Prevent file downloads by guests (and other permission qs)

38 views
Skip to first unread message

Sebastian Karcher

unread,
Mar 7, 2017, 7:36:23 PM3/7/17
to Dataverse Users Community
A couple of permission questions:

1. In QDR, we require authentication for any file access. I thought I could just set this up as a dataverse admin, but I don't see a way to prevent file download by guests. Is there any way to do this easily? Any suggested ways to do this?

2. As a corollary, we do want to keep the option open to have some datasets be traditional open data (i.e. freely downloadable without need for registration) in the future, so the solution to 1. should not close the door on that.

3. We want authenticated users to be able to propose but not publish datasets. Do I understand correctly that dataset creator is the right role for this? We found the permission descriptions a bit hard to parse, to be honest.

Thanks as always,
Sebastian

Philip Durbin

unread,
Mar 7, 2017, 9:05:40 PM3/7/17
to dataverse...@googlegroups.com
The way to prevent file download by guests is to restrict files before they are published: http://guides.dataverse.org/en/4.6/user/dataset-management.html#restricted-files-terms-of-access

Restricting files in some datasets won't close the door to having open data in others.

Yeah, permissions are a bit confusing. The User Guide should describe permissions better.* The really important quote for your use case is this one: "The Edit Access pop up allows you to also select if someone adding a dataset to this dataverse should be allowed to publish it (Curator role) or if the dataset will be submitted to the administrator of this dataverse to be reviewed then published (Contributor role)." http://guides.dataverse.org/en/4.6/user/dataverse-management.html#permissions

I hope this helps!

Phil

* https://github.com/IQSS/dataverse/issues/2653


--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/5aa9563b-5b7e-476b-a147-d2dc48bbe90f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Sebastian Karcher

unread,
Mar 7, 2017, 9:23:56 PM3/7/17
to dataverse...@googlegroups.com
Thanks Phil,

the second part definitely does help, so that'll work smoothly.
But I'm struggling with the file restrictions: how would I set up a dataverse/file restricton combination where authenticated users _can_ download files (without having to separately request access) but guests can not?

Sebastian


On Tue, Mar 7, 2017 at 9:05 PM, Philip Durbin <philip...@harvard.edu> wrote:
The way to prevent file download by guests is to restrict files before they are published: http://guides.dataverse.org/en/4.6/user/dataset-management.html#restricted-files-terms-of-access

Restricting files in some datasets won't close the door to having open data in others.

Yeah, permissions are a bit confusing. The User Guide should describe permissions better.* The really important quote for your use case is this one: "The Edit Access pop up allows you to also select if someone adding a dataset to this dataverse should be allowed to publish it (Curator role) or if the dataset will be submitted to the administrator of this dataverse to be reviewed then published (Contributor role)." http://guides.dataverse.org/en/4.6/user/dataverse-management.html#permissions

I hope this helps!

Phil

* https://github.com/IQSS/dataverse/issues/2653

On Tue, Mar 7, 2017 at 7:36 PM, Sebastian Karcher <sebastiankarcher2008@u.northwestern.edu> wrote:
A couple of permission questions:

1. In QDR, we require authentication for any file access. I thought I could just set this up as a dataverse admin, but I don't see a way to prevent file download by guests. Is there any way to do this easily? Any suggested ways to do this?

2. As a corollary, we do want to keep the option open to have some datasets be traditional open data (i.e. freely downloadable without need for registration) in the future, so the solution to 1. should not close the door on that.

3. We want authenticated users to be able to propose but not publish datasets. Do I understand correctly that dataset creator is the right role for this? We found the permission descriptions a bit hard to parse, to be honest.

Thanks as always,
Sebastian

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Sebastian Karcher, PhD
www.sebastiankarcher.com

Philip Durbin

unread,
Mar 7, 2017, 10:36:36 PM3/7/17
to dataverse...@googlegroups.com
There should be a built-in group called "all authenticated users" or something that you can give the FileDownloader role to at the dataset level. If that's what you want. Seems a little broad. It's up to you.




--
Sebastian Karcher, PhD
www.sebastiankarcher.com

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.

