---
layout: default
-navsection: api
+navsection: architecture
navmenu: Concepts
title: "Permission model"
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
* There are four levels of permission: *none*, *can_read*, *can_write*, and *can_manage*.
** *none* is the default state when there are no other permission grants.
-*** the object is not returned by any list query.
+*** the object is not included in any list query response.
*** direct queries of the object by uuid return 404 Not Found.
*** Link objects require valid identifiers in @head_uuid@ and @tail_uuid@, so an attempt to create a Link that references an unreadable object will return an error indicating the object is not found.
** *can_read* grants read-only access to the record. Attempting to update or delete the record returns an error. *can_read* does not allow a reader to see any permission grants on the object except the object's owner_uuid and the reader's own permissions.
** A "role" is a subtype of Group that is treated in Workbench as a group of users who have permissions in common (typically an organizational group).
* To change the @owner_uuid@ field, it is necessary to have @can_write@ permission on both the current owner and the new owner.
-h2. Permission links
+h2(#links). Permission links
A link object with
* *can_read* on a Collection grants permission to read the blocks that make up the collection (API server returns signed blocks)
* If User or Group X *can_FOO* Group A, and Group A *can_manage* User B, then X *can_FOO* _everything that User B can_FOO_.
-h2. System user and group
+h2(#system). System user and group
A privileged user account exists for the use by internal Arvados components. This user manages system objects which should not be "owned" by any particular user. The system user uuid is @{siteprefix}-tpzed-000000000000000@.
h2. Anoymous user and group
-An Arvado site may be configued to allow users to browse resources without requiring a log in. In this case, permissions for non-logged-in users are associated with the "anonymous" user. To make objects visible to the public, they can be shared with the "anonymous" group. The anonymous user uuid is @{siteprefix}-tpzed-anonymouspublic@.
+An Arvado site may be configued to allow users to browse resources without requiring a log in. In this case, permissions for non-logged-in users are associated with the "anonymous" user. To make objects visible to the public, they can be shared with the "anonymous" group. The anonymous user uuid is @{siteprefix}-tpzed-anonymouspublic@. The anonymous group uuid is @{siteprefix}-j7d0g-anonymouspublic@.
+
+h2. Example
+
+!(full-width){{site.baseurl}}/images/Arvados_Permissions.svg!
projects / arvados.git / blobdiff