Dynamic feature restrictions with user attributes

In this tutorial, you will learn to define a feature restriction based on the user name. Users should only see cities starting with the same letter as the user’s name.

This tutorial was tested for ArcGIS Enterprise 11.5 in December, 2025.

Prerequisites

This tutorial is based on the Fallback policy tutorial. The preconditions are the same for both. You can do this tutorial separately but keep in mind that your policy file might look different.

security.manager NEXT is installed.
You can use five user accounts:
- An administrative user account to administer security.manager and Portal.
- 4 non-administrative user accounts to test the access:
  - Alex is in groupX
  - Bob is in groupY
  - Charlie is in both groupX and groupY
  - Dana is neither in groupX nor groupY
You can use the service SampleWorldCities for this tutorial. So, you can restrict access to the service.

Clean up

The policy has become quite long over the course of the tutorials. For the next tutorials, it is sufficient to use only the fallbackPolicies. Therefore, delete all segments except for the fallbackPolicies and the restrictions used there.

{
    "fallbackPolicies": [{
        "layers": [
            "0"
        ],
        "restrictions": ["cities_only_names"]
    }],
    "restrictions": {
        "cities_only_names":{
            "type": "field",
            "allowedfields": [
                "CITY_NAME"
            ]
        }
    }
}

Add a dynamic feature restriction

security.manager NEXT provides feature queries that are based on user attributes like the user name. The easiest way is to add a feature restriction template and then modify the query.

You can add templates by pressing Ctrl+Space. This function displays available examples, descriptions, and code snippets.

Add a feature restriction

First create a feature restriction without replacing the query placeholder and reference it to the existing fallback policy.

Add a new line at the top of the restrictions object.
Type "cities_username_filter": and select Feature restriction from the autocompletion list.
After the cities_only_names restriction reference of the fallback policy, add a comma and a reference to the cities_username_filter restriction.

Now, you have created a feature restriction for the fallback policy. Your policy will look like this:

{
    "fallbackPolicies": [{
        "layers": [
            "0"
        ],
        "restrictions": ["cities_only_names", "cities_username_filter"]
    }],
    "restrictions": {
        "cities_username_filter":{
            "type": "feature",
            "query": ""
        },
        "cities_only_names":{
            "type": "field",
            "allowedfields": [
                "CITY_NAME"
            ]
        }
    }
}

Adjust the query

To get a valid policy, you have to define a query for the feature restriction.

To compare the city name with the user name, replace the empty string of the query property with "CITY_NAME LIKE ${user.username}".
To compare only the first letter of the user name, add the SUBSTRING function:
```
CITY_NAME LIKE SUBSTRING('${user.username}', 1, 1)
```
Currently the city name has to match the first letter of the user name.
To define that the city name should start with the first letter, add || '%' at the end of the query.

The || concatenates strings in the SQL query. You use it to concatenate the % wildcard character with the first letter of the user name. Now the city name has to start with the first letter of the user name, rather than matching it completely.
The city names start with capital letters. So, add the UPPER function to make sure the first letter of the user name is also capitalized. The SQL query looks like:
```
CITY_NAME LIKE UPPER(SUBSTRING('${user.username}', 1, 1)) || '%'
```
Click Save changes and restart.

The complete policy with dynamic restrictions should now look like:

{
  "fallbackPolicies": [
    {
      "layers": [
        "0"
      ],
      "restrictions": ["cities_only_names", "cities_username_filter"]
    }
  ],
  "restrictions": {
    "cities_username_filter": {
      "type": "feature",
      "query": "CITY_NAME LIKE UPPER(SUBSTRING('${user.username}', 1, 1)) || '%'"
    },
    "cities_only_names": {
      "type": "field",
      "allowedfields": [
        "CITY_NAME"
      ]
    }
  }
}

You defined a query that filters the city names based on the user’s name. If a user with user name sasha requests the SampleWorldCities service, the SQL query is CITY_NAME LIKE UPPER(SUBSTRING('sasha', 1, 1)) || '%'. This query resolves to CITY_NAME LIKE 'S%'. The user gets the cities starting with S like San Diego, Seattle or Stockholm.

Verify configuration

To verify the previous configuration, access the SampleWorldCities service with all four users.

Open a private browser.
Go to the ArcGIS REST Services Directory and log in as user Alex.
Navigate to the service metadata of the SampleWorldCities service.
Click on View in: ArcGIS JavaScript.
You will see all cities whose names start with an A, like Austin, Amsterdam or Auckland.

Redo the steps with the other users to verify that the cities are filtered correctly.

Bob sees cities starting with B, like Brasilia, Barcelona or Beirut.
Charlie sees cities starting with C, like Calgary, Cairo or Cologne.
Dana sees cities starting with D, like Denver, Dallas or Dhaka.

Summary

You learned to create a feature restriction that grants access to features based on the user name. You created a restriction that filters the cities to those whose names match the first letter of the user’s name.

In the tutorial Dynamic spatial restrictions with user attributes you will learn to use a dynamic filter in a spatial restriction instead of a feature restriction.