Sebastian Karcher

unread,
Mar 7, 2017, 10:43:53 PM3/7/17
to dataverse...@googlegroups.com
Yes, I think that'll work. So we'd restrict all current files, and by default give access to :authenticated-users
For actually restricted files we just wouldn't grant access to any group, and for open data we wouldn't restrict the files at all.
That also sets us up for future more fine-grained permissions (e.g. access by users of a certain institution etc.)
That works, thanks!



--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Durand, Gustavo

unread,
Mar 8, 2017, 5:50:45 PM3/8/17
to dataverse...@googlegroups.com
I'd like to elaborate a little on this, as we've seem some confusion with this. The permissions system is a little complex, but purposefully so, in order to allow for all the different workflows different users / institutions want to support.

The * Creator Roles (Dataverse Creator, Dataset Creator, and Dataverse + Dataset Creator role) are roles that are assigned at the Dataverse level, They allow you to decide who can add things to your dataverse

You can set these roles manually, but the Permissions box on the Permissions page is meant to make things easier. The first question "Who can add to this dataverse?" allows you to configure this for manual assignment or for all authenticated users (there are 4 radio buttons because there are 3 * Creator roles).

Please note, though, that this doesn't tell you what that user can do on the created objects, just that they can create them.


When you create an object, then, we have added code to automatically grant you a role on the newly created object. There is nothing inherently different from being automatically granted a role or manually being assigned that role.

Dataverses are simple: if you create a dataverse, you are automatically made a new Admin of that dataverse.

Datasets have two options: when you create a new dataset, you can be automatically granted Contributor role (can edit but not publish or manage permissions), or Curator role (can edit, publish, and manage permissions). Which of these roles is assigned to you is defined at the dataverse. That is what the the 2nd question in the permissions box, "What should be the default role for someone adding datasets to this dataverse?", allows you to configure.

Please note that these role, Contributor and Curator (as well as others), are allowed to be set at the dataverse level. The purpose of this is to allow a user to have that role on all datasets within that dataverse. For example, if you give a user Contributor role at the dataverse level, they will be able to edit all datasets within this dataverse. 

I hope this helps a little with the understanding on permissions. As Phil pointed out, we do have an issue to improve the documentation on this. If the above helped, please let us know and we can use it or a variation as a basis for the updated documentation.




On Tue, Mar 7, 2017 at 9:23 PM, Sebastian Karcher <kar...@u.northwestern.edu> wrote:
Thanks Phil,

the second part definitely does help, so that'll work smoothly.
But I'm struggling with the file restrictions: how would I set up a dataverse/file restricton combination where authenticated users _can_ download files (without having to separately request access) but guests can not?

Sebastian

On Tue, Mar 7, 2017 at 9:05 PM, Philip Durbin <philip...@harvard.edu> wrote:
The way to prevent file download by guests is to restrict files before they are published: http://guides.dataverse.org/en/4.6/user/dataset-management.html#restricted-files-terms-of-access

Restricting files in some datasets won't close the door to having open data in others.

Yeah, permissions are a bit confusing. The User Guide should describe permissions better.* The really important quote for your use case is this one: "The Edit Access pop up allows you to also select if someone adding a dataset to this dataverse should be allowed to publish it (Curator role) or if the dataset will be submitted to the administrator of this dataverse to be reviewed then published (Contributor role)." http://guides.dataverse.org/en/4.6/user/dataverse-management.html#permissions

I hope this helps!

Phil

* https://github.com/IQSS/dataverse/issues/2653

On Tue, Mar 7, 2017 at 7:36 PM, Sebastian Karcher <sebastiank...@u.northwestern.edu> wrote:
A couple of permission questions:

1. In QDR, we require authentication for any file access. I thought I could just set this up as a dataverse admin, but I don't see a way to prevent file download by guests. Is there any way to do this easily? Any suggested ways to do this?

2. As a corollary, we do want to keep the option open to have some datasets be traditional open data (i.e. freely downloadable without need for registration) in the future, so the solution to 1. should not close the door on that.

3. We want authenticated users to be able to propose but not publish datasets. Do I understand correctly that dataset creator is the right role for this? We found the permission descriptions a bit hard to parse, to be honest.

Thanks as always,
Sebastian

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

To post to this group, send email to dataverse-community@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Sebastian Karcher, PhD
www.sebastiankarcher.com

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages