SuperMap iServer provides service-level permission control, which can perform role authorization for each service instance and batch authorize for multiple service instances. There is a many-to-many relationship between service instances and roles. If a system administrator grants access to a service to a role, all users and user groups associated with the role (primarily users belonging to the user group) have access to the service.

Service authorization

Log in to the Web Manager of the service management server, click service ->service management in turn, click a specific service on the service page, enter the basic information description page of the service, and then select "security". The security status of each service instance can be viewed. If the lock ID is open, it means that the service instance is anonymously accessible, that is, it is not locked. If the lock ID is closed, the service can be accessed only after login verification. Place the mouse on the lock and click to view and modify the authorization information of the service instance. You can also select multiple service instances and click the batch authorize button in the upper left corner of the page.

The service authorization has two options:

  • Anonymously accessible, that is, accessible by any anonymous user. The demonstration services provided by SuperMap iServer are available to all anonymous users can access by default.
  • Specified users can access, that is, only the users associated with the specified role can access this service. Select the required role in the table to specify. In addition, there are three additional options when the service is only accessible to designated users:
  • Accessible by any logged-in user: All logged-in users can access the current service after checking.
  • Set the role that can access the service instance: This only works when the "Any login user can access" button is not checked. It is used to bind the role to the service instance. Only the users and user groups associated with the role (mainly the users belonging to the user group) have access to the service
  • Prohibit access to role: if checked, the specified role will be prohibited from accessing the current service. The service authorization mechanism uses a forbidden priority policy, so as long as a role is in the forbidden access list, the associated user cannot access the service until the role is removed from the forbidden list.

 

User has been granted access to the service

If the role associated with the user has obtained the authorization of the specified service instance, SuperMap iServer will automatically jump to the login page when accessing the service, and the user can access the resources of the service after entering his own user name and password and passing the authentication.

For example, if the role "role1" has been authorized for the service "data-world/rest", the user "user1" associated with the role automatically inherits the scope permissions of the service and can successfully log in when accessing the service.

If an authorized user logs in directly when accessing the service, or if the development of an application requires frequent access to the service, there may be a risk that the account will be exposed. To prevent authorized users from exposing their accounts when using the service, SuperMap iServer provides Token-based authentication to secure user accounts.