rights-problem when granting access to 2 authority records at the same time


Raphael Unterweger

Feb 24, 2022, 8:43:19 AM
to AtoM Users
Hi AtoM Community, hi Dan, 

Sorry, here I am again.

We encountered another strange problem ... if we grant a user all information object rights of one authority, everything works fine; then, if we grant that same user all information object rights to a second authority, this user can't view any information object of both authorities. If we then remove the 'view drafts' grant for this user on the second authority (not the first), he can again see all information objects, but cannot edit any of them. There is also no error logging happening. AtoM just says that the user has no access rights.

And without logs, searching for an error is quite difficult.

This is not an urgent problem; we have a workaround. This situation works when using roles or when applying the right via the information object directly, rather than via the authority. But it would be easier for us to handle the rights that way ...

Thanks and many greets

Dan Gillean

Feb 28, 2022, 10:13:03 AM
to ICA-AtoM Users
Hi Raphael, 

Sorry for the delay. I will do some testing and see if I can reproduce this issue, but I will start by saying that unfortunately there are a number of known issues with AtoM's permissions module, and this may be one of them. 

There's a lot that could be said here, but much of it has been said before. The short version is: AtoM's permissions module was first added over a decade ago (when the application's primary use case was small to medium archives, with simpler permissions needs), and unfortunately, while AtoM's user base has grown exponentially and the ways in which the community attempts to use it have multiplied, the permissions module has not received any significant overhaul. Consequently, there are many known performance and scalability issues, as well as a number of bugs that are difficult to change without performing a full rewrite. We'd like to do this, but it's a major piece of work - meaning that for Artefactual to take it on, we'd need community support, either in the form of community code contributions or development sponsorship. So far no one has been willing to fund the level of work necessary to truly address these issues.

For a longer response on some of the known issues with the permissions module, see some of our previous responses on this topic in the forum, such as:

In the meantime, can you please clarify what you mean when you say "authority" so this is not confused with AtoM's concept of an authority record (i.e. an ISAAR-CPF record of an actor)? There is currently no method in AtoM to set information object permissions by authority record, so if I am going to attempt to reproduce the issue you describe I want to ensure that I fully understand what you've done.

In AtoM's terminology, do you mean an Archival Institution - i.e. a repository record, to which information objects (archival descriptions) can be linked? You can configure user permissions in AtoM for all information objects, for a specific archival unit, or per archival institution (meaning all descriptions linked to that repository). Thanks in advance for the clarification!

There is at least one known issue with per-institution permissions that already has a ticket, and which may be related. See: 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
he / him
