Groups, Projects, Ownership and Permissions Specification¶

• There are three levels of permission, can_read, can_write, and can_manage.
  • can_read grants read-only access to the record
  • can_write permits changes to content (but not metadata) fields of the record. can_write also implies can_read
  • can_manage permits the user to create permission links with head_uuid set to this object. can_manage also implies can_write and can_read
• All Arvados objects have an owner_uuid field. Valid uuid types for owner_uuid are "User" or "Group".
• If the owner_uuid of an object is a User, that User has can_manage permission on that object.
• If owner_uuid of an object is a Group, then that object is a member of that group.
• A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench.