
Delegate group membership administration to non-admins

Open natefoo opened this issue 3 months ago • 4 comments

This would be super useful for e.g. groups used only for library access. Currently only admins can modify group membership.

The caveat is that anyone delegated this permission would have full access to the list of users on the server, so I'd consider it a "lower level" of admin privileges than full admin_users superuser.

natefoo avatar Nov 18 '25 19:11 natefoo

If the idea is that this is delegated to group-specific admins, then we could:

  • let users see the available groups, to which they can ask to be added
  • a group-specific admin would only be able to see the existing group members and the users requesting to be added. WorkflowHub and Zenodo implement a system like this.

nsoranzo avatar Nov 18 '25 19:11 nsoranzo

That'd be perfect, especially if we can mark groups as public and private.

natefoo avatar Nov 18 '25 21:11 natefoo

How do you feel about trusting users with creating groups? If that's an option, then how about something like this:

  • Let any user create groups. When creating a group, a user becomes the group admin
  • A group admin has full control over the group: add/remove users, assign admins including themselves, edit/delete group
  • To add a user, an admin will need the user's galaxy username or registered email address.

That way users don't have to navigate the list of all groups (67 on main), and if they do, they are bound to request access to the wrong john-doe-lab group, and they will get access to it because of the group admin's mistake, etc, etc.

This empowers users to manage their own groups as they see fit, without pestering their admins (and, I think, those who manage research teams, especially student teams, will appreciate that!). At the same time, this does not affect any other members or groups, which makes it convenient and safe.

The one downside I can see is that a group admin would need to know the username or email of a user to add them. Although, on the other hand, wouldn't that be a preferred way to manage a group?

Another downside is group name pollution, but we could differentiate between user-created groups and system-wide groups.

Also, I think regardless of what we do, even if we only delegate group membership operations, we'll need a UI for this: I wouldn't reuse the admin UI, and I wouldn't consider group admins as "lower level" galaxy admins.

jdavcs avatar Nov 18 '25 23:11 jdavcs

  • Let any user create groups.

There are groups that give access to special resources (compute, user defined tools, file sources etc). I think we can't do that without adding a new type of group that wouldn't interfere with existing permissions that are based on group membership.

A group admin role however seems fine and would go a long way in enabling the library use case?

mvdbeek avatar Nov 19 '25 14:11 mvdbeek
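The model sketched in jdavcs's proposal and the constraint raised in the last comment (a group admin role scoped to one group, with user-created groups kept separate from groups that carry resource permissions) can be captured in a small authorization check. The following is an added illustration, not Galaxy's own code: every name in it (`User`, `Group`, `Directory`, `can_modify_membership`, `grant_resource`, the sample users) is hypothetical, and the in-memory directory stands in for the real user table.

```python
"""Toy authorization model for delegated group administration (illustration only).

Hypothetical model, not Galaxy's code. It encodes two points from the thread:
  * membership changes need site admin or an admin role on that specific group,
    and the target user is resolved by exact username/email, so a group admin
    never needs (or gets) the full server user list;
  * user-created groups are a distinct kind that can never carry resource grants,
    so delegating them does not widen access to compute, tools or file sources.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class User:
    username: str
    email: str
    site_admin: bool = False


@dataclass
class Group:
    name: str
    user_created: bool                              # True: made by a normal user
    members: Set[str] = field(default_factory=set)  # usernames
    admins: Set[str] = field(default_factory=set)   # usernames holding group-admin role
    resource_grants: Set[str] = field(default_factory=set)


class AuthzError(PermissionError):
    """Raised when the actor lacks the required role."""


class Directory:
    """Exact-match lookup by username or email; no listing or prefix search,
    so a delegated admin cannot enumerate accounts through it."""

    def __init__(self, users: Iterable[User]):
        self._by_name: Dict[str, User] = {u.username: u for u in users}
        self._by_email: Dict[str, User] = {u.email.lower(): u for u in self._by_name.values()}

    def resolve(self, ident: str) -> Optional[User]:
        return self._by_name.get(ident) or self._by_email.get(ident.lower())


def can_modify_membership(actor: User, group: Group) -> bool:
    """Site admins may edit any group; otherwise only an admin of this group."""
    return actor.site_admin or actor.username in group.admins


def create_group(actor: User, name: str) -> Group:
    """Any user may create a group; the creator becomes its first admin."""
    group = Group(name=name, user_created=True)
    group.admins.add(actor.username)
    group.members.add(actor.username)
    return group


def add_member(actor: User, group: Group, directory: Directory, ident: str) -> User:
    if not can_modify_membership(actor, group):
        raise AuthzError(f"{actor.username} is not an admin of {group.name}")
    target = directory.resolve(ident)
    if target is None:
        # Same message for "no such user" in every case: no account-existence hints.
        raise LookupError("no user with that exact username or email")
    group.members.add(target.username)
    return target


def remove_member(actor: User, group: Group, username: str) -> None:
    if not can_modify_membership(actor, group):
        raise AuthzError(f"{actor.username} is not an admin of {group.name}")
    group.members.discard(username)
    group.admins.discard(username)   # leaving the group also drops the admin role


def grant_resource(actor: User, group: Group, resource: str) -> None:
    """Only site admins attach resource grants, and never to user-created groups,
    so delegating membership of those groups cannot confer compute/tool/file access."""
    if not actor.site_admin:
        raise AuthzError("only site admins may attach resource grants")
    if group.user_created:
        raise AuthzError("user-created groups cannot carry resource grants")
    group.resource_grants.add(resource)


def visible_members(actor: User, group: Group) -> Set[str]:
    """What a group admin can see: this group's members, not the site user list."""
    if not can_modify_membership(actor, group):
        raise AuthzError(f"{actor.username} may not view members of {group.name}")
    return set(group.members)


if __name__ == "__main__":
    # Constructed sample data.
    alice, bob = User("alice", "alice@example.org"), User("bob", "bob@example.org")
    root = User("root", "root@example.org", site_admin=True)
    lab = create_group(alice, "john-doe-lab")
    add_member(alice, lab, Directory([alice, bob, root]), "Bob@Example.org")
    print(visible_members(alice, lab))           # {'alice', 'bob'}
```

The separation matters for the library use case: a site admin can still create a non-user-created group, attach a grant to it, and hand its membership management to a group admin, while nothing a group admin does on a user-created group can reach those grants.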