IQSS · vera · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/doc/release-notes/12076-non-superuser-dataverse-linking.md b/doc/release-notes/12076-non-superuser-dataverse-linking.md
@@ -0,0 +1 @@
+Dataverse collection linking and unlinking no longer requires superuser status. Users with the "Link Dataverse" permission on a collection can now perform these actions through the UI and API.
diff --git a/doc/sphinx-guides/source/admin/dataverses-datasets.rst b/doc/sphinx-guides/source/admin/dataverses-datasets.rst
@@ -22,14 +22,14 @@ Moves a Dataverse collection whose id is passed to an existing Dataverse collect
 Link a Dataverse Collection
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Creates a link between a Dataverse collection and another Dataverse collection (see the :ref:`dataverse-linking` section of the User Guide for more information). Only accessible to superusers. ::
+Creates a link between a Dataverse collection and another Dataverse collection (see the :ref:`dataverse-linking` section of the User Guide for more information). ::
 
     curl -H "X-Dataverse-key: $API_TOKEN" -X PUT http://$SERVER/api/dataverses/$linked-dataverse-alias/link/$linking-dataverse-alias
 
 Unlink a Dataverse Collection
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Removes a link between a Dataverse collection and another Dataverse collection. Only accessible to superusers. ::
+Removes a link between a Dataverse collection and another Dataverse collection. Accessible to users with Link Dataverse permission on the linking Dataverse collection.  ::
 
     curl -H "X-Dataverse-key: $API_TOKEN" -X DELETE http://$SERVER/api/dataverses/$linked-dataverse-alias/deleteLink/$linking-dataverse-alias
 

diff --git a/doc/sphinx-guides/source/api/native-api.rst b/doc/sphinx-guides/source/api/native-api.rst
@@ -3475,6 +3475,66 @@ The fully expanded example above (without environment variables) looks like this
 
   curl -H "X-Dataverse-key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -X PUT "https://demo.dataverse.org/api/datasets/24/link/test"
 
+Unlink a Dataset
+~~~~~~~~~~~~~~~~
+
+Removes a link between a dataset and a Dataverse collection (see :ref:`dataset-linking` section of Dataverse Collection Management in the User Guide for more information):
+
+.. code-block:: bash
+
+export API_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+export SERVER_URL=https://demo.dataverse.org
+export DATASET_ID=24
+export DATAVERSE_ID=test
+
+curl -H "X-Dataverse-key: $API_TOKEN" -X DELETE "$SERVER_URL/api/datasets/$DATASET_ID/deleteLink/$DATAVERSE_ID"
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+curl -H "X-Dataverse-key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -X DELETE "https://demo.dataverse.org/api/datasets/24/deleteLink/test"
+
+Link a Dataverse collection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Creates a link between one Dataverse collection and another Dataverse collection (see :ref:`dataverse-linking` section of Dataverse Collection Management in the User Guide for more information):
+
+.. code-block:: bash
+
+export API_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+export SERVER_URL=https://demo.dataverse.org
+export LINKED_DATAVERSE_ID=linked-collection
+export LINKING_DATAVERSE_ID=linking-collection
+
+curl -H "X-Dataverse-key: $API_TOKEN" -X PUT "$SERVER_URL/api/dataverses/$LINKED_DATAVERSE_ID/link/$LINKING_DATAVERSE_ID"
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+curl -H "X-Dataverse-key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -X PUT "https://demo.dataverse.org/api/dataverses/linked-collection/link/linking-collection"
+
+Unlink a Dataverse collection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Removes a link between one Dataverse collection and another Dataverse collection (see :ref:`dataverse-linking` section of Dataverse Collection Management in the User Guide for more information):
+
+.. code-block:: bash
+
+export API_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+export SERVER_URL=https://demo.dataverse.org
+export LINKED_DATAVERSE_ID=linked-collection
+export LINKING_DATAVERSE_ID=linking-collection
+
+curl -H "X-Dataverse-key: $API_TOKEN" -X DELETE "$SERVER_URL/api/dataverses/$LINKED_DATAVERSE_ID/deleteLink/$LINKING_DATAVERSE_ID"
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+curl -H "X-Dataverse-key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -X DELETE "https://demo.dataverse.org/api/dataverses/linked-collection/deleteLink/linking-collection"
+
 Dataset Locks
 ~~~~~~~~~~~~~
 

diff --git a/doc/sphinx-guides/source/user/dataverse-management.rst b/doc/sphinx-guides/source/user/dataverse-management.rst
@@ -221,18 +221,18 @@ In order to link a dataset, you will need your account to have the "Link Dataset
 
 To link a dataset to your Dataverse collection, you must navigate to that dataset and click the white "Link" button in the upper-right corner of the dataset page. This will open up a window where you can type in the name of the Dataverse collection that you would like to link the dataset to. Select your Dataverse collection and click the save button. This will establish the link, and the dataset will now appear under your Dataverse collection.
