Manage users and organisations

Introduction to users

General information about users and organisations

In most situations, a user is associated with an organisation and has exactly one of five default roles within the organisation. The five default roles are cumulative, i.e. a Theme Manager can do everything a Data Manager can do:

  1. User (US): A user who can log in to the system and does not have a specific role in an organisation. Can typically only read public resources.
  2. Data Manager (DM): A user who can log in to the system and is responsible for uploading and maintaining data sets.
  3. Theme Manager (TM): A user who can log in to the system and manage themes, schemas and transformation projects.
  4. Superuser (SU): A user who can log in to the system and is responsible for an organisation.
  5. Administrator (AD): A user who can log in to the system and access all system functionality and resources. The Administrator’s access is not defined through their organisational role.

The structure of organisations is hierarchical. Each organisational structure has a root organisation, such as in this example:

  • State A
    • County A1
      • Municipality A1a
      • Municipality A1b
    • County A2
      • Municipality A2a
      • Municipality A2b
      • Municipality A2c

Usually, a user has exactly one role inside an organisation. The user gets access to resources and functions of the system via privileges defined for the role. Some privileges depend on how the organisation of the logged-in user and the organisation that owns a resource relate to each other in the hierarchy.

Example: You belong to «County A1» with role «Superuser». As a «Superuser», you can see the data sets belonging to your organisation «County A1», and the data sets belonging to any suborganisations associated with your root organisation. You can create new user accounts and suborganisations for your organisation, or for any of its suborganisations. You can create as many levels of suborganisations as you need.

When you create a new user as an administrator, the system enforces association of the user with an organisation and a role.

Switch application language

Click on the «Language» Symbol in the header to display the languages that are installed on the instance you’re using. Pick the language you’d like to work with.

Please note that system errors are usually not translated and may be displayed in English, independent of your language settings.

Configure Roles and Privileges

Roles and Privileges cannot be configured via the application’s web interface. Instead, they can only be edited via a JSON file that is accessible to the system administrator. The settings cannot be changed for public cloud instances. For Private Cloud instances, please request the change you would like to make by contacting support. As a system administrator for an On Premise instance, follow the steps explained below to make changes to roles and privileges.

Resource permissions

Resource permissions are permissions granted on individual resources or on types of resources. To check a resource permission, the resource type name (e.g. ‘User’) is needed, and often also a concrete resource object or ID that can be used for checking the permission conditions.

There are four default resource permissions for each resource type that can be extended with other custom permissions if needed. The four default permissions are:

  • read: Resource may be read and viewed
  • edit: Resource may be edited
  • delete: Resource may be deleted
  • create: Resource of a type may be created

The system manages different resource types, depending on which services are part of it. A resource type is usually managed by a specific service. By convention, resource types start with an uppercase character. The following are the resource types currently available in hale-connect:

  • User: A registered user
  • Organisation: A registered organisation
  • Bucket: A data set consisting of files and metadata
  • Theme: A theme which defines common settings for data sets
  • Schema: A data model which can be referenced from themes
  • TransformationProject: A hale»studio transformation project

Conditions

When a user requests access to a resource or functionality of the system, at least one access condition must be met. The system supports the following condition checks:

  • owner: The user is the owner of the resource (not an organisation)
  • organisation: The resource is owned by the role organisation or is the role organisation itself
  • suborganisations: The resource is owned by a suborganisation or is a suborganisation of the role organisation
  • parentOrg: The resource is owned by a parent organisation or is a parent organisation of the role organisation
  • public: The resource is marked as public
  • shared: The resource is shared with the user (usually read access)
  • collaborator: The user is a collaborator on the resource (usually edit access)

Example roles.json

{
  "anonymous": {
    "resource": {
      "Bucket": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "editMetadata": {
          "requires": "edit"
        }
      },
      "Schema": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        }
      },
      "Theme": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "editMetadata": {
          "requires": "edit"
        }
      },
      "TransformationProject": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "createTask": {
          "requires": "edit"
        },
        "replyToTask": {
          "requires": "read"
        }
      }
    },
    "application": {
      "awsGrantAccess": false
    }
  },
  "user": {
    "extends": "anonymous",
    "label": {
      "en": "Registered user",
      "de": "Standardnutzer"
    },
    "resources": {
      "User": {
        "read": true,
        "edit": ["self"]
      },
      "Organisation": {
        "read": true
      }
    }
  },
  "dataManager": {
    "extends": "user",
    "label": {
      "en": "Data manager",
      "de": "Daten-Manager"
    },
    "resources": {
      "Bucket": {
        "create": ["organisation"],
        "read": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"]
      },
      "Theme": {
        "read": ["organisation", "parentOrg"]
      },
      "Schema": {
        "read": ["organisation", "parentOrg"]
      },
      "TransformationProject": {
        "read": ["organisation", "parentOrg"]
      }
    }
  },
  "themeManager": {
    "extends": "dataManager",
    "label": {
      "en": "Theme manager",
      "de": "Themen-Manager"
    },
    "resources": {
      "Theme": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      },
      "Schema": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      },
      "TransformationProject": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      }
    }
  },
  "orgAdmin": {
    "extends": "themeManager",
    "label": {
      "en": "Superuser",
      "de": "Superanwender"
    },
    "resources": {
      "User": {
        "create": true,
        "delete": ["organisation", "suborganisations"],
        "disable": ["organisation", "suborganisations"],
        "accessDisabled": true,
        "accessNotActivated": true
      },
      "Organisation": {
        "create": ["organisation", "suborganisations"],
        "edit": ["organisation", "suborganisations"],
        "delete": ["organisation", "suborganisations"],
        "assignRole": ["organisation", "suborganisations"]
      },
      "Bucket": {
        "create": ["suborganisations"],
        "read": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "Theme": {
        "create": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "Schema": {
        "create": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "TransformationProject": {
        "create": ["suborganisations"],
        "read": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      }
    },
    "application": {
      "viewSystemInfo": true
    }
  }
}
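
How the `extends` chain and the condition lists above combine into an access decision, as an added example that is not hale»connect's own code. It assumes that a role's condition list is unioned with the lists it inherits, that suborganisations and parentOrg apply across all levels of the tree, and that conditions it cannot evaluate here (owner, public, shared, collaborator, self) deny; the function names and the trimmed ROLES subset are constructed for illustration.

```python
import json

# Constructed subset of the roles.json above (same keys and values, fewer types).
ROLES = json.loads("""{
  "user": {"resources": {"User": {"read": true, "edit": ["self"]}}},
  "dataManager": {"extends": "user", "resources": {
    "Bucket": {"create": ["organisation"], "read": ["organisation"],
               "edit": ["organisation"], "delete": ["organisation"]},
    "Theme": {"read": ["organisation", "parentOrg"]}}},
  "themeManager": {"extends": "dataManager", "resources": {
    "Theme": {"create": ["organisation"], "edit": ["organisation"],
              "delete": ["organisation"], "view": {"requires": "read"}}}},
  "orgAdmin": {"extends": "themeManager", "resources": {
    "Bucket": {"create": ["suborganisations"], "read": ["suborganisations"],
               "edit": ["suborganisations"], "delete": ["suborganisations"]},
    "Theme": {"create": ["suborganisations"], "edit": ["suborganisations"],
              "delete": ["suborganisations"]}}}
}""")

# Organisation tree from the introduction, stored as child -> parent.
PARENT = {
    "County A1": "State A", "County A2": "State A",
    "Municipality A1a": "County A1", "Municipality A1b": "County A1",
    "Municipality A2a": "County A2",
}

def ancestors(org):
    """Yield every organisation above org, nearest parent first."""
    while org in PARENT:
        org = PARENT[org]
        yield org

def effective(role, seen=()):
    """Merge a role's resource permissions with those of every role it extends.
    Assumption: inherited condition lists are unioned, and True always wins."""
    if role in seen:
        raise ValueError(f"cyclic extends chain at {role!r}")
    spec = ROLES[role]
    merged = effective(spec["extends"], seen + (role,)) if "extends" in spec else {}
    for rtype, perms in spec.get("resources", {}).items():
        target = merged.setdefault(rtype, {})
        for perm, rule in perms.items():
            old = target.get(perm)
            if rule is True or old is True:
                target[perm] = True
            elif isinstance(rule, list) and isinstance(old, list):
                target[perm] = sorted(set(old) | set(rule))
            else:
                target[perm] = rule
    return merged

def condition_met(cond, role_org, owner_org):
    """Evaluate the three hierarchy conditions; anything else is denied."""
    if cond == "organisation":
        return owner_org == role_org
    if cond == "suborganisations":
        return role_org in ancestors(owner_org)
    if cond == "parentOrg":
        return owner_org in ancestors(role_org)
    return False  # owner/public/shared/collaborator/self need data not modelled here

def allowed(role, role_org, rtype, perm, owner_org):
    """True if a user with `role` in `role_org` holds `perm` on a resource of
    type `rtype` owned by `owner_org`. Unknown permissions deny."""
    rule = effective(role).get(rtype, {}).get(perm, False)
    if isinstance(rule, dict):  # derived permission, e.g. view requires read
        required = rule.get("requires")
        return required != perm and allowed(role, role_org, rtype, required, owner_org)
    if isinstance(rule, bool):
        return rule
    return any(condition_met(c, role_org, owner_org) for c in rule)
```

Running a proposed roles.json change through a check like this before deployment shows which organisations gain or lose access, for instance that a Superuser of «County A1» reaches data sets of «Municipality A1a» but not those of «County A2».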

Registration

Self-registration

Your system administrator can configure the application so that users can self-register. For private cloud instances, contact support to configure this functionality. On public cloud instances, it is currently not available.

If self-registration is enabled, go to the start page and click «Register». Provide your e-mail and a password, and then proceed. After registration you should receive an activation e-mail to complete the registration via double opt-in. The activation link is valid for 24 hours. This duration is configurable on on-premise and private cloud instances.

All newly registered users have to set a password before their first log-in. The password field has an indicator for password security on the right side; a secure password gets at least three out of four points. To get three points, your password has to have eight or more characters, and needs to contain at least three different classes of characters (small letters, capital letters, numbers, special characters). After setting the password, you can proceed to log in.

Add users

As a system administrator, you can enable self-registration of users. If self-registration is not enabled, administrators and organisation superusers need to create all user accounts.

To create a new user account, follow these steps while logged in as an administrator or organisation superuser:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Pick «Create New User» at the bottom of the user list
  4. Enter a name (we strongly recommend using first and last name)
  5. Enter a username under the portrait
  6. Provide a unique e-mail address (every e-mail address may be associated with only one user account)
  7. Pick an organisation for the new user
  8. Pick a role (Data Manager, Theme Manager or Organisation Superuser)
  9. Optionally add a description, and contact info
  10. All role types can add custom metadata fields. Custom fields enable you to create your own key, value pairs for use in metadata. Click «+Add field» to enter a key, value pair. You can add as many custom fields as you need. Theme Managers and Superusers configuring metadata should come to an agreement with Data Managers on the custom metadata fields that will be implemented. Themes configured to use custom metadata fields in user profiles will access the value from the user profile of the person creating the dataset. The custom fields added to user profiles are available in the Autofill assistant when a Theme Manager or Superuser uses the metadata editor. For more information about using the metadata editor and working with autofill rules, visit the Edit metadata configuration section of our help.
  11. Click «Create»

The person you’ve created the account for now receives an activation e-mail. The account is activated only once the person has clicked the link in the notification and successfully set a password.

Alternatively, you can create a new user account while managing your organisation. Go to settings (gear symbol), go to «Organisations» and click «Create user» under the portrait.

Login and Logout

Logging in works via the «Login» link visible on the top right of the application. Log in with either your e-mail or your user name, and your password. If you’ve forgotten your password, click the link «Forgot your password?». You will then receive a new confirmation e-mail. Click on the link it contains to set a new password. This link is valid for two hours.

To log out, go to your user profile (person icon in the main toolbar) and click on «Logout». When you close the browser or the tab in which the application was running, you are automatically logged out.

You can use the application in multiple tabs or windows, but need to log in separately in each tab or window. This has the advantage that it is possible to use multiple user accounts at the same time.

Edit users

Edit user profile

Every user can edit their own profile. In addition, administrators and organisation superusers can edit some properties of a user account, such as the role and organisation it is associated with. To edit your profile, click on the profile icon in the main toolbar. On the profile page, you have the following options:

  • Change Password: Similar to the process used when confirming a registration, you can change your password here. Please keep in mind that the same rules for safe passwords apply!
  • Change E-Mail address: Every profile needs to have a unique, valid e-mail address.
  • Add Contact Information: These standard contact info fields help other users reach out to you and can be used for the metadata autofill rules.
  • Assign an Organisation: As organisation superuser or administrator, you can change your organisation association and role within the organisation.
  • Add user-defined fields: Such fields are used to save user-defined values for metadata autofill rules. You and your organisation should agree on the keys for these user-defined fields so that they can be used effectively in the autofill rules.

The username cannot be edited.

If you'd like to see a proper portrait picture or avatar, use Gravatar to add a picture of your choice to your e-mail address.

Delete User

When logged in as an Administrator or organisation superuser, follow these steps to delete a user:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Select the user you need to delete from the list
  4. Click on the «Delete» button
  5. Confirm deletion

When you delete a user, the user account is permanently deactivated. The user account is still stored in the database, which means that no user with the same username can be created. Furthermore, all resources that the user created are kept in the system and remain accessible to other members of the organisation.

As an Administrator or organisation superuser, you can delete your own profile! You should only do so if you are entirely sure that is what you want. When the only administrator account is deleted, the system will recreate one with a default password on restart. To restart the system and to receive the default password, please contact support.

Deactivate User

When logged in as an administrator or organisation superuser, follow these steps to deactivate a user:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Select the user you need to deactivate from the list
  4. Click on the «Deactivate» button in the user profile
  5. Confirm deactivation

Deactivated users are still searchable in the Users section in Settings. Click on the «Reactivate» button in the user profile to reactivate a deactivated user.

Users will receive an automated email about the status of their user account if it is deactivated or reactivated.

Manage organisations

Create an organisation

To create a new organisation, follow these steps while logged in as an administrator:

  • Go to settings (gear symbol)
  • Go to «Organisations»
  • Pick «Create New Organisation» at the bottom of the organisation list
  • Enter an organisation name (we recommend a short memorable one)
  • Provide the «name of the legal entity»
  • Optionally, provide a description and contact information
  • Provide a URL to a WMS basemap. As organisation superuser or administrator, you can configure the default basemap for the map view in the view services section of your datasets. When members of your organisation view published services on the platform, the data is displayed using your configured WMS as the basemap. Users have the added ability to upload their own WMS basemap via the map view interface.
  • Custom fields enable you to create your own key, value pairs for use in metadata. Click «+Add field» to enter a key, value pair. You can add as many custom fields as you need. The custom fields that you add to your organisation are available in the Autofill assistant when you use the metadata editor. The Autofill assistant automatically populates your metadata with the information provided in your custom fields. For more information about using the metadata editor and working with autofill rules, visit the Edit metadata configuration section of our help.
  • Click «Create»

To create a new suborganisation, follow these steps while logged in as an administrator or organisation superuser:

  • Go to settings (gear symbol)
  • Go to «Organisations»
  • Select the organisation for which you’d like to create a new suborganisation
  • Click «Create Suborganisation»
  • Enter an organisation name (we recommend a short memorable one)
  • Provide the «name of the legal entity»
  • Optionally, provide a description and contact information
  • Provide a URL to a WMS basemap. As organisation superuser or administrator, you can configure the default basemap for the map view in the view services section of your datasets. When members of your organisation view published services on the platform, the data is displayed using your configured WMS as the basemap. Users have the added ability to upload their own WMS basemap via the map view interface.
  • Custom fields enable you to create your own key, value pairs for use in metadata. Click «+Add field» to enter a key, value pair. You can add as many custom fields as you need. The custom fields that you add to your organisation are available in the Autofill assistant when you use the metadata editor. The Autofill assistant automatically populates your metadata with the information provided in your custom fields. For more information about using the metadata editor and working with autofill rules, visit the Edit metadata configuration section of our help.
  • Click «Create»

Edit and delete organisation profile

Administrators and organisation superusers can edit the organisation profile page. To access the organisation profile page:

  1. Go to settings (gear symbol)
  2. Go to «Organisations»
  3. Select your organisation from the list

Alternatively, you can click on the name of the organisation in your user profile.

On the organisation profile page, there are several configuration options available.

  • Profile picture: Click on the profile picture to upload your organisation’s logo or custom avatar. Accepted file formats include JPEG and PNG.
  • Name of the legal entity: This optional field enables users to provide the name of the legal entity.
  • Description: This optional field enables users to provide a description of their organisation.
  • Add Contact Information: These standard contact info fields help other users reach out to you and can be used for the metadata autofill rules.
  • Map configuration: This field enables users to provide a URL to a WMS basemap. As organisation superuser or administrator, you can configure the default basemap for the map view in the view services section of your datasets. When members of your organisation view published services on the platform, the data is displayed using your configured WMS as the basemap. Users have the added ability to upload their own WMS basemap via the map view interface.
  • Events: Activate the «Subscribed» toggle to receive email notifications about automated workflows. The notifications provide information about the status of online transformations and service publishing every time a workflow is run.
  • Add custom fields: Such fields are used to save user-defined values for metadata autofill rules. You and your organisation should agree on the keys for these user-defined fields so that they can be used effectively in the autofill rules.

Administrators and organisation superusers also have the option to create suborganisations, create users, add existing users and delete the organisation, directly from the organisation profile page.

When you delete an organisation, user accounts associated with the organisation remain active. These user accounts no longer have an organisation or role and as a consequence have very limited privileges until they are linked to a new organisation.

The organisation name cannot be edited.

Harvesting Metadata

Catalogue Service for the Web 2.0.2 (CSW service)

wetransform provides a catalogue service for the web (CSW) 2.0.2 for users who want to harvest metadata published on the hale»connect platform. The CSW contains both dataset and service metadata.

The hale»connect CSW GetCapabilities URL is: https://haleconnect.com/csw?service=CSW&request=GetCapabilities

The CSW GetCapabilities response document lists the supported request operations in the OperationsMetadata element, which include:

  • DescribeRecord

    The DescribeRecord request allows users to retrieve type definition(s) used by metadata of one or more registered resource types [OGC 07-006r1].

    https://haleconnect.com/csw?service=CSW&version=2.0.2&request=DescribeRecord

    The request returns a type definition document containing definition(s) of type(s) used by the metadata of one or more registered resource types. This type definition shall include the structure (schema), queryables, element sets, and formats of the metadata used for one or more registered resource types. The contents of the result of this operation depend on the types of metadata that can currently be used by registered resources [OGC 07-006r1].

  • GetDomain

    The GetDomain request retrieves information about the valid values of one or more named metadata properties.

    https://haleconnect.com/csw?service=CSW&version=2.0.2&request=GetDomain&propertyname=gmd:contactInfo

    The request returns descriptions of domains of one or more requested metadata properties or request parameters.

    The GetDomain operation is a “best-effort” operation that tries to generate useful information about the specified request parameter or property. It is possible that a catalogue may not be able to determine anything about the values of a property or request parameter beyond the basic type; in this case only a type reference or a type description will be returned. [OGC 07-006r1]

  • GetRecords

    The GetRecords operation enables users to build queries based on spatial predicates and attribute filters.

    Use the startPosition and maxRecords parameters to customize the number of results returned. Use the outputSchema parameter to customize the output format. Use the ElementSetName parameter (brief, summary, full) to adjust the length and detail of metadata record responses.

    All records example

    https://haleconnect.com/csw?service=CSW&version=2.0.2&request=GetRecords&resultType=results&outputSchema=http://www.isotc211.org/2005/gmd&NAMESPACE=xmlns(gmd=http://www.isotc211.org/2005/gmd)&typeNames=gmd:MD_Metadata&elementSetName=full&startPosition=1&maxRecords=10

    Full text search example

    The CSW can be queried to obtain the datasets which belong to an organisation. The following example demonstrates how to retrieve 10 records for the organisation named Test Org. The constraint parameter contains an ogc:Filter which filters on organisation name.

    https://haleconnect.com/csw?service=CSW&version=2.0.2&request=GetRecords&resultType=results&outputSchema=http://www.isotc211.org/2005/gmd&NAMESPACE=xmlns(gmd=http://www.isotc211.org/2005/gmd)&typeNames=gmd:MD_Metadata&CONSTRAINTLANGUAGE=FILTER&elementSetName=full&startPosition=1&maxRecords=10&CONSTRAINT=<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc" xmlns:gmd="http://www.isotc211.org/2005/gmd"><ogc:PropertyIsLike wildCard="%" singleChar="_" escapeChar="!"><ogc:PropertyName>csw:AnyText</ogc:PropertyName><ogc:Literal>%Test Org%</ogc:Literal></ogc:PropertyIsLike></ogc:Filter>

    Use the startPosition parameter to issue iterative requests to the CSW to obtain all results for an organisation. Currently, the CSW returns a maximum of 10 records per request.

  • GetRecordById

    The GetRecordById request enables users to query the service for individual metadata records through the use of identifiers. A CSW advertises which schemas it can use to represent a record in response to a GetRecordById request in the Capabilities document.

    https://haleconnect.com/csw?service=CSW&version=2.0.2&request=GetRecordById&id=07901729-84a2-4008-89c5-17403cd014ba&elementsetname=full&outputSchema=http://www.isotc211.org/2005/gmd

Each of the request types supports a range of parameters which can be used to query and filter the returns. Requests to the CSW can be made using HTTP GET, HTTP POST (including SOAP encodings of operation requests) and XML encoded POST requests.
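
The full text search and the startPosition iteration described under GetRecords, as an added example that is not part of the hale»connect documentation or code base. It URL-encodes the ogc:Filter and escapes the search term so that `%`, `_`, `!` and XML markup in an organisation name cannot change the filter; `harvest`, `like_literal` and the constructed `fake_fetch` responder are hypothetical names, and the paging relies on the `nextRecord` and `numberOfRecordsMatched` attributes that CSW 2.0.2 defines on `csw:SearchResults`.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CSW_URL = "https://haleconnect.com/csw"
GMD = "http://www.isotc211.org/2005/gmd"
GCO = "http://www.isotc211.org/2005/gco"
CSW_NS = "http://www.opengis.net/cat/csw/2.0.2"

def like_literal(term):
    """Neutralise PropertyIsLike metacharacters and XML markup in a search term."""
    for ch in "!%_":  # escape the escape character first
        term = term.replace(ch, "!" + ch)
    return escape("%" + term + "%")

def get_records_url(org_name, start=1, page_size=10):
    """Build the GetRecords request from the page with an encoded CONSTRAINT."""
    flt = (f'<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc" xmlns:gmd="{GMD}">'
           '<ogc:PropertyIsLike wildCard="%" singleChar="_" escapeChar="!">'
           '<ogc:PropertyName>csw:AnyText</ogc:PropertyName>'
           f'<ogc:Literal>{like_literal(org_name)}</ogc:Literal>'
           '</ogc:PropertyIsLike></ogc:Filter>')
    params = {
        "service": "CSW", "version": "2.0.2", "request": "GetRecords",
        "resultType": "results", "outputSchema": GMD,
        "NAMESPACE": f"xmlns(gmd={GMD})", "typeNames": "gmd:MD_Metadata",
        "CONSTRAINTLANGUAGE": "FILTER", "elementSetName": "full",
        "startPosition": start, "maxRecords": page_size, "CONSTRAINT": flt,
    }
    return CSW_URL + "?" + urlencode(params)

def harvest(org_name, fetch, max_pages=1000):
    """Collect file identifiers page by page; fetch(url) must return the XML body."""
    ids, start = [], 1
    for _ in range(max_pages):
        # For a catalogue you do not control, use a hardened XML parser
        # (for example defusedxml) instead of the standard-library one.
        root = ET.fromstring(fetch(get_records_url(org_name, start)))
        res = root.find(f"{{{CSW_NS}}}SearchResults")
        if res is None:
            raise RuntimeError("response has no csw:SearchResults element")
        path = f".//{{{GMD}}}fileIdentifier/{{{GCO}}}CharacterString"
        ids += [e.text for e in res.iterfind(path)]
        matched = int(res.get("numberOfRecordsMatched", "0"))
        returned = int(res.get("numberOfRecordsReturned", "0"))
        nxt = int(res.get("nextRecord", "0"))
        # Stop on the end marker (0), on an empty page, or if the service
        # points backwards or past the result set (guards against loops).
        if nxt == 0 or returned == 0 or nxt <= start or nxt > matched:
            return ids
        start = nxt
    raise RuntimeError("page limit reached before the result set ended")

def fake_fetch(url):
    """Constructed stand-in for an HTTP GET: 23 made-up records, paged as asked."""
    q = parse_qs(urlsplit(url).query)
    start, size, total = int(q["startPosition"][0]), int(q["maxRecords"][0]), 23
    last = min(start + size - 1, total)
    recs = "".join(
        f"<gmd:MD_Metadata><gmd:fileIdentifier><gco:CharacterString>id-{i}"
        "</gco:CharacterString></gmd:fileIdentifier></gmd:MD_Metadata>"
        for i in range(start, last + 1))
    nxt = last + 1 if last < total else 0
    return (f'<csw:GetRecordsResponse xmlns:csw="{CSW_NS}" xmlns:gmd="{GMD}" '
            f'xmlns:gco="{GCO}"><csw:SearchResults numberOfRecordsMatched="{total}" '
            f'numberOfRecordsReturned="{last - start + 1}" nextRecord="{nxt}">'
            f"{recs}</csw:SearchResults></csw:GetRecordsResponse>")
```

Against the live service, pass a `fetch` that performs the HTTP GET and returns the response body in place of `fake_fetch`.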

The hale»connect CSW also includes an ExtendedCapabilities element which contains additional metadata required for INSPIRE compliance.

You can explore the hale»connect CSW easily in the QGIS MetaSearch Catalogue Client plug-in. In QGIS 2.0 and higher, the plug-in is installed by default. Navigate to the Web menu in the top row of resource tabs in QGIS, and select MetaSearch from the dropdown menu.

In the MetaSearch dialog, click the Services tab and click New to create a connection to the hale»connect CSW. Give the connection a name, and enter the GetCapabilities URL to the CSW. Click OK.

Next, click the Search tab in the MetaSearch dialog and enter a search term in the Keywords field to explore the available metadata records.

For more information, visit the MetaSearch documentation on the QGIS website.

Access the harvesting endpoint

We provide a harvesting endpoint for catalogue services that want to harvest metadata from the hale»connect platform. The harvesting URL can be built using the following pattern:

https://haleconnect.com/services/bsp/metadata/org/<your org num>

Catalogue services retrieve a zip file containing all of the metadata for an organization from the harvesting URL.

As a system administrator, you can access a preview page which displays the metadata that is accessible from the harvesting endpoint. The harvesting preview page URL can be built using the following pattern:

https://haleconnect.com/services/bsp/metadata/org/<your org num>?preview=true

To find your organisation number, navigate to your organisation's account page in settings (gear symbol). Your organisation number is displayed in the browser URL. For example: https://haleconnect.com/#/organisation/1 indicates that your organisation number is 1.

The Harvest-Preview page displays the harvesting URL, the preview page URL and the number of resources at the endpoint. There are also toggles that control the inclusion of remote metadata resources and keyword filters. The includeremote toggle allows you to include remote metadata in the endpoint. The keywords toggle allows you to filter the list of metadata resources for datasets with the keyword ‘inspireidentifiziert’. You can add additional keywords by adding one or more keywords in a comma-separated list to the preview page URL after the keywords parameter.

For example, to filter on the keyword ‘infoFeatureAccessService’, construct the following URL:

https://haleconnect.com/services/bsp/metadata/org/1?preview=true&keywords=infoFeatureAccessService

The Harvest-Preview page lists the metadata resources in tabular format at the bottom of the page. Metadata resources are listed in rows with the following columns:

  • Type: The type of service
  • Title: The title of the service
  • Simple Keywords: The keywords extracted from the keywords field in the metadata file
  • Fileidentifier: The file identifier number
  • Filename: The name of the metadata file
  • Link: A hyperlink to the metadata file