Managing users
Before your users can interact with the GeoSpock database, you will need to give them the permissions they need.
All database operations (both administration tasks and submitting queries) are controlled by using user groups. Permissions are assigned to groups, and users are added to those groups. The permissions of a user are determined by which groups that user belongs to. To manage these permissions, you use the GeoSpock CLI.
Using the CLI, you can:
- set up user groups (group-create, group-add-user, etc.); see Managing user groups
- control permissions allocated to user groups (group-permission-grant etc.); see Controlling group permissions.
Once you have ingested some data, you can
- manage access to your datasets; see Managing dataset access.
Note that you do not use the GeoSpock CLI to add users to the system. Users must be added directly to the Identity Provider (IdP) that is integrated with the GeoSpock database (see Authentication and authorization). Once users have been added to the IdP, you can use the GeoSpock CLI to add those users to groups and allocate permissions to those groups.
Setting up user groups and permissions using the root account
A designated "root account" is granted administrator rights when the GeoSpock database is initially deployed.
This account has the ability to create new groups, add users to those groups, and control the permissions allocated to those groups. Note that the root account does not have permission to query any datasets by default.
The root account should be used to set up the initial user groups and permissions. It is anticipated that, once user groups exist with administrative permissions, and other users have been added to those groups, the root account need not be used any further.
To create an initial set of user groups using the root account, first log in to the GeoSpock CLI using the "root" username and password (refer to Getting started with the GeoSpock CLI).
Create a group for user administrators
- Create a group for user administrators using group-create (refer to Creating a group)
- Add all user administrator usernames to this group using group-add-account (refer to Adding users to a group)
- Grant user MODIFY and GRANT access to this user group using group-permission-grant (refer to Granting user administration permissions to groups)
Note that separate groups with user MODIFY and/or GRANT can be used if a segregation of duties is required for these functions. In this case, multiple groups should be created in the steps above.
Create a group for dataset administrators
- Create a new group for dataset administrators using group-create
- Add all dataset administrator usernames to this group using group-add-account
- Grant dataset MODIFY and GRANT access to this user group using dataset-permission-grant (refer to Granting dataset permissions to groups)
  - Note that separate groups with dataset MODIFY and/or GRANT can be used if a segregation of duties is required for these functions. In this case, multiple groups should be created in the steps above.
- Grant user VIEW access to the group using group-permission-grant so that users in the group have the rights to view user groups. This is required in order to grant dataset rights to those user groups.
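The following is an added example, not GeoSpock code and not part of the original page: a small Python model of the group scheme described above, useful for reviewing a planned group layout before creating it with the CLI. It assumes segregation of duties is required; the group names, usernames and the (scope, permission) data layout are all constructed for illustration.

```python
# Added illustration: a model of the group-based permission scheme, not the GeoSpock API.
from collections import defaultdict

# Constructed sample layout (hypothetical group names and usernames).
GROUPS = {
    "user-modify":    {"members": {"alice", "erin"}, "perms": {("user", "MODIFY")}},
    "user-grant":     {"members": {"bob", "erin"},   "perms": {("user", "GRANT")}},
    "dataset-admins": {"members": {"carol"},
                       "perms": {("dataset", "MODIFY"), ("dataset", "GRANT")}},
    "dataset-grant":  {"members": {"dave"},
                       "perms": {("dataset", "GRANT"), ("user", "VIEW")}},
}

def effective_permissions(groups):
    """A user's permissions are the union of the permissions of every group they belong to."""
    eff = defaultdict(set)
    for group in groups.values():
        for user in group["members"]:
            eff[user] |= group["perms"]
    return dict(eff)

def segregation_violations(groups):
    """Users who end up with both MODIFY and GRANT on the same scope (user or dataset)."""
    found = []
    for user, perms in sorted(effective_permissions(groups).items()):
        for scope in ("user", "dataset"):
            if {(scope, "MODIFY"), (scope, "GRANT")} <= perms:
                found.append((user, scope))
    return found

def users_missing_user_view(groups):
    """Users with dataset GRANT but no user VIEW: they cannot see the user
    groups they are meant to grant dataset rights to."""
    eff = effective_permissions(groups)
    return sorted(user for user, perms in eff.items()
                  if ("dataset", "GRANT") in perms and ("user", "VIEW") not in perms)

if __name__ == "__main__":
    for user, scope in segregation_violations(GROUPS):
        print(f"{user}: holds both MODIFY and GRANT on {scope}")
    for user in users_missing_user_view(GROUPS):
        print(f"{user}: has dataset GRANT but lacks user VIEW")
```

In the sample layout, erin is flagged only because of membership in two separate groups, which is the case a per-group review misses.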