We’re using GeoServer for a GIS project where a lot of different partners input data in our system though a web client.
We have public layers available with limited data, but partners should be able to get ‘private’ layers which contain all of their data.
Partners should not be able to view the private data of other partners under any circumstance.
Every partner will have an account on GeoServer.
The ‘private’ layer for a partner would be an sql view containing information of every partner with a filter on partner id.
We could create a private layer for every partner containing only the information they have access to, but because we’re working with over 200 partners this could be quite cumbersome because we’d have to create over 200 separate layers and link each layer to the correct single account.
The only difference between these layers would be the partner id.
It’s possible in GeoServer to add CQL filters to a layer, but as far as we could see it’s only possible to append the actual filter id to the request URL which would enable partners to change the filter id to get data from other partners.
We noticed it’s possible to add properties to a user account. Is it possible to create a CQL filter which reads a property from the current user account?
This would enable us to create one ‘private layer’ and allow for each account to use the same layer but only see the information associated with their account without being able to alter the filter.
If that’s not possible, what would be the recommended way to implement this use case?
Consider automating the creation of those private layers with the rest api, at least they can all share the same styling.
One thing that may work (or may be terrible) is the creation of a layer group with all of the private layers. Each web app can refer to the layergroup, but the partners would only see the data from the “one” layer they have access rights to see…
We’re using GeoServer for a GIS project where a lot of different partners input data in our system though a web client.
We have public layers available with limited data, but partners should be able to get ‘private’ layers which contain all of their data.
Partners should not be able to view the private data of other partners under any circumstance.
Every partner will have an account on GeoServer.
The ‘private’ layer for a partner would be an sql view containing information of every partner with a filter on partner id.
We could create a private layer for every partner containing only the information they have access to, but because we’re working with over 200 partners this could be quite cumbersome because we’d have to create over 200 separate layers and link each layer to the correct single account.
The only difference between these layers would be the partner id.
It’s possible in GeoServer to add CQL filters to a layer, but as far as we could see it’s only possible to append the actual filter id to the request URL which would enable partners to change the filter id to get data from other partners.
We noticed it’s possible to add properties to a user account. Is it possible to create a CQL filter which reads a property from the current user account?
This would enable us to create one ‘private layer’ and allow for each account to use the same layer but only see the information associated with their account without being able to alter the filter.
If that’s not possible, what would be the recommended way to implement this use case?
Thanks in advance,
Robin K.
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
With GeoFence, you could setup one access rule for each partner with a CQL filter like “partner_id = 100” and apply it to any restricted layer you have (supposing they all have a “partner_id” column).
We’re using GeoServer for a GIS project where a lot of different partners input data in our system though a web client.
We have public layers available with limited data, but partners should be able to get ‘private’ layers which contain all of their data.
Partners should not be able to view the private data of other partners under any circumstance.
Every partner will have an account on GeoServer.
The ‘private’ layer for a partner would be an sql view containing information of every partner with a filter on partner id.
We could create a private layer for every partner containing only the information they have access to, but because we’re working with over 200 partners this could be quite cumbersome because we’d have to create over 200 separate layers and link each layer to the correct single account.
The only difference between these layers would be the partner id.
It’s possible in GeoServer to add CQL filters to a layer, but as far as we could see it’s only possible to append the actual filter id to the request URL which would enable partners to change the filter id to get data from other partners.
We noticed it’s possible to add properties to a user account. Is it possible to create a CQL filter which reads a property from the current user account?
This would enable us to create one ‘private layer’ and allow for each account to use the same layer but only see the information associated with their account without being able to alter the filter.
If that’s not possible, what would be the recommended way to implement this use case?
Thanks in advance,
Robin K.
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
Best regards,
Stefano Costa
==
GeoServer Professional Services from the experts! Visit
[http://goo.gl/it488V](http://goo.gl/it488V) for more information.
