Versions Compared

Old Version 2

changes.mady.by.user Marcin Goralski

Saved on

compared with

New Version Current

changes.mady.by.user Wojciech Mozolewski

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Definitions:

  • Layer – a file that is referencing a data source; due to this fact not only access to the Layer configuration but also access to the Layer data has to be controlled
    • Layer configuration - vector, raster, group or annotation layer properties. Layer configuration includes information from all Layer Properties tabs.
    • Layer data – data stored in the data source that is referenced by a Layer. For vector layer that would be the business attributes and geometries (table records), for raster layer it would be the images stored on the server’s HDD.  
  • Resource – a file that is stored in Earthlight and does not have any linking to a data source, e.g. maps, styles, print templates, scripts, etc.

  • Reference – a strong data source reference that controls both Layer configuration and Layer data permissions
  • Link – a weak data source reference that controls only Layer configuration permissions

  • Read – allows to view Resource or Layer configuration information
  • Write – allows to modify Resource or Layer configuration information
  • List – allows to list folders and files (Resources and Layers) in all Earthlight file browsers
  • Publish - allows file owners to publish their files (Resources and Layers) to a specific location
  • View – allows to view Layer data
  • Edit – allows to modify Layer data
  • Print – allows to print Layer data
  • Export – allows to export Layer data
  • Own – represents the ownership of a file (Resource or Layer)

...

  1. File ownership: Own
  2. File control: Read, Write, List and Publish
  3. Data control: View, Edit, Print and Export

We will cover each of the permissions in detail later.

...

Earthlight is using a multiple tier permission model. It means that you can control access rights on any of the three levels shown above. To speed up and simplify access management there is a group called ‘Everyone’, which contains all Earthlight users. Groups are inheriting permissions from the ‘Everyone’ entity. Users are inheriting permissions from groups.


Permissions:

Own

Own is the file ownership permission. This permission should be set by the system administrator on the repository root to allow them to set permission of any kind to any file. For newly created files (e.g. freshly referenced data source, created layers, designed maps, modified styles, etc.) the Own permission is applied for the user who created it.

Info

Please note that Ownership permission excludes users from each individual permission and denial of permission which means that the Owner of a specific resource cannot be selectively denied any permission. It will always allow full control over a resource.


Read

This permission allows users to view a Resource (like point style, page layout, etc.) or the Layer configuration (layer properties). If a user has Read permission:

...

Publish can only be applied on folders, not files. It designates a location for a user or group of users where they can publish private (Owned) resources or layers, effectively making them departmental or corporate and available to others.

...


The four permissions described below are specific to References and even though they can be applied on folders, they only affect the References. The first two are the most obvious. Some users can only ‘View’ data, others are charged with ‘Edit’-ing the data as well. The latter two were created to improve security. Both those permissions limit user’s ability to extract data from the system without sacrificing access to the data within the Earthlight system.

...

This permission, just as the name suggests, allows users to view the business data stored by a data source. Having View permission is a requirement to be able to interact with the data in any form – inspect it, run attribute query, view it on the map, etc. Users who do not have View permission on a particular Reference will see a red circle with a white dash (similar to ‘no access’ road sign) next to its name. They will also see ‘Access to this layer is denied’ message when they hover the mouse cursor above the aforementioned symbol.

Image RemovedImage Added

Edit

When Earthlight administrator wants to allow a user to amend layer’s data, this user has to have the ‘Edit’ permission on the specific Reference. Users who do not have Edit permission on a particular Reference are not able to start editing session on this dataset. This includes all adding, modifying or deleting records.

...

As mentioned earlier this and the next permission limit user’s ability to extract data from the system without sacrificing access to the data within the Earthlight system. Print permission controls whether or not record data is included in a print out. The user is also informed about the lack of permissions to print records and all inaccessible layers are listed.

Image RemovedImage Added

Export

Just as the previous one this permission improves granularity of data access and publishing. It controls all data exportation tool as well as all available formats within Earthlight. Upon trying to export data without appropriate permission a user is shown a message informing them about a lack of sufficient permissions.

Image RemovedImage Added

Allow / Deny a permission:

Any permission can be either allowed or denied. Denying a permissions to a file takes precedence over allowing it. Not setting a permission on a file in any way (either directly or via inheritance from the parent folder / group) is treated like denying it.

...

When a file is denied to an individual user on a folder level, it cannot be allowed for them directly on the file level. From the permission point of view the closeness of the permission application is irrelevant.Image Removed

Image Added

Permissions configuration

The ‘Shares’ tool protects all files in Earthlight. Since Resources are self-contained files the ‘File control’ and ‘File ownership’ permissions apply to each and every one of them independently. As mentioned earlier the model for Layers is based on Master – Link paradigm. This means that ‘File control’ and “File ownership’ permissions act on them in similar way to Resources but ‘Data control’ permission can only be applied in one place (on the Reference) for all users.


Important:

Unlike the previous Earthlight security model where each Layer carried the data access permissions the new model simplifies data access control as it creates a single point of entry to particular dataset. 


‘Shares’ window contains 3 tabs. See the screenshot below for reference.

...

We cover each tab in detail next.

Manage shares

We can divide the ‘Manage Shares’ tab into 5 sections which we are describing below.

...

    •  - a grey tick in front of a permission name represents inherited permission.  
    •  - a green tick shows that a permission is set on the current level. 
Info
titlePlease note

If there is any permission set on the current level, then bold style will be applied to that item name e.g.Image Added


On the screenshot above user jerry (Jerry Doroszkiewicz) inherits ‘List’ permission from a parent folder or a group he belongs to. The ‘Read’ and ‘Write’ permissions are applied directly on the user level.

...

In order to find locations of references for particular table, please type the name of the table in box on the bottom right of the Shares window, or manually scroll the list to find wanted table there.

Permissions auditing

Next two tabs are extremely useful when auditing permissions. They allow Earthlight administrators to quickly determine:

  • What resources a particular user has access to?
  • What level of access the user has to each resource?
  • Who has permission to a particular resource?
  • What permissions are set on a resource?

Report permission by user

‘Report permissions by user’ tool returns all files and folders that the selected user has any permissions on. In essence it provides answers to the first two of the questions raised a minute ago.

...

Allows the report to be saved as CSV file for further processing.

Report permission by resource tab

‘Report permissions by resource’ returns all users and groups that have permissions set on the selected file. It provides answers to the last two questions raised earlier.

...

Allows the report to be saved as CSV file for further processing

Managing security for Metadata forms and data

Below you can find how different permissions works with Metadata:

Own - self explanatory. Owner can do anything with the schema and the underlying table
List - controls if particular schema shows up in File Explorer or Open / Save window in Metadata tab
Read - allows viewing of a metadata schema in Metadata tab
Write - allows modifying of an existing metadata schema in Metadata tab
View - enables viewing of the metadata content in Layer Properties / Browse Metadata
Edit - enables editing of the metadata content in Layer Properties / Browse Metadata

Please note that only "View" and "Edit" permissions controls metadata access for end users in Layer properties