thanks! I was wondering the following: If after a time I note, for example, a spelling error in one of the texts/questions, do I have to re-do the whole process of creating views after making the small text correction?

Thanks in advance 🙂

Tiff-Maps · ‎01-24-2023

Hi @IsmaelChivite, thank you for this guide. I have a question about using the public view created from Survey123 (with the ability to only add new records). Is it best practice to use this public view in a web map/app intended to be shared to the public, or is it best to create a separate public view layer for those public maps/apps?

AnnaScholl · ‎06-06-2023

Hi, is this blog now out of date?
I am trying to deploy an absolutely secure survey where everyone can submit and no one can view anything except their own records. According to the post, when I publish through connect, I should just get a Feature layer (hosted) and a Form. However, I end up with these three... why would the feature layer with hosted, view be created? Am I missing something here? I have ensured that the viewing settings are correct (see also below).

This is also opposite of what the Esri security document says should happen when I publish from connect...

Any tips here @IsmaelChivite ?
Many thanks.

MuneerMajid1 · ‎10-08-2023

Hi @Ismael

Do you have any recommendations for accomplishing the same level of security incase you have a Survey that's using a Feature Layer stored in an Enterprise Geodatabase ? The above workflow for sharing a survey publicly works pretty well for hosted feature layers and the Fieldworker/Surveyor views are also created seamlessly when you manage the sharing of the survey via the Collaborate tab like you describe in this blogpost, but the same is not applicable incase the layer is stored in a SQL SDE database. Appreciate your inputs.

IsmaelChivite · ‎10-09-2023

@MuneerMajid1 You will need to publish the feature service twice and configure the capabilities of the feature services differently.

MuneerMajid1 · ‎10-09-2023

@IsmaelChivite I see, so the duplicate feature service will work as the view I suppose ? Is there any detailed documentation around this that I can follow, any help will be much appreciated. I also recently opened a premium ticket hoping to get some support with this requirement. Thanks Ismael !

ChrisWoodward · ‎11-02-2023

I agree with @MuneerMajid1, some specific documentation from the Survey123 team would be greatly appreciated.