From c1695c06e6536f1653ecedd6fae129a863870fd8 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Tue, 5 May 2026 14:27:28 +0200 Subject: [PATCH 01/31] Updated datasets authorization --- .../authorization/authorization_datasets.md | 142 ++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 docs/developer-guide/authorization/authorization_datasets.md diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md new file mode 100644 index 000000000..c4da2810e --- /dev/null +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -0,0 +1,142 @@ +# Datasets Authoorization + +## CASL ability actions + +This is the list of the permissions methods available for datasets and all their endpoints + +### Endpoint authorization + +- DatasetCreate +- DatasetRead +- DatasetUpdate +- DatasetDelete + +### Instance authorization + +- DatasetCreateOwnerNoPid +- DatasetCreateOwnerWithPid +- DatasetCreateAny +- DatasetReadManyPublic +- DatasetReadManyAccess +- DatasetReadAny +- DatasetUpdateOwner +- DatasetUpdateAny +- DetasetDeleteOwner +- DatasetDeleteAny + +### Implementation + +How the different level of authorization translates in data condition applied by the backend. + +- Public + - isPublished = true +- Access (condition ar applied in logical _or_) + - isPublished = true + - ownerGroup is one of the groups that the user belongs + - accessGroups are one of the groups that the user belongs + - _sharedWith contains the user's email_ (obsolete, it will removed) +- Owner + - ownerGroup is one of the groups that the user belongs +- Any + - User can perform the action to any dataset + +### Operation to endpoints map + +- Create + - POST Datasets + - POST Datasets/isValid +- Read + - GET Datasets + - GET Datasets/fullquery + - GET Datasets/fullfacet + - GET Datasets/metadataKeys + - GET Datasets/count + - GET Datasets/findOne + - GET Datasets/_pid_ +- Update + - PATCH Datasets/_pid_ + - PUT Datasets/_pid_ + - POST Datasets/_pid_/appendToArrayField +- Delete + - DELETE Datasets/_pid_ + +### Authorization standard users + +| Operation | Endpoint Authorization | Anonymous | Authenticated User | Notes | +| --------- | ---------------------- | --------- | ------------------ | ----- | +| Create | _DatasetCreate_ | __no__ | __no__ | | +| Read | _DatasetRead_ | Public
_DatasetReadPublic_ | Has Access
_DatasetReadAccess_ | | +| Update | _DatasetUpdate_ | __no__ | __no__ | | +| | | | | | +| DELETE | _DatasetDelete_ | __no__ | __no__ | | + +### Special permissions groups + +- Dataset Create Basic (DsCB) + These groups are allowed to create datasets for any of the group they belong to, although they are not allowed to assigned the pid to the new dataset. + Default: _#nogroup_ + Special values: + - _#all_ : all groups are allowed to create datasets with pid assigned by the system. +- Dataset Create Extended (DsCE) + These groups are allowed to create datasets for any of the group they belong to, and they can assign the pid to the new dataset. + Default: _#nogroup_ + Special values: + - _#all_ : all groups are allowed to create datasets with explicit pid. +- Dataset Create Privileged (DsCP) + These groups are allowed to create datasets for any group, and they can also assign the pid to the new dataset. + Default: _#nogroup_ + Special values: + - _#all_ : all groups are allowed to create datasets with pid assigned by the system +- Dataset Read Privileged (DsRP) + These groups are allowed to read all datasets independently from the ownership. + Default: _#nogroup_ +- Dataset Update Basic (DsUB) + These groups are allowed to update only datasets they own. + Default: _#nogroup_ + Special values: + - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. + - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. +- Dataset Update Privileged (DsUP) + These groups are allowed to update any datasets independently from the ownerhip. + Default: _#nogroup_ + Special values: + - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. +- Dataset Delete Basic (DsDB) + These groups are allowed to delete only the datasets they own. 
+ Default: _#nogroup_ + Special values: + - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. + - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. +- Dataset Delete Privileged (DsDP) + These groups are allowed to delete any dataset independently of the ownership. + Default: _#nogroup_ + Special values: + - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. + +### Authorization special permissions groups + +If a user belongs to one of the groups which is listed to any special permission, the permissions listed in this table override the standard permissions. +When the cell is empty in the following table, the permissions listed in the standard users table are applied. +A user can belong to multiple groups listed in multiple special permissions. The union of all the permissions is applied. + +| Operation | Endpoint Authorization | Dataset Read Privileged | Dataset Create Basic | Dataset Create Extended | Dataset Create Privileged | Dataset Update Basic | Dataset Update Privileged | Admin | Dataset Delete Basic | Dataset Delete Privilieged | Delete | Notes | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| Create | _DatasetCreate_ | | Owner, w/o PID
_DatasetCreateOwnerNoPid_ | Owner, w/ PID
_DatasetCreateOwnerWithPid_ | Any
_DatasetCreateAny_ | | | Any
_DatasetCreateAny_ | | | | | +| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | Any
_DatasetReadyAny_ | | | +| Update | _DatasetUpdate_ | | | | | Owner
_DatasetUpdateOwner_ | Any
_DatasetUpdateAny_ | Any
_DatasetUpdateAny_ | | | | | +| | | | | | | | | | +| Delete | _DatasetDelete_ | | | | | | | | Own
_DatasetDeleteOwner_ | Any
_DatasetDeleteAny_ | Any
_DatasetDeleteAny_ | | + +## Priorities + +This section lists the connected special permissions groups in order of importance. +A user will acquire the permissions from the special permissions groups to the most right in the list, he/she belongs to. + +- Read + - Anonymous -> Authenticated -> Dataset Read Privileged -> Admin +- Create + - Anonymous -> Authenticated -> Dataset Create Basic -> Dataset Create Extended -> Dataset Create Privileged -> Admin +- Update + - Anonymous -> Authenticated -> Dataset Update Basic -> Dataset Update Privileged -> Admin +- Delete + - Anonymous -> Authenticated -> Dataset Delete Basic -> Dataset Delete Privileged -> Delete From 1ee138d950c2253f1e0ae95e60f07f2437002864 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 10:43:00 +0200 Subject: [PATCH 02/31] New proposed dataset authorization matrix --- .../authorization/authorization_datasets.md | 171 ++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 docs/developer-guide/authorization/authorization_datasets.md diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md new file mode 100644 index 000000000..189dc7cfb --- /dev/null +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -0,0 +1,171 @@ +# Datasets Authorization + +## CASL ability actions + +This is the list of the permissions methods available for datasets and all their endpoints + +### Endpoint authorization + +- DatasetCreate +- DatasetRead +- DatasetUpdate +- DatasetDelete + +### Instance authorization + +- DatasetCreateOwnerNoPid +- DatasetCreateOwnerWithPid +- DatasetCreateAny +- DatasetReadManyPublic +- DatasetReadManyAccess +- DatasetReadAny +- DatasetUpdateOwner +- DatasetUpdateAny +- DetasetDeleteOwner +- DatasetDeleteAny + +### Implementation + +How the different level of authorization translates in data condition applied by the backend. + +- Public + - isPublished = true +- Access (condition ar applied in logical _or_) + - isPublished = true + - ownerGroup is one of the groups that the user belongs + - accessGroups are one of the groups that the user belongs + - _sharedWith contains the user's email_ (obsolete, it will removed) +- Owner + - ownerGroup is one of the groups that the user belongs +- Any + - User can perform the action to any dataset + +### Operation to endpoints map + +- Create + - POST Datasets + - POST Datasets/isValid +- Read + - GET Datasets + - GET Datasets/fullquery + - GET Datasets/fullfacets + - GET Datasets/metadataKeys + - GET Datasets/count + - GET Datasets/findOne + - GET Datasets/_pid_ + - GET Datasets/_pid_/datasetlifecycle + - GET Datasets/_pid_/logbook +- Update + - PATCH Datasets/_pid_ + - PUT Datasets/_pid_ + - POST Datasets/_pid_/appendToArrayField + - PATCH Datasets/_pid_/datasetlifecycle +- Delete + - DELETE Datasets/_pid_ + +### Authorization standard users + +| Operation | Endpoint Authorization | Anonymous | Authenticated User | Notes | +| --------- | ---------------------- | --------- | ------------------ | ----- | +| Create | _DatasetCreate_ | __no__ | __no__ | | +| Read | _DatasetRead_ | Public
_DatasetReadPublic_ | Has Access
_DatasetReadAccess_ | | +| Update | _DatasetUpdate_ | __no__ | __no__ | | +| | | | | | +| DELETE | _DatasetDelete_ | __no__ | __no__ | | + +### Special permissions groups + +- Dataset Create Basic (DsCB) + These groups are allowed to create datasets for any of the group they belong to, although they are not allowed to assigned the pid to the new dataset. + Default: _#nogroup_ + Special values: + - _#all_ : all groups are allowed to create datasets with pid assigned by the system. +- Dataset Create Extended (DsCE) + These groups are allowed to create datasets for any of the group they belong to, and they can assign the pid to the new dataset. + Default: _#nogroup_ + Special values: + - _#all_ : all groups are allowed to create datasets with explicit pid. +- Dataset Create Privileged (DsCP) + These groups are allowed to create datasets for any group, and they can also assign the pid to the new dataset. + Default: _#nogroup_ + Special values: + - _#all_ : all groups are allowed to create datasets with pid assigned by the system +- Dataset Read Privileged (DsRP) + These groups are allowed to read all datasets independently from the ownership. + Default: _#nogroup_ +- Dataset Update Basic (DsUB) + These groups are allowed to update only datasets they own. + Default: _#nogroup_ + Special values: + - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. + - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. +- Dataset Update Privileged (DsUP) + These groups are allowed to update any datasets independently from the ownerhip. + Default: _#nogroup_ + Special values: + - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. +- Dataset Delete Basic (DsDB) + These groups are allowed to delete only the datasets they own. 
+ Default: _#nogroup_ + Special values: + - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. + - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. +- Dataset Delete Privileged (DsDP) + These groups are allowed to delete any dataset independently of the ownership. + Default: _#nogroup_ + Special values: + - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. + +### Authorization special permissions groups + +If a user belongs to one of the groups which is listed to any special permission, the permissions listed in this table override the standard permissions. +When the cell is empty in the following table, the permissions listed in the standard users table are applied. +A user can belong to multiple groups listed in multiple special permissions. The union of all the permissions is applied. + +| Operation | Endpoint Authorization | Dataset Read Privileged | Dataset Create Basic | Dataset Create Extended | Dataset Create Privileged | Dataset Update Basic | Dataset Update Privileged | Admin | Dataset Delete Basic | Dataset Delete Privileged | Delete | Notes | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| Create | _DatasetCreate_ | | Owner, w/o PID
_DatasetCreateOwnerNoPid_ | Owner, w/ PID
_DatasetCreateOwnerWithPid_ | Any
_DatasetCreateAny_ | | | Any
_DatasetCreateAny_ | | | | | +| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | Any
_DatasetReadyAny_ | | | +| Update | _DatasetUpdate_ | | | | | Owner
_DatasetUpdateOwner_ | Any
_DatasetUpdateAny_ | Any
_DatasetUpdateAny_ | | | | | +| | | | | | | | | | +| Delete | _DatasetDelete_ | | | | | | | | Own
_DatasetDeleteOwner_ | Any
_DatasetDeleteAny_ | Any
_DatasetDeleteAny_ | | + +## Priorities + +This section lists the connected special permissions groups in order of importance. +A user will acquire the permissions from the special permissions groups to the most right in the list, he/she belongs to. + +- Read + - Anonymous -> Authenticated -> Dataset Read Privileged -> Admin +- Create + - Anonymous -> Authenticated -> Dataset Create Basic -> Dataset Create Extended -> Dataset Create Privileged -> Admin +- Update + - Anonymous -> Authenticated -> Dataset Update Basic -> Dataset Update Privileged -> Admin +- Delete + - Anonymous -> Authenticated -> Dataset Delete Basic -> Dataset Delete Privileged -> Delete + +## Environmental Variables + +The following list present the environmental variables that should be configured to setup the special groups listed in the previous sections. +Each variable is a comma separated list of the users' groups that acquired the special permissions linked to the special group. + +- DATASET_READ_PRIVILEGED_GROUPS: groups with __Dataset Read Privileged__ permissions +- DATASET_CREATE_BASIC_GROUPS: groups with __Dataset Create Basic__ permissions +- DATASET_CREATE_EXTENDED_GROUPS: groups with __Dataset Create Extended__ permissions +- DATASET_CREATE_PRIVILEGED_GROUPS: groups with __Dataset Create Privileged__ permissions +- DATASET_UPDATE_BASIC_GROUPS: groups with __Dataset Update Basic__ permissions +- DATASET_UPDATE_PRIVILEGED_GROUPS: groups with __Dataset Update Privileged__ permissions +- DATASET_DELETE_BASIC_GROUPS: groups with __Dataset Delete Basic__ permissions +- DATASET_DELETE_PRIVILEGED_GROUPS: groups with __Dataset Delete Privileged__ permissions +- ADMIN_GROUPS: groups with __Admin__ permissions. This variable effects all the sub-systems. +- DELETE_GROUPS: groups with __Delete__ permissions. This variable effects all the sub-systems. + +## Legacy + +The legacy datasets special permissions environment variables are marked obsolete and will be removed in the future. 
+In the meantime, they are mapped to the matching new variable. +Here is the map: + +- Create Dataset Groups ( CREATE_DATASET_GROUP ) -> Dataset Create Basic +- Create Dataset with PID Group ( CREATE_DATASET_WITH_PID_GROUP ) -> Dataset Create Extended +- Create Dataset Privileged ( CREATE_DATASET_PRIVIELEGED_GROUP ) -> Dataset Create Privileged From c4c60673f6c133c3d471997962f58872fd76608f Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:43:29 +0200 Subject: [PATCH 03/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index aac3551d7..189dc7cfb 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -1,4 +1,4 @@ -# Datasets Authoorization +# Datasets Authorization ## CASL ability actions From bfdf846621027e40a42b4e6deb1f4587b0e55686 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:44:19 +0200 Subject: [PATCH 04/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 189dc7cfb..85222f682 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -21,7 +21,7 @@ This is the list of the permissions methods available for datasets and all their - DatasetReadAny - DatasetUpdateOwner - DatasetUpdateAny -- DetasetDeleteOwner +- DatasetDeleteOwner - DatasetDeleteAny ### Implementation From c63efa547ac64b2510a59d2c4bbd948383a2d98d Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:44:52 +0200 Subject: [PATCH 05/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 85222f682..fa6f0ca8c 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -26,7 +26,7 @@ This is the list of the permissions methods available for datasets and all their ### Implementation -How the different level of authorization translates in data condition applied by the backend. +How the different levels of authorization translate into data conditions applied by the backend. - Public - isPublished = true From 9fb6f8ce4e981e3831c0671dac03412664f90e84 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:45:21 +0200 Subject: [PATCH 06/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index fa6f0ca8c..531114a4c 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md 
+++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -30,7 +30,7 @@ How the different levels of authorization translate into data conditions applied - Public - isPublished = true -- Access (condition ar applied in logical _or_) +- Access (conditions are applied in logical _or_) - isPublished = true - ownerGroup is one of the groups that the user belongs - accessGroups are one of the groups that the user belongs From dcd88d805d641846db630f4c3ddfcf5a7f61ba48 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:45:45 +0200 Subject: [PATCH 07/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 531114a4c..cd0840b05 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -34,7 +34,7 @@ How the different levels of authorization translate into data conditions applied - isPublished = true - ownerGroup is one of the groups that the user belongs - accessGroups are one of the groups that the user belongs - - _sharedWith contains the user's email_ (obsolete, it will removed) + - _sharedWith contains the user's email_ (obsolete, it will be removed) - Owner - ownerGroup is one of the groups that the user belongs - Any From e3fd4b5404a4b52f228de486d796a31770b49c2f Mon Sep 17 00:00:00 2001 
From: Max Novelli Date: Wed, 6 May 2026 11:46:56 +0200 Subject: [PATCH 08/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index cd0840b05..c99ee5675 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -118,7 +118,7 @@ How the different levels of authorization translate into data conditions applied ### Authorization special permissions groups -If a user belongs to one of the groups which is listed to any special permission, the permissions listed in this table override the standard permissions. +If a user belongs to one of the groups which is listed in any special permission, the permissions listed in this table override the standard permissions. When the cell is empty in the following table, the permissions listed in the standard users table are applied. A user can belong to multiple groups listed in multiple special permissions. The union of all the permissions is applied. From a7bfd94cab579523ed0ac8e799a4cab3881783c0 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:47:13 +0200 Subject: [PATCH 09/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index c99ee5675..d944212c2 100644 
--- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -125,7 +125,7 @@ A user can belong to multiple groups listed in multiple special permissions. The | Operation | Endpoint Authorization | Dataset Read Privileged | Dataset Create Basic | Dataset Create Extended | Dataset Create Privileged | Dataset Update Basic | Dataset Update Privileged | Admin | Dataset Delete Basic | Dataset Delete Privileged | Delete | Notes | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Create | _DatasetCreate_ | | Owner, w/o PID
_DatasetCreateOwnerNoPid_ | Owner, w/ PID
_DatasetCreateOwnerWithPid_ | Any
_DatasetCreateAny_ | | | Any
_DatasetCreateAny_ | | | | | -| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | Any
_DatasetReadyAny_ | | | +| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | Any
_DatasetReadAny_ | | | | Update | _DatasetUpdate_ | | | | | Owner
_DatasetUpdateOwner_ | Any
_DatasetUpdateAny_ | Any
_DatasetUpdateAny_ | | | | | | | | | | | | | | | | Delete | _DatasetDelete_ | | | | | | | | Own
_DatasetDeleteOwner_ | Any
_DatasetDeleteAny_ | Any
_DatasetDeleteAny_ | | From f96e6f1196eb2c126e0eea6121e08342fa861fe1 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 11:47:40 +0200 Subject: [PATCH 10/31] Update docs/developer-guide/authorization/authorization_datasets.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index d944212c2..31318e66d 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -133,7 +133,7 @@ A user can belong to multiple groups listed in multiple special permissions. The ## Priorities This section lists the connected special permissions groups in order of importance. -A user will acquire the permissions from the special permissions groups to the most right in the list, he/she belongs to. +A user will acquire the permissions from the special permissions groups up to the rightmost group in the list they belong to. - Read - Anonymous -> Authenticated -> Dataset Read Privileged -> Admin From 536ea33c91e8b198b91afa99199f23061e3cb5f8 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 12:11:18 +0200 Subject: [PATCH 11/31] included feedback --- .../authorization/authorization_datasets.md | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 189dc7cfb..1b6d7e9bb 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -1,17 +1,15 @@ # Datasets Authorization -## CASL ability actions +This is the list of the permissions available for datasets and all their endpoints -This is the list of the permissions methods available for datasets and all their endpoints - -### Endpoint authorization +## Endpoint authorization - DatasetCreate - DatasetRead - DatasetUpdate - DatasetDelete -### Instance authorization +## Instance authorization - DatasetCreateOwnerNoPid - DatasetCreateOwnerWithPid @@ -24,7 +22,7 @@ This is the list of the permissions methods available for datasets and all their - DetasetDeleteOwner - DatasetDeleteAny -### Implementation +## Implementation How the different level of authorization translates in data condition applied by the backend. @@ -32,15 +30,15 @@ How the different level of authorization translates in data condition applied by - isPublished = true - Access (condition ar applied in logical _or_) - isPublished = true - - ownerGroup is one of the groups that the user belongs - - accessGroups are one of the groups that the user belongs + - the user belongs to the group listed in the _ownerGroup_ field + - the user belongs to one of the groups listed in the _accessGroups_ field - _sharedWith contains the user's email_ (obsolete, it will removed) - Owner - - ownerGroup is one of the groups that the user belongs + - the user belongs to the group listed in the _ownerGroup_ field - Any - User can perform the action to any dataset -### Operation to endpoints map +## Operation to endpoints map - Create - POST Datasets @@ -63,7 +61,7 @@ How the different level of authorization translates in data condition applied by - Delete - DELETE Datasets/_pid_ -### Authorization standard users +## Authorization standard users | Operation | Endpoint Authorization | Anonymous | Authenticated User | Notes | | --------- | ---------------------- | --------- | ------------------ | ----- | 
@@ -73,15 +71,15 @@ How the different level of authorization translates in data condition applied by | | | | | | | DELETE | _DatasetDelete_ | __no__ | __no__ | | -### Special permissions groups +## Special permissions groups - Dataset Create Basic (DsCB) - These groups are allowed to create datasets for any of the group they belong to, although they are not allowed to assigned the pid to the new dataset. + These groups are allowed to create datasets for any of the groups they belong to, although they are not allowed to assign the pid to the new dataset. Default: _#nogroup_ Special values: - _#all_ : all groups are allowed to create datasets with pid assigned by the system. - Dataset Create Extended (DsCE) - These groups are allowed to create datasets for any of the group they belong to, and they can assign the pid to the new dataset. + These groups are allowed to create datasets for any of the groups they belong to, and they can assign the pid to the new dataset. Default: _#nogroup_ Special values: - _#all_ : all groups are allowed to create datasets with explicit pid. @@ -100,7 +98,7 @@ How the different level of authorization translates in data condition applied by - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. - Dataset Update Privileged (DsUP) - These groups are allowed to update any datasets independently from the ownerhip. + These groups are allowed to update any datasets independently from the ownership. Default: _#nogroup_ Special values: - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. 
@@ -116,7 +114,7 @@ How the different level of authorization translates in data condition applied by Special values: - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. -### Authorization special permissions groups +## Authorization special permissions groups If a user belongs to one of the groups which is listed to any special permission, the permissions listed in this table override the standard permissions. When the cell is empty in the following table, the permissions listed in the standard users table are applied. From f9e0aa1ba799724221aded4ece2846b5f968a957 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 6 May 2026 12:15:56 +0200 Subject: [PATCH 12/31] unforseen changes --- .../developer-guide/authorization/authorization_datasets.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index e1cd979a2..29f50d1b7 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -30,15 +30,9 @@ How the different levels of authorization translate into data conditions applied - isPublished = true - Access (conditions are applied in logical _or_) - isPublished = true -<<<<<<< HEAD - - ownerGroup is one of the groups that the user belongs - - accessGroups are one of the groups that the user belongs - - _sharedWith contains the user's email_ (obsolete, it will be removed) -======= - the user belongs to the group listed in the _ownerGroup_ field - the user belongs to one of the groups listed in the _accessGroups_ field - _sharedWith contains the user's email_ (obsolete, it will removed) ->>>>>>> update_dataset_authorization_documentation - Owner - the user belongs to the group listed in the _ownerGroup_ field - Any From 6c2e0f9c67c2ab64285ba5fa392821d33996dab9 Mon Sep 17 00:00:00 2001 
From: Max Novelli Date: Fri, 8 May 2026 18:51:59 +0200 Subject: [PATCH 13/31] Added use cases to dataset permissions --- .../authorization/authorization_datasets.md | 109 +++++++++++++++++- 1 file changed, 108 insertions(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 29f50d1b7..26f01b264 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -125,7 +125,7 @@ A user can belong to multiple groups listed in multiple special permissions. The | Create | _DatasetCreate_ | | Owner, w/o PID
_DatasetCreateOwnerNoPid_ | Owner, w/ PID
_DatasetCreateOwnerWithPid_ | Any
_DatasetCreateAny_ | | | Any
_DatasetCreateAny_ | | | | | | Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | Any
_DatasetReadAny_ | | | | Update | _DatasetUpdate_ | | | | | Owner
_DatasetUpdateOwner_ | Any
_DatasetUpdateAny_ | Any
_DatasetUpdateAny_ | | | | | -| | | | | | | | | | +| | | | | | | | | | | | | | | Delete | _DatasetDelete_ | | | | | | | | Own
_DatasetDeleteOwner_ | Any
_DatasetDeleteAny_ | Any
_DatasetDeleteAny_ | | ## Priorities 
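Review bot: The spacer row is widened to 13 cells in this hunk, but the Read row in the context directly above it still has only 10, and its second _DatasetReadAny_ sits in the eighth cell, one to the left of where the Create and Update rows carry their last _Any_. Pad the Read row to the same 13 cells in this change and confirm which group the second _DatasetReadAny_ is meant for, since readers will take the column as the grant.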
@@ -167,3 +167,110 @@ Here is the map: - Create Dataset Groups ( CREATE_DATASET_GROUP ) -> Dataset Create Basic - Create Dataset with PID Group ( CREATE_DATASET_WITH_PID_GROUP ) -> Dataset Create Extended - Create Dataset Privileged ( CREATE_DATASET_PRIVIELEGED_GROUP ) -> Dataset Create Privileged + +## Use cases and configuration examples + +This section includes few of the many use cases that the community as come across, found them informative. +Each use case provides the settings for each special permissions groups in isolation. +In a production setup, each special permissions groups will contain a list of multiple group that is the union of each individual case. + +### Data ingestion with creation only + +#### Description + +We need a functional account that allows the ingestion process to create datasets for any group so it can ingest datasets independently from who owns them. + +#### Configuration + +##### Accounts + +- username: ingestor +- group: ingestor + +##### Special permissions groups + +- DATASET_READ_PRIVILEGED_GROUPS = "" +- DATASET_CREATE_BASIC_GROUPS = "" +- DATASET_CREATE_EXTENDED_GROUPS = "" +- DATASET_CREATE_PRIVILEGED_GROUPS = "ingestor" +- DATASET_UPDATE_BASIC_GROUPS = "" +- DATASET_UPDATE_PRIVILEGED_GROUPS = "" +- DATASET_DELETE_BASIC_GROUPS = "" +- DATASET_DELETE_PRIVILEGED_GROUP = "" +- ADMIN_GROUPS = "" +- DELETE_GROUPS = "" + +### Data ingestion with creation and update + +#### Description + +We need a functional account that allows the ingestion process to create and update datasets for any group so it can ingest datasets independently from who owns them and also perform additional updates at a later time. 
+ +#### Configuration + +##### Accounts + +- username: ingestor +- group: ingestor + +##### Special permissions groups + +- DATASET_READ_PRIVILEGED_GROUPS = "" +- DATASET_CREATE_BASIC_GROUPS = "" +- DATASET_CREATE_EXTENDED_GROUPS = "" +- DATASET_CREATE_PRIVILEGED_GROUPS = "ingestor" +- DATASET_UPDATE_BASIC_GROUPS = "" +- DATASET_UPDATE_PRIVILEGED_GROUPS = "ingestor" +- DATASET_DELETE_BASIC_GROUPS = "" +- DATASET_DELETE_PRIVILEGED_GROUP = "" +- ADMIN_GROUPS = "" +- DELETE_GROUPS = "" + +### Post Ingestion tasks workflow + +#### Description + +We need to set up a workflow to run post ingestions task. The process needs to be able to list any dataset that has a specific value in their keywords field independently from the group who owns the dataset. Once the list is retrieved, the process will perform the set tasks (like determining end of embargo period, performing some aggregation or statistic on the data) and save the results back in the dataset as additional scientific metadata. + +##### Accounts + +- username: post_ingestion_tasks +- group: post_ingestion_tasks + +##### Special permissions groups + +- DATASET_READ_PRIVILEGED_GROUPS = "post_ingestion_tasks" +- DATASET_CREATE_BASIC_GROUPS = "" +- DATASET_CREATE_EXTENDED_GROUPS = "" +- DATASET_CREATE_PRIVILEGED_GROUPS = "" +- DATASET_UPDATE_BASIC_GROUPS = "" +- DATASET_UPDATE_PRIVILEGED_GROUPS = "post_ingestion_tasks" +- DATASET_DELETE_BASIC_GROUPS = "" +- DATASET_DELETE_PRIVILEGED_GROUP = "" +- ADMIN_GROUPS = "" +- DELETE_GROUPS = "" + +### Automatic workflow to delete obsolete datasets + +#### Description + +We need to set up a workflow to delete datasets that are more than 10 years old and are marked with the keyword _obsolete_. +The process needs to list all datasets that contains the valu e_obsolete_ in the keywords field and have creation time older than 10 years from today. Once the list has been retrieved, it has to iterate through and execute a delte command on each dataset. 
+ +##### Accounts + +- username: delete_obsolete_datasets +- group: delete_obsolete_datasets + +##### Special permissions groups + +- DATASET_READ_PRIVILEGED_GROUPS = "delete_obsolete_datasets" +- DATASET_CREATE_BASIC_GROUPS = "" +- DATASET_CREATE_EXTENDED_GROUPS = "" +- DATASET_CREATE_PRIVILEGED_GROUPS = "" +- DATASET_UPDATE_BASIC_GROUPS = "" +- DATASET_UPDATE_PRIVILEGED_GROUPS = "" +- DATASET_DELETE_BASIC_GROUPS = "" +- DATASET_DELETE_PRIVILEGED_GROUP = "delete_obsolete_datasets" +- ADMIN_GROUPS = "" +- DELETE_GROUPS = "" From 393bb72a9080a8546abae626e90afe83f8c5840a Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Fri, 8 May 2026 23:51:02 +0200 Subject: [PATCH 14/31] Update authorization_datasets.md fixed mistake in the special permissions groups table --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 26f01b264..17620b357 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -123,7 +123,7 @@ A user can belong to multiple groups listed in multiple special permissions. The | Operation | Endpoint Authorization | Dataset Read Privileged | Dataset Create Basic | Dataset Create Extended | Dataset Create Privileged | Dataset Update Basic | Dataset Update Privileged | Admin | Dataset Delete Basic | Dataset Delete Privileged | Delete | Notes | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Create | _DatasetCreate_ | | Owner, w/o PID
_DatasetCreateOwnerNoPid_ | Owner, w/ PID
_DatasetCreateOwnerWithPid_ | Any
_DatasetCreateAny_ | | | Any
_DatasetCreateAny_ | | | | | -| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | Any
_DatasetReadAny_ | | | +| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | | Any
_DatasetReadAny_ | | | | Update | _DatasetUpdate_ | | | | | Owner
_DatasetUpdateOwner_ | Any
_DatasetUpdateAny_ | Any
_DatasetUpdateAny_ | | | | | | | | | | | | | | | | | | | | Delete | _DatasetDelete_ | | | | | | | | Own
_DatasetDeleteOwner_ | Any
_DatasetDeleteAny_ | Any
_DatasetDeleteAny_ | | From 04e3623c22985a17049530f51f821aa712afe35a Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Fri, 8 May 2026 23:52:48 +0200 Subject: [PATCH 15/31] Update authorization_datasets.md Bold for groups name in list with explanation --- .../authorization/authorization_datasets.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 17620b357..05b5cc43c 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -73,42 +73,42 @@ How the different levels of authorization translate into data conditions applied ## Special permissions groups -- Dataset Create Basic (DsCB) +- __Dataset Create Basic__ (DsCB) These groups are allowed to create datasets for any of the groups they belong to, although they are not allowed to assign the pid to the new dataset. Default: _#nogroup_ Special values: - _#all_ : all groups are allowed to create datasets with pid assigned by the system. -- Dataset Create Extended (DsCE) +- __Dataset Create Extended__ (DsCE) These groups are allowed to create datasets for any of the groups they belong to, and they can assign the pid to the new dataset. Default: _#nogroup_ Special values: - _#all_ : all groups are allowed to create datasets with explicit pid. -- Dataset Create Privileged (DsCP) +- __Dataset Create Privileged__ (DsCP) These groups are allowed to create datasets for any group, and they can also assign the pid to the new dataset. Default: _#nogroup_ Special values: - _#all_ : all groups are allowed to create datasets with pid assigned by the system -- Dataset Read Privileged (DsRP) +- __Dataset Read Privileged__ (DsRP) These groups are allowed to read all datasets independently from the ownership. Default: _#nogroup_ -- Dataset Update Basic (DsUB) +- __Dataset Update Basic__ (DsUB) These groups are allowed to update only datasets they own. Default: _#nogroup_ Special values: - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. -- Dataset Update Privileged (DsUP) +- __Dataset Update Privileged__ (DsUP) These groups are allowed to update any datasets independently from the ownership. Default: _#nogroup_ Special values: - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. 
-- Dataset Delete Basic (DsDB) +- __Dataset Delete Basic__ (DsDB) These groups are allowed to delete only the datasets they own. Default: _#nogroup_ Special values: - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. -- Dataset Delete Privileged (DsDP) +- __Dataset Delete Privileged__ (DsDP) These groups are allowed to delete any dataset independently of the ownership. Default: _#nogroup_ Special values: From e5231176a16effca6d5f96ae5512e05e89d79ba0 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:38:55 +0200 Subject: [PATCH 16/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 05b5cc43c..e33472eca 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -46,7 +46,7 @@ How the different levels of authorization translate into data conditions applied - Read - GET Datasets - GET Datasets/fullquery - - GET Datasets/fullfacets + - GET Datasets/fullfacet - GET Datasets/metadataKeys - GET Datasets/count - GET Datasets/findOne From 1b7ec83f4b75c681b4ef4757f889cc4436e6ad65 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:39:12 +0200 Subject: [PATCH 17/31] Apply suggestion from @sourcery-ai[bot] Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index e33472eca..ec655e3c1 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -32,7 +32,7 @@ How the different levels of authorization translate into data conditions applied - isPublished = true - the user belongs to the group listed in the _ownerGroup_ field - the user belongs to one of the groups listed in the _accessGroups_ field - - _sharedWith contains the user's email_ (obsolete, it will removed) + - _sharedWith contains the user's email_ (obsolete, it will be removed) - Owner - the user belongs to the group listed in the _ownerGroup_ field - Any From a27dd3b22e047a66eac4da4b6f08809ce198c9f2 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:40:17 +0200 Subject: [PATCH 18/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index ec655e3c1..e1b2b64e6 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -87,7 +87,7 @@ How the different levels of authorization translate into data conditions applied These groups are allowed to create datasets for any group, and they can also assign the pid to the new dataset. Default: _#nogroup_ Special values: - - _#all_ : all groups are allowed to create datasets with pid assigned by the system + - _#all_ : all groups can create datasets with for any group with explicit pid. - __Dataset Read Privileged__ (DsRP) These groups are allowed to read all datasets independently from the ownership. Default: _#nogroup_ 
From 4839738a79176079bb234c246d80ceaab162e553 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:40:36 +0200 Subject: [PATCH 19/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index e1b2b64e6..c1ca0bdd2 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -96,7 +96,7 @@ How the different levels of authorization translate into data conditions applied Default: _#nogroup_ Special values: - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. - - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. + - _#DsCE_ : all groups listed in _Dataset Create Extended_ are allowed to update the datasets they own. - __Dataset Update Privileged__ (DsUP) These groups are allowed to update any datasets independently from the ownership. Default: _#nogroup_ From 11de7584039d9f3d89bbd23c502c47480f848d41 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:41:26 +0200 Subject: [PATCH 20/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index c1ca0bdd2..a17ccf996 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -106,8 +106,8 @@ How the different levels of authorization translate into data conditions applied These groups are allowed to delete only the datasets they own. Default: _#nogroup_ Special values: - - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. - - _#DsCE_ : all groups listed in _Dataset Create Basic_ are allowed to update the datasets they own. + - _#DsCB_ : all groups listed in _Dataset Create Basic_ are allowed to delete the datasets they own. + - _#DsCE_ : all groups listed in _Dataset Create Extended_ are allowed to delete the datasets they own. - __Dataset Delete Privileged__ (DsDP) These groups are allowed to delete any dataset independently of the ownership. Default: _#nogroup_ From eaede845e722f643ff1f02fd0efb80e30ceea955 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:41:49 +0200 Subject: [PATCH 21/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index a17ccf996..a8b1fb472 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -112,7 +112,7 @@ How the different levels of authorization translate into data conditions applied These groups are allowed to delete any dataset independently of the ownership. Default: _#nogroup_ Special values: - - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to update any datasets. + - _#DsCP_ : all groups listed in _Dataset Create Privileged_ are allowed to delete any datasets. ## Authorization special permissions groups From 9dadf9b9bebc2f49678e0957b00032c6081b39fd Mon Sep 17 00:00:00 2001 
From: Max Novelli Date: Wed, 20 May 2026 09:42:17 +0200 Subject: [PATCH 22/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index a8b1fb472..90d756f2d 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -123,7 +123,7 @@ A user can belong to multiple groups listed in multiple special permissions. The | Operation | Endpoint Authorization | Dataset Read Privileged | Dataset Create Basic | Dataset Create Extended | Dataset Create Privileged | Dataset Update Basic | Dataset Update Privileged | Admin | Dataset Delete Basic | Dataset Delete Privileged | Delete | Notes | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Create | _DatasetCreate_ | | Owner, w/o PID
_DatasetCreateOwnerNoPid_ | Owner, w/ PID
_DatasetCreateOwnerWithPid_ | Any
_DatasetCreateAny_ | | | Any
_DatasetCreateAny_ | | | | | -| Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | | Any
_DatasetReadAny_ | | | + | Read | _DatasetRead_ | Any
_DatasetReadAny_ | | | | | | Any
_DatasetReadAny_ | | | | | | Update | _DatasetUpdate_ | | | | | Owner
_DatasetUpdateOwner_ | Any
_DatasetUpdateAny_ | Any
_DatasetUpdateAny_ | | | | | | | | | | | | | | | | | | | | Delete | _DatasetDelete_ | | | | | | | | Own
_DatasetDeleteOwner_ | Any
_DatasetDeleteAny_ | Any
_DatasetDeleteAny_ | | From 9ac821e5f7c76be254e3c20cce4c76390c42abf1 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:43:30 +0200 Subject: [PATCH 23/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 90d756f2d..756af9312 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -155,8 +155,8 @@ Each variable is a comma separated list of the users' groups that acquired the s - DATASET_UPDATE_PRIVILEGED_GROUPS: groups with __Dataset Update Privileged__ permissions - DATASET_DELETE_BASIC_GROUPS: groups with __Dataset Delete Basic__ permissions - DATASET_DELETE_PRIVILEGED_GROUPS: groups with __Dataset Delete Privileged__ permissions -- ADMIN_GROUPS: groups with __Admin__ permissions. This variable effects all the sub-systems. -- DELETE_GROUPS: groups with __Delete__ permissions. This variable effects all the sub-systems. +- ADMIN_GROUPS: groups with __Admin__ permissions. This variable affects all the sub-systems. +- DELETE_GROUPS: groups with __Delete__ permissions. This variable affects all the sub-systems. ## Legacy From 94c4350047953a22462348ed21cb1cda5f763a4d Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 09:57:59 +0200 Subject: [PATCH 24/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- .../developer-guide/authorization/authorization_datasets.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 756af9312..72b58866b 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md 
+++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -164,9 +164,9 @@ The legacy datasets special permissions environment variables are marked obsolet In the meantime, they are mapped to the matching new variable. Here is the map: -- Create Dataset Groups ( CREATE_DATASET_GROUP ) -> Dataset Create Basic -- Create Dataset with PID Group ( CREATE_DATASET_WITH_PID_GROUP ) -> Dataset Create Extended -- Create Dataset Privileged ( CREATE_DATASET_PRIVIELEGED_GROUP ) -> Dataset Create Privileged +- Create Dataset Groups ( CREATE_DATASET_GROUPS ) -> Dataset Create Basic +- Create Dataset with PID Group ( CREATE_DATASET_WITH_PID_GROUPS ) -> Dataset Create Extended +- Create Dataset Privileged ( CREATE_DATASET_PRIVILEGED_GROUPS ) -> Dataset Create Privileged ## Use cases and configuration examples From ff61903629ce0776dc9f18261f6084760867867d Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 10:05:07 +0200 Subject: [PATCH 25/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 72b58866b..c81edf59d 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -170,7 +170,7 @@ Here is the map: ## Use cases and configuration examples -This section includes few of the many use cases that the community as come across, found them informative. +This section includes few of the many use cases that the community has come across, found them informative. Each use case provides the settings for each special permissions groups in isolation. In a production setup, each special permissions groups will contain a list of multiple group that is the union of each individual case. 
From 61d68646f6bccc90d030c071f59e6af864cbfacf Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 10:05:26 +0200 Subject: [PATCH 26/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index c81edf59d..8bb37ed18 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -196,7 +196,7 @@ We need a functional account that allows the ingestion process to create dataset - DATASET_UPDATE_BASIC_GROUPS = "" - DATASET_UPDATE_PRIVILEGED_GROUPS = "" - DATASET_DELETE_BASIC_GROUPS = "" -- DATASET_DELETE_PRIVILEGED_GROUP = "" +- DATASET_DELETE_PRIVILEGED_GROUPS = "" - ADMIN_GROUPS = "" - DELETE_GROUPS = "" From d24f248d54c3f311be7a13803c8ab97418d709c9 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 10:05:43 +0200 Subject: [PATCH 27/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 8bb37ed18..d07e5b7ed 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -222,7 +222,7 @@ We need a functional account that allows the ingestion process to create and upd - DATASET_UPDATE_BASIC_GROUPS = "" - DATASET_UPDATE_PRIVILEGED_GROUPS = "ingestor" - DATASET_DELETE_BASIC_GROUPS = "" -- DATASET_DELETE_PRIVILEGED_GROUP = "" +- DATASET_DELETE_PRIVILEGED_GROUPS = "" - ADMIN_GROUPS = "" - DELETE_GROUPS = "" 
From 5adaac745f73be1929bc0fb1c41929a39cf6d138 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 10:05:58 +0200 Subject: [PATCH 28/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index d07e5b7ed..545d77954 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -271,6 +271,6 @@ The process needs to list all datasets that contains the valu e_obsolete_ in the - DATASET_UPDATE_BASIC_GROUPS = "" - DATASET_UPDATE_PRIVILEGED_GROUPS = "" - DATASET_DELETE_BASIC_GROUPS = "" -- DATASET_DELETE_PRIVILEGED_GROUP = "delete_obsolete_datasets" +- DATASET_DELETE_PRIVILEGED_GROUPS = "delete_obsolete_datasets" - ADMIN_GROUPS = "" - DELETE_GROUPS = "" From ca05366e7c78a2620a5a184acca54a376144f30b Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 10:06:15 +0200 Subject: [PATCH 29/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index 545d77954..f72af8f7f 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -255,7 +255,7 @@ We need to set up a workflow to run post ingestions task. The process needs to b #### Description We need to set up a workflow to delete datasets that are more than 10 years old and are marked with the keyword _obsolete_. -The process needs to list all datasets that contains the valu e_obsolete_ in the keywords field and have creation time older than 10 years from today. Once the list has been retrieved, it has to iterate through and execute a delte command on each dataset. +The process needs to list all datasets that contains the value _obsolete_ in the keywords field and have creation time older than 10 years from today. Once the list has been retrieved, it has to iterate through and execute a delete command on each dataset. ##### Accounts From e1e6927193a22f6c6e46686917a25412f39d1012 Mon Sep 17 00:00:00 2001 From: Max Novelli Date: Wed, 20 May 2026 10:06:25 +0200 Subject: [PATCH 30/31] Apply suggestion from @alubbock Co-authored-by: Alex Lubbock --- docs/developer-guide/authorization/authorization_datasets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index f72af8f7f..e2412c18f 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md @@ -246,7 +246,7 @@ We need to set up a workflow to run post ingestions task. The process needs to b - DATASET_UPDATE_BASIC_GROUPS = "" - DATASET_UPDATE_PRIVILEGED_GROUPS = "post_ingestion_tasks" - DATASET_DELETE_BASIC_GROUPS = "" -- DATASET_DELETE_PRIVILEGED_GROUP = "" +- DATASET_DELETE_PRIVILEGED_GROUPS = "" - ADMIN_GROUPS = "" - DELETE_GROUPS = "" From 24199c32dbee868aba81a4ca14dccc3a6551b6f0 Mon Sep 17 00:00:00 2001 
From: Max Novelli Date: Wed, 20 May 2026 12:00:11 +0200 Subject: [PATCH 31/31] Update authorization_datasets.md Highlighted environmental variables --- .../authorization/authorization_datasets.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/developer-guide/authorization/authorization_datasets.md b/docs/developer-guide/authorization/authorization_datasets.md index e2412c18f..c128a05d4 100644 --- a/docs/developer-guide/authorization/authorization_datasets.md +++ b/docs/developer-guide/authorization/authorization_datasets.md 
@@ -147,16 +147,16 @@ A user will acquire the permissions from the special permissions groups up to th The following list present the environmental variables that should be configured to setup the special groups listed in the previous sections. Each variable is a comma separated list of the users' groups that acquired the special permissions linked to the special group. -- DATASET_READ_PRIVILEGED_GROUPS: groups with __Dataset Read Privileged__ permissions -- DATASET_CREATE_BASIC_GROUPS: groups with __Dataset Create Basic__ permissions -- DATASET_CREATE_EXTENDED_GROUPS: groups with __Dataset Create Extended__ permissions -- DATASET_CREATE_PRIVILEGED_GROUPS: groups with __Dataset Create Privileged__ permissions -- DATASET_UPDATE_BASIC_GROUPS: groups with __Dataset Update Basic__ permissions -- DATASET_UPDATE_PRIVILEGED_GROUPS: groups with __Dataset Update Privileged__ permissions -- DATASET_DELETE_BASIC_GROUPS: groups with __Dataset Delete Basic__ permissions -- DATASET_DELETE_PRIVILEGED_GROUPS: groups with __Dataset Delete Privileged__ permissions -- ADMIN_GROUPS: groups with __Admin__ permissions. This variable affects all the sub-systems. -- DELETE_GROUPS: groups with __Delete__ permissions. This variable affects all the sub-systems. 
+- __DATASET_READ_PRIVILEGED_GROUPS__: groups with __Dataset Read Privileged__ permissions +- __DATASET_CREATE_BASIC_GROUPS__: groups with __Dataset Create Basic__ permissions +- __DATASET_CREATE_EXTENDED_GROUPS__: groups with __Dataset Create Extended__ permissions +- __DATASET_CREATE_PRIVILEGED_GROUPS__: groups with __Dataset Create Privileged__ permissions +- __DATASET_UPDATE_BASIC_GROUPS__: groups with __Dataset Update Basic__ permissions +- __DATASET_UPDATE_PRIVILEGED_GROUPS__: groups with __Dataset Update Privileged__ permissions +- __DATASET_DELETE_BASIC_GROUPS__: groups with __Dataset Delete Basic__ permissions +- __DATASET_DELETE_PRIVILEGED_GROUPS__: groups with __Dataset Delete Privileged__ permissions +- __ADMIN_GROUPS__: groups with __Admin__ permissions. This variable affects all the sub-systems. +- __DELETE_GROUPS__: groups with __Delete__ permissions. This variable affects all the sub-systems. ## Legacy
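Review bot: In PATCH 12/31 the conflict resolution in the Access list keeps the branch line `- _sharedWith contains the user's email_ (obsolete, it will removed)` and drops the HEAD line that read "it will be removed", so the typo comes back and is only corrected again in PATCH 17/31. Keep the HEAD wording for that line when removing the markers, and use a subject that says conflict markers were removed from the document rather than "unforseen changes".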
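Review bot: In PATCH 13/31, second hunk, the last two use cases ("Post Ingestion tasks workflow" and "Automatic workflow to delete obsolete datasets") go from `#### Description` straight to `##### Accounts` without the `#### Configuration` heading that the two ingestion cases have, so Accounts and Special permissions groups end up nested under Description. Add the heading to both. The examples also set every unused variable to `""` while the group definitions give the default as _#nogroup_; state whether an empty value is equivalent to the default, or use _#nogroup_ in the examples, so nobody has to guess what an empty authorization list grants.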
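Review bot: In PATCH 18/31 the new _#all_ line for Dataset Create Privileged reads "all groups can create datasets with for any group with explicit pid", with a stray "with". Suggest "all groups can create datasets for any group with explicit pid", and consider matching the "are allowed to" phrasing used by the other _#all_ entries.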
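Review bot: In PATCH 22/31 the replacement Read row is added as `+ | Read | _DatasetRead_ | ...`, with a space before the leading pipe, whereas the removed row and the other rows of the table start at the first column. Drop the space so the row matches its neighbours. In the same table the Delete row still labels Dataset Delete Basic as "Own" where the Update row uses "Owner"; pick one term.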
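Review bot: PATCH 24/31 does more than fix the PRIVIELEGED spelling: all three legacy names change from `..._GROUP` to `..._GROUPS`, while the labels beside them ("Create Dataset with PID Group") stay singular. Please confirm the plural forms are the names the backend actually reads, because an operator who copies a wrong name from this page would be setting a variable that has no effect, and mention the rename in the commit message.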
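Review bot: In PATCH 25/31 the introductory sentence is still broken after "as" becomes "has": "includes few of the many use cases that the community has come across, found them informative". Suggest "includes a few of the many use cases the community has come across and found informative", and fix the two context lines below it in the same pass ("each special permissions groups", "a list of multiple group").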
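Review bot: In PATCH 31/31 the variable names are wrapped in `__...__`, the same markup each line already uses for the permission name, so `__DATASET_READ_PRIVILEGED_GROUPS__: groups with __Dataset Read Privileged__ permissions` gives the identifier and its description equal weight and depends on the renderer ignoring the underscores inside the name. Inline code spans are the safer choice for names that operators copy into an environment file. The context sentence above the list also needs a pass: "The following list present the environmental variables that should be configured to setup".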