Limitations

Some features of map service, feature service, and Web Map Service (WMS) are not fully supported by security.manager NEXT. This depends on the service type and/or the permission type used (layer access, feature restrictions, field restrictions, and spatial restrictions). All known limitations caused by security.manager NEXT for map service, feature service, and web map server are listed here.

General limitations

  • Hosted services are not supported.

  • Tiled services are not supported.

  • OGC API Features services are not supported.

  • Access is only possible via REST, SOAP access is blocked.

  • Access to a service thumbnail, generally available as /info/thumbnail, cannot be controlled by security.manager NEXT. The thumbnail might reveal sensitive information when displayed in the ArcGIS Enterprise portal gallery, for example. In that case, replace the thumbnail by a neutral image before creating and publishing the service. Consult the official Esri ArcGIS Pro documentation to find instruction how to create a thumbnail.

  • WKT2 strings are not supported.

  • If a Spatial Obligation is used, errors may occur when paging services in ArcGIS Enterprise (Esri Case 03700042). As a result, an error may occur in ArcGIS Pro when the attribute table is opened (Esri Case 03700077).

Most of the limitations mentioned below can be bypassed for certain user roles by defining a grant-all policy and omitting any other policy for this user role.

Map Services

  • Access to tiles from cached map services cannot be controlled by SOI and is therefore not subject to any restrictions.

  • Requests containing Dynamic Layers

    • Layer-based permissions (layer access, feature restrictions, field restrictions and spatial restrictions) are only enforced for dynamic map layers. Access to dynamic data layers is always denied without restriction.

  • Field Restrictions

    • HTML Popup requests are blocked.

    • A service may be published with labelling or symbolization rules referencing a field that you intend to hide from a client by defining a field restrictions. In that case the service will still disclose information about the existence or values of hidden fields in legends, labels, or feature symbols.

    • Field restrictions for the reserved field names FID, AREA, LEN, POINTS, NUMOFPTS, ENTITY, EMINX, EMINY, EMAXX, EMAXY, EMINZ, EMAXZ, MIN_MEASURE, and MAX_MEASURE are not supported if these field names occur multiple times as fully qualified names in a layer.
      For example, if a layer contains the fields egdb.sde.cities.AREA and egdb.sde.countries.AREA, adding a field restriction for either egdb.sde.cities.AREA or egdb.sde.countries.AREA is not supported.

  • Spatial Restrictions

    • Spatial restrictions do not work, if a layer that contains curve geometries is queried with the option returnTrueCurves=true

    • queryRelatedRecords requests are blocked, if spatial restrictions are defined

    • When using the parameter historicMoment, spatial restrictions affect the geometry of a feature that it has at the specific timestamp of the historicMoment. Features that are be filtered by a spatial restriction can possibly be queried using the parameter historicMoment, if their current geometry differs from the one at the historicMoment.

    • Queries with the parameter spatialRel=esriSpatialRelRelation are not supported for spatial restrictions.

  • Feature Restrictions: When using the parameter historicMoment, feature restrictions affect the attribute values of a feature that it has at the specific timestamp of the historicMoment. Features that are filtered by a valid feature restriction can possibly be queried successfully using the parameter historicMoment, if their current attribute values differ from those at the historicMoment.

  • Query Layer: Query layers published via ArcGIS Pro are not supported and should not be protected and accessed by security.manager NEXT. This includes the following parameters in operations export, identify, find and query:

    • mapRangeValues

    • layerRangeValues

    • layerParameterValues

    • rangeValues

    • parameterValuesQuery

  • The operation <layerID>/query does not support using the parameter lod (feature binning).

Feature Services

  • The createReplica and synchronizeReplica operations are only supported to an extent necessary to allow data synchronization with ArcGIS Field Maps.

    • For a detailed description on these limitations, see the operation section.

    • One-way feature service-to-feature service sync is also not supported.

  • The extractChanges operation is always blocked, even if the ArcGIS feature service supports it.

  • Adding, updating and deleting feature attachments with ArcMap is not possible.

  • Object Filter: When using the parameter historicMoment, object filters affect the attribute values of a feature that it has at the specific timestamp of the historicMoment. Features that are filtered by a valid object filter can possibly be queried successfully using the historicMoment parameter, if their current attribute values differ from those at the historicMoment.

  • Field restrictions:

    • A service may be published with labelling or symbolization rules referencing a field that you intend to hide from a client by defining a field restrictions. In that case the service will still disclose information about the existence or values of hidden fields in legends, labels, or feature symbols.

    • Asynchronous execution of the applyEdits operation is not supported when field restrictions apply. The request will be blocked in that case.

    • Replica creation is blocked when field restrictions are defined.

    • Field restrictions for the reserved field names FID, AREA, LEN, POINTS, NUMOFPTS, ENTITY, EMINX, EMINY, EMAXX, EMAXY, EMINZ, EMAXZ, MIN_MEASURE, and MAX_MEASURE are not enforced correctly if these field names occur multiple times as fully qualified names in a layer.
      For example, if a layer contains the fields egdb.sde.cities.AREA and egdb.sde.countries.AREA, adding a field restriction for either egdb.sde.cities.AREA or egdb.sde.countries.AREA is not enforced correctly.

  • The applyEdits operation with "splits" is not supported when spatial restrictions apply.

  • The applyEdits operation is not supported, if the editsUploadId parameter is set.

  • Validation layers ("validationSystemLayers") are not supported.

  • Topology layers published together with Feature Layers are not supported.

  • Trace network layers published together with Feature Layers are not supported.

  • The operation queryDataElements is not supported.

  • The operation queryContingentValues are is not supported. As a consequence, clients will not respect rules defined via contingent values.

  • Utility Network Layers cannot be protected by a SOI and are handled as regular feature service, because ArcGIS Pro does not support services containing Utility Network Layers with the option disableCaching set to true.

  • Catalog layers are not supported.

  • Shared templates are not supported.

  • The operation getEstimates is not supported.

  • The operation <layerID>/query does not support using the parameter lod (feature binning).

  • The operation queryAnalytic is not supported.

  • Queries with the parameter spatialRel=esriSpatialRelRelation are not supported for spatial restrictions.

  • File uploads to /FeatureServer/uploads/upload cannot be blocked by security.manager NEXT. All users with access to the feature server are able to upload files, regardless of any policies.

Web Map Services

  • The return values of the GetLegendGraphics and GetStyles operation cannot be restricted.

  • For GetFeatureInfo requests, restrictions of type field cannot be enforced. Respective requests will be denied when a field restriction is set.

  • When using group layers, only sub-layers can be constrained. The capabilities document lists parent layers even if either direct access to them has been restricted or access to all sub-layers has been restricted.

  • Tiled Web Map Services (WMTS) are not supported.

  • The operation queryAnalytic is not supported.

OGC API Features services

  • Any access to the data of OGC API Features services, e. g. /OGCFeatureServer/collections/0/items, will be blocked.

    Because of an ArcGIS Enterprise limitation, metadata requests such as /OGCFeatureServer/collections or /OGCFeatureServer/collections/0 cannot be blocked and thus can expose layer information about unauthorized layers. So please deactivate OGC API Features on services where security.manager NEXT is active.