Datasets Authorization

Datasets authorisation relies on groups defined in the configuration file for the backend:

| Configuration Group List | Description |
| --- | --- |
| ADMIN_GROUPS | Users of the listed groups can create, read, modify, and delete any dataset. |
| DELETE_GROUPS | Users of the listed groups can delete any dataset. |
| CREATE_DATASET_GROUPS | Users of the listed groups can create and modify datasets for any of the groups they belong to. At creation time, the system assigns a pid to the new datasets. If the user assigns one, the system will ignore it. |
| CREATE_DATASET_WITH_PID_GROUPS | Users of the listed groups can create and modify datasets for any of the groups they belong to. They are allowed to specify the dataset pid. If they decide not to specify a pid, the system will assign one. |
| CREATE_DATASET_PRIVILEGED_GROUPS | Users of the listed groups can create datasets for any group, but can only modify datasets belonging to one of the groups they belong to. They are allowed to specify pids for new datasets. This setting is suggested for ingestion functional accounts. |
| UPDATE_DATASET_LIFECYCLE_GROUPS | Users of the listed groups can update the lifecycle state fields of a dataset. Authenticated users not in this group (and not in ADMIN_GROUPS) cannot modify lifecycle fields. |

CASL ability actions

These are the permission actions available for datasets: the endpoint-level actions that cover all dataset endpoints, and the more fine-grained instance-level actions.

Endpoint authorization

  1. DatasetCreate
  2. DatasetRead
  3. DatasetUpdate
  4. DatasetDelete
  5. DatasetAttachmentCreate
  6. DatasetAttachmentRead
  7. DatasetAttachmentUpdate
  8. DatasetAttachmentDelete
  9. DatasetOrigdatablockCreate
  10. DatasetOrigdatablockRead
  11. DatasetOrigdatablockUpdate
  12. DatasetOrigdatablockDelete
  13. DatasetDatablockCreate
  14. DatasetDatablockRead
  15. DatasetDatablockUpdate
  16. DatasetDatablockDelete
  17. DatasetLogbookRead

Instance authorization

  1. DatasetCreateOwnerNoPid
  2. DatasetCreateOwnerWithPid
  3. DatasetCreateAny
  4. DatasetReadManyPublic
  5. DatasetReadManyAccess
  6. DatasetReadManyOwner
  7. DatasetReadOnePublic
  8. DatasetReadOneAccess
  9. DatasetReadOneOwner
  10. DatasetReadAny
  11. DatasetUpdateOwner
  12. DatasetUpdateAny
  13. DatasetDeleteOwner
  14. DatasetDeleteAny
  15. DatasetAttachmentCreateOwner
  16. DatasetAttachmentCreateAny
  17. DatasetAttachmentReadPublic
  18. DatasetAttachmentReadAccess
  19. DatasetAttachmentReadOwner
  20. DatasetAttachmentReadAny
  21. DatasetAttachmentUpdateOwner
  22. DatasetAttachmentUpdateAny
  23. DatasetAttachmentDeleteOwner
  24. DatasetAttachmentDeleteAny
  25. DatasetOrigdatablockCreateOwner
  26. DatasetOrigdatablockCreateAny
  27. DatasetOrigdatablockReadPublic
  28. DatasetOrigdatablockReadAccess
  29. DatasetOrigdatablockReadOwner
  30. DatasetOrigdatablockReadAny
  31. DatasetOrigdatablockUpdateOwner
  32. DatasetOrigdatablockUpdateAny
  33. DatasetOrigdatablockDeleteAny
  34. DatasetDatablockCreateOwner
  35. DatasetDatablockCreateAny
  36. DatasetDatablockReadPublic
  37. DatasetDatablockReadAccess
  38. DatasetDatablockReadOwner
  39. DatasetDatablockReadAny
  40. DatasetDatablockUpdateOwner
  41. DatasetDatablockUpdateAny
  42. DatasetDatablockDeleteOwner
  43. DatasetDatablockDeleteAny
  44. DatasetLogbookReadOwner
  45. DatasetLogbookReadAny

Implementation

How the different levels of authorization translate into the data conditions applied by the backend:

  • Public
    • isPublished = true
  • Access (conditions are applied in logical OR)
    • isPublished = true
    • ownerGroup is one of the groups that the user belongs to
    • accessGroups includes one of the groups that the user belongs to
    • sharedWith contains the user's email
  • Owner
    • ownerGroup is one of the groups that the user belongs to
  • Any
    • User can perform the action on any dataset
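
The four levels above written out as code, as an added example that is not taken from the backend's source: `levelFilter` builds the query condition and `allows` applies the same rule to a single record. The field names are the page's; the types, function names, MongoDB-style operators and sample records are assumptions.

```typescript
// Added example, not the backend's own code. Field names come from the page;
// types, function names, Mongo-style operators and sample data are assumptions.
type Level = "Public" | "Access" | "Owner" | "Any";
interface AuthUser { email: string; groups: string[] }
interface DatasetDoc {
  pid: string; isPublished: boolean; ownerGroup: string;
  accessGroups: string[]; sharedWith: string[];
}

// Condition to AND onto whatever filter the caller supplied.
function levelFilter(level: Level, user?: AuthUser): Record<string, unknown> {
  // No authenticated user, or Public level: published data only (fails closed).
  if (!user || level === "Public") return { isPublished: true };
  const owner = { ownerGroup: { $in: user.groups } };
  if (level === "Owner") return owner;
  if (level === "Any") return {};
  return { $or: [ // Access: any single branch is sufficient
    { isPublished: true },
    owner,
    { accessGroups: { $in: user.groups } },
    { sharedWith: user.email },
  ] };
}

// The same rule evaluated on one record, for instance-level checks.
function allows(level: Level, ds: DatasetDoc, user?: AuthUser): boolean {
  if (!user || level === "Public") return ds.isPublished;
  if (level === "Any") return true;
  const groups = user.groups;
  const owner = groups.includes(ds.ownerGroup);
  if (level === "Owner") return owner;
  return ds.isPublished || owner ||
    ds.accessGroups.some((g) => groups.includes(g)) ||
    ds.sharedWith.includes(user.email);
}

// Constructed sample records.
const SAMPLE: DatasetDoc[] = [
  { pid: "p1", isPublished: true, ownerGroup: "g1", accessGroups: [], sharedWith: [] },
  { pid: "p2", isPublished: false, ownerGroup: "g1", accessGroups: ["g2"], sharedWith: [] },
  { pid: "p3", isPublished: false, ownerGroup: "g3", accessGroups: [], sharedWith: ["a@example.org"] },
  { pid: "p4", isPublished: false, ownerGroup: "g3", accessGroups: [], sharedWith: [] },
];

// pids visible to `user` at the given level.
function visible(level: Level, user?: AuthUser): string[] {
  return SAMPLE.filter((d) => allows(level, d, user)).map((d) => d.pid);
}
```

An empty group list produces `$in: []`, which matches nothing, so a user without groups falls back to the published and shared-with branches only.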

Priority

    DatasetCreate-->DatasetCreateOwnerNoPid;
    DatasetCreateOwnerNoPid-->DatasetCreateOwnerWithPid;
    DatasetCreateOwnerWithPid-->DatasetCreateAny;
    DatasetRead-->DatasetReadManyPublic;
    DatasetReadManyPublic-->DatasetReadManyAccess;
    DatasetReadManyAccess-->DatasetReadManyOwner;
    DatasetReadManyOwner-->DatasetReadAny;
    DatasetRead-->DatasetReadOnePublic;
    DatasetReadOnePublic-->DatasetReadOneAccess;
    DatasetReadOneAccess-->DatasetReadOneOwner;
    DatasetReadOneOwner-->DatasetReadAny;
    DatasetUpdate-->DatasetUpdateOwner;
    DatasetUpdateOwner-->DatasetUpdateAny;
    DatasetDelete-->DatasetDeleteOwner;
    DatasetDeleteOwner-->DatasetDeleteAny;
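
How the configuration group lists and the create priority chain combine for `POST Datasets`, as an added example that is not the backend's own code. It assumes the arrows run from least to most permissive; the group-list and action names are the page's, while the types, function names and configuration values are assumptions.

```typescript
// Added example, not the backend's own code. Group-list and action names come
// from the page; types, function names and config values are assumptions.
interface GroupConfig {
  ADMIN_GROUPS: string[];
  CREATE_DATASET_GROUPS: string[];
  CREATE_DATASET_WITH_PID_GROUPS: string[];
  CREATE_DATASET_PRIVILEGED_GROUPS: string[];
}
type CreateAction =
  | "DatasetCreateOwnerNoPid" | "DatasetCreateOwnerWithPid" | "DatasetCreateAny";
interface NewDataset { ownerGroup: string; pid?: string }

const inAny = (userGroups: string[], list: string[]): boolean =>
  userGroups.some((g) => list.includes(g));

// Most permissive create action granted by any of the user's groups.
function createAction(cfg: GroupConfig, userGroups: string[]): CreateAction | null {
  if (inAny(userGroups, cfg.ADMIN_GROUPS) ||
      inAny(userGroups, cfg.CREATE_DATASET_PRIVILEGED_GROUPS)) return "DatasetCreateAny";
  if (inAny(userGroups, cfg.CREATE_DATASET_WITH_PID_GROUPS)) return "DatasetCreateOwnerWithPid";
  if (inAny(userGroups, cfg.CREATE_DATASET_GROUPS)) return "DatasetCreateOwnerNoPid";
  return null; // authenticated users outside these lists cannot create
}

// Returns the pid to store, or null when the request must be rejected.
function authorizeCreate(cfg: GroupConfig, userGroups: string[], ds: NewDataset,
                         newPid: () => string): string | null {
  const action = createAction(cfg, userGroups);
  if (action === null) return null;
  // Owner-level actions only cover datasets owned by one of the user's groups.
  const owns = userGroups.includes(ds.ownerGroup);
  if (action !== "DatasetCreateAny" && !owns) return null;
  // NoPid: a client-supplied pid is ignored. Otherwise it is kept when present.
  if (action === "DatasetCreateOwnerNoPid" || !ds.pid) return newPid();
  return ds.pid;
}

// Constructed configuration for the demonstration.
const CFG: GroupConfig = {
  ADMIN_GROUPS: ["admin"],
  CREATE_DATASET_GROUPS: ["group1"],
  CREATE_DATASET_WITH_PID_GROUPS: ["group2"],
  CREATE_DATASET_PRIVILEGED_GROUPS: ["ingestor"],
};
```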

Authorization table

Note: the table has been split purely for readability. Hierarchically, OrigDatablocks and Datablocks belong to Datasets.

Datasets

| HTTP method | Endpoint | Endpoint Authorization | Anonymous | Authenticated User | Create Dataset Groups | Create Dataset with Pid Groups | Create Dataset Privileged Groups | Admin Groups | Delete Groups | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| POST | Datasets | DatasetCreate | no | no | Owner, w/o PID (DatasetCreateOwnerNoPid) | Owner, w/ PID (DatasetCreateOwnerWithPid) | Any (DatasetCreateAny) | Any (DatasetCreateAny) | no | |
| POST | Datasets/isValid | DatasetCreate | no | no | Owner, w/o PID (DatasetCreateOwnerNoPid) | Owner, w/ PID (DatasetCreateOwnerWithPid) | Any (DatasetCreateAny) | Any (DatasetCreateAny) | no | |
| GET | Datasets | DatasetRead | Public (DatasetReadPublic) | Has Access (DatasetReadAccess) | Has Access (DatasetReadAccess) | Has Access (DatasetReadAccess) | Has Access (DatasetReadAccess) | Any (DatasetReadAny) | no | |
| GET | Datasets/fullquery | DatasetRead | Public (DatasetReadManyPublic) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Any (DatasetReadAny) | no | |
| GET | Datasets/fullfacet | DatasetRead | Public (DatasetReadManyPublic) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Any (DatasetReadAny) | no | |
| GET | Datasets/metadataKeys | DatasetRead | Public (DatasetReadManyPublic) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Any (DatasetReadAny) | no | |
| GET | Datasets/count | DatasetRead | Public (DatasetReadManyPublic) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Has Access (DatasetReadManyAccess) | Any (DatasetReadAny) | no | |
| GET | Datasets/findOne | DatasetRead | Public (DatasetReadOnePublic) | Has Access (DatasetReadOneAccess) | Has Access (DatasetReadOneAccess) | Has Access (DatasetReadOneAccess) | Has Access (DatasetReadOneAccess) | Any (DatasetReadAny) | no | |
| GET | Datasets/pid | DatasetRead | Public (DatasetReadOnePublic) | Has Access (DatasetReadOneAccess) | Has Access (DatasetReadOneAccess) | Has Access (DatasetReadOneAccess) | Has Access (DatasetReadOneAccess) | Any (DatasetReadAny) | no | |
| PATCH | Datasets/pid | DatasetUpdate | no | no | Owner (DatasetUpdateOwner) | Owner (DatasetUpdateOwner) | Owner (DatasetUpdateOwner) | Any (DatasetUpdateAny) | no | |
| PUT | Datasets/pid | DatasetUpdate | no | no | Owner (DatasetUpdateOwner) | Owner (DatasetUpdateOwner) | Owner (DatasetUpdateOwner) | Any (DatasetUpdateAny) | no | |
| POST | Datasets/pid/appendToArrayField | DatasetUpdate | no | no | Owner (DatasetUpdateOwner) | Owner (DatasetUpdateOwner) | Owner (DatasetUpdateOwner) | Any (DatasetUpdateAny) | no | |
| DELETE | Datasets/pid | DatasetDelete | no | no | no | no | no | no | Any (DatasetDeleteAny) | |
| GET | Datasets/pid/thumbnail | DatasetRead | Public (DatasetReadPublic) | Has Access (DatasetReadAccess) | Has Access (DatasetReadAccess) | Has Access (DatasetReadAccess) | Has Access (DatasetReadAccess) | Any (DatasetReadAny) | no | |
| POST | Datasets/pid/attachments | DatasetAttachmentCreate | no | no | Owner (DatasetAttachmentCreateOwner) | Owner (DatasetAttachmentCreateOwner) | Any (DatasetAttachmentCreateAny) | Any (DatasetAttachmentCreateAny) | no | |
| GET | Datasets/pid/attachments | DatasetAttachmentRead | Public (DatasetAttachmentReadPublic) | Has Access (DatasetAttachmentReadAccess) | Has Access (DatasetAttachmentReadAccess) | Has Access (DatasetAttachmentReadAccess) | Has Access (DatasetAttachmentReadAccess) | Any (DatasetAttachmentReadAny) | no | |
| PUT | Datasets/pid/attachments/aid | DatasetAttachmentUpdate | no | no | Owner (DatasetAttachmentUpdateOwner) | Owner (DatasetAttachmentUpdateOwner) | Owner (DatasetAttachmentUpdateOwner) | Any (DatasetAttachmentCreateAny) | no | |
| DELETE | Datasets/pid/attachments/aid | DatasetAttachmentDelete | no | no | Owner (DatasetAttachmentDeleteOwner) | Owner (DatasetAttachmentDeleteOwner) | Owner (DatasetAttachmentDeleteOwner) | Any (DatasetAttachmentDeleteAny) | no | |

OrigDatablock

| HTTP method | Endpoint | Endpoint Authorization | Anonymous | Authenticated User | Create Dataset Groups | Create Dataset with Pid Groups | Create Dataset Privileged Groups | Admin Groups | Delete Groups | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| POST | Datasets/pid/origdatablocks | DatasetOrigdatablocksCreate | no | no | Owner (DatasetOrigdatablockCreateOwner) | Owner (DatasetOrigdatablockCreateOwner) | Any (DatasetOrigdatablockCreateAny) | Any (DatasetOrigdatablockCreateAny) | no | |
| POST | Datasets/pid/origdatablocks/isValid | DatasetOrigdatablocksCreate | no | no | Owner (DatasetOrigdatablockCreateOwner) | Owner (DatasetOrigdatablockCreateOwner) | Any (DatasetOrigdatablockCreateAny) | Any (DatasetOrigdatablockCreateAny) | no | |
| GET | Datasets/pid/origdatablocks | DatasetOrigdatablocksRead | Public (DatasetOrigdatablockReadPublic) | Has Access (DatasetOrigdatablockReadAccess) | Has Access (DatasetOrigdatablockReadAccess) | Has Access (DatasetOrigdatablockReadAccess) | Has Access (DatasetOrigdatablockReadAccess) | Any (DatasetOrigdatablockReadAny) | no | |
| PATCH | Datasets/pid/origdatablocks/oid | DatasetOrigdatablocksUpdate | no | no | Owner (DatasetOrigdatablockUpdateOwner) | Owner (DatasetOrigdatablockUpdateOwner) | Owner (DatasetOrigdatablockUpdateOwner) | Any (DatasetOrigdatablockCreateAny) | no | |
| DELETE | Datasets/pid/origdatablocks/oid | DatasetOrigdatablocksDelete | no | no | no | no | no | no | Any (DatasetOrigdatablockDeleteAny) | |

Datablocks

| HTTP method | Endpoint | Endpoint Authorization | Anonymous | Authenticated User | Create Dataset Groups | Create Dataset with Pid Groups | Create Dataset Privileged Groups | Admin Groups | Delete Groups | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| POST | Datasets/pid/datablocks | DatasetDatablocksCreate | no | no | Owner (DatasetDatablockCreateOwner) | Owner (DatasetDatablockCreateOwner) | Owner (DatasetDatablockCreateOwner) | Any (DatasetDatablockCreateAny) | no | |
| GET | Datasets/pid/datablocks | DatasetOrigdatablocksRead | Public (DatasetDatablockReadPublic) | Has Access (DatasetDatablockReadAccess) | Has Access (DatasetDatablockReadAccess) | Has Access (DatasetDatablockReadAccess) | Has Access (DatasetDatablockReadAccess) | Any (DatasetDatablockReadAny) | no | |
| PATCH | Datasets/pid/datablocks/oid | DatasetDatablocksUpdate | no | no | Owner (DatasetDatablockUpdateOwner) | Owner (DatasetDatablockUpdateOwner) | Owner (DatasetDatablockUpdateOwner) | Any (DatasetDatablockCreateAny) | no | |
| DELETE | Datasets/pid/datablocks/oid | DatasetDatablocksDelete | no | no | no | no | no | no | Any (DatasetDatablockDeleteAny) | |
| GET | Datasets/pid/logbook | DatasetLogbookRead | no | Owner (DatasetLogbookReadOwner) | Owner (DatasetLogbookReadOwner) | Owner (DatasetLogbookReadOwner) | Owner (DatasetLogbookReadOwner) | Any (DatasetLogbookReadAny) | no | |