# Role-based Access Control (RBAC)

Each request to the system requires that the current user holds a specific permission. Instead of assigning permissions to each user directly, permissions are grouped into ready-to-use roles and each user is assigned a role. When the user makes a request, the system checks whether one of the user's roles contains the required permission and authorizes the action on that basis.

Each permission is identified by a resource and an operation. Operations without a suffix are scoped by the condition in their description (the bucket the user owns, the workflow the user develops, the resource the user maintains, and so on); the `_any` and `_all` variants apply to every object in the system regardless of ownership. The role check alone cannot evaluate the scope condition, so it has to be enforced against the individual object after the role check succeeds. The `No role` column lists what an authenticated user without any assigned role may do; it is not inherited by the other roles. Note that the `read_any`, `list_all` and `delete_any` operations on API tokens are granted to no role, including Admin.

## Permission to Role mapping

| Name | Description | Resource | Operation | No role | Authorized user | Developer | Reviewer | DBMaintainer | Admin |
|------|-------------|----------|-----------|:-------:|:---------------:|:---------:|:--------:|:------------:|:-----:|
| Create Bucket | Create a bucket | bucket | create | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Read Bucket | Read the meta-data and contents of a bucket that the user owns or has a bucket permission for | bucket | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update Bucket | Update the public state of a bucket that the user owns | bucket | update | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Update any Bucket | Update the public state of any bucket | bucket | update_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List Buckets | List all buckets that the user owns or has a bucket permission for | bucket | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Bucket | Read the meta-data and contents of any bucket | bucket | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List all Buckets | List all buckets in the system | bucket | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Bucket | Delete a bucket that the user owns | bucket | delete | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete any Bucket | Delete any bucket in the system | bucket | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Create Bucket Permission | Create a bucket permission | bucket_permission | create | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| Read Bucket Permission | Read a bucket permission where the user is the grantee or the owner of the bucket | bucket_permission | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List Bucket Permissions | List all bucket permissions of a bucket that the user owns, or all bucket permissions granted to the user | bucket_permission | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Bucket Permission | Read any bucket permission in the system | bucket_permission | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List all Bucket Permissions | List all bucket permissions in the system | bucket_permission | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Bucket Permission | Delete a bucket permission where the user is the grantee or the owner of the bucket | bucket_permission | delete | ✓ | ✓ | ⨯ | ✓ | ✓ | ✓ |
| Delete any Bucket Permission | Delete any bucket permission in the system | bucket_permission | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Update Bucket Permission | Update a bucket permission where the user is the owner of the bucket | bucket_permission | update | ⨯ | ✓ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Create S3 Key | Create an S3 key | s3_key | create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read S3 Key | Read an S3 key | s3_key | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List S3 Keys | List all S3 keys that the user owns | s3_key | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete S3 Key | Delete an S3 key that the user owns | s3_key | delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete any S3 Key | Delete any S3 key in the system | s3_key | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Start Workflow Execution | Start a workflow execution | workflow_execution | create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Start unpublished Workflow Version | Start a workflow execution with an unpublished workflow version | workflow_execution | create_any | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Read Workflow Execution | Read the meta-data of a workflow execution that the user owns | workflow_execution | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List Workflow Executions | List all workflow executions that the user owns | workflow_execution | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Workflow Execution | Read the meta-data of any workflow execution in the system | workflow_execution | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| List all Workflow Executions | List all workflow executions in the system | workflow_execution | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Cancel Workflow Execution | Cancel an active workflow execution that the user owns | workflow_execution | cancel | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cancel any Workflow Execution | Cancel any active workflow execution in the system | workflow_execution | cancel_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Workflow Execution | Delete a workflow execution that the user owns | workflow_execution | delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete any Workflow Execution | Delete any workflow execution in the system | workflow_execution | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| Create Workflow | Create a new workflow | workflow | create | ⨯ | ⨯ | ✓ | ⨯ | ⨯ | ✓ |
| Read Workflow | Read the meta-data and published versions of any workflow, and all versions of workflows of which the user is the developer | workflow | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read all Workflow Versions | Read the meta-data and all versions of any workflow | workflow | read_any | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| List Workflows | List the meta-data of all workflows and their latest published version | workflow | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List filtered Workflows | List the meta-data of all workflows and their latest published version based on a privileged filter (developer, …) | workflow | list_all | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Update Workflow | Update a workflow and deprecate versions of workflows of which the user is the developer | workflow | update | ⨯ | ⨯ | ✓ | ⨯ | ⨯ | ✓ |
| Change Workflow Version Status | Change the status of a workflow version, e.g. to publish it | workflow | update_status | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Delete Workflow | Delete a complete workflow from the system where the user is the developer | workflow | delete | ⨯ | ⨯ | ✓ | ⨯ | ⨯ | ✓ |
| Delete any Workflow | Delete any workflow from the system | workflow | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| | | | | | | | | | |
| List Users | List all users in the system with their roles | user | list | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Read User | Read the user that is currently logged in | user | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any User | Read any user in the system | user | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Search User | Search users by name | user | search | ⨯ | ✓ | ⨯ | ✓ | ⨯ | ✓ |
| | | | | | | | | | |
| Get API token | Get the meta-information about an API token that belongs to the user | api_token | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Get any API token | Get the meta-information about any API token | api_token | read_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ |
| List API tokens | List the meta-information about all API tokens that belong to the user | api_token | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List all API tokens | List the meta-information about all API tokens in the system | api_token | list_all | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ |
| Create API token | Create a new API token | api_token | create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete API token | Delete an API token that belongs to the user | api_token | delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete any API token | Delete any API token in the system | api_token | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ |
| | | | | | | | | | |
| Read Resource | Read the meta-data and public versions of any resource, and all versions of resources of which the user is the maintainer | resource | read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read any Resource | Read the meta-data and all versions of any resource | resource | read_any | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| List Resources | List the meta-data of all resources and their latest public version | resource | list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| List filtered Resources | List the meta-data of all resources and their latest public version based on a privileged filter (maintainer, …) | resource | list_all | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
| Request Resource | Request a new resource | resource | create | ⨯ | ⨯ | ⨯ | ⨯ | ✓ | ✓ |
| Update Resource | Update versions of a resource of which the user is the maintainer | resource | update | ⨯ | ⨯ | ⨯ | ⨯ | ✓ | ✓ |
| Update any Resource | Update any resource in the system | resource | update_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete Resource | Delete a resource and its versions from the system | resource | delete | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Delete on cluster / S3 | Delete the resource version on the cluster or in S3 | resource | delete_any | ⨯ | ⨯ | ⨯ | ⨯ | ⨯ | ✓ |
| Request synchronization | Request the synchronization of the resource version to the cluster | resource | request_sync | ⨯ | ✓ | ⨯ | ✓ | ✓ | ✓ |
| Synchronize Denied Resource | Accept or reject a review of a resource version | resource | update_status | ⨯ | ⨯ | ⨯ | ✓ | ⨯ | ✓ |
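The two-stage check the table implies, as an added example that is not part of this page or of the project's code base. It encodes a subset of the table above with the role and operation names as written there; the function names `has_permission` and `authorize_bucket`, the `Bucket` record and the `NO_ROLE` marker are assumptions made for the illustration, not the project's data model. The example shows the part RBAC alone does not decide: a plain operation such as `bucket/delete` only passes if the ownership condition from the Description column holds for the concrete object, whereas the `_any` variant bypasses that condition. Unknown (resource, operation) pairs and the API-token `*_any` rows, which no role holds, deny by default.

```python
"""Permission-to-role check for the RBAC table above (added example, not project code)."""
from dataclasses import dataclass, field

# Marker for the "No role" column: applies only to users with no role assigned,
# it is not inherited by the other roles (assumption, matching the table as written).
NO_ROLE = "No role"
EVERYONE = frozenset({NO_ROLE, "Authorized user", "Developer", "Reviewer", "DBMaintainer", "Admin"})

# Subset of the table: (resource, operation) -> roles that hold the permission.
PERMISSIONS = {
    ("bucket", "create"):            frozenset({"Authorized user", "Admin"}),
    ("bucket", "read"):              EVERYONE,
    ("bucket", "read_any"):          frozenset({"Admin"}),
    ("bucket", "update"):            frozenset({"Authorized user", "Admin"}),
    ("bucket", "update_any"):        frozenset({"Admin"}),
    ("bucket", "delete"):            frozenset({"Authorized user", "Admin"}),
    ("bucket", "delete_any"):        frozenset({"Admin"}),
    ("workflow", "create"):          frozenset({"Developer", "Admin"}),
    ("workflow", "update_status"):   frozenset({"Reviewer", "Admin"}),
    ("api_token", "read"):           EVERYONE,
    ("api_token", "read_any"):       frozenset(),   # granted to nobody, not even Admin
}


def has_permission(user_roles, resource, operation):
    """Role-level check: does any of the user's roles carry (resource, operation)?

    A user without roles is evaluated against the "No role" column.
    A permission that is not in the mapping is denied (fail closed).
    """
    granted = PERMISSIONS.get((resource, operation), frozenset())
    effective = set(user_roles) if user_roles else {NO_ROLE}
    return not effective.isdisjoint(granted)


@dataclass
class Bucket:
    """Minimal bucket record (assumed shape, only what the scope check needs)."""
    name: str
    owner: str
    grantees: set = field(default_factory=set)   # users holding a bucket permission


def authorize_bucket(user, user_roles, operation, bucket):
    """Object-level check for bucket read/update/delete.

    1. '<operation>_any' applies to every bucket regardless of ownership.
    2. Otherwise the plain operation must be held AND the scope condition
       from the Description column must hold for this bucket:
       read  -> owner or grantee of a bucket permission
       update/delete -> owner only
    """
    if operation not in ("read", "update", "delete"):
        return False                                     # unknown scoped operation
    if has_permission(user_roles, "bucket", operation + "_any"):
        return True
    if not has_permission(user_roles, "bucket", operation):
        return False
    if operation == "read":
        return user == bucket.owner or user in bucket.grantees
    return user == bucket.owner


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    shared = Bucket("data", owner="alice", grantees={"bob"})
    print(authorize_bucket("bob", ["Authorized user"], "read", shared))    # True: grantee
    print(authorize_bucket("bob", ["Authorized user"], "delete", shared))  # False: not owner
    print(authorize_bucket("bob", ["Admin"], "delete", shared))            # True: delete_any
    print(has_permission(["Admin"], "api_token", "read_any"))              # False: nobody holds it
```

The mapping is deliberately a static dictionary keyed by `(resource, operation)`: a request handler names the permission it needs and never reasons about roles itself, so adding or re-scoping a role is a change to one table rather than to every endpoint. Keep the object-level condition next to the role check rather than in the handler, otherwise a handler that forgets it silently turns `delete` into `delete_any`.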