Roles & User Authentication
Overview
iShare GIS may be used to display information that is sensitive or requires filtering from general use; for example: locations of domestic abuse crimes must not be widely available, detailed planning applications should only be available to those in the planning department.
Roles
In order to ensure that only the correct people can view information via a MapSource, iShare has the concept of Roles. Roles are configured through Studio and assigned to MapSources as required. Only those users that are members of one or more of the roles in a MapSource will be permitted to query the data using that MapSource.
It is possible to configure the same data to be accessed using two MapSources and to have completely different roles associated with each MapSource.
A single .map file may be used for multiple MapSources - you don’t need to configure a new map file for each Role.
User Authentication
iShare does not maintain lists of users associated with Roles, instead the Roles map to sets of users configured in another provider. Currently the only supported third-party provider is MS Windows.
Using Windows to authenticate users
When a Role is created in Studio, it is associated with a local Windows group, i.e. configured on the server running the Web Service application. This Windows group is then used to manage membership of the Role, for example through Administrative Tools->Users and Groups on the server. This means that, for example, an Active Directory Domain group, and therefore their users, can be added to Roles through making them members of the appropriate local groups.
As iShare checks a person's Roles it simply asks Windows whether they are a member of the associated groups which gives this method the following benefits:
- iShare makes use of existing proven Windows and Active Directory technology to authenticate the user.
- Seamless integration into the browser - no username/password prompt.
- Reuse of existing user hierarchy from the domain.
- Familiar tools and utilities for user management.
Beware of Local users with the same name as Domain users
If the iShare GIS server has Local users with the same name as Domain users it can cause issues with iShare GIS when it comes to determining if a user has access to Map Sources with Roles. In some instances Map Sources with Roles are not available to users even when their Domain user is a member of the appropriate group. To resolve the issue either arrange for the Local users to be renamed or removed or add the Local and Domain user to the relevant groups.
Requirements
Domain membership:Â In order to make use of Windows Authentication, the server that the iShare front-end Web application must be able to authenticate the members of the local groups that are configured on the server that the back-end Web Service application runs on -- e.g. be a member of the same domain or be a member of a domain that is trusted by the internal server's domain. This is not an issue when both applications are run on the same server.
Authentication by IIS: The Astun.iShareGISn.n.Web website (where n.n is the version number) needs to have integrated Windows authentication enabled and Anonymous access disabled in order to force checking of user credentials when making MapSource requests (right-click on the page and select Properties->File Security).
Impersonation on Internal Server: The internal web service should be be running as a user that will have the privileges to query Active Directory, if the server is a member of a domain. In practice, this will require a configuration setting in the system.web node of the web.config for the Web Service:
<identity impersonate="true" userName="<username>" password="<password>"/>
Impersonation is not needed and should not be used in the case when the server is not connected to Active Directory.