The Platform's Dataspace Concept
The dataspace concept on the platform provides a fine-grained approach to managing user access across various platform components (e.g., FROST, Superset, Stellio, Geoserver). Dataspaces are thematic areas that contain specific data and resources. This makes it possible to define access rights for each dataspace, based on users, groups, roles, and permissions. Each dataspace has its own set of roles that define the appropriate permissions. Dataspaces can be visualised as silos: data is stored in exactly one dataspace, and users are assigned access to that dataspace via dataspace-specific roles.
The Platform's Dataspace Concept - Entities
- User: Any individual or entity that accesses the platform.
  - A user belongs to one or multiple groups.
  - A user can have one or multiple roles.
- Group: A collection of users that inherit roles assigned to that group.
  - A group can have one or multiple users.
- Role: A set of permissions granted to either a user or group. These roles are specific to each dataspace and define what actions the user or group can perform. Hence, a dataspace defines a set of roles that are used to assign access rights to users. These roles determine access to the data sources and all other linked objects in the dataspace.
  - A role can be assigned to one or multiple users.
  - A role can be assigned to one or multiple groups.
  - A role can have one or multiple permissions.
- Permission: Defines the authorization to perform a specific action, such as reading, writing, or administering resources within a dataspace. Permissions are assigned within roles.
  - A permission can be assigned to one or multiple roles.
- Dataspace: A thematic area containing specific data and resources. Roles within a dataspace control what users and groups can do within that space.
  - A dataspace can have one or multiple roles.
Example Dataspace for Soil Moisture Analysis
A use case for the CIVITAS/Core platform could be the sustainable irrigation of urban trees using sensor-based demand assessment. For this use case, there may be a dataspace called 'Soil Moisture'.
The 'Soil Moisture' dataspace contains all the data and resources related to soil moisture analysis. It requires specific roles that control what users and groups can do with the data across various components of the platform (e.g., dashboards in Superset). The roles within this dataspace define access rights, for example, to view or edit the data.
The 'Soil Moisture' group represents a collection of users with access rights to data and resources related to soil moisture analysis. This group will have assigned roles that grant specific permissions. Hence, a user can have specific roles in the dataspace.
For example, there may be a role called "Editor." This role grants the permissions needed to edit and update data related to soil moisture analysis. The "Viewer" role in this dataspace grants read-only access to the data related to soil moisture analysis.
Let’s take Alice and Bob as examples:
- Alice is a data analyst and works with soil moisture data. For example, she creates charts and dashboards in Superset to visualize the data. She is assigned the "Editor" role, which allows her to edit, delete, and add new records for her analysis.
- Bob also works on the sustainable irrigation of urban trees. He is a project manager and wants to check information, for example, about the sensors used. Therefore, he only needs to view the records and search through the data, but he does not need to modify or delete any information. Hence, he is assigned the "Viewer" role.
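The entity model and the Alice/Bob scenario can be expressed as a small access check. This is an added example, not code from the platform: the permission names ("read", "write", "delete"), the choice to give Bob his "Viewer" role through the 'Soil Moisture' group, and the second dataspace "Air Quality" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    dataspace: str          # a role belongs to exactly one dataspace
    permissions: frozenset  # permission names are assumed, not the platform's

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)     # directly assigned roles
    groups: list = field(default_factory=list)  # roles are inherited from these

def effective_permissions(user, dataspace):
    """Union of permissions from direct and group-inherited roles in one dataspace."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= group.roles
    perms = set()
    for role in roles:
        if role.dataspace == dataspace:  # roles never apply outside their dataspace
            perms |= role.permissions
    return perms

def is_allowed(user, dataspace, action):
    # Deny by default: no matching role in the dataspace means no access.
    return action in effective_permissions(user, dataspace)

# Constructed sample data following the Soil Moisture example.
EDITOR = Role("Editor", "Soil Moisture", frozenset({"read", "write", "delete"}))
VIEWER = Role("Viewer", "Soil Moisture", frozenset({"read"}))
soil_group = Group("Soil Moisture", {VIEWER})  # assumed: the group carries Viewer
alice = User("Alice", roles={EDITOR}, groups=[soil_group])
bob = User("Bob", groups=[soil_group])         # Viewer inherited via the group

if __name__ == "__main__":
    for user in (alice, bob):
        for action in ("read", "write", "delete"):
            print(user.name, action, is_allowed(user, "Soil Moisture", action))
    # "Air Quality" is a hypothetical second dataspace; nobody holds a role in it.
    print("Alice read Air Quality:", is_allowed(alice, "Air Quality", "read"))
```

Because every role is bound to one dataspace, Alice's "Editor" role gives her nothing in any other dataspace, which is the silo behaviour described above.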