Idea #15372: Revise group permissions to separate them from permissions on managed objects - Arvados

In this case the user should see sharing controls for the project. This is what Workbench1 does when you use the "add user to group" admin feature.

       can_manage            can_manage
user --------------> group --------------> project

In this case the user should not see sharing controls for the project. This might happen if something other than the Workbench1 admin page is used to add the user→group permission link.

       can_write             can_manage
user --------------> group --------------> project

Permissions are narrowed to the least powerful permission on the path.

Actions

Copy link

#10

Updated by Peter Amstutz almost 5 years ago

Status changed from New to In Progress

Actions

Copy link

#11

Updated by Tom Morris almost 5 years ago

Target version changed from 2019-07-03 Sprint to 2019-07-17 Sprint

To be investigated - does the group sync tool set things up the same way that workbench does?

Actions

Copy link

#12

Updated by Tom Morris almost 5 years ago

If I'm understanding it correctly, the current model seems wrong to me. I expect the rights to manage a group to be orthogonal to the rights that membership in a group grants me. The rights that I have to an object should be the union of my individual rights plus the rights of all groups of which I'm a member. Granting a group member manage access to the group itself, just so that they're able to exercise their right to manage objects shared with the group, allows them to change membership of the group, which seems highly undesirable.

Permissions should be based on group membership, not access to the group.

Actions

Copy link

#13

Updated by Tom Morris almost 5 years ago

Status changed from In Progress to New
Assigned To deleted (~~Peter Amstutz~~)
Target version changed from 2019-07-17 Sprint to To Be Groomed

Actions

Copy link

#14

Updated by Tom Morris over 4 years ago

Description updated (diff)

Actions

Copy link

#15

Updated by Tom Morris over 4 years ago

Tracker changed from Bug to Idea
Subject changed from manage permission doesn't work for group members? to Revise group permissions to separate them from permissions on managed objects
Description updated (diff)

Actions

Copy link

#16

Updated by Peter Amstutz over 4 years ago

Proposal:

Permission links separately express "access to record immediate" and "transitive access through record"

Access levels¶

0 - None
1 - View ("metadata only", for collections this means manifest does not have permission signatures)
2 - Read
3 - Write
4 - Manage

Viewer: "View_None"

User can see the group record (name, description) but not gain any access through the group. "View" access does not grant access to the link records that point to the group, so the client cannot access the user list.

Viewer+: "Read_None"

"Read" access to a record also confers permission to query links that point to the record. This allows the client to get the list of permission links that grant access to this group. (This would allow the client to get a list of user uuids but not actually grant access to the user records, this might be fine if the user has access to the "All Users" group).

Administrator: "Manage_Manage"

"Manage" grants the ability to edit the record, and also create/update permission links that target the record. Grants at most "manage" permission to anything accessible through the group.

Member: "Read_Manage"

"Read" grants ability to read the record, and see permission links pointing to the record. Grants at most "manage" permission to anything accessible through the group.

Traversing the graph¶

Normal member¶

Membership is defined as having any permission link with tail_uuid of the user and head_uuid of the group.

start at user A

has "Read_Manage" for group B

group B has "Read_Read" for project C

project C owns collection D (this is Manage_Manage)

Traverse A->B, current[traversal] = Manage
1. Compute min(current[traversal], A->B[record access]) = min(Manage, Read) = Read, access level for B is 'Read'
2. Compute min(current[traversal], A->B[traversal]) = min(Manage, Manage) and update current[traversal] = Manage
Traverse B->C, current[traversal] = Manage
1. Compute min(current[traversal], B->C[record access]) = min(Manage, Read) = Read, access level for C is 'Read'
2. Compute min(current[traversal], B->C[traversal]) = min(Manage, Read) and update current[traversal] = Read
Traverse C->D, current[traversal] = Read
1. Compute min(current[traversal], C->D[record access]) = min(Read, Manage) = Read, access level for D is 'Read'
2. Compute min(current[traversal], B->C[traversal]) = min(Read, Manage) and update current[traversal] = Read

Group admin¶

has "Manage_Manage" for group B

Traverse A->B, current[traversal] = Manage
1. Compute min(current[traversal], A->B[record access]) = min(Manage, Manage) = Read, access level for B is 'Manage'
2. Compute min(current[traversal], A->B[traversal]) = min(Manage, Manage) and update current[traversal] = Manage

Migration¶

can_manage turns into Manage_Manage
can_write turns into Write_Write when head_uuid is a project and Read_Manage when head_uuid is a user group
can_read turns into Read_Read unless head_uuid is a user, then it is "View_None"

Actions

Copy link

#17

Updated by Peter Amstutz over 4 years ago

Could add a special case "if group is readable, and permission link exists group->user, then 'user' is viewable"

Actions

Copy link

#18

Updated by Peter Amstutz over 4 years ago

Might be worth considering how our permission system might interact with the GA4GH Data Use Ontology

https://www.ga4gh.org/news/data-use-ontology-approved-as-a-ga4gh-technical-standard/

Actions

Copy link

#19

Updated by Tom Clegg over 4 years ago

Group permission type	detail	current	future
(non-group target)	target is visible	can_read	can_read
(Project) viewer	project+children+grandchildren are visible	can_read	can_read
(Project) collaborator	project+children+grandchildren are writable	can_write	can_write
Viewer	group is visible	(n/a)	can_read
Viewer+	group membership list is visible (implies viewer)	(n/a)	can_list_members
Member	permissions on other objects via group (implies viewer, but not viewer+)	(n/a)	can_use_permissions
Member+	permissions on other objects via group (implies viewer+)	(n/a)	can_use_permissions + can_list_members
Administrator	can add/remove members and viewers (implies member and viewer+)	can_manage→, ←can_read	can_use_permissions + can_manage
Administrator-	can add/remove members and viewers (without implying member)	(n/a)	can_manage

Notes

A "role" group's UUID cannot be used as an owner_uuid (IOW a non-project group can't have children)
A "project" group's UUID cannot be used as the tail_uuid of a permission link
A user UUID can be a target of a can_use_permission link -- this allows access to all of the user's permissions and home project tree
A group cannot have a group_class other than "role" or "project" (and group_class cannot be null)
A group can have a can_use_permissions link to another group; this graph is (still) traversed, so groups can be composed
A can_list_members link permits its subject (tail_uuid) to read all can_use_permissions links from other users/groups to the same head_uuid, as well as the member users/groups themselves
can_manage implies can_list_members

Migration/implementation

Obviously, update the materialized view of permissions and the "readable_by" query
Clients that (might) need to be updated: Workbench1, Workbench2, group-sync, login-sync, arv-mount (probably drop Workbench1's group admin feature entirely rather than update it)
Existing "Administrator" permissions convert to "Member+"
Existing group→user links (e.g., "all users" links) convert to "Member"
Existing project-sharing links (including read-only sharing, and sharing with role groups) can be left alone
Warn/error if a non-project group is used as any object's owner_uuid, or a project group is used as a permission link's tail_uuid
Update use of "all users" links in user activation code