Project

General

Profile

Groups Projects Ownership and Permissions Specification » History » Version 4

Peter Amstutz, 08/06/2014 10:43 PM

1 1 Peter Amstutz
h1. Groups, Projects, Ownership and Permissions Specification
2
3 3 Peter Amstutz
h2. Permissions
4
5 2 Peter Amstutz
* There are three levels of permission, *can_read*, *can_write*, and *can_manage*.
6
** *can_read* grants read-only access to the record
7
** *can_write* permits changes to content (but not metadata) fields of the record.  *can_write* also implies *can_read*
8
** *can_manage* permits the user to create permission links with @head_uuid@ set to this object.  *can_manage* also implies *can_write* and *can_read*
9 3 Peter Amstutz
10 4 Peter Amstutz
If a user does not have at least *can_read* permission, the user is forbidden from 
11
12 3 Peter Amstutz
h2. Ownership
13 1 Peter Amstutz
14
* All Arvados objects have an @owner_uuid@ field.  Valid uuid types for @owner_uuid@ are "User" or "Group".
15 4 Peter Amstutz
* The User or Group specified by @owner_uuid@ has *can_manage* permission on that object.
16 3 Peter Amstutz
* If @owner_uuid@ of an object is a Group, then that object is a member of that group, and should be displayed as being contained within the owner Group.
17
** A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench.  
18
19 1 Peter Amstutz
h2. Permission links
20 3 Peter Amstutz
21 4 Peter Amstutz
A link object with
22 1 Peter Amstutz
23 4 Peter Amstutz
* @link_class@ "permission"
24
* @name@ one of *can_read*, *can_write* or *can_manage*
25
* @head_uuid@ of some Arvados object
26
* @tail_uuid@ of an User or Group
27
28
grants the @name@ permission for @tail_uuid@ accessing @head_uuid@
29
30 1 Peter Amstutz
h2. Transitive permissions
31 3 Peter Amstutz
32
* If a User *can_read* Group A, and Group A *can_read* group B, then User *can_read* Group B.
33 4 Peter Amstutz
* Permissions are narrowed to the least powerful permission on the path.
34 3 Peter Amstutz
** If User *can_write* Group A, and Group A *can_read* Group B, then User *can_read* Group B.
35
** If User *can_read* Group A, and Group A *can_write* Group B, then User *can_read* Group B.