Access Control in MapServer
Daniel Morissette
dmorissette at MAPGEARS.COM
Wed Jan 17 15:23:17 EST 2007
We are working on a proposal that, if it is accepted, would lead to the
addition of access control in MapServer. More specifically, we need to
provide the ability for MapServer to control which data layers, shapes
or attributes can be accessed by a given authenticated user. This would
be mostly useful when accessing data through OGC interfaces (WMS, WFS,
WCS and SOS), but if possible we should look at how this can also apply
in the regular CGI mode.
Here are some examples of access control rules that might become
available through this for a given authenticated user:
1- Layer-level restrictions:
   - GetCapabilities and other OGC Web Service (OWS) operations would
     filter the list of available layers based on the privileges of
     the authenticated user.
2- BBOX-based restrictions:
   - Restrict users to a bbox which is a subset of the extents of a
     whole map or of given layers
3- Geometry-based restrictions:
   - Restrict users to access features that intersect with a given
     polygon
4- Shape-level restrictions:
   - Restrict users to shapes that match a given attribute expression
5- Attribute restrictions:
   - Restrict the list of attribute fields that a given user can see
     in a given layer
We could also imagine other rules based on scale, etc. The complete list
of rules that would be supported remains to be determined in light of the
use cases that will be provided by the partners of the project.
For this we are considering the integration of DACS
(http://dacs.dss.ca/what_is_dacs.html) in MapServer since this is what
is used already by some of the partners in the project. DACS would be
used to define rules that would be evaluated as MapServer is executing a
request. However, if possible we would like to set up a generic access
layer on top of DACS so that other access control systems can also be
integrated in the future.
I am writing to ask the opinion of other PSC members on this, and
perhaps get a motion of support for this feature from the PSC if there
is enough interest. I realize that we cannot get a final commitment to
integrate the feature in MapServer at this point, but at least we would
like to know whether the PSC would be supportive of the idea... and then
getting a formal motion of support could help our proposal.
Also, if you or your organization has deployed OGC services with
MapServer and has a need for this kind of access control then we might be
interested in hearing from you, possibly even to include your group as a
partner in the proposal to define the use-cases that need to be
supported, help with testing, etc. Of course financial support from
interested parties would also be welcome since this is not a fully
funded proposal.
Looking forward to your feedback...
Daniel
--
Daniel Morissette
http://www.mapgears.com/