AuthModule 2.0 wishlist
Driven by WormQTL and other community project we would like the following:
Users, groups and roles
A user is an natural person that can log in to the system. He/she can have a username and password. A group is a named role that cannot log in. Both users and other groups can be 'member' of a group. Both user and group are 'role'.
Special roles:
- anonymous (user): users that are not logged in
- admin (user): users that bypass the security system
- all users (group): all users except anonymous and admin
Entity permissions
All MOLGENIS static components are 'entities', including data entity and user interface form, menu, plugin. Each entity is identified by its unique class name (matching the name in the code). For example org.molgenis.organization.Investigation refers to the entity named Investigation. On each resource one can specify:
| action | read | write |
| view elements of this resource (e.g. records) | X | X |
| execute elements of this resource (e.g. pipelines) | - | X |
| create, edit, or delete elements in this resource | - | X |
These permissions can be restricted or loosened at record level using the permissions described below.
Discussion: how exactly should 'execute' permission work.
Record permissions
A record is an instance of an entity. Record permissions define what actions a role can perform on a record. We distinguish the following types of permissions per record:
| action | read | write | own |
| view record | X | X | X |
| edit record | - | X | X |
| give other roles view or edit permissions | - | - | X |
| delete record | - | - | X |
| transfer ownership to other role | - | - | X |
Only when having table level write permission you can create new records. The creator is automatically the owner. There can be only one owner per record.
User interactions
Default only the owner is set and the table level permissions are enforced (e.g. the admin may have specified that 'anonymous' can read and 'biologists' can edit'). Individual users may choose to override this by giving row level permissions. These come in the form 'PermissionRule?' {role,permission}, for example "admin,read". Multiple PermissionRule? can be bundled into on PermissionSet?, for example "admin,write; anonymous, view". In the 'list' view you can select record and then push the 'share' button to set sharing permissions (existing permissions are overwritten). You can also chose to apply a previous 'permission set'.
Example user stories:
| user story | how it works |
| Give everybody permission to my data | Give permission to 'anonymous' |
| Give all registered users permission to my data | Give permission to 'all users' |
| Give a particular user permission to my data | Give permission to '<username>' |
As a user you can create your own groups (i.e. the MolgenisGroup? table is editable to all users and has row level security to limit view of groups you are not member of).
