Users created with no roles, cannot use UI

[ajs6f]

I have a new Dataverse install (4.8.3) and when users are created (by signing themselves) up, they have no roles. I understand from https://github.com/IQSS/dataverse/issues/4475 that this is normal, but when these users try to do anything in Dataverse, they get the message:

Sorry, nothing was found for these roles: Admin, File Downloader, Dataverse + Dataset Creator, Dataverse Creator, Dataset Creator, Contributor, Curator, Member

and cannot use the UI further.

I'm not sure if this is normal (in which case a much better error message and documentation would be the outcome of this ticket) or not.

What is worse, because I (the admin) have no way (that I know of) to adjust user roles short of learning the Dataverse API, I have no way to correct the situation short of learning some of the API just to evaluate the product. If there are settings to configure the default roles with which a new user is equipped, I could not find them in the installation documents, where I should think they would be featured prominently.

I'm not sure what else might be relevant about this install for this ticket, but I am happy to supply any further information that would be useful.

[pdurbin]

@ajs6f thanks for the feedback. You don't need to learn any APIs to correct the situation. At http://guides.dataverse.org/en/4.8.5/installation/config.html#root-dataverse-permissions (or 4.8.3) the following step appears:

In order for non-superusers to start creating dataverses or datasets, you need click “Edit” then “Permissions” and make choices about which users can add dataverses or datasets within the root dataverse.

I'm sure there are improvements we could make. Do you have any suggestions for us? Should the documentation be improved? Should someone installing Dataverse have a different user experience? Should they see something different in the UI I mean? Should end users have a different experience when they log in? (It sounds like "yes", given your comments above.) Should they be guided to where in the hierarchy of dataverses (if any) they are permitted to add data? Or if they don't have any permission at all, should it be suggested to them that they contact someone?

Another thought is that the installer prompt the person installing Dataverse whether they want users to be able to add data or not. Right now it conservatively doesn't give any users any permission to add data, leaving the choice up to the superuser who installed Dataverse.

[ajs6f]

@pdurbin Thanks for staying with this problem, even on the weekend. Unfortunately, when I go to that permissions-manage.xhtml?id=1 page, none of the users who have signed up (who are all visible at dashboard-users.xhtml) are present, only the admin account. I'm not sure what that means or what can be done about it.

As for the other questions you are asking, yes-es are indeed the answers to most, but only for me, so to speak. As I noted elsewhere, part of the problem here is that I'm not installing Dataverse to use it-- I'm installing it so that my institution can evaluate it. So the quickest path to the simplest setup that will allow a few users to upload data and play with it is all I want. That's a distinct use case, and it's not necessarily a good one on which to base defaults for full installs. I'll open a new ticket to discuss specifically the idea of a "easy 1-2-3 packaged evaluation install" and what's more, I'll even try to come up with a better name for it.

[pameyer]

@ajs6f - Not to discourage installing dataverse for institutional evaluation (that's something I did); but I'm curious if there are reasons for using a local installation instead of https://demo.dataverse.org.

[ajs6f]

@pameyer: Firstly (and this is a more minor point) because the "headline" (so to speak) on that page is:

This Dataverse is for demo purposes only. To deposit actual datasets please visit dataverse.harvard.edu.

but depositing actual datasets is certainly one thing that we are trying to test. More importantly, the ease with which an install (of any kind) can be administered and the possibilities for integration with our larger ecosystem are both important parts of evaluation. This very ticket discusses an issue that (it seems to me) would only arise while administering an instance.

If there's an easier way, I'm all 👂s. But since there is (again, to my current understanding, and I'm happy to learn otherwise) no option for a hosted Dataverse site, it seems necessary for us to do some level of install to get a genuine evaluation.

[pdurbin]

Unfortunately, when I go to that permissions-manage.xhtml?id=1 page, none of the users who have signed up (who are all visible at dashboard-users.xhtml) are present, only the admin account.

@ajs6f To see the users you added you need to expand "User/Groups" and the click "Assign Roles to Users/Groups" and then autocomplete a name (such as "Fiona Finch" in the example below. I'm putting some screenshots below. (Note that below I'm making use of the :authenticated-users group.) Does this help?

[ajs6f]

Firstly, @pdurbin, I want to thank you for staying with these tickets in such a professional manner. Whatever my opinion of the Dataverse software may end up being, I am developing a very good opinion of the Dataverse project.

That having been said, I'm afraid I can't use your advice above quite entirely, because my equivalent screens don't show the same info. Here is a shot of my equivalent to your second screen:

I was able to try to assign some roles to one of our users. But the role of interest (dataset creator) resulted in the message:

Error – Dataset Creator role could NOT be assigned to Keri Thompson for Root. If you believe this is an error, please contact Root Support for assistance.

However, the role seems to be assigned anyway? The logs show a org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "unq_roleassignment_0" which seems rather surprising. In any event, I will try to get some of our users to test their experience after they have been assigned roles, hopefully later this morning.

[pdurbin]

@ajs6f thank you for your kind words.

That's a strange error. I wonder if you're suffering from #1503 or some other issue. If the role was assigned, you should be able to see it in the UI. Very strange.

We're always fixing bug so you could, of course, upgrade to the latest version of Dataverse. I don't remember a specific fix for the issue you're describing, however. Good luck with your evaluation. Please keep sending feedback our way.

[pdurbin]

@ajs6f me again. Once thing I'm confused about is if you can see your users have been assigned roles. For example, in the screenshot below, you'll see the following users:

• Fiona Finch
• Sabina Spruce
• Wilbur Wren

Can you please confirm if you can see users in the list after you've given them a role? Thanks.

[ajs6f]

In reverse order:

2. Yes, I can see the roles once assigned.
1. That (#1503) sounds extremely plausible, and it would explain the error in the logs (showing an attempt at constraint violation).

I should add that because the autocomplete-related part of your advice worked fine (sorry for the awkward phrasing) I was able to get a user off and running, and since I gave her the admin role, she has been able "bootstrap" other users. This means that we are able to move forward again with our evaluation, so thank you @pdurbin!

As far as goes this ticket, I think we have two or three ways to slice it:

1. For my money, setting the default on install such that any new user can take no action is unhelpful for a large class of installs. On the other hand, I can clearly see that setting it to be more permissive could be quite dangerous for many installs. I suspect that this is actually a different issue "hiding" inside: there is only one way to install, but several use cases for installation (evaluation, development, production, et al.).
2. I'm not sure why my install did not and does not feature the same groups as does your example (the authenticated-users group is, as you see from my screenshot above, not present). This might be a real bug, or something odd about my example.
3. The ability to assign roles to users is (to my eye) a bit hard to get to and use, because it seems (if I understand what is happening) you must use autocomplete (no entry in the list) for users with no roles. IOW, if a user has no roles, she doesn't appear in the list of users/groups. This is entirely a UI issue. I suppose that this ticket could then be refined to "Make sure users with no roles appear in the list of users for managing permissions." if you see what I mean. Or, alternatively, if it is the case that such users normally do appear in that list, we have again a possible bug or a possible oddity in our particular install.

I hope that clarifies what I'm seeing?

[pdurbin]

@ajs6f Phew! I'm glad you can see the assigned roles. That would be a pretty terrible bug if you couldn't.

I'm glad to hear your evaluation is able to proceed. If you feel like it, you can tell me which organization you're from and I can add you to an internal list of trial installations. No pressure. Up to you. We just use this list to follow up sometimes.

I like the idea of different installation modes. As you mentioned, developers have very different needs that production installations and I've already mentioned in our dev guide that we'd like to someday add a dev mode to the installer: http://guides.dataverse.org/en/4.8.5/developers/testing.html#getting-set-up-to-run-rest-assured-tests

I can imagine an evaluation mode as well, I suppose.

I think you should see :authenticated-users if you click "Edit Access" and choose whichever option allows all users to add datasets or dataverses. I add this access with a script but the effect should be the same. This is not the default setting. It's something I do so that I can run our API test suite against my laptop. But it's a valid configuration as well.

You're right that you must use autocomplete to find a user before adding that user to a role. Even if the user already has a role I think you need to use the autocomplete if you want to add a second role (which would be unusual). I'm reading between the lines of what you wrote and it sounds you don't like the autocomplete so much and you would prefer to select users from a list. Is that right? That might work fine with a small list of users but there is at least one installation of Dataverse with 14,000+ users so there are UI implications for selecting a user from such a long list. Anyway, I don't mean to put words in your mouth. Please keep the feedback coming and I apologize if I'm misunderstanding you. Also, please feel free to edit the subject of this issue.

[ajs6f]

Yes, I think the real underlying tension here is simply "one way to install" vs. "several reasons to install". That's not a single ticket issue.

I certainly didn't mean to be mysterious about my org: it's the Smithsonian Institution. You are more than welcome to keep track of that for future contact or any other reason. We'll be evaluating DV (and several other products) over the course of the spring.

