web-server/doc/en/user/source/security/usergrouprole/interaction.rst

.. _security_rolesystem_interaction:

Interaction between user/group and role services
================================================

The following section describes the interaction between the :ref:`security_rolesystem_usergroupservices` and the :ref:`security_rolesystem_roleservices`.

Calculating the roles of a user
-------------------------------

The diagram below illustrates how a user/group service and a role service interact to calculate user roles.

.. figure:: images/usergrouprole1.png
   :align: center

   *User/group and role service interacting for role calculation*

On fetching an enabled user from a user/group service, the roles(s) assigned to that user must be identified. The identification procedure is:

#. Fetch all enabled groups for the user. If a group is disabled, it is discarded.
#. Fetch all roles associated with the user and add the roles to the result set.
#. For each enabled group the user is a member of, fetch all roles associated with the group and add the roles to the result set.
#. For each role in the result set, fetch all ancestor roles and add those roles to the result set.
#. Personalize each role in the result set as required.
#. If the result set contains the local admin role, add the role ``ROLE_ADMINISTRATOR``.
#. If the result set contains the local group admin role, add the role ``ROLE_GROUP_ADMIN``.

.. note::

   Role personalization looks for role parameters (key/value pairs) for each role and checks if the user properties (key/value pairs) contain an identical key. If any matches are found, the value of the role parameter is replaced by the value of the user property.


Authentication of user credentials
----------------------------------

A user/group service is primarily used during authentication. An authentication provider in the :ref:`security_auth_chain` may use a user/group service to authenticate user credentials. 

.. figure:: images/usergrouprole2.png
   :align: center

   *Using a a user/group service for authentication*

GeoServer defaults
------------------

The following diagram illustrates the default user/group service, role service, and authentication provider in GeoServer:

.. figure:: images/usergrouprole3.png
   :align: center

   *Default GeoServer security configuration*

Two authentication providers are configured—the *Root* provider and the *Username/password* provider. The *Root* provider authenticates for the GeoServer :ref:`security_root` and does not use a user/group service. The *Username/password* provider is the default provider and relays username and password credentials to a user/group service.

A single user/group service, which persist the user database as XML, is present. The database contains a single user named ``admin`` and no groups. Similarly, the role service persists the role database as XML. By default, this contains a single role named ``ADMIN``, which is associated with the ``admin`` user. The ``ADMIN`` role is mapped to the ``ROLE_ADMINISTRATOR`` role and as a result, the ``admin`` user is associated with system administrator role during role calculation.