Groups, Projects, Ownership and Permissions Specification¶

• There are three levels of permission, "can_read", "can_write", and "can_manage".
  • "can_read" grants read-only access to the record
  • "can_write" permits changes to content (but not metadata) fields of the record. "can_write" also implies "can_read"
  • "can_manage" permits the user to create permission links with head_uuid set to this object. "can_manage" also implies "can_write" and "can_read"
• All Arvados objects have an owner_uuid field. Valid uuid types for owner_uuid are "User" or "Group".
• If the owner_uuid of an object is a User, that User has can_manage" permission on that object.
• If owner_uuid of an object is a Group, then that object is a member of that group.
• A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench.