Role-based Access Control in FAIR
A user newly signed up to the service will be assigned a role however the user will remain unapproved until an Administrator approves the user. These roles are assigned to users by the Customer in a self-service manner at any time or by Aridhia upon request.
Note: a FAIR instance can be configured to auto-approve and automatically assign roles to users after signup upon request to Aridhia.
A set of managed roles exist that can be assigned to users:
| Role | View Dataset | Request Dataset Access | Manage Dataset | Manage Users and Service |
|---|---|---|---|---|
| Guest | ✅ | ❌ | ❌ | ❌ |
| Observer | ✅ | ❌ | ❌ | ❌ |
| Standard | ✅ | ✅ | ❌ | ❌ |
| Data Manager | ✅ | ✅ | ✅ | ❌ |
| Data Steward | ✅ | ✅ | ✅ | ✅ |
| Administrator | ❌ | ❌ | ❌ | ✅ |
- Guest (API code: 'guest'): a role that only allows the user to view existing datasets made public by Data Owners.
- Observer (API code: ‘observer’): a role that only allows the user to view existing datasets made public by Data Owners, and observer can also view dataset assets.
- Standard (API code: ‘standard’): a role that allows the user to view existing datasets made public by Data Owners and submit data access requests.
- Data Manager (API code: 'data-manager'): can create, edit and delete datasets
- Data Steward (API code: ‘data-steward’): can create, edit and delete datasets as well as assume the permissions of the Administrator role.
- Administrator (API code: ‘admin’): can perform role management capabilities and other administration tasks via the API. Where managed roles differ to requirements.
Administrator and Data Steward can create custom roles from the FAIR Data Services permission set and assign these roles to users in the platform.
Custom Roles
If the existing managed roles do not meet a user's needs, they have the option of creating custom roles.
Users can do this by accessing the Roles tab from the Administer menu.
From the Roles tab they should select the New option:
This opens a pop-up where users can define the new role by providing the following:
- ID - Optional, if left blank the role ID will be based on the name
- Name - The name of the role
- Can be assigned to - Roles can be assigned to users or API tokens, this field specifies which
- Based on - To simplify the creation process all custom roles are based on an existing role. This field allows users to choose an existing role to base their custom role on
- Description - A description of the role being created
At the point of creation the custom role will have the permissions of the role it has been based on. These can be edited by navigating to the custom role in the Roles tab and selecting Open from this menu:
From here, users can edit the role details e.g. name and add and remove permissions from it as required.
