Access Control Entry

Definition of an access control rule (or policy) with Allow or Deny decision for a given User or Group active according to a certain Permission name and scope. Multiple ACE form the effective ACL conditions to be evaluated to either grant or refuse access (i.e.: to provide the Authorization result based on the authenticated User).

Access Control List

Set of User and Group scopes, provided session Authentication elements, that either grants or denies Permission access to the applicable User for the targeted Resource. Formed of multiple ACE.

Access Permission

Required Group membership to obtain sufficient privileges in order to be permitted the execution of a given request. Requests under different scopes require variable access levels depending on context.

Allowed Permission

Set of applicable Permission values onto an element.

See also

Allowed Permissions section for details.

Application Programming Interface

Most typically, referring to the use of HTTP requests following an OpenAPI specification, and more broadly, to refer to Magpie’s own API definition. It can also refer to a specific Service using RESTful API, which can be registered using the ServiceAPI implementation.

Applied Permission

An active Permission for a given User or Group depending on context.

See also

Applied Permissions section for details.


Process of identifying one-self using credentials in order to login into Magpie, or retrieving connected session User during an HTTP request using supported methods.

See also

Authentication and Authorization section for details.


Process of allowing or denying access to a Resource or Service according to Logged User identified through one of the Authentication Methods. This process typically falls into the hands of a Proxy application as Policy Enforcement Point using policy access decisions provided by Magpie.

Context User

Specific User that is being targeted by a request from specified value for the {user_name} request path variable. The contextual User of the request could correspond to the Logged User if the reference resolves to itself, but this is not necessarily the case.

See also

Route Access for further details and examples provided.


Set of Authentication identifiers primarily employed by Magpie HTTP requests to determine the Logged User.

Direct Permissions

Describes a Permission that is given to a User explicitly, rather than one of its Group memberships.

See also

Direct Permissions section for details.

Discoverable Group

Group that has property discoverable=True, making it publicly viewable to any-level user. Otherwise, groups can be listed or accessed only by administrators.

Effective Permission

A Permission that has been completely resolved according to all applicable contexts, that indicates the final granted or denied result.

See also

Effective Permissions section for details.

Effective Resolution

Process of resolving Effective Permission over a Resource considering any applicable Permission Definition and Modifiers.

See also

Permissions Resolution section for details.

External Providers

Set of all known user-identity Provider defined externally to Magpie. Each of these Provider require specific connection methodologies, as configured in

See also

Authentication Providers section for details.


Entity on which Permission over a Service or Resource can be applied. Any User can be set as a member of any number of Group, making it inherit all applicable set of Permission. A Group can optionally have terms and conditions, which the User has to accept before being assigned to the Group. In this case, an email is sent to the User upon request to ask for confirmation. The terms and conditions can only be defined upon the Group creation and can never be modified afterwards.

Immediate Permission

Describes a Permission that originates directly and only from a Service. This is referenced in only a few use-cases, notably for Finding User Permissions.

See also

Immediate Permissions section for details.

Inherited Permission

Describes a Permission that includes both User and Group contexts simultaneously.

See also

Inherited Permissions section for details.

Internal Providers

Represents all the Provider that are known for local (instead of external) Authentication to the referenced Magpie instance. The credentials for login as locally searched fo rather than dispatched to an external user-identity. For the moment, this consists uniquely of magpie.constants.MAGPIE_DEFAULT_PROVIDER constant.

Logged User

More specific use-case of Request User that simultaneously corresponds to the active request session User as well at the referenced Context User from the path variable. This User can be automatically retrieved in applicable requests using in the request path the special constant value defined by magpie.constants.MAGPIE_LOGGED_USER, or using its literal User name. When not logged in, this User is considered to be equivalent to explicitly requesting magpie.constants.MAGPIE_ANONYMOUS_USER. Otherwise, it is whoever the Authentication mechanism identifies with token extracted from request Cookies.


Acronym for Open Geospatial Consortium that represent the global initiative and community to standardize geospatial data and service methodologies in order to improve access to geospatial and location information.


The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for HTTP API`s. It is used in `Magpie to represent API definitions for requests and responses.


Acronym that regroups all OGC Web Services. This includes Web Feature Service (WFS), Web Map Service (WMS) and Web Processing Service (WPS), amongst others, for which Magpie offers some specific Service request parser implementations.

Pending User

Account that is pending for validation or approval following self-registration when the application is configured to provide that functionality.

See also

User Registration section for further details about the self-registration procedure.


Element that defines which rules are applicable for a given combination of User and/or Group against one or many Service and/or Resource, depending of the many contexts for which they can apply. Applicable values are generally defined by enum magpie.permissions.Permission.

See also

Permissions chapter provides more exhaustive details, including contextual comparisons for all other Permission-related terms presented here.

Policy Decision Point

Application that has the responsibility to take the decision whether or not to allow or deny access of a given User to some targeted Resource based on applicable Permission rules. This is the role that Magpie fulfills.

Policy Enforcement Point

Application that has the responsibility of applying the decision provided by the PDP in order to grant access or block access to the Resource by the intended User. This is typically accomplished by Twitcher Proxy, but can be implemented by any application that can communicate with Magpie through the API endpoint it provides.


Corresponds to the reference user-identity to employ in order to attempt Authentication. Identities are regrouped either as Internal Providers or External Providers.

See also

ref:authn_providers section for details.


Sibling service (typically Twitcher) that employs Magpie as access management of User, Group, Service and Resource to obtain applicable sets of Permission. Provided these, it acts as Policy Enforcement Point.


Refers to a Permission applied on a Service or Resource to special elements in order to make them available to anyone including even unauthenticated sessions.

See also

Public Access section for implementation details to achieve this result.

Request User

Active HTTP request session User that can be retrieved by calling request.user with resolution of Authentication headers within the request (User is None if unauthenticated, i.e.: magpie.constants.MAGPIE_ANONYMOUS_USER). This is not the same as the Context User extracted from {user_name} path variable, except for the special case covered by Logged User’s definition. The request User could send request that work on another Context User than itself if sufficient Access Permission is granted.

See also

Route Access for further details.


Entity on which User and Group can be associated to applicable Permission respectively for the contextual Service under which it resides. This element can represent relatively anything. The interpretation of each Resource depends on the context of the Service they relate to. Implemented by sub-classes of magpie.models.Resource.


Top-level specialized Resource that defines which children Resource elements are applicable to it (if any), how its hierarchy of Resource should behave against incoming HTTP request details, and how to parse any set of Permission applied on them against respective request elements. Also defines URL connexion details pointing to the actual service on which access control are applicable. Each type of Service defines different combination of functionalities. Implemented by sub-classes of magpie.models.ServiceInterface.

Service Hook

Plugin function handler that can apply modifications onto received requests or returned responses when interacting with Twitcher Proxy, based on a set of filter conditions.

See also

Service Hooks section for details.


Unitary entity containing details about the user allowing it to log into Magpie and that can have other relationships applied to it such as Permission and Group that extend his specific access rights to Service and Resource elements. Implemented by magpie.models.User.

Web Feature Service

One of the OWS implementation which Magpie offers an implementation for controlling access to layers and their features.

Web Map Service

One of the OWS implementation which Magpie offers an implementation for controlling access to layers and generated maps from them.

Web Processing Service

One of the OWS implementation which Magpie offers an implementation for controlling access to description and execution of processes.


Subscribable events handlers to send HTTP(S) requests following the occurrence of a given Magpie action.

See also

Webhook Configuration and Combined Configuration File sections for details.