Why can anyone with REST URL access my services in ArcMap?

01-22-2019 12:24 PM
MattCashen
New Contributor III

So I'm currently trying to set up an ArcGIS Open Data site for my organization. It is going to be a public facing site, so all my layers have to be shared with everyone. The problem one of my users brought to my attention was that once you have the REST URL for one of the services, you can then plug that URL into ArcMap under "Add ArcGIS Server" and then you will be given access to all of my organization's public layers without even logging in. There are certain layers in my organization that I use with public facing web maps, so due to those web maps being public I have to share those layers with everyone. But since they are shared with everyone, anyone who uses a REST URL they obtain from our Open Data site can then access the layers in ArcMap. I don't want anyone outside our organization to have access to those layers. Why doesn't ArcMap make you enter login info when you try to connect to our AGO Organization? Is there a way to lock access to our AGO organization when connecting through ArcMap?

0 Kudos
3 Replies
AdamEversole1
Esri Contributor

Hi Matt,

I understand the concern that every public layer is exposed and easy to browse if a connection to ArcMap is made, but this fact is also true for anyone with a web browser who visits the REST endpoint. It's kinda like hanging your laundry in the front yard, everyone can take a look if they want to.

So, ya, public facing layers are shared with everyone, including anonymous users. It's by design. It's important to ask ourselves "Am I willing to share this with Everyone?" For any items that we are not willing to share, we set sharing to Organization, groups or Private. This will hide them from the public, and only the desired people with a Username and Password can view/use them.

I would also be careful with Public content that is enabled for Editing, because it is also publicly editable. For items like this, we can make a Public Hosted feature layer view that is disabled for editing, then disable the sharing on the original editable Hosted Feature Layer. This is a way the public can see the data, but won't be able to edit it.

Hope this helps

-Adam

0 Kudos
MattCashen
New Contributor III

I appreciate the reply. And I understand the logic. I just wish you had a little more security control over layers. Since discovering this I have started using view layers for my publicly available maps. But even that name of view layer is a little misleading, because once again anyone with access to the REST endpoint can download that layer. What I really would like to see is a true "view only" layer that can be put in public maps, but have no way of being downloaded by anonymous users with the REST endpoint. Right now our organization is only using ArcGIS Server internally. If you are using Server in a public facing way, do you have more control over the access of your layers, or is anything that's shared publicly accessible this same way? I'm asking for future reference in case my organization wants to look at implementing a public facing ArcGIS Server.

0 Kudos
AdamEversole1
Esri Contributor

Hi Matt,

I know a few things, but I'm not a Server expert. Hopefully if someone else reads this they can advise better than me about ArcGIS Server and its public data security.

Using ArcGIS Server we do have additional controls. For instance, we can disable your REST directory. This would keep visitors from resolving the REST directory in a browser; however, ArcMap users with a connection will still have the ability to read and process any layers they have access to.

You can also disable exports in both ArcGIS Server and ArcGIS Online. This disables the REST options to export, but ArcGIS Desktop could still read and copy what it sees.

Example from Sample Server 6 has no REST option to extract, but can be copied in Desktop.

Layer: Damage to Commercial Buildings (ID: 0) 

As an alternative, if you wanted to make it harder to copy, you could disable the feature access and publish a Cached Map service or hosted tile layer.

I hope this helps identify some of the usage angles. It still all comes back to our willingness to share publicly everything in the data we share.

-Adam

0 Kudos
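The points raised in the replies above (public content that is also editable, export left enabled, and data that any client can still read) can be checked from the service metadata itself. The following is an added example, not code from the posters or from Esri: it classifies the JSON a service URL returns to an anonymous `?f=json` request. The service names and sample responses are constructed, and `audit_service` / `audit_all` are hypothetical helper names.

```python
import json

# Constructed sample metadata, shaped like the JSON a service URL returns to an
# anonymous request with ?f=json (no token). Names and values are made up.
SAMPLE_SERVICES = {
    "Parcels_Edit/FeatureServer":
        '{"capabilities": "Create,Delete,Query,Update,Editing,Extract"}',
    "Parcels_PublicView/FeatureServer":
        '{"capabilities": "Query"}',
    "Basemap_Tiles/MapServer":
        '{"capabilities": "Map", "singleFusedMapCache": true}',
    "Internal_Assets/FeatureServer":
        '{"error": {"code": 499, "message": "Token Required"}}',
}

EDIT_CAPS = {"Create", "Update", "Delete", "Editing"}  # anonymous writes
EXPORT_CAPS = {"Extract", "Sync"}                      # REST export / replica


def audit_service(raw_json):
    """Return findings for one service's anonymous metadata response."""
    meta = json.loads(raw_json)
    if "error" in meta:
        # The service refused the anonymous request, so it is not public.
        return ["requires login"]
    caps = {c.strip() for c in meta.get("capabilities", "").split(",") if c.strip()}
    findings = []
    if caps & EDIT_CAPS:
        findings.append("publicly editable")
    if caps & EXPORT_CAPS:
        findings.append("bulk export enabled")
    if "Query" in caps:
        # Export may be off, but desktop clients can still read the features.
        findings.append("features readable by any client")
    if not findings and meta.get("singleFusedMapCache"):
        findings.append("tiles only")
    return findings


def audit_all(services):
    """Map each service name to its list of findings."""
    return {name: audit_service(raw) for name, raw in services.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(findings)}")
```
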