Unfortunately that’s not possible with resources in the current security model. XNAT doesn’t distinguish between editing a project and editing the stuff secured by the project. The stuff secured by the project is distinct from data in the project that is in turn represented by secured data types.
So. XNAT has secured data types, which have permissions set by XSI type on a per-project/role basis. This means you can ask questions like, “Can a user in the group ProjectId_member edit an instance of xnat:subjectData in project ProjectId?” There are also unsecured data types, where you can’t ask questions like that, so you have to be able to trace instances of those unsecured data types to a parent instance of a secure data type and use that as a proxy.
Resources and image scans (semi-sort-of-mostly) are both unsecured data types, meaning you’ve got to look at the parent object to determine permissions. This makes sense in almost all contexts, because there’s little or no difference between the data object and the resources stored in the archive: the data object is basically just metadata about the stored resources that allows XNAT to manage everything. The problem at the project level is there really is a difference between the data object (the project) and the resources stored in the archive, but XNAT just doesn’t deal with that well.
But here’s a possible fix. One of the things we did to work around this very problem was to add the xnat:abstractProjectAsset data type, which supports secured data types that can be stored under a project but have distinct permissions from the project. We did this originally for the data-set and -collection data types for the ML project, since collections of experiments inherently span multiple other objects and can’t be secured by any data types other than the project or the collection itself. You could implement a project-asset data type for your spreadsheets, which has the disadvantage of being a bigger pain than just uploading resources through the file manager but has the advantage of providing control and tracking of that data.
Rick Herrick
Senior Software Developer
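
Added example, not part of the original message and not XNAT code: a small Python model of the permission lookup described above, where an unsecured object (a resource) is checked through its nearest secured parent. The permission table, the `DataObject` class, the helper names and the `example:spreadsheetAsset` type are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed permission table: (project, group, XSI type) -> allowed actions.
# Only secured data types can have entries here.
PERMISSIONS = {
    ("ProjectId", "ProjectId_owner", "xnat:projectData"): {"read", "edit"},
    ("ProjectId", "ProjectId_member", "xnat:projectData"): {"read"},
    ("ProjectId", "ProjectId_owner", "xnat:subjectData"): {"read", "edit"},
    ("ProjectId", "ProjectId_member", "xnat:subjectData"): {"read", "edit"},
    # Hypothetical project-asset type carrying its own permissions.
    ("ProjectId", "ProjectId_owner", "example:spreadsheetAsset"): {"read", "edit"},
    ("ProjectId", "ProjectId_member", "example:spreadsheetAsset"): {"read", "edit"},
}
SECURED_TYPES = {key[2] for key in PERMISSIONS}


@dataclass
class DataObject:
    xsi_type: str
    project: str
    parent: Optional["DataObject"] = None


def securing_object(obj: DataObject) -> DataObject:
    """Walk up the parents until an instance of a secured data type is found."""
    node = obj
    while node is not None:
        if node.xsi_type in SECURED_TYPES:
            return node
        node = node.parent
    raise LookupError(f"no secured parent for {obj.xsi_type}")


def can(group: str, action: str, obj: DataObject) -> bool:
    """Check the action against the secured proxy; no entry means denied."""
    proxy = securing_object(obj)
    allowed = PERMISSIONS.get((proxy.project, group, proxy.xsi_type), set())
    return action in allowed


# The same unsecured resource type under three different secured parents.
project = DataObject("xnat:projectData", "ProjectId")
subject = DataObject("xnat:subjectData", "ProjectId", parent=project)
asset = DataObject("example:spreadsheetAsset", "ProjectId", parent=project)
project_resource = DataObject("xnat:resourceCatalog", "ProjectId", parent=project)
subject_resource = DataObject("xnat:resourceCatalog", "ProjectId", parent=subject)
asset_resource = DataObject("xnat:resourceCatalog", "ProjectId", parent=asset)
```

In this model a member can edit `subject_resource` and `asset_resource` but not `project_resource`, because the project-level resource resolves to the project itself.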
------ Original Message ------
Date 12/21/2022 5:47:49 PM
Subject [XNAT Discussion] Re: "Owner" privilege required to upload data at project level?