Limitations

Some features of map service, feature service, and Web Map Service (WMS) are not fully supported by security.manager NEXT. This depends on the service type and/or the permission type used (layer access, feature restrictions, field restrictions, and spatial restrictions). All known limitations caused by security.manager NEXT for map service, feature service, and web map server are listed here.

General limitations

  • Hosted services are not supported.

  • Tiled services are not supported.

  • OGC API Features services are not supported.

  • Access is only possible via REST, SOAP access is blocked.

  • Access to a service thumbnail, generally available as /info/thumbnail, cannot be controlled by security.manager NEXT. The thumbnail might reveal sensitive information when displayed in the ArcGIS Enterprise portal gallery, for example. In that case, replace the thumbnail by a neutral image before creating and publishing the service. Consult the official Esri ArcGIS Pro documentation to find instruction how to create a thumbnail.

Map Services

  • Access to tiles from cached map services cannot be controlled by SOI and is therefore not subject to any restrictions.

  • Requests containing Dynamic Layers

    • Layer-based permissions (layer access, feature restrictions, field restrictions and spatial restrictions) are only enforced for dynamic map layers. Access to dynamic data layers is always denied without restriction.

  • Field Restrictions

    • HTML Popup requests are blocked.

    • A service may be published with labelling or symbolization rules referencing a field that you intend to hide from a client by defining a field restrictions. In that case the service will still disclose information about the existence or values of hidden fields in legends, labels, or feature symbols.

  • Spatial Restrictions

    • Spatial restrictions do not work, if a layer that contains curve geometries is queried with the option returnTrueCurves=true

    • queryRelatedRecords requests are blocked, if spatial restrictions are defined

    • When using the parameter historicMoment, spatial restrictions affect the geometry of a feature that it has at the specific timestamp of the historicMoment. Features that are be filtered by a spatial restriction can possibly be queried using the parameter historicMoment, if their current geometry differs from the one at the historicMoment.

    • Queries with the parameter spatialRel=esriSpatialRelRelation are not supported for spatial restrictions.

  • Feature Restrictions: When using the parameter historicMoment, feature restrictions affect the attribute values of a feature that it has at the specific timestamp of the historicMoment. Features that are filtered by a valid feature restriction can possibly be queried successfully using the parameter historicMoment, if their current attribute values differ from those at the historicMoment.

  • Query Layer: Query layers published via ArcGIS Pro are not supported and should not be protected and accessed by security.manager NEXT. This includes the following parameters in operations export, identify, find and query:

    • mapRangeValues

    • layerRangeValues

    • layerParameterValues

    • rangeValues

    • parameterValuesQuery

  • The operation <layerID>/query does not support using the parameter lod (feature binning).

Feature Services

  • The createReplica and synchronizeReplica operations are only supported to an extent necessary to allow data synchronization with ArcGIS Field Maps.

    • For a detailed description on these limitations, see the operation section.

  • The extractChanges operation is always blocked, even if the ArcGIS feature service supports it.

  • Adding, updating and deleting feature attachments with ArcMap is not possible.

  • Object Filter: When using the parameter historicMoment, object filters affect the attribute values of a feature that it has at the specific timestamp of the historicMoment. Features that are filtered by a valid object filter can possibly be queried successfully using the historicMoment parameter, if their current attribute values differ from those at the historicMoment.

  • Field Restrictions:

    • A service may be published with labelling or symbolization rules referencing a field that you intend to hide from a client by defining a field restrictions. In that case the service will still disclose information about the existence or values of hidden fields in legends, labels, or feature symbols.

    • Asynchronous execution of the applyEdits operation is not supported when field restrictions apply. The request will be blocked in that case.

  • The applyEdits operation with "splits" is not supported when spatial restrictions apply.

  • The applyEdits operation is not supported, if the editsUploadId parameter is set.

  • Validation layers ("validationSystemLayers") are not supported.

  • Topology layers published together with Feature Layers are not supported.

  • Trace network layers published together with Feature Layers are not supported.

  • The operations queryDataElements and queryContingentValues are not supported.

  • Utility Network Layers cannot be protected by a SOI and are handled as regular feature service, because ArcGIS Pro does not support services containing Utility Network Layers with the option disableCaching set to true.

  • The operation getEstimates is not supported.

  • The operation <layerID>/query does not support using the parameter lod (feature binning).

  • The operation queryAnalytic is not supported.

  • Queries with the parameter spatialRel=esriSpatialRelRelation are not supported for spatial restrictions.

  • File uploads to /FeatureServer/uploads/upload cannot be blocked by security.manager NEXT. All users with access to the feature server are able to upload files, regardless of any policies.

Web Map Services

  • The return values of the GetLegendGraphics and GetStyles operation cannot be restricted.

  • For GetFeatureInfo requests, restrictions of type field cannot be enforced. Respective requests will be denied when a field restriction is set.

  • When using group layers, only sub-layers can be constrained. The capabilities document lists parent layers even if either direct access to them has been restricted or access to all sub-layers has been restricted.

  • Tiled Web Map Services (WMTS) are not supported.

  • The operation queryAnalytic is not supported.

OGC API Features services

  • Any access to the data of OGC API Features services, e. g. /OGCFeatureServer/collections/0/items, will be blocked.

    Because of an ArcGIS Enterprise limitation, metadata requests such as /OGCFeatureServer/collections or /OGCFeatureServer/collections/0 cannot be blocked and thus can expose layer information about unauthorized layers. So please deactivate OGC API Features on services where security.manager NEXT is active.