Feature #18277
Updated by Peter Amstutz about 3 years ago
Need to be able to share with groups without having full read access to the group.

Ideas: Need to do one of:

# -New type of permission link that grants ability to see a group without traversing it-
# Config option to make all 'role' groups visible without traversing them

Option 2 is simpler, but will require introducing a special case into the permission checks.

-Option 1 could possibly be used to generalize the annoying special case of read access on users (unlike groups, can_read on a user implies seeing the user but not traversing them).-

From discussion on Nov 23: Consensus to do the easier solution (option 2).

Proposal:

New configuration option @RoleGroupsVisibleToAll@

When enabled, all Users are permitted to see role groups and share things with them.

Default value true, based on feedback, this is how users generally expect the system to work.

Does not prevent us from supporting a complex multi-tenant case (using option 1) in the future -- config option can be turned off.

Will be implemented by making role groups a special case within @ArvadosModel#readable_by@.
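The distinction the proposal relies on, seeing a role group versus traversing it, is shown below as an added example. It is a simplified model and not Arvados code: the class, method and sample names are hypothetical, and @RoleGroupsVisibleToAll@ is modelled as a plain boolean.

```ruby
require 'set'

# Simplified model for illustration; not Arvados code. All names are hypothetical
# except the RoleGroupsVisibleToAll option, modelled here as a boolean.
Group = Struct.new(:uuid, :group_class)  # group_class: 'role' or 'project'
Link  = Struct.new(:tail, :head)         # can_read: tail may read head

class PermissionModel
  def initialize(groups, links, role_groups_visible_to_all:)
    @groups = groups.to_h { |g| [g.uuid, g] }
    @links = links
    @role_groups_visible_to_all = role_groups_visible_to_all
  end

  # Objects reachable from the user by following can_read links through groups.
  def traversable_by(user)
    seen = Set.new
    queue = [user]
    until queue.empty?
      tail = queue.shift
      @links.each do |l|
        next unless l.tail == tail && seen.add?(l.head)
        queue << l.head if @groups.key?(l.head)  # only groups are traversed
      end
    end
    seen
  end

  # Groups the user can see, and therefore name as a sharing target.
  def visible_groups(user)
    reachable = traversable_by(user)
    @groups.values.select { |g|
      reachable.include?(g.uuid) ||
        (@role_groups_visible_to_all && g.group_class == 'role')
    }.map(&:uuid).sort
  end

  # Visibility of a role group never implies read access to what it can read.
  def can_read?(user, uuid)
    traversable_by(user).include?(uuid)
  end
end

# Constructed sample data: alice is in role group lab-a, which can read proj-x.
SAMPLE_GROUPS = [Group.new('lab-a', 'role'), Group.new('proj-x', 'project')]
SAMPLE_LINKS  = [Link.new('alice', 'lab-a'), Link.new('lab-a', 'proj-x')]

def model(flag)
  PermissionModel.new(SAMPLE_GROUPS, SAMPLE_LINKS, role_groups_visible_to_all: flag)
end
```

With the option on, a user with no links (bob in the sample data) can see @lab-a@ and share with it but still cannot read @proj-x@; with it off, bob sees no groups at all.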