Managing users

You use the GeoSpock CLI to manage access to the GeoSpock database. This command line tool enables you to set up administrator rights and grant access to read data. For instructions on how to set up and use this command line interface, see The GeoSpock CLI.

Using the GeoSpock CLI to manage the GeoSpock database users, you can:

Be aware that a designated "Root" account is granted administrator rights during the deployment of the GeoSpock database account; refer to Setting up the Root account. This "Root" account is not granted READ access to any datasets by default.

Setting up the Root account

When deploying the GeoSpock database, set the variable root_admin_username to the username of an appropriate account that already exists in your identity provider. For example:

# Username of root user administrator (string)
# default: "Administrator"
root_admin_username = "root.user@geospock.com"

This account is given GRANT access with regard to dataset administration (refer to Dataset administration) and both GRANT and MODIFY access with regard to user group administration (refer to User administration).

We recommend that you choose a service account as the Root account and that, once appropriate user groups for dataset and user administration have been set up, this Root account is no longer used.

Setting up user groups and permissions using the root account

When first using the GeoSpock DB, the only account in your Identity Provider (IdP) with access will be the specified "Root" account. It is then anticipated that this "Root" account is used to set up the required user groups and permissions as follows:

  1. Log in to the GeoSpock CLI using the "Root" username and password (refer to Getting started with the GeoSpock CLI)
  2. Create a group for user administrators using group-create (refer to Creating a group)
  3. Add all user administrator usernames to this group using group-add-account (refer to Adding GeoSpock database users to a group)
  4. Grant user MODIFY and GRANT access to this user group using group-permission-grant (refer to Granting user administration permissions to groups)
    • Separate groups with user MODIFY and/or GRANT can be used if a segregation of duties is required for these functions, in which case multiple groups should be created in the steps above
  5. Create a group for dataset administrators using group-create
  6. Add all dataset administrator usernames to this group using group-add-account
  7. Grant dataset MODIFY and GRANT access to this user group using group-permission-grant (refer to Granting dataset administration permissions to groups)
    • Separate groups with dataset MODIFY and/or GRANT can be used if a segregation of duties is required for these functions, in which case multiple groups should be created in the steps above
  8. Grant user VIEW access to any dataset administration groups so that they have the rights to view user groups. This is required in order to grant dataset rights to those user groups

These user administrators can then perform user administration tasks such as creating groups and adding/removing users from those groups.

These dataset administrators can then perform dataset administration tasks such as creating datasets and granting READ permission to individual datasets or schema-wide.
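A check of a finished group setup against the steps above, as an added example that is not GeoSpock code. The GROUPS layout, the group names and the example.com accounts are constructed for illustration; this page does not show a CLI output format, so the group and permission data is assumed to have been transcribed into this form.

```python
# Added example: audits a group/permission layout against the setup steps.
# GROUPS is constructed sample data in an assumed layout, not GeoSpock CLI output.
ROOT = "root.user@geospock.com"
ADMIN_PERMS = [("user", "MODIFY"), ("user", "GRANT"),
               ("dataset", "MODIFY"), ("dataset", "GRANT")]
GROUPS = {
    "user-admins": {
        "members": {"alice@example.com"},
        "perms": {("user", "MODIFY"), ("user", "GRANT")}},
    "dataset-admins": {
        "members": {"alice@example.com", "bob@example.com"},
        "perms": {("dataset", "MODIFY"), ("dataset", "GRANT"), ("user", "VIEW")}},
    "dataset-granters": {  # step 8 was skipped for this group
        "members": {"carol@example.com"},
        "perms": {("dataset", "GRANT")}},
}


def audit(groups, root, segregate=False):
    """Return sorted findings; an empty list means the layout passes."""
    findings = []
    holders = {}  # (scope, right) -> accounts that hold it through a group
    for name, group in groups.items():
        perms = group["perms"]
        is_dataset_admin = any(
            scope == "dataset" and right in ("MODIFY", "GRANT")
            for scope, right in perms)
        # Step 8: dataset administration groups need user VIEW.
        if is_dataset_admin and ("user", "VIEW") not in perms:
            findings.append(f"{name}: dataset admin group lacks user VIEW")
        for perm in perms:
            holders.setdefault(perm, set()).update(group["members"])
    # Root can only be retired once each admin right is delegated to others.
    for scope, right in ADMIN_PERMS:
        if not holders.get((scope, right), set()) - {root}:
            findings.append(f"{scope} {right}: held by no account other than Root")
    if segregate:
        # Segregation of duties: nobody holds both MODIFY and GRANT in a scope.
        for scope in ("user", "dataset"):
            both = (holders.get((scope, "MODIFY"), set())
                    & holders.get((scope, "GRANT"), set()))
            findings += [f"{a}: holds both {scope} MODIFY and GRANT"
                         for a in sorted(both)]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(GROUPS, ROOT, segregate=True):
        print(finding)
```

Run with segregate=True only when a segregation of duties between MODIFY and GRANT is required, as in the sub-bullets of steps 4 and 7.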

Removing access for a user account

Deleting or disabling a user's account in your Identity Provider (IdP) prevents that user from accessing either the GeoSpock CLI or the SQL cluster (i.e. READ access via the Presto CLI or a BI tool).

To remove a user's access to both the GeoSpock CLI and the SQL cluster, use the group-all-remove-user command; refer to Removing a user from all groups.