Dealing with access at more granular levels

[NCIEVS]

Derived from the utilization of Def_Curator and Special_Review.
Increased granularity in access control

• mark properties as restricted, editable only by specific users
• mark concepts as restricted, editable only by specific users
• mark branches as restricted, editable only by specific users

For now, mark definitions with a DONOTTOUCH source replacing Special_Review

See the wiki

[bdionne]

see WIKI for details

[singhik]

@NCIEVS @bdionne ::
Can you please provide Steps to Reproduce on this issue in terms of what level of granular access has been restricted and for which operations ? Is it role specific or user specific ?

[bdionne]

The idea here is to use one annotation property to restrict another. The software assumes a property called restricted_by, whose value is the IRI of another property. In this case we add restricted_by to DEFINITION and it's value is definition_curator. Don't confuse this with Def_Curator which mat be there for legacy purposes, but should probably be cleaned out at some point.

definition_curator has a range of definition_curator_enum and definition_curator_enum has a value that is a set of names, in this case cancer_curators and drug_curators. Each of these is an enum whose value will be specific users.

To restrict editing of DEFINITION on a specific class, add the definition_curator property to the class, selecting as value for it the desired enum.

The screenshots below show how this was done for SmallBase

[singhik]

@bdionne @NCIEVS :: Hi , Restriction works for non-allowed users to not Add/Edit 'DEFINITION' Complex property but for the list of allowed users, addition/edition of 'DEFINITION' only works when the User Name is specified as complete name (Itendra Singh) but not when userid is specified (singhik) under 'DataType definitions', can you please confirm if this is expected ? Below screen print shows the details ::

When userid (singhik) is added as part of restriction group, DEFINITION add/edit is not allowed ::

When complete Name (Itendra Singh) is added as part of restriction group, then DEFINITION add/edit is allowed ::

[bdionne]

nice catch, @singhik - this is just a bug - and fixed - I just finished merging another bug fix for #366 - let me check with @NCIEVS tomorrow about pushing another edit tab plugin, maybe we'll throw that in also, or just tease this out separately as a separate commit otherwise

[NCIEVS]

@bdionne, we can talk about it today, but it seems to me this one is safe and can be pushed anytime.

[bdionne]

This is now fixed in 0.8.1

[singhik]

@bdionne : Hi Bob, Thanks, User id (singhik) now works as the list of allowed users to Add/Edit DEFINITION .

For restricted users, ADD and EDIT of DEFINITION is not allowed, however DELETE of DEFINITION is allowed for restricted users, need to confirm if DELETE is part of allowed operation for restricted users ?

[bdionne]

Delete should be restricted also, I just pushed a fix for that case.

[singhik]

QA has verified Edition,Deletion,Addition of DEFINITION complex property as NOT allowed for 'restricted users'.
QA has verified Edition,Deletion,Addition of DEFINITION complex property as allowed for 'non-restricted users' with userid .

Attached doc with screen prints ....
Issue 207.docx

[bdionne]

this is done? closing it, please reopen if not