 
-A draft dataset can be linked to other Dataverse collections. It will only become publicly visible in the linked collection(s) after it has been published. To publish the dataset, your account must have the "Publish Dataset" permission for the Dataverse collection in which the dataset was originally created. Permissions in the linked Dataverse collections do not apply.
+To remove an established link, navigate to the linked dataset's page and click the white "Unlink" button in the upper-right corner of the page.
 
-There is currently no way to remove established links in the UI. If you need to remove a link between a Dataverse collection and a dataset, please contact the support team for the Dataverse installation you are using (see the :ref:`unlink-a-dataset` section of the Admin Guide for more information).
+A draft dataset can be linked to other Dataverse collections. It will only become publicly visible in the linked collection(s) after it has been published. To publish the dataset, your account must have the "Publish Dataset" permission for the Dataverse collection in which the dataset was originally created. Permissions in the linked Dataverse collections do not apply.
 
 .. _dataverse-linking:
 
 Dataverse Collection Linking
 ============================
 
-Similarly to dataset linking, Dataverse collection linking allows a Dataverse collection owner to "link" their Dataverse collection to another Dataverse collection, so the Dataverse collection being linked will appear in the linking Dataverse collection's list of contents without actually *being* in that Dataverse collection. Currently, the ability to link a Dataverse collection to another Dataverse collection is a superuser only feature. 
+Similarly to dataset linking, Dataverse collection linking allows a Dataverse collection owner to "link" their Dataverse collection to another Dataverse collection, so the Dataverse collection being linked will appear in the linking Dataverse collection's list of contents without actually *being* in that Dataverse collection.
 
-If you need to have a Dataverse collection linked to your Dataverse collection, please contact the support team for the Dataverse installation you are using.
+In order to link a collection, you will need your account to have the "Link Dataverse" permission on the linking Dataverse collection.
 
 Publish Your Dataverse Collection
 =================================

diff --git a/src/main/java/edu/harvard/iq/dataverse/DataverseLinkingServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/DataverseLinkingServiceBean.java
@@ -89,19 +89,19 @@ public void save(DataverseLinkingDataverse dataverseLinkingDataverse) {
         }
     }
 
-    public DataverseLinkingDataverse findDataverseLinkingDataverse(Long dataverseId, Long linkingDataverseId) {
+    public DataverseLinkingDataverse findDataverseLinkingDataverse(Long linkingDataverseId, Long linkedDataverseId) {
         try {
             return em.createNamedQuery("DataverseLinkingDataverse.findByDataverseIdAndLinkingDataverseId", DataverseLinkingDataverse.class)
-                .setParameter("dataverseId", dataverseId)
+                .setParameter("dataverseId", linkedDataverseId)
                 .setParameter("linkingDataverseId", linkingDataverseId)
                 .getSingleResult();
         } catch (jakarta.persistence.NoResultException e) {
-            logger.fine("No DataverseLinkingDataverse found for dataverseId " + dataverseId + " and linkedDataverseId " + linkingDataverseId);        
+            logger.fine("No DataverseLinkingDataverse found for linkingDataverseId " + linkingDataverseId + " and linkedDataverseId " + linkedDataverseId);
             return null;
         }
     }
 
-    public boolean alreadyLinked(Dataverse definitionPoint, Dataverse dataverseToLinkTo) {
-        return findDataverseLinkingDataverse(dataverseToLinkTo.getId(), definitionPoint.getId()) != null;
+    public boolean alreadyLinked(Dataverse linkingDataverse, Dataverse linkedDataverse) {
