Spectrum Spatial (SSA/LIM)

Expand all | Collapse all

Guest account has access to all Projects upgrade to 2019.2

Jump to Best Answer
  • 1.  Guest account has access to all Projects upgrade to 2019.2

    Posted 22 days ago
    Hi all,

    As far as i can tell the upgrade went without any major hiccups. However one thing i noticed is that LIM access for the guest account has been removed. This was unchecked for view...
    User-added image
    After re-enabling this option and restarting the services the guest account has access again, but now to all map projects. Regardless of the AnalystGuestRole not listed under permissions in certain map projects settings, nor are the projects ticked under Spatial Manager > Resource Permissions > Projects.

    Any ideas appreciated.

    KR
    Kieran
    .

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------


  • 2.  RE: Guest account has access to all Projects upgrade to 2019.2

    Moderator
    Posted 21 days ago
    Hi Kieran,

    We have seen similar issues in some other environments too and our Engineering team is looking into this.

    We will keep this thread updated with all the recent signs of progress on this issue.

    ------------------------------
    Nalin Mathur
    Pitney Bowes Software India PVT. Ltd
    Noida
    ------------------------------



  • 3.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 21 days ago
    Hi Kieran,
    This is an expected behavior. These permission are for all Named Resources (Map-projects are also Named Resources now).
    You are not supposed to change the access of guest role on LIM. We are managing the permission on resource level. Please let us know if you find any in-consistency after removing this access.

    ------------------------------
    Vivek Tyagi
    Knowledge Community Shared Account
    Shelton CT
    ------------------------------



  • 4.  RE: Guest account has access to all Projects upgrade to 2019.2

    Posted 20 days ago
    Edited by Kieran McGowan 20 days ago
    Hi vivek,

    Here is the problem. In my test environment, when i make a change to the Resource Permissions  (or within the permissions tab of the project settings), these changes take effect immediately it seems. i.e. If i add a project, i simply have to refresh the page to see it then available for Guest. Same if i remove a project access

    When i make these same changes in my production environment, nothing happens. i.e
    -If i remove a project from the AnalystguestRole in Resource Permissions in Spatial Manager, nothing happens after applying changes, the project is still there.
    -If i remove the Guest permission from the Project settings and apply changes, its still there when i check again.

    This is not expected behavior

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------



  • 5.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 20 days ago
    Hi Kieran,
    Could you please remove view permission on named resources for Guest Role in managementconsole.
    This step should not be there in the documentation. We are working to update the documentation.
    User-added image
    This should resolve your issue. If you still face this issue let me know.

    ------------------------------
    Vivek Tyagi
    Knowledge Community Shared Account
    Shelton CT
    ------------------------------



  • 6.  RE: Guest account has access to all Projects upgrade to 2019.2

    Posted 18 days ago
    Edited by Kieran McGowan 16 days ago
    At the recommendation our PB support I removed the GuestAnalystRole within the Management Console under Access Control, then readded it within Spatial Manager.

    This resolved the issue within Resource Permissions, were adding/removing projects wasn't working after clicking 'apply changes'.

    However this hasn't fixed the problem were the guest still sees and has access to all projects in analyst. again the guest does not have permissions to all these projects either within Resource Permissions or the Project Settings. I removed the LIM access as suggested above but this hasn't made a difference Any other suggestions?

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------



  • 7.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 16 days ago
    ​Kieran,
    In Spatial Manager there is a new Permissions tab. Have you checked under any of the projects you say Guest has access to and see if they are listed there? This could be under Folder or Resource permissions.

    ------------------------------
    Eric Blasenheim
    Spectrum Spatial Technical Product Manager
    Troy, NY
    ------------------------------



  • 8.  RE: Guest account has access to all Projects upgrade to 2019.2

    Posted 15 days ago
    Hi Eric, sorry uploading images keeps failing for whatever reason. Here is a summary of the relevant settings
    >  Management Console > System Security > Edit Role (AnalystGuestRole) = no access given to LIM database resource
    >  Spatial Manager > Permissions > Resource Permissions = AnalystGuestRole given access to only 6 projects
    >  Spatial Manager > Permissions > Folder Permissions = AnalystGuestRole not listed (no permissions)
    >  SSA > Project Settings > Permissions = AnalystGuestRole only listed under permissions for those 6 projects

    Despite this, guest can see all projects and open them

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------



  • 9.  RE: Guest account has access to all Projects upgrade to 2019.2

    Posted 6 days ago
    Edited by Kieran McGowan 6 days ago
    Just to sign off this thread. The issue seems to be with the following file/setting recommended by pb support

    <Spectrum_Platform_Install_DIR>/Spectrum/server/conf/pectrum-container.properties

    spectrum.security.authentication.webservice.enabled.REST=false

    Having changed the setting to true and restarted the server, the permissions issues seem to have gone. With that said my WMTS imagery now does not work for our inspection clients and i think the cause is this authentication change, so perhaps consult support before making this change

