Understanding Access Control List (ACL)

The Access Control List (ACL) in Spectrum Spatial is a list of permissions attached to named resources or folders in the Spectrum Spatial repository. Permissions allow users to render maps, query or edit features, or manage folders and resources within the repository.

Permissions to resources or folders are assigned to either users or roles in Spectrum Spatial Manager. Users may have one or more roles assigned to them and inherit all of the permissions from the roles to which they belong. Spectrum Spatial Manager ensures permissions correctly propagate to dependent resources.

In the following situations, setting permissions to users or roles in the Spectrum Management Console overrides the permissions set in Spectrum Spatial Manager.

  • Granting Spectrum Spatial permissions to roles that you create on the Spectrum Management Console's Roles tab (on the System menu, select Security, and click the Roles tab) breaks permissions set in Spectrum Spatial Manager. Instead, create and manage permissions on specific resources or folders in Spectrum Spatial Manager. Setting Spatial permissions on a role created in the Management Console gives that role full permission to read all named resources (including maps, layers, tables, and projects) and to edit all tables when granting data manipulation language (DML) permissions, which override permission set for the role in Spectrum Spatial Manager.
  • Adding or modifying permissions for Access Control Lists (ACL) for Spatial resources, such as Location Intelligence.Named Resources and Location Intelligence.DataSet.DML, on the Management Console's Access Control tab (on the System menu, select Security, and click the Access Control tab) breaks permissions set in Spectrum Spatial Manager. Instead, manage Access Control Lists (ACL) permissions for Spatial resources in Spectrum Spatial Manager, which correctly propagates permissions (such as from maps to layer tables).
  • Spectrum Spatial installs with two predefined roles, spatial-user and spatial-dataset-editor, that have permission to read or edit data. These roles override the permissions set in Spectrum Spatial Manager, so do not assign these roles when a user requires specific permission.

Setting override permissions in the Spectrum Management Console is not appropriate when you want to set per resource permissions and you plan to use the Spectrum Spatial Analyst application (which depends on per resource permissions).