This article explains what permissions and managed groups are in Terra and how to use them to control who and how much you share with collaborators. Permissions or roles control what a collaborator can do and are assigned by the owner (or other person with the right permissions). Managed groups help streamline the sharing process by standardizing access of a group. When the group changes, you can update the group membership rather than updating every billing resource or workspace.

Contents

How roles (permission) control access to data, workspaces, and billing 
Workspace permissions - who can analyze, access and share resources
Billing account and Billing project roles - who can do what?
Managed groups - Enabling large sets of users to access resources
Evolution of permissions - a lab scenario 

How roles (permission) control access to data, workspaces and billing

If you work in teams, you're probably familiar with the idea of roles of shared resources such as datasets or analysis tools. Typical roles include "owner", "administrator" and "user", for example. Each role has its own set of actions that it permits. When you create a resource in Terra, such as a workspace or Billing project, Terra automatically makes you the "owner". Owners control who can use the resource by assigning roles (permission) to collaborators. 

Workspace permissions/roles - who can analyze, access, and share

Workspace permissions are how to control who can perform what operations in a workspace. When you share a workspace, you assign a role, or permission level, to your colleague. Their workspace role (not whether they are on the Billing project) is what determines whether they can perform operations that have a cost. The costs are paid for by the Terra Billing project associated with the workspace.  

Workspace roles include the following. All roles that enable users to accrue costs are noted in maroon font. 

• Owner (can incur costs) - may add/remove users (grant access), lock workspace, etc. 
• Writer (can incur storage costs by adding data to the workspace bucket) - may write to/add tables, workflow configs, etc. 
• Reader - may read tables, method configs, etc. 
• Can-compute (can incur compute costs) - able to launch workflows and interactive analyses (notebooks). 
• Share-writer (can enable others to incurs costs - see Writer, above) - able to grant others write access. 
• Share-reader - able to grant others read access. 

Billing permissions/roles - who can access funding and how

The structure of billing in Terra is in three levels: at the top is the GCP Billing account; in the middle is the Terra Billing project; below that is the workspace. Each user can create resources in the level immediately below: GCP Billing account owners, admins or users can create Terra Billing projects. Billing project owners and users can create workspaces to do work in.  

• Owner - full access, including adding and removing users.
• Administrator - can see and manage all billing aspects
• Viewer - can view billing account information 
• User - can access Billing account
  

Note that your billing role doesn't directly affect if you can work in a workspace.
It affects whether you can create projects or workspaces. 

Example cases

•  A Billing project user won't have access to a workspace created by a collaborator under the same Billing project unless the collaborator shares the workspace and gives them permission. 
  
  
• Removing a user from a Billing account or Billing project means they cannot create billing projects or workspaces (respectively). It does not impact their ability to accrue charges in a workspace where they already have "can-compute" permission.

Managed groups - Enabling large sets of users to access resources

A collaborative team may have many team members and numerous workspaces and even separate Billing projects. To streamline resource management, especially since teams often change, owners can assign permissions (roles) to managed groups as well as individuals. A managed group could be everyone in a research team, for example, who might need access to the same resources.

Groups are especially useful when team members change. Owners can simply adjust the group membership in the Groups page of Terra, which updates the users for every resource shared with the group. This way, the Owner doesn't have to update the users in every individual workspace, billing project etc. 

Roles for managed groups

• Member - any individual in the group. When any form of access is granted to a group, the members include all who have that access.
• Admin - may add or remove members or other admins to or from the group. Admins are also members of the group.
• Admin-notifier - users who are allowed to send notifications to the admins of a group. When a group is created, this access policy is set to public - meaning all users are able to request access to a group.

Group roles versus resource permissions

Permissions for managed groups are not the same as permissions for other resources. If a group is given access to a workspace, the workspace owner controls the role of the group with respect to the workspace (i.e. reader or writer), but the group's owner controls the role of the user in the group. For example, if a group has the role of "writer" (not owner) in a workspace, even group admins will only have writer access.