Version: 1.0

The platform's dataspace concept in GeoServer

GeoServer manages access to geospatial content using Roles, Users, Permissions, and Groups.

How the Platform's Dataspace Concept Maps to GeoServer

For each dataspace, we implement its own set of roles. These roles are granted permissions on geospatial data (Layers, Layergroups) by assigning the permissions to the role in GeoServer.

  • Layers: Layers are the finest level at which permissions can be granted to roles in GeoServer. On this level, you can specify Read, Write or Administrative access individually for each layer. Additionally, Layers are assigned to workspaces in GeoServer and inherit the permissions from there if no individual configuration is done at layer level.
  • Layergroups: From the security perspective, Layergroups are special Layer types. Layergroups are managed in the same way as layers.
  • Permission: Permissions in GeoServer (standard, without plugins) can be assigned at three levels: Read, Write and Admin. Read and Write grant only access to existing Layers (using them). The Admin permissions grant the right to manage a layer.
  • Groups: GeoServer allows working with Groups. These are not used for the CIVITAS/CORE Platform.
  • Workspaces: Workspaces in GeoServer are a hierarchical structure above many GeoServer entities such as Layers and Layergroups. They are only used to structure the content. In CIVITAS/CORE we use them to group all entities of one dataspace. With this grouping, it is possible to define the permissions and role assignments directly at workspace level and have the entities assigned to the workspace inherit them.

This mapping is illustrated in the following image by using the same color for matching objects.

[Image: GeoServer-Entities]

Setting Up Dataspaces in GeoServer

After completing the initial platform setup (refer to the Admin Guide), GeoServer is automatically configured to synchronize roles from Keycloak, ensuring it recognizes all existing platform roles.

On each login, the user's assigned roles are also synced with GeoServer.

The only remaining manual step is to assign the appropriate permissions to these synced roles at the workspace level.

Once this is done, permissions are validated each time a user requests access to any content.
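
The workspace-level assignment and the layer-level inheritance described above can be sketched as follows. This is an added example, not code from the platform or from GeoServer: it is a simplified model that uses GeoServer's `workspace.layer.mode` rule syntax, and all workspace, layer and role names are hypothetical.

```python
# Added example: a simplified model of GeoServer data-access rules, written as
# "<workspace>.<layer>.<mode>" -> roles, with mode r (read), w (write), a (admin).
# Workspace, layer and role names below are hypothetical.

MODES = ("r", "w", "a")


def workspace_rules(workspace, read_roles, write_roles=(), admin_roles=()):
    """Build workspace-level rules for one dataspace (layer part is '*')."""
    rules = {}
    for mode, roles in zip(MODES, (read_roles, write_roles, admin_roles)):
        if roles:
            rules[f"{workspace}.*.{mode}"] = ",".join(sorted(roles))
    return rules


def allowed_roles(rules, workspace, layer, mode):
    """Return the roles of the most specific rule: layer, then workspace, then global."""
    for key in (f"{workspace}.{layer}.{mode}", f"{workspace}.*.{mode}", f"*.*.{mode}"):
        if key in rules:
            return {r.strip() for r in rules[key].split(",")}
    # No matching rule: this model denies. In GeoServer the outcome depends on
    # the global (*.*) rules that are configured.
    return set()


def is_permitted(rules, user_roles, workspace, layer, mode):
    """Check whether any of the user's synced roles is granted the requested mode."""
    granted = allowed_roles(rules, workspace, layer, mode)
    return "*" in granted or bool(granted & set(user_roles))


# Constructed sample: one workspace per dataspace, plus one layer-level override.
RULES = {}
RULES.update(workspace_rules("ds_energy",
                             {"ds_energy_reader", "ds_energy_editor"},
                             {"ds_energy_editor"}))
RULES.update(workspace_rules("ds_traffic", {"ds_traffic_reader"}))
RULES["ds_energy.grid_internal.r"] = "ds_energy_editor"  # overrides the workspace rule

if __name__ == "__main__":
    for key, roles in sorted(RULES.items()):
        print(f"{key}={roles}")
    # A reader inherits workspace read access on a layer without its own rule.
    print(is_permitted(RULES, ["ds_energy_reader"], "ds_energy", "substations", "r"))
```

A role from one dataspace gets no access in another dataspace's workspace, and a layer-level rule replaces the inherited workspace rule for that layer only.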

For further details on GeoServer administration, please consult the Admin Guide.