
Optimize permission lookups for a user

Open scolapasta opened this issue 6 years ago • 3 comments

When we recently added the ability to modify the "Host Dataverse" upon creating a dataverse / dataset, we ran into the "what dataverses does User x have Permission y on" challenge (in this case add dataverse / dataset permission).

Because of how our permission system* works with groups, there is currently no straightforward way to start from the user and get the dataverses for which that user has a certain permission, without having to get all dataverses and check each one (though we mitigated some of this by filtering the list with an autocomplete, and only checking a subset of all dataverses).

  • if we ever allowed permissions to cascade from one dataverse to its child, that would also present a challenge

@landreev and I discussed at the time that it would be nice to be able to start from the user direction, so this issue is to track the investigation / solution for how to make that work.

related #784

Dec 17 '19 19:12 scolapasta

The basic idea here will be to create a simple method that takes in a user and a permission and returns a List of Dataverses. We'll want it in a performant way, so will want to query the db directly as much as possible. (for direct assignments easy, we also need to determine groups the user is in...)

Nov 17 '20 20:11 scolapasta

  • Do we do something in MyData that we could leverage here? Not sure if we do, but let's check. MyData may not account for groups (or groups within groups)
  • Possible solution: get user, figure groups they are in, get list of roles for that user groups
  • What speed(s) should constitute success here? Some power users may take longer. Some benchmarking would be helpful here.
  • We've optimized the other way (object to user) so there may be something to be learned there

Nov 18 '20 19:11 djbrooke

2024/03/14

  • sized at 10 for investigation, might be larger. @scolapasta may have insight.

Mar 14 '24 19:03 cmbz

To focus on the most important features and bugs, we are closing issues created before 2020 (version 5.0) that are not new feature requests with the label 'Type: Feature'.

If you created this issue and you feel the team should revisit this decision, please reopen the issue and leave a comment.

Aug 20 '24 15:08 cmbz

@scolapasta @pdurbin @landreev Is this API being called as a User with their credentials to get their accessible collections or is it being called by an Administrator? The main reason for the ask is around IPgroups and ShibGroup. Neither of these would allow an admin to figure out the access since the user is not connected with an IP address or logged in with Shibboleth.

Oct 07 '24 14:10 stevenwinship
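
The lookup direction discussed in this thread (user and permission in, list of dataverses out, with groups within groups resolved in the database) can be sketched as follows. This is an added example, not Dataverse code and not any participant's: the schema, identifiers and permission bits are hypothetical and the rows are constructed. Session-derived groups such as IP or Shibboleth groups are passed in by the caller, since they are not stored memberships.

```python
import sqlite3

ADD_DATAVERSE, ADD_DATASET = 1, 2  # constructed permission bits

# Hypothetical, simplified schema and constructed rows (not Dataverse's real tables).
DEMO = """
CREATE TABLE dataverse(id INTEGER PRIMARY KEY, alias TEXT);
CREATE TABLE role(id INTEGER PRIMARY KEY, permission_bits INTEGER);
CREATE TABLE group_member(group_id TEXT, member_id TEXT);  -- member: user or group
CREATE TABLE role_assignment(assignee_id TEXT, role_id INTEGER, dataverse_id INTEGER);
INSERT INTO dataverse VALUES (1,'root'),(2,'physics'),(3,'history');
INSERT INTO role VALUES (1,1),(2,2);
INSERT INTO group_member VALUES ('&explicit/lab','@alice'),
  ('&explicit/faculty','&explicit/lab'),   -- group within group
  ('&explicit/lab','&explicit/faculty');   -- cycle, must not loop forever
INSERT INTO role_assignment VALUES ('@alice',2,3),
  ('&explicit/faculty',1,2), ('&ip/campus',1,1);
"""

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO)
    return conn

def dataverses_with_permission(conn, user_id, permission_bit, session_groups=()):
    """Start from the user: expand stored group memberships in the database,
    then join role assignments and filter on the permission bit.
    session_groups holds groups known only from a live request (IP, Shibboleth)."""
    seeds = [user_id, *session_groups]
    placeholders = ",".join("(?)" for _ in seeds)  # placeholders only, no data
    sql = f"""
    WITH RECURSIVE ident(id) AS (
        VALUES {placeholders}
        UNION  -- UNION (not UNION ALL) de-duplicates, so membership cycles end
        SELECT gm.group_id FROM group_member gm JOIN ident i ON gm.member_id = i.id
    )
    SELECT DISTINCT d.alias
    FROM role_assignment ra
    JOIN ident i ON ra.assignee_id = i.id
    JOIN role r ON r.id = ra.role_id
    JOIN dataverse d ON d.id = ra.dataverse_id
    WHERE (r.permission_bits & ?) != 0
    ORDER BY d.alias"""
    return [row[0] for row in conn.execute(sql, [*seeds, permission_bit])]

if __name__ == "__main__":
    db = build_demo_db()
    print(dataverses_with_permission(db, "@alice", ADD_DATAVERSE))
    print(dataverses_with_permission(db, "@alice", ADD_DATAVERSE, ["&ip/campus"]))
```

Called without `session_groups`, as an administrator asking on a user's behalf would have to, the result omits anything granted only through a session-derived group.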