Introduction to Permission Management System
Permission System Composition
The Tencent HealthCare Omics Platform supports five types of roles, each with different permissions. Ranked from highest to lowest, the roles are manager, owner, writer, executor, and read-only user.
The Tencent HealthCare Omics Platform divides permissions based on projects and supports two levels of granularity for permission assignment:
Assign project role permissions to users.
Assign project role permissions to user groups.
Note:
The permission actually assigned to the user in a project is the highest one between the permissions assigned through the two settings. For example, user A belongs to user group A. The manager assigns the role of the executor to user A, and the manager assigns the role of the writer to user group A. At this time, the actual role assigned to user A in the project is the highest one; that is, the writer.
When a user belongs to multiple user groups that have different roles in the same project, the user is actually authorized to get the highest permission. For example, user B belongs to user group A and user group B. The manager assigns the role of the writer to user group A and the role of the executor to user group B. At this time, user B's actual role in the project is the highest one; that is, the writer.
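The resolution rule in the note above, as an added example that is not part of the platform's documentation or API: it computes a user's effective project role from direct and group assignments and lists users whose group membership gives them more than their direct grant, which is the case to look at in an access review. The data structures, role identifiers and sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Role order as stated on the page, listed here from lowest to highest.
ROLE_ORDER = ["read-only", "executor", "writer", "owner", "manager"]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}


@dataclass
class ProjectGrants:
    """Role assignments for one project (hypothetical structure)."""
    direct: dict = field(default_factory=dict)   # user -> role
    groups: dict = field(default_factory=dict)   # group -> role


def effective_role(user, grants, memberships):
    """Return (role, sources): the highest role held and the grants that supply it."""
    candidates = []
    if user in grants.direct:
        candidates.append((grants.direct[user], "direct"))
    for group in sorted(memberships.get(user, ())):
        if group in grants.groups:
            candidates.append((grants.groups[group], f"group:{group}"))
    if not candidates:
        return None, []
    top = max(RANK[role] for role, _ in candidates)
    return ROLE_ORDER[top], [src for role, src in candidates if RANK[role] == top]


def group_elevations(grants, memberships):
    """List users whose effective role exceeds (or exists without) a direct grant."""
    findings = []
    for user in sorted(set(grants.direct) | set(memberships)):
        role, sources = effective_role(user, grants, memberships)
        direct = grants.direct.get(user)
        if role and (direct is None or RANK[role] > RANK[direct]):
            findings.append((user, direct, role, sources))
    return findings


# Constructed sample data mirroring the two cases in the note above.
MEMBERSHIPS = {"user_a": {"group_a"}, "user_b": {"group_a", "group_b"}}
GRANTS = ProjectGrants(
    direct={"user_a": "executor"},
    groups={"group_a": "writer", "group_b": "executor"},
)

if __name__ == "__main__":
    for finding in group_elevations(GRANTS, MEMBERSHIPS):
        print(finding)
```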
Permission Management Scope
Project | Creating, viewing, editing, and deleting projects and modifying permissions; Binding and unbinding a bucket; Creating, setting, editing, viewing, running, deleting, and publishing applications; Creating, viewing, and deleting tables; Viewing, early terminating, and rerunning a run batch |
Image | Namespace Management; Associating and disassociating with TCR; Creating and deleting repositories and pushing images; Creating, modifying, and deleting categories; Viewing and copying the image path |
File | Viewing and deleting project buckets; Viewing buckets and using bucket directories as input and output paths; Binding and unbinding projects and buckets |
Project Permissions
Overview of the Types of Project Roles Assigned and Their Operation Permissions
The types of project roles assigned and their operation permissions can be found in the following table:
Manager | Having the highest permission for all projects; Binding and unbinding a bucket; Binding and unbinding environments |
Owner | Having the highest permission within the project |
Writer | Viewing, adding, writing, publishing, and running applications; Deleting applications (only those you created); Creating and deleting tables |
Executor | Viewing and running the published version of the application; Creating, viewing, and deleting tables |
Read-Only User | Viewing the published version of the application; Viewing the table |
Viewing and Setting Project Permissions
The Tencent HealthCare Omics Platform supports Managers in viewing and setting project permissions in the console and also supports project owners in setting project permissions on the Tencent HealthCare Omics Platform website. A permission setting made for a user or user group in either module is synchronized to the other module, and the latest view is shown after you refresh.
Viewing and Setting Role Project Permissions in the Console
Managers can log in to the console to view and set all project permissions. Log in to the console and click User Management > User to open the user list page, which shows the necessary information about user accounts.
If you need to grant a user permissions for a project, click Manage Authorization in the rightmost operation column of the row where the user is located. You can go to the permission details page to view and manage the user's project-level role assignment.
On the permission details page, you can view the roles assigned to the user in the user's related projects. Click Permission Management to go to the permission management page and manage the role's authorization in the project dimension.
On the permission management page, you can authorize the user at the project level, and the project list can be switched by type and region. The supported types are "partial authorization" and "for Managers", and the supported region is Hong Kong (China).
Assigning Permissions in the Project to Roles on the Omics Platform Website
Project owners and managers can assign a specific role to a project member and authorize the corresponding permissions.
1. Authorizing When Creating a New Project
2. Changing Authorization for an Existing Project
Click the icon in the upper right corner of the project to enter Project Settings to modify role permissions.
Project Resource Authorization
Managers can authorize resources for projects, including storage resources and environment resources, by binding buckets and environments to projects.
Binding a Bucket
Managers have permission to bind a bucket to an environment. During the File Management-Source File stage, the manager can directly specify the bucket that needs to be bound for the environment. Click the Associate Bucket button; the Associating pop-up appears, where the Manager can bind buckets to the selected environment.
Select the bucket to be bound and confirm.
After the bucket is bound, you can use the bound bucket data as input data for the project task. You can also set the path in the bucket as the task output directory. For details, see Application Editing (Code Editor).
Binding an Environment
Managers have permission to bind an environment to a project. During the creation of a new project, Managers can directly specify the bucket to be bound to the project. Managers can also bind an environment to an already created project in the project settings.
Application Permissions
After a user logs in to the Tencent HealthCare Omics Platform, the project list page only displays authorized projects. Within a project, different roles have different operation permissions. Within an application, the application editing page displays the corresponding operation view based on the operation permissions. For project application-level operation permissions, see the following table:
Manager | Creating, editing, running, and deleting applications and publishing application versions; Viewing timeline editing history and version history |
Owner | Creating, editing, running, and deleting applications and publishing application versions; Viewing timeline editing history and version history |
Writer | Creating, editing, running applications, and publishing application versions; Deleting applications (only those you created); Viewing timeline editing history and version history |
Executor | Viewing and running the published application version; Viewing timeline version history |
Read-Only User | Viewing the published application version; Viewing timeline version history |
Table Permissions
For table-related operation permissions, see the following table:
Manager | Creating, deleting, and viewing tables |
Owner | Creating, deleting, and viewing tables |
Writer | Creating, deleting (only those you created), and viewing tables |
Executor | Creating, deleting (only those you created), and viewing tables |
Read-Only User | Viewing tables |
Running Groups-related Operation Permissions
The following table contains the running groups-related permissions generated after the task is successfully submitted:
Manager | Viewing running groups; Terminating and rerunning groups early |
Owner | Viewing running groups; Terminating and rerunning groups early |
Writer | Viewing running groups; Terminating and rerunning groups early (only for running groups submitted by the Writer) |
Executor | Viewing running groups; Terminating and rerunning groups early (only for running groups submitted by the Writer) |
Read-Only User | Viewing running groups |
User Group Permissions
User Group Overview
The user group is a group of user members. It represents a resource access control mechanism provided by the Tencent HealthCare Omics Platform. This mechanism supports managers in creating, maintaining, and deleting user groups, as well as adding users to groups and modifying permissions in batches to make permission management easier.
In the bioinformatics analysis scenario, the user group mode can help managers better authorize projects. For example, you can create a user group, add all team members involved in a specific project to the user group, and then grant the user group the permissions required to access and operate the project. In this way, all user group members can access and operate the project as needed, and you do not need to grant permissions to each user individually.
This section mainly introduces operations related to granting permissions to user groups. For operations such as creating a new user group and adding or removing members from a user group, see User Management.
Grant Permissions to User Groups
Switch to the Permissions module and click Permission Management, and the permission management page is displayed.
The permission management page displays a list of projects under each region, where you can assign roles to user groups.
Permission Management of Other Modules
Image Management Permissions
Permission for associating and disassociating Tencent Cloud Tencent Container Registry
To use the image management module, the manager must first activate Tencent Cloud Tencent Container Registry in the Tencent Cloud Console and associate it with the Tencent HealthCare Omics Platform account. For specific operations, see Image Repository Management.
Image Repository Management-related Permissions
For image repository management permissions, see the following table:
Manager | Creating, modifying, and deleting category tags are supported. Viewing quick instructions and repositories in the image repository list is supported. Copying image addresses is supported. Deleting image repositories is supported. |
Owner, Writer, Executor, Read-Only User | Viewing quick instructions and repositories in the image repository list is supported. Copying image addresses is supported. |
File Management Permissions
The file management module involves three types: bucket, public bucket, and project bucket. The operation permissions are as follows:
After the manager associates a bucket, users can view the file directory of the bucket. After the manager binds a project, project members can use the bucket directory as an input and output path.
Public buckets are open to all platform users;
Project buckets are open to project members.
For specific operation permissions, see the following table:
Role | Bucket | Public bucket | Project bucket |
Manager | You can associate and disassociate buckets. You can bind and unbind projects. You can view items. You can use input and output paths. | You can view items. You can use input and output paths. | You can view and delete items. |
Owner | You can view items. You can use input and output paths. | You can view items. You can use input and output paths. | You can view and delete items. |
Writer | You can view items. You can use input and output paths. | You can view items. You can use input and output paths. | You can view items. |
Executor | You can view items. You can use input and output paths. | You can view items. You can use input and output paths. | You can view items. |
Read-Only User | You can only view items. | You can only view items. | You can only view items. |