permissions and ":authenticated-user"

35 views
Skip to first unread message

Jamie Jamison

unread,
Jul 16, 2019, 7:31:32 PM7/16/19
to Dataverse Users Community
I'm trying to set up a sub-dataverse for library materials that are limited to users affiliated with UCLA.  Patrons would log in through shibboleth and be able to download material.

I found a role -  " Anyone with a dataverse account | :authenticated-users "

I thought this might force users to log in when they try to download. But this doesn't happen, anyone logged in or not can download. I can't tell if this has to do with shibboleth or I might be misunderstanding what ":authenticated-users" does.

I'd set this up as restricted but the librarian who would be admin doesn't want to deal with the requests.  His idea is they come in through shibboleth and download.

Thank you,

Jamie

Sherry Lake

unread,
Jul 16, 2019, 10:25:25 PM7/16/19
to dataverse...@googlegroups.com
Hi Jamie,

UVA has shibboleth-only log in, so only UVa folks can create accounts.

I have, on our test server, a sub-dataverse where "authenticated-users" can only download. Here's a screen shot of the sub-dataverse permissions (which populates through all datasets in that sub-directory - no other permissions set up for datasets):
Screen Shot 2019-07-16 at 10.08.45 PM.png

A non-logged in user sees this for all files in any dataset in the sub-dataverse; there is no download button  (The text "File accessible to ...." we put in the file description):
Screen Shot 2019-07-16 at 10.03.30 PM.png



Once logged on, via shibboleth, the download button appears:
Screen Shot 2019-07-16 at 10.16.29 PM.png


--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/cf2590d5-bfc3-472e-9a38-e2b71b11c45e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Durand, Gustavo

unread,
Jul 16, 2019, 10:32:50 PM7/16/19
to dataverse...@googlegroups.com
Hi Jamie,

Just to be completely clear about these scenarios, you do have to restrict the file. Adding the File Dowloader role (as Sherry did) only works, if the file is restricted in the first place. But if it is, then the :authenticated-users role would allow anyone logged in to download.

In the future, when we have DataTags support, it would be a little different. You would just need to set the file as "green". Where blue is anyone can download, green is anyone who has authenticated can download.

Hope that helps.
Gustavo

On Tue, Jul 16, 2019 at 10:25 PM Sherry Lake <shla...@gmail.com> wrote:
Hi Jamie,

UVA has shibboleth-only log in, so only UVa folks can create accounts.

I have, on our test server, a sub-dataverse where "authenticated-users" can only download. Here's a screen shot of the sub-dataverse permissions (which populates through all datasets in that sub-directory - no other permissions set up for datasets):
Screen Shot 2019-07-16 at 10.08.45 PM.png

A non-logged in user sees this for all files in any dataset in the sub-dataverse; there is no download button  (The text "File accessible to ...." we put in the file description):
Screen Shot 2019-07-16 at 10.03.30 PM.png



Once logged on, via shibboleth, the download button appears:
Screen Shot 2019-07-16 at 10.16.29 PM.png


On Tue, Jul 16, 2019 at 7:31 PM Jamie Jamison <jam...@g.ucla.edu> wrote:
--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/cf2590d5-bfc3-472e-9a38-e2b71b11c45e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

Sherry Lake

unread,
Jul 17, 2019, 7:15:26 AM7/17/19
to dataverse...@googlegroups.com
Yes, thanks Gustavo. The files are restricted. 

I forgot that important point. That’s what I get when replying without my notes & relying on memory. 

Sherry

Philip Durbin

unread,
Jul 17, 2019, 8:03:22 AM7/17/19
to dataverse...@googlegroups.com
Hi Jamie and all,

When I hear you say this: "I'm trying to set up a sub-dataverse for library materials that are limited to users affiliated with UCLA.  Patrons would log in through shibboleth and be able to download material."

I'm strongly reminded of a blog post[1] about how only Harvard affiliates are allowed to download data from https://dataverse.harvard.edu/dataverse/HarvardSubscriptionData

In a similar fashion, only MIT affiliates can download restricted data from https://dataverse.harvard.edu/dataverse/mit

Harvard Dataverse makes use of the "Institution-Wide Shibboleth Groups" feature to achieve this: http://guides.dataverse.org/en/4.15.1/installation/shibboleth.html#institution-wide-shibboleth-groups

The idea is that Harvard Dataverse creates two of these groups, one for Harvard and one for MIT. (We might have more; I'm not sure.)

Then someone gives permission to this group (file downloader, I assume) on the dataverse in question.

As you say, this eliminates any effort going into maintaining lists of who should have access based on their affiliation. If they have MIT credentials, they get access to that restricted data. If they leave MIT, poof, that access is gone.

I hope this helps,

Phil


For more options, visit https://groups.google.com/d/optout.

Jamie Jamison

unread,
Jul 17, 2019, 1:23:00 PM7/17/19
to Dataverse Users Community
Thank you Sherry, Gustavo and Phil,

Following your explanations the datavers on the test site is setup. 

Jamie
Reply all
Reply to author
Forward
0 new messages