Users and Roles

Spatial administrators and sub-administrators grant permissions to roles and users to access or edit individual named resources and folders in the Spectrum Spatial repository.

The Spectrum Technology Platform Management Console has settings for managing users and roles. There are two kinds of roles that are relevant to Spectrum Spatial:

  1. Predefined roles that are present when you install Spectrum. These confer certain default permissions to users who belong to them.
  2. Custom roles that an administrator (admin) creates. A custom role has no permissions until specified in the Spectrum Spatial Manager.

Predefined Spatial Roles

After you install Spectrum Spatial, four predefined roles are available in the Spectrum Management Console: two roles grant admin-related privileges to users so they can manage content in Spectrum Spatial (spatial-admin and spatial-sub-admin), and two roles override resource permissions normally assigned in Spectrum Spatial Manager (spatial-user and spatial-dataset-editor).

spatial-admin
The spatial-admin role has full permissions to see and manage (view, create, delete, modify, and set permissions on) all content within the Spectrum Spatial repository. This role can edit data sets associated with named tables using the Feature Service (insert, update, and delete methods).
Users assigned to this role can log into Spectrum Spatial Manager, create new named connections, use the ACL REST API, and use Map Uploader. The key difference between the spatial-admin role and the Spectrum Technology Platform admin role is that a spatial-admin cannot manage users or roles in Management Console.
spatial-sub-admin
The spatial-sub-admin role is similar to spatial-admin, but it cannot view all of the content within the Spectrum Spatial repository. This role views content in folders that it has read permission to. Users assigned to the spatial-sub-admin role must have permission to at least one folder.
Users assigned to this role can only manage (read, create, delete, modify, and set permissions on) folders that this role has write permission to. However, a user may have more than one role, which means they can manage the folders those roles have permission on as well. The spatial-sub-admin role cannot edit datasets associated with named tables unless additional permissions are granted. These users can log into Spectrum Spatial Manager, use the ACL REST API, and use Map Uploader, but they only see resources that are in the folders they have permission to.
The spatial-sub-admin role only has read access to named connections, even when it has write access to the folders that contain them. This prevents these users from creating named connections in Spectrum Spatial Manager, so they cannot browse the file system for files and create named tables that circumvent the restrictions on what data they can see. To delegate connection creation by giving the spatial-sub-admin role permission to create named connections, see The Spatial Sub-Administrator Role and Named Connections.
You can also assign users to the spatial-sub-admin role in Spectrum Spatial Manager.
spatial-user
The spatial-user role provides read permissions to all named resources in the Spectrum Spatial repository and overrides read permissions granted to named resources in Spectrum Spatial Manager. Do not assign users to this role if they require specific permissions.
Users assigned to this role can use the Spectrum Spatial web services to render tiles, maps, and layers and use the Feature Service to query tables. They cannot edit datasets associated with named tables. They do not have folder permissions, so they cannot manage resources.
spatial-dataset-editor
The spatial-dataset-editor role provides edit permissions (insert, update, and delete) to all datasets associated with named tables and overrides permissions granted to named tables in Spectrum Spatial Manager. Do not assign users to this role if they require specific permissions.
Users assigned to this role can use the Spectrum Spatial Feature Service (insert, update, and delete methods) to edit and query tables. They do not have folder permissions, so they cannot manage resources.

Dataflow designers who are creating data flows must have a designer role (which is preset in Management Console). This is in addition to any permissions to access named resources, which are assigned by making them a member of spatial-user (so they can see all resources) or by using Spectrum Spatial Manager to grant permissions on specific named resources. For instructions on creating a spatial dataflow designer, see Creating a Spatial Dataflow Designer.

Custom Spatial Roles and Access Control Settings

Access control in Spectrum Spatial is managed using custom roles assigned to users, which simplifies managing multiple users. Each role has specific permissions set, and a user inherits the permissions of every role they are assigned. To specify permissions for access to specific named resources, use Spectrum Spatial Manager.

There are three kinds of permissions to view, edit, or manage data in Spectrum Spatial. We suggest creating roles for the following scenarios to grant:

  • Read-only access to maps, layers, and tables available to the entire organization.

    Name this role GeneralAccess. All users may belong to this role, allowing any user in the organization to see these maps and layers.

  • Read-only access to sensitive maps and layers.

    Add specific users to this role. Other users would not be able to see this data.

  • Edit access to named tables.

    For example, you may have a table called Property Site Inspections that some users update, such as site inspectors who edit the data after visiting a property. You can grant edit permissions to this role and then assign your site inspectors to the role. Any other users viewing the table would not be able to edit the data.

  • Write access to manage resources in a folder in the repository.

    As an example, you might create a role called SalesManagers with write permission to a folder in the Spectrum repository called SalesData. You could assign the spatial-sub-admin and SalesManagers roles to one or two users in the sales department. These users would then be able to use Spectrum Spatial Manager and the Map Uploader utility to manage named resources in the SalesData folder.
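
The role rules above can be checked against a snapshot of role assignments. The following is an added example, not part of the product or its documentation: the dictionary layout, the SensitiveMaps role, and the user names are constructed assumptions, and the sketch treats any folder permission (read or write) as satisfying the "at least one folder" requirement for spatial-sub-admin.

```python
# Added example: audit a role-assignment snapshot against the rules on this page.
# The input layout is an assumption, not a Spectrum export format.
OVERRIDE_ROLES = {
    "spatial-user": "read on all named resources",
    "spatial-dataset-editor": "edit on all datasets of named tables",
}
PREDEFINED = set(OVERRIDE_ROLES) | {"spatial-admin", "spatial-sub-admin"}

def audit(user_roles, folder_perms):
    """user_roles: user -> set of role names.
    folder_perms: role -> {folder: "read" | "write"}.
    Returns (findings, managed); managed maps each sub-admin to the folders
    they can manage (union of write folders across all of their roles)."""
    findings, managed = [], {}
    for user, roles in sorted(user_roles.items()):
        custom = sorted(roles - PREDEFINED)
        # An override role defeats the specific permissions of custom roles.
        for role in sorted(roles & set(OVERRIDE_ROLES)):
            if custom:
                findings.append((user, f"{role} overrides {', '.join(custom)}: "
                                       f"{OVERRIDE_ROLES[role]}"))
        if "spatial-sub-admin" in roles:
            readable, writable = set(), set()
            for role in roles:
                for folder, perm in folder_perms.get(role, {}).items():
                    readable.add(folder)
                    if perm == "write":
                        writable.add(folder)
            managed[user] = sorted(writable)
            # A sub-admin must have permission to at least one folder.
            if not readable:
                findings.append((user, "spatial-sub-admin without permission on any folder"))
    return findings, managed

# Constructed sample data (SalesManagers and SalesData follow the example above).
SAMPLE_USERS = {
    "alice": {"spatial-sub-admin", "SalesManagers"},
    "bob": {"spatial-user", "SensitiveMaps"},
    "carol": {"spatial-sub-admin"},
    "erin": {"spatial-dataset-editor"},
}
SAMPLE_FOLDER_PERMS = {"SalesManagers": {"SalesData": "write"}}

if __name__ == "__main__":
    findings, managed = audit(SAMPLE_USERS, SAMPLE_FOLDER_PERMS)
    for user, message in findings:
        print(f"{user}: {message}")
    print(managed)
```
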