Feature/global sharing #2956
base: master
…ranting write access to a global shared artifact reader role that would be given to all users. Next steps are to 1) make this configurable, 2) allow users to configure the global author role if they want only some users to be able to grant global read access, and 3) set up global read role for all users as a default assigned system role
…ole to a new roleid.
… then decided not to
…'public' role since this would remove the need to change WebAPI to add a new system role that pretty much duplicates 'public'
…rt to only persons who have been granted permission to change the same cohort.
Fix/final global sharing
...to better reflect its real purpose
fix: adjust permission name to "artifact:global:share:put"
based on this discussion OHDSI#2929 (comment)
Fix: remove dead code
...previous name isPermittedGlobalShareCohort did not reflect the fact that it is about all kinds of artifacts
Fix: better name for isPermittedGlobalShareArtifact
Hi, I planned on working on merging this in but I'm now confused as to if there is an outstanding issue that needs to be resolved from OHDSI/WebAPI#2342? The Atlas side looks like it adds the 'global read access' option to the security (lock) screen, and that would just put this artifact permission into role 15 (where all users have the read access permissions for global assets stored). So can anyone please clarify what this PR depends on in order to be merged? My understanding is: Role 15 (read access role) is already set up on WebAPI, and this PR just puts assets into it from the UI. Is there anything more needed from that perspective?
Ok, not sure if this is working as intended: I created a new one and want to grant perms as global read: I click the granted button (note: this UI is not clear what the status is if it is granted or not granted, I would make the selected option green and the non selected red or something to distinguish it better). The 'public' role was added but I was expecting role id 15 (read restricted atlas users) to be the permission granted to this asset.
@chrisknoll thanks for testing it. The "public" role behavior is correct and matches the description Rich shared above:
Regarding role 15: I think Role 15 is meant for restricted access features in general (i.e. it is perhaps best seen as an alternative to role 10 which gives access to all artifacts by default), and therefore the name "read restricted" might be a bit confusing, as it makes it sound like it is a role that would be given to someone that needs read only access. This could be part of the confusion. Anyway, to address your concerns: this current PR only makes sense in the context of the restricted access feature, and it probably only makes sense to merge this if the restricted access feature is fully working first. So yes, solving OHDSI/WebAPI#2342 first makes sense to me.
Ok, cool thank you. So the main ask is that the global access button should be a little more clear about whether it is globally shared or not.
This pull request adds OPTIONAL functionality to Atlas/WebAPI where folks have chosen to implement the optional enhancement that allows read permission to be restricted so that only users with read access to a given artifact can view it (see the description in the Atlas set up guide and more details on the WebAPI wiki).
The feature makes it possible for users of an Atlas instance that is restricting read access to share an artifact they own publicly. Example:
This operation can be reversed:
One additional feature is that artifact sharing can be restricted to only certain users. This pull request adds the enablePermissionManagement config option to config-local.js. If it is set to true, then only users with a specific permission ('artifact:global:share:put') are able to share. This is useful for data commons or other collaboratives where there are many users and a small group of admins or moderators would like to filter the items shared publicly.
If this pull request is accepted, the documentation above should be copied into the [Atlas set up guide](https://github.com/OHDSI/Atlas/wiki/Atlas-Setup-Guide) and referenced from the [WebAPI wiki](https://github.com/OHDSI/WebAPI/wiki/Read-restricted-Configuration).