Permission Management
Last updated: 2024-10-22 16:05:05

Introduction to Permission Management System

Permission System Composition

The Tencent HealthCare Omics Platform supports five types of roles, each with different permissions. Ranked from highest to lowest, the roles are manager, owner, writer, executor, and read-only user.
The Tencent HealthCare Omics Platform divides permissions based on projects and supports two levels of granularity for permission assignment:
Assign project role permissions to users.
Assign project role permissions to user groups.
Note:
The permission actually assigned to the user in a project is the highest one between the permissions assigned through the two settings. For example, user A belongs to user group A. The manager assigns the role of the executor to user A, and the manager assigns the role of the writer to user group A. At this time, the actual role assigned to user A in the project is the highest one; that is, the writer.
When a user belongs to multiple user groups that have different roles in the same project, the user is actually authorized to get the highest permission. For example, user B belongs to user group A and user group B. The manager assigns the role of the writer to user group A and the role of the executor to user group B. At this time, user B's actual role in the project is the highest one; that is, the writer.
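The resolution rule in the note above, as an added example for access reviews (not Tencent's code or API): it computes a user's effective project role and lists users whose effective role comes from a group rather than from their direct assignment. The dictionaries, the user and group names, and the `proj-1` project are constructed for illustration.

```python
# Added example. Role names and their order come from the page; all data below is constructed.
ROLE_RANK = {"read-only": 0, "executor": 1, "writer": 2, "owner": 3, "manager": 4}

def effective_role(user, project, user_roles, group_roles, memberships):
    """Return (role, source): the highest role among the direct and group assignments."""
    candidates = []
    direct = user_roles.get((user, project))
    if direct:
        candidates.append((direct, "direct"))
    for group in sorted(memberships.get(user, ())):
        role = group_roles.get((group, project))
        if role:
            candidates.append((role, f"group:{group}"))
    if not candidates:
        return None, None
    # max() keeps the first of equal ranks, so a direct assignment wins ties.
    return max(candidates, key=lambda c: ROLE_RANK[c[0]])

def audit_elevations(project, user_roles, group_roles, memberships):
    """List (user, direct_role, effective_role, source) where a group sets the effective role."""
    users = {u for (u, p) in user_roles if p == project} | set(memberships)
    findings = []
    for user in sorted(users):
        role, source = effective_role(user, project, user_roles, group_roles, memberships)
        if role and source != "direct":
            findings.append((user, user_roles.get((user, project)), role, source))
    return findings

# Constructed sample mirroring the two cases in the note, plus one user with no elevation.
USER_ROLES = {("userA", "proj-1"): "executor", ("userC", "proj-1"): "owner"}
GROUP_ROLES = {("groupA", "proj-1"): "writer", ("groupB", "proj-1"): "executor"}
MEMBERSHIPS = {"userA": {"groupA"}, "userB": {"groupA", "groupB"}, "userC": {"groupB"}}

if __name__ == "__main__":
    for finding in audit_elevations("proj-1", USER_ROLES, GROUP_ROLES, MEMBERSHIPS):
        print(finding)
```

Running the audit before removing a user's direct assignment shows whether a group assignment still leaves them with the same or a higher role.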

Permission Management Scope

| Resource Type | Involved Operation Permissions |
|---|---|
| Project | Creating, viewing, editing, and deleting projects and modifying permissions; Binding and unbinding a bucket; Creating, setting, editing, viewing, running, deleting, and publishing applications; Creating, viewing, and deleting tables; Viewing, early terminating, and rerunning a run batch |
| Image | Namespace Management; Associating and disassociating with TCR; Creating and deleting repositories and pushing image; Creating, modifying, and deleting categories; Viewing and copying the image path |
| File | Viewing and deleting project buckets; Viewing buckets and using bucket directories as input and output paths; Binding and unbinding projects and buckets |

Project Permissions

Overview of the Types of Project Roles Assigned and Their Operation Permissions

The types of project roles assigned and their operation permissions can be found in the following table:
| Role Type | Description |
|---|---|
| Manager | Having the highest permission for all projects; Binding and unbinding a bucket; Binding and unbinding environments |
| Owner | Having the highest permission within the project |
| Writer | Viewing, adding, writing, publishing, and running applications; Deleting applications (only those you created); Creating and deleting tables |
| Executor | Viewing and running the published version of the application; Creating, viewing, and deleting tables |
| Read-Only User | Viewing the published version of the application; Viewing the table |

Viewing and Setting Project Permissions

The Tencent HealthCare Omics Platform lets Managers view and set project permissions in the console, and lets project owners set project permissions on the Tencent HealthCare Omics Platform website. A permission setting made for a user or user group in either module is synchronized to the other module; refresh the page to see the latest view.

Viewing and Setting Role Project Permissions in the Console

Managers can log in to the Console to view and set all project permissions:
Log in to the console and click User Management > User to enter the user list page, which shows the necessary information about user accounts.
If you need to grant a user permissions for a project, click Manage Authorization in the rightmost operation column of the row where the user is located. You can go to the permission details page to view and manage the user's project-level role assignment.



On the permission details page, you can view the user's roles assigned for the user's related projects. Click Permission Management to go to the permission management page to manage the role's authorization in the project dimension.



On the permission management page, you can authorize the user at the project level, and the project list can be switched by type and region. The supported types are "partial authorization" and "for Managers", and the supported region is Hong Kong (China).




Assigning Permissions in the Project to Roles on the Omics Platform Website

Project owners and managers can assign a specific role and grant permissions to a project member.
1. Authorizing When Creating a New Project



2. Changing Authorization for an Existing Project
Click the icon in the upper right corner of the project to enter Project Settings to modify role permissions.




Project Resource Authorization

Managers can authorize resources for projects, including storage resources and environment resources through binding buckets and environments to projects.

Binding a Bucket

Managers have permission to bind a bucket to an environment. During the File Management-Source File stage, the manager can directly specify the bucket that needs to be bound for the environment. Click the Associate Bucket button; the Associating pop-up appears, where the Manager can bind buckets to the selected environment.



Select the bucket to be bound and confirm.



After the bucket is bound, you can use the bound bucket data as input data for the project task. You can also set the path in the bucket as the task output directory. For details, see Application Editing (Code Editor).

Binding an Environment

Managers have permission to bind an environment to a project. During the new project creation stage, Managers can directly specify the bucket to be bound to the project. Managers can also bind an environment to an already created project in the project settings.




Application Permissions

After a user logs in to the Tencent HealthCare Omics Platform, the project list page only displays authorized projects. Within a project, different roles have different operation permissions. Within an application, the application editing page displays the corresponding operation view based on the operation permissions. For project application-level operation permissions, see the following table:
| Role Type | Operation Permission Description |
|---|---|
| Manager | Creating, editing, running, and deleting applications and publishing application versions; Viewing timeline editing history and version history |
| Owner | Creating, editing, running, and deleting applications and publishing application versions; Viewing timeline editing history and version history |
| Writer | Creating, editing, running applications, and publishing application versions; Deleting applications (only those you created); Viewing timeline editing history and version history |
| Executor | Viewing and running the published application version; Viewing timeline version history |
| Read-Only User | Viewing the published application version; Viewing timeline version history |

Table Permissions

For table-related operation permissions, see the following table:
| Role Type | Operation Permission Description |
|---|---|
| Manager | Creating, deleting, and viewing tables |
| Owner | Creating, deleting, and viewing tables |
| Writer | Creating, deleting (only those you created), and viewing tables |
| Executor | Creating, deleting (only those you created), and viewing tables |
| Read-Only User | Viewing tables |

Running Groups-related Operation Permissions

The following table contains the running groups-related permissions generated after the task is successfully submitted:
| Role Type | Operation Permission Description |
|---|---|
| Manager | Viewing running groups; Terminating and rerunning groups early |
| Owner | Viewing running groups; Terminating and rerunning groups early |
| Writer | Viewing running groups; Terminating and rerunning groups early (only for running groups submitted by the Writer) |
| Executor | Viewing running groups; Terminating and rerunning groups early (only for running groups submitted by the Writer) |
| Read-Only User | Viewing running groups |

User Group Permissions

User Group Overview

The user group is a group of user members. It represents a resource access control mechanism provided by the Tencent HealthCare Omics Platform. This mechanism supports managers in creating, maintaining, and deleting user groups, as well as adding users to groups and modifying permissions in batches to make permission management easier.
In the bioinformatics analysis scenario, the user group mode can help managers better authorize projects. For example, you can create a user group, add all team members involved in a specific project to the user group, and then grant the user group the permissions required to access and operate the project. In this way, all user group members can access and operate the project as needed, and you do not need to grant permissions to each user individually.
This section mainly introduces operations related to granting permissions to user groups. For operations such as creating a new user group and adding or removing members from a user group, see User Management.
Grant Permissions to User Groups
Switch to the Permissions module and click Permission Management, and the permission management page is displayed.



The permission management page displays a list of projects under each region, where you can assign roles to user groups.




Permission Management of Other Modules

Image Management Permissions

Permission for associating and disassociating Tencent Cloud Tencent Container Registry
To use the image management module, the manager must first activate Tencent Cloud Tencent Container Registry in the Tencent Cloud Console and associate it with the Tencent HealthCare Omics Platform account. For specific operations, see Image Repository Management.
Image Repository Management-related Permissions
For image repository management permissions, see the following table:
| Role Type | Operation Permission Description |
|---|---|
| Manager | Creating, modifying, and deleting category tags are supported; Viewing quick instructions and repositories in the image repository list is supported; Copying image addresses is supported; Deleting image repositories is supported |
| Owner, Writer, Executor, Read-Only User | Viewing quick instructions and repositories in the image repository list is supported; Copying image addresses is supported |

File Management Permissions

The file management module involves three types: bucket, public bucket, and project bucket. The operation permissions are as follows:
After the manager associates a bucket, users can view the file directory of the bucket. After the manager binds a project, project members can use the bucket directory as an input and output path.
Public buckets are open to all platform users;
Project buckets are open to project members.
For specific operation permissions, see the following table:
| Role Type | Bucket Operation Permissions | Public Bucket Operation Permissions | Project Bucket Operation Permissions |
|---|---|---|---|
| Manager | You can associate and disassociate buckets; You can bind and unbind projects; You can view items; You can use input and output paths | You can view items; You can use input and output paths | You can view and delete items |
| Owner | You can view items; You can use input and output paths | You can view items; You can use input and output paths | You can view and delete items |
| Writer | You can view items; You can use input and output paths | You can view items; You can use input and output paths | You can view items |
| Executor | You can view items; You can use input and output paths | You can view items; You can use input and output paths | You can view items |
| Read-Only User | You can only view items | You can only view items | You can only view items |
