Roles, Permissions and Resources

Description

From the Administration Backoffice, you can manage QWC2 roles, permissions and resources.

Warning

Role, permission and resource management from the Administration Backoffice is only relevant if the authentication method is qwc-db-auth. If the authentication method is some type of SSO (Single Sign-On) or LDAP, roles, permissions and resources are managed in those systems and not in this section.

In QWC2, permissions are assigned to roles over resources, never directly to a user or group. If you want to grant users or groups access to a resource, you first create a role, configure the permissions that role has on the resources in question, and then assign the role to the users or groups.

Roles

The first section we find is Role Management. Here we can create, edit and delete roles.

../../../../_images/roles_1.png

Resources

There are different types of resources, but the most used is Map, which corresponds to the WMS service of a QGIS project. The Import maps button creates the Map resources for the maps that are already published, so you do not have to enter them by hand.

Permissions for the Map resource control whether a theme is visible and whether the corresponding WMS is accessible via qwc-ogc-service.

Note: The visual behavior of restricted themes can be customized with the following options in the mapViewer service configuration within tenantConfig.json:

  • show_restricted_themes: Indicates whether placeholder elements for restricted themes should be shown. Default value: false.

  • show_restricted_themes_whitelist: Whitelist of names of restricted themes that will be shown as placeholders. If it is empty, all restricted themes will be shown. Only used if show_restricted_themes is enabled. Default value: [].

  • redirect_restricted_themes_to_auth: Indicates whether the viewer should redirect to the authentication service to start the login process when a restricted theme is requested via URL parameters and the user is not logged in. Default value: false.

../../../../_images/recursos_1.png

Permissions

Permissions are role-based. Roles can be assigned to groups or users, and users can be members of groups. A special role is public. The public role is always applied, regardless of whether a user has logged in or not, so any permission granted to public is effectively anonymous access and should be reviewed with that in mind.

Roles can receive permissions for resources.

The write marker is only used for resources of type Data and WFS Layer and determines whether the dataset or WFS layer is read-only or editable.

Using the configuration parameter permissions_default_allow in tenantConfig.json, resources that have no explicit permissions assigned can be treated as allowed (true) or restricted (false) by default. The default value is false, i.e. deny by default; with true, any map or layer you forget to restrict is reachable by every role, including public. The resources affected by this parameter are:

  • Map

  • Layer

  • Print template

  • Viewer task

  • FeatureInfo service

  • FeatureInfo layer

For example:

  • permissions_default_allow=true: all maps and layers are allowed by default.

  • permissions_default_allow=false: maps and layers are available only to roles that have been explicitly granted permissions on the corresponding resources.

Based on the user’s identity (username and/or group name), all corresponding roles and their permissions and restrictions are collected from the QWC configuration database by the QWC Config Generator service, which generates a permissions.json file.

QWC services read the permissions.json file and filter their responses according to these permissions and restrictions, using PermissionClient::resource_permissions() (the resources a role may access) or PermissionClient::resource_restrictions() (the resources a role is denied) from QWC Services Core.
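The following Python script is an added example, not code from QWC2 or the Config Generator. It models the resolution described above (roles collected from the user name and group memberships, the public role always applied, Map permissions combined under permissions_default_allow) together with the mapViewer restricted-theme options from the earlier note. The tenantConfig.json fragment, the users, groups, roles and Map permissions are all constructed for the example, and the dict layout used for the backoffice state is an assumption, not the schema of the QWC configuration database.

```python
import json

# Constructed tenantConfig.json fragment for this example: a deployment
# that denies by default and shows placeholders only for "cadastre".
TENANT_CONFIG = json.loads("""
{
  "config": {
    "permissions_default_allow": false
  },
  "services": [
    {
      "name": "mapViewer",
      "config": {
        "show_restricted_themes": true,
        "show_restricted_themes_whitelist": ["cadastre"],
        "redirect_restricted_themes_to_auth": true
      }
    }
  ]
}
""")

# Constructed backoffice state. These dicts stand in for what the Config
# Generator reads from the configuration database; the layout is an
# assumption made for this example, not the real schema.
USERS = {"alice": ["gis"], "bob": []}            # user -> groups
ROLES = {                                         # role -> members
    "public": {"users": [], "groups": []},        # always applied
    "viewer": {"users": ["bob"], "groups": ["gis"]},
    "cadastre_editor": {"users": [], "groups": ["gis"]},
}
MAP_PERMISSIONS = {                               # role -> Map resources granted
    "public": {"basemap"},
    "viewer": {"basemap", "zoning"},
    "cadastre_editor": {"cadastre"},
}
# Published maps; "internal" has no Map resource and no permission at all.
PUBLISHED_MAPS = ["basemap", "zoning", "cadastre", "internal"]


def roles_for(username):
    """Roles applied to an identity: public always, plus every role bound to
    the user directly or to one of the user's groups. None = not logged in."""
    roles = {"public"}
    if username is None:
        return roles
    groups = set(USERS.get(username, []))
    for role, members in ROLES.items():
        if username in members["users"] or groups & set(members["groups"]):
            roles.add(role)
    return roles


def permitted_maps(username, default_allow):
    """Maps the identity may see. With default_allow=False a map is visible
    only through an explicit permission of an applied role; with
    default_allow=True a map that no role has any permission for is also
    visible to everyone, while maps that do carry permissions stay
    restricted to the roles holding them."""
    granted = {m for r in roles_for(username) for m in MAP_PERMISSIONS.get(r, ())}
    has_any_permission = {m for maps in MAP_PERMISSIONS.values() for m in maps}
    visible = []
    for name in PUBLISHED_MAPS:
        if name in granted or (default_allow and name not in has_any_permission):
            visible.append(name)
    return sorted(visible)


def viewer_decision(username, theme, requested_via_url=False, tenant_config=TENANT_CONFIG):
    """What the map viewer does with a requested theme, following the
    mapViewer options and permissions_default_allow in tenantConfig.json."""
    default_allow = tenant_config["config"].get("permissions_default_allow", False)
    if theme in permitted_maps(username, default_allow):
        return "allowed"
    cfg = next(s["config"] for s in tenant_config["services"] if s["name"] == "mapViewer")
    if (username is None and requested_via_url
            and cfg.get("redirect_restricted_themes_to_auth", False)):
        return "redirect_to_auth"
    whitelist = cfg.get("show_restricted_themes_whitelist", [])
    if cfg.get("show_restricted_themes", False) and (not whitelist or theme in whitelist):
        return "placeholder"
    return "hidden"


if __name__ == "__main__":
    for user in (None, "bob", "alice"):
        for default_allow in (False, True):
            print(user, default_allow, permitted_maps(user, default_allow))
    print(viewer_decision(None, "cadastre", requested_via_url=True))
```

Running the script shows the practical difference between the two settings: the anonymous visitor sees only basemap when permissions_default_allow is false, but also the unconfigured internal map when it is true, and a restricted theme requested through the URL by a visitor who is not logged in triggers the redirect to the login process only because redirect_restricted_themes_to_auth is enabled.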

../../../../_images/permisos_1.png