If you find any issues / have any comment, please contact email@example.com to give us your feedback!
As described in the authentication section, the KG requires an authentication token of the requesting user for almost all provided API endpoints.
Whilst the authentication is handled via a centralized identity management system (such as EBRAINS IAM), the authorization definition is specified in the EBRAINS KG itself.
The EBRAINS KG knows the following roles which can be applied to different area:
A consumer is allowed to read the released resources of an instance.
A reviewer has all rights of a consumer and can in addition read instances from the in progress section
An editor has all rights of a reviewer and can in addition write and delete instances
An owner has all rights of an editor and can in addition release instances
An administrator has all possible functionalities at hand.
Application of roles
All roles can be applied to one of the three granularity levels:
This means that the given role applies globally for all spaces of the KG available
The applied role is available for a specific space. For spaces, it is allowed to specify a '*' wildcard. It e.g. allows you to specify a role for a specific prefix of spaces. Please note that the wildcard will not work if used in the context of a specific instance.
The applied role is available for a specific instance
Configuration of access permissions
The access permissions can be configured by the API endpoints for "setup/permissions". They allow to declare permissions by mapping a "claim" (as received from the user info endpoint of the authentication system) to an applied role.