Permissions: Difference between revisions

From PHENOM Portal Knowledgebase
(Added permissions page detailing everything needed to know about new permissions regime)
 
No edit summary
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== General ==
Permissions are a user's access level to either a project or a model. There are four different types of permissions, and a user can have any of the permissions types independent of one another.
Permissions are a user's access level to either a project or a model. There are four different types of permissions, and a user can have any of the permissions types independent of one another. Users are able to assign permissions to their projects and models by using the Permissions Manager on the Projects Detail and Model Detail pages. The table contains all users on the same account as the user.
Permissions on a project and the models it contains are distinct (i.e., the user can have different permissions (higher or lower) at the project level compared to the models).


[screenshot]
= Permissions Types =
== Read Permissions ==
'''If a user has Read permissions, they have read-only access to the project or model.'''


Another way to assign permissions to users that do not belong to the current user's account is by giving them a Permissions Token via the Project Sharing page. By inputting a username and the desired permissions level, then clicking the Share button, a unique Token will be generated for the specified user.
Having Read permissions to a project and its models allows the user to switch to that project, see all the content, export the content, but not create, edit, or update it. In addition, if the model inherits from another model, a user with Read permissions is allowed to see the nodes that can be pulled from a parent model, but are prevented from actually pulling that content. Likewise, if a model has other models that inherit from it, a user with Read permissions to the model is allowed to see the push requests from the children models, but is not allowed to approve those changes.  


[screenshot]
Read permissions are unique from the other permissions types in that they are required in order to have any other permissions. For that reason, when assigning Write, Admin, or Owner permissions, Read permissions are assigned by default and can't be removed, as seen below.


The other user can then input the generated token to gain access to that project or model.
[[File:Perms5 2.png|frameless|636x636px]]


[screenshot]
== Write Permissions ==
'''If a user has Write permissions, they are allowed to edit project and model content.'''
 
Having Write permissions to a project or a model allows the user to modify any of its content, including pulling, pushing, and approving push requests. Note that to pull changes from a parent model, the user needs at least Read permissions to the parent model.
 
== Admin Permissions ==
'''If a user has Admin permissions, they are allowed to share the project or model and inherit from it'''


This user, along with any other external users, will appear in the Permissions Manager under a separate External Users table.
Having Admin permissions to a project or a model allows the user to create inheriting projects or models. Admin users can assign Read, Write, and Admin permissions to users belonging to their account for this particular project or model (including themselves).
 
== Owner Permissions ==
'''If a user has Owner permissions, they have the same permissions as Admins, as well as some additional actions.'''


[screenshot]
Having Owner permissions to a project or a model provide the user with Admin permissions plus the ability to delete the project or model, to change the metadata of it, and to share it with users external to their account. Owner users can assign Read, Write, and Admin permissions to internal and external users and grant Owner permissions to internal users.


== Read permissions ==
= Assign Permissions =  
== Assign Permissions to Internal Users ==
Users are able to assign permissions to their projects or models by using the Permission Manager on the Project or Model Details page. The table lists all the users from the same account as the current user.


===== If a user has Read permissions, they have the most basic access to a project or model. =====
[[File:Perms1.png|alt=Project Details Page Permissions Manager|frameless|1023x1023px]]
The user is allowed to switch to a project to which they have Read permissions to all the contained models. The user is allowed to see all the content of their Read access projects and models. The user is also allowed to export their project for use elsewhere. In addition, if the model inherits from another model, a user with Read permissions is allowed to see the nodes that can be pulled from a parent model, but are prevented from actually pulling that content. Likewise, if a model has other models that inherit from it, a user with Read permissions to the model is allowed to see the push requests from the children models, but is not allowed to approve those changes.


Read permissions are also unique from the other permissions types because in order to have any other permissions, a user is required to also have Read access, to prevent scenarios where a user is allowed to edit model content that they are not even allowed to see. This is why a user wanting to assign Write or Admin permissions are not allowed to disable Read permissions, as seen below.
To be able to share a Model, users need to have Admin or Owner permissions to it.


[screenshot]
To be able to share a Project, users need to have Admin or Owner permissions to it and to all the models it contains. The permissions granted for the project will be applied to all its models.


== Write Permissions ==
== Assign Permissions to External Users ==
To assign permissions to users that do not belong to the current user's account, the user has to give them a Permissions Token. The procedure to do so is as follows:
* Go to the Project Sharing page
* Locate the project or model to be shared
* Enter the username and the desired permissions level<sup>*</sup>
* Click the Share button
* Email the generated Token (which appeared on the right of the screen) to the user.
Note that the Token is only valid for 24 hours.


===== If a user has Write permissions, they are allowed to edit project and model content. =====
<sup>*</sup> The types of permissions users can grant follow the same policy as for internal users (see table above) except that they can't grant Owner permissions even if they have Owner permissions themselves.
The user is able to modify fields on the details pages of nodes in the model, as well as the majority of the actions related to inheriting models. If the model inherits from another model, the user with Write access is able to request to push content to the parent model. Assuming that the user also has Read permissions to the parent model, the user is also allowed to pull any new changes from the parent model. Likewise, if a model has other models that inherit from it, a user with Write permissions to the model is allowed to approve content changes and delete push requests.


== Admin Permissions ==
[[File:Perms2.png|alt=Project Sharing Page|frameless|1027x1027px]]


===== If a user has Admin permissions, they are allowed to make changes to projects and models themselves. =====
To gain access to the project or model, the user has to go to the Project Sharing page, copy the Token received by email in the dedicated field and click the Submit button. The new project or model should then appear in the their project/model tree.
A user who has Admin access to projects or models is allowed to change the permissions of the projects or models to users who belong to the same account as them. A user with Admin access to a model is also allowed to create inheriting models from it.


== Owner Permissions ==
[[File:Perms3.png|alt=Accepting Perms Token|frameless|597x597px]]


===== If a user has Owner permissions (or "owns" a project or model), they were the creator of the project or model, and therefore have all of the above permissions types, as well as some more actions limited to just the owner of the project or model. =====
This user, along with any other external users, will appear in the Permissions Manager under a separate External Users table.
A user that owns a project or model is allowed to change permissions, both to users that belong to the same account as them, as well as external users, sharing permissions with them via Permissions Tokens. If a user owns a project and wishes to give other users permissions to it that are higher than those users currently have, the user must also have Admin permissions to all the contained models. In addition, the Owner of a project or model is the only user allowed to rename or delete the projects and models they own. If a user owns a project or model, no other user is allowed to revoke any of their permissions.


It should be noted that if a project or model was created before April 2nd, 2024, the project or model may have more than one Owner. When Owner permissions were added, the Owner of a given project or model was determined to be anyone who had Admin permissions to that project or model, excluding any user who recieved Admin access via a Permissions Token. All projects and models created after April 2nd, 2024, only have one Owner.
[[File:Perms4.png|alt=Project Details with External Users Permissions|frameless|599x599px]]


== Account Admins ==
== Account Admins ==
Account admins are able to see all the projects and models that exist on their account, and are able to assign permissions to those projects and models to any user on the same account. In the case that a project or model was shared to someone on an account using a Permissions Token, that account's Admins are only allowed to assign permissions to the project or model that someone on the account holds.
Account admins are able to see all the projects and models that users from their account have access to, and are able to assign permissions to those projects and models to any user in their account.
 
For internally created projects or models, Account admins can grant any types of permissions (including Owner) to any user in their account.
 
For a project or model that was externally shared with one (or more) of their account users, the Account admin can only assign permissions to other users if at least one of those original users was granted Admin permissions. In addition, if no one was granted Write access to the project or model, then Account admins will not be allowed to grant Write permissions to anyone, only Read and Admin.
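Review bot: the rewritten Owner Permissions section drops two statements from the earlier wording that anyone auditing access still needs: that a project or model created before April 2nd, 2024 may have more than one Owner, and that no other user is allowed to revoke an Owner's permissions. Neither appears in the latest revision below, so either restore them under Owner Permissions or state what replaced them. The footnote in Assign Permissions to External Users also says "see table above", but the visible text has no table listing which permissions each level can grant; point it at the Admin and Owner descriptions instead. Smaller fixes in the new text: "provide the user" should be "provides the user", and "in the their project/model tree" has a stray "the".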

Latest revision as of 10:11, 6 May 2024

Permissions are a user's access level to either a project or a model. There are four different types of permissions, and a user can have any of the permissions types independent of one another. Permissions on a project and the models it contains are distinct (i.e., the user can have different permissions (higher or lower) at the project level compared to the models).

Permissions Types

Read Permissions

If a user has Read permissions, they have read-only access to the project or model.

Having Read permissions to a project and its models allows the user to switch to that project, see all the content, and export the content, but not create, edit, or update it. In addition, if the model inherits from another model, a user with Read permissions is allowed to see the nodes that can be pulled from a parent model, but is prevented from actually pulling that content. Likewise, if a model has other models that inherit from it, a user with Read permissions to the model is allowed to see the push requests from the children models, but is not allowed to approve those changes.

Read permissions are unique from the other permissions types in that they are required in order to have any other permissions. For that reason, when assigning Write, Admin, or Owner permissions, Read permissions are assigned by default and can't be removed, as seen below.

Write Permissions

If a user has Write permissions, they are allowed to edit project and model content.

Having Write permissions to a project or a model allows the user to modify any of its content, including pulling, pushing, and approving push requests. Note that to pull changes from a parent model, the user needs at least Read permissions to the parent model.

Admin Permissions

If a user has Admin permissions, they are allowed to share the project or model and inherit from it.

Having Admin permissions to a project or a model allows the user to create inheriting projects or models. Admin users can assign Read, Write, and Admin permissions to users belonging to their account for this particular project or model (including themselves).

Owner Permissions

If a user has Owner permissions, they have the same permissions as Admins, as well as some additional actions.

Having Owner permissions to a project or a model provides the user with Admin permissions plus the ability to delete the project or model, to change its metadata, and to share it with users external to their account. Owner users can assign Read, Write, and Admin permissions to internal and external users and grant Owner permissions to internal users.

Assign Permissions

Assign Permissions to Internal Users

Users are able to assign permissions to their projects or models by using the Permission Manager on the Project or Model Details page. The table lists all the users from the same account as the current user.

Project Details Page Permissions Manager

To be able to share a Model, users need to have Admin or Owner permissions to it.

To be able to share a Project, users need to have Admin or Owner permissions to it and to all the models it contains. The permissions granted for the project will be applied to all its models.

Assign Permissions to External Users

To assign permissions to users that do not belong to the current user's account, the user has to give them a Permissions Token. The procedure to do so is as follows:

  • Go to the Project Sharing page
  • Locate the project or model to be shared
  • Enter the username and the desired permissions level*
  • Click the Share button
  • Email the generated Token (which appeared on the right of the screen) to the user.

Note that the Token is only valid for 24 hours.

* The types of permissions users can grant follow the same policy as for internal users (see table above) except that they can't grant Owner permissions even if they have Owner permissions themselves.
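
The grant rules described above, modelled as an added example (this is not PHENOM's own code). All function names are hypothetical, and treating Admins as unable to share with external users is an assumption drawn from the Owner description.

```python
from datetime import datetime, timedelta, timezone

LEVELS = {"read", "write", "admin", "owner"}
TOKEN_LIFETIME = timedelta(hours=24)  # "the Token is only valid for 24 hours"

def normalize(perms):
    """Read is required for every other type, so any grant implies Read."""
    perms = set(perms)
    if perms - LEVELS:
        raise ValueError(f"unknown permission types: {perms - LEVELS}")
    return perms | {"read"} if perms else perms

def grantable(granter_perms, target_is_internal):
    """Types the granter may assign on one project or model."""
    granter = normalize(granter_perms)
    if "owner" in granter:
        # Owners may share externally, but Owner itself stays inside the account.
        return set(LEVELS) if target_is_internal else LEVELS - {"owner"}
    if "admin" in granter and target_is_internal:
        return LEVELS - {"owner"}
    return set()  # Read/Write holders, and Admins facing external users (assumed)

def check_grant(granter_perms, requested, target_is_internal):
    """True when every requested type (plus implied Read) may be assigned."""
    requested = normalize(requested)
    return bool(requested) and requested <= grantable(granter_perms, target_is_internal)

def can_share_project(project_perms, perms_per_model):
    """Sharing a project needs Admin or Owner on it and on all its models."""
    return all(normalize(p) & {"admin", "owner"}
               for p in [project_perms, *perms_per_model])

def token_valid(issued_at, now):
    """A Permissions Token can be redeemed only within 24 hours of issue."""
    return timedelta(0) <= now - issued_at <= TOKEN_LIFETIME

if __name__ == "__main__":
    issued = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)  # constructed sample
    print(check_grant({"admin"}, {"write"}, target_is_internal=True))
    print(check_grant({"owner"}, {"owner"}, target_is_internal=False))
    print(can_share_project({"owner"}, [{"admin"}, {"write"}]))
    print(token_valid(issued, issued + timedelta(hours=25)))
```
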

Project Sharing Page

To gain access to the project or model, the user has to go to the Project Sharing page, copy the Token received by email into the dedicated field, and click the Submit button. The new project or model should then appear in their project/model tree.

Accepting Perms Token

This user, along with any other external users, will appear in the Permissions Manager under a separate External Users table.

Project Details with External Users Permissions

Account Admins

Account admins are able to see all the projects and models that users from their account have access to, and are able to assign permissions to those projects and models to any user in their account.

For internally created projects or models, Account admins can grant any type of permissions (including Owner) to any user in their account.

For a project or model that was externally shared with one (or more) of their account users, the Account admin can only assign permissions to other users if at least one of those original users was granted Admin permissions. In addition, if no one was granted Write access to the project or model, then Account admins will not be allowed to grant Write permissions to anyone, only Read and Admin.