User Roles and Permissions

This document outlines all possible user-roles within the GDI Node software.

Some basic relationships between the entities:

  1. User must have one or more roles. Without roles, the user cannot log in.
  2. System-level (help-desk) roles are given through configuration file.
  3. System-level roles enable read-only/read-write access for managing data-providers, their users, storage, and visibility of datasets.
  4. A user must belong to one or more data-provider organisations.
  5. A dataset belongs to exactly one data-provider organisation.
  6. User is an active member of an organisation if
    1. the organisation is marked active, and
    2. the user has at least one role in that organisation.

System-level roles

If user is given a system-level role, the user won’t inherit explicitly defined organisation-based roles. Instead they inherit all roles and permissions implicitly. System-level roles cannot upload datasets.

  1. node.sys.admin – manages (adds, edits) organisations and their users; can also view datasets and change their status.
  2. node.sys.audit – same as node.sys.admin but limited to read-only access.

Data-provider’s organisation-level roles

Technically a user can have more than one role per organisation. Without roles, the user is no longer an active member of the organisation.

  1. node.org.admin - modifies organisation info, users, and storage access parameters.
  2. node.org.dataset - uploads and manages the visibility of all datasets under the organisation.

Implicit permissions for users

Assuming a data-provider’s organisation is enabled and a user has at least one role in it, the user can:

  1. view all active users of the organisation.
  2. view whether the organisation’s storage is configured and accessible.
  3. view the list of organisation’s datasets.