Knowing your Role when defining Best Practices for SDI Access Control

Requirements for Access Control and Authentication solutions on the Web have been growing during the last few years - but many security concerns for deploying geospatial data services like OGC Web Feature Services (WFS) Transactional still need to be addressed. Specifically, the lack of adequate Web-based Access Control solutions has contributed to a situation where many organizations have been avoiding deployment of their OGC services like WFS-T on the Web. The lack of such controls has forced data providers to adopt, for example, data sub-setting techniques to isolate access to geospatial data based on different projects, users, groups of users, etc. But such approaches have been proven to add hardware, software, implementation and maintenance costs for organizations deploying their OGC-based SDI data services.

To address this challenge a collaborative group including CubeWerx, The Carbon Project and others have been working on Best Practices for Role-based Access Control to help organizations deploying OGC Spatial Data Infrastructure (SDI) services. The approach is based on a set of simple Access Control Rules that can be used to make sure the right geospatial information goes to the right people. But behind the scenes there are IT industry-wide efforts working on “Identity Metasystems” to provide an interoperable architecture for digital identity, OASIS security standards for Information Cards, Authentication discussions on "Identity Provider" and "Relying Party" – all built on top of the Web Services Protocol Stack that includes WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. In other words, an incredible amount of effort IT industry-wide on Authentication.

So in the Best Practices for Role-based Access Control we adopted the philosophy that says, “Use Authentication methods defined by IT industry-wide efforts ” - we'll focus on defining simple, reusable SDI Access Control Rules (SACR) for granting access to OGC services by role, geographic extent, feature and SDI operations. This approach adds significant new capability for deploying SDI by allowing organizations to optimize data services and reduce costs. Over the next weeks we'll be talking more about these Best Practices, examples, and the associated 2008 NSDI Cooperative Agreements Program (CAP) project.

- Jeff

Basic roles in a crowd-sourced OGC SDI

Spatial data infrastructures (SDI) are starting to tap the knowledge and energy of collaborating communities - and move data production and update operations to local levels, closest to source. But what are the basic roles people can play in this collaborative environment?

It turns out the basic operations for this kind of "GeoSynchronization" (from OGC) are simple - updates are published by one data source, reviewed by another and followed by others. When you organize geoRSS feeds for the task you get three basic roles in a crowd-sourced SDI -

Publisher - Makes changes to content. Generates feature changes , submits them for review via a Change Feed. Changes include adding, deleting or updating features. When a change is accepted or rejected Publisher is notified via a Resolution Feed.

Reviewer - Approves changes submitted by Publishers, subscribed to a Change Feed. When the Reviewer receives a change, they can then use an application to review and 'accept' or 'reject'. GeoSynchronization Services (GSS) can then apply accepted changes to any registered OGC WFS via WFS Transactions.

Follower - Can use standard RSS reader to get updates on any device. When changes to servers are accepted GSS announces them to Followers via the Replication Feed. A Follower subscribed to these event notifications will receive appropriate updates in the form of RSS or GeoRSS entries.

More info check here

- Jeff

Spatially-defined Access Control on YouTube

More NOAA weather via WMS and WFS SOA

It's Earth observation week at CarbonCloud - and here's quick look at some NOAA National Weather Service (NWS) WMS and WFS. Rumor has it a lot has happened in NWS with regards to web services - and the radar/warnings and Flood Outlook Product (FOP) WMS and WFS above are just a small glimpse of the progress. Although not a traditional part of an NSDI "Framework", climate and weather data have become essential for both daily forecasts and longer term understanding of potential changes in climate. The data is overlayed on USGS Framework WMS, NASA OnEarth WMS. If anyone would like the Gaia geospatial session file (GSF) for the services above just let us know at info@thecarbonproject.com.

- Jeff

NOAA's WFS - Instant Access to Climate Data

NOAA's National Climatic Data Center (NCDC) is "the world's largest active archive of weather data" - producing numerous climate publications and responding to data requests from all over the world. As part of its access programs the NCDC provides its geospatial data through OGC web services (WMS, WFS, KML/KMZ) and Catalog Service for the Web (CS-W). We tried the WFS recently in Gaia (above) and they work great. The data is overlayed on USGS Framework WMS, NASA OnEarth WMS and OpenStreetMap. Looks like lots of potential for open access to climate data.

