Default AIP permissions configuration

Default AIP permissions configuration

It is possible to change how AIP permissions are granted to users and groups when creating an AIP on the Web interface or when creating it via ingest. To do so, the following configurations must be changed in the roda-core.properties file.

1. If we wish to add a group as a super group that has full permissions when creating aip’s, we simply need add the following lines:

    # Admin users or groups so AIPs can be administered
       
    core.aip.default_permissions.admin.group[] = administrators
       
    core.aip.default_permissions.admin.group[].administrators.permission[] = READ
    core.aip.default_permissions.admin.group[].administrators.permission[] = UPDATE
    core.aip.default_permissions.admin.group[].administrators.permission[] = CREATE
    core.aip.default_permissions.admin.group[].administrators.permission[] = GRANT
    core.aip.default_permissions.admin.group[].administrators.permission[] = DELETE
   

   The lines above configure the administrators group. If we wanted to add a super user, for example, an admin user, we would do it like so:

    core.aip.default_permissions.admin.user[] = admin
      
    core.aip.default_permissions.admin.user[].admin.permission[] = READ
    core.aip.default_permissions.admin.user[].admin.permission[] = UPDATE
    core.aip.default_permissions.admin.user[].admin.permission[] = CREATE
    core.aip.default_permissions.admin.user[].admin.permission[] = GRANT
    core.aip.default_permissions.admin.user[].admin.permission[] = DELETE
   

   Finally, we can also add other groups, other than super groups. These are normal groups, and do not have full permissions.

    # Additional group permissions
    core.aip.default_permissions.group[] = archivists
    core.aip.default_permissions.group[] = producers
    core.aip.default_permissions.group[] = guests
       
    core.aip.default_permissions.group[].archivists.permission[] = READ
    core.aip.default_permissions.group[].archivists.permission[] = UPDATE
    core.aip.default_permissions.group[].archivists.permission[] = CREATE
       
    core.aip.default_permissions.group[].producers.permission[] = READ
       
    core.aip.default_permissions.group[].guests.permission[] = READ
   

2. A requirement might be that the user that created the AIP must belong to one of the groups defined on the configurations file and it has READ and UPDATE permissions at least. If the intersection is empty, or generally, if the set permission ends up not providing the user with at least READ and UPDATE permissions to the created AIP, then these permissions are loaded as the minimum permissions from the config file.

    # Intersect creator groups with the configuration groups
    core.aip.default_permissions.intersect_groups = true
   
    # System expects a minimum set of direct or indirect permissions for the creator (DO NOT CHANGE THIS!)
    core.aip.default_permissions.creator.minimum.permissions[] = UPDATE
    core.aip.default_permissions.creator.minimum.permissions[] = READ
   

By default, and to conform to legacy behaviour, the creator user is granted all permissions when creating an AIP.