Security for the Location Intelligence Module

The Location Intelligence Module uses the role-based security that is used for the Spectrum™ Technology Platform. Because security is handled at the platform level, the Management Console can be used to manage all Location Intelligence Module security activities. This includes setting permissions for named resources in addition to managing user accounts (that is, creating, modifying, and deleting user accounts).

Note: The User Management Service can still be used to set permissions if desired; however, permissions are stored in the platform and not the repository. The User Management Service is set to be deprecated in a future release.

Predefined Spatial Roles

After you install the Location Intelligence Module, three predefined roles are available in Management Console:

spatial-admin
The spatial-admin role provides full permissions (Create/View/Modify/Delete) for all named resources and datasets associated with named tables. These permissions are controlled using the Location Intelligence Module's secured entity types, Location Intelligence.Named Resources and Location Intelligence.Dataset.DML. Users of Location Intelligence Module services must have at least View permissions for the resources they use as well as for any dependent resources. See Access Control for Datasets for more information on controlling dataset permissions.
spatial-user
The spatial-user role provides View permissions to named resources only. These permissions are controlled using the Location Intelligence Module's secured entity type, Location Intelligence.Named Resources. Users of Location Intelligence Module services must have at least View permissions for the resources they use as well as for any dependent resources.
spatial-dataset-editor
The spatial-dataset-editor role provides full permissions (Create/View/Modify/Delete) on datasets. These permissions are controlled using the Location Intelligence Module's secured entity type, Location Intelligence.Dataset.DML. See Access Control for Datasets for more information on this role and controlling permissions on datasets.

Dataflow designers who require access to named resources need additional permissions beyond that of the "designer" role. For instructions on creating a spatial dataflow designer, see Creating a Spatial Dataflow Designer.

Note: The permission settings in the User Management Service are mapped to the Spectrum™ Technology Platform permissions as follows: Read maps to View, Modify to Modify, Add to Create, and Remove to Delete.

Custom Spatial Roles and Access Control Settings

You can create custom roles based on the predefined spatial roles, assign them to user accounts, then fine-tune access to named resources for those roles and users by applying access control settings (overrides) to individual named resources, datasets, or to folders or directories. A typical scenario and best practice for setting security for the Location Intelligence Module involves creating a role with no permissions, applying access control settings to that role (for example, allowing modify and delete permissions for named resources in a specific folder), then assigning that custom role as well as one of the predefined spatial roles to a user. Another common scenario involves establishing override permissions for a single user; for example, creating a user account which has view-only permissions to named resources, then applying access control settings to that user that allow modifying and deleting of named resources in a specific folder.

Folders

Folder permissions are inherited by the resources and folders underneath as long as those resources and folders do not have any specific access control settings that override them. This is useful when you want to set permissions on a set of resources. You can make a folder accessible only to specified users or roles; other users will not see that folder or anything underneath it. For the Location Intelligence.Named Resources entity type, all listed resources that end with a forward slash (/) are folders or directories in the repository.

Permissions at the folder level, however, do not override permissions set at the lower, individual resource level. For example, if a folder has Create permissions for a specific role or user, but a single resource in the folder (such as a named table) has an access control setting to View permissions for that same role or user, the View (read-only) permissions for the single resource take precedence over the Create permissions for the folder.
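The inheritance and override rules in the two paragraphs above, worked through as an added example that is not Spectrum platform code: a small Python resolver over constructed principals, repository paths and access control settings. It assumes, as the custom-role scenario earlier suggests, that a user's effective permissions are the union of the most specific setting found for the user and for each of the user's roles; the principal names, paths and settings are all made up for the illustration.

```python
from typing import Dict, FrozenSet, List, Tuple

Perms = FrozenSet[str]
ALL: Perms = frozenset({"Create", "View", "Modify", "Delete"})
VIEW: Perms = frozenset({"View"})
NONE: Perms = frozenset()

# Constructed sample data (not from a real Spectrum repository).
# Base permissions per principal on the Named Resources entity type.
BASE: Dict[str, Perms] = {
    "spatial-user": VIEW,     # predefined role: View only
    "sales-editor": NONE,     # custom role created with no permissions
    "alice": NONE,
}
# Access control settings (overrides) keyed by (principal, repository path).
# A path ending in "/" is a folder and covers everything beneath it.
OVERRIDES: Dict[Tuple[str, str], Perms] = {
    ("sales-editor", "/Samples/Sales/"): ALL,           # full rights on a folder
    ("sales-editor", "/Samples/Sales/Regions"): VIEW,   # but one table is read-only
    ("alice", "/Samples/Private/"): ALL,                # per-user override
}
ROLES: Dict[str, List[str]] = {"alice": ["spatial-user", "sales-editor"]}

def most_specific(principal: str, path: str) -> Perms:
    """Return the override on the resource itself, else the nearest ancestor
    folder's override, else the principal's base permissions."""
    if (principal, path) in OVERRIDES:
        return OVERRIDES[(principal, path)]
    node = path.rstrip("/")
    while "/" in node:
        folder = node[: node.rfind("/") + 1]   # parent folder, trailing "/" kept
        if (principal, folder) in OVERRIDES:
            return OVERRIDES[(principal, folder)]
        node = folder.rstrip("/")
    return BASE.get(principal, NONE)

def effective(user: str, path: str) -> Perms:
    """Union of the most specific setting for the user and for each of its roles."""
    perms = most_specific(user, path)
    for role in ROLES.get(user, []):
        perms |= most_specific(role, path)
    return perms

def can(user: str, path: str, action: str) -> bool:
    return action in effective(user, path)

if __name__ == "__main__":
    for p in ("/Samples/Sales/Customers", "/Samples/Sales/Regions"):
        print(p, sorted(effective("alice", p)))
```

Running it shows the read-only setting on the single table winning over the Create/Modify/Delete rights granted on its folder, while a sibling table in the same folder inherits the full folder permissions.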