ACL Management

Use the ACL services, rather than the Spectrum Management Console, to add and remove ACLs. The ACL service APIs are documented in the REST API section of the Spectrum Spatial guide. The services ensure that the correct combination of permissions is persisted to Spectrum Platform.

The ACL services can also propagate (recurse) permissions to the dependent resources. This is important when using Spectrum Spatial with client applications (such as Spectrum Spatial Analyst), where users need to render maps, render the layers that the maps reference, and query features from the tables that the layers reference.

The Spectrum Management Console can be used to view the permissions that are granted. If the Spectrum Management Console is used to modify permissions, then these rules must be followed to ensure the consistency of the permissions granted:
  • There should not be any deny permissions granted on any resources or folders. Deny permissions will prevent:
    • users inheriting permissions from roles
    • sub-admins inheriting permissions from folders
  • To provide render and query access to named resources, grant only NamedResource.EXECUTE. Never grant NamedResource.VIEW, NamedResource.CREATE, NamedResource.DELETE or NamedResource.MODIFY to a named resource directly (these permissions convey sub-admin privileges and should only be granted on folders).
  • To provide dataset edit permissions to named tables, grant any one of Dataset.DML.CREATE, Dataset.DML.DELETE, or Dataset.DML.MODIFY permissions as appropriate.
  • To provide READ access to repository folders to sub-admins, grant both NamedResource.EXECUTE and NamedResource.VIEW on the folders. These permissions should always be granted together. Do not grant one without the other.
  • To provide WRITE access to repository folders to sub-admins, grant all three of the NamedResource.CREATE, NamedResource.DELETE and NamedResource.MODIFY permissions. These three permissions should always be granted together. Do not grant one or two without the others.
  • Do not grant any permissions on Named Connections, Named Styles, Named WMTS Tiles, or on any metadata resources.
  • If client applications are accessing maps, layers, and tables then permissions need to be set on all of the dependent named resources that are to be used.
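
The rules above can be checked mechanically after permissions have been edited in the Management Console. The following audit script is an added example, not part of the Spectrum product or its documentation; the entry layout (principal, kind, path, permission, effect), the kind labels and the sample entries are assumptions constructed for illustration.

```python
# Added example: audit ACL entries against the Management Console rules above.
# The tuple layout and the "kind" labels are assumptions for illustration,
# not a Spectrum export format.
from collections import defaultdict

READ_PAIR = {"NamedResource.EXECUTE", "NamedResource.VIEW"}
WRITE_SET = {"NamedResource.CREATE", "NamedResource.DELETE", "NamedResource.MODIFY"}
SUB_ADMIN = WRITE_SET | {"NamedResource.VIEW"}          # folder-only permissions
NO_GRANT_KINDS = {"connection", "style", "wmts_tile", "metadata"}

def audit(entries):
    """Return (rule, principal, path) findings for entries that break a rule."""
    findings = []
    folder_perms = defaultdict(set)
    for principal, kind, path, perm, effect in entries:
        if effect == "deny":                            # deny blocks inheritance
            findings.append(("DENY", principal, path))
        elif kind in NO_GRANT_KINDS:                    # nothing may be granted here
            findings.append(("NO_GRANT_KIND", principal, path))
        elif kind == "folder":
            folder_perms[(principal, path)].add(perm)
        elif perm in SUB_ADMIN:                         # map, layer, table, ...
            findings.append(("SUBADMIN_ON_RESOURCE", principal, path))
    # Assumption: every folder grant is a sub-admin grant, so each permission
    # set that is started on a folder must be complete.
    for (principal, path), perms in sorted(folder_perms.items()):
        if perms & READ_PAIR and not READ_PAIR <= perms:
            findings.append(("READ_INCOMPLETE", principal, path))
        if perms & WRITE_SET and not WRITE_SET <= perms:
            findings.append(("WRITE_INCOMPLETE", principal, path))
    return findings

# Constructed sample entries: (principal, kind, path, permission, effect)
SAMPLE = [
    ("analysts", "map", "/Maps/World", "NamedResource.EXECUTE", "grant"),
    ("analysts", "table", "/Tables/Roads", "NamedResource.VIEW", "grant"),
    ("guests", "folder", "/Maps", "NamedResource.EXECUTE", "deny"),
    ("subadmin1", "folder", "/Tables", "NamedResource.EXECUTE", "grant"),
    ("subadmin1", "folder", "/Tables", "NamedResource.VIEW", "grant"),
    ("subadmin1", "folder", "/Tables", "NamedResource.CREATE", "grant"),
    ("analysts", "style", "/Styles/Red", "NamedResource.EXECUTE", "grant"),
    ("editors", "table", "/Tables/Roads", "Dataset.DML.MODIFY", "grant"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```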