Groups, Projects, Ownership and Permissions Specification » History » Revision 4/28
Peter Amstutz, 08/06/2014 10:43 PM


Groups, Projects, Ownership and Permissions Specification

Permissions

  • There are three levels of permission: can_read, can_write, and can_manage.
    • can_read grants read-only access to the record.
    • can_write permits changes to the content fields (but not the metadata fields) of the record. can_write also implies can_read.
    • can_manage permits the user to create permission links with head_uuid set to this object. can_manage also implies can_write and can_read.

If a user does not have at least can_read permission, the user is forbidden from

Ownership

  • All Arvados objects have an owner_uuid field. Valid uuid types for owner_uuid are "User" or "Group".
  • The User or Group specified by owner_uuid has can_manage permission on that object.
  • If owner_uuid of an object is a Group, then that object is a member of that group, and should be displayed as being contained within the owner Group.
    • A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench.

Permission links

A link object with

  • link_class "permission"
  • name one of can_read, can_write or can_manage
  • head_uuid of some Arvados object
  • tail_uuid of a User or Group

grants the permission given by name to tail_uuid on head_uuid.

Transitive permissions

  • If a User can_read Group A, and Group A can_read Group B, then the User can_read Group B.
  • Permissions are narrowed to the least powerful permission on the path.
    • If User can_write Group A, and Group A can_read Group B, then User can_read Group B.
    • If User can_read Group A, and Group A can_write Group B, then User can_read Group B.
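The rules above (ownership implies can_manage, permission links grant their name, transitive permissions narrowed to the weakest link on the path, strongest path wins) can be modelled as a graph search. The following is an added example, not Arvados code: object uuids, owners and links are constructed sample data, and a User or Group is assumed to hold can_manage on itself as the starting point of the search.

```python
from collections import deque

# Permission levels in increasing strength; a higher level implies the lower ones.
LEVELS = {"can_read": 1, "can_write": 2, "can_manage": 3}
NAMES = {v: k for k, v in LEVELS.items()}

def effective_permission(principal, target, owners, links):
    """Strongest permission `principal` (a User or Group uuid) holds on `target`,
    as a name, or None.  `owners` maps object uuid -> owner_uuid; `links` is a
    list of (tail_uuid, name, head_uuid) permission links."""
    edges = {}
    # Ownership: the owner has can_manage on the owned object.
    for obj, owner in owners.items():
        edges.setdefault(owner, []).append((obj, LEVELS["can_manage"]))
    # Permission links: tail_uuid gets `name` on head_uuid.
    for tail, name, head in links:
        edges.setdefault(tail, []).append((head, LEVELS[name]))
    # best[node]: strongest level reachable (min along a path, max over paths).
    best = {principal: LEVELS["can_manage"]}  # assumption: full control of self
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for nxt, level in edges.get(node, []):
            candidate = min(best[node], level)  # narrow to the weakest link
            if candidate > best.get(nxt, 0):    # only revisit on improvement
                best[nxt] = candidate
                queue.append(nxt)
    return NAMES.get(best.get(target, 0))

def has_permission(principal, name, target, owners, links):
    """True if the effective permission is at least `name` (implication rule)."""
    eff = effective_permission(principal, target, owners, links)
    return eff is not None and LEVELS[eff] >= LEVELS[name]

# Constructed sample data: admin owns group-a, which owns project-b, which owns
# collection-1; group-a additionally has a can_read link to group-c, owner of doc-1.
OWNERS = {"group-a": "user-admin", "project-b": "group-a",
          "collection-1": "project-b", "doc-1": "group-c"}
LINKS = [("user-alice", "can_write", "group-a"),
         ("user-bob", "can_read", "project-b"),
         ("group-a", "can_read", "group-c")]

if __name__ == "__main__":
    for who, what in [("user-alice", "collection-1"), ("user-alice", "doc-1"),
                      ("user-bob", "collection-1"), ("user-bob", "group-a")]:
        print(who, what, effective_permission(who, what, OWNERS, LINKS))
```

Alice reaches collection-1 through a can_write link and two ownership edges, so she ends up with can_write; the same can_write path narrowed by the can_read link to group-c leaves her only can_read on doc-1.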
