View Source

In this tutorial we will assume that we already have a user called "owner" that has a study populated with some samples and files and no permissions has been set at any point, so no one will have access to "owner"'s data.

In this OpenCGA installation we also have the following list of users:

user1-admin and user2-admin should have admin permissions and should be able to take the same actions the user "owner" can do.

# If we know that those users will always share the same permissions, we can create an "admin" group for them
opencga.sh studies groups-create -s projectAlias:studyAlias --users user1-admin,user2-admin --group admin

# And now we give admin permissions to the @admin group. Important: groups in opencga are always preceded by @ internally although it is not mandatory adding it when we create it !
opencga.sh studies acl-create --members @admin --template admin -s projectAlias:studyAlias

user1-analyst, user2-analyst, user3-analyst should have access to data (read and write) but they should not be able to delete anything.

# If we know that those users will always share the same permissions, we can create an "analyst" group for them
opencga.sh studies groups-create -s projectAlias:studyAlias --users user1-analyst,user2-analyst,user3-analyst --group analyst

# And now we give admin permissions to the @analyst group.
opencga.sh studies acl-create --members @analyst --template analyst -s projectAlias:studyAlias

user1-external, user2-external, user3-external should have just view access to all the files but not the rest of entries.

# If we know that those users will always share the same permissions, we can create an "external group for them
opencga.sh studies groups-create -s projectAlias:studyAlias --users user1-external,user2-external,user3-external --group external

# And now we give admin permissions to the @external group.
opencga.sh studies acl-create --members @external -s projectAlias:studyAlias --permissions VIEW_FILES,VIEW_FILE_HEADERS,VIEW_FILE_CONTENTS,DOWNLOAD_FILES

user4-external should have view access to just one sample.

# We need to create first some permissions to the user at the study entry level. Remember: The absence of permissions is equivalent to denying those permissions. 
opencga.sh studies acl-create --members user4-external -s projectAlias:studyAlias

# user4-external does not have any permission yet, but we have it registered at the study entry point. Now we can add the permission for the sample
opencga.sh samples acl-create --id sampleName --members user4-external --permissions VIEW -s  projectAlias:studyAlias