Managing Users, Resources and Permissions¶
qwc-docker
has a QWC configuration backend. That backend can be reached by default at http://localhost:8088/qwc_admin.
The configuration backend allows to assign users and groups to roles. The roles in their turn can receive permissions on resources. These configuration settings will be stored in the configuration database. Out of the box qwc-docker
comes with with a container qwc-postgis
that contains the configuration database.
Users, groups and roles¶
Roles can be given permissions on resources. That means that if you want to give users or groups permissions on resources, then you have to first create a role, configure the permissions that the roles has on some resources, and then assign the role the users or groups.
Resources¶
The following resource types are available:
Map
: WMS corresponding to a QGIS ProjectLayer
: Layer of a mapAttribute
: Attribute of a map layer (i.e. for WFS)
Print template
: Print composer template of a QGIS ProjectData
: Data layer for editingAttribute
: Attribute of a data layer
Data (create)
: Data layer for creating featuresData (read)
: Data layer for reading featuresData (update)
: Data layer for updating featuresData (delete)
: Data layer for deleting featuresViewer task
: Permittable viewer tasksFeatureInfo service
: Feature info serviceFeatureInfo layer
: Feature info layerAttribute
: Attribute of a info layer
The resource name corresponds to the technical name of its resource (e.g. WMS layer name). Most notably, the name of a map
resource corresponds to the relative path to the project below qgs-resources
without .qgs
extension (so i.e. the resource name for qgs-resources/subfolder/project.qgs
will be subfolder/project
).
Note: If your QGIS project is configured to return the field aliases rather than the field names in GetFeatureInfo
, the resource name for layer attribute
resources corresponds to the alias of the field.
Available map
, layer
, attribute
and print_template
resources are determined from WMS GetProjectSettings
and the QGIS projects.
The data
and their attribute
resources define a data layer for the Data service.
For more detailed CRUD permissions data_create
, data_read
, data_update
and data_delete
can be used instead of data
(data
and write=False
is equivalent to data_read
; data
and write=True
is equivalent to all CRUD resources combined).
The viewer_task
resource defines viewer functionalities (e.g. printing or raster export) that can be restricted or permitted.
Their name
(e.g. RasterExport
) will be matched against:
- The key
in menuItems
and toolbarItems
in the QWC2 config.json
.
- The name
of a plugin entry in config.json
.
- The task
configuration property of a TaskButton
plugin entry in config.json
Note: You can restrict tasks entires which specify a mode (i.e. {"key": "Measure", "mode": "LineString"}
) by concatenating the task key and the mode as the viewer_task
resource name, i.e. MeasureLineString
.
The FeatureInfo service
, FeatureInfo layer
and subordinate Attribute
resources allow controlling whether an entire WMS service, its layers or its attributes are queryable via GetFeatureInfo.
Restricted viewer task items are then removed from the menu and toolbar in the map viewer. Viewer tasks not explicitly added as resources are kept unchanged from the config.json
.
Note: The resource types, i.e. for custom QWC2 plugins, can be extended by inserting new types into the qwc_config.resource_types
table.
These can be queried, e.g. in a custom service, by using PermissionClient::resource_permissions()
or
PermissionClient::resource_restrictions()
from QWC Services Core.
Permissions¶
Permissions are based on roles. Roles can be assigned to groups or users, and users can be members of groups. A special role is "public". The "public" role applies always, no matter whether a user is signed in or is not signed in.
Roles can be assigned permission for resources.
The write
flag is only used for data
resources and determines whether a data layer is read-only.
Based on the user's identity (user name and/or group name), all corresponding roles and their permissions and restrictions are collected. The service configurations are then modified according to these permissions and restrictions.
By using the permissions_default_allow
configuration setting in tenantConfig.json
, some resources can be set to be permitted or restricted by default if no permissions are set (default: false
). Among affected resources are Map
, Layer
, Print template
, Viewer task
, FeatureInfo service
, FeatureInfo layer
. E.g.:
permissions_default_allow=true
: all maps and layers are permitted by defaultpermissions_default_allow=false
: maps and layers are only available if their resources and permissions are explicitly configured
Restricted themes¶
The display behaviour of restricted themes can be configured in the mapViewer
service configuration in tenantConfig.json
as follows:
{
"name": "mapViewer",
"config": {
"show_restricted_themes": false,
"show_restricted_themes_whitelist": [],
"redirect_restricted_themes_to_auth": false,
"internal_permalink_service_url": "http://qwc-permalink-service:9090"
}
}
show_restricted_themes
: Whether to show placeholder items for restricted themes. Default:false
.show_restricted_themes_whitelist
: Whitelist of restricted theme names to display as placeholders. If empty, all restricted themes are shown. Only used ifshow_restricted_themes
enabled. Default:[]
.redirect_restricted_themes_to_auth
: Whether to redirect to login on auth service if requesting a restricted theme in URL params, if not currently signed in. Default:false
.internal_permalink_service_url
: Internal permalink service URL for getting the theme from a resolved permalink for redirecting to login (default:http://qwc-permalink-service:9090
). This is used only ifredirect_restricted_themes_to_auth
is enabled andpermalink_service_url
is set.
Permissions file¶
The QWC Config Generator generates a JSON file for all permissions from the QWC ConfigDB. See READMEs of QWC services for service specific contents in permissions.json
.
Group registration¶
Using the optional Registration GUI allows users to request membership or unsubscribe from registrable groups. These requests can then be accepted or rejected in the Admin GUI.
Workflow:
- Admin GUI
- admin user creates new groups with assigned roles and permissions on resources
- admin user configures registrable groups
- Registration GUI
- user select desired groups from registrable groups and submits application form
- admin users are notified of new registration requests
- Admin GUI
- admin user selects entry from list of pending registration requests
- admin user accepts or rejects registration requests for a user
- user is added to or removed from accepted groups
- user is notified of registration request updates
- Map Viewer
- user permissions are updated for new groups