Groups Projects Ownership and Permissions Specification » History » Revision 5/28
Peter Amstutz, 08/06/2014 10:49 PM
Groups, Projects, Ownership and Permissions Specification
Permissions
- There are three levels of permission: can_read, can_write, and can_manage.
- can_read grants read-only access to the record.
- can_write permits changes to content (but not metadata) fields of the record. can_write also implies can_read.
- can_manage permits the user to create permission links with head_uuid set to this object. can_manage also implies can_write and can_read.
If a user does not have at least can_read permission, the user is forbidden from
Ownership
- All Arvados objects have an owner_uuid field. Valid uuid types for owner_uuid are "User" or "Group".
- The User or Group specified by owner_uuid has can_manage permission on that object.
- If owner_uuid of an object is a Group, then that object is a member of that group, and should be displayed as being contained within the owner Group.
- A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench.
Questions
Moving an object from Group A to Group B implies changing the owner_uuid field from Group A to Group B.
- What permission is required on the object itself to change the owner_uuid field?
- What permission is required on Group A to change the object's owner_uuid field so it no longer points to Group A? This logically removes the object from Group A.
- What permission is required on Project B to set the object's owner_uuid field to Group B? This logically adds the object to Group B.
Permission links
A link object with
- link_class "permission"
- name one of can_read, can_write or can_manage
- head_uuid of some Arvados object
- tail_uuid of a User or Group
grants the name permission for tail_uuid accessing head_uuid.
Transitive permissions
- If a User can_read Group A, and Group A can_read Group B, then User can_read Group B.
- Permissions are narrowed to the least powerful permission on the path.
- If User can_write Group A, and Group A can_read Group B, then User can_read Group B.
- If User can_read Group A, and Group A can_write Group B, then User can_read Group B.
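The following is an added example, not Arvados code, that evaluates the rules on this page: owner_uuid grants can_manage, permission links grant their named level, permissions chain through Groups, and each path is narrowed to its weakest link while the strongest path wins. The record layout (a "type" and "owner_uuid" per object, link dicts with link_class/name/head_uuid/tail_uuid) and all uuids are constructed for the example.

```python
from collections import deque

LEVELS = {"can_read": 1, "can_write": 2, "can_manage": 3}  # can_manage implies can_write implies can_read
NAMES = {v: k for k, v in LEVELS.items()}

def build_edges(objects, links):
    """Map tail uuid -> [(head uuid, level)] from owner_uuid fields and permission links."""
    edges = {}
    for uuid, obj in objects.items():
        # The owner (a User or Group) has can_manage on the object it owns.
        edges.setdefault(obj["owner_uuid"], []).append((uuid, LEVELS["can_manage"]))
    for link in links:
        if link["link_class"] == "permission":
            edges.setdefault(link["tail_uuid"], []).append((link["head_uuid"], LEVELS[link["name"]]))
    return edges

def effective_permission(user_uuid, target_uuid, objects, links):
    """Strongest permission user_uuid holds on target_uuid, or None if there is no path.

    Only Groups pass their permissions on (the Group A -> Group B rule above); a
    path is narrowed to its least powerful permission, and the best path wins.
    """
    edges = build_edges(objects, links)
    best = {user_uuid: LEVELS["can_manage"]}  # best level reached at each node so far
    queue = deque([user_uuid])
    while queue:
        node = queue.popleft()
        for head, level in edges.get(node, []):
            narrowed = min(best[node], level)  # least powerful permission on this path
            if narrowed > best.get(head, 0):
                best[head] = narrowed
                if objects.get(head, {}).get("type") == "Group":
                    queue.append(head)  # Groups are transitive; other objects are leaves
    return NAMES.get(best.get(target_uuid))

# Constructed sample records (not real Arvados data).
OBJECTS = {
    "group-a": {"type": "Group", "owner_uuid": "user-2"},
    "group-b": {"type": "Group", "owner_uuid": "user-4"},
    "obj-1": {"type": "Collection", "owner_uuid": "group-b"},
    "obj-2": {"type": "Collection", "owner_uuid": "group-b"},
}
LINKS = [
    {"link_class": "permission", "name": "can_write", "tail_uuid": "user-1", "head_uuid": "group-a"},
    {"link_class": "permission", "name": "can_read", "tail_uuid": "group-a", "head_uuid": "group-b"},
    {"link_class": "permission", "name": "can_manage", "tail_uuid": "user-1", "head_uuid": "obj-2"},
]

if __name__ == "__main__":
    for user, target in [("user-1", "obj-1"), ("user-1", "obj-2"), ("user-2", "obj-1"), ("user-3", "obj-1")]:
        print(user, target, effective_permission(user, target, OBJECTS, LINKS))
```

user-1 reaches obj-1 only through group-a (can_write) and group-b (can_read), so the result is can_read, while the direct can_manage link on obj-2 outranks that weaker path.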
Updated by Peter Amstutz over 10 years ago · 28 revisions