Managing users
You use the GeoSpock CLI to manage access to the GeoSpock database. This command line tool enables you to set up administrator rights and grant access to read data. For instructions on how to set up and use this command line interface, see The GeoSpock CLI.
Using the GeoSpock CLI to manage the GeoSpock database users, you can:
- set up user groups (
group-create,group-add-user, etc.); see Managing group access - grant administrator access to user groups (
group-permission-grant, etc.): see User administration - grant administrator access to datasets (
dataset-permission-grant, etc.); see Dataset administration - grant dataset read access; see Data Security
Be aware that a designated "root" account is granted administrator rights during the deployment of the Geospock database
account; refer to Setting up the Root account. This "Root" account is
not granted READ access to any datasets by default.
Setting up the Root account
When deploying the GeoSpock database, the variable root_admin_username should be given the username of an appropriate
account that already exists in your identity provider. For example:
# Username of root user administrator (string)
# default: "Administrator"
root_admin_username = "root.user@geospock.com"
This account is given GRANT access with regards to dataset administration (refer to Dataset administration)
and both GRANT and MODIFY access with regards to user group administration (refer to User administration).
We recommend that the account chosen for the Root account is a service account, and once appropriate user groups for dataset and user administration have been set up, this Root account is no longer used.
Setting up user groups and permissions using the root account
When first using the GeoSpock DB, the only account in your Identity Provider (IdP) with access will be the specified "Root" account. It is then anticipated that this "Root" account is used to set up the required user groups and permissions as follows:
- Log in to the GeoSpock CLI using the "Root" username and password (refer to Getting started with the GeoSpock CLI)
- Create a group for user administrators using
group-create(refer to Creating a group) - Add all user administrator usernames to this group using
group-add-account(refer to Adding GeoSpock database users to a group) - Grant user
MODIFYandGRANTaccess to this user group usinggroup-permission-grant(refer to Granting user administration permissions to groups)- Separate groups with user
MODIFYand/orGRANTcan be used if a segregation of duties is required for these functions, in which case multiple groups should be created in the steps above
- Separate groups with user
- Create a group for dataset administrators using
group-create - Add all dataset administrator usernames to this group using
group-add-account - Grant dataset
MODIFYandGRANTaccess to this user group usinggroup-permission-grant(refer to Granting dataset administration permissions to groups)- Separate groups with dataset
MODIFYand/orGRANTcan be used if a segregation of duties is required for these functions, in which case multiple groups should be created in the steps above
- Separate groups with dataset
- Grant user
VIEWaccess to any dataset administration groups so that they have the rights to view user groups. This is required in order to grant dataset rights to those user groups
These user administrators can then perform user administration tasks such as creating groups and adding/removing users from those groups.
These dataset administrators can then perform dataset administration tasks such as creating datasets and granting
READ permission to individual datasets or schema-wide.
Removing access for a user account
Deleting or disabling a user's account in your Identity Provider (IdP) will prevent access via either the GeoSpock CLI
or to the SQL cluster (i.e. READ access via the Presto CLI or a BI Tool).
To remove a user's access to both the GeoSpock CLI and the SQL cluster, use the group-all-remove-user command; refer
to Removing a user from all groups.