Hi all,

I'm currently looking for some help to manage groups/roles in Galaxy.

The instance I'm working with uses LDAP authentication (all Galaxy registered users are in LDAP) and the datasets that are uploaded have permissions 'patterns' that can be mapped to groups already available in the LDAP server. Current approach is to manually add roles and groups and assign the registered users to them. Since the amount of users and groups is considerable large and can also change, I was hoping to have a more automatic system such that, when a new dataset is added, the required group/roles are already available to be assigned.

I guess that, since the LDAP system is only used for authentication purposes, there is no way to directly map all the groups and users to galaxy (and actually it would be an overkill). But, at least I would like to get to map the primary LDAP group in a somehow automatic way.

The only approach I could come up with is to manage the group/roles creation through the API, assuming I have a list of the relevant group names at a certain point in time, and then update the link of users to the available groups/roles by using information from LDAP.  

When I first deployed the instance I added an extra check during user authentication to verify that the user belongs to a specific LDAP group which grants access to the Galaxy instance. To do this, a list of groups the user belongs to is obtained from the server. I was thinking about extending this step to also update the user's Galaxy profile, associating it with the groups that are already created in Galaxy. 

Since this will require some digging into Galaxy code, I first want ask if there is any alternative solution for this kind of situation or some work was already done..

Thanks in advance