- Jeff

Science Fiction or the Future of Aviation? NextGen System Utilizes Open Data Modeling

Image copyright & courtesy Geoworld magazine

The Carbon Project's CTO, Nuke Goldstein, discusses the role of open data modeling in the November issue of Geoworld (pp 19-21). The article begins by describing a pilot on a Flight from Dallas/Forth Worth airport in 2020 - and continues on to describe the role of geospatial data modeling and online services in modernizing our aging national airspace system. Check it out online here and let us know your thoughts.

- Jeff

Gaia brings WFS Transactions on ArcGIS to everyone

Modern mapping technologies can allow anyone to contribute up-to-date knowledge anywhere and at anytime - not just professionals equipped with GIS desktops. If you look at the geospatial market a key aspect of this emerging environment is likely to be open geospatial services supported by ArcGIS Server 9.3. Implementing specifications from the Open Geospatial Consortium (OGC) ArcGIS Server 9.3 not only enhances interoperability - it offers a new angle on data updates.

How? ArcGIS Server 9.3 implements OGC Web Feature Service (WFS) to let anyone interact with geospatial services and affect remote content. This is possible because the folks at ESRI have implemented a powerful concept from the OGC WFS specification – Transactions. WFS Transactions on ArcGIS Server allow users to selectively pull in geospatial information and then push out value-added content for reuse by others. At this point I should mention that WFS-T tools like The Carbon Project’s CarbonArc PRO (an ESRI ArcGIS desktop extension) have been around for a few years - and allow ArcGIS users to graphically update, delete or insert info on a WFS-T within the ArcGIS ArcMap application. But sometimes ArcGIS desktop may not be that easy for the average "non-GIS" end-user (and some people might not even have an ArcGIS desktop ;-)

So to make WFS-T usable by non-GIS professional a light, cost-effective and user-friendly software client is needed that can work with ArcGIS Server 9.3. This tool would enable users to post updates in a visual and intuitive way. To support this requirement and accommodate for users who can’t rely on stable network connectivity, such as users in the field, a standalone application also seems to be reasonable. Enter the WFS-Transactions Extender to The Carbon Project’s Gaia SDI platform. The Gaia WFS-T Extender allows geospatial edits and updates using WFS-T and GML in both online and offline environments - and the user-interface wraps the OGC standards into an easy-to-use application accessible to everyone, including non-GIS users. The app also works with non-ESRI WFS-T as well - and we hope it promotes enhanced collaboration and participatory mapping in the geospatial community.

- Jeff

New OGC WMTS hits the street - supporting REST interfaces

CubeWerx is in the process of launching its OGC WMTS implementation and the feature list is impressive - tiles created using OGC Styled Layer Descriptor (SLD), multiple tile sets from the same data (to respond to different symbology or map projection requirements), no database needed to deploy, REST interfaces and more.

With the recent release of a proposed standard for tile-based web mapping, Web Map Tile Service (WMTS), the OGC and members like CubeWerx are poised to provide open alternatives for "slippy" tile-based web mapping. Worked on quietly by the gurus at CubeWerx, CREAF and the Autonomous University of Barcelona - the candidate WMTS Interface Standard is much like OGC's popular WMS, but it enables faster server performance.

As many know, OGC Web Map Server (WMS) has been criticized for being slow because it creates a new image for each request – rather than returning pre-generated tiles that provide an almost instant zoom and pan. WMS was designed this way because there were two goals behind the interface, interoperability and the ability to overlay many sources - and in this respect it's been very successful. A WMS client can overlay map layers from many sources in an arbitrary bounding box at an arbitrary scale with any number of styles. But this flexibility comes at a price - since a WMS server is required to generate each requested map image on the fly it's slower to respond than a tile map service.

But OGC WMTS like CubeSERV Web Map Tile Server (WMTS) change all this. To improve performance, instead of creating a new image for each request, the WMTS returns small pre-generated images (e.g., PNG or JPEG) or reuses identical previous requests that follow a set of tile matrices. This service is also the first OGC standard to include a RESTful approach in addition to the usual OGC "KVP" encodings. The "oh, that makes sense" aspect of WMTS has already resulted in implementation in clients like Gaia 3.4.

Bottom Line - WMTS provides a natural way to evolve WMS services into a more constrained - but more scalable and faster service - so anyone can build services and applications that are fast, easy to use, and democratically accessible.

- Jeff

Advantage of OneGeology WMS model - data stays in nations

An article from Pubblica Amministrazione raises the interesting assertion that the "technology used by" the OneGeology project, "called 'Web Map Service', surpasses that of Google Earth using a distributed model, dynamic and sustainable, able to leave the data provider in the sites of nations so that they are best kept and constantly updated."

- Jeff