Permissions explained

1

The Collaboratory embeds a powerful and easy to use access management system. This document presents an overview of how it works. For a more detailed explanation, read up on [[authentication and authorisation in the collaboratory>>doc:Collabs.the-collaboratory.Tips to users.Architecture.Permissions.Authentication & Authorisation using OIDC.WebHome]].

2

= Definitions =

== User ==

A user is an individual, it is the digital identity of an existing human being.

10

11

Users are stored in KeyCloak as users (same terminology): [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#user-management>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#user-management]]

== Unit ==

Units represent divisions and sub-divisions of an existing institution. For the Human Brain Project, it is used to represent the project structure: [[https:~~/~~/www.humanbrainproject.eu/en/about/project-structure/>>url:https://www.humanbrainproject.eu/en/about/project-structure/]]

16

17

Units are hierarchical. They are represented as a tree structure, therefore they can:

18

19

* have 0 or 1 parent unit

20

* contain 0 to n users

21

* contain 0 to n units

22

23

The relations between units are meant to be rigid (they should not change a lot).

24

25

Units are managed outside of the Collaboratory, by administrators of the institutions. For the Human Brain Project, units will be managed through PLUS (not yet implemented).

26

27

Units are stored in KeyCloak as groups (different terminology): [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#groups>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#groups]]

28

29

Follow [[here for more details about units and accreditation>>doc:Collabs.the-collaboratory.Tips to users.Architecture.Permissions.Authentication & Authorisation using OIDC.WebHome||anchor="HUnits%3AtheOrganistationalStructure"]].

== Roles ==

Collabs have 3 roles: viewer, editor, admin.

34

35

Each role is bound to local permissions in applications that form a collab (for example the wiki or the drive).

Usually:

* viewer can access the collab linked data in the application in read-only mode

40

* editor can modify the collab linked data in the application

41

* admin can edit the settings of the collab in the application

42

43

Collab roles are stored in KeyCloak as client roles in a specific client: [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#client-roles>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#client-roles]]

44

45

(% class="wikigeneratedid" %)

46

== Permissions ==

47

48

You can found here some documentations about permissions in our system based on keycloak roles and groups

49

50

[[https:~~/~~/gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/iam/permissions>>https://gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/iam/permissions]]

51

52

[[https:~~/~~/gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/analysis/permission>>https://gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/analysis/permission]]

== Team ==

A Collab team is the definition of which users and units can access the Collab with specific roles.

57

58

Each Collab role can be given to:

* 0 to n users

* 0 to n units

Teams are stored in KeyCloak through linking client roles to users, groups and composite roles: [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#roles>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#roles]]

= Requirements =

== Secure ==

Any piece of information or data that is protected for access should be done so in a secure manner.

== Auditable ==

The level of access of a given user for a given resource has to be auditable: at least administrators of the system must be able to verify the access and determine how this access level is granted.

== Flexible ==

The access management system has to be flexible enough to fulfill users use cases.

== Manageable ==

Users must be able to modify the level of access other users have on their resources in a simple way.

== Trustworthy ==

Users need to trust the access management system before they store any private piece of information. The access management system needs to be easy enough to understand for users to trust it.

== Extensible ==

External services must be able to leverage the Collaboratory access management system to reduce engineering costs.

author	version	line-number	content
		1	The Collaboratory embeds a powerful and easy to use access management system. This document presents an overview of how it works. For a more detailed explanation, read up on [[authentication and authorisation in the collaboratory>>doc:Collabs.the-collaboratory.Tips to users.Architecture.Permissions.Authentication & Authorisation using OIDC.WebHome]].
		2
		3	{{toc numbered="true"/}}
		4
		5	= Definitions =
		6
		7	== User ==
		8
		9	A user is an individual, it is the digital identity of an existing human being.
		10
		11	Users are stored in KeyCloak as users (same terminology): [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#user-management>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#user-management]]
		12
		13	== Unit ==
		14
		15	Units represent divisions and sub-divisions of an existing institution. For the Human Brain Project, it is used to represent the project structure: [[https:~~/~~/www.humanbrainproject.eu/en/about/project-structure/>>url:https://www.humanbrainproject.eu/en/about/project-structure/]]
		16
		17	Units are hierarchical. They are represented as a tree structure, therefore they can:
		18
		19	* have 0 or 1 parent unit
		20	* contain 0 to n users
		21	* contain 0 to n units
		22
		23	The relations between units are meant to be rigid (they should not change a lot).
		24
		25	Units are managed outside of the Collaboratory, by administrators of the institutions. For the Human Brain Project, units will be managed through PLUS (not yet implemented).
		26
		27	Units are stored in KeyCloak as groups (different terminology): [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#groups>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#groups]]
		28
		29	Follow [[here for more details about units and accreditation>>doc:Collabs.the-collaboratory.Tips to users.Architecture.Permissions.Authentication & Authorisation using OIDC.WebHome\|\|anchor="HUnits%3AtheOrganistationalStructure"]].
		30
		31	== Roles ==
		32
		33	Collabs have 3 roles: viewer, editor, admin.
		34
		35	Each role is bound to local permissions in applications that form a collab (for example the wiki or the drive).
		36
		37	Usually:
		38
		39	* viewer can access the collab linked data in the application in read-only mode
		40	* editor can modify the collab linked data in the application
		41	* admin can edit the settings of the collab in the application
		42
		43	Collab roles are stored in KeyCloak as client roles in a specific client: [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#client-roles>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#client-roles]]
		44
		45	(% class="wikigeneratedid" %)
		46	== Permissions ==
		47
		48	You can found here some documentations about permissions in our system based on keycloak roles and groups
		49
		50	[[https:~~/~~/gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/iam/permissions>>https://gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/iam/permissions]]
		51
		52	[[https:~~/~~/gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/analysis/permission>>https://gitlab.humanbrainproject.org/HumanBrainProject/xwiki-distribution-collaboratory/-/wikis/analysis/permission]]
		53
		54	== Team ==
		55
		56	A Collab team is the definition of which users and units can access the Collab with specific roles.
		57
		58	Each Collab role can be given to:
		59
		60	* 0 to n users
		61	* 0 to n units
		62
		63	Teams are stored in KeyCloak through linking client roles to users, groups and composite roles: [[https:~~/~~/www.keycloak.org/docs/latest/server_admin/index.html#roles>>url:https://www.keycloak.org/docs/latest/server_admin/index.html#roles]]
		64
		65	= Requirements =
		66
		67	== Secure ==
		68
		69	Any piece of information or data that is protected for access should be done so in a secure manner.
		70
		71	== Auditable ==
		72
		73	The level of access of a given user for a given resource has to be auditable: at least administrators of the system must be able to verify the access and determine how this access level is granted.
		74
		75	== Flexible ==
		76
		77	The access management system has to be flexible enough to fulfill users use cases.
		78
		79	== Manageable ==
		80
		81	Users must be able to modify the level of access other users have on their resources in a simple way.
		82
		83	== Trustworthy ==
		84
		85	Users need to trust the access management system before they store any private piece of information. The access management system needs to be easy enough to understand for users to trust it.
		86
		87	== Extensible ==
		88
		89	External services must be able to leverage the Collaboratory access management system to reduce engineering costs.

Wiki source code of Permissions explained

The Collaboratory