[ome-users] Having a user that (initially) cannot upload data possible? + omero admin sessionlist not working anymore

Petr Walczysko (Staff) p.walczysko at dundee.ac.uk
Fri Nov 17 10:57:07 GMT 2017


Hi Sascha

As a follow-up to Josh’s email, to answer your question

>> If an admin takes the new user and puts him/her into the correct groups, and takes him/her out of „default“ - hm, i do not yet fully understand what happens to any remaining data in „default“ yet.

Please never take a user out of any group and leave his/her data in that group. You would get undesirable effects in case you try to work with such data in OMERO.clients.
The recommended course of action is: Move the data to the group where the owner of the data is a member. Or, change the ownership of the data to somebody
who is member of the group where the data are.  See second paragraph in https://docs.openmicroscopy.org/omero/5.4.0/sysadmins/restricted-admins.html#workflow-4-group-and-data-organizer
You can organize your workflow as fast or slow as you wish (no need to do all at once or in any particular order), and you can move users and data in any order,
but be careful to end with the owners of data being in the same group as the data.

A user in OMERO can be a member of as many groups as you wish.

If you follow https://docs.openmicroscopy.org/omero/5.4.0/sysadmins/restricted-admins.html#workflow-4-group-and-data-organizer
you can find that your workflow does not need to be done by full administrators, instead, you might create some Admins with restricted privileges
as “Group and Data Organizers” and delegate such tasks to them.

Also, a Group Owner can add new members to his/her group without needing an intervention of an admin. Nevertheless, Group Owner will
not be able to remove a user from any group which they do not own.

Hope this helps

All the best

Petr



On 16/11/2017, 20:41, "ome-users on behalf of Josh Moore" <ome-users-bounces at lists.openmicroscopy.org.uk on behalf of josh at glencoesoftware.com> wrote:

    Hi Julio & Sascha,

    >> On 16 Nov 2017, at 16:24, Sascha Neinert <sascha.neinert at uni-koeln.de> wrote:
    >>
    >>> Am 15.11.2017 um 16:27 schrieb Josh Moore <josh at glencoesoftware.com>:
    >>>
    >>> On Wed, Nov 15, 2017 at 11:18 AM, Sascha Neinert wrote:
    ...
    >>>
    >>> If that doesn't work for your situation, perhaps you could explain
    >>> more about what else the non-upload users should be able to do?
    >>
    >> We use LDAP for authentication, so we do not add yet another account/password for the users. But we do not have groups in our LDAP, so currently omero.ldap.new_user_group is just „default“.

    Interestingly, this is a situation we have with the production server
    at the University of Dundee, as well. (It would be interesting to know
    who else is in the same boat.) One of the recent changes we made to
    clarify the situation was to rename the group to "My Data". Other
    suggestions include "Private space", "Temporary Data", etc. Other
    ideas?. The winner of the name raffle will go down in the OME annals.


    >> Even if we would get to have groups in our organisational LDAP at some point in the future, we would have quite some users from neighbouring institutions that would have no groups, or maybe just one very big group that would not be very useful. So our users should login for the first time, notify us to be moved into their lab groups, and then start using OMERO. But they also can login for the first time and directly start to upload data, which would then end up in „default“.

    There's certainly a window here where someone could do upload to
    "default". A No-Uploads setting on the group would prevent this, but
    it would also leave the newbie in a quite useless private, read-only
    group until an administrator comes along:

     * In a non-LDAP setting, the system administrator must actively
    create new users and place them in specific groups. No problems.

     * In an LDAP-with-groups setting, everything is automated. Again, no problems.

     * In this LDAP-without-groups setting, the assignment is delayed,
    which is leading to confusion. But I've not been able to see a way
    that the software can help with this. I'm certainly biased, but it
    seems like a system administration problem.


    >> If an admin takes the new user and puts him/her into the correct groups, and takes him/her out of „default“ - hm, i do not yet fully understand what happens to any remaining data in „default“ yet. Anyhow, we would like to avoid a situation where data ends up somewhere and nobody feels responsible for it anymore, so we thought if we could maybe set „default“ to „nobody can store anything inside“-mode. We could treat „default“ as some kind of „temp“ or „scratch“ maybe.

    We can certainly help with tools/scripts for getting all the data out.
    And we'll look into making it read only, but the user experience will
    be less than stellar. Other suggestions / code changes I can think of
    include:

     * use LDAP but require an admin to activate users

     * put your groups into LDAP (this can be achieved by layering one
    LDAP on top of another)

     * send an email on new user creation so sysadmins can assign the user ASAP

    (More ideas welcome)


    On Thu, Nov 16, 2017 at 4:37 PM, Julio MATEOS_LANGERAK
    <julio.mateos-langerak at igh.cnrs.fr> wrote:
    >
    > That is quite the same situation as ours at MRI. We do not manage groups on the LDAP and we would not like default to be data repository where nobody feels responsible for when the PhD/Postdoc leaves…
    >
    > We could informe an internal rule saying that every dataset imported more than x months ago will be deleted. Drastic but likely to work.

    A cron job at N months to warn and at N+1 months to delete would be doable.


    > Julio


    Cheers,
    ~Josh
    _______________________________________________
    ome-users mailing list
    ome-users at lists.openmicroscopy.org.uk
    http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users



The University of Dundee is a registered Scottish Charity, No: SC015096


More information about the ome-users mailing list