Bind access to roles
In this tutorial, you will learn how to restrict access to the target service https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WFSServer as follows:
- Everyone should be able to access the FeatureType World
- All authenticated users should also be able to access the FeatureTypes Bundeslaender and Kreise
The use of roles provided by the identity provider is described in the How-to Reference roles from an identity provider in policies.
Prerequisite
This tutorial builds on the files created in the tutorial Allow access to WFS. The following prerequisites apply:
- You have connected security.manager for OGC to the Identity Service.
- Identity Service and security.manager for OGC are accessible in the browser via the same domain. In this tutorial, it is assumed that:
  - security.manager for OGC is available as localhost:8080/secman-ogc, and
  - Identity Service is available as localhost:8080/identity.
- You have an account with the identity provider connected to the Identity Service. This can be, for example, an account in ArcGIS Portal or Keycloak.
Policy for all users
The roles list specifies all roles for which a policy applies.
These roles are described in more detail under Roles.
Open the policy file from the tutorial Allow access to WFS. Currently, all FeatureTypes are accessible to everyone. Restrict the policy to the FeatureType World, as described in the tutorial Control access to FeatureTypes:
{
  "policies": [{
    "layers": ["World"],
    "roles": ["enhancedSecurity_any"]
  }]
}
Policy for authenticated users
Now, a policy for authenticated access is still missing.
Therefore, add another policy to the policies list.
This should apply to the role enhancedSecurity_authenticated and allow the FeatureTypes Bundeslaender and Kreise.
{
  "policies": [
    {
      "layers": ["World"],
      "roles": ["enhancedSecurity_any"]
    },
    {
      "layers": ["Bundeslaender", "Kreise"],
      "roles": ["enhancedSecurity_authenticated"]
    }
  ]
}
Verify configuration
The next two steps demonstrate how the service response changes depending on whether you are logged out or logged in to the Identity Service.
Access without authentication
For access without authentication, ensure that you are logged out of the Identity Service before calling up the protected service.
Open a new private browser window and call the URL of the protected service:
http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WFSServer?request=GetCapabilities&service=WFS
In the capabilities, you can see that without authentication, you can only access the FeatureType World.
Access with authentication
For access with authentication, you must first log in to the Identity Service before calling the protected service again.
Call the home page of the configured Identity Service localhost:8080/identity/ and log in under Login.
Then call the protected service again:
http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WFSServer?request=GetCapabilities&service=WFS
As an authenticated user, you can now access the FeatureTypes Bundeslaender and Kreise in addition to the FeatureType World.
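The two verification steps above can also be checked programmatically. The following Python example is added here and is not part of the con terra documentation or product: it computes the FeatureTypes the finished policy file grants to an anonymous and to an authenticated request and compares them with the FeatureType names found in a GetCapabilities response. The evaluation model (a policy applies when the request carries at least one of its listed roles, and the layers of all applying policies are combined) and the embedded capabilities excerpt are assumptions made for the example.

```python
"""Compare a WFS GetCapabilities response with a security.manager for OGC
policy file (added example, not con terra code)."""
import json
import xml.etree.ElementTree as ET

# Role names as used on the page: "any" applies to every request,
# "authenticated" only once the user is logged in to the Identity Service.
ROLE_ANY = "enhancedSecurity_any"
ROLE_AUTHENTICATED = "enhancedSecurity_authenticated"

# The finished policy file from the tutorial, embedded as a string.
POLICY_JSON = """{
  "policies": [
    {"layers": ["World"], "roles": ["enhancedSecurity_any"]},
    {"layers": ["Bundeslaender", "Kreise"], "roles": ["enhancedSecurity_authenticated"]}
  ]
}"""

# Constructed capabilities excerpt: what an anonymous caller should get back.
ANON_CAPS = """<wfs:WFS_Capabilities xmlns:wfs="http://www.opengis.net/wfs/2.0" version="2.0.0">
  <wfs:FeatureTypeList>
    <wfs:FeatureType><wfs:Name>grenzen:World</wfs:Name></wfs:FeatureType>
  </wfs:FeatureTypeList>
</wfs:WFS_Capabilities>"""

def roles_for_request(authenticated):
    """Everyone carries the 'any' role; a logged-in user also carries
    'authenticated' (assumed model; identity-provider roles would be added here)."""
    return {ROLE_ANY, ROLE_AUTHENTICATED} if authenticated else {ROLE_ANY}

def allowed_layers(policy_json, request_roles):
    """Union of the layers of every policy whose roles list shares at least one
    role with the request (assumed evaluation model, not the product's algorithm)."""
    policies = json.loads(policy_json)["policies"]
    return {layer for p in policies if set(p["roles"]) & request_roles
            for layer in p["layers"]}

def feature_types_in_capabilities(xml_text):
    """FeatureType names advertised in a GetCapabilities document. Namespace-agnostic,
    so WFS 1.1 and 2.0 responses both work; a 'prefix:Name' is reduced to 'Name'."""
    root = ET.fromstring(xml_text)
    return {child.text.strip().split(":")[-1]
            for ft in root.iter() if ft.tag.rsplit("}", 1)[-1] == "FeatureType"
            for child in ft if child.tag.rsplit("}", 1)[-1] == "Name"}

def capabilities_match_policy(xml_text, authenticated):
    """True when the advertised FeatureTypes are exactly what the policy grants."""
    expected = allowed_layers(POLICY_JSON, roles_for_request(authenticated))
    return feature_types_in_capabilities(xml_text) == expected
```

Feeding the real response from the anonymous and the logged-in browser session into capabilities_match_policy reproduces the check described in the two steps above; a response advertising more FeatureTypes than the policy grants indicates a misconfigured or missing role restriction.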