+        return findDataverseLinkingDataverse(linkingDataverse.getId(), linkedDataverse.getId()) != null;
     }
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/DataversePage.java b/src/main/java/edu/harvard/iq/dataverse/DataversePage.java
@@ -218,7 +218,7 @@ public boolean showLinkingPopup() {
             testquery = query;
         }
 
-        return (session.getUser().isSuperuser() && (dataverse.getOwner() != null || !testquery.isEmpty()));
+        return (dataverse.getOwner() != null || !testquery.isEmpty());
     }
 
     public void setupLinkingPopup (String popupSetting){

diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java b/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java
@@ -843,7 +843,7 @@ private List<DatasetFieldType> parseFacets(JsonArray facetsArray) throws Wrapped
 
     @DELETE
     @AuthRequired
-    @Path("{linkingDataverseId}/deleteLink/{linkedDataverseId}")
+    @Path("{linkedDataverseId}/deleteLink/{linkingDataverseId}")
     public Response deleteDataverseLinkingDataverse(@Context ContainerRequestContext crc, @PathParam("linkingDataverseId") String linkingDataverseId, @PathParam("linkedDataverseId") String linkedDataverseId) {
         boolean index = true;
         return response(req -> {

diff --git a/.../edu/harvard/iq/dataverse/engine/command/impl/DeleteDataverseLinkingDataverseCommand.java b/.../edu/harvard/iq/dataverse/engine/command/impl/DeleteDataverseLinkingDataverseCommand.java
@@ -26,7 +26,7 @@
  * @author sarahferry
  */
 
-@RequiredPermissions( Permission.EditDataverse )
+@RequiredPermissions( Permission.LinkDataverse )
 public class DeleteDataverseLinkingDataverseCommand extends AbstractCommand<Dataverse> {
 
     private final DataverseLinkingDataverse doomed;
@@ -42,10 +42,6 @@ public DeleteDataverseLinkingDataverseCommand(DataverseRequest aRequest, Dataver
 
     @Override
     public Dataverse execute(CommandContext ctxt) throws CommandException {
-        if ((!(getUser() instanceof AuthenticatedUser) || !getUser().isSuperuser())) {
-            throw new PermissionException("Delete dataverse linking dataverse can only be called by superusers.",
-                    this, Collections.singleton(Permission.DeleteDataverse), editedDv);
-        }
         Dataverse merged = ctxt.em().merge(editedDv);
         DataverseLinkingDataverse doomedAndMerged = ctxt.em().merge(doomed);
         ctxt.em().remove(doomedAndMerged);

diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/LinkDataverseCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/LinkDataverseCommand.java
@@ -45,10 +45,6 @@ public LinkDataverseCommand(DataverseRequest aRequest, Dataverse dataverse, Data
 
     @Override
     public DataverseLinkingDataverse execute(CommandContext ctxt) throws CommandException {
-        if ((!(getUser() instanceof AuthenticatedUser) || !getUser().isSuperuser())) {
-            throw new PermissionException("Link Dataverse can only be called by superusers.",
-                    this, Collections.singleton(Permission.LinkDataverse), linkingDataverse);
-        }
         if (linkedDataverse.equals(linkingDataverse)) {
             throw new IllegalCommandException("Can't link a dataverse to itself", this);
         }

diff --git a/src/main/java/edu/harvard/iq/dataverse/search/savedsearch/SavedSearchServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/search/savedsearch/SavedSearchServiceBean.java
@@ -276,7 +276,7 @@ public void removeLinks(DataverseRequest dvReq, SavedSearch savedSearch) throws
 
             if (dvObjectThatDefinitionPointWillLinkTo.isInstanceofDataverse()) {
                 Dataverse linkedDataverse = (Dataverse) dvObjectThatDefinitionPointWillLinkTo;
-                DataverseLinkingDataverse dvld = dvLinkingService.findDataverseLinkingDataverse(linkedDataverse.getId(), linkingDataverse.getId());
+                DataverseLinkingDataverse dvld = dvLinkingService.findDataverseLinkingDataverse(linkingDataverse.getId(), linkedDataverse.getId());
