Everything but publishing Role

[joelfan]

Overview of the Feature Request
We would like to have a workflow where all data and metadata is managed by our researchers, while publishing is managed by dedicated people. We would like to have roles where anything (including granting permissions, but not admin ones) on the sub-tree is permitted but publishing. We want curators to publish.

We saw that the contributor role is close to what we want to get, but it cannot completely manage its dataverse collection sub-tree.

What kind of user is the feature intended for?
Curators, Admins.

What inspired the request?
An effective workflow where the publishing is performed after curators' review.

What existing behavior do you want changed?
We would like to have a global role where anything (including granting permissions, but not admin ones) on the sub-tree is permitted but publishing. We want curators to publish.
We tried to define it, but we cannot understand completely dataverse behaviour. See here and here.

Any brand new behavior do you want to add to Dataverse?
None. Just one role.

Any related open or closed issues to this feature request?
None. Just to implement a new workflow.

[scolapasta]

Note that the issue with this is that if a user have the permission to grant roles, then they can give themselves a role that allows them to publish!

[poikilotherm]

This reminds me about my idea here #7252 (comment) to avoid this privilege escalation.

Back in the day it seems like @BPeuch's request was satisfied by the new split of file permissions, but maybe this usecase here demonstrates the need for such an extension?

[joelfan]

I agree with both of you.
The role should be "all but publish" but without enabling the role itself to grant publish capablities (admin or curator).
The privilege escalation should be forbidden.

[meghangoodchild]

Please see also:

• Feature Request/Idea: Added more granularity to roles permissions #9190

And the related thread: https://groups.google.com/g/dataverse-community/c/4VM49qUqMGo/m/_HhjaJtwBAA

[pdurbin]

Related:

• Creating private URL not possible for the role "Contributor" #9938

[DS-INRA]

Is there a dedicated issue to address the priviledge escalation ? I think @poikilotherm idea of a limitation would be great in itself even if it does not exactly solve this specific use case.

[poikilotherm]

The way I see it, this issue is ideal to serve as it. It sounded like it would solve the request by @joelfan. Maybe we can adapt the title a little. WDYT @pdurbin ?

[pdurbin]

Sure, but maybe we should break off into a design doc to make sure we're considering all the important angles. GitHub comments can be a bit scattered and hard to follow. 😅

[joelfan]

Is there any follow-up on this?

As previously stated, we would like to have a role where the granting is limited to the role itself, avoiding what we call "privilege escalation". Some role like a contributor that has the ability to grant to other users but only till the contributor permissions.

[pdurbin]

@joelfan it's good suggestion but not one we're actively thinking about. Permissions are a bit tricky.