
Read restricted Configuration

Richard D Boyce, PhD edited this page Dec 5, 2023 · 4 revisions

By default, WebAPI assumes all users are granted read access to entities. Write permission is granted to the entity creator, and the creator can also assign it to other users.

As of 2.14, there is an optional enhancement that allows read permission to be restricted so that only users with read access to a given artifact can view it. More information and discussion of this enhancement can be found in issues 2222 and 2300 and pull request 2301.

Here are instructions for organizations that would like to enable this enhancement:

Preparation:

  • For organizations with an existing Atlas/WebAPI installation, do not make this change without careful consideration. If your organization decides to proceed, you should inform users well in advance that you are planning to enable this change and that it will have the following effects on their workflow:
    • An admin will have to remove all roles from a user except their user role, any roles that give them access to the CDM sources, and an assigned role called 'read restricted Atlas users' that removes global read access while still granting permission to view the listings returned by (see pull request 2316).
      • Users with the role will only see artifacts they have explicit READ access to in the listings returned by the concept sets, cohort definitions, characterizations, cohort pathways, incidence rates, and prediction tabs.
      • If user 1 shares a link to an artifact that they created with user 2, who has the role, user 2 will not be able to see that artifact unless user 1 or an admin has granted them READ access to it.
      • If user 1 with the role had created an artifact with id 'x' prior to the configuration change that enabled read restriction, user 1 might not be able to access the artifact until an admin grants them access specifically to the artifact.
    • Users with the role may give other users READ access to artifacts that they own and have WRITE access to using the grant permission feature in Atlas (the lock icon that appears when a user opens a given artifact).
      • Note: The organization may not want users to have this ability. If so, the organization may shut this feature off in Atlas config-local.js by adding the line configLocal.enablePermissionManagement = false;.

WebAPI configuration:

  • In your WebAPIConfig/settings.xml, add the config <security.defaultGlobalReadPermissions>false</security.defaultGlobalReadPermissions>

Atlas configuration (optional):

  • If you want Atlas to hide the 'lock' icon so that the user cannot edit READ and WRITE permissions when viewing concept sets, cohort definitions, and other artifacts:
    • In js/config-local.js, add configLocal.enablePermissionManagement and set this equal to false
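
A check an admin can run after making the two configuration changes above, confirming which profiles actually carry the read-restriction setting and whether the Atlas flag is set in live (uncommented) code. This is an added example, not code from WebAPI or Atlas. It assumes settings.xml is a Maven settings file with <profile>/<properties> blocks; the profile ids, sample file contents and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PROP = "security.defaultGlobalReadPermissions"  # property name from this page
FLAG = re.compile(r"configLocal\.enablePermissionManagement\s*=\s*(true|false)\b")

# Constructed sample inputs (profile ids are made up for illustration).
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile><id>webapi-prod</id><properties>
      <security.defaultGlobalReadPermissions>false</security.defaultGlobalReadPermissions>
    </properties></profile>
    <profile><id>webapi-test</id><properties/></profile>
  </profiles>
</settings>"""
SAMPLE_CONFIG_LOCAL = """define([], function () {
  var configLocal = {};
  // configLocal.enablePermissionManagement = true;
  configLocal.enablePermissionManagement = false;
  return configLocal;
});"""

def local(tag):
    """Drop an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def read_restriction_by_profile(settings_xml):
    """Map each profile id to True when that profile restricts read access."""
    result = {}
    for profile in ET.fromstring(settings_xml).iter():
        if local(profile.tag) != "profile":
            continue
        pid, value = "(no id)", None
        for child in profile:
            if local(child.tag) == "id":
                pid = (child.text or "").strip()
            elif local(child.tag) == "properties":
                for prop in child:
                    if local(prop.tag) == PROP:
                        value = (prop.text or "").strip()
        # Absent property = default global read; only the literal "false" counts.
        result[pid] = value == "false"
    return result

def permission_ui_disabled(config_local_js):
    """True when the last uncommented assignment sets the flag to false."""
    values = [m.group(1) for line in config_local_js.splitlines()
              if not line.lstrip().startswith("//") for m in FLAG.finditer(line)]
    return bool(values) and values[-1] == "false"

if __name__ == "__main__":
    print(read_restriction_by_profile(SAMPLE_SETTINGS))
    print(permission_ui_disabled(SAMPLE_CONFIG_LOCAL))
```

A profile reported as False still gives every user global read access, so check the profile that the deployed build actually uses. Assignments inside /* */ block comments are not detected as commented out.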