Authorizing for services

SuperMap iServer provides service level permission control. Each service instance can authorize roles separately, multiple service instances can be batch authorized. The relationship between the service instances and the roles is many-to-many. If the system administrator has granted service access permissions to a role, all users and user group associated with this role will also have the access permissions to the service.

Authorizing for services

Log in to iServer Manager, click Service>Service Management, you can view the security status of each service instance: the gray lock identification represents the service instance is accessible anonymously, that is, the service is not locked. The blue lock identification means that the service requires login authentication before access. Click the "Authorization" button to view and modify the authorization information of the service instances, and you can select multiple service instances and click "Authorize" button at the top right of the page for authorization.

Service authorization includes two options:

• Any anonymous user can access. All anonymous users can access SuperMap iServer sample services offered by default.
• The specified user can access, that is, users associated with the specified roles can access this service. Select the desired roles in the table to specify. In addition, there are two additional options available when the service is accessable only by specified users:
• Any logged in user can access, after checking this option all logged in users can access this service.
• No access role, check this option will prohibit specified roles to access current service. Service authorization mechanism takes "Forbidden List" as a priority strategy. So if some roles are listed in the forbidden list, the associated users can't access the service, until the roles are removed from the list.

Access service with the authorized user

If the users associated roles has obtained the authorization of specified service instance, SuperMap iServer will automatically jump to the login page when accessing the service. After users entering their user name, password and got verified, the resources of the service can be accessed.

E.g., if the role "Role1" has obtained the service "data-world/rest" authorization, the role associated user "User1" will automatically inherit the scope of permission of the service, users can login successfully when accessing the service.

If authorized users log in directly when accessing the service, or the applications need to access the service frequently, there may be risk of exposure accounts. In order to avoid the accounts exposure when the authorized users using the service, SuperMap iServer provides Token-based authentication to ensure security of user accounts.