geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

Restricting permissions assignments on groups used for publishing data. #8283

Open ianwallen opened 3 months ago

ianwallen commented 3 months ago

Is your feature request related to a problem? Please describe.

In GeoNetwork, editors are able to edit the permissions on metadata records and assign any permissions to any groups. The only groups that are not allowed are the reserved groups like All, Intranet and Guest and these are used internally for the publishing process.

User Case

We are in collaboration with "University A" and we would like to grant them access to some of our data. So we would create a group called "University A" and we would assign users from the university to "University A". Then we would grant the records that we want viewable by "University A". This all works as expected.

The problem: we don't want any data granted to "University A". We have lots of users using our system and we want to ensure that nobody assigns records to the "University A" group unless they are authorized. GN does not seem to restrict who can grant permissions to other groups; this is where we seem to have a problem.

Describe the solution you'd like

I would like to see the group and permissions UI modified so that we can identify the groups allowed to set permissions on other groups.

Proposal

A new publication_flag field is added to the group table, which would be used for indicating that normal editors cannot grant permissions to this group. This would be similar to the current publishing option for setting permissions for the All group. One difference is that it would not be reviewers from group "X" that would approve records being published to "University A". It would be reviewers from "University A" that would approve publishing requests to the "University A" group. So reviewers would be responsible for outgoing reviews for the All group (as it is now) and they would be responsible for incoming reviews for publishing requests to their groups (new). I'm guessing that we can use the same reviewer profile, but if needed we could create a new profile.

Changes required:

Describe alternatives you've considered

No other options considered...

Feedback

Looking for feedback from the community on whether this feature is of interest. Once we receive feedback, we may begin to work on PRs for this feature.

josegar74 commented 2 months ago

If I'm understanding the proposal correctly, the groups will have a new "publication" field (we need to check how to name it clearly), that if selected only reviewers will see the group in the privileges dialog, but not the editors.

It sounds fine to me, as long as the new flag naming is clear.

I'm thinking of another option, but maybe it is too restrictive: a new setting "Minimum user profile allowed to set metadata privileges", similar to the option "Minimum user profile allowed to import metadata" (see https://github.com/geonetwork/core-geonetwork/pull/6200). This option can have the value Editor by default, but it could be changed to Reviewer.

Let's check for additional feedback from @fxprunayre

ianwallen commented 2 months ago

@josegar74

The publication flag is used to indicate that only reviewers from the current group can decide if the records from another group are published to the current group, i.e. a user from group "X" wants to publish a record to users who have read access to group "University A". They would request to publish a record via the publishing UI to group "University A", which would start a review process for group "University A" reviewers to approve the request to grant permissions on group "University A".

If there are editors from "University A", they would be able to create records in "University A" like they can now but I would expect these records would not be visible until a reviewer approves the record. So editors from the group cannot set the publish permissions for the record belonging to that group. Maybe this is where the "Minimum user profile allowed to set metadata privileges" option could be used. This could allow editors of the group "University A" to also publish to their own group. If this is what you were referring to then yes this extra option could be a good enhancement as it could be used to indicate if editors can publish to their group. This could probably be a separate enhancement unrelated to this request but we can also make the changes as part of this request.

ianwallen commented 2 months ago

The proposed new publication flag is used to identify if users from other groups can assign metadata to the current group. In other words, we are looking to restrict who can publish to a specific group.

Currently only reviewers from the current group can decide what is published to the all group. For this case, at the moment we don't care who makes the request to publish. But what we want to avoid is users from other groups publishing their records to another group without a review process.

In this case we are looking for reviewers from the "University A" group to decide on what is published to the "University A" group. But we want to allow users from other groups to make a request for data from "Sample Group" to be published to "University A".

User Case

Minimum user profile allowed to set metadata

This seems like it could be an extra field that could be used to identify the level of users who could make a request to publish to the group, i.e. if we had the University A group set to allow reviewer to publish, then only users who are a reviewer for records group would be allowed to make a request to publish to the University A group. If this is what you were proposing, then yes, I like this option, and we can look at incorporating this as well.
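
The access rule discussed in this thread, modelled as an added example (not GeoNetwork code and not written by any participant): a group carrying the proposed publication_flag only receives records after its own reviewers approve, and a per-group minimum profile limits who may request. The names `min_request_profile`, `decide_grant`, `can_approve`, the simplified profile ordering and the rule that a target-group reviewer may grant directly are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Profile(IntEnum):
    # Simplified ordering; only the profiles the thread mentions.
    NONE = 0
    EDITOR = 1
    REVIEWER = 2


@dataclass
class Group:
    name: str
    publication_flag: bool = False                 # proposed field from the issue
    min_request_profile: Profile = Profile.EDITOR  # hypothetical per-group setting


@dataclass
class User:
    name: str
    profiles: dict = field(default_factory=dict)   # group name -> Profile

    def profile_in(self, group: Group) -> Profile:
        return self.profiles.get(group.name, Profile.NONE)


def can_approve(user: User, target: Group) -> bool:
    """Incoming requests are approved by reviewers of the target group."""
    return user.profile_in(target) >= Profile.REVIEWER


def decide_grant(user: User, record_group: Group, target: Group) -> str:
    """Outcome when `user` tries to grant `target` access to a record."""
    if user.profile_in(record_group) < Profile.EDITOR:
        return "DENY"                # cannot edit the record's privileges at all
    if not target.publication_flag:
        return "GRANT"               # current behaviour: any editor may grant
    if can_approve(user, target):
        return "GRANT"               # assumed: target-group reviewer grants directly
    if user.profile_in(record_group) >= target.min_request_profile:
        return "REVIEW_REQUIRED"     # queued for the target group's reviewers
    return "DENY"


# Constructed sample data using the group names from the thread.
sample = Group("Sample Group")
uni = Group("University A", publication_flag=True)
alice = User("alice", {"Sample Group": Profile.EDITOR})
carol = User("carol", {"Sample Group": Profile.EDITOR, "University A": Profile.REVIEWER})
```

The check has to run server-side on the privilege-saving path; hiding the group in the privileges dialog alone would not stop a crafted request.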