Kieran
I think I understand a little better now. I believe that at some time you did have the rest authentication disabled. This is common for users of map tiling including WMTS as many web clients who have minimal JavaScript experience don't need or have the time to figure out how to pass credentials in the headers. For many years many customers have asked to turn this off and that is probably the primary reason for this feature in Spectrum existing. So with it off, map tiles are access with no credentials and on the server side no access rights are checked since there is no known user.
However, this setting is global to ALL rest services. So when you now use Analyst, any user, including guest, should have full access to anything done via a rest call and this would include most of what Spectrum Spatial Analyst sends to Spectrum. Once upon a time, most of the interaction was via SOAP but that has changed. I think SOAP is completely gone but I would have to check.
I have also never tried setting access rights when REST authentication is turned off. I will ask if others have.
To summarize, when you turn authentication back on, Guest no longer has rights but whatever client you are using for WMTS now needs to provide credentials to use the WMTS tiles.
In MapInfo Pro, for example, you would be prompted for credentials and WMTS should work fine. It depends on the client.
------------------------------
Eric Blasenheim
Spectrum Spatial Technical Product Manager
Troy, NY
------------------------------
Original Message:
Sent: 02-13-2020 00:07
From: Kieran McGowan
Subject: Guest account has access to all Projects upgrade to 2019.2
Hi Eric,
Yes setting this value to true resolved my issue were users(inc guest) had all access. I never changed this value and assumed something funky happened during upgrade to change it to false.
Now what i've noticed since changing it to 'true' is that WMTS requests authentication(whereas it didnt before). I'm thinking this setting may have been set to false by a previous admin so that our tablets which use the imagery via WMTS wouldn't have to authenticate as documented:
https://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#WebServicesGuide/source/Tokens.html
https://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#Spatial/source/Administration/config/repository/turnoffsecurity.html
I also must note that before upgrading to 2019.1, user access was restricted and WMTS worked perfect. Sorry if this explanation is a bit vague, many of these protocols/tech is new to me
KR
Kieran
------------------------------
Kieran McGowan
IT/GIS Officer
Corangamite Shire Council
Camperdown
Original Message:
Sent: 02-12-2020 23:52
From: Eric Blasenheim
Subject: Guest account has access to all Projects upgrade to 2019.2
Kieran,
Turning off authentication in the spectrum-container.properties means that any user is operating with the permissions of admin. There is not checking of anything. I assumed you wanted to have control over the guest role so I would not do this.
I do not have any idea how this could affect WMTS. Can you describe more of what problems you are having?
------------------------------
Eric Blasenheim
Spectrum Spatial Technical Product Manager
Troy, NY
Original Message:
Sent: 02-12-2020 21:30
From: Kieran McGowan
Subject: Guest account has access to all Projects upgrade to 2019.2
Just to sign off this thread. The issue seems to be with the following file/setting recommended by pb support
<Spectrum_Platform_Install_DIR>/Spectrum/server/conf/pectrum-container.properties
spectrum.security.authentication.webservice.enabled.REST=false
Having changed the setting and restarted the server, the permissions issues seem to have gone. With that said my WMTS imagery now does not work for our inspection clients and i think the cause is this authentication change, so perhaps consult support before making this change
------------------------------
Kieran McGowan
IT/GIS Officer
Corangamite Shire Council
Camperdown
Original Message:
Sent: 02-03-2020 22:28
From: Kieran McGowan
Subject: Guest account has access to all Projects upgrade to 2019.2
Hi Eric, sorry uploading images keeps failing for whatever reason. Here is a summary of the relevant settings
> Management Console > System Security > Edit Role (AnalystGuestRole) = no access given to LIM database resource
> Spatial Manager > Permissions > Resource Permissions = AnalystGuestRole given access to only 6 projects
> Spatial Manager > Permissions > Folder Permissions = AnalystGuestRole not listed (no permissions)
> SSA > Project Settings > Permissions = AnalystGuestRole only listed under permissions for those 6 projects
Despite this, guest can see all projects and open them
------------------------------
Kieran McGowan
IT/GIS Officer
Corangamite Shire Council
Camperdown
Original Message:
Sent: 02-03-2020 09:29
From: Eric Blasenheim
Subject: Guest account has access to all Projects upgrade to 2019.2
Kieran,
In Spatial Manager there is a new Permissions tab. Have you checked under any of the projects you say Guest has access to and see if they are listed there? This could be under Folder or Resource permissions.
------------------------------
Eric Blasenheim
Spectrum Spatial Technical Product Manager
Troy, NY
Original Message:
Sent: 02-01-2020 03:41
From: Kieran McGowan
Subject: Guest account has access to all Projects upgrade to 2019.2
At the recommendation our PB support I removed the GuestAnalystRole within the Management Console under Access Control, then readded it within Spatial Manager.
This resolved the issue within Resource Permissions, were adding/removing projects wasn't working after clicking 'apply changes'.
However this hasn't fixed the problem were the guest still sees and has access to all projects in analyst. again the guest does not have permissions to all these projects either within Resource Permissions or the Project Settings. I removed the LIM access as suggested above but this hasn't made a difference Any other suggestions?
------------------------------
Kieran McGowan
IT/GIS Officer
Corangamite Shire Council
Camperdown
Original Message:
Sent: 01-30-2020 10:33
From: Vivek Tyagi
Subject: Guest account has access to all Projects upgrade to 2019.2
Hi Kieran,
Could you please remove view permission on named resources for Guest Role in managementconsole.
This step should not be there in the documentation. We are working to update the documentation.
This should resolve your issue. If you still face this issue let me know.
------------------------------
Vivek Tyagi
Knowledge Community Shared Account
Shelton CT
Original Message:
Sent: 01-29-2020 16:55
From: Kieran McGowan
Subject: Guest account has access to all Projects upgrade to 2019.2
Hi vivek,
Here is the problem. In my test environment, when i make a change to the Resource Permissions (or within the permissions tab of the project settings), these changes take effect immediately it seems. i.e. If i add a project, i simply have to refresh the page to see it then available for Guest. Same if i remove a project access
When i make these same changes in my production environment, nothing happens. i.e
-If i remove a project from the AnalystguestRole in Resource Permissions in Spatial Manager, nothing happens after applying changes, the project is still there.
-If i remove the Guest permission from the Project settings and apply changes, its still there when i check again.
This is not expected behavior
------------------------------
Kieran McGowan
IT/GIS Officer
Corangamite Shire Council
Camperdown
Original Message:
Sent: 01-29-2020 01:58
From: Vivek Tyagi
Subject: Guest account has access to all Projects upgrade to 2019.2
Hi Kieran,
This is an expected behavior. These permission are for all Named Resources (Map-projects are also Named Resources now).
You are not supposed to change the access of guest role on LIM. We are managing the permission on resource level. Please let us know if you find any in-consistency after removing this access.
------------------------------
Vivek Tyagi
Knowledge Community Shared Account
Shelton CT
Original Message:
Sent: 01-28-2020 05:48
From: Kieran McGowan
Subject: Guest account has access to all Projects upgrade to 2019.2
Hi all,
As far as i can tell the upgrade went without any major hiccups. However one thing i noticed is that LIM access for the guest account has been removed. This was unchecked for view...
After re-enabling this option and restarting the services the guest account has access again, but now to all map projects. Regardless of the AnalystGuestRole not listed under permissions in certain map projects settings, nor are the projects ticked under Spatial Manager > Resource Permissions > Projects.
Any ideas appreciated.
KR
Kieran
.
------------------------------
Kieran McGowan
IT/GIS Officer
Corangamite Shire Council
Camperdown
------------------------------