Managing users

Before your users can interact with the GeoSpock database, you must grant them the permissions they require.

All database operations (both administration tasks and submitting queries) are controlled through user groups. Permissions are assigned to groups, and users are added to those groups. A user's permissions are determined by the groups that user belongs to. To manage these permissions, you use the GeoSpock CLI.

Using the CLI, you can:

Once you have ingested some data, you can

Note that you do not use the GeoSpock CLI to add users to the system. Users must be added directly to the Identity Provider (IdP) that is integrated with the GeoSpock database (see Authentication and authorization). Once users have been added to the IdP, you can use the GeoSpock CLI to add those users to groups and allocate permissions to those groups.

Setting up user groups and permissions using the root account

A designated "root account" is granted administrator rights when the GeoSpock database is initially deployed.

This account has the ability to create new groups, add users to those groups, and control the permissions allocated to those groups. Note that the root account does not have permission to query any datasets by default.

The root account should be used to set up the initial user groups and permissions. It is anticipated that, once user groups exist with administrative permissions, and other users have been added to those groups, the root account need not be used any further.

To create an initial set of user groups using the root account, first log in to the GeoSpock CLI using the "root" username and password (refer to Getting started with the GeoSpock CLI).

Create a group for user administrators

  1. Create a group for user administrators using group-create (refer to Creating a group)
  2. Add all user administrator usernames to this group using group-add-user (refer to Adding users to a group)
  3. Grant user MODIFY and GRANT access to this user group using group-permission-grant (refer to Granting user administration permissions to groups)

Note that separate groups with user MODIFY and/or GRANT can be used if a segregation of duties is required for these functions. In this case, multiple groups should be created in the steps above.

Create a group for dataset administrators

  1. Create a new group for dataset administrators using group-create
  2. Add all dataset administrator usernames to this group using group-add-user
  3. Grant dataset MODIFY and GRANT access to this user group using dataset-permission-grant (refer to Granting dataset permissions to groups)
    • Note that separate groups with dataset MODIFY and/or GRANT can be used if a segregation of duties is required for these functions. In this case, multiple groups should be created in the steps above.
  4. Grant user VIEW access to the group using group-permission-grant so that users in the group have the rights to view user groups. This is required in order to grant dataset rights to those user groups.
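
The following is an added example, not part of the GeoSpock documentation or CLI: a small audit of a planned group layout against the two notes above (segregation of MODIFY and GRANT, and user VIEW for groups that grant dataset rights). The group names, usernames and the dictionary layout are constructed assumptions; the script does not call the GeoSpock CLI.

```python
from collections import defaultdict

# Constructed sample of a group layout; group names, usernames and this
# dict structure are assumptions, not GeoSpock CLI output.
GROUPS = {
    "user-modifiers": {"members": {"alice", "bob"}, "user": {"MODIFY"}, "dataset": set()},
    "user-granters": {"members": {"bob", "carol"}, "user": {"GRANT"}, "dataset": set()},
    "dataset-admins": {"members": {"dave"}, "user": set(), "dataset": {"MODIFY", "GRANT"}},
}

def effective_permissions(groups):
    """Union each user's permissions over every group they belong to."""
    eff = defaultdict(lambda: {"user": set(), "dataset": set()})
    for g in groups.values():
        for member in g["members"]:
            eff[member]["user"] |= g["user"]
            eff[member]["dataset"] |= g["dataset"]
    return dict(eff)

def audit(groups, segregate=True):
    """Return sorted findings as (kind, subject, scope) tuples."""
    findings = []
    for name, g in groups.items():
        # Dataset GRANT is only usable if the group can also view user groups.
        if "GRANT" in g["dataset"] and "VIEW" not in g["user"]:
            findings.append(("missing-user-view", name, "user"))
    if segregate:
        # Splitting MODIFY and GRANT across groups does not help if one
        # user sits in both groups, so check per user, not per group.
        for user, perms in effective_permissions(groups).items():
            for scope in ("user", "dataset"):
                if {"MODIFY", "GRANT"} <= perms[scope]:
                    findings.append(("modify-and-grant", user, scope))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(GROUPS):
        print(finding)
```

Pass `segregate=False` when a single administrator group holding both MODIFY and GRANT is intended, as in the default steps above.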