Managing access to shared resources (data and tools)

Anton Kovalsky

Learn how to use roles and managed groups to control how much - and with whom - you share in Terra. Note that Terra workspace permissions determine who can access data and run analysis tools as well as who can incur Google Cloud Platform (GCP) costs for analyses. All workspace costs are billed through the Terra Billing project you assign to the workspace when you create it.   

Controlling access to workspace data and analysis tools

Resources in Terra include workspaces (including analysis tools and data in the workspace bucket) and Terra Billing projects. Workspace Owners and Billing project Owners control access by granting permissions to collaborators for each resource. Read on for more details about what roles and permissions of each resource allow. 

Managing-shared-resources-permissions_Terra-resource-structure_Diagram.png
Blue boxes are Google resources and grey are Terra resources.

Note that analysis tools (workflows, notebooks and R markdown files) are included with the workspace and access is specified by the workspace permissions. 

To learn more about billing roles, see Best practices for managing shared funding.

Workspace permissions/roles (includes workflows and analysis apps)

What's in a workspace?
Workspaces include all data stored in the workspace bucket as well as all workflows, notebooks, and R Markdown files organized in the workspace.
If you don’t want someone to see your work, don’t share your workspace with them.

shareworkspace.png

When you share a workspace, you grant each collaborator a role, or permission level, in the share screen (screenshot at left).

- Reader
- Writer
- Owner

- Can share
- Can compute

Workspace creators are owners by default. When you create a workspace, Terra automatically makes you the "Owner". Owners control who can share the workspace, access data, and accrue costs (by running workflows or interactive analyses) by assigning roles (permissions) to collaborators.

Workspace roles and what they allow collaborators to do

Workspace permissions determine who can perform operations with a GCP cost! A collaborator does not have to be a billing project user to incur costs. Workspace roles that allow users to incur costs include "Writer" and "Owner" and anyone with "Can-compute" permission. All GCP fees are paid for by the Terra Billing project associated with the workspace.

Owner
  Role description: Add/remove users, lock workspace, etc.
  Associated GCP costs: Storage, compute, query

Writer
  Role description: Write to/add tables, workflow configs, etc.
  Associated GCP costs: Storage (adding data to the workspace bucket); egress (downloading data)

Reader
  Role description: Read tables, method configs, etc.
  Associated GCP costs: none listed

Can-compute
  Role description: Launch workflows and interactive analyses (notebooks)
  Associated GCP costs: Can run a workflow or start a Cloud Environment; can generate data that is then stored

Share-writer
  Role description: Grant others write access
  Associated GCP costs: Can enable others to incur costs

Share-reader
  Role description: Grant others read access
  Associated GCP costs: Also see Writer


Managed groups - Enabling many users to access the same resources

A collaborative team may have many team members, numerous workspaces, and even separate billing projects. To streamline resource management, especially since teams often change, owners can assign roles to a managed group as well as to an individual. A managed group could include everyone in a research team, for example, who might need access to the same workspace or billing project.

S57a_Managing_shared_resources-Create_a_group.png

Best practices for managing changing teams: Managed groups

Groups are especially useful when team members change. Owners can simply adjust the group membership on the Groups page of Terra. This automatically updates the users for every resource shared with the group, so owners don't have to update every individual workspace, billing project, etc.

S57b_Managing_shared_resources-Edit_group.png

Roles for managed groups

Member
Any individual in the group. When any form of access is granted to a group, that access will apply to all the members of that group.

Admin
May add or remove members or other admins to or from the group. Admins are also members of the group.

 

Group roles versus resource permissions

Permissions for managed groups are not the same as permissions for other resources. If a group is given access to a workspace, the workspace owner controls the workspace role for the whole group (i.e., Reader or Writer). The group's admin only controls who is in the group (and who may modify the group itself).

For example, if a group has the role of Writer (not Owner) in a workspace, even group admins will only have Writer access.

Create your team Terra group in four steps

1. Start at the Main Menu (from the top left of any page in Terra).

2. Go to your Groups page (Main menu > Groups).
Create-Terra-Group_Step-1_Screen_shot.png

3. In the Create a New Group card, click on the blue "+" icon.
Create-Terra-group_Step-2_Screen_shot.png

4. Enter your human-friendly team group name and click the Create Group button.
Create-Terra-Group_Step-3_Scren_shot.png

You can share resources with the group just like with an individual. 
Create-Terra-Group_Step-4_Screen_shot.png

Note that the group admin can change who is in the group at any time in Terra. To add more people to the group, click on the group name and click + Add User. 

Permissions and groups and access to resources and billing - a lab scenario

Follow the story diagram below to see how permissions, groups and billing might affect access to resources in a cartoon lab scenario.

1. The head of a research laboratory (User #1) creates a billing project - they are the "Owner" of the billing project.
   G21_PermissionScenario-1.png

2. User #1 assigns the role of “workspace creator” to their post-doctoral fellow (User #2), charging them with the task of creating a fresh workspace to be shared with potential collaborators. The workspace will include shared data resources uploaded to the workspace Google bucket.
   G21_PermissionScenario-2.png

3. The post doc creates the workspace (they are automatically the Owner of the workspace), adds some content, and then invites another coworker (User #3) to help edit the content - giving them “writer can-compute” permission in the workspace.
   G21_PermissionScenario-3.png

4. User #3 can now edit and run code in the workspace, but cannot give other new users access. Can you guess what role they have with respect to the workspace resource?

5. In the meantime, a researcher from an unrelated group (User #4) - who wants to introduce a team of students to Terra - creates a managed group (they’re the "Owner" of the group).
   G21_PermissionScenario-4.png

6. In order for the students (User #5, User #6) to access the workspace, User #2 (workspace owner) must give the group created by User #4 reader permission for that workspace. All the group's members, including the group's owner, will have "read" permissions on the workspace.
   G21_PermissionScenario-5.png

7. The group (users #4, 5 and 6) now has “Reader” permission.
   G21_PermissionScenario-6.png
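To make the group-versus-resource rule and the lab scenario above concrete, here is an added Python model of how direct grants, group membership and the Can-compute and Can-share permissions combine into a user's effective workspace access. It is not Terra's code; the user ids, the group name and the Grant fields are assumptions, and it also applies the Share-reader / Share-writer limits from the roles table.

```python
from dataclasses import dataclass, field
# Toy model of the sharing rules described in this article (added example, not
# Terra's code). User ids, the group name and the Grant fields are assumptions.
RANK = {"reader": 1, "writer": 2, "owner": 3}

@dataclass
class Grant:
    role: str                  # "reader", "writer" or "owner"
    can_compute: bool = False  # Can-compute permission
    can_share: bool = False    # Share-reader / Share-writer, capped at own role

@dataclass
class Group:
    admins: set = field(default_factory=set)   # admins are also members
    members: set = field(default_factory=set)

    def contains(self, user):
        return user in self.admins or user in self.members

def effective_access(acl, groups, user):
    """Resolve workspace access from direct and group grants. A group admin gets
    only the role the group was given. Returns None when there is no access."""
    grants = [g for p, g in acl.items()
              if p == user or (p in groups and groups[p].contains(user))]
    if not grants:
        return None
    role = max((g.role for g in grants), key=RANK.__getitem__)
    owner = role == "owner"
    compute = owner or any(g.can_compute for g in grants)
    return {
        "role": role,
        "can_compute": compute,                       # workflows, Cloud Environments
        "can_share": owner or any(g.can_share for g in grants),
        "incurs_costs": compute or role == "writer",  # Writer, Owner or Can-compute
    }

def share(acl, groups, actor, principal, grant):
    # Only owners and share-holders may share; share-holders cap at their own role
    access = effective_access(acl, groups, actor)
    if access is None or not access["can_share"]:
        raise PermissionError(f"{actor} cannot share this workspace")
    if access["role"] != "owner" and RANK[grant.role] > RANK[access["role"]]:
        raise PermissionError(f"{actor} may grant at most {access['role']}")
    acl[principal] = grant

# Constructed lab scenario: User #2 owns the workspace, User #3 is Writer with
# Can-compute, and User #4's student group (User #5, User #6) is Reader.
groups = {"students": Group(admins={"user4"}, members={"user5", "user6"})}
acl = {"user2": Grant("owner")}
share(acl, groups, "user2", "user3", Grant("writer", can_compute=True))
share(acl, groups, "user2", "students", Grant("reader"))
```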
