Administration of Rights

The security.manager Administrator is used to maintain the policies that the WSS applies when checking authorization for a protected service.

The Administrator maintains access policies as so-called policy sets. A policy set groups the policies for one specific secured service and has a particular type. The installed version of security.manager contains the following types: WMS, WFS, WFS-T, ArcGIS Server, INSPIRE View Service, INSPIRE Feature Download Service, and URL.

A set of policies is set up for each service in the policy management area of the Administrator. This set contains all policies relevant to the service and their assignment to roles (and thereby owners). The contents, attributes and settings available for a set depend on the service type. A policy as used by security.manager is a combination of:

  • Resources: Objects to be protected against unauthorized access; dependent on type, for example URL of secured service, layer, feature type

  • Actions: Operations that can be performed on resources; dependent on type, for example GetMap, GetCapabilities, DisplayMap

  • Subjects: Subjects which access the resource with certain actions; in security.manager, subjects are referenced by way of roles.

The policy manager of security.manager is a so-called "closed, positive system". This means that every permission must be formulated explicitly as a policy (positive). If the WSS is unable to locate any policies for a service, access is completely blocked. Any request that cannot be answered unambiguously by the formulated policies is interpreted as forbidden (deny).
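A minimal sketch of the closed, positive evaluation described above, added here as an illustration and not security.manager's own code. The service URL, layer and role names, the `decide` function, and the rule that a multi-layer request is denied as soon as one layer is not covered are assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical URL of a secured WMS (constructed sample value).
SERVICE = "https://gis.example.org/wss/service/roads/wms"

@dataclass(frozen=True)
class Policy:
    resource: str      # e.g. URL of the secured service or a layer name
    action: str        # e.g. "GetMap", "GetCapabilities"
    roles: frozenset   # subjects are referenced by way of roles

# One policy set per secured service (constructed sample data).
POLICY_SETS = {
    SERVICE: [
        Policy(SERVICE, "GetCapabilities", frozenset({"viewer", "editor"})),
        Policy("roads", "GetMap", frozenset({"viewer", "editor"})),
        Policy("parcels", "GetMap", frozenset({"editor"})),
    ],
}

def decide(service, action, resources, user_roles):
    """Return "permit" only when explicit policies cover the whole request."""
    policies = POLICY_SETS.get(service)
    if not policies:
        return "deny"   # no policies for the service: access is blocked
    if not action or not resources:
        return "deny"   # request cannot be matched unambiguously
    roles = set(user_roles)
    for res in resources:
        covered = any(
            p.action == action and p.resource == res and roles & p.roles
            for p in policies
        )
        if not covered:
            return "deny"   # no positive policy for this resource: deny
    return "permit"

if __name__ == "__main__":
    print(decide(SERVICE, "GetMap", ["roads"], ["viewer"]))             # permit
    print(decide(SERVICE, "GetMap", ["roads", "parcels"], ["viewer"]))  # deny
    print(decide(SERVICE, "GetFeatureInfo", ["roads"], ["editor"]))     # deny
```

There is no "deny" policy anywhere in the data: every denial results from the absence of a matching permit, which is what makes the system closed and positive.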

The following section presents an example of how to create a policy set with several policies for a secure WMS.