ArcGIS Online has a lot of great features to help engage audiences with data, usually spatial data—for example, exploring a dataset with an interactive legend, searching for an address and finding the nearest location, or using clustering and layer blending to show patterns in your data. Although the interactive tools shape the experience, your data is what draws an audience to your application. People come to your applications to discover facts and insights in your data. For this reason, it is essential to understand how to secure public datasets, to ensure that only known and approved data is shared with the public by you and your organization members.
Effectively managing feature layer capabilities is an easy way to ensure that your public applications securely show up-to-date information. Hosted Feature Layer views enable you to create layers (views of the same data) that have different editing capabilities and sharing levels, so your editors and viewers can interact with the same dataset in different ways. As an example you can have a view only layer (view) that is shared with the public in an application that cannot be edited, while having another layer (view) that has editing capabilities that is only shared with specific users in your organization. Using hosted feature layer views will enable you to protect your data, and follow the 4 simple tips outlined in this article.
When publishing hosted feature layers to ArcGIS Online and ArcGIS Enterprise, editing is primarily* controlled by two mechanisms: the layer editing setting and the sharing level. The editing setting can be found on the Settings tab (Editing section) of the hosted feature layer or feature layer view item page. After editing is enabled on the layer, any user who has access to the layer can edit it. For example, if a road construction editing app that contains an editable construction status layer is shared with a road maintenance group, then only members of the group can access and edit (that is, add features to or update features in) the layer.
*Administrators and members of update capability groups within the organization have some additional editing capabilities in some circumstances
1. Protect your data: Only share editable hosted feature layer (views) with a group that contains approved members of your organization.
In most public applications, the featured data is updated over time, such as when showing election results, wildfire evacuation zones, or construction project status. With the example of a wildfire evacuation zone app, the wildfire boundary and status of evacuations will change over the duration of the event. This data is used to inform the public whether it is safe to be in their homes or whether it is time to leave. Ensuring that this data is only modified by an approved group of people is critical to providing true and accurate information to the public (especially those who may need to evacuate).
2. Protect your data: Use read only hosted feature layer (views) in your public applications.
When sharing data to inform the public, it is important that layers that are used to edit and update the data are not shared with everyone. Editable layers that are shared with everyone can also be edited by anyone, including those who shouldn’t be editing your data and may have malicious intent. When you are sharing an application with the public, it is important to use hosted feature layer views to share view-only capabilities with the public, and editing capabilities with a group of trusted editors. As hosted feature layer views created from the same source layer point to the same dataset, the view of the data that is not editable will immediately have access to updated data from the private editable view. This article provides additional details about using hosted feature layer views.
3. Protect your data: Do not share editable hosted feature layers with the public! (unless they are specifically for public data collection, like with Survey123 and Crowdsourcing)
In some instances, sharing editable layers with everyone is needed, such as when sharing applications for the purpose of public data collection, like crowdsourcing apps or public surveys. To ensure that editable layers are intentionally shared with the public, a new setting called Public Data Collection has been added to hosted feature layers, starting with the September 2020 update of ArcGIS Online. By enabling this setting, you are approving the layer to be shared publicly with editing capabilities turned on. When this setting is not turned on and the layer is not shared publicly, you cannot change the layer’s sharing level to everyone (public). This new setting is an extra safeguard to help ensure that publicly editable data is being shared intentionally for the purpose of data collection. When collecting data from the public, you are encouraged to follow the best practices outlined in this Survey123 article.
4. Protect your data: Follow best practices for data collection when using hosted feature layers for Public Data Collection
As this is a new setting for feature layers that was not available prior the September 2020 update, you’ll see a banner notifying you of this on any layers that you own and that are editable and shared with the public. This includes layers that are shared with everyone and layers on which editing is enabled when publishing from ArcGIS Pro or programmatically.
As maintaining data integrity is critical at all times, but especially over the first week of November with the 2020 U.S. Election, we encourage you to verify that no layers that are being used in public applications accidentally have editing turned on without the intention of collecting data from the public. The ArcGIS Security Advisor has a new Beta feature, named public FS Edit Check that allows administrators to quickly view all of the organizations public feature layers(including Views) and inspect the capabilities, like editing that are enabled. If you want to double check which publicly shared items are editable in your organization, and designate the appropriate layers as Public Data Collections please test out Security Advisor. We are excited to see the great data and apps that our users share to keep the public informed, next week and in the future. Check out the related articles below for more to best practices for viral applications.