Access Control for OpenGIS^® Web Services

Access Control for an OpenGIS^® Web Service based Spatial Data Infrastructure is one of the relevant pre-conditions to provide high quality geographic information. Basically, access to the services has to be protected by an appropriate Access Control System that implements (at least) the following requirements:

• It must be possible to declare access rights for particular data types of geographic information objects. When protecting access to the Web Map Service (WMS), a data type can be a layer, provided by the WMS. For a Web Feature Service (WFS) a data type can be a feature type.
• It must be possible to declare access rights for particular instances of geographic information objects. For protecting access to a WFS, this allows to associate access rights to individual features or a group of features.
• It must be possible to declare access rights for particular geographic areas (regions). For protecting a WMS, this allows to restrict access for maps to particular areas of interest. For protecting a WFS, this allows to minimize the area, for which features can be requests, created, modified or deleted.
• Requesting maps in a binary format (e.g. gif, jpeg, etc.) it must be possible to declare access rights based on the resolution of the map.
• It must be possible to declare access rights for requests, issued by clients with a particular IP-address or computer name.
• It must be possible to declare access rights for particular time windows.
• It must be possible to combine different types of access rights and manage access rights for roles.

These (and more) requirements are supported by the Geospatial eXtensible Access Control Markup Language, short GeoXACML. It defines a geo-specific extension to the eXtensible Access Control Markup Language, short XACML which is a standard from OASIS. More information on GeoXACML can be obtained from the Homepage.

The establishment of Access Control requires Authentication. One interoperable solution to implement Authentication that supports Single-Sign-On is based on on the Security Markup Language Standard by OASIS.