Geocortex Access Controls allows you to easily understand and control who has access to layers, fields, and features.
One of the ways this is configured is by using JavaScript to create your own business rules when you’re assigning permissions.
There are a few different ways to assign permissions. For simple cases, you can use attribute filter rules assigned to a given user. If you're faced with a more complicated scenario, you can either implement that business layer entirely in JavaScript, or you can send web requests to some other system that will do it for you.
Watch how this looks in the Geocortex Tech Tip below.
Video Transcript
“Hi, my name is Ryan, I’m going to show how you can use JavaScript to create your own business rules when you’re assigning permissions in Geocortex Access Control. Let’s have a look!
Today, I’ve got a bunch of point data for the State of Ohio. We can see each of these points has a county attribute, a couple of different counties here.
The business problem that I’d like to solve is that I would like a user from an individual county to only see the data for their county.
So, if I belong to Putnam County, I should only see the data in Putnam County here.
All right, so Access Control provides a really simple and easy way to do this, you select the service that you’re interested in, select the layer and define an attribute filter.
So, we can create a new attribute filter and assign it to either a user or group.
I’m just going to assign it to myself. This is the Geocortex demo account and I need to provide an attribute filter definition expression where clause.
In this case it would be “county equals” and I’m just going to put myself in Putnam County.
So that’s defining the attribute filter. If I hit save, and refresh the application, there we go. I’m only seeing data in Putnam County.
So, it’s great, it’s easy and if I had a few other users in group to apply this to, no problem, I just follow that same pattern.
Now, what happens if there’s thousands of users? I don’t want to define thousands of these filters that would be pretty ridiculous. Usually the next stage would be we should be looking at using groups in the system.
If your organization already has properly organized groups or not properly, but relevant groups to the business problem that would be great. We could assign flip this over to User and I might select the Putnam County group and then just do the exact same thing as I’ve done here, that would be great.
There’s a couple problems with that one, there might be a lot of these things; Ohio’s got 88 counties – I don’t really want to define 88 of these, but that would work. Sometimes the groups that might exist in your ArcGIS Enterprise don’t align at all with the business divisions that you might be trying to leverage here.
In that case we need another layer in between that can do that translation to say this user that either belongs either the username or they belong to a particular ArcGIS group well that’s really this business level group and that business level group has a where clause that should go with it.
So, this is where the power of advanced permissions comes in, so rather than doing one of these, I’m just going to eliminate that one and we’re going to go over to the advanced tab here.
So, when I create an advanced permission – it’s very similar, I can assign this permission to whoever I like.
This time rather than doing an individual one for a user or group, I can assign one for everybody and we’re going to have this one advanced permission take care of everything.
All right, so in here, we get to edit an expression and now we’re going to write some JavaScript.
So, don’t worry if you’re not too familiar with JavaScript we’re not going to write that much, but what we’re going to do is we’re going to write a short little script and this script is going to define a lookup for a given user. So, this script has access to the User in fact if I just start typing user that there is a user object here. We can use this user, we’ve got access to some things about that user we can get their name.
So given a username, let’s go and look up the county name that’s interesting for us.
What I’m going to do is I’m going to create an object called “lookup”.
So, it’s just a plain old object and it’s going to be the keys of this object will be the usernames and the values of this object will be the county they belong to. If “Geocortexdemo” is my username and the value or the county I’m going to put that in “PUTNAM”, and let’s do another one of these for a different user and we’ll put them in a different county; “ALLEN” County is right below Putnam County.
So, that’s my lookup, this represents my business mapping of users to counties that doesn’t exist in any ArcGIS groups.
Now, I need to use that lookup to fetch a county and the way to do that is just to take that username and use it in the lookup.
So, we can take the username, use it to go and find the right key. Now is this username going to be uppercase lowercase? I’m not sure. Let’s just lowercase that to be safe.
All right, so now we have a county – or maybe we have a county – we’ve got a county if the user is one of these two users.
So if we have a county, now we can assign our where clause and the way to do that is to set an attribute filter and here we’re going to set the same sort of thing ‘county = ‘{county}’ to and I’m just going to use these template strings where I can inject the county.
So, we look up the county value, if it exists, we’re going to set an attribute filter that’s county is equal to the quoted county name.
If there wasn’t a county, we should handle the other case and we’ll just do the exact same thing we’ll set an attribute filter except rather than doing a real lookup, let’s just do your standard query to return nothing. So, if you couldn’t find you, you’re getting nothing if we could find you, you’re going to get exactly what your county offers. So hit ‘OK’, hit save, cross your fingers and refresh.
If I’ve done it right, we should see the exact same thing because I’m still in Putnam County, but to see that it’s actually working, let’s go over to this incognito tab where I’m signed in as the John Doe user. Previously, I could see everything, now I just get the Allen County values.
Okay, so what’s great about this is we’ve been able to use JavaScript to define our business logic that where there’s none of this exists in our ArcGIS groups.
So, rather than creating tons of groups or maybe your business logic just can’t be represented as simple groups, we now have a way to do that.
To complete this example, what we’ll be doing is filling in the list of these are all the users and the counties that they map to, you can get more sophisticated than this simple lookup, but that’s kind of up to you.
Another strategy could be you’ve actually got another system, another business system that can do this sort of look up for you.
Now I’ve created one here it’s a little web service. If I send it a username it returns the county and I’ll try this, John Doe. So, I get different values back, it’s actually a different county this time, but I could use this web service from my JavaScript.
All right, I’m just going to paste that one in rather than writing out the whole thing, but what we would do is this and I’ll walk through how it works.
So, we are going to run, so we’re just there’s a utility method to help us do asynchronous work.
We’ll make a web request that’s going to be asynchronous, we are going to use the fetch API, so it’s built in. We’re going to tell it the URL of our web service by passing the username as a parameter and we see we’re just going to encode it just to be safe.
So that username gets sent to this web service, so it’ll be issuing a request like this, it should be a JSON response that comes back.
So, assuming it was a successful response, we’ll go and get the JSON from that we will dig the county value out of that JSON.
You see there’s the county key that we’re after there. If the county exists, we’re going to set an attribute filter (this is identical to what we did before). At that point, we’re done we can just return and everything else falls through.
So, if we didn’t end up with a successful request or finding the right county, we’re going to set that “1=0” fallback, no data for you response, and I’m going to save that, refresh this one.
This should look the same again, as it does, and if I refresh this one, it should actually flip counties because it’s not Allen County, it’s Hancock County. Now there it is!
It’s a fast demo of these advanced permissions, so we can see that we are able to filter data, this is spatial data, we’re filtering by attribute though, so we can filter data to users that belong to a given county, so they can only see their data.
There are simple ways to do it where you’ve just got a simple attribute filter rule where you’re assigning a given user, but if you’ve got a more complicated scenario than that, where you need this sort of intermediate business layer, you can either do that business layer all in JavaScript or you can issue web requests to some other system that’s doing that for you and then you’re assigning these. So, we can get away with one permission that we’re defining that could now serve thousands of user groups, it keeps it really simple.
I hope this has been informative and I hope this is something that you could leverage to create your own business rules and start defining your own permissions!”
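The two strategies from the transcript (in-script lookup and web-service lookup), as an added example in plain JavaScript that is not the code shown in the video and makes no Geocortex API calls. It adds one check the transcript does not show: the county is matched against an allow-list before it is placed in the where clause, so an unexpected value yields the `1=0` fallback. All function names, the `johndoe` and `mallory` usernames, the service URL, and the stub responses are constructed for illustration.

```javascript
// Constructed allow-list of county names (Ohio has 88; three shown here).
const COUNTIES = new Set(["PUTNAM", "ALLEN", "HANCOCK"]);
const DENY_ALL = "1=0"; // fallback from the transcript: matches no rows

// Constructed business mapping; keys are lower-cased usernames.
// A Map avoids inherited keys such as "constructor" on a plain object.
const lookup = new Map([
  ["geocortexdemo", "PUTNAM"],
  ["johndoe", "ALLEN"],
]);

// Build the where clause only from a value that is on the allow-list.
function whereForCounty(county) {
  if (typeof county !== "string") return DENY_ALL;
  const name = county.trim().toUpperCase();
  return COUNTIES.has(name) ? `county = '${name}'` : DENY_ALL;
}

// Strategy 1: in-script lookup keyed by lower-cased username.
function whereFromLookup(username) {
  if (typeof username !== "string") return DENY_ALL;
  return whereForCounty(lookup.get(username.toLowerCase()));
}

// Strategy 2: ask a web service. fetchImpl is injected so this runs offline.
async function whereFromService(username, baseUrl, fetchImpl) {
  try {
    const url = `${baseUrl}?username=${encodeURIComponent(username)}`;
    const res = await fetchImpl(url);
    if (!res.ok) return DENY_ALL;
    const body = await res.json();
    return whereForCounty(body && body.county);
  } catch (err) {
    return DENY_ALL; // network error or malformed JSON: fail closed
  }
}

// Constructed stand-in for the county web service (hypothetical responses).
const serviceTable = new Map([
  ["johndoe", "HANCOCK"],
  ["mallory", "X' OR '1'='1"], // a value the service should never return
]);
const fakeFetch = async (url) => {
  const user = new URL(url).searchParams.get("username");
  const county = serviceTable.get(user);
  return { ok: county !== undefined, json: async () => ({ county }) };
};
```

In a real rule, the string returned by either function is what would be handed to the attribute filter; every path that cannot produce a known county ends in `1=0`.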