Hi Abdul, Nalin,
For the 2018.2 version of SSA and Spectrum there is no need to set permissions in Spectrum Management Console. Management Console should only be used for the creation of users and roles and assignment of users to roles.
For SSA projects all permission management is performed in SSA itself by granting role permissions to map projects, and optionally you can grant extra permissions in Spectrum Spatial Manager to allow users to edit data or browse and add additional maps or layers to their projects.
Setting secured Location Intelligence secured entity overrides in Management Console will break the permissions that SSA and Spectrum Spatial manages. We plan to remove the pages in Management Console for Location Intelligence permissions so that they are no longer available.
I have provided an overview below as this is an area that is difficult to understand as a newbie. Please let me know if you need further details on any aspect.
The steps can broadly be broken into 3 as follows:
(1) Create your user and role
Logged in as admin in Management Console, create a role (for example AnalystEditorRole) and a user (for example PlanningUpdateUser), and assign the user to the AnalystEditorRole. Roles must start with the word "Analyst" if you want them to be available in SSA (we may remove this limitation in future)
(2) Create your SSA project and give the role permission on it
Logged in as admin in SSA, create a map project (for example PlanningProject) that references various named maps and layers from Spectrum. On the project settings panel under permissions pick from the available roles and add them to the project.
Below I have given 3 roles including the AnalystEditorRole read access to my "PlanningProject".
For most use cases this is all you need to do. Any user who belongs to these 3 roles will be able to open the map project (but not edit data, I will cover the editing case further down as step 3)
When you save the project SSA will
- Grant read permission on the PlanningProject to the 3 specified roles.
- Grant read permission on all of the named maps, layers and tables used by the PlanningProject to these same roles
In Spectrum Spatial Manager you can see the permissions granted by SSA to the named maps, layers and tables under the permissions section. Below is an image showing layer permissions all of which have been set by SSA to the AnalystEditorRole
As an SSA customer you do not normally need to modify these permissions for read access. You should not normally remove them as it may break an SSA project (but you can remove them if there are no active SSA projects using those resources).
You can also grant additional read access to other name layers (which are not in and SSA projects) here if desired. An SSA user will then be able to browse and add those layers to an SSA project themselves if that functionality is enabled in the project.
(3) Setting edit permissions on named tables
SSA and Spectrum Spatial support end user editing of tables (both geometry and attribute data)
To allow a user to edit data in a named table you do need to give them (or ideally a roe they belong to) extra permissions in Spectrum Spatial Manager as a prerequisite.
This is done on the "permissions" - "resource permissions" page in the "tables" tab. You can specify Insert, Update and Delete permissions. If the table is already referenced by a layer in a project that you have granted read permissions on, then it should appear in the list with read access already. If not, you can add the table and then grant the project permissions later.
Once these permissions are given, and if the SSA project has enabled the editing functionality (in the functionality profile used by the project), then the user who belongs to the role will be able add, modify and delete individual records (features) in SSA.
Below I have given the AnalystEditorRole ability to perform any editing on the SQL server planning applications table. Any user who belongs to this role can edit this table if the SSA project allows editing. If a user who is in one of the other roles opens the same project (say the user in the AnalystTrainingRole) then they wont be given the ability to edit the data.
And below my user who belongs to the AnallystEdtorRole is in edit mode.
Allowing other users to create and manage SSA projects.
Currently for SSA 2018.2 only the admin user can create new projects and grant permissions on them. The project settings option in SSA is not available to any other users.
In the upcoming release 2019.1 we are also supporting the concept of sub-admins in SSA. It will be possible for admins to designate other users as sub-admins and to give them write access to specific folders in the spectrum repository. This concept is already available for Spectrum now but is not exposed to SSA. From 2019.1 sub-admins will also be able to create map projects, save them and also grant read permissions on them to other users.
We are also integrating SSA permission management into Spatial Manager as well, so that can manage and see all relevant permissions for projects as well as maps, layers and tables.
Hierarchy of projects, maps and permissions.
When working with permissions it is useful to picture the following hierarchy.
- SSA Map Projects can reference Named Tiles, Named Maps and Named Layers from Spectrum Spatial
- In Spectrum Spatial
- Named Tiles reference Named Maps
- Named Maps reference Named Layers and
- Named Layers reference Named Tables
Permissions are propagated from the higher level to the lower level. So, setting read permission in SSA on a project propagates those permissions to maps, layers and tables
Setting permission on a named layer in Spatial Manager will propagate that permission to the named table (this default behaviour can be disabled, but is required when using SSA.
Users vs roles
Finally, it is worth mentioning that for SSA you can only grant permissions to roles. Users who belong to that role inherit the role's permissions. A user can belong to many roles and they get the collective permissions of all those roles.
In Spatial manager it is also possible to grant permissions to users as well. This is not needed for SSA since a user gets all the read permissions, they need through the prorogation of the project permissions. We recommend setting permissions only to roles for simplicity, however for certain circumstances (say edit permissions) you could set permissions to only users if required.
The relevant docs are here
Managing users and roles in Management Console
http://support.pb.com/help/spectrum/18.2/en/webhelp/AdministrationGuide-WebUI/index.html#ClientTools/ManagingUserAccounts/user_adding.html
http://support.pb.com/help/spectrum/18.2/en/webhelp/AdministrationGuide-WebUI/index.html#ClientTools/ManagingUserAccounts/CreatingModifyingRoles.html
Setting permissions on SSA projects
https://support.pb.com/help/analyst/2018.2/user_guide/en/concepts/permissions.html
Permission management in Spectrum Spatial (overview and using spatial manager)
http://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#Spatial/source/Administration/Users/SpatialSecurity.html
http://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#Spatial/source/Resources/resources/repoman/Permission_Management/PermissionManagement.html
------------------------------
Mustafa Ismail
Product Architect
Pitney Bowes
London UK
------------------------------
Original Message:
Sent: 06-04-2019 03:40
From: Abdul Rauf
Subject: Issue With Newly Created User
Dear GIS Peeps,
Totally new to SSA platform so bear with me with my question.
At the moment issue at hand is the newly created user with AnalystCouncil role, saved password and active, gives "wrong username and password" when signed in at localhost/connect/analyst/mobile.
What could be wrong?
Secondly,
My idea is to create following roles for EACH map Config.
1) Create, Edit, Modify (admin)
2) Modify tables only (surveyor)
3) General User (viewer)
Replicating the predefined roles and renaming Analyst+MapTitle+roletype. i.e "AnalystTrafficAdmin"
So when the roles are assigned to a user, A user can be admin of 2 maps, editor of 3 maps and viewer of 15 maps.
So the question is, Is this a right approach? or there are any better approaches?
Regards,
------------------------------
Abdul Rauf
ICT GIS Specialist
City of Marion
Sturt
------------------------------