Once you enable and configure access control in one of the configuration files, all of your geospatial data becomes unavailable to non-administrator users: only the administrator can access it, and no other user has any permission. From that starting point, you can choose between three access control workflows, depending on your data security needs:

  • A restrictive access control workflow: only a limited number of Data resources need to be accessible to non-administrator users. You configure access rules for those Data resources only; everything else stays administrator-only.

  • A non-restrictive workflow: only a limited number of Data resources need to be kept from non-administrator users. You grant access to all Data resources initially, and then restrict access to specific Data resources as needed.

  • A combination of the restrictive and non-restrictive workflows: you have a substantial amount of data to secure and a substantial amount of data to make generally available.

If you’re not familiar with access control, see the Access control in LuciadFusion article. This article discusses each access control workflow in more detail.

Restrictive access control workflow

When you enable access control, none of the data is available to non-administrator users. To allow users with particular roles access to specific Data resources, you must configure access rules that define the permissions granted to particular user roles for particular Data resources. You do so by calling the REST API endpoint /api/data/{id}/access-rules/{access-rule-id}.

This workflow offers the strongest default: a Data resource is exposed only when you explicitly create an access rule for it, so nothing becomes readable by accident.

Non-restrictive access control workflow

The restrictive workflow becomes tedious when you want the reverse: allow access to all Data resources for all users, and restrict access to a few Data resources for some users only.

To achieve such broad access, set up a new data root in which every Data resource is accessible to all users. The following REST API request creates a data root at the location of your generally available data and adds an access rule template for the "LFN_ANY" role to its crawl job:

POST /api/data-roots
Accept: application/json
Content-Type: application/json

{
  "rootPath": "/path/to/data/root",
  "crawlJob": {
    "ignoreDeletedFiles": true,
    "forceRecrawlFiles": false,
    "jobSchedule": "0 0 0 * * *",
    "decodeFailureResolution": "Keep",
    "enqueueJob": true,
    "accessRuleTemplates": [
      {
        "role": "LFN_ANY",
        "permissions": [
          "READ"
        ]
      }
    ]
  }
}

Creating the data root starts a crawl job. Every Data resource that the crawl job creates receives an access rule granting the "LFN_ANY" role the READ permission, so it is readable by any user. This applies to everything the crawl finds under the data root path, and the job reruns on the schedule in "jobSchedule", so keep data that must not be public out of that directory tree.

Next, restrict the few Data resources that should not be generally available by calling their REST API endpoints /api/data/{id}/access-rules/{access-rule-id}.

Combination of both workflows

If you have a substantial amount of data that you want to secure and a substantial amount of data that you want to make available to everyone, set up two data roots:

  • A public data root at /path/to/data/public: this data root contains data that is accessible to everyone. Use the "LFN_ANY" role when creating the data root or configuring the crawl job.

  • A secure data root at /path/to/data/protected: this data root contains data that is not accessible to everyone. Use only roles that are assigned to authorized users, never "LFN_ANY", and keep this path outside the public data root so that the public crawl job does not pick up the protected data.
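The following script is an added example, not code from the LuciadFusion documentation or product. It serves both the non-restrictive workflow above and the combination workflow: it builds the POST /api/data-roots request bodies for a public and a protected data root in the shape the article shows, and adds a pre-flight check that no protected root lies inside a public root. The check rests on the assumption that a crawl job covers the whole tree below its "rootPath" (the article says the template is applied to all data crawled in the data root). The role name "GIS_ANALYST" is a hypothetical example role; "LFN_ANY" is the role the article uses.

```python
"""Plan LuciadFusion data roots for a public/protected split.

Added example, not LuciadFusion's own code. Assumes only what the article
shows: POST /api/data-roots takes "rootPath" and "crawlJob", and each entry
in "accessRuleTemplates" grants its permissions to its role on every Data
resource the crawl creates. The nesting check assumes (not stated on the
page) that a crawl covers the full subtree below rootPath.
"""
import json
from pathlib import PurePosixPath

PUBLIC_ROLE = "LFN_ANY"  # role the article uses for "accessible to everyone"


def data_root_request(root_path, access_rules, schedule="0 0 0 * * *"):
    """Build the JSON body for POST /api/data-roots.

    access_rules maps a role name to the permissions it gets on crawled data,
    e.g. {"LFN_ANY": ["READ"]} for a public root, or
    {"GIS_ANALYST": ["READ"]} (hypothetical role) for a protected one.
    """
    if not access_rules:
        # With no templates the crawled data stays administrator-only,
        # which is rarely what a data-root author intends; fail loudly.
        raise ValueError("no access rule templates: crawled data would be "
                         "visible to the administrator only")
    return {
        "rootPath": root_path,
        "crawlJob": {
            "ignoreDeletedFiles": True,
            "forceRecrawlFiles": False,
            "jobSchedule": schedule,
            "decodeFailureResolution": "Keep",
            "enqueueJob": True,
            "accessRuleTemplates": [
                {"role": role, "permissions": list(perms)}
                for role, perms in access_rules.items()
            ],
        },
    }


def grants_public_access(request_body):
    """True if the crawl job would give LFN_ANY any permission on crawled data."""
    templates = request_body["crawlJob"].get("accessRuleTemplates", [])
    return any(t["role"] == PUBLIC_ROLE and t["permissions"] for t in templates)


def _is_within(path, root):
    """True if path equals root or lies somewhere below it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def check_separation(requests_):
    """Return problems found in a set of planned data-root request bodies.

    A protected root inside a public root is flagged: the public root's crawl
    would also create Data resources for those files and attach the LFN_ANY
    template to them (assumption: crawls cover the whole subtree).
    """
    problems = []
    public = [r for r in requests_ if grants_public_access(r)]
    protected = [r for r in requests_ if not grants_public_access(r)]
    for prot in protected:
        for pub in public:
            if _is_within(prot["rootPath"], pub["rootPath"]):
                problems.append(
                    f'protected root {prot["rootPath"]} is inside public root '
                    f'{pub["rootPath"]}; its data would be crawled with '
                    f'{PUBLIC_ROLE} access')
    return problems


if __name__ == "__main__":
    # Constructed plan: the two roots from the combination workflow.
    plan = [
        data_root_request("/path/to/data/public", {PUBLIC_ROLE: ["READ"]}),
        data_root_request("/path/to/data/protected", {"GIS_ANALYST": ["READ"]}),
    ]
    for problem in check_separation(plan):
        print("WARNING:", problem)
    for body in plan:
        print(json.dumps(body, indent=2))
```

Run the check before sending the requests; a non-empty result from check_separation means the public crawl job would publish the protected tree, regardless of the roles configured on the protected root.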