* The name of a role is unique across a single Arvados cluster.
* Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links.
* By default, all roles are visible to all active users. However, if the configuration entry @Users.RoleGroupsVisibleToAll@ is @false@, visibility is determined by normal permission rules, _i.e._, a role is only visible to users who have that role, and to admins.
-* By default, any user can create a new role. However, if the configuration entry @Users.CreateRoleGroups@ is @false@, only admins can create roles.
+* By default, any user can create a new role. However, if the configuration entry @Users.CanCreateRoleGroups@ is @false@, only admins can create roles.
h3. Access through Roles
Permission level can be one of the following: @can_read@, @can_write@ or @can_manage@, giving the group member read, read/write or managing privileges on the group. For backwards compatibility purposes, if any record omits the third (permission) field, it will default to @can_write@ permission. You can read more about permissions on the "group management admin guide":{{ site.baseurl }}/admin/group-management.html.
-When using @arvados-sync-groups@, consider setting @Users.CreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups.
+When using @arvados-sync-groups@, consider setting @Users.CanCreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups.
h2. Options
# cluster.
RoleGroupsVisibleToAll: true
- # If CreateRoleGroups is true, regular (non-admin) users can
+ # If CanCreateRoleGroups is true, regular (non-admin) users can
# create new role groups.
#
# If false, only admins can create new role groups.
- CreateRoleGroups: true
+ CanCreateRoleGroups: true
# During each period, a log entry with event_type="activity"
# will be recorded for each user who is active during that
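Review bot: the renamed key keeps its default at `CanCreateRoleGroups: true`, so a cluster whose config file still carries the old `CreateRoleGroups: false` falls back to allowing any user to create role groups unless the config loader rejects or maps the old name, and nothing in the visible lines does either. Either accept the old key as a deprecated alias, or make the loader fail on it, and add an upgrade note telling operators to rename the entry before upgrading. This matters most for sites following the arvados-sync-groups advice to set the value to false.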
"Users.AutoSetupNewUsersWithRepository": false,
"Users.AutoSetupNewUsersWithVmUUID": false,
"Users.AutoSetupUsernameBlacklist": false,
- "Users.CreateRoleGroups": true,
+ "Users.CanCreateRoleGroups": true,
"Users.EmailSubjectPrefix": false,
"Users.NewInactiveUserNotificationRecipients": false,
"Users.NewUserNotificationRecipients": false,
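Review bot: at `"Users.CanCreateRoleGroups": true` the key is renamed in a map where, unlike its neighbours, it is marked true. If true here means the value is published to clients, any client that reads the old `Users.CreateRoleGroups` name will now see it as absent. Please confirm that no client in the tree still reads the old name, or update those clients in the same commit.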
PreferDomainForUsername string
UserSetupMailText string
RoleGroupsVisibleToAll bool
- CreateRoleGroups bool
+ CanCreateRoleGroups bool
ActivityLoggingPeriod Duration
}
StorageClasses map[string]StorageClassConfig
if !super
return false
elsif group_class == "role" &&
- !Rails.configuration.Users.CreateRoleGroups &&
+ !Rails.configuration.Users.CanCreateRoleGroups &&
!current_user.andand.is_admin
raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
else
arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
-arvcfg.declare_config "Users.CreateRoleGroups", Boolean
+arvcfg.declare_config "Users.CanCreateRoleGroups", Boolean
arvcfg.declare_config "Users.RoleGroupsVisibleToAll", Boolean
arvcfg.declare_config "Login.LoginCluster", String
arvcfg.declare_config "Login.TrustedClients", Hash
[false, :active, false],
[true, :admin, true],
[true, :active, true],
+ [true, :inactive, false],
].each do |conf, user, allowed|
- test "config.Users.CreateRoleGroups conf=#{conf}, user=#{user}" do
- Rails.configuration.Users.CreateRoleGroups = conf
+ test "config.Users.CanCreateRoleGroups conf=#{conf}, user=#{user}" do
+ Rails.configuration.Users.CanCreateRoleGroups = conf
act_as_user users(user) do
if allowed
Group.create!(name: 'admin-created', group_class: 'role')
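Review bot: the added row `[true, :inactive, false]` runs with the setting at true, where the renamed check in the model (`!Rails.configuration.Users.CanCreateRoleGroups && !current_user.andand.is_admin`) never raises, so the expected denial comes from a different code path and the case passes regardless of whether the config is honoured. That is a useful regression test, but the test name attributes it to the config setting. Consider asserting which error the inactive user gets in the not-allowed branch, and adding `[false, :inactive, false]` so both config values are covered for inactive users.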