Authorization in the Repository Service
Resources, Users and Groups
Requests to the repository service (RS) involve creating, retrieving, changing, deleting or sharing resources.
...
SHARE – permission to add or remove any kind of access to the resource to any user group.
(Other useful access types might include DOWNLOAD, REVISE or EXECUTE.)
RS has the following system generated groups:
...
User Groups – Each user belongs to a group named after them, having them as the sole member, and to which they have READ access. Access to a resource can be granted to an individual by adding the resource to their individual group.
System Behavior
Those in the administrative group have full access to all resources.
...
By default READ access to users and user groups is public.
API
Properties of DAOs in general:
CRUD requests may through UnauthorizedException. Query requests do not throw this exception, but omit results to which the user does not have READ access.
Additionally, each DAO has a 'hasAccess' method which, given a resource and access type, says whether the user (or Public, if anonymous) has the specified permission.
User Group DAO requests:
- standard CRUD
...
- add/remove/get resources in the group, given an access type
Examples
Anonymous Access
User | Request | Result |
|---|---|---|
anonymous | get all Datasets | the list of Datasets to which the Public has READ access |
Resource Creation
User | Request | Result |
|---|---|---|
Alice (non-admin) | create group "MyGroup" | MyGroup is created. |
Alice (non-admin) | create Dataset "DS-11 " | UnauthorizedException |
admin | create group "Curators" | Curators is created. |
admin | add Dataset creation authority to Curators | Curators is updated. |
admin | add Alice to Curators | Curators is updated. |
Alice | create Dataset "DS-1 " | DS-1 is created. |
Publication
User | Request | Result |
|---|---|---|
Curator | create Dataset "DS-1" | DS-1 is created. |
Curator | share DS-1 with FederationGroup, with READ/CHANGE/SHARE access | DS-1 is shared. |
Alice (generic user) | get all Datasets | list of datasets returned, omitting DS-1 |
Federation Member | share DS-1 with Public, with READ access | DS-1 is published. |
Alice (generic user) | get all Datasets | list of datasets returned, including DS-1 |
Separate Permissions for Meta-Data and Content
User | Request | Result |
|---|---|---|
Curator | Create DS-1 | DS-1 is created. |
Curator | share DS-1 with Public, READ access | DS-1 is shared. |
Curator | share DS-1 with FederationGroup, DOWNLOAD access | DS-1 is shared. |
anonymous | get all Datasets | list of datasets returned, including DS-1 |
anonymous | download DS-1 | UnauthorizedException |
Federation Member | download DS-1 | DS-1 is downloaded |
Create Administrator
User | Request | Result |
|---|---|---|
admin | Add Bob to group "Administrators" | Bob now has full administrative rights. |
Notes
We don't differentiate Public/anonymous from Public/logged-in.