Integrations
============

MapStore can share users, user groups and user roles with GeoServer. This integration allows administrators to configure access to the data depending on the user logged in to MapStore.

This integration can be done in two ways:

1. Share the users of MapStore in GeoServer
2. Connect both MapStore and GeoServer to the users of LDAP.

In the first case, the ADMIN user of MapStore is also an administrator for GeoServer, and you can manage the users of both applications from the MapStore user group manager.

In the second case, the users and groups are read-only from both MapStore and GeoServer, and the administration of users and user groups is delegated to the LDAP administrator.

.. note:: These configurations make it impossible to edit individual users/groups from the GeoServer admin UI, so in this case you will have to edit users from the MapStore UI or an LDAP client, depending on your configuration.

GeoServer
---------

GeoServer data security is based on the ROLE of a user.

The basic `data security system `_ of GeoServer lets you associate read/write/admin permissions on particular workspaces/layers with certain user roles.

.. figure:: ./img/data_newrule.jpg
   :alt: configuring an access rule in GeoServer default data security system
   :align: center
   :width: 500

A more advanced system called `GeoFence `_ can be integrated in GeoServer. It allows applying more fine-grained rules to decide which permissions on the data to grant to a particular user:

- Filtering the data on a particular area
- Writing rules for a certain range of IPs
- Limiting the usage of certain styles for a layer
- Allowing read/write under certain filter conditions
- Read/Write/Hide certain attributes of the features
- Limiting the usage of certain specific services and requests

.. figure:: ./img/rulepage.jpg
   :alt: Integrated GeoFence rule editor
   :align: center
   :width: 280

   Rule definition in GeoFence, integrated in GeoServer

The choice between the first and the second system depends on the specific use case, balancing complexity and functionality. In both cases, sharing users between MapStore and GeoServer makes it possible to apply these rules to the users who use MapStore as the entry point to browse data and perform operations, with the data secured by GeoServer.

.. note:: MapStore also has an interface that can interact with GeoFence to provide a UI to configure GeoFence rules. Both versions have their limitations.

MapStore GeoServer User Integration
-----------------------------------

The integration between MapStore and GeoServer can be done using `this guide `_.

Access to resources in MapStore is based on user **groups**. You can assign read/write permissions to a particular group from the "Save" dialog of the resource you are editing (this is valid for maps, dashboards, stories...). The **roles** in MapStore are only *USER*, *ADMIN* and *GUEST* (implicit for users who are not logged in).

GeoServer instead associates permissions with user **roles**.

To bridge this mismatch, the integration with GeoServer maps all the user groups in MapStore as roles in GeoServer. This allows the same user groups to be used both for sharing maps and for limiting access to layers.

.. note:: Maps and layers are completely independent even with the integration activated. When you share a map that contains a layer with a certain group of users on MapStore, you have to make sure that all the data in the map is accessible to the same users on GeoServer. Otherwise, if access to the layer is completely denied, some users will see an error in the map.

With the integration with GeoServer you can provide fine-grained access to the users.
You can allow some users to:

- Execute some processes (via `WPS security `_)
- Edit styles (by default allowed only to administrators, but you can change this by acting on the ``/rest/`` Filter Chains).
- Access layers based on users, using `standard GeoServer layer security `_ or, for more advanced and fine-grained control, `GeoFence `__
- Edit layers, limited to certain MapStore users (GeoServer Security). The editing can be enabled in the `plugin settings of MapStore `_

Integration with LDAP
---------------------

The `guide about LDAP integration `_ explains how to integrate LDAP with MapStore.

.. note:: From 2021.02.xx MapStore also has an `experimental LDAP integration `_ that provides an experimental **Direct connection mode**.

.. todo:: "Common setups" section

   a couple of charts of common setups

   - MapStore + GeoServer
   - MapStore + LDAP + GeoServer (different setups?)
   - MapStore + LDAP + GeoServer + GeoFence
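
The note on maps and layers being independent can be checked mechanically. The following added example (not part of MapStore or GeoServer) compares the groups a map is shared with against read rules written in GeoServer's ``layers.properties`` syntax. It assumes each MapStore group appears in GeoServer as a role of the same name, treats a layer with no matching rule as open, and uses constructed sample data.

```python
"""Added example: find map shares that GeoServer layer rules would block."""

# Constructed sample in layers.properties syntax (workspace.layer.permission=roles).
SAMPLE_RULES = """\
*.*.r=*
cadastre.*.r=surveyors
cadastre.parcels.r=surveyors,planners
mode=HIDE
"""
# Constructed sample: groups each MapStore map is shared with, and its layers.
SAMPLE_MAPS = {
    "zoning": {"groups": ["planners", "interns"],
               "layers": ["cadastre:parcels", "base:roads"]},
    "survey": {"groups": ["planners"], "layers": ["cadastre:benchmarks"]},
}

def parse_layer_rules(text):
    """Return {(workspace, layer, permission): set_of_roles} from rule lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = tuple(key.strip().split("."))
        if len(parts) != 3:  # skips settings such as mode=HIDE
            continue
        rules[parts] = {r.strip() for r in value.split(",") if r.strip()}
    return rules

def roles_for(rules, workspace, layer, perm="r"):
    """Most specific matching rule wins; no rule is treated here as open."""
    for key in ((workspace, layer, perm), (workspace, "*", perm), ("*", "*", perm)):
        if key in rules:
            return rules[key]
    return {"*"}

def audit(maps, rules):
    """List (map, layer, group) where a group can open the map but not read the layer."""
    findings = []
    for name, info in maps.items():
        for qualified in info["layers"]:
            workspace, _, layer = qualified.partition(":")
            allowed = roles_for(rules, workspace, layer)
            if "*" in allowed:
                continue
            # Assumption: MapStore group name == GeoServer role name.
            findings += [(name, qualified, g) for g in info["groups"] if g not in allowed]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAPS, parse_layer_rules(SAMPLE_RULES)):
        print("map %s: layer %s is not readable by group %s" % finding)
```

Each finding is a group that would open the shared map and get an error for that layer, so either the layer rule or the map share needs adjusting.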