Custom role issue

[meghan.good...@gmail.com]

Hello folks,

At Borealis, we had a request awhile ago to create a global custom role that would allow Contributors to manage dataset permissions but not publish. The reasoning behind creating this "ContributorPlus" role was to allow users to add collaborators, but the collection admins wanted to continue to use the submit for review workflow.

The issue is that “Edit Permissions” function allows users to make any permissions changes, including adding admin roles. Some users have been abusing this by adding collaborators as Admins and then publishing on their own. 

We're curious if it would be possible to add some logic to the permissioning so that the role would only be able to edit permissions at the level of a contributor plus or below, but not to be able to edit above their permissions role (i.e., curators, admins)? Would this be a possibility?

Any feedback would be very helpful.

Thanks,

Meghan
Borealis Team

[gwenaël doux]

Hi all,

We have a quite similar issue, here at Cirad, with some permissions linked with roles. For example, we have collection administrators which managed datasets adn dataverses inside their collection, addded contributors, etc. But with this role they can deaccessionned dataset and sometimes, the functionnality was abused by somes.

I don't know if it's possible or/and complicated to have more granularity to permissions.

[meghan.good...@gmail.com]

Thanks for your response! Yes, I think we would be interested in exploring more granularity of the permissions as well. 

[Philipp Conzett]

Hello

I think refining the configuration options for permission managing makes perfectly sense for installations that don't allow self publishing, but would like to provide depositors the rights to grant contributor or reading permissions at dataset level. So far, such requests have been handled by curators in our installation (DataverseNO).

Best, Philipp

[Philip Durbin]

I don't have much to add except to say that Jim Myers recently figured out how to split a permission into two so we're in a better position to look at this, given time, of course. :) If someone already created an issue, please let us know.

Thanks,

Phil

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/7e25a12d-d094-4f68-8135-dc8c7ada83e2n%40googlegroups.com.

--

Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin

[gwenaël doux]

Hello,

I've created an issue here  https://github.com/IQSS/dataverse/issues/9190

Gwenaël

[fa...@kb.dk]

In that context, maybe also think about new names for the different roles to make clear, whether they apply on Dataverse or Dataset level. One example is the "Curator" role, which has permissions for AddDataverse, AddDataset and ViewUnpublishedDataverse, which are redundant for Datasets. (I understand that the "Curator" role actually applies on Dataverse level, but it's confusing...)

On the other hand, a "Contributor" does not have permission for AddDataset, even though you can choose "Anyone with a Dataverse account can add datasets" on Dataverse level.

Maybe rather something like "Collection Curator", "Dataset Editor" and "Dataset Owner" or similar? Shifting terminology from "Dataverse" to "collection" will also help.

I also find the description for "Contributor" and "Curator" roles in the Permissions tab for Dataverses in combination with the Roles tab a bit tricky:

Contributor - Edit metadata, upload files, and edit files, edit Terms, Guestbook, Submit datasets for review
Curator - Edit metadata, upload files, and edit files, edit Terms, Guestbook, File Restrictions (Files Access + Use), Edit Permissions/Assign Roles + Publish

e.g. "Edit metadata" = "EditDataset"? What about "Guestbook"?

I know that this makes perfect sense within the Dataverse logic, but it's quite tough to get your head around as regular user.

Regarding misuse: We've had a similar discussion a few years ago: https://github.com/IQSS/dataverse/issues/6342

Best regards,
Falco