Question on roles


Péter Király

Jan 27, 2023, 6:53:17 AM
to dataverse...@googlegroups.com
Dear Dataverse community,

I found that the API and the web UI are not working similarly. I tested it in 5.11.1. Here is a summary:

If I create a new role ("reviewer") for the root dataverse, it is displayed only in the root's roles list. It is not displayed in other dataverses' role lists, and I cannot create another role with the same machine name elsewhere.

Displaying a newly created role in the list of roles:

web:
- root dataverse: it is shown
- elsewhere: it is not shown

API:
- root dataverse: it is shown
- elsewhere: it is not shown

Assign role to user/group:

web:
- root dataverse: possible
- elsewhere: I cannot assign the same role in another dataverse, because it is not displayed among the selectable roles

API:
- root dataverse: possible
- elsewhere: possible

Checking the list of Users/Groups (assignments).

web:
- root dataverse: the assignment is shown in the list
- elsewhere: it isn't.

API:
- root dataverse: the assignment is shown in the list
- elsewhere: the assignment is shown in the list

I haven't found an explanation in the Dataverse guide.

- Do you know if this inconvenience is by design, or is it rather a bug?
- What would be your expectation regarding newly created roles (those which are not packed in a freshly installed Dataverse)? Mine would be that if I create a new role in the root, it is visible and usable elsewhere in both the web UI and API, but maybe you have a different opinion.

Best,
Péter
--
Péter Király
software developer
GWDG, Göttingen - Europeana - eXtensible Catalog - The Code4Lib Journal
http://linkedin.com/in/peterkiraly

Philip Durbin

Jan 27, 2023, 8:40:20 AM
to dataverse...@googlegroups.com
Hi Péter,

It sounds like a bug to me. I just looked through open issues but I can't find one. Please feel free to create one.

Thanks,

Phil


--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/CABFhGtmvbkW%2BbH68WV3OugVsvFaoOm_feu%3DToSN9LyHeMsUBnQ%40mail.gmail.com.

Philip Durbin

Jan 27, 2023, 11:00:08 AM
to dataverse...@googlegroups.com

Dario Basset

Jan 31, 2023, 10:19:37 AM
to Dataverse Users Community
We also have some misunderstandings on roles.

Dear Péter, you said you created a role in the root dataverse. Are you talking about dataverse collection level roles, I suppose?
You're not talking about global roles, can you confirm?

Unfortunately we're using 4.20, but we'll migrate shortly to a new version. Anyway we also found that the role system is not really clear.
It seems that roles created in root dataverse are global, but we're not sure.

If you have other discoveries, please share with us.

Dario Basset

Feb 6, 2023, 8:54:58 AM
to Dataverse Users Community
After some thinking and some experiments, we think that @pkiraly created a local role (a role affecting the single dataverse).

In fact, we have created via the web interface a new local role on our root dataverse, which is called dvmanager.
See attached pic.
Then we have queried the root dataverse, but no dvmanager role is found. See attached json.
Hence there is a behaviour which we do not understand.

@pkiraly: when you write that the global role you created is found by API, which API did you use? Are you sure that the created role is a global one?
Can you confirm that you found the role you created among the global roles using API?

To let you know, we issued the following:

Finally, how to create a global role? How to delete it?
dataverse.unimi.it.json
dvmanager.png

Péter Király

Feb 6, 2023, 9:38:30 AM
to dataverse...@googlegroups.com
Dear Dario,

I have created a local role. I don't know how to create a global
role at all. My guess is that it is either not possible or not documented.
Maybe these concepts are named differently, because the documentation simply
talks about "roles"; neither "local roles" nor "global roles" is found
in the documentation according to search results.

I have used the following API calls:

to create a new role for a dataverse:
curl -H "X-Dataverse-key:$API_TOKEN" -X POST "$SERVER_URL/api/dataverses/$ID/roles" --upload-file roles.json

list roles of a dataverse:
curl -H "X-Dataverse-key:$API_TOKEN" "$SERVER_URL/api/dataverses/$ID/roles"

assign a role to a user/group:
curl -H "X-Dataverse-key:$API_TOKEN" -X POST -H "Content-Type: application/json" "$SERVER_URL/api/dataverses/$ID/assignments" --upload-file role.json

list role assignments in a dataverse:
curl -H "X-Dataverse-key:$API_TOKEN" "$SERVER_URL/api/dataverses/$ID/assignments"

Best,
Péter

Dario Basset

Feb 6, 2023, 9:51:33 AM
to Dataverse Users Community
Dear Péter,
Thank you so much.

According to the documentation, you can create global roles, i.e. that are visible to all the dataverses.
You can find info here at the paragraph Create Global Role. It's part of the admin capabilities.
If you want to have roles that are visible to all the installation, this is the way to go.
And by the way, this is the way that we need.

Having 4.20 version, we are afraid that the global role functionality is not completely implemented.
Anyway, if you happen to experiment with global roles with version 5, just keep us updated.
Thank you!

Philip Durbin

Feb 6, 2023, 1:42:01 PM
to dataverse...@googlegroups.com
I don't mean to rain on anyone's parade, to burst anyone's bubble, to yuck anyone's yum, but...

With "ManageDataversePermissions" and "ManageDatasetPermissions" you can give yourself permission to publish. This is known in security circles as privilege escalation. So please be careful!


Thanks,

Phil
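
An added example, not part of Phil's message or of the Dataverse code base: a check over the output of the "list roles" and "list role assignments" calls posted earlier in the thread, reporting custom roles that carry one of the two permissions named above while withholding a publish permission, and who holds them. The response field names (data, alias, permissions, assignee, _roleAlias) and the sample permission sets are assumptions constructed for illustration.

```python
import json

# The two permissions named in the message above as letting a holder grant
# themselves further rights, and the publish rights they make reachable.
GRANTING = {"ManageDataversePermissions", "ManageDatasetPermissions"}
PUBLISH = {"PublishDataverse", "PublishDataset"}

# Constructed sample of a "list roles of a dataverse" response; the field names
# (data, alias, permissions) and these permission sets are assumptions.
ROLES_JSON = """{"status": "OK", "data": [
  {"alias": "reviewer",  "permissions": ["ViewUnpublishedDataset", "ManageDatasetPermissions"]},
  {"alias": "dvmanager", "permissions": ["AddDataset", "ManageDataversePermissions",
                                         "ManageDatasetPermissions", "PublishDataset"]},
  {"alias": "depositor", "permissions": ["AddDataset"]}
]}"""

# Constructed sample of a "list role assignments" response; assignee and
# _roleAlias are assumed field names.
ASSIGNMENTS_JSON = """{"status": "OK", "data": [
  {"assignee": "@alice", "_roleAlias": "reviewer"},
  {"assignee": "@bob",   "_roleAlias": "depositor"},
  {"assignee": "&explicit/1-curators", "_roleAlias": "dvmanager"}
]}"""


def escalating_roles(roles_doc):
    """Map role alias -> publish permissions it withholds despite a granting right."""
    found = {}
    for role in roles_doc.get("data", []):
        perms = set(role.get("permissions", []))
        if perms & GRANTING:
            found[role["alias"]] = sorted(PUBLISH - perms)
    return found


def affected_assignees(roles_doc, assignments_doc):
    """Map assignee -> sorted aliases of the flagged roles they hold."""
    risky = escalating_roles(roles_doc)
    held = {}
    for a in assignments_doc.get("data", []):
        if a.get("_roleAlias") in risky:
            held.setdefault(a["assignee"], set()).add(a["_roleAlias"])
    return {who: sorted(aliases) for who, aliases in held.items()}


if __name__ == "__main__":
    roles, assignments = json.loads(ROLES_JSON), json.loads(ASSIGNMENTS_JSON)
    for alias, withheld in escalating_roles(roles).items():
        print(f"{alias}: manages permissions, withholds {', '.join(withheld) or 'nothing'}")
    for who, aliases in affected_assignees(roles, assignments).items():
        print(f"{who} holds {', '.join(aliases)}")
```

A role that appears in the first report restricts publishing in name only, so its assignees should be reviewed as if they already had the withheld permissions.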

Durand, Gustavo

Feb 6, 2023, 5:31:10 PM
to dataverse...@googlegroups.com
I haven't looked at the code for this recently, but I would expect that if you do create a role at a Dataverse Collection level, that it would be available for any collections in its branch. If it's not, I would call that a bug.

And yes, if you want it to be a role that exists as the other roles do, it needs to be a Global role using the admin api as described in the link Dario sent out.

(the difference in the db is whether there is a value in the dataverse_id column)

Dario Basset

Feb 7, 2023, 4:09:29 AM
to Dataverse Users Community
Thx Gustavo, Philip and Péter.
@philip => of course we need to manage also the permissions, you are right, otherwise the restrictions we want to use are useless.
@gustavo => We could not find the right API verb that can delete a global role in 4.20! It seems that in 4.20 this capability was not yet implemented. If you have info about this "delete global role" in 4.20 please share. That would definitely solve our case, we could define a global role which is inherited by all dataverses in the installation.

Durand, Gustavo

Feb 7, 2023, 5:42:54 PM
to dataverse...@googlegroups.com
Dario,

It looks like delete was added in Dataverse 5.4, in this PR:


Before then, you would have to manually delete it from the database.

(Do note that you should not delete the built-in roles that the software provides upon setup, as some parts of the code may rely on their existing.)

Also, note that the intended design would be to add any roles as a custom role at the root level. But due to the aforementioned bug, it is not inherited. We have prioritized that issue and I expect that it will be fixed by 5.14. (not 5.13 which is due in the next week or so)

Gustavo


Dario Basset

Feb 8, 2023, 1:56:13 AM
to dataverse...@googlegroups.com
Thank you Gustavo.
This is clear.
