Possible to disable upload for some users?

Dear all,

I was wondering if it’s possible to prevent some users from uploading data?
In our setup, we have a smallish RAID attached to the DSS, therefore, large datasets and, in particular, users that belong to our collaboration but not the institute, should upload & link the data to S3. Users from the institute should, ideally, still be able to upload small/medium sized datasets but we are wondering if there is a way to prevent other users from doing that (other than by convention)?

Many thanks

Dear @kerzel,
what you are searching for is briefly described here.
https://openbis.readthedocs.io/en/latest/user-documentation/general-admin-users/admins-documentation/user-registration.html#observer

openBIS roles

Observer

This role can be assigned to the whole openBIS instance (Instance Observer) or to specific Spaces or Projects (Space or Project Observer). Users with this role have read-only access to the whole openBIS (Instance Observer), or to a specified Space or Project (Space or Project Observer).

An Observer can see and search everything in an openBIS instance or the Space/Project which they have access to. They can also download datasets. They cannot modify nor delete anything.

Dear @artur.pedziwilk ,

many thanks - hm, what I’m looking for (and it may well be that it doesn’t exist) is that the users can create new projects, entries, collections, modify experiments, etc as a “normal” user would - but they cannot add datasets. i.e. they can add/modify/delete metadata, etc - but not fill up the storage space.

You should be able to do this by modifying the capabilities role map: Optional Application Server Configuration — Python documentation

By default SPACE_USER/PROJECT_USER can create datasets. You can try to set this to a higher role.

Dear @cbarillari

many thanks - would it be possible to add another user role in this way, i.e. a “regular” user that has the current capabilities (including uploading data), as well as a new user that is identical to the current user behaviour, except they can’t upload data?

Many thanks
Ulrich

Dear Ulrich,

I am afraid that this is not possible. The roles are fixed, what can be modified are the capabilities assigned to each role.

Dear @cbarillari ,

I see - so I guess the next best shot would be to look into modifying the super_user role and see if we need it or if we can “abuse” it for this purpose.
(Well, of course we need it, it’s more the question what we would need more…)

many thanks
Ulrich

Dear all,

hm, going down that route doesn’t seem to be that easy (and the system wasn’t built for it…)

I’ve tried to start with the etc/capabilities file below (I’m sure that needs more editing).
Then, I think I would need to reduce the role to USER for the personal space (by default, it’s SPACE_ADMIN, but then they have full rights there).

However, then the user cannot create projects in their own space, so I tried to move the capability CREATE_PROJECT down to role USER. That works in the sense that then the UI element appears to enter the relevant details for creating a project.
However, this leads to the error message:

Authorization failure: ERROR: "None of method roles '[SPACE_POWER_USER, SPACE_ADMIN, INSTANCE_ADMIN, SPACE_ETL_SERVER, INSTANCE_ETL_SERVER]' could be found in roles of user 'testuser_upload'.".

with the corresponding exception showing up in the log-file.

Not sure…
Many thanks and best wishes
Ulrich

CREATE_DATASET : SPACE_POWER_USER
CREATE_DATASET : SPACE_ETL_SERVER
CREATE_DATASET : INSTANCE_ADMIN
CREATE_DATASET : PROJECT_POWER_USER
CREATE_DATASET : INSTANCE_ETL_SERVER

UPDATE_DATASET : SPACE_POWER_USER


WRITE_DATASET : SPACE_POWER_USER
WRITE_DATASET_PROPERTIES : SPACE_POWER_USER

DELETE_DATASET : SPACE_ADMIN
DELETE_DATASET : INSTANCE_ADMIN
DELETE_DATASET : SPACE_ETL_SERVER


CREATE_PROJECT : SPACE_USER
CREATE_PROJECT : INSTANCE_ADMIN
CREATE_PROJECT : SPACE_ETL_SERVER
CREATE_PROJECT : INSTANCE_ETL_SERVER

UPDATE_PROJECT : SPACE_USER
UPDATE_PROJECT : INSTANCE_ADMIN
UPDATE_PROJECT : SPACE_ETL_SERVER
UPDATE_PROJECT : INSTANCE_ETL_SERVER

2024-02-27 13:05:12,808 ERROR [Service Conversations-T10::1709035512763-1320186238 (ch.systemsx.cisd.openbis.generic.shared.IServiceForDataStoreServer)] OPERATION.ServiceForDataStoreServer - An exception has occurred while processing method: 'IServiceForDataStoreServer.performEntityOperations'.
ch.systemsx.cisd.common.exceptions.AuthorizationFailureException: Authorization failure: ERROR: "None of method roles '[SPACE_POWER_USER, SPACE_ADMIN, INSTANCE_ADMIN, SPACE_ETL_SERVER, INSTANCE_ETL_SERVER]' could be found in roles of user 'testuser_upload'.".
        at ch.systemsx.cisd.openbis.generic.server.authorization.AuthorizationAdvisor$AuthorizationMethodInterceptor.invoke(AuthorizationAdvisor.java:166)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy176.assertProjectCreationAllowed(Unknown Source)
        at ch.systemsx.cisd.openbis.generic.server.ServiceForDataStoreServer.checkProjectCreationAllowed(ServiceForDataStoreServer.java:2350)
        at ch.systemsx.cisd.openbis.generic.server.ServiceForDataStoreServer.createProjects(ServiceForDataStoreServer.java:2333)
        at ch.systemsx.cisd.openbis.generic.server.ServiceForDataStoreServer.performEntityOperations(ServiceForDataStoreServer.java:1894)
        at jdk.internal.reflect.GeneratedMethodAccessor488.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
....

Dear all,

maybe trying to tackle this another way…
Is there a way to query a space/experiment/object about who has access?

E.g. if I create a space, I can go to More → Manage Access and add users to such a space. Where is this information stored, i.e. can I get a list of users in, say, a space and then compare this to the current user?

many thanks
Ulrich

Dear all,

hm, digging around a bit, maybe like this?

from pybis import Openbis  # pyBIS client library

oBis = Openbis('https://openbis.example.org')  # placeholder URL; call oBis.login(...) before the queries below
fdm1 = oBis.get_person('fdm2024_user_1')  # Person object for the given user id
print(type(fdm1))
roles = fdm1.get_roles(space='FDM_DEMO_SPACE').df  # role assignments of that user in the space, as a DataFrame
print(type(roles))
print(roles.role)
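Putting the two threads of this discussion together (the capabilities role map suggested by @cbarillari and the pyBIS role query above), here is an added example, not code from the thread or from the openBIS project, that parses a capabilities map in the `CAPABILITY : ROLE` line format used in the etc/capabilities file, works out which openBIS role names a user holds in a given space from role-assignment records, and reports whether that user may create projects but not datasets there. The capability map and the role records are constructed for the example; the record column names (role, roleLevel, user, space) are an assumption about what pyBIS `get_roles(...).df` returns, and the map is read literally, so every role that should hold a capability is listed explicitly, as the file posted in the thread does. The `fetch_role_records` function is the live variant against a pyBIS connection and is not run offline.

```python
"""Added example: capability map + role assignments -> what a user may do."""

# Capability map in the `CAPABILITY : ROLE` format of etc/capabilities
# (constructed; each line is read literally, one granted role per line).
CAPABILITIES_TXT = """
# datasets: only power users, admins and the DSS may add data
CREATE_DATASET : SPACE_POWER_USER
CREATE_DATASET : PROJECT_POWER_USER
CREATE_DATASET : SPACE_ADMIN
CREATE_DATASET : INSTANCE_ADMIN
CREATE_DATASET : SPACE_ETL_SERVER
CREATE_DATASET : INSTANCE_ETL_SERVER

# projects: ordinary space users may still organise metadata
CREATE_PROJECT : SPACE_USER
CREATE_PROJECT : SPACE_POWER_USER
CREATE_PROJECT : SPACE_ADMIN
CREATE_PROJECT : INSTANCE_ADMIN
CREATE_PROJECT : SPACE_ETL_SERVER
CREATE_PROJECT : INSTANCE_ETL_SERVER
"""

# Role-assignment records shaped like rows of pyBIS get_roles(...).df
# (constructed sample; the column names are an assumption).
ROLE_RECORDS = [
    {"user": "testuser_upload", "role": "USER", "roleLevel": "SPACE", "space": "FDM_DEMO_SPACE"},
    {"user": "testuser_upload", "role": "ADMIN", "roleLevel": "SPACE", "space": "TESTUSER_UPLOAD"},
    {"user": "fdm_power", "role": "POWER_USER", "roleLevel": "SPACE", "space": "FDM_DEMO_SPACE"},
    {"user": "admin", "role": "ADMIN", "roleLevel": "INSTANCE", "space": None},
]


def parse_capabilities(text):
    """Return {capability: set(role names)}; '#' starts a comment, blank lines are skipped."""
    caps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cap, sep, role = line.partition(":")
        cap, role = cap.strip(), role.strip()
        if not sep or not cap or not role:
            raise ValueError(f"malformed capability line: {raw!r}")
        caps.setdefault(cap, set()).add(role)
    return caps


def effective_roles(records, user, space):
    """Role names of `user` that apply in `space`, spelled as openBIS does
    (LEVEL_ROLE, e.g. SPACE_USER). Instance-level roles apply in every space."""
    roles = set()
    for rec in records:
        if rec["user"] != user:
            continue
        if rec["roleLevel"] == "INSTANCE" or rec.get("space") == space:
            roles.add(f'{rec["roleLevel"]}_{rec["role"]}')
    return roles


def allowed(caps, capability, roles):
    """True if at least one of the user's roles is granted the capability."""
    return bool(caps.get(capability, set()) & roles)


def report(caps, records, user, space):
    """Summarise what `user` may do in `space` under the given capability map."""
    roles = effective_roles(records, user, space)
    return {
        "roles": sorted(roles),
        "can_create_project": allowed(caps, "CREATE_PROJECT", roles),
        "can_create_dataset": allowed(caps, "CREATE_DATASET", roles),
    }


def fetch_role_records(openbis, user_id, space):
    """Live variant (assumption: pyBIS Person.get_roles(space=...) as used in the
    thread): read the same records from a logged-in pyBIS connection."""
    person = openbis.get_person(user_id)
    return person.get_roles(space=space).df.to_dict("records")


if __name__ == "__main__":
    caps = parse_capabilities(CAPABILITIES_TXT)
    for user, space in (("testuser_upload", "FDM_DEMO_SPACE"),
                        ("testuser_upload", "TESTUSER_UPLOAD"),
                        ("fdm_power", "FDM_DEMO_SPACE"),
                        ("admin", "FDM_DEMO_SPACE")):
        print(user, space, report(caps, ROLE_RECORDS, user, space))
```

The second `testuser_upload` row models the point made earlier in the thread: a personal space is SPACE_ADMIN by default, so the same user who is restricted to metadata work in FDM_DEMO_SPACE can still create datasets in their own space unless that assignment is lowered too. Note that this checker only evaluates the capability map; the thread's stack trace shows that the DSS path (`performEntityOperations` → `assertProjectCreationAllowed`) enforces its own role list, which a change to the map alone does not reach.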