Task #1783 (closed)
Permissions : Sensible default permissions for initial groups
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | minor | Milestone: | OMERO-Beta4.2 |
Component: | Security | Version: | 4.1 |
Keywords: | n.a. | Cc: | atarkowska, jburel |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2010-03-19 (5) |
Description
This ticket is a part of #1434.
Previously, all groups created via bin/omero db script were created with permissions -35 (rwr---). However, system and user should be -103 (rw----). What about "user" and "guest" (if it remains)?
ola 11:06 Josh: I wiped the db and script generated for me groups where (rwr-r-)
ola 11:07 is this correct status?
josh moore 11:08 Ola: hmm...... i might not have modified data.vm to create private groups. what do you think should happen?
ola 11:09 I don't know any reason why predefined groups should be public
ola 11:09 if security sys. required that is fine, but if not I would vote after rw----
09:42 otherwise all data imported by admin is public
josh moore 11:09 ola: definitely not required. Just a question of user expectation.
09:59 system should be rw----, yes.
10:04 agree. I was thinking more about "CHANGE_ME"
ola 11:10 we might think about guest having rwr-r-
josh moore 11:10 guest will never be able to import, so it's not really critical. in fact, guest may no longer need a group. i'll have to think about it.
ola 11:12 guest - fair enough. If there is flag in vm what defines then I would reduce to rw---- and if people need they can change configuration
Change History (10)
comment:1 Changed 14 years ago by jmoore
comment:2 Changed 14 years ago by jmoore
- Sprint set to Sprint 2
comment:3 Changed 14 years ago by jmoore
- Sprint 2010-02-19 (3) deleted
comment:4 Changed 14 years ago by jmoore
comment:5 Changed 14 years ago by jmoore
- Sprint set to 2010-03-19 (5)
comment:6 Changed 14 years ago by jmoore
- Remaining Time set to 0.1
comment:7 Changed 14 years ago by jmoore
- Status changed from new to assigned
comment:8 Changed 14 years ago by jmoore
As a part of #1794, it was decided that the "user" group would be initially used as the "common pot" of objects which are globally visible. Therefore, the default group permissions are:
- system: private, so administrators' work is not seen
- user: public, since there is special handling to make it public anyway
- guest: private, so that it doesn't show up on lists of "public" data where someone might want to log in.
comment:9 Changed 14 years ago by jmoore
- Remaining Time changed from 0.1 to 0
- Resolution set to fixed
- Status changed from assigned to closed
Note: this is also related to #1784. For scripting, original files must be visible (in the current implementation).
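Added example (not part of the ticket and not OMERO code): a decoder for the numeric permission values quoted in the description, plus a check of the initial groups against the defaults listed in comment:8. The bit layout (READ=4, WRITE=2, shifted by 8/4/0 for user/group/world) is an assumption based on OMERO's Permissions model; the function names and the `BEFORE`/`AFTER` group values are constructed for illustration.

```python
# Assumed layout: a right is granted when its bit is set in the signed long.
READ, WRITE = 4, 2
SHIFTS = (8, 4, 0)  # user, group, world

def decode(perm: int) -> str:
    """Render a permission long as a six-character string such as 'rw----'."""
    out = []
    for shift in SHIFTS:
        out.append("r" if perm & (READ << shift) else "-")
        out.append("w" if perm & (WRITE << shift) else "-")
    return "".join(out)

def encode(text: str) -> int:
    """Inverse of decode: start from all bits set (-1) and clear denied rights."""
    if len(text) != 6:
        raise ValueError("expected six characters, e.g. 'rw----'")
    perm = -1
    for i, shift in enumerate(SHIFTS):
        r, w = text[2 * i], text[2 * i + 1]
        if r not in "r-" or w not in "w-":
            raise ValueError(f"bad permission string: {text!r}")
        if r == "-":
            perm &= ~(READ << shift)
        if w == "-":
            perm &= ~(WRITE << shift)
    return perm

def visibility(perm: int) -> str:
    s = decode(perm)
    if s[4] == "r":
        return "public"          # world-readable
    if s[2] == "r":
        return "group-readable"
    return "private"

# Defaults from comment:8: system and guest private, user public.
EXPECTED = {"system": "private", "user": "public", "guest": "private"}

def audit(groups: dict) -> list:
    """Return (name, decoded, visibility) for groups that differ from EXPECTED."""
    return [(name, decode(perm), visibility(perm))
            for name, perm in groups.items()
            if name in EXPECTED and visibility(perm) != EXPECTED[name]]

# Constructed samples: every group created with -35, then the corrected set.
BEFORE = {"system": -35, "user": -35, "guest": -35}
AFTER = {"system": -103, "user": -35, "guest": -103}

if __name__ == "__main__":
    for name, text, vis in audit(BEFORE):
        print(f"{name}: {text} is {vis}, expected {EXPECTED[name]}")
```

Under the assumed layout, -35 decodes to the string reported in the chat (rwr-r-) and -103 to rw----.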