xQTL workbench - Manage users and permissions
You can edit users and permissions by clicking the Settings tab in the main menu. Then go to Users and permissions. Users, groups, entities and permissions that can be applied across them are all stored in the database and are exposed to the admin in this menu.
User management
The Basic management tab provides you with a number of subtabs where the appropriate settings can be adjusted.
- MolgenisUser: A list of all users which have (some degree of) access to the application.
- 'Admin' (super user) and 'anonymous' (not logged in) are always here.
- Passwords are MD5 hashed, and even when manually adding a new user here (instead of using Registration) the password will be hashed upon saving.
- Entities: All entities which can be assigned permissions to. Entities are:
- Database tables (ENTITY)
- Table views (FORM)
- Menu items (MENU)
- Plugins (PLUGIN)
- Note that if you want to give a user or group permission to edit records of a certain type, you must grant permissions on this ENTITY to be able to read/write, and on FORM in order to see these data in the user interface at all. If a plugin requires acccess to certain datatypes, you must both grant permissions on viewing the PLUGIN, as well as the required ENTITYs.
- MolgenisPermission: Here you apply the actual permissions. A role can be a user or a group. Then select the entity you wish to add a permission on. Lastly, select the permission: read, write or own.
Group management
Making users part of a group saves you from configuring permissions for each individual user. The user is automatically granted all permissions of the group it has been assigned to.
- MolgenisGroup: The groups you can put users in. 'AllUsers' and 'system' are always here.
- MolgenisRoleGroupLink: Here you can put users in groups, or groups inside other groups.
- By default, all users are part of the AllUsers group.
- Admin and anonymous are also part of the special system group.
- Other users can be assigned to newly created groups. For example, the 'bio-user' of the demonstration system is part of the group 'biologist'.
- Groups can be put inside groups. You can use this to create new groups which inherit the permissions of an existing group, and are then given additional permissions. For example, the group 'bioinformatician' is part of the group 'biologist' in the demonstration system. This means a bioinformatician can do all the things a biologist can do, plus any additional permissions.
Sharing permissions
If a user (or group) has own permissions on some entity, this user can choose to share this entity by granting permissions to another user (or group). This is done in a special plugin in the My permissions tab. In xQTL, we choose not to let regular users have access to this functionality by default. Its true use comes into play in applications with row level permissions, which xQTL is (at the moment) not. In that case, a specific user can own an instance of an entity. For example, a biologist user called 'Peter' owns 'Peters_investigation', and can now share this investigation by giving read permissions to biologist user 'Kate'.
