Jobs Authorization
CASL ability actions
This is the list of the permissions methods available for Jobs and all their endpoints.
The authorization for jobs is consistently different from all the other endpoints
Endpoint Authorization
- JobCreate
- JobRead
- JobStatusUpdate
- JobDelete
(Data) Instance Authorization
- JobCreateConfiguration (The jobs create section of the configuration dictats if the user can create the job)
- JobCreateOwner (Users with this privileges can create jobs only for themselves)
- JobCreateAny (Users with this privileges can create jobs for any of the users that are defined in the create section of the job configuration)
- JobReadAccess
- JobReadAny
- JobStatusUpdateConfiguration (The jobs update section in configuration dictates if the user can update the status of the job)
- JobStatusUpdateOwner (Users with this privileges can update the status of jobs belonging to themselves)
- JobStatusUpdateAny (Users with this privileges can update the status of any job)
- JobDeleteAny
Priority
Authorization table
| HTTP method | Endpoint | Endpoint Authentication | Anonymous | Authenticated | Create Jobs Groups | Update Jobs Groups | Admin Groups | Delete Groups | Notes |
|---|---|---|---|---|---|---|---|---|---|
| POST | Jobs | JobCreate | JobCreateConfiguration | JobCreateConfiguration | Any JobsCreateOwner |
no | Any JobsCreateAny |
no | |
| GET | Jobs | JobReadMany | no | Has Access JobReadAccess |
Has Access JobReadAccess |
no | Any JobReadAny |
no | |
| GET | Jobs/jid | JobReadOne | no | Has Access JobReadAccess |
Has Access JobReadAccess |
no | Any JobReadAny |
no | |
| POST | Jobs/statusUpdate | JobStatusUpdate | no | JobStatusUpdateConfiguration | no | Owner JobStatusUpdateOwner |
Any JobStatusUpdateAny |
no | |
| DELETE | Jobs/jid | JobDelete | no | no | no | no | no | JobDeleteAny |
Job Create Authorization Table
The JobCreateConfiguration authorization permissions are configured directly in the create section of the job configuration.
Any positive match will results in the user acquiring JobCreate endpoint authorization which apply to the jobs endpoint POST:Jobs
| Job Create Authorization | Endpoint Authentication Translation | Endpoint Authentication Description | Instance Authentication Translation | Instance Authentication Description |
|---|---|---|---|---|
| #all | #all | any user can access this endpoint, both anonymous and authenticated | #all | Any user can create this instance of the job |
| #datasetPublic | #all | any user can access this endpoint, both anonymous and and authenticated | #datasetPublic | the job instance will be created only if all the datasets listed are public |
| #authenticated | #user | any valid users can access the endpoint, independently from their groups | #user | any valid users can cretae this instance of the job |
| #datasetAccess | #user | any valid user can access this endpoint, independently from their groups | #datasetAccess | the job instance will be created only if the user has access to all the datasets listed |
| #datasetOwner | #user | any valid user can access this endpoint, independently from their groups | #datasetOwner | the job instance will be created only if the user is part of all the datasets owner group |
| @GROUP | GROUP | only users that belongs to the specified group can access the endpoint | GROUP | the job instance will be created only if all the datasets listed belong to the group specified |
| USER | USER | only the specified user can access the endpoint | #datasetOwner | the job instance will be created only if all the datasets listed are owned by any of the user's groups |
IMPORTANT: use option #all carefully, as it allows anybody to create a new job. It is mostly use for debuging and testing
Job Status Update Authorization Table
The JobStatusUpdateConfiguration authorization permissions are configured directly in the update section of the job configuration.
Any positive match will results in the user acquiring JobStatusUpdate endpoint authorization apply to the jobs endpoint POST:Jobs/statusUpdate
| Job Status Update Authorization | Endpoint Authentication Translation | Endpoint Authentication Description | Instance Authentication Translation | Instance Authentication Description |
|---|---|---|---|---|
| #all | #all | any user can access this endpoint, both anonymous and authenticated | #all | Any user can update the status of this job instance |
| #jobOwnerUser | #user | authenticated user can access the endpoint | #jobOwnerUser | only the user that is listed in field ownerUser can perform the update |
| #jobOwnerGroup | #user | authenticated user can access the endpoint | #jobOwnerGroup | any user that belongs to the group listed in field ownerGroup can perform the update |
| @GROUP | GROUP | only users that belongs to the specified group can access the endpoint | GROUP | the job status can be updated only by users who belong to the group specified |
| USER | USER | only the specified user can access the endpoint | USER | the job status can be updated only by the user indicated |
IMPORTANT: use option #all carefully, as it allows anybody to update the status of the job. It is mostly use for debuging and testing
Job Authorization priority
The endpoint authorization is the most permissive authorization across all the jobs defined. The priority between job create and status update authorization is as follow: