Permissions and User Groups

This page details how Workbench Permissions and User Groups are structured to provide User access to different endpoints and resources in Data Refinery Workbench. Permissions and User Groups ensure that users only have access to relevant resources.

Permissions

Permissions are used to determine if a user can call a secured API. These permissions are used throughout Workbench and allow the user to call certain endpoints or access specific resources. User permissions are combined, and a user’s access is determined by the highest level of permission granted.

Review the different permissions, based on endpoint, in the table below.

| Permission Name | Endpoint | GET | PUT | POST | DELETE |
|---|---|---|---|---|---|
| USER_ADMIN | /sso/oidc | Y | Y | Y | Y |
| USER_ADMIN | /users | N | Y | Y | Y |
| USER_ADMIN | /groups | Y | Y | Y | Y |
| DEFINITION_ADMIN | /definitions/workflows | N | Y | Y | Y |
| DEFINITION_ADMIN | /entitytypes | N | Y | Y | Y |
| DEFINITION_ADMIN | /dropdowns | N | Y | Y | Y |
| WORKFLOW_ADMIN | /workflows | N | Y | Y | NA |
| WORKFLOW_ADMIN | /data | N | Y | Y | Y |

Permission Visibility and Access Breakdown

Permissions are used throughout Workbench and, depending on the level of access, visibility will vary for an individual user.

View the table below for the visibility and access differences among the available permissions.

| Permission Name | Endpoint | Visibility | Access Breakdown | Notes |
|---|---|---|---|---|
| USER_ADMIN | /users | View ALL Users | ALL Access to Users | Can Create Users and Set Permissions |
| USER_ADMIN | /groups | View ALL Groups | ALL Access to Groups | Can Create Groups and Assign Users to Groups |
| DEFINITION_ADMIN | /definitions | View ALL Definitions | ALL Access to Transitions and Statuses | Can Create Workflow Definitions, Transitions, and Statuses; *Assign Groups to Transitions |
| DEFINITION_ADMIN | /entitytypes | View ALL EntityTypes | ALL Access to EntityTypes and AttributeTypes | Can Define and Update EntityTypes and AttributeTypes; Associate AttributeTypes to an EntityType |
| DEFINITION_ADMIN | /dropdowns | View ALL Dropdowns | ALL Access to Dropdowns and DropdownValues | Can Define and Update Dropdowns and DropdownValues |
| WORKFLOW_ADMIN | /workflows | View ALL Workflows | ALL Access to Workflows and WorkflowAttributes | Can Create Workflows and Workflow Data (WorkflowAttributes); Import Workflow Data |
| WORKFLOW_ADMIN | /data | View ALL DataObjects | ALL Access to DataObjects and DataAttributes | Can Create DataObjects and DataAttributes; Import/Export DataObjects |

The combination of USER_ADMIN, DEFINITION_ADMIN, and WORKFLOW_ADMIN Permissions grants the highest level of access throughout Data Refinery Workbench.

User Groups

User Groups control when a User is able to modify Workflow Data. Workbench users are organized into User Groups, and in a Workflow Definition, Groups are assigned to Transitions. User Groups use the notion of “eligibility” to describe the conditions under which a user can modify Workflow Data. Eligibility refers to the user’s ability to be assigned to a Workflow, change the assignee of a Workflow, edit and save Workflow Data, and apply a Workflow Transition.

A user is eligible if the user is a member of a Group assigned to a Transition that can be applied to the current Status of the Workflow.

User eligibility is a function of the Groups in which the user is a member, Transitions that the Groups are assigned to, and the current Status of the Workflow.

Example

For example, assume a simple Workflow Definition that has statuses named “Remediate,” “Review,” and “Clean.” It has a Start Transition from Remediate to Review and an End Transition from Review to Clean. This Workflow Definition assigns a Group named “Revisers” to the Start Transition and a Group named “Reviewers” to the End Transition. Assume User “A” is a member of the Revisers Group and User “B” is a member of the Reviewers Group. Finally, assume a Workflow based on this Workflow Definition is created from Live Data and is in the initial, “Remediate” Status.

In this example, access to the Workflow Data is controlled as follows:

  • The Workflow can be assigned to User A, but not to User B. User A is in a Group (Revisers) that is assigned to a Transition that can be applied to the Remediate Status, whereas User B is not.
  • User A is able to modify and save the Workflow Data, while User B is not.
  • Once finished, User A applies the Transition from the Remediate to the Review Status. User A is no longer able to modify the Workflow Data, and the Workflow is no longer assigned to User A.
  • In the Review Status, and as a member of the Reviewers Group, User B is able to become the assignee of the Workflow. Further, User B is able to modify and save the Workflow Data.
  • Once User B reviews the data and is satisfied with the changes, User B applies the Transition from the Review to the Clean Status.
  • Since the Clean Status has no Transitions, neither User A nor B can modify the Workflow Data.
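
The eligibility rule and the Remediate/Review/Clean walkthrough above, modelled as an added Python example (not Workbench code or its API). The class and function names are hypothetical, and the Transitions and memberships are constructed from the example on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transition:
    name: str
    from_status: str
    to_status: str
    groups: frozenset  # Groups assigned to this Transition

# Constructed from the page's example Workflow Definition.
TRANSITIONS = (
    Transition("Start", "Remediate", "Review", frozenset({"Revisers"})),
    Transition("End", "Review", "Clean", frozenset({"Reviewers"})),
)
MEMBERSHIPS = {"A": {"Revisers"}, "B": {"Reviewers"}}  # user -> Groups

def eligible_transitions(user, status):
    """Transitions out of `status` assigned to a Group the user belongs to."""
    groups = MEMBERSHIPS.get(user, set())  # unknown user: no Groups, so deny
    return [t for t in TRANSITIONS
            if t.from_status == status and t.groups & groups]

def is_eligible(user, status):
    return bool(eligible_transitions(user, status))

class Workflow:
    def __init__(self, status="Remediate"):
        self.status, self.assignee, self.data = status, None, {}

    def _require(self, user):
        if not is_eligible(user, self.status):
            raise PermissionError(f"{user} is not eligible in {self.status}")

    def assign(self, user):
        self._require(user)  # only an eligible user can become assignee
        self.assignee = user

    def save(self, user, key, value):
        self._require(user)  # any eligible user, not only the assignee
        self.data[key] = value

    def apply(self, user, name):
        match = [t for t in eligible_transitions(user, self.status)
                 if t.name == name]
        if not match:
            raise PermissionError(f"{user} cannot apply {name}")
        # Applying a Transition moves the Status and clears the assignee.
        self.status, self.assignee = match[0].to_status, None
```

Because eligibility is recomputed from the current Status on every call, a Status with no outgoing Transitions, such as Clean, denies every user without a separate rule.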

User eligibility is enforced through the API endpoints below.

| Eligible Access | API Endpoint |
|---|---|
| Modify and Save Data | /workflows/{workflowID}/data |
| Apply a Workflow Transition | /workflows/{workflowID}/transitions |
| To be Assigned to a Workflow | /workflows/{workflowID}/assignee |
| To Reassign or Clear Workflow Assignee | /workflows/{workflowID}/assignee |

Note that all eligible users are able to modify the Workflow Data, not just the Workflow Assignee, and eligible users are able to assign themselves to Workflows.

Default Permissions and User Groups

When a user logs into Data Refinery Workbench for the first time, there are no default permissions given to the user and there is no default Group membership. Permissions must be explicitly granted (assigned) to users to use secured APIs, and users must be assigned to User Groups to modify Workflow Data in Data Refinery Workbench.

Creating User Groups

User Groups can be created via Data Refinery Workbench or Data Refinery Workbench APIs. To create a User Group using APIs, see the Data Refinery Workbench API Reference.

To create User Groups through the Data Refinery Workbench UI, follow the procedure below.

  1. Begin by selecting the User Groups tab in the top navigation.

  2. Next, select the Create Group button. A form will appear.

  3. Type the name of the desired User Group in the “Name” field.

  4. Click Create.

    The User Group should appear in the User Group list after creation.

Assigning Users to User Groups

After a User Group has been created, a USER_ADMIN can assign users to the group. Also, a USER_ADMIN can update group memberships at any time. To assign users to User Groups in Data Refinery Workbench, follow the procedure below.

  1. Begin by selecting the User Groups tab in the top navigation.

  2. Once selected, the User Groups page should render a list of all User Groups in Data Refinery Workbench.

    Use the search bar to find a specific User Group: type the group name and press Enter, and the list is refined to the matching group.

    Otherwise, a user can scroll through the list of available groups to find the correct User Group.

    Note. The search bar requires an “exact match” to find a User Group. Partial names or spelling errors will yield no results.

  3. When the desired User Group is found and selected, the group information should be listed to the right of the User Groups list. This information will show what users are assigned to the User Group, if any. Click the Group Memberships button.

  4. A Group Memberships form will appear. A USER_ADMIN will see a list of available users to select for membership.

    A USER_ADMIN can scroll through the list of available users or search for specific users in the search bar to assign group memberships.

    To assign users to the User Group, the USER_ADMIN must select the Member box to the right of the user’s name.

    Note. If a USER_ADMIN would like to remove group membership from a user, the USER_ADMIN must deselect the Member box to the right of a user’s name.

  5. Once users have been selected or deselected for membership, select the Done button.

    Any users added to the User Group will now appear under the “Users” list of the group information.


Copyright © 2025 Kingland Systems LLC