This type of user account management records users and groups directly into JMap Server’s System database or in an external database containing the required tables and fields. The JMap administrator must create and manage all user accounts and groups.
Click on the User manager tab from the Users / Groups section. Select JMap DB user manager to indicate that user accounts will be managed within a relational database. To store information in JMap Server’s System database, select the JMap Server database option.
You can also use any relational database that contains at least the required tables and fields by selecting the External database option. When you do this, an interface displays, allowing you to define the configuration parameters. Using this configuration interface, select the database you wish to use. Afterwards, select the tables and fields containing the various information pertaining to users and groups. If needed, you can select Read-only mode to prevent account information from being modified by JMap Admin.
Once this configuration has been defined, you can create, modify and delete user accounts directly from JMap Admin.
In JMap Admin, the user manager configuration can be accessed by clicking on Users / Groups in the JMap Server section. Select the User manager tab.
The user manager allows you to define how JMap will manage user accounts and groups. There are two ways to manage this information with JMap:
Using the JMap user account database you create and delete the user accounts directly from JMap Admin;
By connecting to an existing database of user accounts such as a Windows Active Directory system, an LDAP compatible system or a relational database or by connecting to an identity manager using protocols such as SAML2 or Open Id Connect.
Several systems can also be combined to be used simultaneously (e.g. the JMap database and Windows Active Directory). These systems are then used as a single system. When JMap Server connects to an existing database, user account management is simplified because no account or user group needs to be created and managed in JMap.
The following sections describe each available option.
When you connect to a user or identity manager that is external to JMap (Active Directory, LDAP, OIDC, SAML2 or an external relational database), it is useful to synchronize JMap Server with that directory for two reasons:
When users or groups are deleted from the database and those deleted users or groups had been given permissions in JMap (e.g. to open a project or view certain layers), the permissions are not deleted from JMap Server permission lists. This can happen because JMap Server is not aware the users or groups have been deleted from the database. When synchronizing, JMap Server removes all existing permissions for deleted users and groups. However, even if you don’t synchronize, there is no security problem because deleted users will fail at login.
When the contents of user groups are modified (members added or removed), so that JMap Server can reload the lists of users that belong to the groups. JMap Server keeps the group member lists in memory for performance reasons.
You can automate the synchronization by selecting the option Synchronize automatically every… and specifying a time period.
This type of user management allows you to combine several managers together. You can add as many user managers as necessary. All user managers will function as a single user manager. Refer to the previous sections for information on user manager configuration.
A composite user manager is recommended if your system integrates several managers or if you wish to transition towards a web-based single-sign on system.
You can allow users who already have an account in an identity manager that uses SAML2 to connect to JMap Web and JMap NG applications using that account.
SAML is an open standard that establishes a single sign-on between an identity manager and an application server such as JMap. This site provides details on SAML2.
Configuring a SAML2 user manager is complex. Your organization’s IT department will provide the settings related to SAML2. The following table describes the settings related to JMap.
| SAML2 user manager | |
| --- | --- |
| Friendly name | This name allows you to easily identify the SAML2 user manager in JMap Server and identify the users from this manager. |
| Administrator password | An administrator is automatically created when this manager is used. You must enter the password of this account in this field. |
| Groups | Unlike with Active Directory and LDAP, user accounts from the SAML2 manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap's resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap's resources. When a user connects to a JMap application for the first time, SAML2 assigns the user to one or more of the groups defined in the Groups attribute based on the information in that user's profile. Since the SAML2 user manager is in read-only mode, you cannot create users or groups in JMap's Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from SAML2. There must be an exact match between the names of the groups in SAML2 and the groups you create using this setting. If a user connects to an application for the first time via SAML2 and his/her profile indicates a group that doesn't exist in JMap, the group will be created automatically and will be displayed in the Groups section. |
| Default group | Select the group to which you will assign all users who are not assigned to a group in SAML2 (in the Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose profile in SAML2 doesn't indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project. |
| Button image | This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the SAML2 manager to log in. Press Choose to select the image. The image must have a maximum size of 100 × 100 pixels. |
| Button label | This text appears in the identification button with the image. |
| SSO callback URL | Your IT department will provide this information. |
| Client name | The name given by JMap to the SAML2 user manager. This name integrates and completes the URL of the SAML2 manager. |
| IdP Metadata | Your IT department will provide this information. |
| SP Entity ID | Your IT department will provide this information. |
| Username / ID attribute | Optional setting. Indicates the attribute containing the user name in SAML2. Your IT department will provide this information. |
| Email attribute | Optional setting. Indicates the attribute containing the email address in SAML2. Your IT department will provide this information. |
| First name attribute | Optional setting. Indicates the attribute containing the user's first name in SAML2. Your IT department will provide this information. |
| Last name attribute | Optional setting. Indicates the attribute containing the user's last name in SAML2. Your IT department will provide this information. |
| Groups attribute | Optional setting. Indicates the customizable attribute that allows you to define groups in SAML2 to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting. |
Security management in JMap encompasses several aspects.
Identity management can be handled by JMap Server or assigned to another system, such as Microsoft Active Directory, an LDAP directory, or identity managers with web-based single sign-on (SSO) such as OpenID Connect or SAML. See the Managing Users and Managing User Accounts and Groups sections for more information. JMap also supports single sign-on for JMap Pro users. See the Single Sign-On for JMap Pro section for more information.
Access management, or rather permission management, is applied to all the resources handled by JMap. This includes user access to JMap applications as well as the access permissions of JMap administrators. See the Managing Permissions section for more information.
JMap allows you to easily use the HTTPS protocol for JMap Admin and for the various applications. See section Using HTTPS with JMap for more information.
You can allow users who already have an account in OpenID Connect (OIDC) user managers to connect to JMap Web and JMap NG applications using that account.
For detailed information on this protocol, visit the website.
Configuring an OIDC user manager is complex. Your organization’s IT department will provide the OIDC settings. The following table describes the settings related to JMap.
| OIDC user manager | |
| --- | --- |
| Friendly name | This name allows you to easily identify the OIDC user manager in JMap Server and identify the users from this manager. |
| Administrator password | An administrator is automatically created when this manager is used. You must enter the password of this account in this field. |
| Groups | Unlike with Active Directory and LDAP, user accounts from the OIDC manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap's resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap's resources. When a user connects to a JMap application for the first time, OIDC assigns the user to one or more of the groups defined in the Groups attribute based on the information in that user's profile. Since the OIDC user manager is in read-only mode, you cannot create users or groups in JMap's Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from OIDC. There must be an exact match between the names of the groups in OIDC and the groups you create using this setting. If a user connects to an application for the first time via OIDC and his/her profile indicates a group that doesn't exist in JMap, the group will be created automatically and will be displayed in the Groups section. |
| Default group | Select the group to which you will assign all users who are not assigned to a group in OIDC (in the Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose OIDC profile doesn't indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project. |
| Button image | This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the OIDC manager to log in. Press Choose to select the image. The image must have a maximum size of 100 × 100 pixels. |
| Button label | This text appears in the identification button with the image. |
| SSO callback URL | Your IT department will provide this information. |
| Client name | The name given by JMap to the OIDC user manager. This name integrates and completes the URL of the OIDC manager. |
| Discovery URI | Your IT department will provide this information. |
| Client ID | Your IT department will provide this information. |
| Client secret | Your IT department will provide this information. |
| Scope | Your IT department will provide this information. |
| Response type | Your IT department will provide this information. |
| Response mode | Your IT department will provide this information. |
| Use nonce | Your IT department will provide this information. |
| With state | Your IT department will provide this information. |
| Disable PKCE | Your IT department will provide this information. |
| Username / ID attribute | Optional setting. Indicates the attribute containing the user name in OIDC. Your IT department will provide this information. |
| Email attribute | Optional setting. Indicates the attribute containing the email address in OIDC. Your IT department will provide this information. |
| First name attribute | Optional setting. Indicates the attribute containing the user's first name in OIDC. Your IT department will provide this information. |
| Last name attribute | Optional setting. Indicates the attribute containing the user's last name in OIDC. Your IT department will provide this information. |
| Groups attribute | Optional setting. Indicates the customizable attribute that allows you to define groups in OIDC to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting. |
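The group assignment described for both the SAML2 and the OIDC user managers (groups read from the profile's Groups attribute, exact-name matching, automatic creation of unknown groups, and the Default group fallback) as an added Python example. This is not JMap's own code: the attribute name "groups", the group names and the near-miss check are assumptions made for the illustration.

```python
# Added example, not JMap's own code: the group assignment that the SAML2 and
# OIDC user managers perform when a user logs in for the first time.
from dataclasses import dataclass, field


@dataclass
class SsoGroupConfig:
    """Stand-in for the JMap settings (field names are assumptions)."""
    groups_attr: str                                   # "Groups attribute" setting
    default_group: str                                 # "Default group" setting
    groups: set = field(default_factory=set)           # groups entered under "Groups"
    auto_created: list = field(default_factory=list)   # groups JMap had to create itself


def groups_from_profile(profile: dict, groups_attr: str) -> list:
    """Read the groups attribute/claim; it may arrive as one string or a list."""
    value = profile.get(groups_attr)
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    return [v.strip() for v in value if isinstance(v, str) and v.strip()]


def assign_groups(cfg: SsoGroupConfig, profile: dict) -> list:
    """Groups the user ends up in. Matching is exact: a name that differs only by
    case or spelling from a configured group creates a new group with no
    permissions instead of joining the configured one."""
    names = groups_from_profile(profile, cfg.groups_attr)
    if not names:
        return [cfg.default_group]        # profile names no group at all
    assigned = []
    for name in names:
        if name not in cfg.groups:        # unknown group: created automatically
            cfg.groups.add(name)
            cfg.auto_created.append(name)
        if name not in assigned:
            assigned.append(name)
    return assigned


def near_misses(cfg: SsoGroupConfig, profile: dict) -> list:
    """Administrator's check, to run before assign_groups: profile groups that
    do not match a configured group exactly but would if case were ignored,
    which usually means a typo in the Groups setting rather than a new group."""
    by_fold = {g.casefold(): g for g in cfg.groups}
    result = []
    for name in groups_from_profile(profile, cfg.groups_attr):
        if name not in cfg.groups and name.casefold() in by_fold:
            result.append((name, by_fold[name.casefold()]))
    return result


if __name__ == "__main__":
    # Constructed sample: two groups created in JMap Admin, "Guests" as default.
    cfg = SsoGroupConfig("groups", "Guests", groups={"Editors", "Viewers"})
    print(near_misses(cfg, {"groups": ["viewers"]}))            # [('viewers', 'Viewers')]
    print(assign_groups(cfg, {"groups": ["Editors", "planners"]}))  # ['Editors', 'planners']
    print(cfg.auto_created)                                     # ['planners']
    print(assign_groups(cfg, {}))                               # ['Guests']
```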
You can connect to Windows Active Directory (in read-only mode).
In order for the Active Directory user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ad=com.kheops.jmap.server.security.ActiveDirectoryUserManager
We recommend you use the Composite user manager instead of simply using the Active Directory user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of Active Directory.
In the User manager section, select the Composite user manager and add the Active Directory user manager. A new interface opens, allowing you to enter the settings to configure the connection to the Active Directory server.
| Active Directory | |
| --- | --- |
| Friendly name | Name used to easily identify the Active Directory user manager. |
| Server address | Address of the Windows domain controller server configured with Active Directory. You can add several Active Directory servers by separating them with a space. Example: ldap://host1 ldap://host2, where host1 and host2 are the URLs of the Active Directory servers. Active Directory is based on LDAP. |
| DN | Unique identifier (Distinguished Name) pointing at the root of the directory. Composed of a list of DC (Domain Component) entries. Example: dc=k2,dc=com |
| Domain | Name of the Windows domain. Example: k2.com |
| User / SPN | User name that JMap Server will use to connect to the Active Directory. It is recommended to create a user especially for JMap. Its password should never expire. If you wish to use single sign-on, you will have to create an SPN (Service Principal Name) associated with this user. See Single Sign-On for more details. |
| Password | Password of the user JMap Server will use to connect to the Active Directory. |
| Admin. password | A user named administrator must always exist in JMap. If no administrator user exists in the Active Directory, JMap will simulate one. In such a case, provide the password associated with this user. If the user administrator does exist in the Active Directory and a password is entered, this password will simply be ignored. |
| Enable single sign-on | Enables the single sign-on option. See Single Sign-On for more details. |
| Default / Custom LDAP configuration | Active Directory is based on LDAP. This option allows for the use of the LDAP parameters that are most commonly used for Active Directory. However, if those parameters don't match the ones in use, it is possible to specify custom values. The settings are described in the following section, JMap LDAP user manager. |
| Max page size | Active Directory limits the transaction size to a maximum number of records at a time (page size). The value of this parameter must not be greater than the maximum size authorized by Active Directory (1000 is the default value in Active Directory). If the size is too small, this can reduce performance. A size greater than the authorized limit will cause missing data in the user list. |
The HTTPS protocol allows you to use JMap in a more secure way by encrypting all communication between JMap applications, JMap Admin, and JMap Server.
In order to use HTTPS with JMap Admin, you must install a security certificate in JMap Server. A security certificate is required for data encryption.
During the JMap installation process, an option is available to create and automatically install a temporary security certificate. This type of certificate ensures communication will be well secured, but it will cause warning messages to display in web browsers because it is not issued by a recognized security organization (CA or Certificate Authority).
You can also install a security certificate issued specifically for your organization, if you have one. For detailed steps on how to install a certificate, read the following article: https://k2geospatial.atlassian.net/wiki/x/EQAtAQ.
Once the security certificate has been installed in JMap Server, you can launch JMap Admin with a URL similar to the following:
https://myserverjmap (assuming the default port 443 is used)
At any time, if you wish to force the use of the HTTPS protocol for JMap Admin, you can enable automatic redirection. For more information, refer to the JMap Server Settings section.
When you deploy JMap Pro or Web applications with JMap Admin, you can indicate which protocol (HTTP or HTTPS) will be used for communication between the application and JMap Server. If the deployment type is local (app hosted on JMap Server), the HTTPS protocol is available only if a security certificate is installed on the JMap Server. It is the same certificate as that which is used for JMap Admin (read above). If the deployment type is external (app hosted on another Web server), the 2 protocols are always offered.
For JMap Pro, the HTTP and HTTPS protocols are used only if the Proxy connection option is selected during deployment.
You can connect to any LDAP compliant directory (in read-only mode). Unix, Linux and Windows systems offer many LDAP compliant directories.
In order for the JMap LDAP user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ldap=com.kheops.jmap.server.security.LDAPUserManager
We recommend you use the Composite user manager instead of simply using the LDAP user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of LDAP.
In the User manager section, select the Composite user manager and add the JMap LDAP user manager. A new interface opens, allowing you to enter the settings to configure the connection to the LDAP server.
For more information on the LDAP protocol, refer to http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
| JMap LDAP user manager | |
| --- | --- |
| Friendly name | Name used to easily identify the LDAP user manager. |
| Server URL | LDAP server address. You can add several LDAP servers by separating the addresses with a space. Example: ldap://host1 ldap://host2, where host1 and host2 are the URLs of the LDAP servers. |
| DN | Unique identifier (Distinguished Name) used to define the root of the directory. Includes a list of Domain Component entries. Example: dc=k2geospatial,dc=com |
| User | User name that will be used by JMap Server to connect to the LDAP directory. It is recommended to have a user created specifically for JMap purposes. This user's password should never expire. The user name must be accompanied by the domain the user belongs to. Example: cn=admin,dc=k2geospatial,dc=com |
| Password | The user password that JMap Server will use to connect to the LDAP directory. |
| Admin. password | A user named administrator must always exist in JMap. If there is no administrator user in the LDAP directory, JMap will simulate one. In this case, you must provide the password associated with this user. If the administrator user exists in the LDAP directory and a password is entered, it will be ignored. |
| Use prefix and suffix | Select this option if the LDAP server uses a prefix and a suffix for user authentication. |
| Authentication prefix | Some LDAP servers require a prefix to be concatenated with the user name in order to proceed with authentication. Example: prefix a_domain\ and user a_user give a_domain\a_user. |
| Authentication suffix | Some LDAP servers require a suffix to be concatenated with the user name to proceed with authentication. Example: suffix @a_domain and user a_user give a_user@a_domain. |
| User class | This setting and the ones that follow depend on the internal structure of the LDAP server, i.e. the way the users are organized into groups. This information is used to identify the LDAP users and groups, and you must enter the values in use on the LDAP server you connect to. User class is the name of the LDAP object class used to identify a user in the LDAP directory. |
| Group class | Name of the LDAP object class used to identify a group in the LDAP directory. |
| User filter | Search filter used to extract users from the LDAP directory. This filter must be formatted according to the standard LDAP syntax. |
| Group filter | Search filter used to extract groups from the LDAP directory. This filter must be formatted according to the standard LDAP syntax. |
| User attribute | The attribute of an LDAP user that defines this user's identity. |
| Group attribute | The attribute of an LDAP group that defines this group's identity. |
| Member attribute | The attribute of an LDAP group that defines which users are members of this group. |
| Full name attribute | The attribute of an LDAP user that defines this user's full name. |
| Email attribute | The attribute of an LDAP user that defines this user's email address. |
| Max page size | In LDAP directories, the size of transactions is limited to a maximum number of records at a time (the page size). The value of this parameter must not exceed the maximum size permitted by the directory (1000 is the default value in LDAP directories). If the size is too small, this could affect performance. If the size is larger than the authorized limit, data will be missing in the user list. |
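An added example (not JMap's code) of building values for the User filter and Group filter settings in standard LDAP filter syntax with RFC 4515 escaping, so that a user name containing *, ( or ) cannot alter the structure of the filter, plus a balance check for a filter typed into JMap Admin. The class and attribute names (user, sAMAccountName, group, member) are assumed typical Active Directory values, not settings taken from this page.

```python
# Added example, not JMap's own code: LDAP search filters in standard syntax
# (RFC 4515), with the characters that have a meaning inside a filter escaped.

_RFC4515_ESCAPES = {
    "\\": r"\5c",   # backslash
    "*": r"\2a",    # wildcard
    "(": r"\28",    # opens a sub-filter
    ")": r"\29",    # closes a sub-filter
    "\0": r"\00",   # NUL
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str, user_class: str = "user",
                user_attr: str = "sAMAccountName") -> str:
    """Filter selecting one user entry. The defaults are the usual Active
    Directory class and attribute names (an assumption for this example)."""
    return (f"(&(objectClass={escape_filter_value(user_class)})"
            f"({user_attr}={escape_filter_value(username)}))")


def group_filter(member_dn: str, group_class: str = "group",
                 member_attr: str = "member") -> str:
    """Filter selecting the groups whose member attribute lists a user DN."""
    return (f"(&(objectClass={escape_filter_value(group_class)})"
            f"({member_attr}={escape_filter_value(member_dn)}))")


def filter_is_balanced(expr: str) -> bool:
    """Sanity check for a filter entered in JMap Admin: it must be wrapped in
    parentheses that balance, and escaped characters must not count."""
    depth = 0
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\":
            i += 3          # skip the backslash and its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:   # a close before its open
                return False
        i += 1
    return depth == 0 and expr.startswith("(") and expr.endswith(")")


if __name__ == "__main__":
    # Constructed sample values; the DN follows the page's dc=k2,dc=com example.
    print(user_filter("jsmith"))
    print(user_filter("j.smith (ext)*"))      # special characters are escaped
    print(group_filter("cn=jsmith,dc=k2,dc=com"))
    print(filter_is_balanced("(&(objectClass=user)(sAMAccountName=jsmith)"))  # False
```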
Single sign-on provides a secure way for users to access JMap Pro applications without entering their credentials again: the authentication of the Windows session is used to open the JMap session automatically.
Single sign-on is only available for Windows environments using Active Directory. A special configuration is required on the Windows server and on each computer where single sign-on is wanted.
The Enable single sign-on option must also be selected when deploying a JMap Pro application.
For more details on single sign-on configuration, refer to this article.
In JMap, user accounts and groups are used for access control and collaboration purposes. You can manage users and groups in JMap Admin by clicking on Users / Groups from the JMap Server section.
This section presents three tabs: Users, Groups and User Manager.
Two special users and two special groups always exist in JMap: administrator, anonymous, everyone, and authenticated users.
You can create a new user or group by pressing Create from the Users / Groups section. This will bring you to the new user or group configuration section.
You can only create users and groups if you are using the JMap account database or an external database that is not in read-only mode.
You can modify an existing user or group by clicking on its name in the list.
Once a user is created, its user name cannot be modified.
You can delete a user or group by selecting it in the list and pressing Delete.
To add users to a group, press the add button; a list of available users will be displayed. Select the users to add to the group and press Add.
To remove users from a group, select the users to remove and press the remove button.
Administrator
The administrator user allows you to access JMap Admin following a new installation (this user has administration rights in JMap). This user’s password field is left blank, therefore, it is highly recommended to add a password as soon as possible. Read below for more information. The administrator user always exists in JMap and cannot be deleted.
Anonymous
The anonymous user allows users who are not authenticated to access certain resources. It can be used to configure access to a project without authentication, for instance. The anonymous user always exists in JMap and cannot be deleted. In addition, this user’s password (blank) cannot be modified.
Everyone
The everyone group is used to give all users access to a resource, provided they are authenticated. The everyone group is not displayed in the list of JMap groups. It is only visible in interfaces that allow you to define permissions, where applicable.
Authenticated users
The authenticated users group is used to allow all users except anonymous to access a resource. Authentication is required for this group.
Users
User name
Enter a unique user name (login name) for the new user. You will not be able to save it if the name already exists.
Password
Enter a password for the new user. The password field can be empty but this is not recommended. Passwords are encrypted. Users of JMap Web applications can change their password from the application. This is only possible if the user accounts are managed with JMap DB user manager.
Confirm password
Enter the password a second time to confirm.
Full name
Enter the full name (first name and last name) for the new user. This is optional.
Email
Enter the email address of the new user. It is used when sending maps to the user. This is optional.
Hidden
Select this option if you want the new user to be hidden from user directories.
Groups
Group name
Enter a unique group name for the new group. You will not be able to save it if the name already exists.
Permissions in JMap are divided into two families: permissions for the users of applications (Pro, Web, NG and Survey) and permissions for the administrators (JMap Admin).
User permissions determine what the users can do inside JMap Pro, JMap Web, and JMap Survey applications.
The following table presents the different permission groups that are available for the users.
Administrator permissions determine what JMap administrators are authorized to do in JMap Admin. Some permissions are global (permissions to do some tasks) while other permissions apply to specific resources.
Several of the global permissions are configured in the Permissions subsection of the JMap Server section. The following table describes the global administration permissions:
Administration permissions that are specific to resources determine what an administrator can do with each resource. The following table describes those permissions:
Most resources managed in JMap Admin have one or more owners. Owners of a resource are the only ones that are allowed to:
manage administration permissions for the resource;
manage the list of owners for the resource;
delete the resource.
Super administrators are special accounts that can do everything in JMap Admin. They are the only ones who are allowed to:
manage the list of super administrators;
manage global administration permissions;
manage users and groups;
modify JMap Server’s working parameters;
display the log files;
import and export configurations.
You can manage the list of super administrators from subsection Permissions in section JMap Server. Select the Super administrators tab.
The following table presents administration tasks with examples, and indicates which profile or permission is required to perform each task.
Permission reports allow you to view all the permissions that a user or a group has in a single report. A permission report is a convenient way to get the information without checking every resource. The reports are accessible from the Users and Groups tabs in the Users / Groups section, by clicking on the permission report button.
Permissions on projects
See section Project Permissions for more information.
Permissions on layers
See section Layer Permissions for more information.
Permissions on personal layers
Create personal layers
This permission gives a user the right to create personal layers in JMap Pro applications. By default, JMap users are not allowed to create personal layers. You can configure this permission in subsection Permissions of the JMap Server section.
Permissions on forms
See section Database Forms for more information.
Access JMap Admin
This permission is required for an administrator to access JMap Admin.
After the installation of JMap, only the administrator user has this permission.
Note that the password is initially left empty for this user. It is strongly recommended to enter a password for the administrator user. See section Users and Groups for more information on modifying passwords. Also make sure to leave at least one user with this permission and with a known password. Otherwise, it will be impossible to access JMap Admin.
Create database
This permission is required for an administrator to create new databases in JMap Admin.
Create remote connection
This permission is required for an administrator to create new connections to remote JMap Server instances in JMap Admin.
Create deployment
This permission is required for an administrator to create new application deployments in JMap Admin.
Create metadata templates
This permission is required for an administrator to create new metadata templates in JMap Admin.
Create style templates
This permission is required for an administrator to create new style templates in JMap Admin.
Create project
This permission is required for an administrator to create new projects in JMap Admin.
Create data source
This permission is required for an administrator to create new spatial data sources in JMap Admin.
Access …
The administrator can view the detailed information of a resource and use the resource, but cannot modify it. Example: to use a spatial data source in order to create a layer, the administrator must at least have the Access permission on the data source.
Administrate …
Allows the administrator to modify the resource and manage the user permissions for the resource. Does not allow the administrator to delete the resource or manage its administration permissions. Example: to add a layer in a project, the administrator must have the Administrate permission for the project.
Use SQL console
(Applies only to databases) Allows the administrator to use the SQL console on the database. The SQL console is used to show the database structure and to execute SQL queries on the database.
Remote access
Allows the administrator to access the resource from another instance of JMap Server. This permission is generally granted to a generic account used to open communication sessions between different instances of JMap Server. For more information, see sections Sharing Layers and Sharing Spatial Data Sources.
| Tasks | Super Administrator | Administrator |
| --- | --- | --- |
| Access JMap Admin | YES | If permission Access JMap Admin |
| Manage the list of Super administrators | YES | NO |
| Manage global administration permissions (e.g. give an administrator permission to create projects; remove an administrator's permission to create spatial data sources; give an administrator permission to create metadata templates for layers) | YES | NO |
| Perform management tasks for JMap Server (e.g. modify JMap Server's working parameters such as ports and memory; manage users and groups; import and export JMap Server configurations; view log files or modify their settings) | YES | NO (can change user account password) |
| Create a resource (e.g. create a project; create a database; create an application deployment) | YES | If permission Create … |
| Use a resource (e.g. use a database to create a spatial data source; use a data source to create a layer; use a connection to JMap Server to create a layer by reference) | YES | If permission Access … |
| View detailed information about a resource (e.g. click on a database and view all of its parameters; click on a project to view all of its parameters) | YES | If permission Access … |
| Modify a resource (e.g. change the name of a project; add a layer in a project; modify the connection parameters for a database; modify the projection of a spatial data source) | YES | If permission Administrate … |
| Delete a resource (e.g. delete a project; delete an application deployment; delete a style template) | YES | If owner of the resource |
| Manage user permissions of a resource (e.g. give a user permission to open a project; give a user permission to edit the elements of a project layer; remove a user's permission to copy the data of a project layer) | YES | If permission Administrate |
| Manage the administrator permissions of a resource (e.g. give an administrator permission to use a spatial data source; give an administrator permission to modify a project; remove an administrator's permission to modify a database) | YES | If owner of the resource |
| Manage the list of owners of a resource | YES | If owner of the resource |