| Both sides previous revision Previous revision Next revision | Previous revision |
| rdms:data:permissions [2026/01/15 14:38] – [Example: Permission Inheritance - Enabled] Some dots added jelte | rdms:data:permissions [2026/03/11 10:10] (current) – [Permissions and Inheritance] IRODS --> iRODS jelte |
|---|
| | {{indexmenu_n>3}} |
| ====== Permissions and Inheritance====== | ====== Permissions and Inheritance====== |
| |
| Within the RDMS, we support **four levels of permissions** or user privileges to files and folders. These permissions are either automatically assigned when a file or folder enters the RDMS, or they can be defined by the user(s). | With the current version of iRODS, **ten levels** of permissions on data and metadata are available to the user. These permissions are either automatically assigned when a file or folder enters the RDMS, or they can be defined by the user(s). In an order of ascending privileges, these permissions are 'Null', 'Read_Metadata', 'Read_Object', 'Create_Metadata', 'Modify_Metadata', 'Delete_Metadata', 'Create_Object', 'Modify_Object', 'Delete_Object', and 'Own'. You can set these permissions either by using the ''ichmod'' command in the Command Line Interface (CLI), or by using the web interface. |
| |
| In an order of ascending privileges, these permissions are 'Null', 'Read', 'Read/Write' and 'Own'. | **Note**: The web interface lets you currently set **four levels** of permissions, as those were the ones available before the iRODS version update. In an order of ascending privileges, these permissions are 'Null', 'Read', 'Read/Write', and 'Own'. At the moment, the new permissions are displayed in the web interface, but can only be set using iCommands. |
| |
| Please see the following table for a summary of what these different permissions allow within the RDMS: | Please see the following table for a summary of what these different permissions allow within the RDMS (corresponding permissions from the old four-level model noted in parantheses) : |
| |
| ^ Permission Level ^ Read ^ Modify ^ Create New ^ Delete ^ Share ^ | ^ ^ Metadata ^ ^ ^ ^ Data ^ ^ ^ ^ ^ |
| | **Null** | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | | ^ Permission Level ^ Read ^ Create ^ Modify ^ Delete ^ Read ^ Create ^ Modify ^ Delete ^ Share ^ |
| | **Read** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | | | **Null** (Null) | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | **Write** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | | | **Read_Object** (Read) | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | **Own** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | | | **Create_Metadata** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | | **Modify_Metadata** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | | **Delete_Metadata** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | | **Modify_Object** (Write) | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | | **Delete_Object** | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:1280px-eo_circle_red_blank.svg.png?nolink&20|}} | |
| | | **Own** (Own) | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | {{:rdms:data:eo_circle_green_checkmark.svg.png?nolink&20|}} | |
| |
| | **Note**: The table does not contain **Read_Metadata** and **Create_Object**, as these permissions are currently causing unexpected behaviour in the system. We advise not to use them. |
| |
| And for a more detailed explanation of what this permissions mean: | Finally, find below a brief explanation of what the permissions mean and how they are linked to the old set of permissions. |
| |
| **Own**: The user owns the data object (file) or the collection (folder) and has the full permission on reading, modifying (including deletion), and sharing. This permission is assigned automatically to a file a user uploads into their RDMS Home Drive, for example. | * **Null**: The user has no permissions on the object or metadata. The object is invisible to the user. You can use this permission to remove previously granted permissions on data and metadata. |
| | * **Read_Object**: The user can display the data object and the metadata attached to it. The user can also download the data object from the RDMS. This level of permission corresponds to the **old READ** permission. |
| **Write**: The user has read and write access to the object. This permission level does not allow you to rename or delete the object. | * **Create_Metadata**: The user has the same permissions as the permission level above, but can also create new metadata entries for the data object. Existing metadata cannot be modified. |
| | * **Modify_Metadata**: The user has the same permissions as the permission level above, but can now modify existing metadata entries. The user may not delete any metadata entry attached to the data object. |
| **Read**: The user can only read the object or its content. This also allows to make a (editable) copy of the file/folder. | * **Delete_Metadata**: The user has the same permissions as the permission level above, but can now delete metadata entries. |
| | * **Modify_Object**: The user has the same permissions as the permission level above, but can now modify the data object itself. This level of permission corresponds to the **old READ/WRITE** permission. With this level of permission, you can upload a new version of the data and modify it, but you cannot delete it or rename it. |
| **Null**: The user does not have any permission on the object. One can use 'none' when removing the previously assigned permissions to a user. | * **Delete_Object**: The user has the same permissions as the permission level above, but can now delete and rename objects. As the sharing of data or setting permissions requires ownership of the data, these are actions not available to the user. |
| | * **Own**: The user owns the data object (file) or the collection (folder) and has full permission on reading, modifying (including deletion), and sharing. This permission is assigned automatically to a file a user uploads into their RDMS Home Drive, for example. |
| |
| **Important Note** | **Important Note** |
| |
| * If you **remove your own permissions**, you will no longer be able to restore them even if you were the original owner of the object. This worked in previous versions of IRODS, but was removed in later updates. | * If you **remove your own permissions**, you will no longer be able to restore them even if you were the original owner of the object. This worked in previous versions of iRODS, but was removed in later updates. |
| * While 'write' permissions allow to create new objects and modify existing ones, it does **not allow** for the deletion of objects nor to rename them. The reason why renaming is blocked for the write permission is because iRODS handles renaming as creating a new object with the new name and deleting the old object. As such, renaming is a sort of deletion. | * While 'write' permissions allow the creation of new objects and the modification of existing ones, it does **not allow** for the deletion of objects nor the renaming of them. The reason why renaming is blocked for the write permission is that iRODS handles renaming as creating a new object with the new name and deleting the old object. As such, renaming is a sort of deletion. |
| |
| ===== Permission Inheritance ===== | ===== Permission Inheritance ===== |
| $ icp -r folder_test /rug/home/Test_Team/folder_with_inheritance | $ icp -r folder_test /rug/home/Test_Team/folder_with_inheritance |
| |
| # Checking the permission shows that the permission of the parent folder are applied/inherited. Reason: Copy counts as new data --> Inheritance is applied. | # Checking the permission shows that the permission of the parent folder are applied/inherited. Reason: Copy counts as new |
| | data --> Inheritance is applied. |
| $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test | $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test |
| /rug/home/Test_Team/folder_with_inheritance/folder_test: | /rug/home/Test_Team/folder_with_inheritance/folder_test: |
| Inheritance - Disabled | Inheritance - Disabled |
| |
| # The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder | # The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder. |
| $ iput test.txt /rug/home/Test_Team/folder_without_inheritance | $ iput test.txt /rug/home/Test_Team/folder_without_inheritance |
| |
| # See the 'ACL' entry to verify the permission level of 'rdms-testers' | # See the 'ACL' entry to verify the permission level of 'rdms-testers'. |
| # Permissions on the newly uploaded file show that it only has one permission: own for the uploading user | # Permissions on the newly uploaded file show that it only has one permission: 'own' for the uploading user (creator). |
| $ ils -A /rug/home/Test_Team/folder_without_inheritance/test.txt | $ ils -A /rug/home/Test_Team/folder_without_inheritance/test.txt |
| /rug/home/Test_Team/folder_without_inheritance/test.txt | /rug/home/Test_Team/folder_without_inheritance/test.txt |