Groups and roles
To understand the security context of MOLGENIS you need to understand the following concepts.
Group
A number of people that work together.
User
A person who can log in to MOLGENIS.
Roles
A role is a job function within the context of a group with certain permissions on resources. Examples of roles are:
- Managers
- Editors
- Viewers
Resource
Resources can be tables or folders.
Plugin
Plugins are specific modules within MOLGENIS that offer certain functionality, for example the Data Explorer.
Overview
Perform the following steps to configure groups in MOLGENIS.
Step 1: Add a group
When you create a new root package, e.g. using the importer, a group will automatically be created for the package. You can manually add groups to MOLGENIS to structure user groups and data you want to share or manage. Every group gets a root package to put resources in.
Step 2: Add members
When you have defined your group, you can add members to the group. Admins can also add new users; for more information, see the user management guide.
Step 3: Add members to groups
You can now determine who does what in your group. There are standard roles that you can use to enable members to edit, view or manage your group content. The available roles are:
Manager
Can manage members from a group and all resources in a group (tables, scripts and files)
Editor
Can edit all resources in a group (folders, tables)
Viewer
Can view all resources in a group (folders, tables)
When you have set up this basic configuration, you can start using MOLGENIS.
Adding groups
note: you need to be superuser to add groups
You can add groups in MOLGENIS by navigating to Admin --> Security Manager.
Click on the Add group-button.
Fill out the necessary field and click on Create.
When you've added the group, a folder is created and the default roles are created for that group. The user who creates the group becomes manager of the group.
Deleting groups
You can delete a group by clicking on it to see its details, and then using the delete button (recycle bin icon). When a group is deleted, the package, the group-specific roles and the group memberships are deleted as well.
Adding members to a group
note: you need to be superuser or group manager to add members to a group
You can add members to groups via the Security Manager. Navigate to Admin --> Security Manager. Click on a group.
Click on Add member.
Select a member from the User-pulldown and specify the role, for example: Editor. Click on Add member.
When a member is added to a group, permissions are set according to the role the member has been given. The default permissions for these roles are as follows:
Manager:
- You can manage the memberships in the group
- You get access to the following plugins:
  - Import Data
  - Advanced importer
  - One click importer
  - Navigator
  - Data Explorer
  - Plugins
  - Search all
  - Job overview
  - Import Data
Editor:
- You can edit data in the group
- You get access to the following plugins:
  - Import Data
  - Advanced importer
  - Navigator
  - Data Explorer
  - Plugins
  - Search all
  - Job overview
  - Questionnaires
  - Import Data
Viewer:
- You can view data in the group
- You get access to the following plugins:
  - Navigator
  - Data Explorer
  - Plugins
  - Search all
You can switch between roles whenever you want by updating the role of the member. Click on a member ("test" in this example).
Click on "Edit" to update the role and click on "Update role".
You can now view the members of the group and see that the "test" member has a Manager-role.
You can also remove a member from a group. Click on a member ("test" in this example) and click on "Remove from group".
Roles and inclusion
MOLGENIS comes with three default roles out of the box: Manager, Editor and Viewer. When you add a Group, the three group roles that are added actually include (or inherit) these default roles. That's how you get all those permissions on plugins listed above automatically.
The default roles include each other as well. The Editor can see and do everything a Viewer can, and some more. The Manager can see and do everything the Editor can, and some more. System admins can change the permissions of these roles, so that certain plugins and functionality can be turned on or off across the system for all groups. Some examples:
- As the admin, you don't want any user to use the Search All plugin. You achieve this by removing the Search All plugin permission from the VIEWER role.
- As the admin, you only want Managers and Editors to use the Navigator. You achieve this by removing the Navigator plugin permission from the VIEWER role, and giving the EDITOR role VIEW permission to the Navigator plugin.
For more information on how to give permissions to roles, read up on the Permission Manager.
The group roles include each other as well, in the same manner as the default roles. Your group's Manager can see and do everything your group's Editor can, etc. See the following schematic for an overview of how all the roles connect for a group that has been aptly named 'test':
The group roles do not contain any permissions when you first create them; they only include the default roles. However, just like with any other role, you can still add permissions to them. This setup gives you fine-grained control, especially when your MOLGENIS hosts multiple groups. Some examples:
- You want all the users in your group to see a special plugin that's not relevant for other groups. You achieve this by giving the TEST_VIEWER role VIEW permission on that plugin.
- You don't want all Editors in the system to see the Job Overview plugin. You achieve this by removing that plugin permission from the default Editor role and adding it to your group's Editor role. Now both the Editors and Managers in your group can use it, but from now on any new group that's added won't have this permission by default.
Even though you'll find that the default settings are sufficient most of the time, you have complete control over all the roles and permissions in the system if you ever wish to change something.
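The inclusion rules above decide which roles end up with a permission after you change one, so it helps to check the effective result before editing a default role. The following is an added example, not MOLGENIS code: a small Python model of the roles for the group 'test' that lists every role reaching a plugin after a set of changes. The role names MANAGER, TEST_EDITOR and TEST_MANAGER and the function names are assumptions, and the plugin grants are a simplified subset of the defaults listed earlier.

```python
# Illustrative model of role inclusion; not MOLGENIS code. Role names other
# than VIEWER, EDITOR and TEST_VIEWER are assumed from the page's naming pattern.

def build_defaults():
    """Default roles plus the roles of a group named 'test'."""
    includes = {
        "VIEWER": set(),
        "EDITOR": {"VIEWER"},
        "MANAGER": {"EDITOR"},
        # Each group role includes its default role and the group role below it.
        "TEST_VIEWER": {"VIEWER"},
        "TEST_EDITOR": {"EDITOR", "TEST_VIEWER"},
        "TEST_MANAGER": {"MANAGER", "TEST_EDITOR"},
    }
    grants = {role: set() for role in includes}  # group roles start empty
    # Simplified subset of the default plugin permissions listed on the page.
    grants["VIEWER"] = {"Navigator", "Data Explorer", "Search all"}
    grants["EDITOR"] = {"Import Data", "Advanced importer", "Job overview"}
    grants["MANAGER"] = {"One click importer"}
    return includes, grants

def effective(role, includes, grants):
    """Plugins a role can use: its own grants plus those of every included role."""
    seen, stack, plugins = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:  # guards against an accidental inclusion cycle
            continue
        seen.add(current)
        plugins |= grants[current]
        stack.extend(includes[current])
    return plugins

def audit_after(changes, plugin):
    """Apply (action, role, plugin) changes, then list every role reaching `plugin`."""
    includes, grants = build_defaults()
    for action, role, name in changes:
        if action == "grant":
            grants[role].add(name)
        elif action == "revoke":
            grants[role].discard(name)
        else:
            raise ValueError(f"unknown action: {action}")
    return sorted(r for r in includes if plugin in effective(r, includes, grants))

if __name__ == "__main__":
    # Job Overview moved from the default Editor role to the group's Editor role.
    print(audit_after([("revoke", "EDITOR", "Job overview"),
                       ("grant", "TEST_EDITOR", "Job overview")], "Job overview"))
```

Because inclusion flows upward, a permission granted to a Viewer-level role reaches every Editor and Manager that includes it, while a revoke on a default role affects every group at once.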