2.10 Mapping External User Principals to Built-In Spatial Studio Roles

Spatial Studio supports mapping IDCS and other identity provider principals to the Spatial Studio built-in roles. This enables dynamically granting permissions to users by using custom groups, for instance.

In order to map the principals to Spatial Studio roles, you must add the security settings into the sgtech_config.json configuration file.

The configuration file is located at ~/.sgtech/sgtech_config.json path. You can directly append the security settings into the sgtech_config.json file. However, the best practice is to have the security settings in a separate configuration file and then import this file into the main configuration file.

Perform the following steps to create a configuration file containing the security settings and then import this configuration in sgtech_config.json:

1. Create a new empty JSON configuration file in the ~/.sgtech directory.
   For example:

   ~/.sgtech/sgtech_config.security.json

2. Edit the created file with a file editor of your choice and add the security settings information as shown:

   {
     "security" : {
       "role-assignments" : [
           {
             "role" : "<role_name>",
             "principals" : [
               "<principal_name>"
              ]
           }
       ]
     }
   }

   In the preceding file:

   • role: This refers to one of Spatial Studio built-in roles, specifically SGTech_SystemAdmin or SGTech_TenantAdmin. Note that the role name is case-sensitive.
   • principals: List of all principals’ names that must be mapped to the specified role. For example, ["Power_User_Members", “IT_Support_Team”], which might be IDCS or WebLogic Server groups, or properties designated in jetty-home/security/jetty-realm-mt.properties file in QuickStart.
   • role-assignments: List of the roles mapping. You can specify as many entries as required.
3. Save the sgtech_config.security.json file.
4. Edit the main sgtech_config.json file and add the import configuration as shown:

   {
     "version" : "23.1.0",
     "work_dir" : "",
     ...
     "jobs" : {
       "init_threads_count" : 15
     },
     "imports" : {
       "rolesmapping" : {
         "module" : "sgtech_config.security.json"
       }
     }

   It is important to note that there can be only one imports object in the main sgtech_config.json file. Therefore, if an imports configuration is already existing in the main sgtech_config.json file, then you can add the rolesmapping entry to the imports block as shown:

   {
     "version" : "25.1.0",
     "work_dir" : "",
     ...
     "jobs" : {
       "init_threads_count" : 15
     },
     "imports" : {
       "idcsclient" : {
         "module" : "sgtech_config.idcs.json"
       },
       "rolesmapping" : {
         "module" : "sgtech_config.security.json"  
       }
     }

5. Save the sgtech_config.json file.
   This grants all users from the groups configured for the principals, the respective role that was specified in the role configuration, when logging into Spatial Studio.