How to manage groups and permissions

Groups and permissions are designed to be as simple as possible while still providing the data isolation FOSSology needs. They are loosely modeled on Unix-style group permissions: each uploaded file can have read and write permissions assigned to a group.

Let's start with what groups and permissions are:
  • Group
    A group is composed of one or more users. This user group is the only type of group in FOSSology. The only members of a group are users; groups cannot be members of groups. Every user has their own group, named after the user. User "mary" has a group named "mary": when user mary is created, a group named mary is also created with user mary as its only member. In addition to these per-user groups, you can create new groups. For example, you could create a group named "ProjectX" and assign users as members of ProjectX.
  • Group Permissions
    Every user in a group is assigned a group permission: the permission that user has over the management of the group. Users may be an "Admin" of the group or a "User". Both admins and users are members of the group, but only admins may add members to or remove members from the group. Admins also assign each member a group permission, which includes granting admin permission to other users. Each group must always have at least one admin. Group creation, deletion, and membership are managed through the main menu: Admin > Groups.
  • Permissions (upload permissions)
    Permissions are granted on each upload (each file you upload), and they are given to groups, not users. Groups may be given "Read", "Write" or "Admin" privileges on an upload. For example, group ProjectX may be given "Read" permission on upload "myuploaded.tgz", which means that everyone in group ProjectX can browse (i.e. read) myuploaded.tgz. Suppose in addition that group Sheila is given "Write" privileges on myuploaded.tgz: all the users in group Sheila can then browse and update the data associated with myuploaded.tgz, for example tag it, correct licenses, schedule new scans, and so on. If a group is given "Admin" privileges on an upload, the users of that group can manage that upload's permissions. So if group "staff" is given admin privileges on myuploaded.tgz, anyone in group staff can add groups to, or change group permissions on, myuploaded.tgz. Upload permissions are managed through the main menu: Admin > Upload Permissions.
  • Folder Permissions
    There are no permissions assigned to folders. However, a user is restricted to uploading files under their top-level (or root) folder, which is assigned when the user is created. The file browser also starts at the user's top-level folder. However, if a user is given a URL to an upload outside their top-level folder, and they have privileges on that upload, they will still be able to browse it. See the examples below.
  • Legacy User Privileges
    When a FOSSology user is created, they are assigned a user privilege of "None", "Read", "Write", or "Admin". These are the legacy user privileges and they are still in effect. However, as in all versions of FOSSology, these privileges do not apply to uploaded files; they control access to the user interface plugins. For example, if user Joe is created with "Read" privileges, Joe will be allowed to use the License Browser, because the License Browser requires "Read" or above. The user interface plugin for changing a license requires "Write", so Joe will not be allowed to change a license because he cannot access that plugin at all. This may sound more confusing than it really is. Just remember that a "Read" user can only read the database and a "Write" user can also write to it. An "Admin" user is the FOSSology superuser: an Admin user can access (read and write) every uploaded file and every user interface plugin, regardless of the group permissions on the upload.

Example 1: Selective file sharing within a project

In this example, we want Sam and Gina to be members of project X, and share a subset of files between them.
  • First set up folders for the project. Something like this:
    Folder ProjectX
      Folder Sam
      Folder Gina
      Folder Shared     
    
  • Make folder ProjectX the top-level folder for users Sam and Gina.
  • Create a group called "Shared", with members Sam and Gina.

Now when Sam or Gina wants a private file, they upload it to their respective folders. When they want a shared file, they upload it to the "Shared" folder and give group "Shared" read or write permission on each upload.

Example 2: Selective file sharing within a project (alternate folder structure)

This is identical to example 1, but shows a different folder structure.
In this example, we want Sam and Gina to be members of project X, and share a subset of files between them.
  • First set up folders for the project. Something like this:
    Folder Sam
    Folder Gina    
    

Sam uploads into his top-level folder (Sam), and Gina uploads into her top-level folder (Gina). For every file Gina wants to share with Sam, she gives group Sam access to that upload, and vice versa for Sam. Here is the catch: if Sam goes into Browse, he will only see the files he uploaded, because his top-level folder is Sam. However, if Gina sends Sam a URL to an upload she has shared with him, Sam will be able to access it. Restating this: to access any upload you need permission; when you browse you are restricted to your top-level folder; but if someone sends you a URL to an upload that you have permission on, and it is outside of your top-level folder, you will still be able to access it.

Example 3: Share everything in a project

In this example, there is one project and all files are shared. However, some users only have read access to the files, and some have write.
  • Set up the sharing folder
    Folder ProjectX
    
  • Make folder ProjectX the top-level folder for all the project users.
  • Create a group "ProjectX-ReadOnly" with read only users.
  • Create a group "ProjectX-Write" with the write enabled users.
  • Upload all files to the ProjectX folder
  • Give group "ProjectX-ReadOnly" read permission to each upload.
  • Give group "ProjectX-Write" write permission to each upload.
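
The rules given in the definitions above and exercised in Examples 2 and 3 (per-user groups, group admins and the one-admin minimum, upload permissions granted to groups, the legacy Admin superuser, and the difference between browsing under a top-level folder and following a direct URL) can be checked against a small model. The block below is an added example written for this page in Python; it is not FOSSology's own code, and the Model class, its method names, and the users, groups and uploads it builds (sam, gina, root, gina-shared.tgz, gina-private.tgz) are constructed for illustration. It also assumes two things the page implies but does not state outright: that upload permission levels are ordered (Write includes Read, Admin includes Write), and that the uploader's own group receives Admin permission on a new upload, which is what lets Gina grant access to group Sam in Example 2.

```python
# Toy model of the FOSSology group/upload permission rules described on this page.
# Added example, not FOSSology's code: every name below is constructed for illustration.
from collections import namedtuple
from enum import IntEnum


class Perm(IntEnum):
    """Upload permission levels; assumed ordered, so Write includes Read."""
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3


User = namedtuple("User", "legacy top_folder")   # legacy UI privilege, assigned root folder
Upload = namedtuple("Upload", "folder acl")      # folder uploaded into, {group: Perm}


def under(folder, top):
    return folder == top or folder.startswith(top + "/")


class Model:
    def __init__(self):
        self.users, self.groups, self.uploads = {}, {}, {}   # groups: {name: {user: role}}

    def add_user(self, name, legacy, top_folder):
        self.users[name] = User(legacy, top_folder)
        self.groups[name] = {name: "Admin"}   # every user gets a same-named group

    def _require_group_admin(self, actor, group):
        if self.groups[group].get(actor) != "Admin":   # only group admins manage membership
            raise PermissionError(f"{actor} is not an admin of group {group}")

    def add_member(self, actor, group, user, role="User"):
        self._require_group_admin(actor, group)
        self.groups[group][user] = role

    def remove_member(self, actor, group, user):
        self._require_group_admin(actor, group)
        remaining = {u: r for u, r in self.groups[group].items() if u != user}
        if "Admin" not in remaining.values():   # a group always keeps at least one admin
            raise ValueError(f"group {group} would be left without an admin")
        self.groups[group] = remaining

    def upload(self, user, name, folder):
        top = self.users[user].top_folder
        if not under(folder, top):   # uploads are restricted to the user's root folder
            raise PermissionError(f"{user} may only upload under {top}")
        # Assumption: the uploader's own group gets Admin on the new upload,
        # which is what lets Gina grant access to group Sam in Example 2.
        self.uploads[name] = Upload(folder, {user: Perm.ADMIN})

    def upload_perm(self, user, upload):
        if self.users[user].legacy == Perm.ADMIN:   # legacy Admin is the superuser
            return Perm.ADMIN
        acl = self.uploads[upload].acl
        return max((p for g, p in acl.items() if user in self.groups[g]), default=Perm.NONE)

    def grant(self, actor, upload, group, perm):
        if self.upload_perm(actor, upload) < Perm.ADMIN:   # ACL changes need Admin on the upload
            raise PermissionError(f"{actor} cannot manage permissions on {upload}")
        self.uploads[upload].acl[group] = perm

    def can_use_plugin(self, user, required):
        return self.users[user].legacy >= required   # legacy privilege gates UI plugins only

    def browse(self, user):
        """What the file browser shows: readable uploads under the user's top folder."""
        top = self.users[user].top_folder
        return sorted(n for n, u in self.uploads.items()
                      if under(u.folder, top) and self.upload_perm(user, n) >= Perm.READ)

    def open_url(self, user, upload):
        """A direct URL bypasses the top-folder restriction, never the ACL."""
        return self.upload_perm(user, upload) >= Perm.READ


def rejected(fn, *args):
    """True if the model refuses the call; used to show the negative cases."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False


def example2():
    """Example 2 from the page plus a legacy-Admin superuser (all names constructed)."""
    m = Model()
    m.add_user("sam", Perm.WRITE, "Sam")
    m.add_user("gina", Perm.WRITE, "Gina")
    m.add_user("root", Perm.ADMIN, "Software Repository")
    m.upload("gina", "gina-shared.tgz", "Gina")
    m.upload("gina", "gina-private.tgz", "Gina")
    m.grant("gina", "gina-shared.tgz", "sam", Perm.READ)   # share one upload with group "sam"
    return m
```

With the Example 2 layout built by example2(), browse("sam") returns nothing because Sam's top-level folder is Sam, yet open_url("sam", "gina-shared.tgz") succeeds and open_url("sam", "gina-private.tgz") does not; root sees an empty browser for the same reason but can open every upload through its legacy Admin privilege. The rejected() calls show the three checks an administrator should expect to hold on a real instance: a non-admin cannot change group membership, a group cannot lose its last admin, and a user with only Read on an upload cannot change its permissions.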