Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS

2020-04-26 Thread Alessandro Pasotti
Note that there is a little trick that might make things easier:
suppose you want to share a QGS project within an organization. By
using the QGIS authentication database you can create an
authentication configuration with a known ID (the usually automatic
7-character ID) and share the project within your organization using
that authentication configuration to access the server. To load the
project (and to connect to the server), all that a user would need to
do is to create an authentication configuration with the same ID (but
with his/her own credentials).

We happily tested it with PKI user certificates on a postgis backend.


On Sun, Apr 26, 2020 at 9:26 AM Michael Dufty
 wrote:
>
> Good point on the security, so far we’ve been relying on the server only 
> being accessible from our network, but would be good to be able to open that 
> up.
>
> Other than that, would simultaneous uses of the same account be likely to 
> cause issues?
>
>
>
> Michael Dufty
>
>
>
> From: Qgis-user  On Behalf Of Jeff Hubbs
> Sent: Sunday, 26 April 2020 1:45 AM
> To: qgis-user@lists.osgeo.org
> Subject: Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS
>
>
>
> Agree, strongly. Even better to have an independent authentication system 
> (e.g. LDAP) that everything uses but at minimum, separate PostgreSQL accounts 
> for everybody is highly recommended.
>
>
>
> On 4/25/20 11:39 AM, Jo wrote:
>
> From a security perspective you definitely want to create a distinct user 
> account for each user. What if a user leaves your organisation? Will you 
> update the password and have to communicate it to everyone before they can do 
> further work? That's more cumbersome than doing it right from the start.
>
>
>
> After a while you may also discover that some users will need different 
> rights.
>
>
>
> Jo
>
>
>
> On Sat, Apr 25, 2020 at 12:23 PM Michael Dufty 
>  wrote:
>
> I’m looking at setting up a postGIS server for use to store mapping files to 
> use with QGIS.
>
> We have about a dozen users who will all need to be able to edit layers and 
> save new layers to the server, and any new layers they create need to be 
> editable by other users.
>
>
>
> Can anyone advise if having everyone use the same user account would be a 
> good idea?  Since everyone will have the same privileges this would seem to 
> simplify setup.  Often there will be different people editing the same QGIS 
> project at different times, and I think it would help with that, although it 
> looks like we would need to use the same id for the authentication on every 
> computer if we don’t want password prompts all the time.  I’m just concerned 
> this may cause issues with the server if the same user account is accessing 
> the database from different locations at the same time.
>
>
>
> As I understand it the alternative would be to create a role that all 
> accounts are members of, and alter the default privileges for each account so 
> the role gets access to any new tables created, which would be a bit of a 
> pain to set up for lots of accounts, but probably OK.
>
>
>
> I have struggled with this in the past, and the consultant who set up a 
> similar server for us in  the past to use with Manifold gave up on getting 
> permissions to work and just made every account a superuser.  This doesn’t 
> seem ideal, but hasn’t caused any issues in over 10 years.
>
>
>
>
>
> Michael Dufty
>
>
>
> ___
> Qgis-user mailing list
> Qgis-user@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
>
>
>



-- 
Alessandro Pasotti
w3:   www.itopen.it

Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS

2020-04-26 Thread Fernando M. Roxo da Motta
On Sat, 25 Apr 2020 17:39:37 +0200, Jo  wrote:


> From a security perspective you definitely want to create a distinct
> user account for each user. What if a user leaves your organisation?
> Will you update the password and have to communicate it to everyone
> before they can do further work? That's more cumbersome than doing it
> right from the start.

  Out of curiosity, does PostgreSQL keep any kind of log about what
transactions were performed by each user?

  If so, this can be an extra security tool.


  Regards.


> 
> After a while you may also discover that some users will need
> different rights.
> 
> Jo
> 
> On Sat, Apr 25, 2020 at 12:23 PM Michael Dufty <
> mdu...@mbsenvironmental.com.au> wrote:  
> 
> > I’m looking at setting up a postGIS server for use to store mapping
> > files to use with QGIS.
> >
> > We have about a dozen users who will all need to be able to edit
> > layers and save new layers to the server, and any new layers they
> > create need to be editable by other users.
> >
> >
> >
> > Can anyone advise if having everyone use the same user account
> > would be a good idea?  Since everyone will have the same privileges
> > this would seem to simplify setup.  Often there will be different
> > people editing the same QGIS project at different times, and I
> > think it would help with that, although it looks like we would need
> > to use the same id for the authentication on every computer if we
> > don’t want password prompts all the time.  I’m just concerned this
> > may cause issues with the server if the same user account is
> > accessing the database from different locations at the same time.
> >
> >
> >
> > As I understand it the alternative would be to create a role that
> > all accounts are members of, and alter the default privileges for
> > each account so the role gets access to any new tables created,
> > which would be a bit of a pain to set up for lots of accounts, but
> > probably OK.
> >
> >
> >
> > I have struggled with this in the past, and the consultant who set
> > up a similar server for us in  the past to use with Manifold gave
> > up on getting permissions to work and just made every account a
> > superuser.  This doesn’t seem ideal, but hasn’t caused any issues
> > in over 10 years.
> >
> >
> >
> >
> >
> > *Michael Dufty*
> >
> >








  Roxo

-- 
 Non luctari, ludare ---+ WYSIWYG
Fernando M. Roxo da Motta   | Editor?
Except where explicitly stated I speak on my own behalf.|  VI !!
PU5RXO  | I see text,
 Quis custodiet ipsos custodes?-+ I get text!
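
On the logging question above: PostgreSQL can tag every server log line with the connecting role, which only gives per-person attribution when each person has their own account. The settings and query below are an added example, not part of the original thread; the prefix layout is one possible choice.

```sql
-- Added example. Run as a superuser; ALTER SYSTEM writes to postgresql.auto.conf.

-- Prefix each log line with timestamp, backend PID, role, database and client host.
ALTER SYSTEM SET log_line_prefix = '%m [%p] user=%u db=%d host=%h ';

-- Record who connected and when the session ended.
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_disconnections = on;

-- Log DDL plus data-modifying statements (INSERT, UPDATE, DELETE, TRUNCATE, COPY FROM).
-- 'all' would also log every SELECT, which is noisy with QGIS clients.
ALTER SYSTEM SET log_statement = 'mod';

-- Apply without a restart (log_connections affects new sessions only).
SELECT pg_reload_conf();

-- Live view: how many sessions each role has open, and from where.
-- With one shared account every row carries the same usename, so the
-- client address is the only thing left to tell people apart.
SELECT usename,
       client_addr,
       count(*)           AS sessions,
       min(backend_start) AS oldest_session
FROM pg_stat_activity
WHERE datname = current_database()
GROUP BY usename, client_addr
ORDER BY usename, client_addr;
```

Statement logging records what was sent, not a structured audit trail; the pgAudit extension is the usual next step when that is required.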
 

Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS

2020-04-26 Thread Michael Dufty
Good point on the security, so far we’ve been relying on the server only being 
accessible from our network, but would be good to be able to open that up.
Other than that, would simultaneous uses of the same account be likely to cause 
issues?

Michael Dufty

From: Qgis-user  On Behalf Of Jeff Hubbs
Sent: Sunday, 26 April 2020 1:45 AM
To: qgis-user@lists.osgeo.org
Subject: Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS

Agree, strongly. Even better to have an independent authentication system (e.g. 
LDAP) that everything uses but at minimum, separate PostgreSQL accounts for 
everybody is highly recommended.

On 4/25/20 11:39 AM, Jo wrote:
From a security perspective you definitely want to create a distinct user 
account for each user. What if a user leaves your organisation? Will you update 
the password and have to communicate it to everyone before they can do further 
work? That's more cumbersome than doing it right from the start.

After a while you may also discover that some users will need different rights.

Jo

On Sat, Apr 25, 2020 at 12:23 PM Michael Dufty 
<mdu...@mbsenvironmental.com.au> wrote:
I’m looking at setting up a postGIS server for use to store mapping files to 
use with QGIS.
We have about a dozen users who will all need to be able to edit layers and 
save new layers to the server, and any new layers they create need to be 
editable by other users.

Can anyone advise if having everyone use the same user account would be a good 
idea?  Since everyone will have the same privileges this would seem to simplify 
setup.  Often there will be different people editing the same QGIS project at 
different times, and I think it would help with that, although it looks like we 
would need to use the same id for the authentication on every computer if we 
don’t want password prompts all the time.  I’m just concerned this may cause 
issues with the server if the same user account is accessing the database from 
different locations at the same time.

As I understand it the alternative would be to create a role that all accounts 
are members of, and alter the default privileges for each account so the role 
gets access to any new tables created, which would be a bit of a pain to set up 
for lots of accounts, but probably OK.

I have struggled with this in the past, and the consultant who set up a similar 
server for us in  the past to use with Manifold gave up on getting permissions 
to work and just made every account a superuser.  This doesn’t seem ideal, but 
hasn’t caused any issues in over 10 years.


Michael Dufty


Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS

2020-04-25 Thread Jeff Hubbs
Agree, strongly. Even better to have an independent authentication 
system (e.g. LDAP) that everything uses but at minimum, separate 
PostgreSQL accounts for everybody is highly recommended.


On 4/25/20 11:39 AM, Jo wrote:
From a security perspective you definitely want to create a distinct 
user account for each user. What if a user leaves your organisation? 
Will you update the password and have to communicate it to everyone 
before they can do further work? That's more cumbersome than doing it 
right from the start.


After a while you may also discover that some users will need 
different rights.


Jo

On Sat, Apr 25, 2020 at 12:23 PM Michael Dufty wrote:


I’m looking at setting up a postGIS server for use to store
mapping files to use with QGIS.

We have about a dozen users who will all need to be able to edit
layers and save new layers to the server, and any new layers they
create need to be editable by other users.

Can anyone advise if having everyone use the same user account
would be a good idea?  Since everyone will have the same
privileges this would seem to simplify setup.  Often there will be
different people editing the same QGIS project at different times,
and I think it would help with that, although it looks like we
would need to use the same id for the authentication on every
computer if we don’t want password prompts all the time.  I’m just
concerned this may cause issues with the server if the same user
account is accessing the database from different locations at the
same time.

As I understand it the alternative would be to create a role that
all accounts are members of, and alter the default privileges for
each account so the role gets access to any new tables created,
which would be a bit of a pain to set up for lots of accounts, but
probably OK.

I have struggled with this in the past, and the consultant who set
up a similar server for us in  the past to use with Manifold gave
up on getting permissions to work and just made every account a
superuser.  This doesn’t seem ideal, but hasn’t caused any issues
in over 10 years.

*Michael Dufty*


Re: [Qgis-user] User setup for PostGres/PostGis use with QGIS

2020-04-25 Thread Jo
From a security perspective you definitely want to create a distinct user
account for each user. What if a user leaves your organisation? Will you
update the password and have to communicate it to everyone before they can
do further work? That's more cumbersome than doing it right from the start.

After a while you may also discover that some users will need different
rights.

Jo

On Sat, Apr 25, 2020 at 12:23 PM Michael Dufty <
mdu...@mbsenvironmental.com.au> wrote:

> I’m looking at setting up a postGIS server for use to store mapping files
> to use with QGIS.
>
> We have about a dozen users who will all need to be able to edit layers
> and save new layers to the server, and any new layers they create need to
> be editable by other users.
>
>
>
> Can anyone advise if having everyone use the same user account would be a
> good idea?  Since everyone will have the same privileges this would seem to
> simplify setup.  Often there will be different people editing the same QGIS
> project at different times, and I think it would help with that, although
> it looks like we would need to use the same id for the authentication on
> every computer if we don’t want password prompts all the time.  I’m just
> concerned this may cause issues with the server if the same user account is
> accessing the database from different locations at the same time.
>
>
>
> As I understand it the alternative would be to create a role that all
> accounts are members of, and alter the default privileges for each account
> so the role gets access to any new tables created, which would be a bit of
> a pain to set up for lots of accounts, but probably OK.
>
>
>
> I have struggled with this in the past, and the consultant who set up a
> similar server for us in  the past to use with Manifold gave up on getting
> permissions to work and just made every account a superuser.  This doesn’t
> seem ideal, but hasn’t caused any issues in over 10 years.
>
>
>
>
>
> *Michael Dufty*
>
>

[Qgis-user] User setup for PostGres/PostGis use with QGIS

2020-04-25 Thread Michael Dufty
I'm looking at setting up a postGIS server for use to store mapping files to 
use with QGIS.
We have about a dozen users who will all need to be able to edit layers and 
save new layers to the server, and any new layers they create need to be 
editable by other users.

Can anyone advise if having everyone use the same user account would be a good 
idea?  Since everyone will have the same privileges this would seem to simplify 
setup.  Often there will be different people editing the same QGIS project at 
different times, and I think it would help with that, although it looks like we 
would need to use the same id for the authentication on every computer if we 
don't want password prompts all the time.  I'm just concerned this may cause 
issues with the server if the same user account is accessing the database from 
different locations at the same time.

As I understand it the alternative would be to create a role that all accounts 
are members of, and alter the default privileges for each account so the role 
gets access to any new tables created, which would be a bit of a pain to set up 
for lots of accounts, but probably OK.

I have struggled with this in the past, and the consultant who set up a similar 
server for us in  the past to use with Manifold gave up on getting permissions 
to work and just made every account a superuser.  This doesn't seem ideal, but 
hasn't caused any issues in over 10 years.


Michael Dufty
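
The alternative described in this post (a shared group role plus altered default privileges for each account) looks like this in SQL. This is an added example, not part of the original thread; the role names `gis_editors`, `alice` and `bob`, the database `gisdb`, the use of the `public` schema and the passwords are all placeholders.

```sql
-- Added example with hypothetical names. Run as a superuser, connected to gisdb.

-- 1. Group role that carries the privileges. It cannot log in itself.
CREATE ROLE gis_editors NOLOGIN;

-- 2. One login role per person, each a member of the group.
CREATE ROLE alice LOGIN PASSWORD 'REPLACE_ME_1' IN ROLE gis_editors;
CREATE ROLE bob   LOGIN PASSWORD 'REPLACE_ME_2' IN ROLE gis_editors;

-- 3. Let group members connect and create layers in the shared schema.
GRANT CONNECT ON DATABASE gisdb TO gis_editors;
GRANT USAGE, CREATE ON SCHEMA public TO gis_editors;

-- 4. Layers that already exist: edit rights for the whole group.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA public TO gis_editors;
GRANT USAGE, SELECT
    ON ALL SEQUENCES IN SCHEMA public TO gis_editors;

-- 5. Layers created later: default privileges are stored per creating role,
--    so every login role has to be listed (one statement covers several).
ALTER DEFAULT PRIVILEGES FOR ROLE alice, bob IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO gis_editors;
ALTER DEFAULT PRIVILEGES FOR ROLE alice, bob IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO gis_editors;

-- Check what was recorded (psql shows the same with \ddp).
SELECT defaclrole::regrole AS creating_role, defaclobjtype, defaclacl
FROM pg_default_acl;

-- Caveat: only a table's owner (or a superuser) can ALTER or DROP it.
-- The grants above cover editing features, not changing a layer's structure.

-- 6. Someone leaves: disable the login, hand their layers to a colleague,
--    then remove the role. Nobody else's password changes.
--    REASSIGN OWNED / DROP OWNED act on the current database only.
ALTER ROLE bob NOLOGIN;
REASSIGN OWNED BY bob TO alice;
DROP OWNED BY bob;   -- clears bob's remaining grants and default privileges
DROP ROLE bob;
```

Adding a new person later means repeating steps 2 and 5 for that one role, which is the per-account setup cost the post refers to; none of it requires superuser rights for the users themselves.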
