Integrations

MapStore can share users, user groups and user roles with GeoServer. This integration allows administrators to configure access to the data according to the user logged in to MapStore.

This integration can be set up in two ways:

  1. Share the MapStore users with GeoServer
  2. Connect both MapStore and GeoServer to the same users in LDAP.

In the first case, the ADMIN user of MapStore is also an administrator of GeoServer, and you can manage the users of both applications from the MapStore user group manager. In the second case, users and groups are read-only from both MapStore and GeoServer, and the administration of users and user groups is delegated to the LDAP administrator.

Note

Both configurations make it impossible to edit single users or groups from the admin UI of GeoServer: depending on your configuration, you will have to edit users from the MapStore UI or from an LDAP client.

GeoServer

GeoServer data security is based on the ROLE of the user.

The basic data security system of GeoServer associates read/write/admin permissions on particular workspaces or layers with certain user roles.

configuring an access rule in GeoServer default data security system

A more advanced system, GeoFence, can be integrated into GeoServer. It applies more fine-grained rules to decide whether to grant a particular user access to data, for example:

  • Filtering the data on a particular area
  • Writing rules for a certain range of IPs
  • Limiting the styles that can be used for a layer
  • Allowing read/write access under certain filter conditions
  • Reading, writing or hiding certain attributes of the features
  • Limiting the usage of specific services and requests

Integrated GeoFence rule editor

Rule definition in GeoFence, integrated in GeoServer
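The capabilities listed above only make sense once you see how GeoFence combines several rules into one decision for a request. The following Python model is an added example written for this page, not GeoFence's or MapStore's code, and the rule set in it is constructed. It assumes GeoFence's documented evaluation order: rules are tried by ascending priority, a matching LIMIT only narrows the allowed area, the first matching ALLOW or DENY decides (ALLOW merges the area collected so far), and a request that matches nothing is denied. Areas are bounding boxes rather than geometries to keep the example dependency-free.

```python
"""
Simplified model of GeoFence rule evaluation (added example, not GeoFence or
MapStore code). Rules match on role, IP range, service/request and
workspace/layer, and carry per-rule limits: allowed area (LIMIT or ALLOW),
hidden attributes and allowed styles (ALLOW only). Assumed evaluation order:
ascending priority, LIMIT narrows the area and continues, first ALLOW/DENY
decides, no match means DENY. Areas are bounding boxes, not geometries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"
Box = Tuple[float, float, float, float]        # minx, miny, maxx, maxy
EMPTY = (0.0, 0.0, 0.0, 0.0)                   # disjoint limits: nothing is visible

@dataclass(frozen=True)
class Rule:
    priority: int                 # lower value = evaluated first
    access: str                   # ALLOW, DENY or LIMIT
    role: str = ANY
    ip_range: str = ANY           # CIDR such as "10.0.0.0/8"
    service: str = ANY            # WMS, WFS, WPS ...
    request: str = ANY            # GetMap, Transaction, Execute ...
    workspace: str = ANY
    layer: str = ANY
    allowed_area: Optional[Box] = None    # LIMIT or ALLOW
    hidden_attributes: tuple = ()         # ALLOW only
    allowed_styles: tuple = ()            # ALLOW only; empty means any style

@dataclass(frozen=True)
class Request:
    roles: frozenset
    client_ip: str
    service: str
    request: str
    workspace: str = ""
    layer: str = ""

@dataclass(frozen=True)
class Decision:
    access: str
    allowed_area: Optional[Box] = None          # None means no spatial limit
    hidden_attributes: frozenset = frozenset()
    allowed_styles: frozenset = frozenset()
    matched_priority: Optional[int] = None      # None: default deny, no rule matched

def _matches(rule: Rule, req: Request) -> bool:
    if rule.role != ANY and rule.role not in req.roles:
        return False
    if rule.ip_range != ANY:
        if ipaddress.ip_address(req.client_ip) not in ipaddress.ip_network(rule.ip_range):
            return False
    pairs = ((rule.service, req.service), (rule.request, req.request),
             (rule.workspace, req.workspace), (rule.layer, req.layer))
    return all(rv == ANY or rv.lower() == qv.lower() for rv, qv in pairs)

def intersect(a: Optional[Box], b: Optional[Box]) -> Optional[Box]:
    """Intersect two area limits; None stands for 'no restriction'."""
    if a is None or b is None:
        return a if b is None else b
    box = (max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3]))
    return box if box[0] < box[2] and box[1] < box[3] else EMPTY

def evaluate(rules, req: Request) -> Decision:
    area = None
    for rule in sorted(rules, key=lambda r: r.priority):
        if not _matches(rule, req):
            continue
        if rule.access == "LIMIT":
            area = intersect(area, rule.allowed_area)
            continue                         # a LIMIT never decides on its own
        if rule.access == "DENY":
            return Decision("DENY", matched_priority=rule.priority)
        return Decision("ALLOW", intersect(area, rule.allowed_area),
                        frozenset(rule.hidden_attributes),
                        frozenset(rule.allowed_styles), rule.priority)
    return Decision("DENY")                  # nothing matched: deny by default

# Constructed rule set, not taken from a real GeoFence instance.
RULES = [
    Rule(10, "ALLOW", role="analysts", service="WPS"),           # only analysts run processes
    Rule(20, "DENY", service="WPS"),
    Rule(30, "ALLOW", role="surveyors", ip_range="10.0.0.0/8",   # edits only from the LAN
         service="WFS", request="Transaction", workspace="cadastre"),
    Rule(40, "DENY", service="WFS", request="Transaction"),
    Rule(50, "LIMIT", role="surveyors", workspace="cadastre", layer="parcels",
         allowed_area=(0.0, 0.0, 50.0, 50.0)),                   # surveyors see one area only
    Rule(55, "ALLOW", role="managers", workspace="cadastre", layer="parcels"),
    Rule(60, "ALLOW", workspace="cadastre", layer="parcels",     # everyone else: no owner names
         hidden_attributes=("owner_name",), allowed_styles=("parcels_simple",)),
]

def decide(roles, ip, service, request, workspace="", layer="") -> Decision:
    return evaluate(RULES, Request(frozenset(roles), ip, service, request, workspace, layer))

if __name__ == "__main__":
    print(decide({"surveyors"}, "203.0.113.5", "WMS", "GetMap", "cadastre", "parcels"))
    print(decide({"surveyors"}, "10.1.2.3", "WFS", "Transaction", "cadastre", "parcels"))
    print(decide(set(), "203.0.113.5", "WPS", "Execute"))
```

Two details are worth noticing when you write real rules. A surveyor reading cadastre:parcels from outside the LAN hits the LIMIT at priority 50 and then the generic ALLOW at 60, so the result is the restricted area plus the hidden attribute and style limits of rule 60; the same surveyor posting a WFS Transaction from 10.1.2.3 is decided by rule 30 before rule 50 is ever reached, so no area limit applies to the edit. Priorities, not the order in which you created the rules, decide that.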

Choosing between the two systems depends on the specific use case, balancing complexity against functionality.

In both cases, sharing users between MapStore and GeoServer lets these rules apply to the users who use MapStore as the entry point to browse data and perform operations, with the data itself secured by GeoServer.

Note

MapStore also has an interface to GeoFence that provides a UI to configure GeoFence rules. Both versions have their limitations.

MapStore GeoServer User Integration

The integration between MapStore and GeoServer can be done using this guide.

Access to resources in MapStore is based on user groups. You can assign read/write permissions to a particular group from the "Save" dialog of the resource you are editing (this applies to maps, dashboards, stories and so on). The roles in MapStore are only USER, ADMIN and GUEST (the implicit role of users who are not logged in).

GeoServer instead associates permissions with user roles. To bridge this mismatch, the integration maps all the MapStore user groups to roles in GeoServer. This lets you use the same user groups both for sharing maps and for limiting access to layers.

Note

Maps and layers are completely independent even with the integration active. When you share a map containing layers with a certain group of users on MapStore, you have to make sure that all the data in the map is accessible to the same users on GeoServer. Otherwise, if access to a layer is completely denied, those users will still see an error in the map.
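The group-to-role mapping and the caveat above are easiest to check mechanically. The following Python model is an added example written for this page, not MapStore or GeoServer code. It models GeoServer's default layer security as the text describes it: one rule per line in the form `<workspace>.<layer>.<permission>=<role>[,<role>...]`, permission `r`, `w` or `a`, `*` as wildcard for workspace, layer or role, each rule unique, and the most specific matching rule (layer, then workspace, then global) winning. The assumptions are labelled: a MapStore group named G is exposed to GeoServer as a role of the same name, MapStore's ADMIN role maps to ROLE_ADMINISTRATOR, GUEST carries no role, and the `layers.properties` content and the map's layer list are constructed.

```python
"""
GeoServer default layer security (layers.properties) as seen by MapStore users,
whose groups reach GeoServer as roles. Added example for this page, not
MapStore or GeoServer code. Assumed mapping: MapStore group G -> GeoServer
role G, ADMIN -> ROLE_ADMINISTRATOR, GUEST -> no role.
"""
from dataclasses import dataclass, field

# Constructed layers.properties; not taken from any real deployment.
LAYERS_PROPERTIES = """\
# defaults: anyone may read, only administrators may write
*.*.r=*
*.*.w=ROLE_ADMINISTRATOR
# the "surveyors" MapStore group may read, edit and administer the cadastre workspace
cadastre.*.r=surveyors,ROLE_ADMINISTRATOR
cadastre.*.w=surveyors,ROLE_ADMINISTRATOR
cadastre.*.a=surveyors
# one layer in that workspace is readable only by "managers"
cadastre.salaries.r=managers,ROLE_ADMINISTRATOR
cadastre.salaries.w=ROLE_ADMINISTRATOR
"""

@dataclass
class MapStoreUser:
    name: str
    role: str                               # USER, ADMIN or GUEST
    groups: set = field(default_factory=set)

def geoserver_roles(user: MapStoreUser) -> set:
    """Assumed group-to-role mapping: group names become role names,
    ADMIN becomes ROLE_ADMINISTRATOR, GUEST carries no role."""
    roles = set(user.groups)
    if user.role == "ADMIN":
        roles.add("ROLE_ADMINISTRATOR")
    return roles

def parse_rules(text: str) -> dict:
    """Return {(workspace, layer, permission): {roles}} from layers.properties text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        roles = {r.strip() for r in value.split(",") if r.strip()}
        if not sep or len(parts) != 3 or parts[2] not in ("r", "w", "a") or not roles:
            raise ValueError(f"malformed rule: {raw!r}")
        entry = (parts[0], parts[1], parts[2])
        if entry in rules:
            raise ValueError(f"duplicate rule: {raw!r}")   # each rule must be unique
        rules[entry] = roles
    return rules

def allowed(rules: dict, roles: set, workspace: str, layer: str, perm: str) -> bool:
    """Most specific rule wins: layer, then workspace, then global. A role list
    of '*' grants anyone, including anonymous callers; ROLE_ADMINISTRATOR
    bypasses layer security altogether."""
    if "ROLE_ADMINISTRATOR" in roles:
        return True
    for ws, ly in ((workspace, layer), (workspace, "*"), ("*", "*")):
        granted = rules.get((ws, ly, perm))
        if granted is not None:
            return "*" in granted or bool(granted & roles)
    return False   # no rule at any level; rare, since *.*.r=* and *.*.w=* are normally present

def unreadable_layers(rules: dict, user: MapStoreUser, map_layers) -> list:
    """Layers of a shared MapStore map that this user cannot read on GeoServer,
    i.e. the ones that would produce an error in the map for that user."""
    roles = geoserver_roles(user)
    return [f"{ws}:{ly}" for ws, ly in map_layers if not allowed(rules, roles, ws, ly, "r")]

RULES = parse_rules(LAYERS_PROPERTIES)
# Constructed content of a map shared with the "surveyors" group: (workspace, layer) pairs.
MAP_LAYERS = [("topp", "states"), ("cadastre", "parcels"), ("cadastre", "salaries")]
SURVEYOR = MapStoreUser("alice", "USER", {"surveyors"})
GUEST = MapStoreUser("anonymous", "GUEST")

if __name__ == "__main__":
    for user in (SURVEYOR, GUEST, MapStoreUser("root", "ADMIN")):
        print(user.name, "cannot read:", unreadable_layers(RULES, user, MAP_LAYERS))
    print("surveyor may write cadastre:parcels:",
          allowed(RULES, geoserver_roles(SURVEYOR), "cadastre", "parcels", "w"))
```

Run against the constructed rules, the map shared with "surveyors" still contains cadastre:salaries, which that group cannot read on GeoServer, so the check reports it before anyone opens the map and sees the error. The same function applied to a GUEST shows why a map shared with everyone needs every layer readable by `*`.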

The integration with GeoServer lets you give users fine-grained access.

You can allow some users to:

  • Execute some processes (via WPS security)
  • Edit styles (by default allowed only to administrators; you can change this by acting on the /rest/ filter chains)
  • Access layers based on the user, using standard GeoServer layer security or the more advanced and fine-grained GeoFence
  • Edit layers (GeoServer security); editing can be enabled in the plugin settings of MapStore

Integration with LDAP

The LDAP integration guide explains how to integrate LDAP with MapStore.

Note

Since 2021.02.xx MapStore also has an experimental LDAP integration that provides a Direct connection mode.