OpenCGA
v2.1
Study ACLs

Last updated 3 years ago

Remember that you can always check the Catalog code that implements OpenCGA's ACL permission system in our official, publicly available GitHub repository.

This page lists the permissions that can be granted to a member (user or group) in OpenCGA. With the ACL system, permissions can be assigned at almost any entry level (except for User and Project).

How it works

The basic permissions are explained in the list below:

  • VIEW: Gives read-only access to the entry (study, file, sample...).

  • WRITE: Gives permission to create and update that kind of entry within the study. This does not include permission to modify annotations and/or annotation sets. Those actions need additional permissions.

  • DELETE: Give permission to delete that kind of entries.

  • ANNOTATIONS: In Sample, Individual, Family and Cohort we have three additional permissions to deal with annotations.

Files deserve a special treatment as they not only exist in the database, but also physically in the file system. The special permissions added for files are the following:

  • VIEW_FILE_HEADER: Give permission to retrieve just the header of a file.

  • DOWNLOAD_FILES or DOWNLOAD: Give permission to download the whole file.

  • VIEW_SAMPLES

  • WRITE_SAMPLES (implies: VIEW_SAMPLES)

  • DELETE_SAMPLES (implies: VIEW_SAMPLES, WRITE_SAMPLES)

  • VIEW_SAMPLE_ANNOTATIONS (implies: VIEW_SAMPLES)

  • WRITE_SAMPLE_ANNOTATIONS (implies: VIEW_SAMPLES, VIEW_SAMPLE_ANNOTATIONS)

  • DELETE_SAMPLE_ANNOTATIONS (implies: VIEW_SAMPLES, VIEW_SAMPLE_ANNOTATIONS, WRITE_SAMPLE_ANNOTATIONS)

  • VIEW_AGGREGATED_VARIANTS

  • VIEW_SAMPLE_VARIANTS (implies: VIEW_SAMPLES, VIEW_SAMPLE_ANNOTATIONS, VIEW_AGGREGATED_VARIANTS)

  • VIEW_INDIVIDUALS

  • WRITE_INDIVIDUALS (implies: VIEW_INDIVIDUALS)

  • DELETE_INDIVIDUALS (implies: VIEW_INDIVIDUALS, WRITE_INDIVIDUALS)

  • VIEW_INDIVIDUAL_ANNOTATIONS (implies: VIEW_INDIVIDUALS)

  • WRITE_INDIVIDUAL_ANNOTATIONS (implies: VIEW_INDIVIDUALS, VIEW_INDIVIDUAL_ANNOTATIONS)

  • DELETE_INDIVIDUAL_ANNOTATIONS (implies: VIEW_INDIVIDUALS, VIEW_INDIVIDUAL_ANNOTATIONS, WRITE_INDIVIDUAL_ANNOTATIONS)

  • VIEW_FILES

  • VIEW_FILE_HEADER (implies: VIEW_FILES)

  • VIEW_FILE_CONTENT (implies: VIEW_FILES)

  • WRITE_FILES (implies: VIEW_FILES)

  • DELETE_FILES (implies: VIEW_FILES, WRITE_FILES)

  • DOWNLOAD_FILES (implies: VIEW_FILES)

  • UPLOAD_FILES (implies: WRITE_FILES, VIEW_FILES)

  • VIEW_FILE_ANNOTATIONS (implies: VIEW_FILES)

  • WRITE_FILE_ANNOTATIONS (implies: VIEW_FILE_ANNOTATIONS, VIEW_FILES)

  • DELETE_FILE_ANNOTATIONS (implies: WRITE_FILE_ANNOTATIONS, VIEW_FILE_ANNOTATIONS, VIEW_FILES)

  • EXECUTE_JOBS

  • VIEW_JOBS

  • WRITE_JOBS (implies: VIEW_JOBS)

  • DELETE_JOBS (implies: VIEW_JOBS, WRITE_JOBS)

  • VIEW_FAMILIES

  • WRITE_FAMILIES (implies: VIEW_FAMILIES)

  • DELETE_FAMILIES (implies: VIEW_FAMILIES, WRITE_FAMILIES)

  • VIEW_FAMILY_ANNOTATIONS (implies: VIEW_FAMILIES)

  • WRITE_FAMILY_ANNOTATIONS (implies: VIEW_FAMILIES, VIEW_FAMILY_ANNOTATIONS)

  • DELETE_FAMILY_ANNOTATIONS (implies: VIEW_FAMILIES, VIEW_FAMILY_ANNOTATIONS, WRITE_FAMILY_ANNOTATIONS)

  • VIEW_COHORTS

  • WRITE_COHORTS (implies: VIEW_COHORTS)

  • DELETE_COHORTS (implies: VIEW_COHORTS, WRITE_COHORTS)

  • VIEW_COHORT_ANNOTATIONS (implies: VIEW_COHORTS)

  • WRITE_COHORT_ANNOTATIONS (implies: VIEW_COHORTS, VIEW_COHORT_ANNOTATIONS)

  • DELETE_COHORT_ANNOTATIONS (implies: VIEW_COHORTS, VIEW_COHORT_ANNOTATIONS, WRITE_COHORT_ANNOTATIONS)

  • VIEW_PANELS

  • WRITE_PANELS (implies: VIEW_PANELS)

  • DELETE_PANELS (implies: VIEW_PANELS, WRITE_PANELS)

  • VIEW_CLINICAL_ANALYSIS

  • WRITE_CLINICAL_ANALYSIS (implies: VIEW_CLINICAL_ANALYSIS)

  • DELETE_CLINICAL_ANALYSIS (implies: VIEW_CLINICAL_ANALYSIS, WRITE_CLINICAL_ANALYSIS)

Permissions Templates

OpenCGA Catalog implements two permission templates: predefined generic roles that bundle a defined list of permissions. A permission template can be granted to either users or groups.

  • analyst: The member (user or group) will be given full READ and WRITE (not DELETE) permissions for all the entries related to the study. These users will be able to view and modify all the data related to the study.

  • view_only: The member (user or group) will be given full READ permissions.

Special cases

Permissions can be given on any concrete entity (file, sample, cohort...) to deny or grant access to just that one entry. This always holds except in a few cases, in which the same permissions might be propagated to other entries:

Files

A File entry can be of type file or folder (directory). Permissions assigned to a folder are propagated recursively to all of its children (files and folders).

Individuals/Samples

Individuals are closely related to samples. Every time permissions are given to an individual, the same permissions can be applied to all the related samples if the user sets the 'propagate' field to True, and vice versa.

Give public access to non-existing users

Catalog has one special user for this purpose, represented by the * symbol. Any time a user tries to fetch anything and no session id is provided, Catalog treats that user as *. By default, only authorised users have access to data. However, study managers can still define permissions for non-authenticated users by assigning permissions to the "user" *.
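Because every permission carries the implications listed under "How it works", a grant to * can expose more than the name of the granted permission suggests. The following is an added example, not OpenCGA code: it expands a grant through the file and sample rows of that list and reports what anonymous users effectively receive beyond an allow-list. The ACL mapping shape, the member name analyst_user and the function names are assumptions made for illustration.

```python
# Implication table transcribed from the page's permission list (file and sample rows only).
IMPLIES = {
    "VIEW_FILES": [],
    "VIEW_FILE_HEADER": ["VIEW_FILES"],
    "VIEW_FILE_CONTENT": ["VIEW_FILES"],
    "WRITE_FILES": ["VIEW_FILES"],
    "DOWNLOAD_FILES": ["VIEW_FILES"],
    "UPLOAD_FILES": ["WRITE_FILES", "VIEW_FILES"],
    "VIEW_SAMPLES": [],
    "WRITE_SAMPLES": ["VIEW_SAMPLES"],
    "VIEW_SAMPLE_ANNOTATIONS": ["VIEW_SAMPLES"],
    "VIEW_AGGREGATED_VARIANTS": [],
    "VIEW_SAMPLE_VARIANTS": ["VIEW_SAMPLES", "VIEW_SAMPLE_ANNOTATIONS",
                             "VIEW_AGGREGATED_VARIANTS"],
}
ANONYMOUS = "*"  # member Catalog uses when a request carries no session id


def effective(granted):
    """Expand granted permissions into everything they imply (transitive closure)."""
    seen, stack = set(), list(granted)
    while stack:
        perm = stack.pop()
        if perm not in IMPLIES:
            raise ValueError(f"unknown permission: {perm}")
        if perm not in seen:
            seen.add(perm)
            stack.extend(IMPLIES[perm])
    return seen


def audit_public_access(study_acl, allowed_for_anonymous):
    """Return what '*' effectively holds beyond the allow-list, sorted.

    study_acl is a hypothetical {member: [permissions]} mapping, not the
    REST response format.
    """
    exposed = effective(study_acl.get(ANONYMOUS, []))
    return sorted(exposed - effective(allowed_for_anonymous))


# Constructed sample: the study manager meant to publish aggregate data only.
SAMPLE_ACL = {
    "analyst_user": ["WRITE_SAMPLES", "UPLOAD_FILES"],
    "*": ["VIEW_SAMPLE_VARIANTS", "VIEW_FILE_HEADER"],
}

if __name__ == "__main__":
    for perm in audit_public_access(SAMPLE_ACL, ["VIEW_AGGREGATED_VARIANTS"]):
        print("anonymous users also receive:", perm)
```

In the constructed sample, granting VIEW_SAMPLE_VARIANTS to * also opens sample records and their annotations to unauthenticated requests, which an aggregate-only policy would not allow.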
