...

For more information on the use cases please see: AR Bypass for Data Contributors /wiki/spaces/GI/pages/2946695193.

Download Authorization Mechanisms

...

This rule works by first finding the ACL that controls the Entity to be downloaded. An ACL can be bound directly to an Entity, or to any Entity in its hierarchy, such as parent/grandparent folders, all the way up to the containing project. An Entity is controlled by the first ACL found in its hierarchy. Once the controlling ACL is found, it is checked to determine if at least one of the user’s principal IDs has been granted the download permission.

...

To determine if a user is “exempt” on an AR, a check will be made to determine if at least one of the user’s principals has been granted the EXEMPTION_ELIGIBLE permission on the AR’s ACL, plus one of the user’s principals must be granted one or more permissions on the Entity’s ACL that identify the user as a Data Contributor. Unless both conditions are met, the user will not be considered “exempt”. In short, a user must be both eligible for exemption (via ACT) and must be a Data Contributor (via Data Administrator) to be exempt from an AR on a per-file basis.

Note: We have settled on Data Contributor status being identified by a user having been granted both the EDIT and DELETE permissions on a file.

Exemption Eligible Team

Given that a single project might have many ARs, it would be laborious for ACT to add/remove individual eligible users on each AR over the course of a project’s lifecycle. In fact, this might be just as much work, for all users, as the existing system of granting “dummy” submissions. Instead, it would be more convenient for ACT to create a reusable team of eligible individuals. The team would then be granted the EXEMPTION_ELIGIBLE permission on each AR in the project. ACT would then add/remove users from the team over the course of the project’s lifecycle.
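The checks described above, as an added Python sketch that is not the project's own code: the controlling-ACL lookup, the two-part exemption test, and one reusable team granted EXEMPTION_ELIGIBLE on every AR. The entity model, the principal names, the fail-closed default, the combining of permissions across a user's principals, and the rule that every AR must be either approved or exempted are assumptions made for illustration.

```python
from dataclasses import dataclass

DOWNLOAD, EDIT, DELETE = "DOWNLOAD", "EDIT", "DELETE"
EXEMPTION_ELIGIBLE = "EXEMPTION_ELIGIBLE"

@dataclass
class Entity:
    name: str
    parent: "Entity | None" = None
    acl: "dict | None" = None   # principal ID -> set of permissions

def controlling_acl(entity):
    """Walk up the hierarchy; the first ACL found controls the entity."""
    while entity is not None:
        if entity.acl is not None:
            return entity.acl
        entity = entity.parent
    return {}   # assumption: no ACL anywhere grants nothing (fail closed)

def granted(acl, principals):
    """Permissions the ACL grants to at least one of the user's principals."""
    return set().union(*(acl.get(p, set()) for p in principals))

def is_exempt(entity, ar_acl, principals):
    """Both conditions must hold: eligible on the AR, contributor on the file."""
    eligible = EXEMPTION_ELIGIBLE in granted(ar_acl, principals)
    contributor = {EDIT, DELETE} <= granted(controlling_acl(entity), principals)
    return eligible and contributor

def can_download(entity, ar_acls, approved, principals):
    """Assumption: every AR must be either approved for the user or exempted."""
    if DOWNLOAD not in granted(controlling_acl(entity), principals):
        return False
    return all(ar in approved or is_exempt(entity, acl, principals)
               for ar, acl in ar_acls.items())

# Constructed sample data: one project, two ARs, one reusable eligible team.
project = Entity("project", acl={"team:contributors": {DOWNLOAD, EDIT, DELETE},
                                 "team:readers": {DOWNLOAD}})
folder = Entity("folder", parent=project)      # no ACL of its own
inherited = Entity("a.csv", parent=folder)     # controlled by the project ACL
locked = Entity("b.csv", parent=folder,        # local ACL shadows the project ACL
                acl={"team:readers": {DOWNLOAD}, "team:contributors": {DOWNLOAD}})
AR_ACLS = {"ar-1": {"team:exempt": {EXEMPTION_ELIGIBLE}},
           "ar-2": {"team:exempt": {EXEMPTION_ELIGIBLE}}}

contributor = {"user:1", "team:contributors", "team:exempt"}
eligible_only = {"user:2", "team:readers", "team:exempt"}
not_on_team = {"user:3", "team:contributors"}
```

The `locked` file shows the case worth reviewing in any real deployment: a local ACL replaces the inherited one, so a project-level contributor loses the exemption on that file unless the local ACL also grants EDIT and DELETE.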

...