Access Control for Datasets

What is a Dataset?

A dataset is a collection of data values in a tabular form that typically consists of rows (or records) and columns. In the Location Intelligence Module, a dataset can take the form of a .TAB file, a shapefile, a GeoPackage file, or a JDBC-based table such as an MS SQL Server table.

Benefits of Dataset Access Control

Dataset access control allows administrators to disassociate the permissions of a named table from the editing permissions of the dataset that the named table points to. For example, as an administrator you can grant full editing (Create/Modify/Delete) permissions to a dataset while keeping read-only (Execute) permissions on the named table. When a user attempts to perform a data manipulation language (DML) operation (an insert, update, or delete operation using the Feature service or the Write Spatial Data stage), the user's permissions will be verified not only against the specified named table in the Location Intelligence.Named Resources entity type but also against the Location Intelligence.Dataset.DML entity type. If Execute permissions are denied, the named table will not appear in the user's repository.

What is a Dataset Secured Entity?

The LocationIntelligence.Dataset.DML secured entity is one of the two types of secured entities for the Location Intelligence Module. It controls DML permissions to datasets that are associated with named tables. When a named table is created or uploaded (using any tool, including Spatial Manager, the Administration Utility, the Named Resource Service, and WebDAV), a new LocationIntelligence.Dataset.DML secured entity is automatically created for the associated dataset of that named table. A user must have Execute permissions on a named table and Create/Modify/Delete permissions on the dataset in order to perform DML operations on writable (JDBC-based) tables. DML operations include insert, update, and delete operations performed using the Write Spatial Data stage or the Feature Service.

Note: Although you can set Create/Modify/Delete permissions on dataset secured entities for non-writable datasets such as .TAB files or shapefiles, you still cannot perform DML operations on these datasets.

Tip: The Execute permission on the secured entity for the dataset has no impact on its permissions. If you turn the Execute permission off on a dataset secured entity you will still be able to view the data in the table. If you do not want a user to see a table, remove Execute permissions on the secured entity for the named resource instead.

When a named table is renamed, moved, or deleted, Spectrum Spatial will rename or delete the associated secured entity for the dataset.

Spatial Roles and Dataset Access

Roles are used to grant or deny access to different parts of the system and help make permissions management easier. Three predefined roles for users of the Location Intelligence Module are available in Management Console:

spatial-admin: The spatial-admin role provides full permissions (Execute/Create/Modify/Delete) for all named resources and datasets. A user with a spatial-admin role can view named resources as well as edit datasets.
Note: Additional file-server access is required to create or edit the source folder for named connections that are file-system based as well as certain settings in service configuration files (such as the image directory for the Mapping Service). For more information, see Creating a Named Resources Administrator.
spatial-user: The spatial-user role provides the Execute permissions to named resources only. A user with a spatial-user role can view resources but cannot edit datasets.
spatial-dataset-editor: The spatial-dataset-editor role provides full permissions (Execute/Create/Modify/Delete) on datasets. For example, an administrator can easily grant full permissions to datasets by adding the spatial-dataset-editor role to a user who currently has the spatial-user role.

These predefined roles cannot be modified. You can, however, create custom roles based on the predefined spatial roles, assign them to user accounts, then fine-tune access on those roles and users by applying access control settings (overrides) to datasets, individual named resources, or folders containing named resources. See Configuring Access Control for more information.