I understand that throwing all the users into a giant list that then has to load isn't a plausible UI tactic. But there are also some pretty well-known ameliorative measures: paging, for example. My point was not to get access to every user from a list (or other widget besides autocomplete). It is to avoid giving new users the experience I had: knowing that several users have signed up, seeing them on other list screens (e.g. dashboard-users.xhtml), but seeing a blank panel in the permissions-manage.xhtml?id=1 page. That was very confusing and discomfiting. What I'm looking for here is some kind of sign or feedback that shows admins that there are users recorded and that permissions can be assigned to them. It might start with nothing more than a static text saying "Users with no roles can be assigned them via the autocomplete box above." or the like, but actual users shown would be better.

[pdurbin]

@ajs6f thanks. Added. Since you're evaluating various products you might be interested in our "Comparative Review of Various Data Repositories" at https://dataverse.org/blog/comparative-review-various-data-repositories

I heard you about being confused. As a superuser, one thing you should be able to see from the "Manage Users" dashboard is that as users start to accumulate roles, they will appear in the "Roles" column, like this:

This doesn't help the admins though. They don't have access to that dashboard unless you make them a superuser. You're right. I'm agreeing with you.

[pdurbin]

@ajs6f it's getting somewhat dated (Fall 2016) but as you evaluate Dataverse you might be interested the "Texas Digital Library Dataverse Implementation Working Group Final Report" at http://hdl.handle.net/2249.1/76364 which includes a usability study of Dataverse. See also some discussion at https://groups.google.com/d/msg/dataverse-community/eQlSLFgzQXI/5ONaOr_ACAAJ

[ajs6f]

Thanks very much, @pdurbin -- I'll certainly forward this to the folks here who should see it.

[pdurbin]

@ajs6f thanks. Any more thoughts on this issue? I'm sort of looking for a "definition of done" so we can estimate the issue (give it a "size" in https://waffle.io/IQSS/dataverse ), if you're still interested. Thanks.

[ajs6f]

@pdurbin:

As I wrote above:

What I'm looking for here is some kind of sign or feedback that shows admins that there are users recorded and that permissions can be assigned to them. It might start with nothing more than a static text saying "Users with no roles can be assigned them via the autocomplete box above." or the like, but actual users shown would be better.

As long as new admins look at that screen and clearly and immediately know that there are users to manage and how to add roles to them, the problem I had won't happen again. That could happen via any number of different visual cues, but I'm no designer. I also don't know what your resources are, so I'm not inclined to make a more concrete suggestion.

[pdurbin]

@ajs6f thanks! @mheppler recently emailed me a list of issues related to permissions (#2178 #2641 #2655 #3450 #3686 #3726 #3978 #4287 #4435) and I just emailed him back asking him to look at this issue and your most recent comment as well. Please be advised that he just left for vacation. Thanks for your patience and feedback!

[syats]

Since this issue is still open and I have run into it.. may I suggest an improvement:

Add a "default permissions for new users" setting, which also includes users from external Auth systems.

The way I see it currently, for a user to be able to upload things, admin users are required to take action, which might not be the best in a scenario of the sort "I want all users in my institutions OAuth system to be able to (at least) navigate this and that dataverse.

Thanks, V.

[pdurbin]

@syats probably what you're seeing is that the root dataverse isn't published. Maybe the root dataverse should always be published. (And maybe there could be a setting to not publish it if you really don't like that.)

Once the root dataverse (and perhaps other dataverses) have been published, users can at least navigate around, like you said. As for a setting for new users, it's scriptable, at least. In order for our test suite to run we let any user create datasets and dataverses in the root dataverse. Here's a curl command that does this:

• https://github.com/IQSS/dataverse/blob/v4.20/scripts/search/tests/grant-authusers-add-on-root
• https://github.com/IQSS/dataverse-ansible/blob/bbb0cbf8e424766800999150f64637cd7eaffd2e/tasks/custom_sampledata.yml#L26-L33

[pdurbin]

but I'm no designer

Me neither. @ajs6f @syats or anyone following this issue, what's you're latest thinking on how to improve the situation?

Are you still interested in this issue?

I think might be too influenced by how the software was designed to be used. That is, the person setting up Dataverse should:

• decide if users and groups can deposit datasets or collections (or both) in the root collection without any special permissions
• if they decided the root is off limits to random users, decide what collections to create and what users and groups can created datasets or collections in those collections

The first point about the root collection is documented, at least: https://guides.dataverse.org/en/5.12/installation/config.html#root-dataverse-collection-permissions

[pdurbin]

Related: https://dataverse.zulipchat.com/#narrow/stream/378866-troubleshooting/topic/default.20user.20roles/near/405306730

[cmbz]

To focus on the most important features and bugs, we are closing issues created before 2020 (version 5.0) that are not new feature requests with the label 'Type: Feature'.

If you created this issue and you feel the team should revisit this decision, please reopen the issue and leave a comment.