A user (person) is permitted to act on an object if there is a path (series of permission Links) from the acting user to the object in which
-* Every intervening object is a Group or a User, and
+* Every intervening object is a Group, and
* Every intervening permission Link allows the current action
+Special case: A permission path can also include intervening User objects if the links _to_ the Users are "can_manage" links.
+
Each object has exactly one _owner_, which can be either a User or a Group.
* If the owner of X is A, then A is permitted to do any action on X.
table(table table-bordered table-condensed).
|Tail |Permission |Head |Effect|
|Group: Ashton Lab Admin|can_manage |User: Lab Member 1 |Lab member 1 is in this administrative group|
-|Group: Ashton Lab Admin|can_manage |User: Lab Member 2 |Lab member 1 is in this administrative group|
-|Group: Ashton Lab Admin|can_manage |User: Lab Member 3 |Lab member 1 is in this administrative group|
+|Group: Ashton Lab Admin|can_manage |User: Lab Member 2 |Lab member 2 is in this administrative group|
+|Group: Ashton Lab Admin|can_manage |User: Lab Member 3 |Lab member 3 is in this administrative group|
|Group: Ashton Lab Admin|can_manage |User: Alison |Alison is in this administrative group|
|Group: Ashton Lab Admin|can_manage |User: George |George is in this administrative group|
|Alison |can_manage |Group: Ashton Lab Admin |Alison can do everything the above lab members can do|
projects / arvados.git / blobdiff