Hi Eugene Lamnek,
'You can however (as far as I know) add layers on the fly on a Web App that is published on a local web server.'
By local web server, do you mean a web server on the internet as opposed to having the app running from AGOL/Portal?
And do you mean, you can add layers that require authentication, as long as the map is not publicly shared?
It can be a web server inside your own infrastructure or in the cloud, accessible from outside your organization or only available inside your organization. If you download, for instance, a template application, you can modify it, or use, for instance, Web AppBuilder for ArcGIS (Developer Edition) | ArcGIS for Developers. What you cannot do is configure an application in ArcGIS Online and share it publicly and consume content that is not publicly available. If you create a webmap in ArcGIS Online and share that publicly, it cannot contain services that are only available behind your firewall. If you add those layers on the fly, the web map on ArcGIS Online will not have any layers that are not publicly available.
With your second point, I understand sharing named users is not allowed. But (my knowledge is limited on this because I haven't tested it) if you are loading layers from a non-federated ArcGIS Server, they would not need to be authenticated by the named user and so no named user sharing would take place??
That may be the case, but if you are going to implement ArcGIS Enterprise, the base deployment (Server, Portal, DataStore and WebAdaptor) will require Federation between the ArcGIS Server and Portal. I think I read this in the slide notes from the presentation on Architecting Your Deployment: See video here: ArcGIS Enterprise: Architecting Your Deployment - YouTube
I will CC Philip Heede; hopefully he can clarify this for you.
There is also a great document that might be interesting to read (updated last month): https://www.esri.com/~/media/Files/Pdfs/products/arcgis-platform/architecting-the-arcgis-platform.pd...
Third point, I agree that the named user system would work well, but as the system grows, from what I understand, large costs are involved in having so many named users, many of which may only access the application very infrequently.
From "architecting-the-arcgis-platform.pdf": An ArcGIS Identity is managed as a named user credential within the platform. This credential is used to sign into any app, on any device, at any time, and to provide access to all maps, apps, data, and analysis a particular user is entitled to. As users sign into the ArcGIS platform with their named user credentials, their identity gives them access to authoritative data, GIS capabilities, shared content, apps, and their saved maps and items. The named user model allows an organization to securely and appropriately extend the reach of its geospatial capabilities to everyone who needs them.
So by implementing the named user model, you avoid developing some access to data and applications and you probably miss out on some really good stuff. There are two levels of named users. As far as I understand from your explanation, you will have many users that will simply use the application but not create any content. Those users can use a named user of level 1 which is about 1/5th of a level 2 named user.