Spectrum Spatial (SSA/LIM)

Expand all | Collapse all

Issue With Newly Created User

Jump to Best Answer
  • 1.  Issue With Newly Created User

    Posted 20 days ago
    Edited by Abdul Rauf 19 days ago
    Dear GIS Peeps,

    Totally new to SSA platform so bear with me with my question.

    At the moment issue at hand is the newly created user with AnalystCouncil role, saved password and active, gives "wrong username and password" when signed in at  localhost/connect/analyst/mobile. 

    What could be wrong?

    Secondly,

    My idea is to create following roles for EACH map Config.

    1) Create, Edit, Modify (admin)
    2) Modify tables only (surveyor)
    3) General User (viewer)

    Replicating the predefined roles and renaming Analyst+MapTitle+roletype.  i.e "AnalystTrafficAdmin"

    So when the roles are assigned to a user, A user can be admin of 2 maps, editor of 3 maps and viewer of 15 maps.
    So the question is, Is this a right approach? or there are any better approaches?

    Regards,



    ------------------------------
    Abdul Rauf
    ICT GIS Specialist
    City of Marion
    Sturt
    ------------------------------


  • 2.  RE: Issue With Newly Created User

    Pitney Bowes
    Posted 20 days ago
    Hi Abdul,

    In regards to your first query, from what you mentioned it sounds like the user is 'enabled' in the Management Console?

    In that case, the issue could be related to the caching of data in the browser. This can often be resolved by firstly clearing the browser cache. For Google Chrome, this setting can be found under Settings > More tools > Clear browsing data... and likewise for Internet Explorer, under Settings > Safety > Delete browsing history...

    *Note - For both options, there is no need to delete the browser history, just the cookies/website data and temporary cached images/data files.

    Therefore, can you please try to clear the browser cache and then try to sign in again as the user to see if this works?

    If this does not work, we would need to check for other possible reasons.

    ------------------------------
    Dave Kuo
    Pitney Bowes Australia Pty Ltd
    Australia
    ------------------------------



  • 3.  RE: Issue With Newly Created User

    Posted 20 days ago
    Thanks for Contact Dave.

    Clearing cache does not help, in both the browsers, same error. New user is enabled/active.
    Any other tweaks?

    Regards,

    ------------------------------
    Abdul Rauf
    ICT GIS Specialist
    City of Marion
    Sturt
    ------------------------------



  • 4.  RE: Issue With Newly Created User

    Pitney Bowes
    Posted 20 days ago
    Sorry to hear it is still not working after the above actions. I have created a support case on your behalf in regards to the login issue and will contact you directly to investigate this.

    ------------------------------
    Dave Kuo
    Pitney Bowes Australia Pty Ltd
    Australia
    ------------------------------



  • 5.  RE: Issue With Newly Created User

    Posted 19 days ago
    ​Hi Abdul,

    I recall an omission I made as an SSA newcomer that you might like to check.
    In Spatial Analyst Administrator go to the "Permissions" tab and ensure that "AnalystCouncil" role has been moved from "Available Roles" to "Assigned Roles" for the selected Map Configuration.

    Regards,

    ------------------------------
    David Murphy
    GIS Officer
    Swan Hill Rural City Council
    Swan Hill
    ------------------------------



  • 6.  RE: Issue With Newly Created User

    Posted 19 days ago
    Thanks David for chipping in.
    This new user has a role "AnalystCouncilTraffic" that is a copy of "AnalystCouncil" role both are added in the in the permissions. But still authentication fails.

    Can you give ideas about the second part of the question?

    Regards,

    ------------------------------
    Abdul Rauf
    ICT GIS Specialist
    City of Marion
    Sturt
    ------------------------------



  • 7.  RE: Issue With Newly Created User

    Moderator
    Posted 13 days ago
    Hi Abdul,

    I was following this post from a few days and found this healthy discussion really engaging!
    I had a suggestion regarding the second part of your question. As I have understood, you need to give a single user different permissions on different maps. Correct me if I am wrong!

    In place of creating so many roles, you can create a single role and still achieve it using the 'access control'.

    Access control settings work in conjunction with roles to define the permissions for a user. Roles define the permissions for categories of entities, such as all dataflows or all database resources, and access control settings define the permissions for specific entities, such as specific jobs or specific database connections.

    In order to configure access controls you must have View and Modify permissions to these secured entity types:
    • Security - Access Control
    • Security - Roles
    • Security - Users

    To configure access control:

    1. In the Management Console, go to System > Security.
    2. Click the Access Control tab.
    3. Click the Add button.
    4. Do one of the following:
      • If you want to specify access controls for a role, click Role. The access control permissions you specify will affect all users who have the role you choose.
      • If you want to specify access controls for a single user, click User. The access control permissions you specify will only affect the user you choose.
    5. Select the role or user for which you want to define access controls.
    6. Click the Add button.
    7. Select the secured entity type that contains the secured entity you want, in our case, it is Location Intelligence.Dataset.DML
    8. Choose the secured entity you want to configure access controls for, then click the >> button to add it to the Selected Entities list.
    9. Click Add.

