Can you clarify functional differences between Method Repo namespace access levels?

birger Member, Broadie, CGA-mod ✭✭✭

Method Repository Namespaces have three different access levels: READER, OWNER, NO ACCESS. I am an owner of the broadinstitute_cga namespace. A member of the CGA group here at the Broad recently asked me to grant him permission to publish a method to this namespace. As an owner I can edit the namespace ACL, and so I gave the researcher READER level access to the namespace thinking that this would give the user write privileges to the namespace (since there was no explicit WRITER access level). It turns out that READER access level does not grant a user write privileges to a namespace...I had to grant the researcher OWNER privileges in order for him to be able to publish to the namespace. It's unclear to me what privileges READER level access grants a user...if I have READER level access to a namespace, does that give me privileges to run all methods under that namespace?

Could you please provide a clear explanation of the three method repo namespace access levels and the privileges each of the access levels confers? I could not find this in any of the on-line documentation.

thanks.

Answers

  • KateN (Cambridge, MA) Member, Broadie, Moderator admin

    Our documentation is certainly lacking in that facet; we hope to fix that soon as we are working on documenting quite a lot of FireCloud at the moment. For now, here's a quick table to define those access permissions you requested.

    FireCloud Permission | What you can do with it
    OWNER                | Read, Write, Create, Redact, Manage
    READER               | Read
    NO ACCESS            | (none)
  • birger Member, Broadie, CGA-mod ✭✭✭

    What does it mean to have Read access to method repo namespace? If I have read access to a namespace, does that mean I can run any workflow published under that namespace?

    What does it mean to have Write, Create, Redact or Manage privileges in a namespace?

    Write/Create - Does this mean I can create new workflows or edit existing workflows under that namespace? I'm not sure what the distinction between the two would be.

    Redact - Does this mean I can redact any workflow under that namespace?

    Manage - Does this mean I can edit the ACLs on the namespace?

    Also, it is unclear how the namespace-level permissions interact with the workflow-level permissions. Which take precedence?

    thanks.

  • KateN (Cambridge, MA) Member, Broadie, Moderator admin

    Write/Create: With this permission, you can write or create workflows using that namespace. For instance, if I were a READER, I would not be able to create a new workflow under your namespace.
    Redact: With this permission, you can redact someone's access to that namespace. In order to redact a workflow under the namespace, you need Redact permission to the workflow itself.
    Manage: I will get back with you on this one; I need to check with a developer to be sure, but I believe it's the ability to edit permissions for the namespace.

    Namespace-level permissions control access to the namespace itself. Workflow-level permissions allow you to write/create/edit/redact/manage permissions for the method or configuration you have access to.

    For example, let's say I have a non-publicly readable workflow called helloworld, published under my personal namespace, knoblett. If I were to give you OWNER access to the namespace, you would be able to write new workflows under that namespace, give other people access to the namespace, and even remove me from the namespace. You would be unable to view, edit, or redact helloworld.

    Let's say I removed your access completely from the namespace and instead gave you OWNER access to helloworld. You would be able to view, edit, redact, or manage permissions on that particular workflow. You would be unable to view the namespace's access list, and you would be unable to publish any new workflows under that namespace.

    I hope this clears it up for you; I'm pushing for an easier way to express this in FireCloud itself so you won't need to remember what permissions a READER has, for instance.
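
The two scenarios in the post above, modeled as two independent ACL layers. This is an added example, not part of the post and not FireCloud code; the class, function, action and user names are constructed for illustration, and what "Read" covers at the namespace level is left empty because the thread does not say.

```python
# Added illustration, not FireCloud code: names, users and data are constructed.
from dataclasses import dataclass, field

# Actions per level, taken from the table and examples in the thread.
NAMESPACE_ACTIONS = {
    "OWNER": {"publish_workflow", "view_namespace_acl", "edit_namespace_acl"},
    "READER": set(),      # thread: READER cannot publish; what "Read" covers is not stated
    "NO ACCESS": set(),
}
WORKFLOW_ACTIONS = {
    "OWNER": {"view", "edit", "redact", "edit_workflow_acl"},
    "NO ACCESS": set(),
}

@dataclass
class MethodRepo:
    namespace_acl: dict = field(default_factory=dict)  # {namespace: {user: level}}
    workflow_acl: dict = field(default_factory=dict)   # {(namespace, workflow): {user: level}}

    def can(self, user, action, namespace, workflow=None):
        """Check one layer only: neither ACL inherits from the other."""
        if workflow is None:
            level = self.namespace_acl.get(namespace, {}).get(user, "NO ACCESS")
            return action in NAMESPACE_ACTIONS.get(level, set())
        level = self.workflow_acl.get((namespace, workflow), {}).get(user, "NO ACCESS")
        return action in WORKFLOW_ACTIONS.get(level, set())

def excess_namespace_actions(level, needed):
    """Actions a namespace level grants beyond what the user actually needs."""
    return NAMESPACE_ACTIONS[level] - set(needed)

# Scenario 1: "guest" is namespace OWNER but has no entry on the workflow ACL.
ns_owner = MethodRepo(
    {"knoblett": {"kate": "OWNER", "guest": "OWNER"}},
    {("knoblett", "helloworld"): {"kate": "OWNER"}},
)
# Scenario 2: "guest" is removed from the namespace but is OWNER of the workflow.
wf_owner = MethodRepo(
    {"knoblett": {"kate": "OWNER"}},
    {("knoblett", "helloworld"): {"kate": "OWNER", "guest": "OWNER"}},
)

if __name__ == "__main__":
    for name, repo in (("namespace OWNER", ns_owner), ("workflow OWNER", wf_owner)):
        print(name,
              "| publish:", repo.can("guest", "publish_workflow", "knoblett"),
              "| view helloworld:", repo.can("guest", "view", "knoblett", "helloworld"))
    print("extra rights when only publishing is needed:",
          sorted(excess_namespace_actions("OWNER", ["publish_workflow"])))
```

The last line shows the least-privilege cost raised in the original question: with no WRITER level, granting OWNER so that someone can publish also hands over control of the namespace ACL.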

  • birger Member, Broadie, CGA-mod ✭✭✭

    If I grant someone READER access to a namespace, does that mean the individual can run any workflow in that namespace?

    I'm still confused what Redact privileges on a namespace are. What does it mean to redact someone's access to a namespace...is it the same as changing someone's access to a workspace to NO ACCESS?

  • Tiffany_at_Broad (Cambridge, MA) Member, Administrator, Broadie, Moderator admin

    Hi Chet,
    Let me know if demonstrating these two use cases clears this up:
    1. Assuming I have No access to the broad-cga namespace, when I click the namespace and method I see this:

    2. I grant another account of mine "Reader" access to a namespace I own. Then log in with that account and click the namespace and method.

    From tmm211 experience:

    The experience is the exact same. An individual's ability to run workflows is not controlled by the namespace permissions. I imported a broad-cga method into my workspace without issue: broad-cga WXS_hg19_MutationCalling_CN_v1-1_BETA_cfg

    Yes, redacting access as an Owner means giving someone no access to the namespace. When I set No access to my tmm211 account, I had the same experience as demonstrated in 2.

    Does this help?

  • gordon123 (Broad) Member, Broadie

    What does it mean if the public checkbox is checked? Does the world have Owner or Reader access to the namespace?

  • gordon123 (Broad) Member, Broadie

    Also, does READER access grant the user the ability to list the methods under the namespace from the Method Repo?

  • KateN (Cambridge, MA) Member, Broadie, Moderator admin

    No, Reader access does not grant the user the ability to list the methods under that namespace.

    I am following up with a developer to find out the answer to your other question, as when I experimented with the public checkbox, I couldn't find a difference.

  • Tiffany_at_Broad (Cambridge, MA) Member, Administrator, Broadie, Moderator admin

    @gordon123 I just tested making one of my namespaces publicly readable and it did not enable the world to have Owner or Reader access to my namespace.
