One challenge that larger organizations may face as they migrate to the use of enterprise GIS as the framework for their inventory is how to enable appropriate access to both employees and contractors. The simplest deployment of WSG Inventory Management System is to utilize a single feature service and to provide all cruisers access to all data by inviting them to join one or more groups and then sharing the service to that group or groups. The problem with this approach is that all users can view, edit and delete any data. While careful backup policies can ensure that any data that are accidentally changed or deleted can be restored, there are many scenarios where users should not even be able to view or edit some data within the feature service. This document presents several approaches to preventing inappropriate viewing, editing or deleting of data by specific users.
The simplest way to restrict data that cruiser has access to apply download filters on their device via Download Parameters in MobileMap. These can be configured manually, or imported along with other settings from a settings file or settings stored within the metadata of a feature service. This is useful when all users are trusted and the main goal is to avoid clutter and reduce download times. Examples of this are when a trusted employee only wants to see cruise data for a specific tree farm. To avoid accidentally modifying data from a tree farm managed by other employees, and to reduce the time to download data, they can apply a download filter to make sure the data from that other tree farms is never downloaded. See https://woodlandsg.atlassian.net/wiki/spaces/MD/pages/952598533 for more information on using download parameters. Note that all layers must include appropriate attribute fields and values to enable download parameters to function properly.
Hosted Feature Layer Views
A more secure and consistent approach to restricting data access can be achieved using ArcGIS Hosted Feature Layer Views. Hosted Feature Layer Views act just like a typical Feature Service, but they provide a ‘view’ of that service that limits data according to pre-defined spatial or attribute subsets. Typical examples are to create Hosted Feature Layer Views that are read-only for all users, that only include data for a specific geographic region (e.g., National Forest, tree farm, work center, or contractor ID). When users create and edit data in a Hosted Feature Layer View, the data can be accessed from the ‘master’ Feature Service that was used to create the Hosted Feature Layer Views. This allows data managers to access all of the data in one Feature Service, even if many different Hosted Feature Layer Views are used to provide the level of data security needed for all users and groups.
Keep in mind that multiple Hosted Feature Layer Views can be created from a single Feature Service, so your implementation may look more like the image below in which data managers have access to all data in the master Feature Service, Cruisers have access to all data that are a part of active cruise projects, and contractors only have access to those data that have been assigned to them or their contracting company.
When setting up MobileMap for use with Hosted Feature Layer Views, simply make sure that a Hosted Feature Layer View has been created, that is has been shared with the appropriate group (e.g., Contractor A) and that all of the appropriate users have been invited to, and have accepted membership to, the correct group. When a user configures MobileMap, they will only see the approprate Hosted Feature Layer Views in the Select Feature Service dialog.
When setting up InventoryManager WSG or LMSS will typically configure a map page for each Hosted Feature Layer View, and ensure that each InventoryManager user is assigned the correct Role, such that they only see the maps corresponding to the Hosted Feature Layer View(s) that have been shared with them.
Contractor Data ‘Delivery’
When contractors are collecting field data, there is often an expectation that collect the data, perform a range of data quality control checks, then deliver a final approved dataset. When using an Enterprise GIS, however, contractor data will be uploaded data and thus could be visible to their client. One approach to ensuring that only approved data are accessed and used by the client is to use a status field to indicate once data are considered final and delivered. For example, the Stands and Plots layers typically have a Status field that helps to control symbology and indicates whether a the Stand or Plot is just planned or whether it has been Cruised. By adding an additional Status values such ‘Approved’ a contractor can indicate when all of data collected by their field staff has been QCed by changing the status of each Stand and Plot from Cruised to Approved. It is possible to configure Hosted Feature Layer Views to filter based on these values, making sure that a Contractor cannot edit the data after they have approved it, and that a client data manager cannot compile the data until it is approved (because their compilation tool draws from a Hosted Feature Layer View that only includes Approved data).
Another workflow that can be helpful for clients that utilize contractors is to add a ‘Needs Check’ status to Stands and Plots. After receiving ‘Approved’ data from a contractor, the client can identify a subset of plots per contractor or cruiser that should be check cruised, and can set these to ‘Needs Check’. Another Hosted Feature Layer View can then be used make these data available to check cruisers (employees or contractors).
There are many possible variations on these workflows and WSG and LMSS are happy to help you implement the most appropriate workflows for your organization.