      The secured entities you chose are displayed. The check boxes indicate the permissions in effect for the selected role or user.

    10. Specify the permissions that you want to grant for each secured entity. Each secured entity can have one of the following permissions:
     
    Permissions
    Just give it a try and let me know if this helps.


    ------------------------------
    Nalin Mathur
    Pitney Bowes Software India PVT. Ltd
    Noida
    ------------------------------



  • 8.  RE: Issue With Newly Created User

    Moderator
    Posted 12 days ago
    Hi All,

    The following documentation talks about Configuring Access Control and contains illustrations too :

    https://support.pb.com/help/spectrum/18.2/en/webhelp/AdministrationGuide-WebUI/index.html#ClientTools/ManagingUserAccounts/CreatingSecuredEntityOverride.html

    ------------------------------
    Nalin Mathur
    Pitney Bowes Software India PVT. Ltd
    Noida
    ------------------------------



  • 9.  RE: Issue With Newly Created User

    Posted 12 days ago
    Hi Nalin,
    And thanks for your insight. What I understood from your instructions is that a role or a user's access can be overridden by "Access Control". But I am unable to understand how it is going to limit the number of roles to be created for each map. I have created a small slide that makes a comparison between ANALYST roles with the custom roles I want to create.
    Please do correct me if I am wrong but my understanding is that when I will assign "AnalystCouncil" role to a user he will be admin of all the maps, which I don't want  it to happen. So I want to create admin, editor, viewer roles for each map.  now  let say if I have 10 Maps and have 3 main roles, admin, editor, and viewer. the total roles will automatically shoot to 30. As in the slide below:
    So how "Access Control" will limit the roles. Actually Access Control is helping to create these roles.
    Note: Drawing Is bit uncomplete at the left side, but hope it gives the idea.

    So in my example User 1 is admin of First Map while can view all the remaining maps.
    Now if I don't create these roles then I have to set "Access Control" for each user. Users could be 100s but Roles 20-30 Max. So does this flow chart work or their could be much easier way to achieve this?

    Regards,

    ------------------------------
    Abdul Rauf
    ICT GIS Specialist
    City of Marion
    Sturt
    ------------------------------



  • 10.  RE: Issue With Newly Created User

    Moderator
    Posted 12 days ago
    Hi Abdul,

    Thanks for the explanatory diagram. Although I do not have much knowledge about your requirements of users and roles, the way I visualized it is, say we have three maps map1, map2, map3 and three roles Role1, Role2, Role3. And say we want 3 kinds of operations(say):

    Admin Permissions - Create Edit Modify
    Surveyor Permissions - Modify only
    General Permissions - view Only

    We have Role1 ( Admin - Map1, Surveyor - Map2, General -Map3 )( Assigned via Access Control )
    We have Role2 ( General - map 1,2,3 )                         ( Assigned via Access Control )
    We have Role3 ( Surveyor - Map 1,2,3 )                       ( Assigned via Access Control )

    Further, new roles can come into picture when there are more combinations like admin rights on map1 and viewing rights on others and so on.
    There can be hundreds of users but if Role1 is assigned to them, they must be able to perform the given task. My assumption is that there will be numerous users but there may not be that many combinations.

    Say you have 10 maps. This makes 10x3=30 roles as per your initial questions. But with the above approach, if there are say 15 such combinations, we still save 15 roles.

    ------------------------------
    Nalin Mathur
    Pitney Bowes Software India PVT. Ltd
    Noida
    ------------------------------



  • 11.  RE: Issue With Newly Created User
    Best Answer

    Pitney Bowes
    Posted 10 days ago

    Hi Abdul, Nalin,

     

    For the 2018.2 version of SSA and Spectrum there is no need to set permissions in Spectrum Management Console. Management Console should only be used for the creation of users and roles and assignment of users to roles.

     

    For SSA projects all permission management is performed in SSA itself by granting role permissions to map projects, and optionally you can grant extra permissions in Spectrum Spatial Manager to allow users to edit data or browse and add additional maps or layers to their projects.

     

    Setting secured Location Intelligence secured entity overrides in Management Console will break the permissions that SSA and Spectrum Spatial manages. We plan to remove the pages in Management Console for Location Intelligence permissions so that they are no longer available.

     

    I have provided an overview below as this is an area that is difficult to understand as a newbie. Please let me know if you need further details on any aspect.

     

    The steps can broadly be broken into 3 as follows:

     

    (1) Create your user and role

     

    Logged in as admin in Management Console, create a role (for example AnalystEditorRole) and a user (for example PlanningUpdateUser), and assign the user to the AnalystEditorRole. Roles must start with the word "Analyst" if you want them to be available in SSA (we may remove this limitation in future)

     

    (2) Create your SSA project and give the role permission on it

     

    Logged in as admin in SSA, create a map project (for example PlanningProject) that references various named maps and layers from Spectrum. On the project settings panel under permissions pick from the available roles and add them to the project.

