...
Administrators – Members of this group have full access to all resources. The user “admin’ is a member of this group.
User Individual Groups – Each user belongs to a group named after them, having them as the sole member, and to which they have READ access. Access to a resource can be granted to an individual by adding the resource to their individual group.
comment: May be useful to have a 'service' group (something like an admin group), with broad rights needed for services operating through the DAO layer.
System Behavior
Those in the administrative group have full access to all resources.
...
User | Request | Result |
|---|---|---|
Alice (non-admin) | create group "MyGroup" | MyGroup is created. |
Alice (non-admin) | create Dataset "DS-1 1 " | UnauthorizedException |
admin | create group "Curators" | Curators is created. |
admin | add Dataset creation authority to Curators | Curators is updated. |
admin | add Alice to Curators | Curators is updated. |
Alice | create Dataset "DS-1 1 " | DS-1 1 is created. |
Publication
User | Request | Result |
|---|---|---|
Curator | create Dataset "DS-11 " | DS-1 1 is created. |
Curator | share DS-1 1 with FederationGroup, with READ/CHANGE/SHARE access | DS-1 1 is shared. |
Alice Bob (generic user) | get all Datasets | list of datasets returned, omitting DS-11 |
Federation Member | share DS-1 1 with Public, with READ access | DS-1 1 is published. |
Alice Bob (generic user) | get all Datasets | list of datasets returned, including DS-1 1 |
Separate Permissions for Meta-Data and Content
User | Request | Result |
|---|---|---|
Curator | Create DS-11 | DS-1 1 is created. |
Curator | share DS-1 1 with Public, READ access | DS-1 1 is shared. |
Curator | share DS-1 1 with FederationGroup, DOWNLOAD access | DS-1 1 is shared. |
anonymous | get all Datasets | list of datasets returned, including DS-1 1 |
anonymous | download DS-11 | UnauthorizedException |
Federation Member | download DS-1 1 | DS-1 1 is downloaded |
Create Administrator
User | Request | Result |
|---|---|---|
admin | Add Bob Carol to group "Administrators" | Bob Carol now has full administrative rights. |
Notes / Open Questions
Should permissions be inherited by a resource's components and revisions, or should they be controlled independently? (Or should there be a hybrid: The permissions could be inherited initially, then subject to change.)
comment: Keep it simple by avoid separate permissions for components.
We don't differentiate Public/anonymous from Public/logged-in, i.e. to say "anyone can access this resource, but only if they are logged in."