Arvados Docs
  1. Topics
    1. Arvados admin overview
  2. Users and Groups
    1. User management
    2. User management at the CLI
    3. Role group management at the CLI
    4. Reassign user data ownership
    5. Link user accounts
    6. Configuring federation
    7. Migrating users to federated accounts
    8. Changing upstream login providers
    9. Synchronizing from external sources
    10. Securing API access with scoped tokens
    11. Automatic logout and token expiration
  3. Monitoring
    1. Logging
    2. Metrics
    3. Health checks
    4. Inspecting active requests
    5. Diagnostics
    6. Management token
    7. User activity report
  4. Data Management
    1. Configuring collection versioning
    2. Configuring collection's managed properties
    3. Restricting upload or download
    4. Balancing Keep servers
    5. Preventing container reuse
    6. Logs table management
    7. Metadata vocabulary
    8. Configuring storage classes
    9. Recovering data
    10. Measuring deduplication
    11. Faster garbage collection in S3
  5. Cloud
    1. Using Preemptible instances
    2. Testing cloud configuration

Role group management at the CLI

This page describes how to manage groups at the command line. You should be familiar with the permission system .

Create a role group

User groups are entries in the “groups” table with "group_class": "role".

arv group create --group '{"name": "My new group", "group_class": "role"}'

Add a user to a role group

There are two separate permissions associated with group membership. The first link grants the user can_manage permission to manage things that the group can manage. The second link grants permission for other users of the group to see that this user is part of the group.

arv link create --link '{
  "link_class": "permission",
  "name": "can_manage",
  "tail_uuid": "the_user_uuid",
  "head_uuid": "the_group_uuid"}'

arv link create --link '{
  "link_class": "permission",
  "name": "can_read",
  "tail_uuid": "the_group_uuid",
  "head_uuid": "the_user_uuid"}'

A user can also be given read-only access to a group. In that case, the first link should be created with can_read instead of can_manage.

List role groups

arv group list --filters '[["group_class", "=", "role"]]'

List members of a role group

Use the command jq to extract the tail_uuid of each permission link which has the user uuid.

arv link list --filters '[["link_class", "=", "permission"],
  ["head_uuid", "=", "the_group_uuid"]]' | jq .items[].tail_uuid

Share a project with a role group

Members of the role group will have access to the project based on their level of access to the role group.

arv link create --link '{
  "link_class": "permission",
  "name": "can_manage",
  "tail_uuid": "the_group_uuid",
  "head_uuid": "the_project_uuid"}'

A project can also be shared read-only. In that case, the link name should be can_read instead of can_manage.

List things shared with the group

Use the command jq to extract the head_uuid of each permission link which has the object uuid.

arv link list --filters '[["link_class", "=", "permission"],
  ["tail_uuid", "=", "the_group_uuid"]]' | jq .items[].head_uuid

Stop sharing a project with a group

This will remove access for members of the group.

The first step is to find the permission link objects. The second step is to delete them.

arv --format=uuid link list --filters '[["link_class", "=", "permission"],
  ["tail_uuid", "=", "the_group_uuid"], ["head_uuid", "=", "the_project_uuid"]]'

arv link delete --uuid each_link_uuid

Remove user from a role group

The first step is to find the permission link objects. The second step is to delete them.

arv --format=uuid link list --filters '[["link_class", "=", "permission"],
  ["tail_uuid", "in", ["the_user_uuid", "the_group_uuid"]],
  ["head_uuid", "in", ["the_user_uuid", "the_group_uuid"]]'

arv link delete --uuid each_link_uuid
Previous: User management at the CLI Next: Reassign user data ownership

The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.