Transactional Web Feature Service (WFS-T)

Learn how security.manager secures OGC WFS-T and what effect this has on editing permissions.

Web Feature Services can optionally support transactional operations. This allows users to create, edit, replace, and delete features in the WFS data store.

On an unprotected WFS-T, all users can edit all features. If a WFS-T is secured with security.manager for OGC, only users with full access to the service are allowed to edit the features of the service. If users can only access parts of a WFS-T, transactional operations are blocked. This prevents users from modifying data in the data store without being authorized to make such changes.

To allow a role with full access to the WFS to have read-only access to the data, this role requires an edit restriction.

Full access to services

Full access to a service means, within the context of security.manager for OGC, that a role has unrestricted access to all layers of a service. The corresponding policy is as follows:

{
  "policies": [{
    "layers": ["*"],
    "roles": ["enhancedSecurity_any"]
  }]
}

For this role, requests to the service still pass through security.manager for OGC, so its limitations still apply. Full access only means that users with such a role can access all layers of the service without restrictions and, in the case of WFS-T, perform transactional operations.
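
To review which roles a policy file would allow to edit through WFS-T, the full-access rule described above can be checked with a short script. This is an added example, not code from security.manager for OGC. It assumes that any policy key other than "layers" and "roles" is a restriction and that one unrestricted ["*"] policy is enough to give a role full access. The sample roles "viewer" and "auditor", the layer "parcels" and the key "x_hypothetical_restriction" are constructed for illustration.

```python
import json

# Constructed sample policy. "x_hypothetical_restriction" is a made-up key,
# not the product's restriction syntax (the page does not show that syntax).
SAMPLE = """
{
  "policies": [
    {"layers": ["*"], "roles": ["enhancedSecurity_any"]},
    {"layers": ["parcels"], "roles": ["viewer"]},
    {"layers": ["*"], "roles": ["auditor"], "x_hypothetical_restriction": {}}
  ]
}
"""
BASE_KEYS = {"layers", "roles"}
RANK = {"partial": 0, "restricted": 1, "full": 2}

def classify_roles(policy_doc):
    """Map each role to 'full', 'restricted' or 'partial' access.

    Assumptions (not from the product documentation): any key besides
    "layers" and "roles" counts as a restriction, and one unrestricted
    ["*"] policy is enough to make a role's access full.
    """
    result = {}
    for policy in policy_doc.get("policies", []):
        all_layers = "*" in policy.get("layers", [])
        has_restriction = bool(set(policy) - BASE_KEYS)
        if all_layers and not has_restriction:
            level = "full"        # may run WFS-T transactions
        elif all_layers:
            level = "restricted"  # all layers, but needs manual review
        else:
            level = "partial"     # transactions are blocked
        for role in policy.get("roles", []):
            # Keep the most permissive level seen for this role.
            if RANK[level] > RANK.get(result.get(role), -1):
                result[role] = level
    return result

def transaction_capable(policy_doc):
    """Roles that could edit features via WFS-T under the rule above."""
    levels = classify_roles(policy_doc)
    return sorted(role for role, lvl in levels.items() if lvl == "full")

if __name__ == "__main__":
    doc = json.loads(SAMPLE)
    print(classify_roles(doc))
    print("can edit via WFS-T:", transaction_capable(doc))
```

Roles reported as "restricted" have access to all layers but carry some restriction, so whether they can edit depends on what that restriction is and has to be checked by hand.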