Bind access to roles

In this tutorial, you will learn how to restrict access to the target service https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WMSServer as follows:

  • Everyone should be able to access the layer World

  • All authenticated users should also be able to access the layers Bundeslaender and Kreise

Prerequisite

This tutorial builds on the files created in the tutorial Allow access to WMS. The following prerequisites apply:

  • You have connected security.manager for OGC to the Identity Service.

  • Identity Service and security.manager for OGC are accessible in the browser via the same domain. In this tutorial, it is assumed that:

    • security.manager for OGC is available as localhost:8080/secman-ogc, and

    • Identity Service is available as localhost:8080/identity.

  • You have an account with the identity provider connected to the Identity Service. This can be, for example, an account in ArcGIS Portal or Keycloak.

Policy for all users

The roles list specifies all roles for which a policy applies. These roles are described in more detail under Roles.

Open the policy file from the tutorial Allow access to WMS. Currently, all layers are accessible to everyone. Restrict the policy to the layer World (Name: 0), as described in the tutorial Control access to layers:

${user.home}/.secman-ogc/policies/policies-grenzen-wms.json
{
  "policies": [{
    "layers": ["0"],
    "roles": ["enhancedSecurity_any"]
  }]
}

Policy for authenticated users

A policy for authenticated access is still missing. Add another policy to the policies list that applies to the role enhancedSecurity_authenticated and allows the layers Bundeslaender (Name: 1) and Kreise (Name: 2):

${user.home}/.secman-ogc/policies/policies-grenzen-wms.json
{
  "policies": [
    {
      "layers": ["0"],
      "roles": ["enhancedSecurity_any"]
    },
    {
      "layers": ["1", "2"],
      "roles": ["enhancedSecurity_authenticated"]
    }
  ]
}

Restart Tomcat

Save the changes and restart Tomcat to apply the changes.

Verify configuration

The next two steps demonstrate how the service response changes depending on whether you are logged out or logged in to the Identity Service.

Access without authentication

For access without authentication, ensure that you are logged out of the Identity Service before calling the protected service. Open a new private browser window and call the URL of the protected service: localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WMSServer?request=GetCapabilities&service=WMS.

In the capabilities, you can see that without authentication you can only access the layer World.

Access with authentication

For access with authentication, you must first log in to the Identity Service before calling the protected service again. Call the home page of the configured Identity Service localhost:8080/identity/ and log in under Login. Then call the protected service again: http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WMSServer?request=GetCapabilities&service=WMS

As an authenticated person, you can now access the layers Bundeslaender and Kreise in addition to the layer World.
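The following added example (not part of this tutorial or of security.manager for OGC) models how the two policies above decide which layers a caller sees, and reproduces the two verification results: it assumes that every request carries the role enhancedSecurity_any and a logged-in session additionally carries enhancedSecurity_authenticated, and it filters a constructed, minimal GetCapabilities fragment instead of the live service response.

```python
import json
import xml.etree.ElementTree as ET

# Policy file content from this tutorial, embedded inline instead of reading
# ${user.home}/.secman-ogc/policies/policies-grenzen-wms.json.
POLICY_JSON = """
{
  "policies": [
    {"layers": ["0"], "roles": ["enhancedSecurity_any"]},
    {"layers": ["1", "2"], "roles": ["enhancedSecurity_authenticated"]}
  ]
}
"""

# Constructed GetCapabilities fragment: the three layers of the grenzen
# service with the Name -> Title mapping stated in the tutorial.
CAPABILITIES_XML = """
<WMS_Capabilities><Capability><Layer><Title>grenzen</Title>
  <Layer><Name>0</Name><Title>World</Title></Layer>
  <Layer><Name>1</Name><Title>Bundeslaender</Title></Layer>
  <Layer><Name>2</Name><Title>Kreise</Title></Layer>
</Layer></Capability></WMS_Capabilities>
"""

def roles_for(authenticated):
    # Assumption: anonymous callers hold enhancedSecurity_any only; a session
    # logged in at the Identity Service also holds enhancedSecurity_authenticated.
    roles = {"enhancedSecurity_any"}
    if authenticated:
        roles.add("enhancedSecurity_authenticated")
    return roles

def allowed_layers(policy_json, roles):
    """Union of layer names from every policy whose roles match one of the caller's roles."""
    allowed = set()
    for policy in json.loads(policy_json)["policies"]:
        if roles.intersection(policy["roles"]):
            allowed.update(policy["layers"])
    return allowed

def filter_capabilities(xml_text, allowed):
    """Remove every named layer the caller may not see; return the remaining titles."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter("Layer")):          # snapshot: tree is modified below
        for child in list(parent.findall("Layer")):
            name = child.findtext("Name")
            if name is not None and name not in allowed:
                parent.remove(child)
    return [l.findtext("Title") for l in root.iter("Layer") if l.findtext("Name")]

def visible_layers(authenticated):
    """Layer titles an anonymous (False) or logged-in (True) caller gets in the capabilities."""
    return filter_capabilities(CAPABILITIES_XML, allowed_layers(POLICY_JSON, roles_for(authenticated)))
```

Running visible_layers(False) yields only World, while visible_layers(True) yields World, Bundeslaender and Kreise, matching the two verification steps above.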