X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d63eaa465e157dd289a80738c5da83edaf03e784..HEAD:/doc/api/permission-model.html.textile.liquid diff --git a/doc/api/permission-model.html.textile.liquid b/doc/api/permission-model.html.textile.liquid index 82e8128c6e..2d589e2709 100644 --- a/doc/api/permission-model.html.textile.liquid +++ b/doc/api/permission-model.html.textile.liquid @@ -46,7 +46,7 @@ This grants the permission in @name@ for @tail_uuid@ accessing @head_uuid@. If a User has *can_manage* permission on some object, the user has the ability to read, create, update and delete permission links with @head_uuid@ of the managed object. In other words, the user has the ability to modify the permission grants on the object. -The *can_login* @name@ is only meaningful on a permission link with with @tail_uuid@ a user UUID and @head_uuid@ a Virtual Machine UUID. A permission link of this type gives the user UUID permission to log into the Virtual Machine UUID. The username for the VM is specified in the @properties@ field. Group membership can be specified that way as well, optionally. See the "VM login section on the CLI cheat sheet":/install/cheat_sheet.html#vm-login for an example. +The *can_login* @name@ is only meaningful on a permission link with with @tail_uuid@ a user UUID and @head_uuid@ a Virtual Machine UUID. A permission link of this type gives the user UUID permission to log into the Virtual Machine UUID. The username for the VM is specified in the @properties@ field. Group membership can be specified that way as well, optionally. See the "VM login section on the 'User management at the CLI' page":{{ site.baseurl }}/admin/user-management-cli.html#vm-login for an example. h3. Transitive permissions @@ -66,7 +66,7 @@ A "project" is a subtype of Group that is displayed as a "Project" in Workbench, * The name of a project is unique only among projects and filters with the same owner_uuid. * Projects can be targets (@head_uuid@) of permission links, but not origins (@tail_uuid@). Putting a project in a @tail_uuid@ field is an error. -A "filter" is a subtype of Group that is displayed as a "Project" in Workbench, and as a directory by @arv-mount@. See "the groups API documentation":/api/methods/groups.html for more information. +A "filter" is a subtype of Group that is displayed as a "Project" in Workbench, and as a directory by @arv-mount@. See "the groups API documentation":{{ site.baseurl }}/api/methods/groups.html for more information. * A filter group cannot own things (cannot appear in @owner_uuid@). Putting a filter group in an @owner_uuid@ field is an error. * A filter group can be owned by a user or a project. * The name of a filter is unique only among projects and filters with the same owner_uuid. @@ -77,6 +77,8 @@ A "role" is a subtype of Group that is treated in Workbench as a group of users * All roles are owned by the system user. * The name of a role is unique across a single Arvados cluster. * Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links. +* By default, all roles are visible to all active users. However, if the configuration entry @Users.RoleGroupsVisibleToAll@ is @false@, visibility is determined by normal permission rules, _i.e._, a role is only visible to users who have that role, and to admins. +* By default, any user can create a new role. However, if the configuration entry @Users.CanCreateRoleGroups@ is @false@, only admins can create roles. h3. Access through Roles @@ -102,6 +104,8 @@ A user can only read a container record if the user has read permission to a con *can_manage* access to a user grants can_manage access to the user, _and everything owned by that user_ . If a user A *can_read* role R, and role R *can_manage* user B, then user A *can_read* user B _and everything owned by that user_ . +Modifying a role group requires *can_manage* permission (by contrast, *can_write* is sufficient to modify project groups and other object types). + h2(#system). System user and group A privileged user account exists for the use by internal Arvados components. This user manages system objects which should not be "owned" by any particular user. The system user uuid is @{siteprefix}-tpzed-000000000000000@.