Newer
Older
# Role-based Access Control (RBAC)
Each request to the system requires that the current user has a permission. Instead of assigning each user the
permission directly, they are group into ready to use roles and an individual user is assign a role. When the user makes
a request, the system looks if the user has a roles that contains the required permission and authorized this action
based on the users roles.
## Permission to Role mapping
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
| Name | Description | Resource | Operation | No role | Authorized user | Developer | Reviewer | DBMaintainer | Admin |
|------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------------|---------------|:-------:|:---------------:|:---------:|:--------:|:------------:|:-----:|
| Create Bucket | Create a bucket | bucket | create | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Read Bucket | Read the meta-data and contents of a bucket, that the user owns or bucket has permission for | bucket | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update Bucket | Update the public state of a bucket that the user owns | bucket | update | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Update any Bucket | Update the public state of a any bucket | bucket | update_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List Buckets | List all buckets that the user owns or has permission for | bucket | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Bucket | Read the meta-data and contents of any bucket | bucket | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List all Buckets | List all buckets that are in the system | bucket | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Bucket | Delete a bucket that the user owns | bucket | delete | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete any Bucket | Delete any bucket in the system | bucket | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Create Bucket Permission | Create a bucket permission | bucket_permission | create | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Read Bucket Permission | Read a bucket permission where the user is the grantee or owner of the bucket | bucket_permission | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List Bucket Permission | List all bucket permissions of a bucket where the user is the owner of or of himself | bucket_permission | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Bucket Permission | Read any bucket permission in the system | bucket_permission | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List all Bucket Permissions | List all bucket permissions in the system | bucket_permission | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Bucket Permission | Delete a bucket permission where the user is the grantee or owner of the bucket | bucket_permission | delete | ✓ | ✓ | ⨯ | ✓ | ✓ | ✓ |
| Delete any Bucket Permission | Delete any bucket permission in the system | bucket_permission | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Update Bucket Permission | Update a bucket permission where the user os the owner of the bucket | bucket_permission | update | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Create S3 Key | Create a S3 Key | s3_key | create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read S3 Key | Read a S3 Key | s3_key | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List S3 Keys | List all S3 Keys where the user is the owner | s3_key | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete S3 Key | Delete a S3 Key where the user is the owner | s3_key | delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete Any S3 Key | Delete any S3 Key in the system | s3_key | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Start Workflow Execution | Start a workflow execution | workflow_execution | create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Start unpublished Workflow Version | Start a workflow execution with an unpublished workflow | workflow_execution | create_any | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Read Workflow Execution | Read the meta-data of a workflow execution where the user is the owner | workflow_execution | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List Workflow Executions | List all workflow executions where the user is the owner | workflow_execution | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read Any Workflow Execution | Read the meta-data of any workflow execution in the system | workflow_execution | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List all Workflow Executions | List all workflow executions in the system | workflow_execution | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Cancel Workflow Execution | Cancel an active workflow execution where the user is the owner | workflow_execution | cancel | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cancel Any Workflow Execution | Cancel any active workflow execution in the system | workflow_execution | cancel_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Workflow execution | Delete a workflow execution where the user is the owner | workflow_execution | delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete Any Workflow execution | Delete any workflow execution in the system | workflow_execution | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Create Workflow | Create a new workflow | workflow | create | ⨯ | ⨯ | ✓ | ⨯ | ⨯ | ✓ |
| Read Workflow | Read the meta-data and published versions of any workflow and versions where the user is the developer of | workflow | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read all Workflow Versions | Read the meta-data and all versions of any workflow | workflow | read_any | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| List Workflows | List the meta-data of all workflows and their latest published version | workflow | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List filtered Workflow | List the meta-data of all workflows and their latest published version based on a privileged filter (developer, …) | workflow | list_all | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Update Workflow | Update a workflow and deprecate versions where the user is the developer of | workflow | update | ⨯ | ⨯ | ✓ | ⨯ | ⨯ | ✓ |
| Change Workflow Version Status | Change the status of a workflow version, e.g. for publishing it | workflow | update_status | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Delete Workflow | Delete a complete workflow from the system where the user is the developer | workflow | delete | ⨯ | ⨯ | ✓ | ⨯ | ⨯ | ✓ |
| Delete any Workflow | Delete any workflow from the system | workflow | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| List Users | List all users in the system with their roles | user | list | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Read User | Read the user that is currently logged in | user | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any User | Read any user in the system | user | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Search User | Search users based on their name | user | search | ⨯ | ✓ | ⨯ | ✓ | ⨯ | ✓ |
| | | | | | | | | | |
| Get API token | Get the meta-information about an API token that belongs the user | api_token | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Get any API token | Get the meta-information about an any API token | api_token | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ |
| List API token | List the meta-information about all API token that belongs to the user | api_token | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List all API token | List the meta-information about all API token in the system | api_token | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ |
| Create API token | Create a new API token | api_token | create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete API token | Delete an API token that belongs to the user | api_token | delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete any API token | Delete any API token in the system | api_token | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ |
| | | | | | | | | | |
| Read Resource | Read a meta-data and its public version of any resource and versions where the user is the maintainer of | resource | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Resource | Read the meta-data and all versions of any resource | resource | read_any | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| List Resources | List the meta-data of all resources and their latest public version | resource | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List filtered Resources | List the meta-data of all workflows and their latest public version based on a privileged filter (maintainer, …) | resource | list_all | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Request Resource | Request a new resource | resource | create | ⨯ | ⨯ | ⨯ | ⨯ | ✓ | ✓ |
| Update Resource | Update a resource versions where the user is the maintainer of | resource | update | ⨯ | ⨯ | ⨯ | ⨯ | ✓ | ✓ |
| Update any Resource | Update any resource in the system | resource | update_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Resource | Delete a resource and its versions from the system | resource | delete | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete on cluster / S3 | Delete the resource version on the cluster or S3 | resource | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Request synchronization | Request the synchronization of the resource version to the cluster | resource | request_sync | ⨯ | ✓ | ⨯ | ✓ | ✓ | ✓ |
| Synchronize Denied Resource | Accept or reject a review of a resource version | resource | update_status | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |