Inheriting roles from dataverse to dataset level


Leif Longva

May 11, 2016, 5:48:13 AM
to Dataverse Users Community

In our 4.3 test installation of Dataverse, access permissions/roles at the dataverse level seem to be inherited to the dataset level. If you enter into a dataset as admin, and you then go to Edit > Permissions > Dataset, I would expect to see a list of those who are assigned a role for this dataset, most often this would be the role Contributor for the creator of the dataset. But instead I get a list of all roles assigned at the dataverse level within the dataverse in question. For instance all “common” users in the Dataverse are here listed with the Dataset Creator role. Can this inheritance feature be switched off, or is this a bug that will be fixed?


Yours,

Leif Longva

UiT The Arctic University of Norway

Philip Durbin

May 11, 2016, 6:33:13 AM
to dataverse...@googlegroups.com
Hi Leif,

Would you be able to attach a screenshot of what you're looking at? I think this will help us understand. It sounds like at the very least what you see is confusing or at least unexpected so you're welcome to open an issue and upload the screenshot there.

I know some work went into a "permissions UX" branch at https://github.com/IQSS/dataverse/tree/2572-permissions-ux but it hasn't been merged and I don't think it changes anything with inheritance. There's some related chatter at https://github.com/IQSS/dataverse/issues/2255

Thanks,

Phil

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/5d8b0f74-929a-46cc-812e-aedb98bef879%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




Leif Longva

May 11, 2016, 7:30:53 AM
to Dataverse Users Community, philip...@harvard.edu

Thank you Phil

Please see enclosed, from our 4.2.3 test-version (it is still the same in 4.3). When I, as Dataverse Admin, try to look at permissions for a single dataset (at root), all users with various roles in root are listed. Even users with no access to this dataset are listed. Should the list not be limited to those users who have access to do something with the actual dataset?

Leif




DV4_permissionillustration.png

Philip Durbin

May 11, 2016, 8:01:12 AM
to dataverse...@googlegroups.com
The screenshot is extremely helpful. Thanks.

So you're creating a dataset in the root and when you look at the permissions for that dataset you see roles that have been assigned in the dataset's parent, which is the root dataverse. This is expected.

I guess my first thought is that since your :authenticated-users (Anyone with a Dataverse account) has the "Dataset Creator" role at the root dataverse, having the same role ("Dataset Creator") assigned to individuals at the root dataverse is redundant. @LeifLong, for example, already has the "Dataset Creator" role due to being one of the :authenticated-users.

As for who has access to that dataset in the root, I'm pretty sure all those roles are meaningful and legitimate. That is to say, anyone who is a Curator at the root dataverse can probably publish datasets in the root. Contributors can edit them. If these people are part of your team this is fine but you probably don't want end users editing each other's datasets.

There's a section on permissions at http://guides.dataverse.org/en/4.3/user/dataverse-management.html but probably some more explanation should be added.

I hope this is helping. I'd be curious to hear what other people who have installed Dataverse 4 and have been playing with permissions think about all this. I know the University of Virginia doesn't let their authors have a role higher than "Contributor" which means I need to go fix https://github.com/IQSS/dataverse/issues/1070 :) . There's flexibility and complexity in Dataverse 4 permissions.

Phil


Leif Longva

May 11, 2016, 8:59:17 AM
to Dataverse Users Community, philip...@harvard.edu
What is most confusing is that e.g. our user @Udmurt01 is listed as a "Dataset Creator" in this list of "Dataset Permissions". @Udmurt01 has no role or permissions in this particular dataset. So it looks like all users with any role in root are listed in this list of "Dataset Permissions", which looks like a bug. I would expect only users that do have a role with permissions regarding the particular dataset should have been listed. 

Leif

Philip Durbin

May 11, 2016, 9:47:28 AM
to dataverse...@googlegroups.com
Hmm. You're right. It's weird. When you are looking at the permissions of a dataset, how valuable is it for you to be given a list of people who can create a dataset ("Dataset Creator" role) in the same container (dataverse) that your dataset happens to live in? It's probably Too Much Information. In fact, at the dataset level perhaps the rule should be that if you don't see a role listed under "Roles" (which you have to expand, I'll attach a screenshot from 4.2.3) then you shouldn't see the role listed under "Users/Groups" because the role doesn't apply. That is to say that out of the box there are five permissions that apply at the dataset level (listed under "Roles" in the screenshot)...

- Admin
- Contributor
- Curator
- File Downloader
- Member

(Yesterday we were debating whether we could stop showing "Admin" at the dataset level since "Curator" has equivalent permissions at the dataset level, but this is a little beside the point.)

... and below are additional permissions that are shown at the dataset level that don't actually apply at the dataset level. If we decide this is a bug (or at least causes confusion), we could look into changing the code so they are not displayed under permissions at the dataset level:

- Dataset Creator (AddDataset permission)
- Dataverse Creator (AddDataverse permission)
- Dataverse + Dataset Creator (AddDataverse and AddDataset permission)

Dataset Creator is confusing because why do I care who can create datasets in the dataverse that my dataset lives in? If I want this information, I'll go up a level and look at the permissions on the parent dataverse... hmm, unless this isn't possible because I don't have ManageDataversePermissions (because I'm not an "Admin") at the dataverse (root or otherwise) in which my dataset lives... end users wouldn't be "Admin" at the root dataverse. There's at least one installation that doesn't let authors be "Admin" or "Curator". So maybe that's why "Dataset Creator" is shown... in case you're wondering who else can create datasets in the dataverse your dataset lives in. Maybe it's a feature. :)

Dataverse Creator doesn't make a lot of sense to show at the dataset level because dataverses can't be created inside datasets.

Dataverse + Dataset Creator perhaps should still be shown if we decide (as I'm puzzling about above) that it's a feature to know who can create datasets next to yours (in the same dataverse).

Phew! Permissions. What do others think? I think I need to go lie down. :)

Phil



Permissions_-_This_dataset_is_in_the_root_dataverse_-_2016-05-11_09.26.28.png

Philipp UiT

May 11, 2016, 10:40:28 AM
to Dataverse Users Community, philip...@harvard.edu
Hi Philip,

I'm a colleague of Leif, also working with our Dataverse installation.

The issue here is not primarily about displaying the roles at the dataset level, but on how roles are inherited from the dataverse level to the dataset level. As I see it, there is a bug somewhere, either in the software, or it could be due to improper installation/configuration by us.

If I'm not mistaken, in the Harvard Dataverse, right after creating an account, "common" users will i.a. be able to
- create a dataset right under the Harvard Dataverse (= the root dataverse),
- create a sub dataverse (and after that a sub-sub dataverse and so on; once they have created a sub dataverse, they will automatically be the administrator of this sub dataverse),
- edit their datasets and sub dataverses
- publish their datasets

Doesn't this mean that "common" users must be given the curator role in the Harvard Dataverse (= the root dataverse)? If this is correct, and the Harvard Dataverse is behaving like our 4.3 test installation, then "common" user A is able to go to dataset B1 created by user B and modify it, because user A's curator role at the root level is automatically inherited to the dataset level (meaning ALL datasets under root, no matter who created them). I cannot imagine that the Harvard Dataverse is working like this. So I think there must be a way of configuring whether user roles should be inherited from the dataverse level to the dataset level.

Best,
Philipp

Philip Durbin

May 11, 2016, 10:56:33 AM
to dataverse...@googlegroups.com
Here's the key... in your root dataverse (or any dataverse, really) you can choose whether "common" users are granted the "Contributor" role (the default) or the "Curator" role on the datasets they create within that dataverse. This role is granted on the dataset level. The root dataverse at https://dataverse.harvard.edu is configured the non-default way, which is to say that if a user signs up for an account and creates a dataset in the root dataverse, they get the "Curator" role for the dataset they created. This allows the user to publish their own dataset and manage the permissions on their dataset (things that a "Contributor" can't do).

The question is phrased this way: "What should be the default role for someone adding datasets to this dataverse?" Here's a screenshot: http://guides.dataverse.org/en/4.3/_images/dv3.png

Some subdataverses of https://dataverse.harvard.edu (not the root) only allow "common" users to create datasets but not publish them, which is to say that the users get the "Contributor" role. A common use case for this is a dataverse for a journal where the journal editors want the authors to click "Submit for Review" rather than "Publish". Then the journal editor has reviewers look at the dataset. After the journal editor has feedback from reviewers, the journal editor (who has the "Curator" or "Admin" role on their dataverse) clicks the "Publish" button, not the "common" user, the person with the "Contributor" role. I actually just yesterday made a pull request for a feature called "Private URL" that reviewers can click to make this easier (so reviewers don't have to create a Dataverse account): https://github.com/IQSS/dataverse/pull/3111

I hope this helps,

Phil


Ben Companjen

May 24, 2016, 10:51:33 AM
to dataverse...@googlegroups.com

After I read yesterday's email from Sherry Lake, I suddenly understood what Phil had written in this discussion: that there are contributor/curator roles at both the dataverse level and the dataset level – and you can't (easily) see the difference in the permissions view.

It reminded me of the issue that I had raised on the unclear relationship between the Edit Access panel and Users/Groups panel in the dataverse permissions page. I added my "epiphany" as a comment: https://github.com/IQSS/dataverse/issues/2255#issuecomment-221291334

Ben

Durand, Gustavo

May 24, 2016, 10:56:50 AM
to dataverse...@googlegroups.com
One thing to clarify - there is only one contributor role and one curator role. It's just that they can be assigned at either dataverse or dataset level.

Assigning at the dataverse allows that user to be that role for all datasets (and files for that matter, if you want to assign FileDownloader role), existing or newly created, since it's inherited.

The curator role also allows some extra permissions at the dataverse level, mainly add new dataverses and datasets, and view unpublished dataverses.

Gustavo
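
The inheritance rule described above, together with the display rule Phil floated earlier in the thread (hide roles that carry no dataset-level permission), as an added example that is not part of the thread and not Dataverse's own code. Only the three "Creator" mappings and Curator's PublishDataset come from the thread; the other permission sets, the dataset-level split, and the names @userB, @curatorA and dataset-B1 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role -> permissions. The three "Creator" rows and Curator's PublishDataset
# are stated in the thread; every other entry is an assumption for this model.
ROLES = {
    "Dataset Creator": {"AddDataset"},
    "Dataverse Creator": {"AddDataverse"},
    "Dataverse + Dataset Creator": {"AddDataverse", "AddDataset"},
    "Contributor": {"ViewUnpublishedDataset", "EditDataset"},      # assumed
    "Curator": {"AddDataverse", "AddDataset", "EditDataset",       # assumed
                "ViewUnpublishedDataset", "PublishDataset",
                "ManageDatasetPermissions"},
}
# Permissions that can actually be exercised on a dataset (assumed split).
DATASET_LEVEL = {"ViewUnpublishedDataset", "EditDataset",
                 "PublishDataset", "ManageDatasetPermissions"}

@dataclass
class DvObject:
    name: str
    parent: "DvObject | None" = None
    assignments: list = field(default_factory=list)  # (assignee, role) pairs

    def assign(self, assignee, role):
        self.assignments.append((assignee, role))

def inherited_assignments(obj):
    """Every (assignee, role, defined_at) seen from obj, walking up to root.
    This is the unfiltered list the dataset permissions page was showing."""
    rows, node = [], obj
    while node is not None:
        rows += [(a, r, node.name) for a, r in node.assignments]
        node = node.parent
    return rows

def relevant_assignments(dataset):
    """Proposed display rule: keep a row only if its role grants at least
    one permission that applies at the dataset level."""
    return [row for row in inherited_assignments(dataset)
            if ROLES[row[1]] & DATASET_LEVEL]

def effective_permissions(dataset, user, groups=()):
    """Dataset-level permissions a user really holds, direct or inherited."""
    who, perms = {user, *groups}, set()
    for assignee, role, _ in inherited_assignments(dataset):
        if assignee in who:
            perms |= ROLES[role] & DATASET_LEVEL
    return perms

def build_example():
    """Constructed scenario mirroring the thread's root dataverse."""
    root = DvObject("root")
    root.assign(":authenticated-users", "Dataset Creator")
    root.assign("@Udmurt01", "Dataset Creator")
    root.assign("@curatorA", "Curator")            # hypothetical staff account
    b1 = DvObject("dataset-B1", parent=root)
    b1.assign("@userB", "Contributor")             # default role for the creator
    return root, b1

if __name__ == "__main__":
    _, b1 = build_example()
    print("listed today:   ", inherited_assignments(b1))
    print("after filtering:", relevant_assignments(b1))
    for user in ("@Udmurt01", "@userB", "@curatorA"):
        perms = effective_permissions(b1, user, [":authenticated-users"])
        print(user, "->", sorted(perms))
```

For an access review, the filtered list and `effective_permissions` are the views that matter: @Udmurt01 is listed but holds nothing on the dataset, while anyone given Curator at the root can edit and publish every dataset beneath it.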






Philipp UiT

May 30, 2016, 3:15:38 AM
to Dataverse Users Community
Thanks for clarifying this. After testing different user permission settings some weeks ago, I finally understood how it works (I think). I am adding a pdf where I describe how configuration of user permissions works in 4.3. Please notify me if I got things wrong. Best, Philipp

ConfigurationDataversePermissions.pdf

Philip Durbin

May 31, 2016, 9:27:01 AM
to dataverse...@googlegroups.com
Hi Philipp, your PDF makes sense to me and I don't see any inaccuracies. In a previous post* I argued with myself whether what you're saying is a bug (what I called "Too Much Information") could be considered a feature or not. :)

You might want to consider making a pull request against the User Guide where permissions are explained: https://github.com/IQSS/dataverse/blob/develop/doc/sphinx-guides/source/user/dataverse-management.rst#permissions

Phil

* https://groups.google.com/d/msg/dataverse-community/XjodQ6bQjFg/SBpYoX6LCAAJ

p.s. If it's of interest, here is where the Curator role is defined: https://github.com/IQSS/dataverse/blob/v4.3.1/scripts/api/data/role-curator.json . I find it interesting that a Curator gets the PublishDataset permission but not the PublishDataverse permission. Only the "Admin" role gets the PublishDataverse permission, via a special token called "ALL": https://github.com/IQSS/dataverse/blob/v4.3.1/scripts/api/data/role-admin.json
