The following sections cover JMap Server management tasks.
This type of user account management records users and groups directly into JMap Server’s System database or in an external database containing the required tables and fields. The JMap administrator must create and manage all user accounts and groups.
Click on the User manager tab from the Users / Groups section. Select JMap DB user manager to indicate that user accounts will be managed within a relational database. To store information in JMap Server’s System database, select the JMap Server database option.
You can also use any relational database that contains at least the required tables and fields by selecting the External database option. When you do this, an interface displays, allowing you to define the configuration parameters. Using this configuration interface, select the database you wish to use. Afterwards, select the tables and fields containing the various information pertaining to users and groups. If needed, you can select Read-only mode to prevent account information from being modified by JMap Admin.
Once this configuration has been defined, you can create, modify and delete user accounts directly from JMap Admin.
In JMap Admin, the user manager configuration can be accessed by clicking on Users / Groups in the JMap Server section. Select the User manager tab.
The user manager allows you to define how JMap will manage user accounts and groups. There are two ways to manage this information with JMap:
Using the JMap user account database, where you create and delete the user accounts directly from JMap Admin;
By connecting to an existing database of user accounts such as a Windows Active Directory system, an LDAP compatible system or a relational database, or by connecting to an identity manager using protocols such as SAML2 or OpenID Connect.
Several systems can also be combined to be used simultaneously (e.g. the JMap database and Windows Active Directory). These systems are then used as a single system. When JMap Server connects to an existing database, user account management is simplified because no account or user group needs to be created and managed in JMap.
The following sections describe each available option.
When you connect to a user or identity manager that is external to JMap (Active Directory, LDAP, OIDC, SAML2 or an external relational database), it is useful to synchronize JMap Server with the database for two reasons:
When users or groups are deleted from the database and those deleted users or groups had been given permissions in JMap (e.g. to open a project or view certain layers), the permissions are not deleted from JMap Server permission lists. This can happen because JMap Server is not aware the users or groups have been deleted from the database. When synchronizing, JMap Server removes all existing permissions for deleted users and groups. However, even if you don’t synchronize, there is no security problem because deleted users will fail at login.
When the contents of user groups are modified (members added or removed), synchronizing lets JMap Server reload the lists of users that belong to the groups. JMap Server keeps the group member lists in memory for performance reasons.
You can automate the synchronization by selecting the option Synchronize automatically every… and specifying a time period.
This type of user management allows you to combine several managers together. You can add as many user managers as necessary. All user managers will function as a single user manager. Refer to the previous sections for information on user manager configuration.
A composite user manager is recommended if your system integrates several managers or if you wish to transition towards a web-based single sign-on system.
Security management in JMap encompasses several aspects.
Identity management can be handled by JMap Server or assigned to another system, such as Microsoft Active Directory, an LDAP directory, or identity managers with web-based single sign-on (SSO) such as OpenID Connect or SAML. See the Managing Users and Managing User Accounts and Groups sections for more information. JMap also supports single sign-on for JMap Pro users. See the Single Sign-On for JMap Pro section for more information.
Access management, or rather permission management, is applied to all the resources handled by JMap. This includes user access to JMap applications as well as the access permissions of JMap administrators. See the Managing Permissions section for more information.
JMap allows you to easily use the HTTPS protocol for JMap Admin and for the various applications. See section Using HTTPS with JMap for more information.
You can allow users who already have an account in an identity manager that uses SAML2 to connect to JMap Web and JMap NG applications using that account.
SAML is an open standard that establishes a single sign-on between an identity manager and an application server such as JMap. This site provides details on SAML2.
Configuring a SAML2 user manager is complex. Your organization’s IT department will provide the settings related to SAML2. The following table describes the settings related to JMap.
The Status section of JMap Admin provides a lot of useful information for monitoring JMap Server. Additionally, this section provides detailed information on your license agreement. Each part is explained below.
You can allow users who already have an account in OpenID Connect (OIDC) user managers to connect to JMap Web and JMap NG applications using that account.
For detailed information on this protocol, visit the website.
Configuring an OIDC user manager is complex. Your organization’s IT department will provide the OIDC settings. The following table describes the settings related to JMap.
SAML2 user manager
Friendly name
This name allows you to easily identify the SAML2 user manager in JMap Server and identify the users from this manager.
Administrator password
An administrator is automatically created when this manager is used. You must enter the password of this account in this field.
Groups
Unlike with Active Directory and LDAP, user accounts from the SAML2 manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap’s resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap’s resources. When a user connects to a JMap application for the first time, SAML2 assigns the user to one or more of the groups defined in Groups attribute based on the information in that user’s profile. Since the SAML2 user manager is in read-only mode, you cannot create users or groups in JMap’s Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from SAML2. There must be an exact match between the names of the groups in SAML2 and the groups you create using this setting. If a user connects to an application for the first time via SAML2 and his/her profile indicates a group that doesn’t exist in JMap, the group will be created automatically and will be displayed in the Groups section.
Default group
Select the group to which you will assign all users who are not assigned to a group in SAML2 (in Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose profile in SAML2 doesn’t indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project.
Button image
This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the SAML2 manager to log in.
Press Choose to select the image.
The image must have a maximum size of 100 × 100 pixels.
Button label
This text appears in the identification button with the image.
SSO callback URL
Your IT department will provide this information.
Client name
The name given by JMap to the SAML2 user manager. This name integrates and completes the URL of the SAML2 manager.
IdP Metadata
Your IT department will provide this information.
SP Entity ID
Your IT department will provide this information.
Username / ID attribute
Optional setting. Indicates the attribute containing the user name in SAML2. Your IT department will provide this information.
Email attribute
Optional setting. Indicates the attribute containing the email address in SAML2. Your IT department will provide this information.
First name attribute
Optional setting. Indicates the attribute containing the user’s first name in SAML2. Your IT department will provide this information.
Last name attribute
Optional setting. Indicates the attribute containing the user’s last name in SAML2. Your IT department will provide this information.
Groups attribute
Optional setting. Indicates the customizable attribute that allows you to define groups in SAML2 to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting.
General |
|
Version | Complete information on the JMap Server version. Provide this information when requesting technical support. |
IP Address | IP address of the host running JMap Server. |
Port | TCP/IP port used by JMap Server for connections with JMap Pro and other JMap Server instances. |
Sessions |
|
Total active sessions | Number of currently active user sessions. |
Active JMap Pro sessions | Number of current user sessions for JMap Pro applications. The maximum number of sessions authorized by the license for this type of application is indicated. |
Active JMap NG sessions | Number of current user sessions for JMap NG applications. The maximum number of sessions authorized by the license for this type of application is indicated. |
Active JMap Web sessions | Number of current user sessions for JMap Web applications and WFS and WMS services. The maximum number of sessions authorized by the license for this type of application is indicated. |
Active JMap Survey sessions | Number of current user sessions for JMap Survey. The maximum number of sessions authorized by the license for JMap Survey is indicated. |
Active JMap Server sessions | Number of current JMap Server sessions. The maximum number permitted for this type of session is indicated. |
Administrators | User names of administrators currently connected to JMap Admin. The computer host name or IP address from which each administrator is connected is also indicated. |
Resources |
|
Java VM | Version of the Java virtual machine used by JMap Server. |
Process Id | The ID number of JMap Server’s system process. |
Available processors | Number of processors used by the JMap Server process. |
Memory usage | Portion of the allocated memory actually used by JMap Server. |
Memory allocated | Total amount of memory allocated for JMap Server by the operating system. If the memory usage reaches this limit, more memory (if available) will be allocated by the operating system. The maximum memory that can be used by JMap Server is defined in the startup parameters during installation. |
Thread pool usage | Number of simultaneous request processors (threads) currently in use (compared to number of initialized threads). |
Thread pool usage peak | Maximum usage value reached since server startup (helps determine optimal size of initial pool). |
Started since | Date and time JMap Server was last started. |
Cache |
|
Memory cache usage | Proportion of the memory data cache used by JMap Server compared to the defined limit and relative percentage. |
Memory cache efficiency | Number of times requested data is found in the memory cache, expressed as a percentage of the total number of data requests. |
Disk cache usage | Proportion of the disk data cache used by JMap Server compared to the defined limit and relative percentage. |
Disk cache efficiency | Percentage of times requested data is found in the disk cache compared to the total number of data requests. |
Update(s) available |
|
|
Extension | Installed version | New version available |
OIDC user manager |
|
Friendly name | This name allows you to easily identify the OIDC user manager in JMap Server and identify the users from this manager. |
Administrator password | An administrator is automatically created when this manager is used. You must enter the password of this account in this field. |
Groups | Unlike with Active Directory and LDAP, user accounts from the OIDC manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap’s resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap’s resources. When a user connects to a JMap application for the first time, OIDC assigns the user to one or more of the groups defined in Groups attribute based on the information in that user’s profile. Since the OIDC user manager is in read-only mode, you cannot create users or groups in JMap’s Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from OIDC. There must be an exact match between the names of the groups in OIDC and the groups you create using this setting. If a user connects to an application for the first time via OIDC and his/her profile indicates a group that doesn’t exist in JMap, the group will be created automatically and will be displayed in the Groups section. |
Default group | Select the group to which you will assign all users who are not assigned to a group in OIDC (in Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose OIDC profile doesn’t indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project. |
Button image | This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the OIDC manager to log in. Press Choose to select the image. The image must have a maximum size of 100 |
Button label | This text appears in the identification button with the image. |
SSO callback URL | Your IT department will provide this information. |
Client name | The name given by JMap to the OIDC user manager. This name integrates and completes the URL of the OIDC manager. |
Discovery URI | Your IT department will provide this information. |
Client ID | Your IT department will provide this information. |
Client secret | Your IT department will provide this information. |
Scope | Your IT department will provide this information. |
Response type | Your IT department will provide this information. |
Response mode | Your IT department will provide this information. |
Use nonce | Your IT department will provide this information. |
With state | Your IT department will provide this information. |
Disable PKCE | Your IT department will provide this information. |
Username / ID attribute | Optional setting. Indicates the attribute containing the user name in OIDC. Your IT department will provide this information. |
Email attribute | Optional setting. Indicates the attribute containing the email address in OIDC. Your IT department will provide this information. |
First name attribute | Optional setting. Indicates the attribute containing the user’s first name in OIDC. Your IT department will provide this information. |
Last name attribute | Optional setting. Indicates the attribute containing the user’s last name in OIDC. Your IT department will provide this information. |
Groups attribute | Optional setting. Indicates the customizable attribute that allows you to define groups in OIDC to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting. |
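The first-login group assignment described in the SAML2 and OIDC tables above, modelled as an added example (not JMap code; the class, function and sample names are hypothetical). It replays constructed logins to show which Groups attribute values would create a new group because they miss a predefined name by case or spacing alone, and which users fall into the default group.

```python
# Added example: a model of the behaviour the SAML2 / OIDC tables describe.
# Not JMap code; every name below is hypothetical.
from dataclasses import dataclass, field


@dataclass
class SsoGroupModel:
    predefined: set        # names entered in the "Groups" setting
    default_group: str     # the "Default group" setting
    auto_created: set = field(default_factory=set)

    def assign(self, claimed_groups):
        """Return the groups a user is placed in at first login."""
        claimed = [g for g in (claimed_groups or []) if g]
        if not claimed:
            # Nothing in the Groups attribute: the user goes to the default group.
            return {self.default_group}
        for name in claimed:
            if name not in self.predefined:
                # The exact match failed, so a new group appears automatically.
                self.auto_created.add(name)
        return set(claimed)


def normalize(name):
    # Fold case and collapse whitespace to spot names that differ only cosmetically.
    return " ".join(name.split()).casefold()


def audit(model, logins):
    """Replay logins (user -> Groups attribute values) and report what an
    administrator should review before granting permissions."""
    by_norm = {normalize(g): g for g in model.predefined}
    default_users = []
    for user, claimed in logins.items():
        model.assign(claimed)
        if not any(claimed or []):
            default_users.append(user)

    near_miss, unmatched = {}, []
    for name in sorted(model.auto_created):
        intended = by_norm.get(normalize(name))
        if intended is not None:
            # Same name apart from case or spacing: probably meant to be `intended`.
            near_miss[name] = intended
        else:
            unmatched.append(name)

    return {
        "near_miss": near_miss,                    # likely typos on either side
        "unmatched": unmatched,                    # groups known only to the IdP
        "default_group_users": sorted(default_users),
    }


# Constructed sample data: user name -> values of the Groups attribute.
SAMPLE_LOGINS = {
    "alice": ["GIS-Editors"],
    "bob": ["gis-editors"],
    "carol": [],
    "dave": ["Contractors", "GIS-Viewers"],
    "erin": None,
}

if __name__ == "__main__":
    model = SsoGroupModel(
        predefined={"GIS-Editors", "GIS-Viewers", "Guests"},
        default_group="Guests",
    )
    for key, value in audit(model, SAMPLE_LOGINS).items():
        print(f"{key}: {value}")
```
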
License information |
|
Model | Licensing model in use. Click on the link to view the content of the license agreement. |
Licensed to | Organization licensed to use JMap Server. |
Serial number | Unique serial number of JMap Server. |
Maximum users | Maximum number of users that can be created in JMap, according to license. |
Maximum concurrent JMap Pro sessions | Maximum number of concurrent sessions that can be opened by JMap Pro applications, according to license. |
Maximum concurrent JMap NG sessions | Maximum number of concurrent sessions that can be opened by JMap NG applications, according to license. |
Maximum concurrent JMap Web sessions | Maximum number of concurrent sessions that can be opened by JMap Web applications, according to license. |
Maximum concurrent JMap Survey sessions | Maximum number of concurrent sessions that can be opened by JMap Survey, according to license. |
Maximum projects | Maximum number of projects that can be created in JMap, according to license. |
Multiple sessions | Authorization to have multiple concurrent sessions for the same user. |
Expiration | Expiration date of the license. Beyond this date, JMap Server will refuse to start. |
Licensed products | List of JMap modules that are authorized by the license. |
Browse |
Reload | Click on this button to have the license file reread by JMap Server without interrupting its operation. |
Each user that is connected to JMap Server using a JMap application has an open session on the server. The session remains open as long as the JMap application is not closed. Sessions contain information about the identity of the user. Depending on your license agreement, you may be limited to a certain number of simultaneous sessions.
To access the session management section, click on Sessions in the JMap Server section.
Six different types of sessions are possible:
You can view the list of open sessions. By selecting the Active sessions tab, the list of current sessions will be displayed along with useful information on each session. You can close open sessions by selecting them and clicking on Close session(s).
Reserved sessions are special sessions for users who have priority over the other users. These users can always open a JMap Pro, NG, Web or Survey session, even if the maximum number of sessions is reached, according to your license. These reserved sessions are recorded separately from the rest of the sessions.
If your JMap user license permits it, you can assign a certain number of reserved sessions to the users of your choice. Press to select a user and assign him/her a reserved session. Once the maximum number of reserved sessions has been assigned, you cannot assign any to other users. You can remove a reserved session from a user by selecting that person’s name and clicking on .
Session statistics provide basic information on user activity over time. You can determine the total number of sessions over a given period and the highest number of concurrent sessions reached over a period of time. Statistics are displayed in a bar graph. Click on Update to generate the graph.
The sessions information is stored in the JMap System database for a period of 18 months. Sessions that are older than 18 months are automatically deleted from the System database.
Click on this button to upload the license file in JMap Server.
Display
Select the information to display, either the Total number of sessions or the Highest number of concurrent sessions.
Users
Select one or more users for which the information will be displayed.
Time unit
Select the time unit to be used to display information. Possible units are Hour, Day, Week or Month.
Single sign-on provides a secure way for users to access JMap Pro applications without a separate login. The Windows session authentication is used to automatically launch the JMap session.
Single sign-on is only available for Windows environments using Active Directory. A special configuration is required on the Windows server and on each computer where single sign-on is wanted.
The Enable single sign-on option must also be selected when deploying a JMap Pro application.
For more details on single sign-on configuration, refer to this article.
JMap Pro
This type of session is used when a user connects to JMap Server using a JMap Pro application. The number of concurrent sessions of this type is defined by your JMap license.
JMap Survey
This type of session is used when a user connects to JMap Server using JMap Survey. The number of concurrent sessions of this type is defined by your JMap license.
JMap Web
This type of session is used when a user connects to JMap Server using a JMap Web application or a WMS or WFS service. The number of concurrent sessions of this type is defined by your JMap license.
JMap NG
This type of session is used when a user connects to JMap Server using a JMap NG application. The number of concurrent sessions of this type is defined by your JMap license.
JMap Admin
This type of session is opened when a user connects to JMap Admin to administer JMap Server. This type of session is not controlled, therefore the number of concurrent JMap Admin sessions is unlimited.
JMap Server
This type of session is used when a JMap Server connects to another JMap Server. The session opens on the server that accepted the connection. This type of session is used for JMap to JMap data sharing. This type of session must be authorized by your JMap user license.
You can connect to Windows Active Directory (in read-only mode).
In order for the Active Directory user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ad=com.kheops.jmap.server.security.ActiveDirectoryUserManager
We recommend you use the Composite user manager instead of simply using the Active Directory user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of Active Directory.
In the User manager section, select the Composite user manager and add the Active Directory user manager. A new interface opens, allowing you to enter the settings to configure the connection to the Active Directory server.
Log files contain information on the activities that are performed in JMap Server. The quantity of events written in the log files depends on the selected logging level. By default, a new log file is created every day but this parameter can be adjusted. By default, log files are located in the directory JMAP_HOME/logs. You may need to periodically check the volume of the log files and archive or delete old ones.
Log files (and error files) can be viewed directly in JMap Admin. Select the name of a file from the list to open it. The content of the file is displayed. Note that error files are also listed along with log files. The error files contain only error messages that can sometimes complement the log files to help solve a problem.
The view window allows you to filter the content by event type, date, keyword, etc. You can also download the file by clicking on Download.
Log files can be analyzed in order to provide a summary of the activity of JMap Server. For instance, they can inform you of the number of sessions for each user, the number of server shutdowns, authentication failures, etc. To analyze log files, select one or more files in the list and click on Analyze.
You can connect to any LDAP compliant directory (in read-only mode). Unix, Linux and Windows systems offer many LDAP compliant directories.
In order for the JMap LDAP user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ldap=com.kheops.jmap.server.security.LDAPUserManager
We recommend you use the Composite user manager instead of simply using the LDAP user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of LDAP.
In the User manager section, select the Composite user manager and add the JMap LDAP user manager. A new interface opens, allowing you to enter the settings to configure the connection to the LDAP server.
For more information on the LDAP protocol, refer to http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
In JMap, user accounts and groups are used for access control and collaboration purposes. You can manage users and groups in JMap Admin by clicking on Users / Groups from the JMap Server section.
This section presents three tabs: Users, Groups and User Manager.
Two special users and two special groups always exist in JMap: administrator, anonymous, everyone, and authenticated users.
You can create a new user or group by pressing Create from the Users / Groups section. This will bring you to the new user or group configuration section.
You can only create users and groups if you are using the JMap account database or an external database that is not in read-only mode.
You can modify an existing user or group by clicking on its name in the list.
Once a user is created, its user name cannot be modified.
You can delete a user or group by selecting it in the list and pressing Delete.
Permissions in JMap are divided into two families: permissions for the users of applications (Pro, Web, NG and Survey) and permissions for the administrators (JMap Admin).
User permissions determine what the users can do inside JMap Pro, JMap Web, and JMap Survey applications.
The following table presents the different permission groups that are available for the users.
Administrator permissions determine what JMap administrators are authorized to do in JMap Admin. Some permissions are global (permissions to do some tasks) while other permissions apply to specific resources.
Several of the global permissions are configured in the Permissions subsection of the JMap Server section. The following table describes the global administration permissions:
Administration permissions that are specific to resources determine what an administrator can do with each resource. The following table describes those permissions:
Most resources managed in JMap Admin have one or more owners. Owners of a resource are the only ones that are allowed to:
manage administration permissions for the resource;
manage the list of owners for the resource;
delete the resource.
Super administrators are special accounts that can do everything in JMap Admin. They are the only ones who are allowed to:
manage the list of super administrators;
manage global administration permissions;
manage users and groups;
modify JMap Server’s working parameters;
display the log files;
import and export configurations.
You can manage the list of super administrators from subsection Permissions in section JMap Server. Select the Super administrators tab.
The following table presents administration tasks with examples, and indicates which profile or permission is required to perform each task.
To add users to a group, press and a list of available users will be displayed. Select the users to add to the group and press Add.
To remove users from a group, select the users to remove and press .
Permission reports allow you to view all the permissions that a user or a group has on a single report. A permission report is a convenient way to get the information without checking every resource. The reports are accessible from the Users and Groups tabs in the Users / Groups section, by clicking on .
Active Directory
Friendly name
Name used to easily identify the Active Directory user manager.
Server address
Address of the Windows domain controller server configured with Active Directory. You can add several Active Directory servers by separating them with a space.
Example
ldap://host1 ldap://host2
where host1 and host2 are the Active Directory server URLs. Active Directory is based on LDAP.
DN
Unique identifier (Distinguished Name) pointing at the root of the directory. Composed of a list of DC (Domain Component) entries.
Example
dc=k2,dc=com
Domain
Name of the Windows domain.
Example
k2.com
User / SPN
User name that JMap Server will use to connect to the Active Directory. It is recommended to create a user especially for JMap. Its password should never expire. If you wish to use single sign-on, you will have to create an SPN (Service Principal Name) associated with this user. See Single Sign-On for more details.
Password
Password of the user JMap Server will use to connect to the Active Directory.
Admin. password
A user named administrator must always exist in JMap. If no administrator user exists in the Active Directory, JMap will simulate one. In such a case, provide the password associated with this user. If the user administrator does exist in the Active Directory and a password is entered, this password will simply be ignored.
Enable single sign-on
Enables the single sign-on option. See Single Sign-On for more details.
Default / Custom LDAP configuration
Active Directory is based on LDAP. This option allows for the use of LDAP parameters that are most commonly used for Active Directory. However, if those parameters don’t match the ones in use, it is possible to specify custom values. The settings are described in the following section, JMap LDAP user manager.
Max page size
Active Directory limits the transaction size to a maximum number of records at a time (page size). The value of this parameter must not be greater than the maximum size authorized by Active Directory (1000 is the default value in Active Directory). If the size is too small, this can reduce performance. A size greater than the authorized limit will cause missing data in the user list.
Log level
The maximum level of the messages added to the log files. For example, if Warning is selected, only messages with a level of Warning, Error or Fatal will be written in the log files. The following log levels are available (listed in descending order):
All: Every event is written. Use only to solve a problem.
Debug: Debug level events are written. Use only to solve a problem. All lower level events are also written.
Info: Information level events are written. This includes user logins. All lower level events are also written.
Warning: Warning (non serious) level events are written. All lower level events are also written.
Error: Error (serious) level events are written. All lower level events are also written.
Fatal: Only fatal error (very serious) events are written.
Off: Nothing is written.
Log file directory
Directory where to create the log files. Default is under JMAP_HOME/logs. Make sure there is sufficient disk space to hold log files.
File age limit
The file age limit determines how often new log files are created. The current log file is always called jmap_log. When a new file is created, the current log is renamed to include the date (e.g. jmap_log_2006_05_23.log).
Messages to console
Determines if events will also be written in JMap Server screen console. This is useful for tests or development but should be turned off during production. Moreover, when JMap Server has no output console (started as a background process or as a service on Windows), this option is useless and consumes server resources for nothing.
JMap LDAP user manager
Friendly name
Name used to easily identify the LDAP user manager.
Server URL
LDAP server address. You can add several LDAP servers by separating the addresses with a space.
Example
ldap://host1 ldap://host2
where host1 and host2 are the URLs of the LDAP servers.
DN
Unique identifier (Distinguished Name) used to define the root of the directory. Includes a list of Domain Component entries.
Example
dc=k2geospatial,dc=com
User
User name that will be used by JMap Server to connect to the LDAP directory. It is recommended to have a user created specifically for JMap purposes. This user’s password should never expire.
The user name must be accompanied by the domain the user belongs to.
Example
cn=admin,dc=k2geospatial,dc=com
Password
The user password that JMap Server will use to connect to the LDAP directory.
Admin. password
A user named administrator must always exist in JMap. If there is no administrator user in the LDAP directory, JMap will simulate one. In this case, you must provide the password associated with this user. If the administrator user exists in the LDAP directory and a password is entered, it will be ignored.
Use prefix and suffix
Select this option if the LDAP server uses a prefix and a suffix for user authentication.
Authentication prefix
Some LDAP servers require a prefix to be concatenated with the user name in order to proceed with authentication.
Example
Prefix: a_domain\
User: a_user
Result: a_domain\a_user
Authentication suffix
Some LDAP servers require a suffix to be concatenated with the user name to proceed with authentication.
Example
Suffix: @a_domain
User: a_user
Result: a_user@a_domain
User class
Name of the LDAP object class used to identify a user in the LDAP directory. This setting and the ones that follow depend on the internal structure of the LDAP server, i.e. the way the users are organized into groups. They are used to identify the LDAP users and groups, so you must enter the values that correspond to the LDAP server to which you connect.
Group class
Name of the LDAP object class used to identify a group in the LDAP directory.
User filter
Search filter used to extract users from the LDAP directory. This filter must be formatted according to the standard LDAP syntax.
Group filter
Search filter used to extract groups from the LDAP directory. This filter must be formatted according to the standard LDAP syntax.
User attribute
The attribute of an LDAP user that defines this user’s identity.
Group attribute
The attribute of an LDAP group that defines this group’s identity.
Member attribute
The attribute of an LDAP group that defines which users are members of this group.
Full name attribute
The attribute of an LDAP user that defines this user’s full name.
Email attribute
The attribute of an LDAP user that defines this user’s email address.
Max page size
In LDAP directories, the size of transactions is limited to a maximum number of records at a time (the page size). The value of this parameter must not exceed the maximum size permitted by the directory (1000 is the default value in LDAP directories). If the size is too small, this could affect performance. If the size is larger than the authorized limit, data will be missing in the user list.
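A syntax check for the User filter and Group filter values described above, as an added example that is not part of JMap: a small Python parser for the standard LDAP filter grammar (RFC 4515) that reports the offset where a filter string stops being valid. The function names and the sample filters are assumptions made for this illustration.

```python
import re

# RFC 4515 attribute description (name with ;options, or dotted OID) and the
# extensible-match operator: optional ":dn", optional ":matchingRule", ":=".
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)+")
_EXT = re.compile(r"(?::dn)?(?::[A-Za-z0-9.-]+)?:=")
_OPS = ("~=", ">=", "<=", "=")


class FilterError(ValueError):
    """The message includes the offset where the filter stops being valid."""


def parse_filter(text):
    """Parse one RFC 4515 filter string into a nested tuple tree."""
    node, pos = _filter(text, 0)
    if pos != len(text):
        raise FilterError(f"unexpected text at offset {pos}")
    return node


def _filter(s, i):
    if s[i:i + 1] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, children, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            child, i = _filter(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError(f"wrong number of sub-filters for '{op}' at offset {i}")
        node = (op, children)
    else:
        node, i = _item(s, i)
    if s[i:i + 1] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def _item(s, i):
    m = _ATTR.match(s, i)
    if not m:
        raise FilterError(f"expected attribute name at offset {i}")
    attr, i = m.group(), m.end()
    ext = _EXT.match(s, i)
    op = ext.group() if ext else next((o for o in _OPS if s.startswith(o, i)), None)
    if op is None:
        raise FilterError(f"expected =, ~=, >= or <= at offset {i}")
    start = i = i + len(op)
    while i < len(s) and s[i] != ")":
        if s[i] in "(\0" or (s[i] == "*" and op != "="):
            raise FilterError(f"{s[i]!r} is not allowed at offset {i}")
        if s[i] == "\\":  # special characters must be written as \XX hex
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
                raise FilterError(f"bad \\XX escape at offset {i}")
            i += 2
        i += 1
    return (op, attr, s[start:i]), i


def check(filters):
    """Map each setting name to None (valid) or the parser's error message."""
    report = dict.fromkeys(filters)  # None means the filter parsed cleanly
    for name, value in filters.items():
        try:
            parse_filter(value)
        except FilterError as exc:
            report[name] = str(exc)
    return report


# Constructed sample values; the group filter lacks its closing parenthesis.
SAMPLE = {"User filter": "(&(objectClass=person)(|(mail=*)(cn=a*)))",
          "Group filter": "(objectClass=groupOfNames"}

if __name__ == "__main__":
    print(check(SAMPLE))
```

A literal parenthesis inside a value has to be written as \28 or \29; the parser rejects the unescaped form and accepts the escaped one.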
Administrator
The administrator user allows you to access JMap Admin following a new installation (this user has administration rights in JMap). This user’s password field is left blank; it is therefore highly recommended to add a password as soon as possible. Read below for more information. The administrator user always exists in JMap and cannot be deleted.
Anonymous
The anonymous user allows users who are not authenticated to access certain resources. It can be used to configure access to a project without authentication, for instance. The anonymous user always exists in JMap and cannot be deleted. In addition, this user’s password (blank) cannot be modified.
Everyone
The everyone group is used to give all users access to a resource, provided they are authenticated. The everyone group is not displayed in the list of JMap groups. It is only visible in interfaces that allow you to define permissions, where applicable.
Authenticated users
The authenticated users group is used to allow all users except anonymous to access a resource. Authentication is required for this group.
Users
User name
Enter a unique user name (login name) for the new user. You will not be able to save it if the name already exists.
Password
Enter a password for the new user. The password field can be empty but this is not recommended. Passwords are encrypted. Users of JMap Web applications can change their password from the application. This is only possible if the user accounts are managed with JMap DB user manager.
Confirm password
Enter the password a second time to confirm.
Full name
Enter the full name (first name and last name) for the new user. This is optional.
Enter the email address of the new user. It is used when sending maps to the user. This is optional.
Hidden
Select this option if you want the new user to be hidden from user directories.
Groups
Group name
Enter a unique group name for the new group. You will not be able to save it if the name already exists.
Permissions on projects
See section Project Permissions for more information.
Permissions on layers
See section Layer Permissions for more information.
Permissions on personal layers
Create personal layers
This permission gives a user the right to create personal layers in JMap Pro applications. By default, JMap users are not allowed to create personal layers. You can configure this permission in the Permissions subsection of the JMap Server section.
Permissions on forms
See section Database Forms for more information.
Access JMap Admin
This permission is required for an administrator to access JMap Admin.
After the installation of JMap, only the administrator user has this permission.
Note that the password is initially left empty for this user. It is strongly recommended to enter a password for the administrator user. See section Users and Groups for more information on modifying passwords. Also make sure to leave at least one user with this permission and with a known password. Otherwise, it will be impossible to access JMap Admin.
Create database
This permission is required for an administrator to create new databases in JMap Admin.
Create remote connection
This permission is required for an administrator to create new connections to remote JMap Server instances in JMap Admin.
Create deployment
This permission is required for an administrator to create new application deployments in JMap Admin.
Create metadata templates
This permission is required for an administrator to create new metadata templates in JMap Admin.
Create style templates
This permission is required for an administrator to create new style templates in JMap Admin.
Create project
This permission is required for an administrator to create new projects in JMap Admin.
Create data source
This permission is required for an administrator to create new spatial data sources in JMap Admin.
Access …
The administrator can view the detailed information of a resource and use the resource, but cannot modify it. Example: To use a spatial data source in order to create a layer, the administrator must at least have the Access permission on the data source.
Administrate …
Allows the administrator to modify the resource and manage the user permissions for the resource. Does not allow the administrator to delete the resource or manage its administration permissions. Example: To add a layer in a project, the administrator must have the Administrate permission for the project.
Use SQL console
(Applies only to databases) Allows the administrator to use the SQL console on the database. The SQL console is used to show the database structure and to execute SQL queries on the database.
Remote access
Allows the administrator to access the resource from another instance of JMap Server. This permission is generally granted to a generic account used to open communication sessions between different instances of JMap Server. For more information, see sections Sharing Layers and Sharing Spatial Data Sources.
Tasks | Super Administrator | Administrator |
Access JMap Admin | YES | If permission Access JMap Admin |
Manage the list of Super administrators | YES | NO |
Manage global administration permissions • Give an administrator permission to create projects • Remove an administrator’s permission to create spatial data sources • Give an administrator permission to create metadata templates for layers | YES | NO |
Perform management tasks for JMap Server • Modify JMap Server’s working parameters (ports, memory, etc.) • Manage users and groups • Import and export JMap Server configurations • View log files or modify their settings | YES | NO. Can change user account password |
Create a resource • Create a project • Create a database • Create an application deployment | YES | If permission Create … |
Use a resource • Use a database to create a spatial data source • Use a data source to create a layer • Use a connection to JMap Server to create a layer by reference | YES | If permission Access … |
View detailed information about a resource • Click on a database and view all of its parameters • Click on a project to view all of its parameters | YES | If permission Access … |
Modify a resource • Change the name of a project • Add a layer in a project • Modify the connection parameters for a database • Modify the projection of a spatial data source | YES | If permission Administrate … |
Delete a resource • Delete a project • Delete an application deployment • Delete a style template | YES | If owner of the resource |
Manage user permissions of a resource • Give a user permission to open a project • Give a user permission to edit the elements of a project layer • Remove a user’s permission to copy the data of a project layer | YES | If permission Administrate |
Manage the administrator permissions of a resource • Give an administrator permission to use a spatial data source • Give an administrator permission to modify a project • Remove an administrator’s permission to modify a database | YES | If owner of the resource |
Manage the list of owners of a resource | YES | If owner of the resource |
These parameters have an impact on the behaviour and performance of a JMap Server system.
Press Save to save all modifications.
Click on to reread parameters from configuration files if they have changed.
The configuration files are located in JMAP_HOME/conf.
Usage statistics offer the JMap administrator information on the usage of projects, layers, and contexts. JMap Server records some of the users’ activity and allows you to generate reports, which contain statistics on the use of resources in JMap Pro, JMap NG and JMap Web applications. This data can be useful to assess the relevance of projects or layers that are seldom or never used.
In order for usage data to be recorded, you must select the Usage statistics option when creating or editing a project. For more details on this topic, refer to the section. When exporting or importing your project, your choice will be saved in the exported configuration.
Thus, whenever a user opens a project, views a layer, or views or creates a context in a JMap Pro, JMap NG or JMap Web application, this activity will be automatically recorded in a temporal table of the System database.
Every night, at a set time, the data will be aggregated into two tables (JMAP_STATISTICS_MONTHLY and JMAP_STATISTICS_YEARLY), and it will then be displayed in this section of JMap Admin.
The data aggregation frequency can be configured in JMap’s settings. To do so, you must modify the server.statistics.config.cron variable in the jmapserver.properties file, which is found in the JMAP_HOME/conf folder. If the server.statistics.config.cron variable is not in the jmapserver.properties file, the aggregation runs by default every day at 2 am (server.statistics.config.cron=0 2 * * *). To change the aggregation frequency, the server.statistics.config.cron variable must be added manually to the properties file. This page offers details about cron expressions.
Information about the activity of users who were deleted is recorded in both tables. The details of the aggregation functions are found in JMap Admin’s REST API.
Information entered in the temporal table will differ slightly between JMap Pro and JMap Web applications. Usage data originating from JMap Pro will be saved when the JMap Pro application is closed, or when the project is closed because the user has switched to another project.
Click on Apply to generate the statistics by project. Click on Reset to delete the statistics.
Click on Apply to generate the statistics by layer. Click on Reset to delete the statistics.
Select the filter you wish to use and click on Apply to display the settings used to define the calculation. Once the settings have been completed, click on Apply again to produce the statistics. Click on Reset to delete the statistics.
You can export the generated report in Excel or PDF format. To do so, once the statistics have been calculated, click on Excel or PDF to automatically download a file in the selected format.
HTTP Proxy |
|
Host | Host name or address of HTTP proxy server. Is used if JMap Server must go through an HTTP proxy to access systems outside of the local network. |
Port | TCP/IP port used to connect to the HTTP proxy server. |
Username | Username used to connect to the HTTP proxy server. |
Password | Password used to connect to the HTTP proxy server. |
SMTP (Mail server) |
|
Host | Host name or address of SMTP server. JMap Server requires an SMTP server to send emails. |
Port | TCP/IP port used to connect to SMTP server. |
Username | Username used to connect to the SMTP server (if needed). |
Password | Password used to connect to the SMTP server (if needed). |
Encryption | Select an encryption method if required by the SMTP server. |
File browser |
|
Allow upload | Select this option if you allow uploading files to JMap Server directly from JMap Admin. |
Max. upload file size | Specify the maximum size of a file to upload. Select the Unlimited option if you do not set a limit on file size. |
Upload root folder | Specify the directory where the uploaded files will be copied. Each administrator account in JMap has a subdirectory automatically created in the JMAP_HOME/Data/Uploads directory. Uploaded files are accessible to all JMap Admin users. The Uploads directory is also available when creating spatial data sources. |
WebSocket server |
|
Enabled | Check this option to enable the WebSocket server inside Tomcat. The option is disabled by default. |
Type | Indicate the type of server: Local or External. |
URL | Enter the URL of the WebSocket server. |
Route Logistics Service |
|
URL | Enter the URL of the RLS service to use (e.g. https://rls.jmaponline.net/rls/rest/v1.0). This service allows you to geocode addresses and calculate optimal routes. |
Client ID | Enter your organization’s unique key that allows you to use the RLS services. |
Loaded parameters |
|
Database drivers | List of loaded database drivers. New drivers can be added by creating new configuration files in the directory JMAP_HOME/conf/db on the server. |
Custom spatial data sources | Spatial data sources related to certain specific applications. |
Projections | List of loaded projections. New projections can be created by adding entries in the file JMAP_HOME/conf/projections.properties on the server. |
Element factories | Map element generation modules related to certain specific applications. |
User managers | List of loaded user manager modules. User managers are used to manage users and groups and they provide the authentication service used in JMap Server. |
From | Select the start date of the period for which the statistics will be calculated. |
To | Select the end date of the period for which the statistics will be calculated. |
Project name | Select the project that contains the layer(s) whose statistics you want to calculate. |
User | Select the user whose statistics you want to obtain. If the user who opened the project was deleted from JMap, his or her usage statistics will be added to the System user and displayed under this user. |
Layer name | Enter the name or part of the name of the layer(s) whose statistics you want to calculate. |
View count | The result indicates the number of times the user viewed the layer(s) in a JMap Pro, JMap NG or JMap Web application. One view will be counted for each user session. When the layer is visible in the map, one view is counted. If the user disables the layer’s visibility and enables it again during a session, only one view will be counted. Note that the data originating from JMap Pro will be saved when the application is closed, or when the project is closed because the user has switched to another project. |
From | Select the start date of the period for which the statistics will be calculated. |
To | Select the end date of the period for which the statistics will be calculated. |
Filter | Three filters allow you to calculate various statistics. Created by user: Calculates the number of contexts created by the user for a given project. Used by project: Calculates the number of times a public context is opened by all JMap Pro users for a given project. Used by project and user: Calculates the number of times a public context is opened by a JMap Pro user for a given project. JMap Web and JMap NG contexts are private. JMap only calculates the statistics for public contexts, used in JMap Pro applications. |
User | Select the user whose statistics you want to obtain. If the user who opened the project was deleted from JMap, his or her usage statistics will be added to the System user and displayed under this user. |
Project name | Enter the name of the project for which you wish to obtain statistics on the contexts. |
Create count | Calculates the number of contexts created during the selected period for the user and project selected in JMap Web, JMap NG and JMap Pro applications. |
Context name | Enter the name of the public context for which you wish to obtain statistics. |
Use count | Indicates the number of times the public context was opened, either by all users of a project in a JMap Pro application, or by a specific user of a project in a JMap Pro application. |
From | Select the start date of the period for which the statistics will be calculated. |
To | Select the end date of the period for which the statistics will be calculated. |
User | Select the user whose statistics you want to obtain. If the user who opened the project was deleted from JMap, his or her usage statistics will be added to the System user and displayed under this user. |
Project name | Enter the name of the project for which you want to obtain statistics. You can enter part of the project’s name, and all the projects whose names coincide in part with the name you entered will be displayed. |
Open count | The result indicates the number of times that the user opened the project in a JMap Pro, JMap NG or JMap Web application. Note that the data originating from JMap Pro will be saved when the application is closed, or when the project is closed because the user has switched to another project. |
The HTTPS protocol allows you to use JMap in a more secure way by encrypting all communication between JMap applications, JMap Admin, and JMap Server.
In order to use HTTPS with JMap Admin, you must install a security certificate in JMap Server. A security certificate is required for data encryption.
During the JMap installation process, an option is available to create and automatically install a temporary security certificate. This type of certificate ensures communication will be well secured, but it will cause warning messages to display in web browsers because it is not issued by a recognized security organization (CA or Certificate Authority).
You can also install a security certificate issued specifically for your organization, if you have one. For detailed steps on how to install a certificate, read the following article: https://k2geospatial.atlassian.net/wiki/x/EQAtAQ.
Once the security certificate has been installed in JMap Server, you can launch JMap Admin with a URL similar to the following:
https://myserverjmap (assuming the default port 443 is used)
At any time, if you wish to force the use of the HTTPS protocol for JMap Admin, you can enable automatic redirection. For more information, refer to the JMap Server Settings section.
When you deploy JMap Pro or Web applications with JMap Admin, you can indicate which protocol (HTTP or HTTPS) will be used for communication between the application and JMap Server. If the deployment type is local (app hosted on JMap Server), the HTTPS protocol is available only if a security certificate is installed on the JMap Server. This is the same certificate that is used for JMap Admin (read above). If the deployment type is external (app hosted on another Web server), both protocols are always offered.
For JMap Pro, the HTTP and HTTPS protocols are used only if the Proxy connection option is selected during deployment.
JMap Cloud |
Host | Must be a valid URL. A test is done by calling /server-info when saving. |
API Key | Enter the API key of your organization. This API key is used to authenticate you to connect to JMap Cloud. |
Organisation identifier | Enter the unique identifier of your organization allowing you to connect to JMap Cloud. Must be a valid UUID. The validation is done only if a valid API key is given. |
Default owner’s identifier of newly created resources | Enter the email to identify the user that will be assigned the synched resources. The validation is done only if a valid API key is given. |
API Keys |
Google | Enter the API key of your organization that allows you to use Google services. |
Bing | Enter the API key of your organization that allows you to use Bing services. |
Mapbox | Enter the API key of your organization that allows you to use Mapbox cache and layers. |
GeoWebCache |
|
URL (1-4) |
Username | User name used to connect to the GeoWebCache server. |
Password | Password used to connect to the GeoWebCache server. |
General |
|
JMap Server name | You can give a name to this JMap Server instance. This name will be displayed in the authentication screen and in the JMap Admin header. |
Default language | You can select the default language that will be selected automatically when creating new projects. |
Available languages | You can select the available languages that will be automatically selected when creating new projects. |
Network |
|
Preferred external service address | The proxy address used to deploy the applications. When configuring a new deployment, you can change the local address to this external address. |
Preferred JMap Server address | The local address of JMap Server used to deploy the applications. When configuring a new deployment, you can change the external address to this local address. |
Server port | TCP/IP port used by JMap Server for connections with JMap Pro and other instances of JMap Server. |
Web server port | TCP/IP port used by the integrated JMap Server web server for HTTP requests. Used for JMap Admin and local application deployments. |
Web server port (https) | TCP/IP port used by the integrated JMap Server web server for HTTPS requests. |
Caching |
|
Memory size | Size of memory cache. Holds previously loaded vector data tiles to minimize data source queries. This helps improve JMap Server performance. Cache statistics can be viewed in the JMap Server Status section. |
Disk size | Size of disk cache. Its operation is similar to the memory cache. Unlimited size is recommended. |
Imaging size | Size of memory cache dedicated to imaging operations. This cache is used by JMap Server when processing image files (raster data sources that read image files). It dramatically helps improve JMap Server performance when working with high volume images. |
HTTPS |
|
Redirect |
Enter the URL of JMap Cloud. The default value is .
Enter one or more URLs to connect to the GeoWebCache server. Only one URL is necessary, but entering several URLs that point to the same server will optimize the use of this type of server. Configuring settings for GeoWebCache is optional but offers better performance for JMap Web applications. Refer to the section for more information.
Automatically redirects JMap Admin users to a secure connection (https). This option is only available if there is a security certificate. For more information, refer to .