...
User | Request | Result |
|---|---|---|
Alice (non-admin) | create group "MyGroup" | MyGroup is created. |
Alice (non-admin) | create Dataset "DS-1 1 " | UnauthorizedException |
admin | create group "Curators" | Curators is created. |
admin | add Dataset creation authority to Curators | Curators is updated. |
admin | add Alice to Curators | Curators is updated. |
Alice | create Dataset "DS-1 1 " | DS-1 1 is created. |
Publication
User | Request | Result |
|---|---|---|
Curator | create Dataset "DS-11 " | DS-1 1 is created. |
Curator | share DS-1 1 with FederationGroup, with READ/CHANGE/SHARE access | DS-1 1 is shared. |
Alice (generic user) | get all Datasets | list of datasets returned, omitting DS-11 |
Federation Member | share DS-1 1 with Public, with READ access | DS-1 1 is published. |
Alice (generic user) | get all Datasets | list of datasets returned, including DS-1 1 |
Separate Permissions for Meta-Data and Content
User | Request | Result |
|---|---|---|
Curator | Create DS-11 | DS-1 1 is created. |
Curator | share DS-1 1 with Public, READ access | DS-1 1 is shared. |
Curator | share DS-1 1 with FederationGroup, DOWNLOAD access | DS-1 1 is shared. |
anonymous | get all Datasets | list of datasets returned, including DS-1 1 |
anonymous | download DS-11 | UnauthorizedException |
Federation Member | download DS-1 1 | DS-1 1 is downloaded |
Create Administrator
User | Request | Result |
|---|---|---|
admin | Add Bob to group "Administrators" | Bob now has full administrative rights. |
Notes / Open Questions
Should permissions be inherited by a resource's components and revisions, or should they be controlled independently? (Or should there be a hybrid: The permissions could be inherited initially, then subject to change.)
We don't differentiate Public/anonymous from Public/logged-in, i.e. to say "anyone can access this resource, but only if they are logged in."