
Data Access Control

Last updated on 13-Mar-2018 by Thomas P. Boesen

Once you have access to a Scifeon system, you can get access to specific data based on four different criteria:

  • Department based: You can see any data owned by the departments that you have access to, including un-published result sets.
  • Project based: You can see data for specific types of entities if you have access to the project they are associated with, even if you don't have access to the department where they originate.
  • User based: Some data are available only to the single user who owns the data; this is generally data related to Scifeon usage, e.g. notification-subscriptions and other preferences.
  • Admin: A few data are available only to admin users, such as access rights management.

Write Access

When you create new primary entities, they will be associated with your own department by default. If you want to assign ownership to another department, you can do so if you have write access to that department.

You can upload result sets and associated result entities for experiments associated with departments that you have write access to. If the experiment is associated with one or more projects, you can only upload results if you also have project access.

Department Based

All primary entities (e.g. experiments, samples, result sets, variants) in Scifeon belong to a single department. Individual users can be granted access to read or modify data from one or more departments. By default, a user has read & modify rights to data from the department they belong to.

Project Based

Note: Project based access control is not part of release 1.0, but will be added in 2016 Q4

In addition to the department based data access rights, individual users can be granted access to data from specific projects. Project based access is read only.

These entities can each be associated with one or more projects:

  • Antibody chains
  • Experiments
  • Plasmids
  • Result sets (only visible outside the department once published)
  • Sequences (DNA/protein)
  • Variants

Other entities can also be accessed through project access rights:

  • Steps through their experiment
  • Results of various classes based on their result sets
  • Batches based on their variants
  • Samples based on their content, e.g. variant or plasmid ???
  • Sequence annotations through their sequences
  • Comments based on the entity they are associated with

Under consideration: Should individual results be invisible within the department unless the user has project access ???

Take a look at the access control example page for an example of how these rules apply.

Default Ownership of Data

When you register new data in Scifeon, they will generally be assigned to your own department (this association can be changed at any time).

A few entities will instead be associated with the department of a kind of "owner entity":

  • Steps will be owned by the same department as the experiment that they are part of
  • Any step products (samples, result sets etc.) are owned by the same department as the step
  • Samples in plates are owned by the same department as the plate

When you register a result set, it will by default inherit the project association from the experiment. You can change this association at any time.

Information available when no access rights:

Even if you don't have access to a specific data entity in Scifeon, you can still see that it exists if you search for it or in various relevant pages. You can see the following information about entities that you don't have access to:

  • ID
  • Name
  • Owner department / user
  • Class and type
  • Status

This applies to primary entities, including result sets, but not to result entities which are only available based on the project association of the owning result set.

When you browse data using the general entity list pages, you will not see the entities that are inaccessible with your current access rights.
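
The department, project and no-access rules above, sketched as a single decision function. This is an added example, not Scifeon code: the class and function names, the entity kind strings, and the reading that access to any one of an experiment's projects is enough to upload results are assumptions. Entities reached indirectly (steps, samples, comments) and the user based and admin criteria are left out.

```python
from dataclasses import dataclass, field
from enum import Enum

class Level(Enum):
    METADATA = 1  # ID, name, owner, class/type and status only
    READ = 2
    WRITE = 3

@dataclass
class User:
    read_depts: set = field(default_factory=set)
    write_depts: set = field(default_factory=set)
    projects: set = field(default_factory=set)

@dataclass
class Entity:
    kind: str
    department: str
    projects: set = field(default_factory=set)
    published: bool = True  # only meaningful for result sets

# Entity types the page lists as directly associable with projects (kind names assumed).
PROJECT_LINKED = {"antibody_chain", "experiment", "plasmid",
                  "resultset", "sequence", "variant"}

def access_level(user, entity):
    """Highest access a user has to a primary entity."""
    if entity.department in user.write_depts:
        return Level.WRITE
    if entity.department in user.read_depts:
        return Level.READ  # department access includes unpublished result sets
    shared = entity.kind in PROJECT_LINKED and bool(entity.projects & user.projects)
    # Result sets are only visible outside the department once published.
    if shared and (entity.kind != "resultset" or entity.published):
        return Level.READ  # project based access is read only
    return Level.METADATA  # the entity's existence is still visible

def can_upload_results(user, experiment):
    """Upload needs department write access, plus project access if projects are set."""
    if experiment.department not in user.write_depts:
        return False
    return not experiment.projects or bool(experiment.projects & user.projects)

if __name__ == "__main__":
    # Constructed sample data: a user from another department who shares project P1.
    outsider = User(read_depts={"bio"}, write_depts={"bio"}, projects={"P1"})
    draft = Entity("resultset", "chem", {"P1"}, published=False)
    final = Entity("resultset", "chem", {"P1"}, published=True)
    print(access_level(outsider, draft), access_level(outsider, final))
```
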

Virtual Departments

It may sometimes be useful to create "virtual departments" in Scifeon, i.e. departments that don't exist as actual departments in your organization. Three examples of where this may be useful are managing access to shared resources such as storage systems, limiting access to highly confidential projects, and managing access to customer data.

Shared Resources

If you have resources such as storage systems or specific laboratory instruments that are shared between departments, you can manage access to data about these systems by assigning them to specifically created "virtual departments" and granting access to these departments to all the users that need it.

Highly Confidential Projects

If your organization runs projects where data should not be shared freely within departments, you can create "virtual departments" to own the data for these projects.

Customer Projects

In the same way as for highly confidential projects, results and other data related to work done for individual customers can be managed by creating either projects or "virtual departments" representing individual customers.

Administration & Customization

You can find information about administration of user access rights on this page.

You can find guides on managing access to custom database views here.