User Groups Permissions
The User Groups feature allows admin users to create user groups and add users to them. These groups can then be used for sharing datasets.
This article explains how FAIR user groups interact with existing user roles and permissions.
User groups, roles and permissions
The dataset visibility article details the levels of dataset visibility and the different levels of permission that a user can have on a dataset.
These permissions can also be extended to user groups. For example, a user group can be added as a Data Owner to a dataset. When doing this, the user needs to be aware of the ways that the permissions of the user group interact with:
- The user roles of group members
- Existing permissions the group members have as individuals
- Existing permissions the group members have as members of other user groups
The user role of group members
Membership of a user group cannot be used to elevate a user's permission beyond their existing role. An example of how this works in practice is provided below:
- A user group is created with two members: one has the role of Data Steward and the other is a Standard User.
- This user group is added to a dataset as a Data Owner. This allows users in the group with appropriate role permissions to fully manage the dataset, including editing the metadata, adding data files and reviewing access requests.
- The Data Steward group member now has all of the above permissions on the dataset, as their role permits this.
- The other group member can only view the dataset, as the Standard User role does not permit the user to manage datasets.
Existing permissions group members have as individuals
Users could have permissions on a dataset granted individually and as part of a user group. Where these come in to conflict, the users' individual permissions take precedence. An example of how this works in practice is provided below:
- A user has view only permission on a dataset
- They are added to a user group which has Data Owner permissions on the same dataset
- In this case, the user will still only be able to view the dataset.
The opposite case is also true: where a user has individual permissions that exceed those of a user group, they will retain their elevated permissions that other members of the user group do not have.
Existing permissions the group members have as members of other user groups
Users can be members of multiple user groups, where these user groups have access to the same dataset at different levels of permission, there is no precedence.
This means where a user is a member of more than one user group that have permissions on the same dataset, when they interact with that dataset they will have all permissions associated with the relevant user groups. An example of how this works in practice is provided below:
- A user is a member of user group 1, this has the reviewer permission for dataset 1
- The user is added to user group 2, this has the manager permission for dataset 1
- When the user interacts with dataset 1 they will have both the reviewer and manager permissions.