Rework permissions structure
We need to define a permissions structure for controlling superevent actions, as well as upgrade the old one for events. Here is a proposal for how to define this structure going forward.
Update (6 Sept 2018): this issue is no longer going to cover redoing the events permission structure; it will only focus on creating the superevents permission structure.
Creation
Action | Allowed users | Comments |
---|---|---|
create event | Specific LVK users only | Currently allowed for pipeline accounts and specific users; remove individual users? |
create test event | All LVK users | |
create superevent | emfollow/superevent manager | |
create test superevent | All LVK users | |
create MDC superevent | emfollow/superevent manager | |
Updates
Action | Allowed users | Comments |
---|---|---|
update/replace event | Only the user who originally submitted the event | Or should it be anyone who is allowed to submit events for the given pipeline? |
update/replace test event | All LVK users | |
update superevent | emfollow/superevent manager | Applies to production and MDC superevents |
update test superevent | All LVK users | |
add/remove event from superevent | emfollow/superevent manager | Production and MDC |
add/remove event from test superevent | All LVK users | |
confirm superevent as GW | Some special people | Should emfollow/superevent manager be on this list? |
confirm test superevent as GW | All LVK members | |
confirm MDC superevent as GW | emfollow/superevent manager | |
Annotations
Action | Allowed users | Comments |
---|---|---|
add log message/file | All LVK (all events/superevents); LV-EM (only exposed events/superevents) | Not allowed for public users (?) |
tag log message/file | All LVK (all event/superevent logs) | Not allowed for LV-EM or public |
untag log message/file | All LVK (all event/superevent logs) | Not allowed for LV-EM or public |
add label | Specific LVK members can add specific labels | Needs some thought and a finalized list of labels to define this |
remove label | Specific LVK members can remove the same specific labels | |
create voevent | emfollow | Are others needed? |
create emobservation | All LVK (all events/superevents) and all LV-EM (all exposed events/superevents) | This is a little weird because as far as I know, only LV-EM people should be uploading EM observations |
add/update/remove operator signoff | LVK members in control rooms | Control room groups controlled by IP address |
add/update/remove advocate signoff | LVK members in em_advocates group | |
Viewing
Action | Allowed users | Comments |
---|---|---|
view event | All LVK (all events/superevents); LV-EM/Public (exposed events/superevents? Or just superevents?) | Applies equally to production and test events. Note to self: need to consider event subtypes and permissions on those as well |
view logs | All LVK (all event/superevent logs); LV-EM/Public (exposed logs only) | Logs will be exposed via a tag ('lv-em' or 'public'); files associated with exposed logs will also be exposed |
view voevents | All LVK (all voevents); not sure about LV-EM or public | Currently, all VOEvents are viewable to anyone who can view the event |
view emobservations | All LVK (all emobservations); not sure about LV-EM or public | Currently, all EMObservations are viewable to anyone who can view the event |
Main questions
- Who can add/remove which labels? Or should all LVK users be able to add/remove all labels?
- Who can expose/hide events and superevents?
- Who can expose/hide logs with the 'lv-em' and 'public' tags?
- Does exposing a superevent to external users mean that we should expose all of the individual events as well?
- Who can confirm superevents as GWs?
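
The log-exposure rule from the Viewing table (logs exposed through the 'lv-em' or 'public' tag, with attached files following their log), sketched as a deny-by-default check. This is an added example, not GraceDB code: the class and audience names are hypothetical, and it assumes that LV-EM users also see 'public'-tagged logs and that the parent superevent must itself be exposed, both of which the proposal leaves open.

```python
from dataclasses import dataclass, field

# Tags that make a log visible to each non-LVK audience (assumed mapping;
# the tag names 'lv-em' and 'public' come from the proposal).
VISIBLE_TAGS = {"lv-em": {"lv-em", "public"}, "public": {"public"}}

@dataclass
class Log:
    comment: str
    tags: set = field(default_factory=set)
    filename: str = ""  # empty when the log has no attached file

@dataclass
class Superevent:
    superevent_id: str
    exposed_to: set = field(default_factory=set)  # audiences it is exposed to
    logs: list = field(default_factory=list)

def visible_logs(audience, superevent):
    """Return the logs of `superevent` that `audience` may view."""
    if audience == "lvk":
        return list(superevent.logs)  # LVK members see every log
    allowed = VISIBLE_TAGS.get(audience)
    # Deny by default: unknown audience, or superevent not exposed to it.
    if allowed is None or audience not in superevent.exposed_to:
        return []
    return [log for log in superevent.logs if log.tags & allowed]

def visible_files(audience, superevent):
    """Files are reachable only through a log the audience can view."""
    return [log.filename for log in visible_logs(audience, superevent) if log.filename]

# Constructed sample data, not real GraceDB records.
SAMPLE_LOGS = [
    Log("internal pipeline note", set(), "internal.txt"),
    Log("sky map for partners", {"lv-em"}, "skymap.fits"),
    Log("public notice", {"public"}, "notice.txt"),
]
EXPOSED = Superevent("S-EXAMPLE-1", {"lv-em", "public"}, SAMPLE_LOGS)
HIDDEN = Superevent("S-EXAMPLE-2", set(), SAMPLE_LOGS)

if __name__ == "__main__":
    for who in ("lvk", "lv-em", "public", "anonymous"):
        print(who, visible_files(who, EXPOSED), visible_files(who, HIDDEN))
```

Routing file access through `visible_logs` keeps a file from being served when its log is untagged or its superevent is hidden, even if the file name is known.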