head_uuid
and tail_uuid
, so an attempt to create a Link that references an unreadable object will return an error indicating the object is not found.head_uuid
is this object’s uuid
. can_manage also implies can_write and can_read.owner_uuid
field. Valid uuid types for owner_uuid
are “User” and “Group”.owner_uuid
has can_manage permission on the object.
owner_uuid
being equal to X
does not imply any permission for that User/Group to read, write, or manage an object whose uuid
is equal to X
.owner_uuid
.
arv-mount
.owner_uuid
field, it is necessary to have can_write
permission on both the current owner and the new owner.A link object with
owner_uuid
of the system user.link_class
“permission”name
one of can_read, can_write or can_managehead_uuid
of some Arvados objecttail_uuid
of a User or Groupgrants the name
permission for tail_uuid
accessing head_uuid
head_uuid
is the object under management.Permissions can be obtained indirectly through Groups.
Group membership is determined by whether the group has can_read permission on an object. If a group G can_read an object A, then we say A is a member of G.
For some kinds of groups, like roles, it is natural for users who are members of a group to also have can_manage permission on the group, i.e., G can_read A and A can_manage G (“A can do anything G can do”). However, this is not necessary: A can be a member of a group while being unable to even read it.
object_uuid
(User can access log history about objects it can read). To retain the integrity of the log, the log table should deny all update or delete operations.tail_uuid
is a User permit can_read
on the link by that user. (User can discover her own permission grants.)A privileged user account exists for the use by internal Arvados components. This user manages system objects which should not be “owned” by any particular user. The system user uuid is {siteprefix}-tpzed-000000000000000
.
An Arvados site may be configured to allow users to browse resources without requiring a login. In this case, permissions for non-logged-in users are associated with the “anonymous” user. To make objects visible to the public, they can be shared with the “anonymous” group. The anonymous user uuid is {siteprefix}-tpzed-anonymouspublic
. The anonymous group uuid is {siteprefix}-j7d0g-anonymouspublic
.
The content of this documentation is licensed under the
Creative
Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the
Apache License, Version 2.0.