Is feature-level authorisation even remotely possible when accessing ArcGIS (10) via the REST APIs? From what I understand I can secure individual services but at most this gives me control over who can read / write data across the service, and doesn't cover individual layers or features. Is this the case?
I was surprised that there are lots of REST-based (e.g. JavaScript) examples on editing but nothing obvious that looks at who is allowed to edit data – a primary concern in any real-world application.
If feature-level security is not possible what are my options? So far it seems like I must implement my own editing service (possibly through a Server Object Extension?) which can consult Access Control Lists whenever an edit operation is requested. I imagine I could reuse a lot of what's already in the JS API for editing via the Geometry Service but just point it at my own service and fill in the gaps.
Best Answer
I believe in ArcGIS Server 10.1 there is feature-level ownership-based access control. See this video for a demo (starts at about 40 minutes in): http://video.esri.com/watch/1175/building-web-editing-applications-with-arcgis-10.1-for-server