ACL and Repository

The Access Control List (ACL) permissions granted via Spectrum Spatial™ Manager or the ACL REST service fall into three categories: folder ACL, resource ACL, and dataset ACL.

  • Folder ACL: Grants Write and Read permissions for managing the content of the repository (including uploading, creating, and deleting named resources, and setting further permission on them). These permissions are granted on repository folders. Users with these permissions can view or modify named resources within the folders they have permission on.
    • Users who also have the spatial-sub-admin role can manage any named resources in the folders they can write to using Spectrum Spatial™ Manager or the Map Uploader utility. An administrator (admin) delegates managing sections of the repository by controlling which folders sub-administrators (spatial-sub-admin) can manage.
    • Users who do not have the spatial-sub-admin role but have write permission on a folder can save Spectrum Spatial™ Analyst map projects and load them again later. Since these users are not spatial-sub-admins, they cannot manage other types of resources. A user requires permission to save projects.
    Note: Any Spectrum user can log into the Spectrum Spatial™ Manager, but you must be an admin, spatial-admin, or spatial-sub-admin to log into the Map Uploader.
  • Resource ACL: Grants permissions for rendering named tiles, named maps, and named layers. These permissions are on named resources. Users with these permissions can use the mapping and tiling services to render and describe mapping resources. Users who have folder permissions also inherit permissions to render resources that are within their folders. It is not necessary to grant separate resource permissions to users for resources located in a folder that they have read or write permission on.
  • Dataset ACL: Grants permissions to query or edit named tables (such as CRUD operations for Create, Read, Update, and Delete). These permissions are on the named table resources. Users with these permissions can query features from tables or modify (insert, update, and delete) features. Users who have folder permissions also inherit dataset permissions to query tables. However, they do not inherit the dataset insert, update, or delete permissions. Users must be given permissions to edit tables in addition to the folder permissions.
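The inheritance rules in the list above can be modelled as a small resolver, which is useful when reviewing who can actually edit a table. This is an added example, not Spectrum code: the `Grants` structure, the type names, the sample paths, and the assumption that a folder grant also covers subfolders are all illustrative.

```python
from dataclasses import dataclass, field

# Categories from the page; the type names themselves are hypothetical labels.
RESOURCE_TYPES = {"named_map", "named_tile", "named_layer"}  # resource ACL: EXECUTE
DATASET_TYPES = {"named_table"}           # dataset ACL: EXECUTE/CREATE/DELETE/MODIFY
EDIT_PERMS = {"CREATE", "DELETE", "MODIFY"}


@dataclass
class Grants:
    """Constructed in-memory model of one user's grants (not a product format)."""
    folder: dict = field(default_factory=dict)  # folder path -> {"READ", "WRITE"}
    direct: dict = field(default_factory=dict)  # resource path -> {"EXECUTE", ...}


def folder_perms(grants, resource_path):
    """Union of permissions on every granted folder that contains the resource.
    Assumption: a folder grant also covers its subfolders."""
    found = set()
    for folder, perms in grants.folder.items():
        # Compare whole path segments so "/Sales" does not match "/SalesArchive".
        if resource_path.startswith(folder.rstrip("/") + "/"):
            found |= perms
    return found


def effective_perms(grants, resource_path, resource_type):
    """Permissions the user effectively holds on one named resource."""
    perms = set(grants.direct.get(resource_path, set()))
    if resource_type in RESOURCE_TYPES:
        perms &= {"EXECUTE"}  # only EXECUTE exists in the resource ACL category
    elif resource_type not in DATASET_TYPES:
        raise ValueError(f"no ACL category modelled for {resource_type!r}")
    # Folder READ or WRITE is inherited as EXECUTE (render or query) only;
    # CREATE, DELETE and MODIFY are never inherited from a folder.
    if folder_perms(grants, resource_path) & {"READ", "WRITE"}:
        perms.add("EXECUTE")
    return perms


def can_edit_table(grants, table_path):
    """True only when an edit permission was granted on the table itself."""
    return bool(effective_perms(grants, table_path, "named_table") & EDIT_PERMS)


# Constructed sample: analyst has folder WRITE only; editor also has table MODIFY.
TABLE = "/Sales/NamedTables/Customers"
analyst = Grants(folder={"/Sales": {"WRITE"}})
editor = Grants(folder={"/Sales": {"READ"}}, direct={TABLE: {"MODIFY"}})
```

Running `can_edit_table` over an export of real grants shows which users hold edit rights on a table, independent of how broad their folder permissions are.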

In Spectrum Spatial™ Manager, both Resource and Dataset ACL are managed under the resource permissions menu. Folder permissions are managed under the folder permissions menu. A third menu lets you create user folders and set whether a user is a spatial-sub-admin.

The following table summarizes the three categories, the named resources they affect, and the specific permissions that can be assigned under each category. Some named resources do not have permissions; these are also shown in the table.

Table 1. Summary of ACL Permissions
| Type of Permission | Granted On | Permissions set using ACL Services or Spectrum Spatial™ Manager | Activities that users can perform |
|---|---|---|---|
| Folder Permission | Repository Folders | READ | The user can view folders, subfolders, and their content as a spatial-sub-admin. The user can render any maps and layers within their folders, and query any tables within their folders. |
| | | WRITE | The user can create, delete, or modify resources within their folders including uploading resources and setting new ACL permissions on them. |
| Resource Permission | Named Map Projects, Named Tiles, Named Maps, Named Layers, and Named Label Sources | EXECUTE | The user can render the maps and layers on which they have this permission. |
| Dataset Permission | Named Tables and Named View Tables | EXECUTE | The user can query the data from the tables on which they have this permission. |
| | | CREATE | The user can insert new records into the tables on which they have this permission. |
| | | DELETE | The user can delete records from the tables on which they have this permission. |
| | | MODIFY | The user can update records in the tables on which they have this permission. |
| No permissions required | Named Styles | | There is no ACL applied to the Named Styles. A named style referenced in a layer or WMS can be accessed when rendering the layer. |
| | Named Connections | | There is no ACL applied to Named Connections. When querying data from a Named Table, a Named Connection can be used. Named Connections can only be seen by a spatial-sub-admin (or higher) who has folder permissions on the folder where the named connection is located. |
| | Metadata Resources | | There is no ACL applied to the Named Metadata Resource. Only an admin or spatial-sub-admin (or higher) with folder permissions on the folder where the resource is located can view Named Metadata Resources. |
| | Resources referenced by Spectrum Spatial™ Analyst Projects | | There is no ACL applied to the following Named Resources, which are referenced by Map Projects in Spectrum Spatial™ Analyst: Named External Tile Configurations, Named External WMS Configurations, Named External Routing Configurations, Named External Geocoding Configurations, Named Functionality Profiles, Named Print Templates, Named Data Binds. |