wiki:Modules/Auth

Version 9 (modified by Erik Roos, 14 years ago) (diff)

--

Authentication and Authorization module

Requirements list

Authentication

  • Registration of users includes email verification
  • Users should be able to login and logout

Authorization

  • Resources are tables, rows, columns, files (for pipelines?)
  • Subjects are users, groups, public users (unauthenticated) and exactly one administrator
  • Permissions include read, write, execute (for pipelines?) and ownership
  • Resources must have exactly one user with ownership rights
  • Permissions are provided for resources x subjects
  • The administrator has all permissions excluding ownership on all resources
  • Authenticated users can request permissions for resources. Requests are sent to the user with ownership rights of the resource.
  • Groups can be created by users who have write rights on the MolgenisGroup? table. The administrator is the owner of the MolgenisGroup? table and can delegate rights to other users.
  • In case of an UpdateDatabase? all permissions are reset (except for administrator)
  • The public user has reading permissions on all resources
  • Administrator can pass on permissions from parent tables to child tables with a toggle button

Example

Table: ObservedValue

read write execute ownership
User1 x x x x
User2 x x -(?)
Group1 x -(?)
Group2 x x x -(?)
...
Admin x x x -

Needs of the PhenoFlow module (lifelines, bbmri, gids2.0, col7a1, xgap)

PhenoFlow is the user interface for searching, browsing and extracting phenotype data from the Pheno model. This browsing module will be central in most of our applications.

The systems (that will be) using this module are

  • LifeLines (datawarehouse)
  • BBMRI-NL (biobank catalog) and
  • gids (2.0).
  • COL7A1 Phenotype/Patient? browser (here one gene == one investigation)
  • XGAP data browser

Requirements:

  • Users need to be able to login
  • All registered users have edit permissions to create new investigations
  • All existing investigations can only be listed (names) but no other values
  • All investigations are owned by one or more persons
  • If not yet owned, users can request to become manager of an investigation.
  • Otherwise users can request read access to the investigation
  • Users can create groups of themselves (except for lifelines)
  • Users can share an investigation and all its components to [public, groups, whitelists of users) for viewing
  • The sharing rules can be read or write (so that means they can transfer management of an investigation)
  • All InvestigationElement? inherit the sharing rules set on an investigation (hence, if the investigation is public so are all its elements)
  • Individual investigation elements, and the dataelements that refer to them can have different permissions (lifelines)

Issues:

See www.myexperiment.org for some inspiration on how this 'sharing' model can work. See www.myexperiment.org for some inspiration on how this 'sharing' model can work.

Needs of the xQTL Workbench

Requirements:

General:

  • All data input/output needs to be closed / secured
  • Unregistered users can still view public datasets

User:

  • Users need to be able to register (as users)
  • Confirmation email to the registrar
  • Users need to be able to register/confirm their email
  • Users need to be able to login
  • When loged in users are able to view public datasets and their own datasets

Admin:

  • Administrators need to be able to: Authenticate users, Ban users, Delete unused accounts
  • Administrators are not able to register, view all,execute all
  • Users cannot be promoted to admin, admins cannot be demoted to users
  • Admins donnot register, but are 'hardcoded' into the application