Everything but publishing Role #9358
Comments
Note that the issue with this is that if a user has the permission to grant roles, then they can give themselves a role that allows them to publish!
This reminds me about my idea here #7252 (comment) to avoid this privilege escalation. Back in the day it seems like @BPeuch's request was satisfied by the new split of file permissions, but maybe this use case here demonstrates the need for such an extension?
I agree with both of you.
Please see also: And the related thread: https://groups.google.com/g/dataverse-community/c/4VM49qUqMGo/m/_HhjaJtwBAA
Is there a dedicated issue to address the privilege escalation? I think @poikilotherm's idea of a limitation would be great in itself, even if it does not exactly solve this specific use case.
Sure, but maybe we should break off into a design doc to make sure we're considering all the important angles. GitHub comments can be a bit scattered and hard to follow. 😅
Is there any follow-up on this? As previously stated, we would like to have a role where the granting is limited to the role itself, avoiding what we call "privilege escalation". Some role like a contributor that has the ability to grant to other users, but only up to the contributor permissions.
@joelfan it's a good suggestion but not one we're actively thinking about. Permissions are a bit tricky.
Overview of the Feature Request
We would like to have a workflow where all data and metadata is managed by our researchers, while publishing is managed by dedicated people. We would like to have roles where anything (including granting permissions, but not admin ones) on the sub-tree is permitted but publishing. We want curators to publish.
We saw that the contributor role is close to what we want to get, but it cannot completely manage its dataverse collection sub-tree.
What kind of user is the feature intended for?
Curators, Admins.
What inspired the request?
An effective workflow where the publishing is performed after curators' review.
What existing behavior do you want changed?
We would like to have a global role where anything (including granting permissions, but not admin ones) on the sub-tree is permitted but publishing. We want curators to publish.
We tried to define it, but we cannot completely understand Dataverse behaviour. See here and here.
Any brand new behavior do you want to add to Dataverse?
None. Just one role.
Any related open or closed issues to this feature request?
None. Just to implement a new workflow.
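The escalation raised in the first comment, and the bounded-grant mitigation proposed later in the thread, as an added example written for this page (it is not Dataverse code and does not use its API). Roles are modelled as sets of permission strings; the permission and role names are illustrative approximations chosen for the example, not identifiers taken from the Dataverse source. `grant()` shows the two policies side by side: unbounded, where holding the manage-permissions right lets a user assign themselves a publishing role, and bounded, where a grantor may only assign a role whose permissions are a subset of the grantor's own effective permissions on that collection.

```python
"""Model of 'grant yourself a publishing role' and the subset-bounded grant check.

Added example for this thread, not Dataverse's implementation. Permission and
role names below are assumptions modelled loosely on Dataverse's vocabulary.
"""
from dataclasses import dataclass, field

# Illustrative permission identifiers (assumed names).
PUBLISH_DATASET = "PublishDataset"
EDIT_DATASET = "EditDataset"
ADD_DATASET = "AddDataset"
VIEW_UNPUBLISHED = "ViewUnpublishedDataset"
MANAGE_PERMISSIONS = "ManageDataversePermissions"

# Illustrative roles: the requested "everything but publishing" role and a curator.
ROLES: dict[str, frozenset[str]] = {
    "curator": frozenset({ADD_DATASET, EDIT_DATASET, VIEW_UNPUBLISHED,
                          MANAGE_PERMISSIONS, PUBLISH_DATASET}),
    "everything-but-publish": frozenset({ADD_DATASET, EDIT_DATASET,
                                         VIEW_UNPUBLISHED, MANAGE_PERMISSIONS}),
}


class EscalationError(Exception):
    """Raised when a grant would hand out a permission the grantor lacks."""


@dataclass
class Collection:
    """A single collection with role assignments: user -> set of role names."""
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def permissions_of(self, user: str) -> frozenset[str]:
        """Effective permissions = union of all roles the user holds here."""
        perms: set[str] = set()
        for role in self.assignments.get(user, ()):
            perms |= ROLES[role]
        return frozenset(perms)

    def grant(self, grantor: str, grantee: str, role: str, *, bounded: bool = False) -> None:
        """Assign `role` to `grantee` on behalf of `grantor`.

        bounded=False: any holder of MANAGE_PERMISSIONS may assign any role
                       (the escalation path described in the thread).
        bounded=True:  additionally require ROLES[role] <= grantor's permissions,
                       so a grant can never confer more than the grantor has.
        """
        grantor_perms = self.permissions_of(grantor)
        if MANAGE_PERMISSIONS not in grantor_perms:
            raise PermissionError(f"{grantor} may not manage permissions here")
        if bounded and not ROLES[role] <= grantor_perms:
            missing = sorted(ROLES[role] - grantor_perms)
            raise EscalationError(f"{grantor} cannot grant {role}: lacks {missing}")
        self.assignments.setdefault(grantee, set()).add(role)


def unbounded_escalation() -> bool:
    """Alice holds everything-but-publish and grants herself curator: she can now publish."""
    c = Collection({"alice": {"everything-but-publish"}})
    c.grant("alice", "alice", "curator")
    return PUBLISH_DATASET in c.permissions_of("alice")


def bounded_blocks_escalation() -> bool:
    """Same attempt under the bounded rule is refused and her permissions are unchanged."""
    c = Collection({"alice": {"everything-but-publish"}})
    try:
        c.grant("alice", "alice", "curator", bounded=True)
    except EscalationError:
        return PUBLISH_DATASET not in c.permissions_of("alice")
    return False


def bounded_allows_delegating_own_role() -> bool:
    """The bounded rule still lets Alice give Bob the role she herself holds."""
    c = Collection({"alice": {"everything-but-publish"}})
    c.grant("alice", "bob", "everything-but-publish", bounded=True)
    return c.permissions_of("bob") == ROLES["everything-but-publish"]


def grant_requires_manage_permission() -> bool:
    """A user with no management right cannot grant anything, bounded or not."""
    c = Collection({"carol": set()})
    try:
        c.grant("carol", "carol", "everything-but-publish", bounded=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("unbounded escalation succeeds:", unbounded_escalation())
    print("bounded grant blocks it:", bounded_blocks_escalation())
    print("bounded grant still delegates own role:", bounded_allows_delegating_own_role())
```

Two caveats a practitioner would want before relying on a check like this. The subset comparison must use the grantor's effective permissions on the target object, including anything inherited from parent collections, or a grantor could be refused a role they already effectively hold. And the check only runs at grant time: if role definitions can later be edited to add a publishing permission, the bound is bypassed through the role rather than through the grant, so role editing needs the same constraint.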