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------



  • 10.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 6 days ago
    Kieran,
    Turning off authentication in the spectrum-container.properties means that any user is operating with the permissions of admin. There is not checking of anything. I assumed you wanted to have control over the guest role so I would not do this.
    I do not have any idea how this could affect WMTS. Can you describe more of what problems you are having? ​

    ------------------------------
    Eric Blasenheim
    Spectrum Spatial Technical Product Manager
    Troy, NY
    ------------------------------



  • 11.  RE: Guest account has access to all Projects upgrade to 2019.2

    Posted 6 days ago
    Edited by Kieran McGowan 6 days ago
    Hi Eric,

    Yes setting this value to true resolved my issue were users(inc guest) had all access. I never changed this value and assumed something funky happened during upgrade to change it to false.

    Now what i've noticed since changing it to 'true' is that WMTS requests authentication(whereas it didnt before). I'm thinking this setting may have been set to false by a previous admin so that our tablets which use the imagery via WMTS wouldn't have to authenticate as documented:
    https://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#WebServicesGuide/source/Tokens.html
    https://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#Spatial/source/Administration/config/repository/turnoffsecurity.html

    I also must note that before upgrading to 2019.1, user access was restricted and WMTS worked perfect. Sorry if this explanation is a bit vague, many of these protocols/tech is new to me

    KR
    Kieran

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------



  • 12.  RE: Guest account has access to all Projects upgrade to 2019.2
    Best Answer

    Pitney Bowes
    Posted 6 days ago
    Kieran
    I think I understand a little better now.  I believe that at some time you did have the rest authentication disabled. This is common for users of map tiling including WMTS as many web clients who have minimal JavaScript experience don't need or have the time to figure out how to pass credentials in the headers. For many years many customers have asked to turn this off and that is probably the primary reason for this feature in Spectrum existing.  So with it off, map tiles are access with no credentials and on the server side no access rights are checked since there is no known user.

    However, this setting is global to ALL rest services. So when you now use Analyst, any user, including guest, should have full access to anything done via a rest call and this would include most of what Spectrum Spatial Analyst sends to Spectrum.  Once upon a time, most of the interaction was via SOAP but that has changed. I think SOAP is completely gone but I would have to check.
    I have also never tried setting access rights when REST authentication is turned off. I will ask if others have.
    To summarize, when you turn authentication back on, Guest no longer has rights but whatever client you are using for WMTS now needs to provide credentials to use the WMTS tiles.
    In MapInfo Pro, for example, you would be prompted for credentials and WMTS should work fine. It depends on the client. ​

    ------------------------------
    Eric Blasenheim
    Spectrum Spatial Technical Product Manager
    Troy, NY
    ------------------------------



  • 13.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 6 days ago
    Edited by Vivek Tyagi 6 days ago
    Eric,
    Thank you for this explanation.It helped me to understand why we have this property. As Analyst works with Map Projects which we earlier calls  map configs. Till Analyst 18.2 we were managing map project authorization at Analyst side, that's why guest user had access to project on which that role had access permissions. In 19.1 we migrated all Analyst resources into Spectrum Repository so with Rest authentication disabled, all users are admin now. All permission on all resources.

    ------------------------------
    Vivek Tyagi
    Knowledge Community Shared Account
    Shelton CT
    ------------------------------



  • 14.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 5 days ago
    Correct. This basically means that you cannot turn off rest authentication for use cases like map tiling and use Analyst with Access Control permissions anymore because, as you said, permissions uses to be handled in the Analyst application and now are integrated in Spectrum Spatial. We will have to look into this.  ​

    ------------------------------
    Eric Blasenheim
    Spectrum Spatial Technical Product Manager
    Troy, NY
    ------------------------------



  • 15.  RE: Guest account has access to all Projects upgrade to 2019.2

    Posted 5 days ago
    Thanks for the explanation Eric, it all makes sense now. I will have to look for a workaround. It would be great in future if we could permit this access again just for the WMTS service.

    Many thanks

    ------------------------------
    Kieran McGowan
    IT/GIS Officer
    Corangamite Shire Council
    Camperdown
    ------------------------------



  • 16.  RE: Guest account has access to all Projects upgrade to 2019.2

    Pitney Bowes
    Posted 5 days ago
    One workaround and is more secure, is to find a simple proxy for the WMTS part. That leaves the Spectrum part secure but the proxy only allows WMTS requests through to Spectrum and embeds credentials that allow the Tile service to work.  It does not have to be admin.  ​In this case it does not have to touch the response.
    So it just has to add credentials and forward to the real host.

    ------------------------------
    Eric Blasenheim
    Spectrum Spatial Technical Product Manager
    Troy, NY
    ------------------------------