     

    Below I have given 3 roles including the AnalystEditorRole read access to my "PlanningProject".

    For most use cases this is all you need to do. Any user who belongs to these 3 roles will be able to open the map project (but not edit data, I will cover the editing case further down as step 3)




    When you save the project SSA will

     

    • Grant read permission on the PlanningProject to the 3 specified roles.
    • Grant read permission on all of the named maps, layers and tables used by the PlanningProject to these same roles

     

    In Spectrum Spatial Manager you can see the permissions granted by SSA to the named maps, layers and tables under the permissions section. Below is an image showing layer permissions all of which have been set by SSA to the AnalystEditorRole



    As an SSA customer you do not normally need to modify these permissions for read access. You should not normally remove them as it may break an SSA project (but you can remove them if there are no active SSA projects using those resources).

     

    You can also grant additional read access to other name layers (which are not in and SSA projects) here if desired. An SSA user will then be able to browse and add those layers to an SSA project themselves if that functionality is enabled in the project.

     

    (3) Setting edit permissions on named tables

     

    SSA and Spectrum Spatial support end user editing of tables (both geometry and attribute data)

     

    To allow a user to edit data in a named table you do need to give them (or ideally a roe they belong to) extra permissions in Spectrum Spatial Manager as a prerequisite.

     

    This is done on the "permissions" - "resource permissions" page in the "tables" tab. You can specify Insert, Update and Delete permissions. If the table is already referenced by a layer in a project that you have granted read permissions on, then it should appear in the list with read access already. If not, you can add the table and then grant the project permissions later.

     

    Once these permissions are given, and if the SSA project has enabled the editing functionality (in the functionality profile used by the project), then the user who belongs to the role will be able add, modify and delete individual records (features) in SSA.

     

    Below I have given the AnalystEditorRole ability to perform any editing on the SQL server planning applications table. Any user who belongs to this role can edit this table if the SSA project allows editing. If a user who is in one of the other roles opens the same project (say the user in the AnalystTrainingRole) then they wont be given the ability to edit the data.


    And below my user who belongs to the AnallystEdtorRole is in edit mode.



    Allowing other users to create and manage SSA projects.

     

    Currently for SSA 2018.2 only the admin user can create new projects and grant permissions on them. The project settings option in SSA is not available to any other users.

     

    In the upcoming release 2019.1 we are also supporting the concept of sub-admins in SSA. It will be possible for admins to designate other users as sub-admins and to give them write access to specific folders in the spectrum repository. This concept is already available for Spectrum now but is not exposed to SSA. From 2019.1 sub-admins will also be able to create map projects, save them and also grant read permissions on them to other users.

     

    We are also integrating SSA permission management into Spatial Manager as well, so that can manage and see all relevant permissions for projects as well as maps, layers and tables.

     

    Hierarchy of projects, maps and permissions.

     

    When working with permissions it is useful to picture the following hierarchy.

     

    • SSA Map Projects can reference Named Tiles, Named Maps and Named Layers from Spectrum Spatial

    • In Spectrum Spatial
      1. Named Tiles reference Named Maps
      2. Named Maps reference Named Layers and
      3. Named Layers reference Named Tables 


    Permissions are propagated from the higher level to the lower level. So, setting read permission in SSA on a project propagates those permissions to maps, layers and tables

     

    Setting permission on a named layer in Spatial Manager will propagate that permission to the named table (this default behaviour can be disabled, but is required when using SSA.

     

    Users vs roles

     

    Finally, it is worth mentioning that for SSA you can only grant permissions to roles. Users who belong to that role inherit the role's permissions. A user can belong to many roles and they get the collective permissions of all those roles.

     

    In Spatial manager it is also possible to grant permissions to users as well. This is not needed for SSA since a user gets all the read permissions, they need through the prorogation of the project permissions. We recommend setting permissions only to roles for simplicity, however for certain circumstances (say edit permissions) you could set permissions to only users if required.

     

    The relevant docs are here

     

    Managing users and roles in Management Console

     

    http://support.pb.com/help/spectrum/18.2/en/webhelp/AdministrationGuide-WebUI/index.html#ClientTools/ManagingUserAccounts/user_adding.html

     

    http://support.pb.com/help/spectrum/18.2/en/webhelp/AdministrationGuide-WebUI/index.html#ClientTools/ManagingUserAccounts/CreatingModifyingRoles.html

     

    Setting permissions on SSA projects

     

    https://support.pb.com/help/analyst/2018.2/user_guide/en/concepts/permissions.html

     

    Permission management in Spectrum Spatial (overview and using spatial manager)

     

    http://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#Spatial/source/Administration/Users/SpatialSecurity.html

     

    http://support.pb.com/help/spectrum/18.2/en/webhelp/Spatial/index.html#Spatial/source/Resources/resources/repoman/Permission_Management/PermissionManagement.html

     

     



    ------------------------------
    Mustafa Ismail
    Product Architect
    Pitney Bowes
    London UK
    ------------------------------