1.33. Managing access rights

This section will help you set up access to your Web GIS for various users. Below you’ll find an overview of the permissions system and some common cases of setting up access.

1.33.1. Terms

Pic. 1.166. Permissions tab

There are two base rules:

  1. Resource approach

Main (root) resource group (0) > Group 1 > Group 2 > Layer.

Permission for the root group > Permission for Group 1 > Permission for Group 2 > Permission for the layer.

Important

! Without permission to read the main resource group, a user cannot view any files it contains.

  Resource     Root (0)   Folder 1   Folder 2   Layer
  Permission   Read       Read       Read       Read

You can select a specific resource type that will be affected by the permission.

Other than that, there are two main options to apply a permission:

  • This resource only - it will only affect the resource itself.

  • This and subresources - it will affect all resources within, subgroups and their contents.

Pic. 1.167. Menu to select what permission applies to

  2. By default users have NO permissions.

Important

! Everything is forbidden unless explicitly allowed by the administrator.

The only way a user gets access to data is by having access granted by a permission.

1.33.1.1. Types of principals (users)

  • Administrator - Web GIS user with administrative rights

  • Owner - Web GIS user who has created the particular resource for which the permission is given

  • Guest - user that has not logged in

  • Authenticated - Web GIS user who is logged in with any existing account (i.e. not a guest)

  • Everyone - this includes both guests and users logged in with an existing account

1.33.1.2. Types of rules - what can be allowed or denied

Resource: All permissions

Any actions with resources, except resource groups

Resource: Read

Read resources

Resource: Create

Create resources

Resource: Modify

Edit resources

Resource: Delete

Delete resources

Resource: Manage subresources

Configure included (child) resource

Resource: Configure permissions

Edit access permissions for the resources

Metadata: All permissions

Any actions on metadata

Metadata: Read

Read metadata

Metadata: Modify

Edit metadata

Data structure: All permissions

Any actions with the data structure

Data structure: Read

Read data structure

Data structure: Modify

Edit data structure

Data: All permissions

Any actions with the data

Data: Read

Read data

Data: Modify

Edit data

Connection: All permissions

Any actions with the connections

Connection: Read

Read connection settings

Connection: Configure

Edit connections

Connection: Use

Use connections (gives the user access to the layers and data of the connection)

Service: All permissions

Any actions with the service

Service: Access

Connect to the service

Service: Configure

Edit service settings

Web Map: All permissions

Any actions with the Web Maps

Web Map: Open

View Web Map

Web Map: View annotations

View Web Map annotations

Web Map: Draw annotations

Add annotations to Web Maps

Web Map: Manage annotations

Edit Web Map annotations

Collector: All permissions

Any actions with the Collector project

Collector: Read

Read Collector data

1.33.2. Common cases

1.33.2.1. Allow Guests to view the entire Web GIS

Go to the Main resource group, select the Update action and set up the following permissions:

  • Action: Allow

  • Principal: Guest

  • Apply to: This and subresources

  • Permission to Read for the resource, metadata, data structure and data.

1.33.2.2. Allow Guests to view just one Web Map

  • Action: Allow

  • Principal: Guest

  1. For the Main resource group: Resource: Read;

  2. For the resource group containing data for the Web Map: Resource: Read, Data: Read and Data structure: Read;

  3. For the resource group containing the Web Map, if it is not the same group that contains the data, also assign permission Resource: Read;

  4. For the Web Map: Resource: Read and Web Map: Display.

Important

We recommend keeping the Web Map in a separate group from its layers; this makes setting up access rights easier. If the Web Map is in the same group as the data, assign only Resource: Read for the group, then assign the read permission for every layer that has to be included.

If there are other Web Maps in the group that you wish to keep hidden from guests, make sure that the Resource: Read permission for the group is not propagated to the subresources, i.e. that it is set to This resource only.

Pic. 1.168. There are three Web Maps in the group. One is available to guests. The other is visible in the resource list, but cannot be opened. The third one is not visible in the list
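
The situation in Pic. 1.168 can be reproduced with a small model of the rules on this page. This is an added Python sketch, not NextGIS Web code: the class, function names and resource tree are assumptions, only Allow rules are modelled, and layer data permissions are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    rules: list = field(default_factory=list)  # (principal, permission, propagate)

    def allow(self, principal, permission, subresources=False):
        # Only Allow rules are modelled; no rule means no access.
        self.rules.append((principal, permission, subresources))

def matches(principal, logged_in):
    return principal == "Everyone" or principal == ("Authenticated" if logged_in else "Guest")

def effective(res, logged_in=False):
    """Own rules plus ancestors' rules set to 'This and subresources'."""
    perms, node, own = set(), res, True
    while node is not None:
        perms |= {perm for who, perm, propagate in node.rules
                  if (own or propagate) and matches(who, logged_in)}
        node, own = node.parent, False
    return perms

def visible(res, logged_in=False):
    """Resource: Read is required on the resource and every group above it."""
    while res is not None:
        if "Resource: Read" not in effective(res, logged_in):
            return False
        res = res.parent
    return True

def can_open(webmap, logged_in=False):
    return visible(webmap, logged_in) and "Web Map: Display" in effective(webmap, logged_in)

def guest_view(propagate_group_read):
    """Constructed tree: root > maps group > three Web Maps (A, B, C)."""
    root = Resource("Main resource group")
    group = Resource("Maps", root)
    a, b, c = (Resource(n, group) for n in ("Map A", "Map B", "Map C"))
    root.allow("Guest", "Resource: Read")
    group.allow("Guest", "Resource: Read", subresources=propagate_group_read)
    a.allow("Guest", "Resource: Read")
    a.allow("Guest", "Web Map: Display")
    b.allow("Guest", "Resource: Read")  # listed, but no Web Map: Display
    return {m.name: (visible(m), can_open(m)) for m in (a, b, c)}

if __name__ == "__main__":
    print(guest_view(False))  # group rule set to This resource only
    print(guest_view(True))   # group rule propagated: Map C appears in the list
```

Each map maps to a pair (visible in the list, can be opened). With the group rule propagated, Map C becomes visible to guests even though nothing was granted on it directly.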

1.33.2.3. Allow logged-in users to use a WMS service

  • Action: Allow

  • Principal: Authenticated

  1. For the Main resource group: Resource: Read, apply to This resource only.

  2. For the group containing the data and the WMS service: Resource: Read, Data: Read, Data structure: Read and Service: Access, apply to This and subresources.

Pic. 1.169. Permissions for the group containing both the data and the WMS service

1.33.2.4. Allow viewing a PostGIS layer on a Web Map

  • Action: Allow

  • Principal: Guest (if the map needs to be available to users who have not logged in), Authenticated (if it needs to be available only to users who have logged in) etc.

  • Apply to: This resource only

  1. For the Main resource group: Resource: Read;

  2. For the resource group containing data for the Web Map and the PostGIS layer: Resource: Read, Data: Read, Data structure: Read and Connection: Use;

  3. For the resource group containing the Web Map, if it is not the same group that contains the data, also assign permission Resource: Read;

  4. For the Web Map: Resource: Read and Web Map: Display.

Important

We recommend keeping the Web Map in a separate group from its layers; this makes setting up access rights easier. If the Web Map is in the same group as the data, assign only Resource: Read for the group, then assign the read permission for every layer that has to be included.

If there are other Web Maps in the group that you wish to keep hidden from guests, make sure that the Resource: Read permission for the group is not propagated to the subresources, i.e. that it is set to This resource only.