ACL and Accessing Services and Applications

Service and application access is restricted depending on the ACL that has been granted. The following list describes the permissions needed by users. Full details are provided under each service method in REST and SOAP guide for each service.
  • Mapping Service (REST and SOAP): Users can list, describe and render the maps and layers on which they have resource EXECUTE permission. Permission is not required for underlying resources to render a specific map or layer (but will be needed if a client application also needs to describe or access the underlying resources if they are presented to users).
  • Map Tiling Service (REST and SOAP): Users can list, describe and render the named tiles on which they have resource EXECUTE permission. Permission is not required for underlying resources to render a specific tile (but will be needed if a client application also needs to describe or access the underlying resources if they are presented to users).
  • Feature Service (REST and SOAP): Users can list, describe and query features from the named tables and views on which they have dataset EXECUTE permission. Users can insert, update and delete features from the named tables on which they have dataset CREATE, MODIFY or DELETE permission
  • Named Resource Service (SOAP): In order to use any operation in the Named Resource Service a user must have folder permissions on at least one folder (and they must have READ or WRITE on the folders to see or manage the resources)
  • ACL Service (REST): The listDatasetPermissions and listFolderPermissions in the ACL service are available to all users. In order to use the other “ACL” operations (to list, add or delete any resource, folder or dataset permissions) a user must have folder permissions on at least one folder (and they must have READ or WRITE on the folders to see or manage the resources).
  • WMTS: There are no ACL permissions applied to Named WMTS tiles. If a Named WMTS tile is created this implies READ access to it via the WMTS service. ACL permissions are not required for the underlying resources. A user will be able to access the tile via the WMTS service (but not via the other services, unless they have specific resource permissions).
  • WMS: For the WMS service adding a layer to service implies read access to it via the WMS service. ACL permissions are not required on the underlying Named Layer resource. The layer will be listed in the capabilities file and users will be able to render the map and legend and get feature info via the WMS service (but not via the other services, unless they have specific resource permissions)
  • WFS: For the WFS service adding a table to service implies read access to it via the WFS. ACL permissions are not required on the underlying Named Table resource. The table will be listed in the capabilities file and users will be able to query features via the WFS service (but not via the other services, unless they have specific resource permissions)
  • Spatial Manager: In order to manage resources in the Spatial Manager application, a user must have spatial admin permissions. Currently users who are sub-admins can manage resources using the service APIs. Resources that a logged-in user can see depend on their roles. Following are the business rules for permissions:
    1. An admin user can see all the resources or folders as before.
    2. A sub-admin can see all the folders on which they have at least EXECUTE permission.
    3. A generic user can see the root with an empty folder if they do not have permissions on any folders or resources.

    The user needs to have appropriate permissions to perform operations like modify or delete on resources.

  • Map Uploader:The user's ability to login and upload maps to the Spatial Server using Map Uploader utility is governed by the following constraints:

    The user can log into the Map Uploader utility if:

    • The user has admin or spatial-admin privileges. In this case, the user has full permission on the repository
    • The user has WRITE permission on any of the folders in the repository

    Once logged on:

    • The user can only see folders they have WRITE permission on
    • The user can only upload the maps to these folders
    • If the data (NamedConnections or NamedTables) is not available in these folders, then the user will not be able to upload the map
    • If the data (NamedConnections or NamedTables) is available in other folders, then the user must have READ permission to these other folders
    • The user will see the full repository path even if they don’t have permission. For instance if and user has WRITE permission to folder TEST1 that belongs to USER1 (i.e. /USER1/TEST1), then the user will see the whole path (/USER1/TEST1), but will only be able to upload the map into folder TEST1 as it has WRITE permission on it. An attempt to upload the map into folder /USER1 will fail as the user doesn’t have WRITE permission on it.
  • Dataflows in Enterprise Designer: In order to execute dataflows, a user must have admin or spatial admin along with designer role permissions. The user must have EXECUTE permissions on NamedTables and Create/Modify/Delete on the dataset to perform DML operations for the supported writable table.