ACL and Accessing Services and Applications

Access to services and applications is restricted according to the permissions granted in the Access Control List (ACL).

The following list describes the permissions that users need. Full details are available under each service method in the REST and SOAP guide for each service.

  • Mapping Service (REST and SOAP): Users can list, describe, and render the maps and layers on which they have resource Execute permission. Permission is not required for underlying resources to render a specific map or layer (but is required if a client application needs to describe or access the underlying resources to present them to users).
  • Map Tiling Service (REST and SOAP): Users can list, describe, and render the named tiles on which they have resource Execute permission. Permission is not required for underlying resources to render a specific tile (but is required if a client application needs to describe or access the underlying resources to present them to users).
  • Feature Service (REST and SOAP): Users can list, describe, and query features from the named tables and views on which they have dataset Execute permission. Users can insert, update, and delete features from the named tables on which they have dataset Create, Modify, or Delete permission.
  • Named Resource Service (SOAP): To use an operation in the Named Resource Service, a user must be a spatial-sub-admin (or higher) and have folder permissions on at least one folder. They require Read or Write permission on folders to see or manage resources.
  • ACL Service (REST): Different operations have different behavior.
    • The listDatasetPermissions and listFolderPermissions operations in the ACL service are available to all users.
    • To use the other ACL operations (to list, add or delete any resource, folder or dataset permissions) a user must be a spatial-sub-admin and have folder permissions on at least one folder. They require Read or Write permission on the folders to see or manage resources.
  • WMTS: There are no ACL permissions applied to Named WMTS tiles. Creating a Named WMTS tile implies Read access to it via the WMTS service. ACL permissions are not required for the underlying resources. Users can access the tile via the WMTS service (but not via other services without resource permissions).
  • WMS: For the WMS service, adding a layer to the service implies Read access to it via the WMS service. ACL permissions are not required on the underlying Named Layer resource. The capabilities file lists the layer, and users can render the map and legend and get feature information via the WMS service (but not via other services without resource permissions).
  • WFS: For the WFS service, adding a table to the service implies Read access to it via the WFS service. ACL permissions are not required on the underlying Named Table resource. The capabilities file lists the table, and users can query features via the WFS service (but not via the other services, unless they have specific resource permissions).
  • Spectrum Spatial™ Manager: To manage resources in Spectrum Spatial™ Manager, you must be a spatial-sub-admin and have at least one folder permission. Depending on the user’s role, the following resources are visible:
    • An administrator (spatial-admin or higher) can see all the resources or folders.
    • A spatial-sub-admin can see only the folders that they have Read permission on and can manage (modify resources) in folders that they have Write permission on.
    • Any other role can log into Spectrum Spatial™ Manager but sees the root with an empty folder. To see more, the user must have the spatial-sub-admin role in addition to any folder permissions.
  • Map Uploader: The following users can log into the Map Uploader utility and upload maps to the Spatial Server:
    • An administrator (spatial-admin or higher).
    • A spatial-sub-admin (with Write permission on at least one folder) can only upload resources into folders that they have Write permission on. They can see and reference resources, such as Named Connections, in folders that they have Read permission on.
    • Any other user cannot log into the Map Uploader utility.
  • Dataflows in Enterprise Designer: To execute dataflows, a user must have the spatial-dataset-editor role and be either an admin or spatial-admin. To perform DML operations on a supported writable table, the user requires Execute permissions on Named Tables, and Create, Modify, and/or Delete permissions on the dataset.
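
The WMS, WFS, and WMTS items above grant Read access through publication rather than through the ACL, so an ACL review alone does not show who can reach those resources. The following added example (not product code and not a Spectrum Spatial API) models that rule and lists the access that exists only because a resource was published. The users, resource paths, and data structures are constructed, and it assumes every listed user can reach the OGC service endpoints.

```python
# Added illustration; all names and data below are constructed, not product APIs.
OGC_SERVICES = {"WMS", "WFS", "WMTS"}  # publishing implies Read via that service
ACL_SERVICES = {                        # service -> (permission kind, permission)
    "Mapping": ("resource", "Execute"),
    "Map Tiling": ("resource", "Execute"),
    "Feature": ("dataset", "Execute"),
}

# Constructed ACL: (user, named resource) -> set of (kind, permission) grants.
ACL = {
    ("alice", "/Layers/Parcels"): {("resource", "Execute")},
    ("bob", "/Tables/Owners"): {("dataset", "Execute")},
}

# Constructed publication list: OGC service -> named resources exposed through it.
PUBLISHED = {
    "WMS": {"/Layers/Parcels"},
    "WFS": {"/Tables/Owners"},
    "WMTS": {"/Tiles/Basemap"},  # Named WMTS tiles carry no ACL entries
}

def can_read(user, service, resource):
    """Apply the rule for one service as the list above describes it."""
    if service in OGC_SERVICES:
        # No ACL lookup: being published to the service is what grants access.
        return resource in PUBLISHED.get(service, set())
    required = ACL_SERVICES[service]
    return required in ACL.get((user, resource), set())

def implied_only_access(users):
    """Return (user, service, resource) triples readable only via publication."""
    findings = []
    for service in sorted(OGC_SERVICES):
        for resource in sorted(PUBLISHED.get(service, set())):
            for user in users:
                has_acl = any(can_read(user, s, resource) for s in ACL_SERVICES)
                if can_read(user, service, resource) and not has_acl:
                    findings.append((user, service, resource))
    return findings

if __name__ == "__main__":
    for finding in implied_only_access(["alice", "bob", "carol"]):
        print("implied read without ACL grant: %s via %s on %s" % finding)
```

Each reported triple is a user who can read the resource through the OGC service while having no Execute grant that would let them reach it through the Mapping, Map Tiling, or Feature services.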