Groups Projects Ownership and Permissions Specification » History » Revision 3
Revision 2 (Peter Amstutz, 08/06/2014 09:36 PM) → Revision 3/28 (Peter Amstutz, 08/06/2014 09:50 PM)
h1. Groups, Projects, Ownership and Permissions Specification h2. Permissions * There are three levels of permission, *can_read*, *can_write*, and *can_manage*. ** *can_read* grants read-only access to the record ** *can_write* permits changes to content (but not metadata) fields of the record. *can_write* also implies *can_read* ** *can_manage* permits the user to create permission links with @head_uuid@ set to this object. *can_manage* also implies *can_write* and *can_read* h2. Ownership * All Arvados objects have an @owner_uuid@ field. Valid uuid types for @owner_uuid@ are "User" or "Group". * If the @owner_uuid@ of an object is a User, that User has *can_manage* permission on that object. * If @owner_uuid@ of an object is a Group, then that object is a member of that group, and should be displayed as being contained within the owner Group. group. ** * A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench. h2. Permission links * A link object with @link_class@ "permission", @name@ one of *can_read*, *can_write* or *can_manage*, @head_uuid@ of some Arvados object, and @tail_uuid@ of an User or Group, grants the named permission for @head_uuid@ to @tail_uuid@. h2. Transitive permissions * If a User *can_read* Group A, and Group A *can_read* group B, then User *can_read* Group B. * Permissions are narrowed. ** If User *can_write* Group A, and Group A *can_read* Group B, then User *can_read* Group B. ** If User *can_read* Group A, and Group A *can_write* Group B, then User *can_read* Group B.