Ontology-related Permissions

From TechWiki


Access and permissions for editing, managing and using ontologies within OSF are provided at two levels within the system: structOntology and various structWSF endpoints. structOntology is a Drupal conStruct module that provides the user interface used to create, manage and access ontologies loaded in a structWSF node. structWSF has a subset of Web service endpoints that are used to create, update, delete and read ontologies hosted on its instance.

Like other aspects of structWSF, a series of authentication steps is performed when someone makes a request to any of these Web services. This document explains how permissions work at two different levels:

  1. At the level of structOntology
  2. At the level of the structWSF ontology-related endpoints

structOntology Access Permissions

Normally, all Drupal instances linked to a structWSF instance have full CRUD permissions over all datasets hosted on a structWSF instance.

Under a typical setup, Drupal is used as a user management access layer. This means that Drupal manages the accesses to structWSF by authenticating queries based on its own authentication layer. If a request is dropped (not authorized) by Drupal, then no queries will be sent to structWSF.

The structOntology conStruct Drupal module enables admin users to perform any kind of manipulation on any ontology hosted on the structWSF instance. (See also the Individual conStruct Ontology (structOntology) Tool manual.) This means that an admin user can create, delete, update and read all ontologies. Non-admin users will be able to view them, but they won't be able to modify them.[1]

Ontologies Permissions in structWSF

To create a new ontology in structWSF, the user must have access to, and then Create permissions on, the ontologies dataset:

 http://my-instance.com/wsf/ontologies/

If the requester doesn't have Create permissions on this dataset URI, then an authentication error will be returned.

Note: normally, if the ontologies are created via structOntology, the Drupal server's permissions will be used to authenticate the ontology creation query. In a normal setup, the Drupal server's IP is what is granted full CRUD permission on all datasets.

Once the new ontology is created, a new dataset will be created in structWSF. The URI of the dataset is the URL of the ontology file that has been provided to access the ontology's OWL file. If you want to give access to this ontology to other people or systems, you will have to create the permissions records by using the /auth/registrar/ Web service endpoint.

There are two ways to get authenticated to perform any action on an ontology:

  1. The requester has the proper permission on the http://my-instance.com/wsf/ontologies/ dataset
  2. Or, the requester has the proper permission on the http://my-ontology-url dataset.
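
The two authorization paths above, together with the creation rule, can be modelled as a small permission audit. This is an added example, not structWSF code: the record shape, the function names and the sample IP addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

ONTOLOGIES_DATASET = "http://my-instance.com/wsf/ontologies/"  # URI used on this page
WRITE_ACTIONS = {"create", "update", "delete"}

@dataclass(frozen=True)
class AccessRecord:
    """Hypothetical permission record (not structWSF's storage schema)."""
    requester: str    # identity the grant is tied to, e.g. a server IP
    dataset: str      # dataset URI the grant applies to
    crud: frozenset   # subset of {"create", "read", "update", "delete"}

def granting_records(records, requester, action, ontology_uri=None):
    """Return every record that authorizes `action` for `requester`.

    ontology_uri=None means "create a new ontology", which is decided on the
    ontologies dataset alone. For an existing ontology, a grant on either the
    ontologies dataset or the ontology's own dataset is sufficient.
    URIs are compared as exact strings (an assumption of this model).
    """
    datasets = {ONTOLOGIES_DATASET}
    if ontology_uri is not None:
        datasets.add(ontology_uri)
    return [r for r in records
            if r.requester == requester and r.dataset in datasets and action in r.crud]

def is_authorized(records, requester, action, ontology_uri=None):
    return bool(granting_records(records, requester, action, ontology_uri))

def instance_wide_writers(records):
    """Requesters whose grant on the ontologies dataset lets them modify every ontology."""
    return sorted({r.requester for r in records
                   if r.dataset == ONTOLOGIES_DATASET and r.crud & WRITE_ACTIONS})

# Constructed sample data: 192.0.2.0/24 is a documentation address range.
SAMPLE_RECORDS = [
    AccessRecord("192.0.2.10", ONTOLOGIES_DATASET,  # stands in for the Drupal server
                 frozenset({"create", "read", "update", "delete"})),
    AccessRecord("192.0.2.77", "http://my-ontology-url", frozenset({"read"})),
]

if __name__ == "__main__":
    for who in ("192.0.2.10", "192.0.2.77"):
        for action in ("create", "read", "update"):
            ok = is_authorized(SAMPLE_RECORDS, who, action, "http://my-ontology-url")
            print(who, action, "allowed" if ok else "denied")
    print("instance-wide writers:", instance_wide_writers(SAMPLE_RECORDS))
```

The `instance_wide_writers` helper lists the identities to review first when applying least privilege, since a write grant on the ontologies dataset applies to every ontology on the instance.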

Endnotes

  1. It is also possible to set up additional user groups in Drupal's Organic Groups that would have full ontology access rights, but not the general admin rights across all of Drupal.