Rework permissions structure
We need to define a permissions structure for controlling superevent actions, as well as upgrade the old one for events. Here is a proposal for how to define this structure going forward.
Update (6 Sept 2018): this issue is no longer going to cover redoing the events permission structure; it will only focus on creating the superevents permission structure.

| Action | Allowed users | Notes |
|---|---|---|
| create event | Specific LVK users only | Currently allowed for pipeline accounts and specific users; remove individual users? |
| create test event | All LVK users | |
| create superevent | emfollow/superevent manager | |
| create test superevent | All LVK users | |
| create MDC superevent | emfollow/superevent manager | |
| update/replace event | Only the user who originally submitted the event | Or should it be anyone who is allowed to submit events for the given pipeline? |
| update/replace test event | All LVK users | |
| update superevent | emfollow/superevent manager | Applies to production and MDC superevents |
| update test superevent | All LVK users | |
| add/remove event from superevent | emfollow/superevent manager | Production and MDC |
| add/remove event from test superevent | All LVK users | |
| confirm superevent as GW | Some special people | Should emfollow/superevent manager be on this list? |
| confirm test superevent as GW | All LVK members | |
| confirm MDC superevent as GW | emfollow/superevent manager | |
| add log message/file | All LVK (all events/superevents); LV-EM (only exposed events/superevents) | Not allowed for public users (?) |
| tag log message/file | All LVK (all event/superevent logs) | Not allowed for LV-EM or public |
| untag log message/file | All LVK (all event/superevent logs) | Not allowed for LV-EM or public |
| add label | Specific LVK members can add specific labels | Needs some thought and a finalized list of labels to define this |
| remove label | Specific LVK members can remove the same specific labels | |
| create voevent | emfollow | Are others needed? |
| create emobservation | All LVK (all events/superevents) and all LV-EM (all exposed events/superevents) | This is a little weird because as far as I know, only LV-EM people should be uploading EM observations |
| add/update/remove operator signoff | LVK members in control rooms | Control room groups controlled by IP address |
| add/update/remove advocate signoff | LVK members in em_advocates group | |
| view event | All LVK (all events/superevents); LV-EM/Public (exposed events/superevents? Or just superevents?) | Applies equally to production and test events. Note to self: need to consider event subtypes and permissions on those as well |
| view logs | All LVK (all event/superevent logs); LV-EM/Public (exposed logs only) | Logs will be exposed via a tag ('lv-em' or 'public'); files associated with exposed logs will also be exposed |
| view voevents | All LVK (all voevents); not sure about LV-EM or public | Currently, all VOEvents are viewable to anyone who can view the event |
| view emobservations | All LVK (all emobservations); not sure about LV-EM or public | Currently, all EMObservations are viewable to anyone who can view the event |

- Who can add/remove which labels? Or should all LVK users be able to add/remove all labels?
- Who can expose/hide events and superevents?
- Who can expose/hide logs with the 'lv-em' and 'public' tags?
- Does exposing a superevent to external users mean that we should expose all of the individual events as well?
- Who can confirm superevents as GWs?
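
The superevent rows and the log-exposure rule from the table above, sketched as a deny-by-default check. This is an added example, not part of the original issue or GraceDB's own code; the group names, category strings and function names are assumptions, and rows the proposal leaves open are simply not granted.

```python
# Added example, not GraceDB code. Group names, categories and function
# names are assumptions made for illustration.
from dataclasses import dataclass

LVK, LV_EM = "lvk", "lv-em"
MANAGER = "superevent_manager"  # stands in for "emfollow/superevent manager"

# (action, superevent category) -> required group. Missing keys are denied.
RULES = {}
for _action in ("create", "update", "add_event", "remove_event"):
    RULES[(_action, "production")] = MANAGER
    RULES[(_action, "mdc")] = MANAGER
    RULES[(_action, "test")] = LVK
RULES[("confirm_gw", "test")] = LVK
RULES[("confirm_gw", "mdc")] = MANAGER
# ("confirm_gw", "production") is absent on purpose: the proposal leaves it open.

@dataclass(frozen=True)
class Log:
    comment: str
    tags: frozenset = frozenset()
    filename: str = ""

def can(groups, action, category):
    """Deny by default: allow only if a rule exists and the user is in its group."""
    required = RULES.get((action, category))
    return required is not None and required in groups

def visible_logs(groups, logs):
    """LVK sees every log; everyone else sees only logs exposed by tag."""
    if LVK in groups:
        return list(logs)
    # Assumption: 'public' logs are visible to all, 'lv-em' logs to LV-EM only.
    allowed = {"public"} | ({"lv-em"} if LV_EM in groups else set())
    return [log for log in logs if log.tags & allowed]

def visible_files(groups, logs):
    """Files are reachable only through a log the viewer is allowed to see."""
    return [log.filename for log in visible_logs(groups, logs) if log.filename]

# Constructed sample data.
SAMPLE_LOGS = [
    Log("internal analysis note", frozenset(), "internal.txt"),
    Log("sky map for partners", frozenset({"lv-em"}), "skymap.fits"),
    Log("public announcement", frozenset({"public"}), "notice.txt"),
]
```

Keeping undecided rows out of the rule map means an unanswered question fails closed instead of silently inheriting a neighbouring rule.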