

# Core Concepts


This section introduces the fundamental concepts of the Spatial Data Management on AWS solution, explaining what the solution does and how resources are organized.

## What is Spatial Data Management on AWS?


Spatial Data Management on AWS is a solution for managing large-scale spatial data assets such as point clouds, 3D models, and geospatial imagery. It provides:
+  **Centralized Storage** – Secure storage and organization of spatial data in Amazon Simple Storage Service (Amazon S3)
+  **Metadata Management** – Rich metadata and search capabilities for spatial assets
+  **Access Control** – Fine-grained permissions for users and teams
+  **Integration** – Connectors for external systems and workflows
+  **Versioning** – Complete version history for all assets

## Resource Model


The Spatial Data Management on AWS solution organizes resources in a hierarchical structure:

![Resource model diagram](http://docs.aws.amazon.com/solutions/latest/spatial-data-management-on-aws/images/resource-hierarchy.svg)


## Key Resources


The solution uses the following resource types:

 **Libraries** 

Libraries provide secure boundaries and permission management for the primary resources (Projects, Asset templates, and Connectors), which in turn help manage Assets. Each library defines its S3 configuration and serves as a top-level organizational container for related spatial data.

 **Projects** 

Projects logically group related assets and serve as the primary permission boundary. Each project can use configurable templates to enforce consistent metadata and structure across its assets.

 **Assets** 

Assets are versioned collections of files and folders that represent a logical unit of spatial data. Each asset includes a manifest defining its structure and metadata.

 **Asset Templates** 

Asset templates define structure requirements using JSON Schema validation, ensuring consistent organization of files and metadata. Templates also control which connectors can interact with assets of a specific type.

 **Files** 

Files represent individual data items stored using content-addressable storage, enabling automatic deduplication across versions and assets. Each file maintains its own metadata while being efficiently shared across the system.

 **Connectors** 

Connectors enable configuration-driven integration between the solution and external systems. They support multiple integration patterns including Content Derivers, Publishers, and Bi-directional synchronization.

# Access Methods


Users interact with the solution through multiple interfaces:

## Spatial Data Portal (Web)

+ Browser-based interface accessible from any device
+ Complete functionality for all user roles
+ No installation required
+ Responsive design for desktop and tablet

## Client Application (Desktop)

+ Native desktop application for Windows, macOS, and Linux
+ Enhanced performance for large file uploads and downloads
+ Bulk operations and batch processing
+ Offline capabilities for metadata editing

## REST APIs

+ Programmatic access for automation and integration
+ Direct S3 upload and download with temporary credentials
+ Full CRUD operations for all resources
+ Webhook support for event notifications

## Command-Line Interface (CLI)

+ Python-based CLI for scripting and automation
+ Batch operations and data migration
+ Integration with CI/CD pipelines
+ Administrative tasks and reporting

# Personas and Permissions Overview


Spatial Data Management on AWS uses resource-based access control to provide fine-grained permissions management. The solution does not define business personas as fixed roles in the system. Instead, it provides flexible permission levels (Owner, Manager, Contributor, and Viewer) that can be assigned to users on specific resources (libraries, projects, and assets). This approach allows customers to grant appropriate permissions to users based on their actual responsibilities and needs, rather than predefined role assignments. The business personas described in this guide (IT Admin, Project Admin, Asset Creator, and Asset Consumer) represent common user types to help you understand how to apply permissions effectively in your organization.

## Business Personas


These are the general business personas a typical customer will have.

### IT Admin


Manages cloud infrastructure, security, and system integrations. Responsible for deployment, maintenance, and ensuring compliance with the organization’s IT policies.

 **Work Style** – Domain: Generalist; Cloud/Ops: Expert; Learning: Reader

 **Goals** – The IT Admin aims to establish a secure and scalable environment while seamlessly integrating Spatial Data Management on AWS into the organization’s existing technology stack. Their focus is on implementing robust governance policies and access controls to ensure smooth operations across multiple projects and teams.

 **Example Roles** – DevOps Engineers, System Administrators, Cloud Architects

### Project Admin


Oversees project workflows, manages team access, and coordinates asset organization. Creates metadata schemas and defines processing pipelines for specific projects.

 **Work Style** – Domain: Specialist; Cloud/Ops: Learner; Learning: Doer

 **Goals** – The Project Admin strives to optimize team workflows by establishing standardized metadata schemas and configuring efficient processing pipelines. They actively monitor resource usage and team productivity to ensure project deliverables meet quality standards and timelines.

 **Example Roles** – BIM Managers, Project Coordinators, Asset Managers, Quality Assurance Leads

### Asset Creator


Creates, modifies, and processes three-dimensional (3D) assets and point cloud data. Includes both internal teams and external contractors who capture field data using scanning devices. Uses the solution daily for asset management, data upload, and file processing tasks.

 **Work Style** – Domain: Specialist (internal) or Mixed (contractors); Cloud/Ops: Learner to Novice; Learning: Doer

 **Goals** – Asset Creators focus on streamlining their daily workflows through efficient organization and processing of digital assets. For field teams, this extends to managing scanning projects and ensuring quality data capture. They need seamless collaboration capabilities to share work with team members and track project deliverables.

 **Example Roles** – Internal: 3D Artists, CAD Engineers, Point Cloud Specialists, Digital Twin Engineers. External: Scanning Service Providers, Drone Operators, Survey Teams, Reality Capture Specialists, Field Data Collection Teams

### Asset Consumer


Uses processed assets in downstream applications and workflows. Interacts with the solution primarily through integrated applications or for asset retrieval. May include stakeholders who need to visualize or reference processed data without direct manipulation.

 **Work Style** – Domain: Generalist; Cloud/Ops: Novice; Learning: Reader or Visual

 **Goals** – Asset Consumers need quick access to finalized assets for their specific use cases, whether visualization, analysis, or integration into other applications. They require reliable ways to retrieve current versions of assets and monitor project status, often working through familiar tools and interfaces rather than directly with Spatial Data Management on AWS.

 **Example Roles** – Business Users: Project Managers, Facility Managers, Asset Integrity Managers, Plant Operations Supervisors. Technical Users: Digital Twin Engineers, Process Control Engineers, Simulation Engineers, Data Scientists. Field Users: Inspection Teams, Maintenance Crews, Field Operations Staff, Safety Inspectors, Equipment Operators

## Permission Model and Access Control


Business personas map to resource-based access through permission levels that govern access to features.

### Initial Admin Setup


By default, the solution creates an Amazon Cognito group named `SpatialDataManagementAdministrators` with Owner access to all resources. This group enables IT Admins to designate an initial administrator user from the Cognito user pool or connected identity provider. This first admin can then assign permission levels to other users and groups within the application.

### User Access Initialization


Any user connected through a Cognito user group (who is not part of `SpatialDataManagementAdministrators`) starts with no permissions. An administrator in the `SpatialDataManagementAdministrators` group or another user with permission delegation rights must explicitly assign an access level before the user can organize and begin work.

### Permission Levels


Each resource supports four permission levels – Owner, Manager, Contributor, and Viewer – that define what actions users can perform within the solution.

The permission levels provide the following access:
+  **Owner** – Full access to all resources and actions, including access management on that resource and child resources
+  **Manager** – Can create, update, and manage access on the resource and child resources
+  **Contributor** – Can create and update the resource and child resources
+  **Viewer** – Can view the resource and child resources only
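
The following added example (not part of the solution's code or API) models how the four permission levels, inheritance to child resources, and the no-permissions default combine into an effective access decision, which is the question an access review asks. The resource names, users, action names, the rule that the highest grant on a resource or its ancestors wins, and the inclusion of "view" in higher levels are assumptions made for illustration.

```python
from enum import IntEnum

ADMIN_GROUP = "SpatialDataManagementAdministrators"  # group name from this guide

class Level(IntEnum):
    VIEWER = 1
    CONTRIBUTOR = 2
    MANAGER = 3
    OWNER = 4

# Actions per level as listed above. Assumption: higher levels also include "view".
ACTIONS = {
    Level.VIEWER: {"view"},
    Level.CONTRIBUTOR: {"view", "create", "update"},
    Level.MANAGER: {"view", "create", "update", "manage_access"},
}

# Constructed hierarchy, child -> parent (library > project > asset).
PARENT = {
    "project/bridge-scan": "library/civil",
    "project/tunnel": "library/civil",
    "asset/pier-3-pointcloud": "project/bridge-scan",
}

# Constructed grants: (user, resource) -> level.
GRANTS = {
    ("alice", "library/civil"): Level.MANAGER,
    ("bob", "project/bridge-scan"): Level.CONTRIBUTOR,
    ("carol", "asset/pier-3-pointcloud"): Level.VIEWER,
}

def effective_level(user, groups, resource):
    """Highest level granted on the resource or any ancestor; None means no access."""
    if ADMIN_GROUP in groups:
        return Level.OWNER            # admin group has Owner on all resources
    best, node = None, resource
    while node is not None:           # walk up: asset -> project -> library
        lvl = GRANTS.get((user, node))
        if lvl is not None and (best is None or lvl > best):
            best = lvl
        node = PARENT.get(node)
    return best

def is_allowed(user, groups, resource, action):
    lvl = effective_level(user, groups, resource)
    if lvl is None:
        return False                  # default deny until a level is assigned
    return lvl == Level.OWNER or action in ACTIONS[lvl]

def who_can(action, resource, principals):
    """Access-review helper: users (name -> groups) allowed to perform the action."""
    return sorted(u for u, g in principals.items() if is_allowed(u, g, resource, action))
```

Running `who_can("manage_access", ...)` against each library and project is a quick way to spot grants made high in the hierarchy that give more users access management over child assets than intended.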

## Next Steps


Now that you understand the core concepts, you can proceed with deploying and configuring the solution:
+  [Plan your deployment](plan-your-deployment.md) – Review deployment considerations and prerequisites
+  [Deploy the solution](deploy-the-solution.md) – Deploy the solution to your AWS account