                 if(dvld != null) {
                     Dataverse dv = commandEngine.submitInNewTransaction(new DeleteDataverseLinkingDataverseCommand(dvReq, linkingDataverse, dvld, true));
                 }

diff --git a/src/test/java/edu/harvard/iq/dataverse/api/LinkIT.java b/src/test/java/edu/harvard/iq/dataverse/api/LinkIT.java
@@ -105,56 +105,82 @@ public void testLinkedDataset() {
 
     @Test
     public void testCreateDeleteDataverseLink() {
-        Response createUser = UtilIT.createRandomUser();
+        // Create user #1 who owns Dataverse collection #1
+        Response createUser1 = UtilIT.createRandomUser();
+        createUser1.prettyPrint();
+        String apiToken1 = UtilIT.getApiTokenFromResponse(createUser1);
+        String username1 = UtilIT.getUsernameFromResponse(createUser1);
 
-        createUser.prettyPrint();
-        String username = UtilIT.getUsernameFromResponse(createUser);
-        String apiToken = UtilIT.getApiTokenFromResponse(createUser);
+        Response createDataverse1Response = UtilIT.createRandomDataverse(apiToken1);
+        createDataverse1Response.prettyPrint();
+        String dataverse1Alias = UtilIT.getAliasFromResponse(createDataverse1Response);
+        Integer dataverse1Id = UtilIT.getDataverseIdFromResponse(createDataverse1Response);
 
-        Response superuserResponse = UtilIT.makeSuperUser(username);
+        // Create user #2 who owns Dataverse collection #2
+        Response createUser2 = UtilIT.createRandomUser();
+        createUser2.prettyPrint();
+        String apiToken2 = UtilIT.getApiTokenFromResponse(createUser2);
 
-        Response createDataverseResponse = UtilIT.createRandomDataverse(apiToken);
-        createDataverseResponse.prettyPrint();
-        String dataverseAlias = UtilIT.getAliasFromResponse(createDataverseResponse);
-        Integer dataverseId = UtilIT.getDataverseIdFromResponse(createDataverseResponse);
+        Response createDataverse2Response = UtilIT.createRandomDataverse(apiToken2);
+        createDataverse2Response.prettyPrint();
+        String dataverse2Alias = UtilIT.getAliasFromResponse(createDataverse2Response);
+        Integer dataverse2Id = UtilIT.getDataverseIdFromResponse(createDataverse2Response);
 
-        Response createDataverseResponse2 = UtilIT.createRandomDataverse(apiToken);
-        createDataverseResponse2.prettyPrint();
-        String dataverseAlias2 = UtilIT.getAliasFromResponse(createDataverseResponse2);
-        Integer dataverseId2 = UtilIT.getDataverseIdFromResponse(createDataverseResponse2);
+        // Let user #1 try to link their collection #1 into collection #2
+        // This should fail, because user #1 has not been granted permission to link into collection #2
+        Response createDataverseLinkWithoutPermissionResponse = UtilIT.createDataverseLink(dataverse1Alias, dataverse2Alias, apiToken1);
+        createDataverseLinkWithoutPermissionResponse.prettyPrint();
+        createDataverseLinkWithoutPermissionResponse.then().assertThat()
+                .statusCode(UNAUTHORIZED.getStatusCode());
 
-        Response createLinkingDataverseResponse = UtilIT.createDataverseLink(dataverseAlias, dataverseAlias2, apiToken);
-        createLinkingDataverseResponse.prettyPrint();
-        createLinkingDataverseResponse.then().assertThat()
-                .statusCode(OK.getStatusCode())
-                .body("data.message", equalTo("Dataverse " + dataverseAlias + " linked successfully to " + dataverseAlias2));
+        // Let user #2 grant user #1 admin access for collection #2
+        // (The admin role is the only preconfigured role which includes the "Link Dataverse" permission)
+        Response grantUser2AccessOnDataverse1 = UtilIT.grantRoleOnDataverse(dataverse2Alias, "admin", "@" + username1, apiToken2);
+        grantUser2AccessOnDataverse1.prettyPrint();
+        grantUser2AccessOnDataverse1.then().assertThat()
+                .statusCode(OK.getStatusCode());
 
