
WebOffice usermanagement System Architecture


To understand how WebOffice usermanagement works in combination with WebOffice 10.4 SP2, take a look at the figure below. The WebOffice usermanagement administration work is done by two applications that are involved in maintaining the rights repository:

WebOffice author

UserManagement Admin Web

WebOffice author not only administers the WebOffice 10.4 SP2 project and application configuration but also saves base data (such as map service entries, project entries, layer entries, etc.) into the Usermanagement database. The connection to a Usermanagement database has to be defined in the Basic Settings. The UserManagement Admin Web application, on the other hand, is the administration tool for managing the role or group definitions (such as group rights for projects, restrictions for layers and templates, etc.) in the rights repository. The connection parameters for UserManagement Admin Web are defined in web.config.

 

Finally, WebOffice 10.4 SP2 reads the rights from the Usermanagement database using JDBC in order to give users access to projects, tools, data, etc. according to the configuration in the Usermanagement database. The connection to a Usermanagement database has to be configured in the Application Configuration.

 

Figure: WebOffice usermanagement system architecture

 

Implementing Role Based Security

First of all, you need to analyze carefully which user roles you want to implement. You should, for example, set up an Excel sheet that contains all relevant information. This will also serve as documentation later. This analysis is necessary; without it you will not be able to set up and maintain your WebOffice usermanagement rights repository efficiently.

To minimize administrative work, you should use a multi-level access rights approach: from coarse-grained control towards fine-grained rights control. This way you will be able to implement your needs with a minimum of work and time.

 

Figure: WebOffice usermanagement level of access control

 

As you can see in the figure above, there are different access rights levels:

WebOffice project level:
On this level you need to determine whether the role you currently specify should have access to a specific WebOffice 10.4 SP2 project or not.
You should check all available WebOffice 10.4 SP2 projects concerning this aspect.

Tool level:
On this level you need to analyze and check only those WebOffice 10.4 SP2 projects that are accessible for the role you currently specify.
On this level you need to determine which toolbar tools are available for the role you currently specify. Each different tool setting is stored in a WebOffice 10.4 SP2 application role.

Layer level:
On this level you need to analyze and check only those WebOffice 10.4 SP2 projects that are accessible for the role you currently specify.
On this level you need to analyze and check only those layer aspects which are relevant for the accessible tools, e.g. if the Edit tool is not accessible (available) then you do not need to analyze or specify layer edit rights at all.
On this level you need to check (in the order given below) for the role you currently specify which

o Map services should be
     visible or not
o Layer groups should be
     visible or not
o Layers should be
     visible or not
     searchable (search based on attributes)
     available for identify or select operations (search based on spatial location)
     available for edit operations (create object, edit object, delete object)

Object Level:
On this level you need to analyze and check only those WebOffice 10.4 SP2 projects that are accessible for the role you currently specify.
On this level you need to analyze and check only those layer aspects which are relevant for the accessible tools, e.g. if the Edit tool is not accessible (available) then you do not need to analyze or specify layer edit rights at all.
On this level you need to analyze and check only those layers which are at least visible and on which you can either search, spatially select or edit.
On this level you need to check, for the role you currently specify, which filter expression determines the layer objects the role is allowed to access, i.e. you only need to analyze those layers for which at least part of the objects should NOT be accessible/available for the role.
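
The coarse-to-fine analysis order above can be checked mechanically on the role sheet before it is entered into the rights repository. The following is an added example, not WebOffice code or its data model: the class names, the tool labels (Search, Identify, Edit) and the sample role are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed tool labels; each layer right only matters if its tool is available.
RIGHT_NEEDS_TOOL = {"searchable": "Search", "selectable": "Identify", "editable": "Edit"}

@dataclass
class LayerRights:           # hypothetical row of the analysis sheet
    visible: bool = False
    searchable: bool = False
    selectable: bool = False
    editable: bool = False
    object_filter: str = ""  # object-level filter expression, "" means none

@dataclass
class ProjectRights:         # hypothetical, one entry per role and project
    accessible: bool = False
    tools: set = field(default_factory=set)
    layers: dict = field(default_factory=dict)  # layer name -> LayerRights

def review_role(role):
    """Walk project -> tool -> layer -> object level and list superfluous entries."""
    findings = []
    for pname, proj in sorted(role.items()):
        if not proj.accessible:  # project level: nothing below needs analysis
            if proj.tools or proj.layers:
                findings.append(f"{pname}: not accessible, tool/layer entries not needed")
            continue
        for lname, lr in sorted(proj.layers.items()):
            usable = False
            for right, tool in RIGHT_NEEDS_TOOL.items():
                if not getattr(lr, right):
                    continue
                if tool in proj.tools:
                    usable = True
                else:  # layer level: a right is irrelevant without its tool
                    findings.append(f"{pname}/{lname}: {right} set, tool {tool} unavailable")
            if lr.object_filter and not (lr.visible and usable):  # object level
                findings.append(f"{pname}/{lname}: filter on layer that is not visible and usable")
    return findings

# Constructed sample role, for illustration only.
SAMPLE_ROLE = {
    "cadastre": ProjectRights(True, {"Search", "Identify"}, {
        "parcels": LayerRights(visible=True, searchable=True, editable=True),
        "owners": LayerRights(visible=False, object_filter="district = 'north'"),
    }),
    "utilities": ProjectRights(False, {"Edit"}, {}),
}

if __name__ == "__main__":
    for line in review_role(SAMPLE_ROLE):
        print(line)
```

Each finding marks an entry that the analysis order makes unnecessary for that role, so the sheet can be trimmed to the rights that are actually relevant.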