Permissions
A central aspect of the model data explorer is permissions management. We aim for a framework where you can collaboratively edit the database content and access the resources of your groups.
In this user story, we want to define the implications of the group-user-model-run relations (see #17) for the permission system.
Each relation between a user and a group should define:
- Whether the group owners can edit the user's model runs
- Whether the group members can view the user's model runs
Each relation between groups should define:
- Whether the parent group owner can edit the model runs of the child group
- Whether the parent group members can view the model runs of the child group
Each relation between model runs and users should define:
- Whether the user can edit the model run
- Whether the user can view the model run
Each relation between model runs and groups should define:
- Whether the group owners can edit a model run
- Whether the group members can edit a model run
Editing model runs should be further refined per app, i.e. we want to distinguish whether a user with edit rights can edit model run metadata, THREDDS catalog entries, visualization parameters, backend modules, or files on the SFTP server.
Another important aspect is the approval of edit rights. Group owners should be able to add members, but the members should then grant permissions for these groups.
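A minimal sketch of how the relations and the approval step above could be evaluated, added here as an illustration and not taken from the project's code. All class, field and scope names are hypothetical, and it assumes that a user-group edit grant covers every app and only takes effect once the member has approved it; group-group relations are left out.

```python
from dataclasses import dataclass, field
# Added example: all names are hypothetical. Scopes mirror the apps listed above.
SCOPES = frozenset({"metadata", "thredds", "visualization", "backend", "sftp"})

@dataclass
class Membership:
    """User-group relation. The flags are granted by the member, not the owner."""
    is_owner: bool = False
    approved: bool = False          # member has confirmed the flags below
    owners_can_edit: bool = False   # group owners may edit this user's runs
    members_can_view: bool = False  # group members may view this user's runs

@dataclass
class ModelRun:
    owner: str
    user_edit: dict = field(default_factory=dict)         # user -> set of scopes
    user_view: set = field(default_factory=set)           # users with view rights
    group_owner_edit: dict = field(default_factory=dict)  # group -> set of scopes

class Policy:
    def __init__(self):
        self.memberships = {}  # (user, group) -> Membership

    def _shared_groups(self, actor, target):
        """Yield (actor membership, target membership) for each common group."""
        for (user, group), m in self.memberships.items():
            t = self.memberships.get((target, group))
            if user == actor and t is not None:
                yield m, t

    def can_edit(self, actor, run, scope):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        if actor == run.owner or scope in run.user_edit.get(actor, ()):
            return True
        # Run-group relation: owners of a group the run is shared with.
        for group, scopes in run.group_owner_edit.items():
            m = self.memberships.get((actor, group))
            if m and m.is_owner and scope in scopes:
                return True
        # User-group relation: ignored until the member has approved it.
        return any(a.is_owner and t.approved and t.owners_can_edit
                   for a, t in self._shared_groups(actor, run.owner))

    def can_view(self, actor, run):
        if actor == run.owner or actor in run.user_view:
            return True
        return any(t.approved and t.members_can_view
                   for _, t in self._shared_groups(actor, run.owner))
```

Denying by default until `approved` is set means a group owner cannot gain access to a user's model runs simply by adding that user to a group.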
The outcome of this user story will be a workflow description for the points mentioned above. @philipp.sommer will come up with an initial draft and discuss this with the team. We will revise it and discuss it during a second meeting.
Related user story (Hereon internal access only): #175