-        Response tryLinkingAgain = UtilIT.createDataverseLink(dataverseAlias, dataverseAlias2, apiToken);
+        // Let user #1 try again
+        // Now that they have access, this should succeed
+        Response tryLinkingAgain = UtilIT.createDataverseLink(dataverse1Alias, dataverse2Alias, apiToken1);
         tryLinkingAgain.prettyPrint();
         tryLinkingAgain.then().assertThat()
+                .statusCode(OK.getStatusCode())
+                .body("data.message", equalTo("Dataverse " + dataverse1Alias + " linked successfully to " + dataverse2Alias));
+
+        // And again, to see if the creation of duplicate links is correctly rejected
+        Response tryLinkingAgainAndAgain = UtilIT.createDataverseLink(dataverse1Alias, dataverse2Alias, apiToken1);
+        tryLinkingAgainAndAgain.prettyPrint();
+        tryLinkingAgainAndAgain.then().assertThat()
                 .statusCode(FORBIDDEN.getStatusCode())
-                .body("message", equalTo(dataverseAlias + " has already been linked to " + dataverseAlias2 + "."));
+                .body("message", equalTo(dataverse1Alias + " has already been linked to " + dataverse2Alias + "."));
 
-        Response getLinksResponse = UtilIT.getDataverseLinks(dataverseAlias, apiToken);
+        // Make user #1 superuser because it's required to list a collection's links
+        UtilIT.setSuperuserStatus(username1, true);
+
+        Response getLinksResponse = UtilIT.getDataverseLinks(dataverse1Alias, apiToken1);
         getLinksResponse.prettyPrint();
         getLinksResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
-                .body("data.dataversesLinkingToThis[0].id", equalTo(dataverseId2))
-                .body("data.dataversesLinkingToThis[0].alias", equalTo(dataverseAlias2))
-                .body("data.dataversesLinkingToThis[0].displayName", equalTo(dataverseAlias2));
-        getLinksResponse = UtilIT.getDataverseLinks(dataverseAlias2, apiToken);
+                .body("data.dataversesLinkingToThis[0].id", equalTo(dataverse2Id))
+                .body("data.dataversesLinkingToThis[0].alias", equalTo(dataverse2Alias))
+                .body("data.dataversesLinkingToThis[0].displayName", equalTo(dataverse2Alias));
+        getLinksResponse = UtilIT.getDataverseLinks(dataverse2Alias, apiToken1);
         getLinksResponse.prettyPrint();
         getLinksResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
-                .body("data.linkedDataverses[0].id", equalTo(dataverseId))
-                .body("data.linkedDataverses[0].alias", equalTo(dataverseAlias))
-                .body("data.linkedDataverses[0].displayName", equalTo(dataverseAlias));
+                .body("data.linkedDataverses[0].id", equalTo(dataverse1Id))
+                .body("data.linkedDataverses[0].alias", equalTo(dataverse1Alias))
+                .body("data.linkedDataverses[0].displayName", equalTo(dataverse1Alias));
+
+        // Undo superuser status to test that it's not required for deleting a link
+        UtilIT.setSuperuserStatus(username1, false);
 
-        Response deleteLinkingDataverseResponse = UtilIT.deleteDataverseLink(dataverseAlias, dataverseAlias2, apiToken);
+        Response deleteLinkingDataverseResponse = UtilIT.deleteDataverseLink(dataverse1Alias, dataverse2Alias, apiToken1);
         deleteLinkingDataverseResponse.prettyPrint();
         deleteLinkingDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
-                .body("data.message", equalTo("Link from Dataverse " + dataverseAlias + " to linked Dataverse " + dataverseAlias2 + " deleted"));
+                .body("data.message", equalTo("Link from Dataverse " + dataverse2Alias + " to linked Dataverse " + dataverse1Alias + " deleted"));
     }
 
     @Test
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Dataverse collection linking and unlinking no longer requires superuser status. Users with the "Link Dataverse" permission on a collection can now perform these actions through the UI and API.