On Tuesday 14 July 2009 17:42:16 Greg Von Kuster wrote:
Ido M. Tamir wrote:
On Tuesday 14 July 2009 15:25:47 you wrote:
Hello Ido,
All roles are required because of the complication of derived permissions for datasets that are produced from running jobs on different input datasets. Take, for example, two datasets, DatasetA, and DatasetB. Access to DatasetA requires a user to be associated with RoleA, and access to DatasetB with RoleB. It follows that DatasetAB ( created by running a tool with DatasetA and DatasetB as inputs ) should have both RoleA and RoleB associated for the access permission. However, if ANY associated role was sufficient, this would allow users who are only associated either RoleA OR RoleB to view data which was originally not accessible to them.
That is an important point. But if this is the best solution I am not sure yet - first I would like to get my data in, then I can think on the effects of combining them.
Could you show me how I could solve the problem I presented in my previous e-mail without creating ad-hoc roles for every user combination?
thank you very much, ido
Ido M. Tamir wrote:
Could you show me how I could solve the problem I presented in my previous e-mail without creating ad-hoc roles for every user combination?
Scenario:
userName   group
user1      group1
user2      group2
user3      bioinfo
user4*     group4
user4 is a collaborator of user1 - he should have access to the data of user1 - not to the rest of group1 data.

How to do it:
SharingRoleForUser1AndUser4 - users ( user1, user4 )
Associate SharingRoleForUser1AndUser4 with the access permission on all data that you want both to be able to access. If you add additional members to group1, they will not have access to this data because they do not have SharingRoleForUser1AndUser4.

Scenario:
Dataset   owner
A         user1
B         user2
I would normally solve my policy problem by creating the following roles:
role    members
r_u1    user1*
r_u2    user2*
r_u3    user3*
r_u4    user4*
r_g1    group1**
r_g2    group2**
r_g4    group4**
r_b     user3
*I think galaxy automatically creates roles from users or allows association of libraries with users, so this might not be necessary.
**I think galaxy automatically adds the roles of the groups one is member of to the users roles, so I don't add user1 to r_u1 etc...
Then I would associate the following privileges with the datasets
Dataset   modify      access
A         r_u1,r_b    r_u1,r_g1,r_b,r_u4
B         r_u2,r_b    r_u2,r_g2,r_b

How to do it:
For Dataset A:
Role1 ( for "modify permissions" dataset permission on Dataset A ) - users ( user1, user3 )
Role2 ( for "access" dataset permission on Dataset A ) - users ( user1, user3, user4 ) - groups ( group1 )
For Dataset B:
Role3 ( for "modify permissions" dataset permission on Dataset B ) - users ( user2, user3 )
Role4 ( for "access" dataset permission on Dataset B ) - users ( user2, user3 ) - groups ( group2 )
thank you very much, ido
On Tuesday 14 July 2009 20:02:54 Greg Von Kuster wrote:
How to do it: SharingRoleForUser1AndUser4 - users ( user1, user4 )
Associate SharingRoleForUser1AndUser4 with the access permission on all data that you want both to be able to access. If you add additional members to group1, they will not have access to this data because they do not have SharingRoleForUser1AndUser4.
Dear Greg,
thank you very much for your great patience in answering my questions in this level of detail. However I see that I would have to construct a role for every use case (which is already a PITA) and then, after combining the datasets I would risk that nobody (or maybe just the person that combined the datasets) will be able to access the derived data, because nobody will share all of these ad-hoc roles.
I also saw that you have an RBACAgent class that seems - so I hope - to encapsulate all of the rules. I will try to hack around a little bit to change its behavior to my taste. Hopefully you won't hear from me for some time.
best, ido
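The two access rules debated in this thread, as an added Python sketch that is not part of the original e-mails and is not Galaxy's RBACAgent code: it compares "ALL roles required" with "ANY role suffices" on a derived dataset, then reproduces the lock-out concern with ad-hoc sharing roles. The user names only_a, only_b and both, the role SharingRoleForUser1AndUser2, and the dataset names shared14, shared12 and combined are constructed for the example.

```python
# Toy model added for illustration; it is not Galaxy's RBACAgent code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str
    access_roles: frozenset  # roles attached to the "access" permission


def derive(name, *inputs):
    """Job output: its access roles are the union of the inputs' roles."""
    return Dataset(name, frozenset().union(*(d.access_roles for d in inputs)))


def can_access_all(user_roles, ds):
    """Rule Greg describes: the user must hold EVERY associated role."""
    return ds.access_roles <= user_roles


def can_access_any(user_roles, ds):
    """Rejected alternative: holding ONE associated role is enough."""
    # Toy-model assumption: a dataset with no roles is unrestricted.
    return not ds.access_roles or bool(ds.access_roles & user_roles)


def readers(users, ds, rule):
    """Names of the users the given rule lets read ds, sorted."""
    return sorted(u for u, roles in users.items() if rule(roles, ds))


# Constructed sample data using the thread's role and dataset names.
USERS = {
    "only_a": frozenset({"RoleA"}),
    "only_b": frozenset({"RoleB"}),
    "both": frozenset({"RoleA", "RoleB"}),
}
DATASET_A = Dataset("DatasetA", frozenset({"RoleA"}))
DATASET_B = Dataset("DatasetB", frozenset({"RoleB"}))
DATASET_AB = derive("DatasetAB", DATASET_A, DATASET_B)

# Ido's concern: two ad-hoc sharing roles (the second name is hypothetical).
R14, R12 = "SharingRoleForUser1AndUser4", "SharingRoleForUser1AndUser2"
SHARERS = {
    "user1": frozenset({R14, R12}),
    "user2": frozenset({R12}),
    "user4": frozenset({R14}),
}
COMBINED = derive("combined", Dataset("shared14", frozenset({R14})),
                  Dataset("shared12", frozenset({R12})))

if __name__ == "__main__":
    print("DatasetAB, ALL:", readers(USERS, DATASET_AB, can_access_all))
    print("DatasetAB, ANY:", readers(USERS, DATASET_AB, can_access_any))
    print("combined,  ALL:", readers(SHARERS, COMBINED, can_access_all))
```

Under the ANY rule the derived DatasetAB becomes readable by users who could see only one of its inputs; under the ALL rule the combined ad-hoc dataset is readable only by the user who holds both sharing roles.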