Limitations
Some features of services of different types are not fully supported by security.manager NEXT. This depends on the service type and/or the permission type used, which includes layer access, feature restrictions, field restrictions or spatial restrictions. All known limitations caused by security.manager NEXT for the different service types are listed here.
General limitations
- Hosted services are not supported.
- Tiled services are not supported.
- OGC API Features services are not supported.
- Access to services is only possible via REST, while SOAP access is blocked.
- Access to a service thumbnail, generally available as /info/thumbnail, cannot be controlled by security.manager NEXT. The thumbnail might reveal sensitive information, for example when displayed in the ArcGIS Enterprise portal gallery. In that case, replace the thumbnail with a neutral image before creating and publishing the service. Consult the official Esri ArcGIS Pro documentation for instructions on how to create a thumbnail.
- Requests are blocked if they use WKT2 strings to define coordinate reference systems.
- If a spatial restriction is used, errors may occur when paging services in ArcGIS Enterprise (Esri Case 03700042). As a result, an error may occur in ArcGIS Pro when the attribute table is opened (Esri Case 03700077).

Most of the limitations mentioned below can be bypassed for certain user roles by defining a grant-all policy and omitting any other policy for this user role.
Map Services
- Access to tiles from cached map services cannot be controlled by SOI and is therefore not subject to any restrictions.
- Requests containing Dynamic Layers
  - Layer-based permissions like layer access, feature restrictions, field restrictions and spatial restrictions are only enforced for dynamic map layers.
  - Access to dynamic data layers is always denied without restriction.
- HTML Popup requests are blocked.
- A service may be published with labelling or symbolization rules referencing a field that you intend to hide from a client by defining a field restriction. In that case the service will still disclose information about the existence or values of hidden fields in legends, labels, or feature symbols.
- Field restrictions for the reserved field names FID, AREA, LEN, POINTS, NUMOFPTS, ENTITY, EMINX, EMINY, EMAXX, EMAXY, EMINZ, EMAXZ, MIN_MEASURE, and MAX_MEASURE are not supported if these field names occur multiple times as fully qualified names in a layer. For example, if a layer contains the fields egdb.sde.cities.AREA and egdb.sde.countries.AREA, adding a field restriction for either egdb.sde.cities.AREA or egdb.sde.countries.AREA is not supported.
- Spatial Restrictions
  - Spatial restrictions do not work if a layer that contains curve geometries is queried with the option returnTrueCurves=true.
  - queryRelatedRecords requests are blocked if spatial restrictions are defined.
  - Queries with the parameter spatialRel=esriSpatialRelRelation are not supported for spatial restrictions.
- Query Layer: Query layers published via ArcGIS Pro are not supported and should not be protected and accessed by security.manager NEXT. This includes the following parameters in the operations export, identify, find and query:
  - mapRangeValues
  - layerRangeValues
  - layerParameterValues
  - rangeValues
  - parameterValuesQuery
- The operation <layerID>/query does not support using the parameter lod, which is used for feature binning.
Feature Services
- The createReplica and synchronizeReplica operations are only supported to an extent necessary to allow data synchronization with ArcGIS Field Maps.
  - For a detailed description of these limitations, see the operation section.
  - One-way feature service-to-feature service sync is also not supported.
- Adding, updating and deleting feature attachments with ArcMap is not possible.
- Shared templates are not supported.
- File uploads to /FeatureServer/uploads/upload cannot be blocked by security.manager NEXT. All users with access to the feature server are able to upload files, regardless of any policies.
- A service may be published with labelling or symbolization rules referencing a field that you intend to hide from a client by defining a field restriction. In that case the service will still disclose information about the existence or values of hidden fields in legends, labels, or feature symbols.
- Asynchronous execution of the applyEdits operation is not supported when field restrictions apply. The request will be blocked in that case.
- Replica creation is blocked when field restrictions are defined.
- Field restrictions for the reserved field names FID, AREA, LEN, POINTS, NUMOFPTS, ENTITY, EMINX, EMINY, EMAXX, EMAXY, EMINZ, EMAXZ, MIN_MEASURE, and MAX_MEASURE are not enforced correctly if these field names occur multiple times as fully qualified names in a layer. For example, if a layer contains the fields egdb.sde.cities.AREA and egdb.sde.countries.AREA, adding a field restriction for either egdb.sde.cities.AREA or egdb.sde.countries.AREA is not enforced correctly.
- Spatial restrictions:
  - Queries with the parameter spatialRel=esriSpatialRelRelation are not supported for spatial restrictions.
- The applyEdits operation is not supported if the editsUploadId parameter is set.
- The <layerID>/query operation does not support using the parameter lod, which is used for feature binning.
- Unsupported operations
  - extractChanges
  - getEstimates
  - queryAnalytic
  - queryContingentValues (as a result, customers do not have to respect rules defined by conditional values)
  - queryDataElements
- Unsupported layers
  - Catalog layers
  - Topology layers published together with Feature Layers
  - Trace network layers published together with Feature Layers
  - Utility Network Layers cannot be protected by a SOI and are handled as regular feature service, because ArcGIS Pro does not support services containing Utility Network Layers with the option disableCaching set to true.
  - Validation layers, which are listed as "validationSystemLayers" in the service metadata
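
The reserved-field-name limitation described for map services and feature services above can be checked before a field restriction is relied on. The following is an added example, not part of security.manager NEXT or its documentation: it takes each layer's field names and the fields you plan to restrict and reports the restrictions that fall under the limitation. The input dictionaries, the layer names and the case-insensitive comparison of field names are assumptions made for this example.

```python
from collections import defaultdict

# Reserved field names as listed on this page.
RESERVED = frozenset({
    "FID", "AREA", "LEN", "POINTS", "NUMOFPTS", "ENTITY", "EMINX", "EMINY",
    "EMAXX", "EMAXY", "EMINZ", "EMAXZ", "MIN_MEASURE", "MAX_MEASURE",
})


def ambiguous_reserved_fields(layer_fields):
    """Map each reserved base name to the fully qualified fields that share it.

    Only names occurring more than once as qualified names are returned.
    Assumption: field names are compared case-insensitively.
    """
    by_base = defaultdict(set)
    for name in layer_fields:
        qualifier, dot, base = name.rpartition(".")
        # Unqualified names (no "table." prefix) are outside the limitation.
        if dot and qualifier and base.upper() in RESERVED:
            by_base[base.upper()].add(name)
    return {b: sorted(n) for b, n in by_base.items() if len(n) > 1}


def unenforceable_restrictions(layers, restricted_fields):
    """Return sorted (layer, field) pairs whose restriction hits the limitation.

    layers: {layer name: [field names]}
    restricted_fields: {layer name: [fields to hide]} (hypothetical input shape)
    """
    findings = []
    for layer, fields in layers.items():
        groups = ambiguous_reserved_fields(fields).values()
        affected = {f.upper() for group in groups for f in group}
        for field in restricted_fields.get(layer, []):
            if field.upper() in affected:
                findings.append((layer, field))
    return sorted(findings)


# Constructed sample input. The two AREA fields come from the example on this
# page; layer names and all other fields are made up.
SAMPLE_LAYERS = {
    "cities_joined": ["egdb.sde.cities.OBJECTID", "egdb.sde.cities.NAME",
                      "egdb.sde.cities.AREA", "egdb.sde.countries.AREA"],
    "parcels": ["OBJECTID", "OWNER", "AREA"],
}
SAMPLE_RESTRICTIONS = {
    "cities_joined": ["egdb.sde.countries.AREA", "egdb.sde.cities.NAME"],
    "parcels": ["OWNER", "AREA"],
}

if __name__ == "__main__":
    for layer, field in unenforceable_restrictions(SAMPLE_LAYERS, SAMPLE_RESTRICTIONS):
        print(f"{layer}: restriction on {field} falls under the reserved-name limitation")
```

A finding means the hidden field may still be exposed, so the layer should be republished without the duplicate qualified name or the data withheld by other means.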
Version Management Service
- Operations that are called asynchronously by using the parameter async=true are not supported. This differs from the default behavior of ArcGIS Server.
- The /differences operation does not support the fromMoment parameter.
- The operations /purgeLock and /locks are not supported.
- The operation /diagnostics/verify and the resource diagnostics are not supported.
- Users may not be able to resolve certain conflicts, post changes or see differences due to a lack of permission. This happens if restricted layers, features, or attributes are involved in the changes being made. Users with a higher access level can resolve these conflicts.
- When posting changes to the default version, security.manager NEXT will perform an automatic reconcile operation for security reasons. This means that changes that happened in the default version will also be visible in the current version immediately after posting.
Web Map Services (WMS)
- The return values of the GetLegendGraphic and GetStyles operations cannot be restricted.
- For GetFeatureInfo requests, field restrictions cannot be enforced. Respective requests will be denied when a field restriction is set.
- When using group layers, only sub-layers can be constrained. The capabilities document lists parent layers even if either direct access to them has been restricted or access to all sub-layers has been restricted.
- Tiled Web Map Services (WMTS) are not supported.
- The operation queryAnalytic is not supported.
OGC API Features services
- Any access to the data of OGC API Features services, e.g. /OGCFeatureServer/collections/0/items, will be blocked. Because of an ArcGIS Enterprise limitation, metadata requests such as /OGCFeatureServer/collections or /OGCFeatureServer/collections/0 cannot be blocked and thus can expose layer information about unauthorized layers. Therefore, deactivate OGC API Features on services where security.manager NEXT is active.