Security Model Overview

The Spectrum Technology Platform uses a role-based security model to control access to the system. The following diagram illustrates the key concepts in the Spectrum Technology Platform security model:

A user is an account assigned to an individual person which the person uses to authenticate to Spectrum Technology Platform, either to one of the client tools such as Enterprise Designer or Spectrum Management Console, or when calling a service through web services or the API. An administrator creates a user in the Management Console. A user may have one or more roles assigned to them.

A role is a collection of permissions that grant or deny access to different parts of the system. Roles reflect the kinds of interactions that a user has with the system. For example, you may have a role for dataflow designers that grants access to create and modify dataflows, and another role for people who only need to process data through existing dataflows. There are two kinds of roles:
  • Predefined roles are present when you install Spectrum. These confer certain default permissions to users who belong to them. The permissions for these roles cannot be changed.
  • Custom roles are defined by the administrator (admin) in the Management Console with specific permissions.
Access control is managed in the Management Console for two categories of permissions that a user can have:
  • secured entity type is a category of items to grant or deny access to. An example of this is the secured entity type called "Dataflows" controls the default permissions for all dataflows on the system. Only roles are granted permissions on secured entity types. Permission is set when editing a role on the Roles tab in the Management Console.
  • secured entity is a specific item within a category to grant Access Control List (ACL) for. An example of this would be specific dataflow jobs. You can grant permissions on secured entities to both roles and users on the Access Control tab in the Management Console.

There are preset permission types for the Spectrum Technology Platform and preset permission types that install with each Spectrum module.

Security and Spectrum Spatial

Spectrum Spatial secured entities are individual named resources, such as maps, layers and tables, that are managed within the Spectrum Spatial Manager. To grant users or roles permissions for entities at the platform level or for other modules, use the settings in the Management Console under the Access Control tab.

The Spectrum Management Console sets Spectrum Technology Platform permissions in two places.
  • Roles tab: to grant platform-wide permission to roles, which includes two secured entity types that apply to Spectrum Spatial called “Location Intelligence – Named Resources” and “Location Intelligence – Dataset.DML”. If you assign a role with these permissions, it overrides the permissions that are set in the Spectrum Spatial Manager or via the Spectrum Spatial REST API.
  • Access Control tab: to set permissions to individual named resources under the “Location Intelligence – Named Resources” and “Location Intelligence – Dataset.DML” entities. Making changes here overrides permissions set in Spectrum Spatial.
Do not set permissions for Spectrum Spatial in the Management Console. The Management Console is unaware of the hierarchical relationships between resources when Access Control List (ACL) is set; for example, ensuring that Named Layers have ACL propagated to them when setting ACL for a Named Map. You can view permissions in the Management Console but changing them could break the Access Control List (ACL) set in Spectrum Spatial.