= Authentication and Authorization module user stories =

[[TOC()]]

Definitions:
 * Data:
   * structural elements: entities (tables), fields (columns), and user interface screens
   * objects or rows: instances of entities
 * Users:
   * anonymous user: users who are not logged in
   * authenticated user: users who have registered with the system
   * administrator: special authenticated user who may manage overall permissions for the MOLGENIS app
 * Permission:
   * read permission: ability to view the data
   * write permission: ability to edit the data
   * execute: ability to use data inside processing
   * ownership: ability to add or remove data or set permissions
   * sharing permissions: row-level security, that is, permissions defined per data row/object

== As new user to the system I want to register myself and then have the ability to login, logout and change my details ==

"User login and registration" plugin

Acceptance criteria:
 * I, Jessica, can access the system and subsequently register myself.
 * I receive an email with a link to finish registration.
 * I can log in and change my password.
 * I can then log out.

Tickets:
 * please add

== As an administrator I want to set read, write, execute and ownership permissions on entities including fields, rows and screens. ==

"Users and Groups manager" screen

Acceptance criteria:
 * I can define that entity Sample is editable by the group 'Students' except the column 'Name' and only within the screen 'Lab'.
 * I can define that entity Investigation is viewable to group 'Lab workers' but only column Name so that it can be used in 'xrefs'.
 * I can define that entity Protocol can be edited by 'Lab technicians' except in the screen 'All protocols'.
 * Please add!

Tasks:
 * Create an interface MolgenisElement. Make Entity, Field, ScreenModel implement MolgenisElement.
 * Create an interface Authorizable with fields owner: xref->!MolgenisUser, shareRead: xref->!MolgenisGroup, shareWrite: xref->!MolgenisGroup.
 * Extend Permission enum in DatabaseLogin to cover read, write, execute and ownership.
 * Extend the InstallPlugin so that there is always an Administrator user in the database and it can't be deleted.

== As an administrator I want to be able to manage users, groups and permissions. ==

Acceptance criteria:
 *

Tasks:
 * Create a user interface to manage users, groups and permissions that is accessible to the administrator only.
 * Create an intermediate layer with corresponding database functionality.

== As an administrator I want to have the possibility to forward permissions from an entity to others. ==

Acceptance criteria:
 * I want to automatically derive my permissions on 'Sample' from the sharing permissions that are set on Investigation.
 * Please add!

Task:
 * Create a function as part of the admin interface to forward permissions from an entity to others that are connected with it (xref, mref).

== As authenticated user I want to create my private groups of users and, for objects that I own, add permissions to users or groups. ==

"My sharing preferences" screen

Acceptance criteria:
 * I want to indicate for each of the Investigations I own what groups are allowed to edit and view.
 * I want to be able to transfer ownership of a data object to another user.
 * I want to be able to transfer ownership of all my data objects to another user.
 * I want to say that my friend Peter can see all Protocols that I own but not all my ObservedValue except those ObservedValue I marked as 'public'.
 * I, Erik, can give my co-workers Despoina and Robert read-only access to all the features, values and targets belonging to my investigation AnimalDB.
 * If multiple permissions apply, the narrower ones override the broader ones.
 * Please add!

Tasks:
 * Rename !MolgenisRole to !MolgenisGroup.
 * Connect !MolgenisUsers to !MolgenisGroups using a many-to-many relationship. Figure out how to do that best: mref, explicit bridge table, inheritance, ...
 * Create a table that contains !MolgenisElements and connects them with !MolgenisUsers and Permissions.
 * Make Molgenis check permissions via a central class. (To be refined.)
 * Create a logic layer between the database and UI layers for user permission and group management.
 * Create a user interface to manage permissions for the entities owned by the user that is logged in.

== As an anonymous user I want to see all the entities I am entitled to see without logging in. ==

Acceptance criteria:
 * I, Anonymous, can use the application and see all entities which are available to the user "anonymous".

Tickets:
 * Make sure that every database instance has a special 'anonymous' user.
 * Make the login class log in this public user by default.

[[TicketQuery(format=table,component=auth,type=enhancement,col=id|summary,rows=description)]]
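
The administrator story's acceptance criteria, combined with the rule that narrower permissions override broader ones, worked through as an added example (not MOLGENIS code). The `Rule` record, `isAllowed`, the deny-by-default and deny-wins-on-a-tie behaviour, and the names `Weight`, `Description`, `Other` and `Detail` are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;

// Added example, not MOLGENIS code: Rule and isAllowed are hypothetical names.
public class PermissionCheck {
    enum Permission { READ, WRITE, EXECUTE, OWN }

    // field == null means the whole entity; screen == null means any screen.
    record Rule(String group, String entity, String field, String screen,
                Permission permission, boolean allow) {
        boolean matches(Set<String> groups, String e, String f, String s, Permission p) {
            return groups.contains(group) && entity.equals(e) && permission == p
                    && (field == null || field.equals(f))
                    && (screen == null || screen.equals(s));
        }
        // A rule naming a field and/or a screen is narrower than one that does not.
        int specificity() { return (field == null ? 0 : 1) + (screen == null ? 0 : 1); }
    }

    static boolean isAllowed(List<Rule> rules, Set<String> groups, String entity,
                             String field, String screen, Permission p) {
        int best = -1;
        boolean allowed = false; // assumption: no matching rule means deny
        for (Rule r : rules) {
            if (!r.matches(groups, entity, field, screen, p)) continue;
            int spec = r.specificity();
            if (spec > best) { best = spec; allowed = r.allow(); }
            else if (spec == best && !r.allow()) allowed = false; // assumption: deny wins a tie
        }
        return allowed;
    }

    public static void main(String[] args) {
        List<Rule> rules = List.of( // constructed from the acceptance criteria
            new Rule("Students", "Sample", null, "Lab", Permission.WRITE, true),
            new Rule("Students", "Sample", "Name", null, Permission.WRITE, false),
            new Rule("Lab workers", "Investigation", "Name", null, Permission.READ, true),
            new Rule("Lab technicians", "Protocol", null, null, Permission.WRITE, true),
            new Rule("Lab technicians", "Protocol", null, "All protocols", Permission.WRITE, false));
        Set<String> student = Set.of("Students"), tech = Set.of("Lab technicians");
        System.out.println(isAllowed(rules, student, "Sample", "Weight", "Lab", Permission.WRITE));
        System.out.println(isAllowed(rules, student, "Sample", "Name", "Lab", Permission.WRITE));
        System.out.println(isAllowed(rules, student, "Sample", "Weight", "Other", Permission.WRITE));
        System.out.println(isAllowed(rules, Set.of("Lab workers"), "Investigation", "Description", null, Permission.READ));
        System.out.println(isAllowed(rules, tech, "Protocol", "Name", "All protocols", Permission.WRITE));
        System.out.println(isAllowed(rules, tech, "Protocol", "Name", "Detail", Permission.WRITE));
    }
}
```

The example uses records, so it needs Java 16 or later; it runs as a single file with `java PermissionCheck.java`.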