Permissions

In the Beta 4.2 release of OMERO, the permissions system has been re-enabled to allow users to share data, after having been disabled in earlier releases to prevent inappropriate access.

Overview

A user may belong to one or more groups, and the data in a group may at most be shared with users in the same group on the same OMERO server. The degree to which their data is available to other members of the group depends on the permissions settings for that group. Whenever a user logs on to an OMERO server, they are connected under one of their groups. All data they import and any work they do is assigned to the current group and cannot be moved to another group.

Groups must be created by the server administrator. Users can then be added by the admin or by a group 'owner' assigned by the admin. This would typically be the PI of the lab. The group owners or server admin can also choose the permission level for that group.

An example (see image)

In this lab, all the lab members are in a group called "Smith-Lab", with the owner being the lab PI. The permissions on this group would reflect the culture of that particular lab (see below). In this case it is Read-only. Two other groups have been created to allow scientists to collaborate on particular work. One of these contains only members of the Smith lab, while the other contains collaborators from another lab. These collaborators would only be able to see the data in the "APC" group, not any of the other work from the Smith lab. As mentioned above, there is no limit on the number of groups or the number of members in a group. This allows a lab or institution to configure a solution that suits them.

Permission Levels

The various permission levels are:

  • Private: All data in this group is only visible to the user who owns it and the group owners. The group owner can view the data for other group members but not make any edits (same as read-only behaviour).

  • Collaborative - Read-only: Users in groups with this permission setting can view each other's data, but cannot edit or annotate another user's data. You can view another user's images but not comment, rate or tag their images.

  • Collaborative: Users in a collaborative group can view and annotate the data belonging to other users. You can tag another user's images or use their tags to annotate your own images. You can add comments to their images and save your own rendering settings for each image. However, you cannot edit the names of their images, projects, datasets, tags etc.

Changing Permissions

It is possible for the group owner or server admin to change the permissions level on a group after it has been created and populated with data, with the following limitations:

  • It is not possible to 'reduce' permissions to 'Private'. Once links have been created in the database under 'Collaborative' (or Collaborative - Read-only) permissions, these cannot be severed. However, it is possible to 'promote' a Private group to Collaborative or Read-only permissions.
  • It is possible to toggle permissions of a group between collaborative and collaborative-'read only'. Known Issue: If a user annotates another user's data in a collaborative group, they may still be able to delete these annotations after the group is changed to 'read-only'.

Collaborative permissions

Here is a more detailed list of what you can and can't do in a collaborative group. Some of these policies may evolve as the permissions functionality matures in response to user feedback. Please let us know any comments or suggestions you have.

CAN DO:

  • Tagging:

    • You can add your tags to your images or another user's images
    • You can add another user's tags to your images, their images or another user's images
    • You can remove tags that you have added
  • Comments:

    • You can add comments to your images or another user's images
  • Rendering settings:

    • You can apply and save your own rendering settings to another user's images
    • This will not affect their rendering settings on their images

CANNOT DO:

  • You can't edit another user's Project, Dataset or Image names or descriptions

  • You can't remove Images from another user's Dataset, or remove Datasets (resp. Plate) from Projects (resp. Screen).

  • You can't add Images to another user's Dataset, or add Dataset (resp. Plate) to Project (resp. Screen)

  • You can't delete anything that belongs to another user

  • Tagging:

    • You can't remove a tag that another user has added, even if it is your tag on your own image
    • You can't edit another user's tag names or descriptions
  • Comments:

    • You can't edit any comments on any images. Comments are a historical record (same for all permissions levels).
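
The rules above can be written down as a small reference model to check expected outcomes against when testing a deployment. This is an added example, not OMERO code or API: the class and function names, the action names and the user names are hypothetical, and it assumes group owners get no rights over other users' data beyond the view access the page states for Private groups.

```python
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    PRIVATE = "Private"
    READ_ONLY = "Collaborative - Read-only"
    COLLABORATIVE = "Collaborative"

@dataclass(frozen=True)
class Group:
    name: str
    level: Level
    members: frozenset
    owners: frozenset = frozenset()

@dataclass(frozen=True)
class Obj:
    """An image, dataset, project, tag, or a tag-to-image link."""
    owner: str
    group: str

def allowed(user, action, obj, group):
    """Decide 'view', 'annotate', 'edit' or 'delete' on obj for user."""
    if obj.group != group.name or user not in (group.members | group.owners):
        return False  # data is only ever shared inside its own group
    if user == obj.owner:
        return True   # assumption: special cases for own tags/comments not modelled
    if action == "view":
        return group.level is not Level.PRIVATE or user in group.owners
    if action == "annotate":
        return group.level is Level.COLLABORATIVE
    return False      # editing or deleting another user's data is never allowed

def can_change_level(current, new):
    """A group can be promoted from Private but never reduced back to it."""
    return new is not Level.PRIVATE or current is Level.PRIVATE

# Constructed sample data: user names are hypothetical; group names follow
# the page's example.
smith = Group("Smith-Lab", Level.READ_ONLY, frozenset({"alice", "bob"}),
              frozenset({"pi"}))
apc = Group("APC", Level.COLLABORATIVE, frozenset({"alice", "carol"}))
image = Obj(owner="alice", group="APC")
# carol tagged alice's image, so carol (not alice) owns the link
tag_link = Obj(owner="carol", group="APC")
```

Treating the tag-to-image link as an object owned by whoever added it reproduces the rule that you cannot remove a tag another user added, even on your own image. In this model that user can still delete the link after the group is toggled to read-only, which matches the outcome described in the Known Issue above.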

Deleting

Deleting has been revamped in the OMERO 4.2.1 release, changing the behavior with respect to permissions. Previously in the 4.2 release it was not possible to delete anything that had another user's annotations on it (since you couldn't remove them).

The new delete service in OMERO 4.2.1 allows you to delete your Images etc. even if they have been annotated by another user. However, you are not allowed to delete your own Tags that have been used by another user. This is because another user may have spent considerable effort tagging their own images with your Tags, and this work would be lost if you were allowed to delete them.

Known Issue: if the owner of the tag is also an owner of the group, they will be able to delete their tag, even if others have used it.

As with other aspects of the permissions system, these rules are subject to evaluation and may evolve depending on feedback from the community. Please let us know if you have an opinion on these matters.

For more information on the new delete functionality, please see the Delete page.