<div dir="ltr"><div><br></div><div>Glad to hear that it worked! <br></div><div><br></div><div>If you feel like the documentation should include an example, feel free to add some more content to the <a href="https://docs.qgis.org/testing/en/docs/user_manual/auth_system/auth_workflows.html">https://docs.qgis.org/testing/en/docs/user_manual/auth_system/auth_workflows.html</a></div><div><br></div><div>There is also a section on organizations that might be relevant for this kind of information.</div><div><a href="https://docs.qgis.org/testing/en/docs/user_manual/introduction/qgis_configuration.html#deploying-qgis-within-an-organization">https://docs.qgis.org/testing/en/docs/user_manual/introduction/qgis_configuration.html#deploying-qgis-within-an-organization</a><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 1, 2020 at 5:29 PM Cliff Patterson <<a href="mailto:cpatterson@psdrcs.com">cpatterson@psdrcs.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Tested this solution and it works perfectly. When using the same ID in the authentication settings, the projects saved to the DB do not retain the creator's per-layer permissions. <div><br></div><div>Thanks for the help! </div><div><br></div><div>Cliff</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 1, 2020 at 11:19 AM Cliff Patterson <<a href="mailto:cpatterson@psdrcs.com" target="_blank">cpatterson@psdrcs.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Karl and Alessandro,<div><br></div><div>This is helpful but DEFINITELY not intuitive. I will test this configuration and report back. 
</div><div><br></div><div>Cheers,</div><div>Cliff</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 1, 2020 at 9:51 AM Karl Magnus Jönsson <<a href="mailto:Karl-Magnus.Jonsson@kristianstad.se" target="_blank">Karl-Magnus.Jonsson@kristianstad.se</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="SV">
<div>
<p class="MsoNormal"><a name="m_7291774620206724704_m_1659471629441315938_m_8831101397474556384_T_Default_Reply"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" lang="EN-GB">Hi!<u></u><u></u></span></a></p>
<p class="MsoNormal"><span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" lang="EN-GB">Alessandro, you were quicker! :-)</span></span></p>
<p class="MsoNormal"><span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" lang="EN-GB"><u></u> <u></u></span></span></p>
<p class="MsoNormal"><span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" lang="EN-GB">If I understand correctly, the actual credentials aren’t stored in the project.
Just the auth config ID. If the user doesn’t have this in his local authentication database, or has it with other credentials (read), the project will not open with admin credentials.<u></u><u></u></span></span></p>
<p class="MsoNormal"><span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" lang="EN-GB"><u></u> <u></u></span></span></p>
<p class="MsoNormal"><span><b><span style="font-size:10pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Karl-Magnus Jönsson</span></b></span><span></span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif"> Qgis-user <<a href="mailto:qgis-user-bounces@lists.osgeo.org" target="_blank">qgis-user-bounces@lists.osgeo.org</a>>
<b>On behalf of </b>Cliff Patterson<br>
<b>Sent:</b> 1 June 2020 15:36<br>
<b>To:</b> Alessandro Pasotti <<a href="mailto:apasotti@gmail.com" target="_blank">apasotti@gmail.com</a>><br>
<b>Cc:</b> qgis-user <<a href="mailto:qgis-user@lists.osgeo.org" target="_blank">qgis-user@lists.osgeo.org</a>><br>
<b>Subject:</b> Re: [Qgis-user] Save projects to DB without creator's permissions<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">That's exactly the problem with the auth system. If you connect to a DB using the auth system and store a map in the DB (or anywhere for that matter), the map contains your credentials/permissions for EVERY layer that you added. So if you
create a map while logged in as DB owner (i.e. full perms for every layer), any user who opens it will have full permissions on every layer in the map. The only workaround for this is to remember to use basic auth and uncheck "store" beside password whenever
creating a shared project. <u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Any other less vulnerable workarounds would be very helpful, though I doubt any exist. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Cliff<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <<a href="mailto:apasotti@gmail.com" target="_blank">apasotti@gmail.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">Maybe all that you need is in the QGIS auth system: <a href="https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id" target="_blank">https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id</a><u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The master password can be stored in the operating system wallet so that the user will not need to type his password.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Regards<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, May 29, 2020, 19:39 Cliff Patterson <<a href="mailto:cpatterson@psdrcs.com" target="_blank">cpatterson@psdrcs.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">PS: I realize I can create maps with basic auth and not store the PW, which prompts the user to enter their creds. But is there a better way now to achieve the same result? <u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Cliff<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <<a href="mailto:cpatterson@psdrcs.com" target="_blank">cpatterson@psdrcs.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">What is the best approach to save QGIS projects to PostgreSQL without saving the project-creator's credentials/permissions? If the DB admin creates a project and saves it to the DB, anyone opening that project will attain the admin's permissions
on layers in that map. <u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">To recreate:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">1) Create a map containing PostGIS layers and save project to DB. All layers should be editable by the admin. Admin is logged into DB with auth config, not basic auth. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">2) Create a new read-only user and new profile in QGIS and log in to DB.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">3) Open the project and try to edit layers. Read-only user will be able to see and edit all layers just like the DB Admin. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Is there a way to save projects to DB WITHOUT saving any user creds/permissions? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Cliff<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<div>
<div>
<div>
<p style="margin-bottom:0.0001pt">Cliff Patterson Ph.D.<br>
<br>
<b>PSD</b> | Senior GIS Consultant <br>
P: 519-690-2565 ext. 2616<br>
<a href="http://www.psdrcs.com" target="_blank">www.psdrcs.com</a><br>
London | 148 Fullarton St. 9th Floor <u></u><u></u></p>
<p style="margin-bottom:0.0001pt"><span style="font-size:9pt;font-family:Verdana,sans-serif;color:rgb(0,112,192)"><img style="width: 2.0833in; height: 0.5937in;" id="gmail-m_7291774620206724704gmail-m_1659471629441315938gmail-m_8831101397474556384_x0000_i1025" width="200" height="57" border="0"></span><span style="font-size:9.5pt"><u></u><u></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">_______________________________________________<br>
Qgis-user mailing list<br>
<a href="mailto:Qgis-user@lists.osgeo.org" target="_blank">Qgis-user@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-user" target="_blank">
https://lists.osgeo.org/mailman/listinfo/qgis-user</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-user" target="_blank">
https://lists.osgeo.org/mailman/listinfo/qgis-user</a><u></u><u></u></p>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</blockquote></div>
</blockquote></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Alessandro Pasotti</div><div>QCooperative: <a href="https://www.qcooperative.net" target="_blank">www.qcooperative.net</a><br></div>ItOpen: <a href="http://www.itopen.it" target="_blank">www.itopen.it</a></div></div>
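<div>Added example, not part of the original thread and not QGIS project code: a check that reads a project's XML and reports, per layer, whether the PostGIS datasource carries only an auth config ID, a stored password, or a username that will prompt for a password. It assumes the project has been exported as .qgs text with <code>maplayer</code>/<code>datasource</code> elements and key=value connection strings; the sample project, host, user names and the ID <code>pgshare</code> are constructed.</div>

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a .qgs project fragment; every name and value here is
# made up for illustration (assumed layout: <maplayer> with a <datasource> URI).
SAMPLE_QGS = """<qgis>
  <projectlayers>
    <maplayer><layername>parcels</layername>
      <datasource>dbname='gis' host=db.example.org port=5432 authcfg=pgshare sslmode=require table="public"."parcels" (geom)</datasource>
    </maplayer>
    <maplayer><layername>roads</layername>
      <datasource>dbname='gis' host=db.example.org port=5432 user='gisadmin' password='constructed-secret' table="public"."roads" (geom)</datasource>
    </maplayer>
    <maplayer><layername>sewers</layername>
      <datasource>dbname='gis' host=db.example.org port=5432 user='viewer' table="public"."sewers" (geom)</datasource>
    </maplayer>
  </projectlayers>
</qgis>"""

# Matches authcfg=, user= and password= with either a quoted or a bare value.
_KV = re.compile(r"\b(authcfg|user|password)=(?:'((?:[^'\\]|\\.)*)'|(\S+))")

def audit_project(qgs_xml):
    """Return {layer name: finding} describing what each datasource stores."""
    findings = {}
    for layer in ET.fromstring(qgs_xml).iter("maplayer"):
        name = layer.findtext("layername", default="?")
        uri = layer.findtext("datasource", default="")
        keys = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                for m in _KV.finditer(uri)}
        if "password" in keys:
            findings[name] = "embedded-password"   # secret travels with the project
        elif "authcfg" in keys:
            findings[name] = "authcfg:" + keys["authcfg"]  # ID only, no secret
        elif "user" in keys:
            findings[name] = "username-only"       # user is prompted for the password
        else:
            findings[name] = "no-credentials"
    return findings

def required_authcfg_ids(qgs_xml):
    """IDs each user must define in their own auth database, with their own credentials."""
    return {f.split(":", 1)[1] for f in audit_project(qgs_xml).values()
            if f.startswith("authcfg:")}

if __name__ == "__main__":
    for layer, finding in audit_project(SAMPLE_QGS).items():
        print(f"{layer}: {finding}")
```

<div>Layers reported as <code>embedded-password</code> are the ones to fix before sharing a project; layers reported as <code>authcfg:…</code> open with whatever credentials each user has stored locally under that ID.</div>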