SciCatProject/backend-v3

Question: how to use ownerGroup?

Closed this issue · 8 comments

Hi all!

We @rosalindfranklininstitute are still investigating how to use SciCat, and I now have an instance up and running using an OpenLDAP container to provide authentication and authorisation. I am also using the memberOf attribute to determine the accessGroups, which appears to work fine.

However, at this point I am confused about what to do with ownerGroup: how does it determine access? I can put in any value when uploading a new dataset and it doesn't seem to affect anything. Can users be added to such an ownerGroup? And if so, how does that work?

Thanks in advance!

Tom

Hi Tom,
the ownerGroup field contains the name of a group, for example a group named "p12345". Then all members of the group "p12345" (as defined in your LDAP) have access to all so-called "ownable" documents, like datasets, proposals etc., for which their ownerGroup field value is "p12345".

Thanks for the quick reply @stephan271

Follow-up question: what is the difference in capabilities between users that belong to the ownerGroup of the dataset versus those who get access through accessGroups membership? I assume the latter can do less?

Yes, accessGroups give read access to data, members of ownerGroup can also modify data. A good use case for accessGroups are the "functional" accounts, e.g. allowing instrument responsibles to access all data measured at a given instrument without the need to add the personal account of an instrument responsible to potentially thousands of ownerGroup values. This is useful both for automated ingests of data from an instrument as well as for statistical analysis of all data taken at a given instrument.

Thanks a lot. This was very useful!

Hey Stephan,

I got the ownerGroup/accessGroups stuff working now. The only thing that surprises me is that users that can see a dataset through accessGroups membership seem to have the same UI as those who are part of the ownerGroup. In fact accessGroups members appear to be able to add metadata, which is strange to me given that they are supposed to have read-only access.

Any thoughts?

Thanks,

Tom

I need to have a closer look at this and will come back to you.

You correctly pointed to a problem here - thanks for that. It turned out that the modify access rights prevention was not implemented yet. A merge request is pending which should fix this issue.

The GUI is however not yet aware of all access rights limitations, therefore it may very well show edit options, even if they are not allowed (the edit will then fail at the backend side).
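The access model described in this thread (ownerGroup grants read and modify, accessGroups grant read only, and the backend must enforce the modify restriction regardless of what the GUI offers), as an added illustration that is not SciCat's own code. The helper functions, the `instr-xyz` functional account and the sample datasets are constructed assumptions; only the field names ownerGroup and accessGroups come from the thread.

```javascript
'use strict';

// A user's groups are assumed to come from the LDAP memberOf attribute,
// as in the thread. Documents carry ownerGroup (a single group name) and
// accessGroups (a list of group names).

// Read access: member of the ownerGroup, or of any group in accessGroups.
function canRead(userGroups, doc) {
  const groups = new Set(userGroups);
  if (groups.has(doc.ownerGroup)) return true;
  return (doc.accessGroups || []).some((g) => groups.has(g));
}

// Modify access: ownerGroup membership only; accessGroups never grant it.
function canModify(userGroups, doc) {
  return new Set(userGroups).has(doc.ownerGroup);
}

// Server-side gate for a metadata edit. It runs on every request, so a
// read-only accessGroups member is rejected even if the GUI showed an edit
// button. Returns a new document rather than mutating the stored one.
function applyMetadataUpdate(userGroups, doc, patch) {
  if (!canModify(userGroups, doc)) {
    return { ok: false, status: 403, reason: 'ownerGroup membership required' };
  }
  const scientificMetadata = { ...doc.scientificMetadata, ...patch };
  return { ok: true, status: 200, doc: { ...doc, scientificMetadata } };
}

// Constructed sample data: two datasets from the same instrument, owned by
// two different proposal groups, both readable by the instrument account.
const datasets = [
  { pid: 'ds-1', ownerGroup: 'p12345', accessGroups: ['instr-xyz'], scientificMetadata: {} },
  { pid: 'ds-2', ownerGroup: 'p67890', accessGroups: ['instr-xyz'], scientificMetadata: {} },
];
const proposalUser = ['p12345'];         // personal account in one proposal group
const instrumentAccount = ['instr-xyz']; // functional account, listed in accessGroups only

// Which datasets a given set of groups may read (the "list all data taken
// at this instrument" use case from the thread).
function listReadable(userGroups) {
  return datasets.filter((d) => canRead(userGroups, d)).map((d) => d.pid);
}
```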

Thanks Stephan!