Roles, user types, and permissions

SuperMap iPortal can use, create, share and manage a variety of geographic information resources, including: maps, services, scenarios, data, projects and so on. The ability of each iPortal user to access and use resources in the iPortal portal in different ways depends on the permissions he has in the portal, and permissions are assigned to iPortal users through roles.

• Roles
  • Built-in roles
  • Custom roles
  • Differences and connections between the PORTAL_VIEWER role and PORTAL_USER role
• User types
• Permissions
  • Built-in Permissions
  • Custom Permissions

Roles

SuperMap iPortal's roles include built-in roles and custom roles.

For newly registered users, iPortal's administrators can make the following role settings:

1. Newly registered users are assigned with default roles, including: PORTAL_USER and PORTAL_VIEWER. By default, the PORTAL_USER role is assigned to all newly registered user.The iPortal administrator can set default roles.
2. The newly registered users are assigned with the DATA_CENTER role by default. The iPortal administrator can set don't assign the DATA_CENTER role to newly registered user, for details, refer to: Set whether to assign DATA_CENTER role to registered users by default.

Built-in roles

SuperMap iPortal provides the following built-in roles by default, among which ADMIN, PORTAL_USER, PORTAL_VIEWER are mutually exclusive. In theory, a user cannot have two or three roles at the same time. If they exist at the same time, the roles with lower priority will be ignored. The priority order is ADMIN > PORTAL_USER > PORTAL_VIEWER.

• ADMIN: Built-in system administrator. This role has the use and management rights of the entire SuperMap iPortal by default. Users associated with the ADMIN role can add, edit and delete other users with ADMIN role, which should be used with caution. The system administrator account initially created by SuperMap iPortal cannot be edited or deleted. If you forget the password, you can refer to the FAQ to reset the administrator account.
• PORTAL_USER: The built-in SuperMap iPortal common user role, which has permissions to use the portal, including using, creating, and sharing portal resources.
• PORTAL_VIEWER: The built-in SuperMap iPortal viewer role, which has the right to log in to the portal and view the resources shared with him. For example, a portal viewer can log in to the iPortal to view the maps, services, scenes, projects, data resources, etc. shared with him. While users associated with the PORTAL_VIEWER role cannot create and manage resources by themselves, for example, they cannot register services, create maps, create groups, upload data, etc.
• NOPASSWORD: The role corresponding to the third-party login user. Including QQ, Weibo, CAS accounts, and other users who are not stored through SuperMap iPortal, these users cannot change their passwords through iPortal.
• DATA_CENTER: Built-in SuperMap iPortal data uploader role. The role has the permission to upload data and publish services. Users who are associated with this role also need to be associated with the PORTAL_USER role to log in to the iPortal portal and upload data. While users with this role cannot be associated with the ADMIN and PORTAL_VIEWER roles.

Custom roles

SuperMap iPortal supports the addition of custom roles which can be assigned certain, certain classes or collections of certain types of permissions. For example, you can grant portal domain configuration permissions for a custom role, so the user who associates the role will have portal site configuration capabilities, including home page customization, personal center customization, DataViz customization, directory management, and so on. You can also customize a departmental administrator role and assign permissions to it for resource management and user management, so the department administrator who associates with role can manage the resources and users of the department. For more information about the permission assignment of custom roles, see: Roles mangement.

Differences and connections between the PORTAL_VIEWER role and PORTAL_USER role

In some practical business applications, there are often such users who only need to browse and use the resources in the iPortal without assigning them permission to create and share resources. Such users usually account for a large proportion. If you associate the PORTAL_USER role with them, not only will the permissions assigned to them be too large, but also a large number of user licenses will be taken up, which will outweigh the gains. Based on this, SuperMap iPortal provides the PORTAL_VIEWER role.

The PORTAL_VIEWER role is a newly added viewer role in SuperMap iPortal 9D, which is aimed at users who only need to browse and use the resources shared with them in the iPortal portal. Users whose user type is Viewer can only be associated with the PORTAL_VIEWER role or a custom role with lower permissions than PORTAL_VIEWER and do not occupy the iPortal user license.

1. The differences between the PORTAL_VIEWER role and the PORTAL_USER role are as follows:

• They have different permissions

Users who are only associated with the PORTAL_VIEWER role only have permission to view the resources shared with them. While users who are associated with the PORTAL_USER role have more capabilities. In addition to the permissions of the PORTAL_VIEWER role, they also have the permission to create and share portal resources. For details, see: Roles management.

2. Connections between the PORTAL_VIEWER role and the PORTAL_USER:

• The PORTAL_VIEWER role can be upgraded to the PORTAL_USER role. The administrator needs to remove the PORTAL_VIEWER role and then associate the user with the PORTAL_USER role. The upgraded user will occupy the iPortal user license and have permission to create and share portal resources.
• The PORTAL_USER role can also be downgraded to the PORTAL_VIEWER role. The administrator needs to remove the PORTAL_USER role and then associate the user with the PORTAL_VIEWER role.

User types

The user types of SuperMap iPortal include creators and viewers. The user type determines the roles that a iPortal user can be associated with. The differences between the two are as follows:

• Creator: can associate all built-in roles and custom roles in iPortal, and occupy the number of users license of iPortal
• Viewer: Only the PORTAL_VIEWER role or a custom role with lower permissions than PORTAL_VIEWER can be associated, and does not consume iPortal's user license

iPortal administrators can change the user type of iPortal users in the user management page.

Permissions

The permissions of SuperMap iPortal can be divided into built-in permissions and custom permissions.

Built-in Permissions

The built-in permissions in SuperMap iPortal are divided into very small granularities by different modules, resources, and operations. For permission division, please refer to: Roles management. This facilitates users to assign sufficient and necessary permission sets to custom roles according to their business needs.

Custom Permissions

How are the development results of user extensions controlled by permissions? For example, the front-end extension pages should control the visibility of UI based on custom permissions, and back-end custom RestAPI  should be controlled based on custom permissions  RestAPI  whether it has access rights. In this case, the user can extend the fine-grained permission control item to achieve.

Edit the permissions.json file in the %SuperMap iPortal_HOME%\webapps\iportal\resources\admin-ui\extend directory and write the custom permission expressions in json format. This file can add permission settings for accessing extended pages to the permission list in Roles management, supporting Chinese and English, as follows:

{

    "permissions":[

      {

        "permission": "portal:custom:admin:extendsPage:viewPage1",

        "label": {

          "zh": "View iframe extension example page",

          "en": "View iframe extends page"

        }

      }

    ]

}

• permissions：Permission array
• permission：Single permission name, The definition format of permission expressions needs to be distinguished from the built-in permission expressions in the system, specific recommendations are as follows:

• • Customize regular permission format: portal:custom:user:xxx

  • Customize management authority format: portal:custom:admin:xxx

• label: The description of this permission in the role management permission list. where "zh" is the description in Chinese environment, "en" is the description in English environment

After saving, log in to iPortal as an administrator, and you can see the extended content in the menu items of the administration page.

Regarding how to use custom permission expressions in the frontend, please refer to: Case 1: Extending new management pages in iFrame form, The back-end custom RestAPI determines whether the current user has a certain (custom) permission, which can be determined by the following line of code.

boolean isPermitted = ThreadContext.getSubject().isPermitted("portal:custom:admin:extendsPage:viewPage1");