ACL and Repository

The ACL permissions that can be granted using the ACL services fall into three categories.

  • Folder ACL: Grants permissions for managing the content of the repository (including uploading, creating, and deleting named resources, and setting further permissions on them). These permissions are granted on repository folders. Users with these permissions are able to view or modify named resources within the folders on which they are granted permission. Users who have permissions on one or more folders are called sub-admins because they can manage a subset of the repository.

    Sub-admins:

    • have access to the Named Resource and ACL services and in future releases will also be able to log into the Spatial Manager and Map Uploader to manage resources
    • are able to log into Spatial Manager and Map Uploader in the current release.
      Note: Any Spectrum user can log into the Spatial Manager, but you must be a sub-admin to be able to log into the Map Uploader.
  • Resource ACL: Grants permissions for rendering specific named tiles, named maps and named layers. These permissions are granted on the resources themselves. Users with these permissions are able to use the mapping and tiling services to render and describe mapping resources. Users who are sub-admins will also inherit resource permissions to render resources that are within their folders.
  • Dataset ACL: Grants permissions for querying or editing specific named tables (i.e. CRUD operations for create, read, update, delete). These permissions are granted on the named table resources themselves. Users with these permissions are able to query features from the tables or to insert/update/delete features. Users who are sub-admins will also inherit dataset permissions to query any tables. However, they do not inherit the dataset insert, update or delete permissions. To edit tables, they must be given these permissions in addition to the folder permissions.

The following table summarizes the three categories, the named resources they affect and the specific permissions that can be granted under each category. There are also some named resources which do not have permissions granted on them. These are also listed in the table.

Table 1. Summary of ACL Permissions

| Type of Permission | Granted On | Permissions set using ACL Services | Permissions that are persisted to the Spectrum Platform | Activities that users can perform |
|---|---|---|---|---|
| Folder Permission | Repository Folders | READ | NamedResource.EXECUTE, NamedResource.VIEW | The user can view folders, subfolders, and their content as sub-admin. The user can render any maps and layers within their folders. The user can query any tables within their folders. |
| Folder Permission | Repository Folders | WRITE | NamedResource.CREATE, NamedResource.DELETE, NamedResource.MODIFY | The user can create, delete, or modify resources within their folders including uploading resources and setting new ACL permissions on them. |
| Resource Permission | Named Tiles, Named Maps, Named Layers, and Named Label Sources | EXECUTE | NamedResource.EXECUTE | The user can render the maps and layers on which they have this permission. |
| Dataset Permission | Named Tables and Named View Tables | EXECUTE | NamedResource.EXECUTE | The user can query the data from the tables on which they have this permission. |
| Dataset Permission | Named Tables and Named View Tables | CREATE | Dataset.DML.CREATE | The user can insert new records into the tables on which they have this permission. |
| Dataset Permission | Named Tables and Named View Tables | DELETE | Dataset.DML.DELETE | The user can delete records from the tables on which they have this permission. |
| Dataset Permission | Named Tables and Named View Tables | MODIFY | Dataset.DML.MODIFY | The user can update records in the tables on which they have this permission. |
| No permissions required | Named Styles | | | There is no ACL applied to the Named Styles. Any named style referenced in a layer or WMS can be accessed when rendering the layer. |
| No permissions required | Named Connections | | | There is no ACL applied to the Named Connections. Any Named Connection can be used when querying data from a Named Table. However, Named Connections can only be seen by the users who are sub-admins (i.e. who have folder permissions) via the Named Resource Service. |
| No permissions required | Metadata Resources | | | There is no ACL applied to the Named Resource Metadata. Currently these can only be viewed by the admins or the users who are sub-admins (i.e. who have folder permissions) via the Named Resource Service. |
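
The mapping in Table 1 and the sub-admin inheritance rule can be modelled as a small access-review script. This is an added example, not part of the Spectrum documentation or API: the `Grant` type, the function names, the users and the repository paths are all constructed for illustration. It resolves the persisted permissions a user ends up with on a named table and shows that folder permissions alone never yield the `Dataset.DML.*` rights.

```python
from dataclasses import dataclass

# (category, ACL-service permission) -> permissions persisted to the platform (Table 1)
PERSISTED = {
    ("folder", "READ"): {"NamedResource.EXECUTE", "NamedResource.VIEW"},
    ("folder", "WRITE"): {"NamedResource.CREATE", "NamedResource.DELETE",
                          "NamedResource.MODIFY"},
    ("resource", "EXECUTE"): {"NamedResource.EXECUTE"},
    ("dataset", "EXECUTE"): {"NamedResource.EXECUTE"},
    ("dataset", "CREATE"): {"Dataset.DML.CREATE"},
    ("dataset", "DELETE"): {"Dataset.DML.DELETE"},
    ("dataset", "MODIFY"): {"Dataset.DML.MODIFY"},
}

@dataclass(frozen=True)
class Grant:              # hypothetical record of one ACL entry
    user: str
    category: str         # "folder", "resource" or "dataset"
    path: str             # repository folder or named resource path
    permission: str

def effective(grants, user, resource_path):
    """Persisted permissions that apply to `user` on `resource_path`."""
    perms = set()
    for g in grants:
        if g.user != user:
            continue
        if g.category == "folder":
            # Folder grants cover content of the folder and its subfolders.
            # Compare on a path boundary so /Projects/Roads does not match
            # /Projects/RoadsArchive.
            applies = resource_path.startswith(g.path.rstrip("/") + "/")
        else:
            applies = g.path == resource_path
        if applies:
            perms |= PERSISTED[(g.category, g.permission)]
    return perms

def dml_rights(grants, user, table_path):
    """Insert/update/delete rights; only explicit dataset grants produce these."""
    return {p for p in effective(grants, user, table_path)
            if p.startswith("Dataset.DML.")}

# Constructed sample grants.
TABLE = "/Projects/Roads/NamedTables/Segments"
GRANTS = [
    Grant("alice", "folder", "/Projects/Roads", "READ"),    # sub-admin
    Grant("alice", "folder", "/Projects/Roads", "WRITE"),
    Grant("bob", "dataset", TABLE, "EXECUTE"),
    Grant("bob", "dataset", TABLE, "MODIFY"),
    Grant("carol", "resource", "/Projects/Roads/NamedMaps/Overview", "EXECUTE"),
]
```

In this model `alice` holds `NamedResource.MODIFY` on the table through her folder WRITE grant, which covers the resource definition, while only `bob` holds `Dataset.DML.MODIFY` and can update records.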