Re: [galaxy-user] Permissions and private roles
Hello Anthony,
On Oct 24, 2011, at 10:01 AM, Anthony Underwood wrote:
Hi Greg
Thanks for the reply. I can see now that as an admin user I can now add private roles using the Admin View as opposed to the data libraries view. It is still a bit unclear how a folder can be visible to one user but not to another. If both users have access to the library then they can view all folders, correct?
Permissions on a folder are derived from permissions on specific datasets contained in the folder. So, if folder1 contains dataset1 and dataset2, and only Jack can see dataset1 in folder1 and only Jill can see dataset2 in Folder1, both Jack and Jill can see Folder1, but Spot cannot. In addition, even though both Jack and Jill can see Folder1, each of them will be able to see only their respective dataset.
I can see how I can edit add/modify permissions for a folder but not the view/access permission.
Also another question about permissions. If I create a Galaxy page and share that with limited users then it appears that the datasets are all public via a URL is that correct?
I'm not the expert on pages, Jeremy, can you answer this one?
Thanks again
Anthony
On 24/10/2011 14:09, "Greg Von Kuster" <greg@bx.psu.edu> wrote:
Hello Anthony,
On Oct 24, 2011, at 6:55 AM, Anthony Underwood wrote:
Hi all
I’m trying to get my head round permissions on Data Libraries. I have a couple of questions.
1) When I come to give access to a library the only roles I see are the current (admin) user’s private roles and other non-private roles I have created - no other private roles.
The list of roles you see on the permission page for data library items ( folders and datasets ) is dependent upon the following:
1. Whether you are setting permissions on the library item from the Admin view ( where you should see both private and public roles ) or the Data Libraries view ( where you should only see your own private roles along with certain other public roles ).
2. The level in the hierarchy of the data library at which you are setting permissions. At the top level ( the data library level ), you have the ability to set the LIBRARY_ACCESS permission for the entire data library hierarchy. Depending upon the roles you associate here, all lower levels in the data library hierarchy show only those roles that are derived from the roles you set at the top LIBRARY_ACCESS permission. This is because it makes no sense to allow user john to have some permission to do something in a lower folder of a data library when he is not associated with the permission to even access the library at the top level.
Reading the wiki page suggests that I should see all roles private and non-private.
Not knowing which wiki you've read, make sure to see these:
http://wiki.g2.bx.psu.edu/Admin/Data%20Libraries/Library%20Security
2) Is there a way to give a role access to just one folder of a library rather than the whole library?
Yes, but again, the user with the role must be able to access the data library ( either the data library is public, or the user with the role is associated with the LIBRARY_ACCESS permission at the top level ).
Many thanks
Anthony
Dr Anthony Underwood
Bioinformatics Group | Applied Laboratory and Bio-Informatics Unit
Microbiology Services, Colindale
Health Protection Agency
************************************************************************** The information contained in the EMail and any attachments is confidential and intended solely and for the attention and use of the named addressee(s). It may not be disclosed to any other person without the express authority of the HPA, or the intended recipient, or both. If you are not the intended recipient, you must not disclose, copy, distribute or retain this message or any part of it. This footnote also confirms that this EMail has been swept for computer viruses, but please re-sweep any attachments before opening or saving. HTTP://www.HPA.org.uk ************************************************************************** ___________________________________________________________ The Galaxy User list should be used for the discussion of Galaxy analysis and other features on the public server at usegalaxy.org <http://usegalaxy.org> . Please keep all replies on the list by using "reply all" in your mail client. For discussion of local Galaxy instances and the Galaxy source code, please use the Galaxy Development list:
http://lists.bx.psu.edu/listinfo/galaxy-dev
To manage your subscriptions to this and other Galaxy lists, please use the interface at:
Greg Von Kuster Galaxy Development Team greg@bx.psu.edu
Greg Von Kuster Galaxy Development Team greg@bx.psu.edu
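Greg's description of derived folder visibility and the top-level LIBRARY_ACCESS gate, as a small Python model added here for illustration; it is not Galaxy's code and not part of the original thread. The class and function names are hypothetical, and two rules are assumptions of the sketch: an empty role set means public, and holding any one listed role grants access.

```python
from dataclasses import dataclass, field

# Hypothetical model of the rules described in the thread; not Galaxy's code.
@dataclass
class Dataset:
    name: str
    access_roles: set = field(default_factory=set)  # empty = public (assumption)

@dataclass
class Folder:
    name: str
    datasets: list = field(default_factory=list)
    subfolders: list = field(default_factory=list)

@dataclass
class Library:
    root: Folder
    library_access: set = field(default_factory=set)  # empty = public library

def holds(user_roles, required):
    # Assumption of this sketch: any one listed role is enough.
    return not required or bool(user_roles & required)

def visible_datasets(lib, folder, user_roles):
    # LIBRARY_ACCESS gates everything below the top level.
    if not holds(user_roles, lib.library_access):
        return []
    return [d.name for d in folder.datasets if holds(user_roles, d.access_roles)]

def folder_visible(lib, folder, user_roles):
    # A folder has no access list of its own: it is visible when the user
    # can see at least one dataset in it or in a folder beneath it.
    return bool(visible_datasets(lib, folder, user_roles)) or any(
        folder_visible(lib, sub, user_roles) for sub in folder.subfolders)

def audit(lib, users):
    """Return {user: {folder: [dataset names]}} for each folder the user sees."""
    def walk(folder, roles, out):
        if folder_visible(lib, folder, roles):
            out[folder.name] = visible_datasets(lib, folder, roles)
        for sub in folder.subfolders:
            walk(sub, roles, out)
        return out
    return {user: walk(lib.root, roles, {}) for user, roles in users.items()}

# Constructed sample: the Jack/Jill/Spot case, plus john, who holds a dataset
# role but is not associated with LIBRARY_ACCESS.
LIB = Library(
    root=Folder("root", subfolders=[
        Folder("Folder1", datasets=[Dataset("dataset1", {"jack"}),
                                    Dataset("dataset2", {"jill"})]),
        Folder("Folder2", datasets=[Dataset("dataset3", {"john"})])]),
    library_access={"jack", "jill", "spot"})
USERS = {"jack": {"jack"}, "jill": {"jill"}, "spot": {"spot"}, "john": {"john"}}

if __name__ == "__main__":
    for user, folders in audit(LIB, USERS).items():
        print(user, folders)
```

Running an audit like this over an export of a library's roles gives a per-user view to compare against what each user actually sees in the Data Libraries view.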
Thanks for the reply Greg
Still don't think I've quite got it in my head though it's becoming clearer.
I have 2 users each of whom I have given permission to access 2 datasets.
user 1 has access to data in a folder called 1st result and user 2 has access to data found in both a folder called fastqs and 2nd result (very artificial data scenario:))
user 1 can see http://cl.ly/3M3t0P2n3H101P1z393e
I would not have expected him to see the fastqs folder
user 2 can see http://cl.ly/1r2y1h2c0F0a0V403F1f
I would not have expected them to be able to see 1st result.
Thanks for your patience
Anthony
I'm not following you here - please decipher your folder names, which I assume are mapped to your encoded request strings.
Greg Von Kuster Galaxy Development Team greg@bx.psu.edu
Hi Greg
Sorry for the confusion. The links are to screenshot uploads of Galaxy showing the folder visibilities. If it's still not clear please send a quick mail.
Thanks
Anthony
Anthony,
Yours may be a corner case scenario that isn't properly handled, although I'm not sure it's critical as the data you want protected is, in fact, protected (or am I still not seeing it correctly?). If you feel this is a bug, please submit a ticket, although this is far off my development plans for the foreseeable future.
Thanks!
Greg Von Kuster Galaxy Development Team greg@bx.psu.edu
Hi Greg
Yes all the data security is fine it's just me trying to find a way to present the end results from a workflow/history to group heads who won't be especially interested in how we got there but more in the final story. It's not a major bug so I won't for the moment submit a ticket. It may be that galaxy pages and protecting datasets within these is the way to go. Thanks for your help and persisting with the problem.
Anthony
Also another question about permissions. If I create a Galaxy page and share that with limited users then it appears that the datasets are all public via a URL is that correct?
Yes, all datasets are public via URL by default in Galaxy, and a Galaxy Page makes it easy to find this URL. Without knowing the dataset hash id and/or the instance's secret key, it's very difficult to guess a URL that leads to a valid dataset. To change a dataset's permissions, click on the pencil ("Edit attributes") and scroll to the bottom of the attributes page.
Thanks,
J.
participants (3)
- Anthony Underwood
- Greg Von Kuster
- Jeremy Goecks