cvat-ai / cvat

Annotate better with CVAT, the industry-leading data engine for machine learning. Used and trusted by teams at any scale, for data of any scale.
https://cvat.ai
MIT License

Implement Open Policy Agent rules for listing connected share data #4738

Open haimat opened 2 years ago

haimat commented 2 years ago

My actions before raising this issue

Expected Behaviour

We want to use CVAT for multiple projects, so that users may only annotate images and videos, but nothing else. In particular they must not be able to see data of other projects or the connected shares.

Current Behaviour

Currently in CVAT all users can create new tasks, and by doing so they can see all the data that is available via the connected shares or the local file system.

Possible Solution

It would be great to have a kind/type of user that is not allowed to create new tasks or see any tasks of other projects.

nmanovic commented 2 years ago

@haimat, users with 'worker' role cannot create tasks and projects: https://github.com/openvinotoolkit/cvat/blob/develop/cvat/apps/iam/rules/tasks.csv

haimat commented 2 years ago

> @haimat, users with 'worker' role cannot create tasks and projects: https://github.com/openvinotoolkit/cvat/blob/develop/cvat/apps/iam/rules/tasks.csv

@nmanovic Thanks for the info. These workers can, however, open the "new task" link and see the files on the connected shares. Would it be possible to hide both the "new task" and "new project" buttons/links, so that workers cannot even open these pages and see the files on the connected shares?

To elaborate on this: We want to use CVAT for our clients too, so that they can access their projects and tasks, but nothing else, ever. It should be some kind of "User A belongs to organization X and must never ever access any data from outside organization X".