Restricted Acces to the Attach file, ArcGIS Enterprise

Feature Service Permissions: The Foundation: Think of these as the gatekeepers to your data. The ArcGIS Server admin (or whoever owns the feature layer) can decide who gets to do what. We’re talking Create, Delete, and Update privileges.

• Create: This lets folks add new features, and if attachments are enabled, tack files onto those new entries. Makes sense, right?
• Update: Want to let people change existing features and their attachments? This is your permission. Crucially, it’s also needed to update or delete attachments.
• Delete: Handle with care! This one lets users wipe out features and their attachments. Here’s a gotcha: even if someone only has “Delete” permissions, they can still nuke attachments. So, if you want to prevent accidental (or malicious) deletions, keep this permission away from them. I learned that one the hard way after a colleague accidentally deleted a bunch of critical inspection photos!

Hosted Feature Layer Views: Tailoring Access: These are like custom windows into your data. You’re not changing the original, but you’re showing different things to different people. Each view inherits the attachment setting of the hosted feature layer it was created from. You can hide attachments in a view, which means some users see them, and others don’t. Imagine creating a public view of your data that shows locations of parks, but hides internal documents about park maintenance. Boom, instant security.

No Anonymous Guests Allowed: This is a no-brainer. Shutting down anonymous access to your ArcGIS Enterprise portal forces everyone to log in. No login, no access. Period. This stops random internet lurkers from stumbling upon your sensitive attachments.

HTTPS: The Encryption Shield: Think of HTTPS as putting your data in an armored car. It encrypts everything moving between your server and users. Without it, passwords and attachment data can be intercepted, especially when people are accessing things from outside your office network. Make sure HTTPS is enforced on your web server, too!

File Type Restrictions: The Bouncer at the Door: This isn’t a direct access control, but it’s still super important. By limiting the file types people can upload (e.g., only allowing JPGs and PDFs), you can block potentially harmful files from sneaking in. If you don’t specify a list of allowed file extensions, the types of files that can be attached are limited by your ArcGIS organization configuration.

Lock Down the Proxy: This is a bit technical, but crucial. Restricting the portal’s proxy capability to approved web addresses prevents bad actors from using your portal to launch attacks on other systems.

The Related Table Trick: Okay, this is a bit of a workaround, but it’s a clever one. Instead of directly attaching photos to your feature layer, you can use a related table. Give users “Create” permissions on that table to add records with photos. The downside? The photos aren’t as easy to see in the pop-up. But the upside? It’s a more secure way to manage those attachments.