==
Dott. Stefano Costa
Senior Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
[http://www.geo-solutions.it](http://www.geo-solutions.it)
[http://twitter.com/geosolutions_it](http://twitter.com/geosolutions_it)
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.
Could create a really simple servlet filter that inspects the GetMap or GetFeatureInfo requests and modifies the cql_filter parameter based on the user’s login. Custom code, but straightforward deployment. Insures nobody can spoof the partner id.
With GeoFence, you could setup one access rule for each partner with a CQL filter like “partner_id = 100” and apply it to any restricted layer you have (supposing they all have a “partner_id” column).
Hope this helps.
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
We’re using GeoServer for a GIS project where a lot of different partners input data in our system though a web client.
We have public layers available with limited data, but partners should be able to get ‘private’ layers which contain all of their data.
Partners should not be able to view the private data of other partners under any circumstance.
Every partner will have an account on GeoServer.
The ‘private’ layer for a partner would be an sql view containing information of every partner with a filter on partner id.
We could create a private layer for every partner containing only the information they have access to, but because we’re working with over 200 partners this could be quite cumbersome because we’d have to create over 200 separate layers and link each layer to the correct single account.
The only difference between these layers would be the partner id.
It’s possible in GeoServer to add CQL filters to a layer, but as far as we could see it’s only possible to append the actual filter id to the request URL which would enable partners to change the filter id to get data from other partners.
We noticed it’s possible to add properties to a user account. Is it possible to create a CQL filter which reads a property from the current user account?
This would enable us to create one ‘private layer’ and allow for each account to use the same layer but only see the information associated with their account without being able to alter the filter.
If that’s not possible, what would be the recommended way to implement this use case?
Thanks in advance,
Robin K.
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
Best regards,
Stefano Costa
==
GeoServer Professional Services from the experts! Visit
[http://goo.gl/it488V](http://goo.gl/it488V) for more information.
==
Dott. Stefano Costa
Senior Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
[http://www.geo-solutions.it](http://www.geo-solutions.it)
[http://twitter.com/geosolutions_it](http://twitter.com/geosolutions_it)
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.
It looks like GeoFence has the functionality we need, we didn’t see that one yet.
We’re probably going to generate GeoFence rules with the GeoFence REST API which will probably make the system more maintainable.
With GeoFence, you could setup one access rule for each partner with a CQL filter like “partner_id = 100” and apply it to any restricted layer you have (supposing they all have a “partner_id” column).
We’re using GeoServer for a GIS project where a lot of different partners input data in our system though a web client.
We have public layers available with limited data, but partners should be able to get ‘private’ layers which contain all of their data.
Partners should not be able to view the private data of other partners under any circumstance.
Every partner will have an account on GeoServer.
The ‘private’ layer for a partner would be an sql view containing information of every partner with a filter on partner id.
We could create a private layer for every partner containing only the information they have access to, but because we’re working with over 200 partners this could be quite cumbersome because we’d have to create over 200 separate layers and link each layer to the correct single account.
The only difference between these layers would be the partner id.
It’s possible in GeoServer to add CQL filters to a layer, but as far as we could see it’s only possible to append the actual filter id to the request URL which would enable partners to change the filter id to get data from other partners.
We noticed it’s possible to add properties to a user account. Is it possible to create a CQL filter which reads a property from the current user account?
This would enable us to create one ‘private layer’ and allow for each account to use the same layer but only see the information associated with their account without being able to alter the filter.
If that’s not possible, what would be the recommended way to implement this use case?
Thanks in advance,
Robin K.
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
Best regards,
Stefano Costa
==
GeoServer Professional Services from the experts! Visit
[http://goo.gl/it488V](http://goo.gl/it488V) for more information.
==
Dott. Stefano Costa
Senior Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
[http://www.geo-solutions.it](http://www.geo-solutions.it)
[http://twitter.com/geosolutions_it](http://twitter.com/geosolutions_it)
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.