wiki:AuthModule/UserStories

Version 8 (modified by Morris Swertz, 13 years ago)

Authentication and Authorization module user stories

Data:

  • structural elements are entities (tables), fields (columns), and user interface screens
  • instance elements are the 'rows' or 'objects' of those entities.

Users:

  • anonymous user: users who are not logged in
  • authenticated user: users that have registered to the system
  • administrator: special authenticated user who may manage overall permissions for the MOLGENIS app.

Permission:

  • read permission: ability to view the data
  • write permissions: ability to edit the data
  • execute: ability to use data inside processing
  • ownership: ability to add or remove data or set permissions
  • sharing permissions: row-level security, i.e. permissions defined per data row/object.

As an authenticated user I want to define data permissions including read, write, execute and ownership.

Acceptance criteria:

  • Please add!

Tickets:

  • Extend Permission enum in DatabaseLogin to cover read, write, execute and ownership.

As an administrator I want to set permissions on elements including entities, fields, rows and screens.

Acceptance criteria:

  • Please add!

Tickets:

  • Create an interface MolgenisElement. Make Entity, Field, ScreenModel implement MolgenisElement.
  • Create an interface Authorizable with fields owner: xref->MolgenisUser, shareRead: xref->MolgenisGroup, shareWrite: xref->MolgenisGroup.

As an authenticated user I want to create my own groups of users and add permissions on users or groups. If multiple permissions apply, the broader ones override the narrower ones.

Acceptance criteria:

  • I want to say that my friend Peter can see all my Protocols but not all my ObservedValues, except those ObservedValues I marked as 'public'.
  • Please add!

Tickets:

  • Rename MolgenisRole to MolgenisGroup.
  • Connect MolgenisUsers to MolgenisGroups using a many-many relationship. Figure out how to do that best: mref, explicit bridge table, inheritance, ...
  • Create a table that contains MolgenisElements and connects them with MolgenisUsers and Permissions.
  • Make Molgenis check permissions via central class. (To be refined.)
  • Create a user interface to manage permissions for the entities owned by the user that is logged in.
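The Authorizable fields (owner, shareRead, shareWrite) and the central permission check from the tickets above, as an added Java sketch that is not MOLGENIS code. It assumes an `isPublic` flag for rows the owner marked 'public' and that execute follows read, and runs the 'Peter' acceptance criterion against constructed sample rows.

```java
import java.util.Set;

// Added illustration of the permission model in these stories (not MOLGENIS code).
enum Permission { READ, WRITE, EXECUTE, OWN }

// A user and the groups (MolgenisGroup) they belong to.
record User(String name, Set<String> groups) {}

// One row of an Authorizable entity: owner plus shareRead/shareWrite groups, as in the ticket.
// 'isPublic' is an assumed flag standing in for rows the owner marked as 'public'.
record Row(String entity, String id, String owner, String shareRead, String shareWrite, boolean isPublic) {}

public class PermissionChecker {

    // Central check. Grants are combined with OR, so a broader grant (ownership, write share)
    // is never cancelled by a narrower one. Assumption: execute follows read.
    static boolean allowed(User user, Row row, Permission perm) {
        if (row.owner().equals(user.name())) {
            return true; // ownership covers add/remove and setting permissions
        }
        boolean canWrite = row.shareWrite() != null && user.groups().contains(row.shareWrite());
        boolean canRead = canWrite || row.isPublic()
                || (row.shareRead() != null && user.groups().contains(row.shareRead()));
        switch (perm) {
            case READ:
            case EXECUTE:
                return canRead;
            case WRITE:
                return canWrite;
            default:
                return false; // OWN is only ever granted to the owner
        }
    }

    public static void main(String[] args) {
        // Constructed sample data for the 'Peter' acceptance criterion above.
        User erik = new User("Erik", Set.of("lab"));
        User peter = new User("Peter", Set.of("friends"));
        User anonymous = new User("public", Set.of()); // the default public login from the tickets
        Row protocol = new Row("Protocol", "P1", "Erik", "friends", null, false);
        Row privateValue = new Row("ObservedValue", "V1", "Erik", null, null, false);
        Row publicValue = new Row("ObservedValue", "V2", "Erik", null, null, true);

        System.out.println("Peter reads Protocol P1:          " + allowed(peter, protocol, Permission.READ));
        System.out.println("Peter reads ObservedValue V1:     " + allowed(peter, privateValue, Permission.READ));
        System.out.println("Peter reads ObservedValue V2:     " + allowed(peter, publicValue, Permission.READ));
        System.out.println("Peter writes Protocol P1:         " + allowed(peter, protocol, Permission.WRITE));
        System.out.println("Erik owns ObservedValue V1:       " + allowed(erik, privateValue, Permission.OWN));
        System.out.println("Anonymous reads ObservedValue V2: " + allowed(anonymous, publicValue, Permission.READ));
    }
}
```

Peter sees the shared Protocol and the public ObservedValue but not the private one; the anonymous public user only sees rows marked public.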

As an administrator I want to be able to manage users and groups.

Acceptance criteria:

  • Please add!

Tickets:

  • Create a user interface to manage users and groups that is accessible to the administrator only.

As an administrator I want to have the possibility to forward permissions from an entity to others.

Acceptance criteria:

  • I want to automatically derive my permissions on 'Sample' from the sharing permissions that are set on Investigation.
  • Please add!

Tickets:

  • Create a function as part of the admin interface to forward permissions from an entity to others that are connected with it (xref, mref).

As an anonymous user I want to see all the entities I am entitled to see without logging in.

Acceptance criteria:

  • Please add!

Tickets:

  • Create a public user.
  • Make the login class log in the public user by default.

As an investigator I want to be able to share the permissions on all entities belonging to my investigation with other users or groups.

Acceptance criteria:

  • I, Erik, can give my co-workers Despoina and Robert read-only access to all the features, values and targets belonging to my investigation AnimalDB.
  • Please add!

Tickets:

  • See above.