This article is a detailed description of Rights Management in ONE DATA. For a more general introduction, check the User Roles and Rights article.
Introduction
ONE DATA offers various possibilities to manage the rights on available Resources such as Data Tables, Workflows, Credentials, Connections, etc. The rights are structured in a matrix that lets you set the following for every Resource: CREATE, READ, WRITE, EXECUTE, DELETE, and SHARE. This applies to normal users, not to viewer users.
Therefore, in this article, we provide you with detailed information about every matrix entry for every available Resource, which are the following:
- Credentials
- Connections
- Data Tables
- Models
- Workflows
- Workflow Jobs / Jobs
- Production Lines
- Schedules
- Reports
- Functions
General Information
Within the matrix there are also some configuration options that have no effect but are kept to ensure the integrity of the UI. We mark such options with an "(x)" in the respective tables below and, where necessary, explain why they are empty.
Furthermore, some rights depend on other rights: a right only takes full effect if the right it depends on is also set, or there are points to consider when setting it to true. Such cases are noted as "Dependency" directly in the row entry of the rights matrices below.
This article does not show relations to Apps directly, as this would clutter the matrices below. However, there is a separate article about Apps, their relation to the Rights Management, and how to set it up: How to Publish an App to Others.
Important Points for every Resource:
- If a Resource is deleted, it is deleted permanently and cannot be retrieved! If a shared Resource is deleted, the original Resource will be deleted as well! Be mindful of whom you give the right to delete Resources!
- The creator of a Resource, who is thereby the Resource's owner, always has full rights on it.
- If you have SHARE rights in Project A for a specific Resource, you need CREATE rights for the same Resource type in Project B to share a Resource from A to B. Also, if you are not the owner of the Resource, the Resource owner needs CREATE rights in Project B as well.
Credentials
Credentials | |
CREATE | A user can create new Credentials. |
READ | A user is able to see the existing Credentials in a Project and can open them to see their configuration (e.g. user name and the type of the Connection like "Oracle"). The user is not able to see the password though! The password is never visible, not even to the creator of the Credentials. Dependency: If a user wants to execute a Workflow containing Credentials, READ access on Credentials must be given to the user in order to make it work (and also EXECUTE rights for the Workflow must be given). |
WRITE | A user can alter the configuration of a Credentials Resource (name, user name, password, etc.) and save it. |
(x) EXECUTE | For Credentials, no EXECUTE rights are needed. |
DELETE | A user can delete Credentials. Please mind that deleted Credentials can never be restored again! |
SHARE | A user can share the reference to Credentials to another Project. Please mind that if a shared Resource gets deleted, the original one will be deleted, too! Dependency: A user needs CREATE rights on Credentials in the receiving Project for this to work. If this user is not the resource's owner, the respective owner also needs CREATE rights in the receiving Project. |
Connections
Connections | |
CREATE | A user can create new Connections. Dependency: Some Connections require Credentials; in this case the user needs READ rights on Credentials in order to see them in the configuration of the Connection. |
READ | A user is able to see the existing Connections in a Project and can open them to see their respective configurations. Dependency: If a user wants to execute a Workflow containing a Connection, READ access on Connections must be given to the user in order to make it work (and also EXECUTE rights for the Workflow must be given). Please note that if there is a Credential contained in the Connection, the user does not need READ rights on Credentials! |
WRITE | A user can alter the configuration of a Connections Resource and save it. |
(x) EXECUTE | For Connections, no EXECUTE rights are necessary. |
DELETE | A user can delete Connections in the Project. Please mind that deleted Connections can never be restored again! |
SHARE | A user can share Connections to another Project. Please mind that if a shared Resource gets deleted, the original one will be deleted, too! Dependency: A user needs CREATE rights on Connections in the receiving Project for this to work. If this user is not the resource's owner, the respective owner also needs CREATE rights in the receiving Project. |
Data Tables
Data Tables | |
CREATE | A user can create new Data Tables via the dialogues in the Data Table overview (e.g. CSV Upload), and via Workflows (important: only create, not alter - this is done via the WRITE right). |
READ | A user can display and open all Data Tables as well as see the content, statistics, or e.g. select them in a Workflow. Without READ rights, a user cannot successfully execute a Workflow in which the Data Table is used. |
WRITE | A user can alter a Data Table via the Data Table overview directly, and via Workflows (important: only alter, not create - if the Workflow is configured to create the Data Table if it is not existing yet, the user also needs CREATE rights or otherwise cannot create the initial Data Table). |
(x) EXECUTE | For Data Tables, no EXECUTE rights are necessary, as they are directly used by e.g. Workflows. |
DELETE | A user is allowed to delete a Data Table. This also applies to Data Tables that were shared from other projects. Please mind that removed Data Tables cannot be restored anymore! |
SHARE | The user can share a Data Table to another Project. Please mind that if a shared Resource gets deleted, the original one will be deleted, too! Dependency: A user needs CREATE rights on Data Tables in the receiving Project for this to work. If this user is not the resource's owner, the respective owner also needs CREATE rights in the receiving Project. |
Models
Models | |
CREATE | A user can create / upload new Models. Note that this right is necessary if the user is supposed to run a Workflow which creates a new initial Model. |
READ | A user can see existing Models in a Project. Dependency: Please note that READ and WRITE rights are also necessary for the execution of a Workflow that trains a Model. |
WRITE | A user can edit and save existing Models' information and can execute Workflows that save/alter the respective Model. |
EXECUTE | A user is allowed to use Models for execution (e.g. in a Workflow). |
DELETE | A user can delete Models. Please mind that removed Models cannot be restored anymore! |
SHARE | The user can share a Model to another Project. Please mind that if a shared Resource gets deleted, the original one will be deleted, too! Dependency: A user needs CREATE rights on Models in the receiving Project for this to work. If this user is not the resource's owner, the respective owner also needs CREATE rights in the receiving Project. |
Workflows
Workflows | |
CREATE | A user can create new Workflows. |
READ | A user can see existing Workflows in a Project. |
WRITE | A user can edit and save existing Workflows. |
EXECUTE | A user is allowed to execute Workflows. Dependency: Please note that if other Resources are included in a Workflow, e.g. the training of a Model, then also respective rights need to be given to the user executing the Workflow (in the example case, the READ and WRITE rights on Models). |
DELETE | A user can delete Workflows. Please mind that removed Workflows cannot be restored anymore! |
SHARE | The user can share a Workflow to another Project. Please mind that if a shared Resource gets deleted, the original one will be deleted, too! Dependency: A user needs CREATE rights on Workflows in the receiving Project for this to work. If this user is not the resource's owner, the respective owner also needs CREATE rights in the receiving Project. |
Workflow Jobs / Jobs
Workflow Jobs / Jobs | |
CREATE | Jobs are automatically created when a Workflow is executed, but when this right is given to a user, the Jobs they create are visible to other users. |
READ | A user can see all Jobs related to a Workflow. |
WRITE | A user can see and edit the metadata of others' Jobs (a user can otherwise only edit their own Jobs). |
(x) EXECUTE | For Jobs, no EXECUTE rights are necessary, as they are directly created via Workflows. |
(x) DELETE | Jobs cannot be deleted via the ONE DATA UI. |
(x) SHARE | Jobs cannot be shared directly - they are implicitly shared with a Workflow however. |
Production Lines
Production Lines | |
CREATE | A user can create new Production Lines. Dependency: The user should also have READ rights on Workflows in order to add them to Production Lines. |
READ | A user can see existing Production Lines. Dependency: A user can only see Production Lines for which they also have the READ right on the contained Workflows. |
WRITE | A user can edit and save existing Production Lines. |
EXECUTE | A user is allowed to execute Production Lines. Dependency: A user can only execute Production Lines if the rights to READ and EXECUTE the contained Workflows are also given. |
DELETE | A user can delete Production Lines. Please mind that removed Production Lines cannot be restored anymore! |
(x) SHARE | Production Lines cannot be shared. |
Schedules
Schedules | |
CREATE | A user can create new Schedules for both Workflows and Production Lines. |
READ | A user can see existing Schedules in a Project and their information. |
WRITE | A user can edit and save existing Schedules. Dependency: A user can only add Workflows and Production Lines to a Scheduler if the READ and EXECUTE rights are given on the respective Resource. |
(x) EXECUTE | Does not need to be set, as a Scheduler is not executed by the users themselves. |
DELETE | A user can delete Schedules. Please mind that removed Schedules cannot be restored anymore! |
(x) SHARE | Schedules cannot be shared. |
Reports
Reports | |
CREATE | A user can create new Reports. |
READ | A user can see existing Reports in a Project and their content. |
WRITE | A user can edit and save existing Reports. |
EXECUTE | A user can execute elements of the Report, e.g. a button for the execution of a Production Line. Dependency: The user also needs the READ and EXECUTE rights on the respective underlying Resource (in the example of a Production Line, the user must be allowed to both read and execute the Production Line and the Workflows it contains). |
DELETE | A user can delete Reports. Please mind that removed Reports cannot be restored anymore! |
SHARE | The user can share a Report to another Project. Please mind that if a shared Resource gets deleted, the original one will be deleted, too! Dependency: A user needs CREATE rights on Reports in the receiving Project for this to work. If this user is not the resource's owner, the respective owner also needs CREATE rights in the receiving Project. |
Functions
Functions | |
CREATE | A user can create new Functions. |
READ | A user can see existing Functions in a Project and their content. |
WRITE | A user can edit, save, and deploy existing Functions. |
EXECUTE | A user can execute / run a Function. |
DELETE | A user can delete Functions. Please mind that removed Functions cannot be restored anymore! |
(x) SHARE | Functions cannot be shared. |
Side note for Functions: A user requires READ, WRITE, and EXECUTE rights in order to implement Functions in Apps.
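
The dependency rules in the matrices above can be checked before a role is rolled out. The following is an added example, not ONE DATA code or a ONE DATA API: it models a user's rights per Project as a plain dictionary and reports which rights are missing for executing a Workflow, executing a Production Line, or sharing a Resource. The action names, function names, and the sample role are assumptions made for illustration, and the owner's implicit full rights are not modelled.

```python
# Added example: models the rules of this article; not ONE DATA code or API.
from typing import Dict, List, Optional, Set, Tuple

Grants = Dict[str, Set[str]]   # resource type -> rights a user holds in one Project
Need = Tuple[str, str]         # (resource type, right)
NOT_SHAREABLE = {"Jobs", "Production Lines", "Schedules", "Functions"}  # "(x) SHARE" rows

# Hypothetical action names -> rights the article lists for executing such a Workflow.
WORKFLOW_NEEDS: Dict[str, List[Need]] = {
    "uses_credentials": [("Credentials", "READ")],
    "uses_connection":  [("Connections", "READ")],  # contained Credentials need no READ
    "reads_table":      [("Data Tables", "READ")],
    "alters_table":     [("Data Tables", "WRITE")],
    "creates_table":    [("Data Tables", "CREATE")],
    "trains_model":     [("Models", "READ"), ("Models", "WRITE")],
    "creates_model":    [("Models", "CREATE")],
    "applies_model":    [("Models", "EXECUTE")],
}

def missing(grants: Grants, needs: List[Need]) -> List[Need]:
    """Return the needed (resource type, right) pairs the user does not hold."""
    return sorted({n for n in needs if n[1] not in grants.get(n[0], set())})

def workflow_gaps(grants: Grants, actions: Set[str]) -> List[Need]:
    needs = [("Workflows", "EXECUTE")]
    for action in actions:
        needs += WORKFLOW_NEEDS[action]
    return missing(grants, needs)

def production_line_gaps(grants: Grants) -> List[Need]:
    return missing(grants, [("Production Lines", "EXECUTE"),
                            ("Workflows", "READ"), ("Workflows", "EXECUTE")])

def share_gaps(resource: str, src: Grants, dst: Grants,
               owner_dst: Optional[Grants] = None) -> List[str]:
    """owner_dst: the owner's grants in the receiving Project when the sharer is not the owner."""
    if resource in NOT_SHAREABLE:
        return [f"{resource} cannot be shared"]
    gaps = []
    if "SHARE" not in src.get(resource, set()):
        gaps.append("sharer lacks SHARE in source Project")
    if "CREATE" not in dst.get(resource, set()):
        gaps.append("sharer lacks CREATE in receiving Project")
    if owner_dst is not None and "CREATE" not in owner_dst.get(resource, set()):
        gaps.append("owner lacks CREATE in receiving Project")
    return gaps

# Constructed sample role: may run Workflows and read Data Tables, nothing else.
ANALYST: Grants = {"Workflows": {"READ", "EXECUTE"}, "Data Tables": {"READ"}}
```

An empty result means the modelled dependencies are satisfied; any entry names a right that would make the corresponding EXECUTE or SHARE setting ineffective on its own.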