Need Help?

Search our documentation and community forum

Terra is a cloud-native platform for biomedical researchers to access data, run analysis tools, and collaborate.
Terra powers important scientific projects like FireCloud, AnVIL, and BioData Catalyst. Learn more.

Articles in this section

Using permissions and groups to manage shared resources (billing, data, and workspaces)

Avatar
Anton Kovalsky
  • Updated
Follow

Use permissions (roles) and managed groups to control how much - and with whom - you share in Terra. 

Contents

  Controlling access to data, workspaces, and billing 
   - Workspace permissions - who can analyze, access and share resources
   - Billing permissions - who can create Billing projects and workspaces
   - Managed groups - Enabling large sets of users to access resources
  Evolution of permissions - a lab scenario 

Controlling access to resources (data, workspaces, billing)

If you work in teams, you're probably familiar with the idea of using permissions or roles to control what collaborators can do with shared resources (such as datasets or analysis tools). Roles are granted by the owner (or other person with the right permissions). Typical roles include "owner", "administrator" and "user".

In Terra, you can assign roles for each resource (GCP Billing account, Terra Billing project, and workspace) in gray boxes in the diagram below. Read on for more details about what roles and permissions of each resource allow. 

Billing-heierarchy-in-cloud.png


Workspace permissions/roles - who can analyze, access, and share data

Workspace permissions control who can perform what operations in a workspace. When you share a workspace, you grant each person a role, or permission level, in the share screen.

Workspace-permissions_Screen_shot.png

Examples of workspace roles and their permitted activities

  Owner Writer Reader Can
compute
Can edit workspace documentation, data tables

 

  X depends 
Can access data in the workspace bucket

X
Can give others access

 ✔

 depends  -- depends

Can run workflows and interactive analyses

depends

X

Can store data

 X

depends

Note that whether a person can perform operations that have a GCP cost depends on their workspace role (not their Billing project role). 

G0_tip-icon.png


Workspace permissions determine who can incur GCP costs
 

Workspace roles that allow users to incur costs include "Writer" and "Owner" and anyone
with "Can-compute" permission. 

Note that workspace creators are owners, by default
When you create a workspace, Terra automatically makes you the "owner". Owners
control who can share the workspace, access data and accrue costs (run workflows or
interactive analyses) by assigning roles (permission) to collaborators
 

Workspace roles/permissions

 
Workspace roles include the following. All roles that enable users to accrue costs are noted in red
  • Owner (can incur costs) - may add/remove users (grant access), lock workspace, etc. 
  • Writer (can incur storage costs by adding data to the workspace bucket) - may write to/add tables, workflow configs, etc. 
  • Reader - may read tables, method configs, etc. 
  • Can-compute (can incur compute costs) - able to launch workflows and interactive analyses (notebooks). 
  • Share-writer (can enable others to incurs costs - see Writer, above) - able to grant others write access. 
  • Share-reader - able to grant others read access. 

 Billing permissions/roles - who can create billing projects and workspaces

Billing resources in Terra include GCP Billing accounts and Terra Billing projects. Access to billing (i.e. GCP Billing accounts and Terra billing projects) allows you to create resources (i.e. Terra billing accounts and workspaces). GCP Billing account owners, admins and users can also access detailed cost breakdowns in GCP.

Billing account (GCP) and billing project (Terra) roles

  • Administrator - can see and manage all billing aspects
  • Viewer - can view billing account information 
  • User - can access Billing account

 

G0_tip-icon.png


Billing project roles don't directly affect who can work in a workspace
 

Workspace permissions are what determine who can incur cost in a workspace. Workspace
permissions can be very granular. Workspace owners can grant roles including "can-
compute" or "can share" as well as the traditional "Owner," "Reader," and "Writer" roles. 

Billing project roles determines whether you can create resources like projects or
workspaces. Note that the creator is the initial owner, by default (but this can be
modified). 

 

 

Can access cost breakdown

Can create Billing projects

Can create workspaces

Can store and analyze data

Billing account admin, owner, user

in GCP console

in Terra UI

in Terra UI

Depends on workspace role

Billing project admin, owner, user

x

x

Depends on workspace role

 

G0_tip-icon.png

 

Workspace creators are owners by default
 

When you create a workspace, Terra automatically makes you the "owner". Owners
control who can share the workspace, access data and accrue costs (run workflows or
interactive analyses) by assigning roles (permission) to collaborators. 

Unexpected example cases

  • A Billing project user won't have access to a workspace created by a collaborator under the same Billing project without the right workspace permission. The workspace owner would share the workspace and give them permission. 

  • Removing a user from a Billing account or Billing project means they cannot create billing projects or workspaces (respectively). It does not impact their ability to accrue charges in a workspace where they already have "can-compute" permission.


Managed groups - Enabling many users to access the same resources

A collaborative team may have many team members, numerous workspaces and even separate billing projects. To streamline resource management, especially since teams often change, owners can assign permissions (roles) to a managed group as well as to an individual. A managed group could include everyone in a research team, for example, who might need access to the same workspace or billing project.

S57a_Managing_shared_resources-Create_a_group.png

Managing changing teams with groups

Groups are especially useful when team members change. Owners can simply adjust the group membership in the Groups page of Terra. This automatically updates the users for every resource shared with the group. This way, Owners don't have to update every individual workspace, billing project etc. 

S57b_Managing_shared_resources-Edit_group.png

Roles for managed groups

  • Member - any individual in the group. When any form of access is granted to a group, the members include all who have that access.
  • Admin - may add or remove members or other admins to or from the group. Admins are also members of the group.
  • Admin-notifier - users who are allowed to send notifications to the admins of a group. When a group is created, this access policy is set to public - meaning all users are able to request access to a group.
G0_tip-icon.png


Group roles versus resource permissions
 

Permissions for managed groups are not the same as permissions for other resources. If a
group is given access to a workspace, the workspace owner controls the role of the group
with respect to the workspace (i.e. reader or writer), but the group's owner controls the
role of the user in the group.

For example, if a group has the role of "writer" (not owner) in a workspace, even group
admins will only have writer access.  
 

Evolution of permissions and groups and access to resources and billing - a lab scenario

 
Follow the story diagram below to see how permissions, groups and billing might affect access to resources in a cartoon lab scenario:
  1. The head of a research laboratory (User #1) creates a billing project - they are the "Owner" of the billing project
    G21_PermissionScenario-1.png

  2. User #1 assigns the role of “workspace creator” to their post-doctoral fellows (User #2) , charging them with the task of creating a fresh workspace to be shared with potential collaborators. The workspace will include shared data resources uploaded to the workspace Google bucket.
    G21_PermissionScenario-2.png
  3. The post doc creates the workspace (they are automatically the Owner of the workspace), adds some content, and then invites another coworker (User #3) to help edit the content - giving them “writer can-compute” permission in the workspace.
    G21_PermissionScenario-3.png

  4. User #3 is can now edit and run code in the workspace, but cannot give other new users access. Can you guess what role they have with respect to the workspace resource?

  5. In the meantime, a researcher from an unrelated group (User #4) - who wants to introduce a team of students to Terra - creates a managed group (they’re the "Owner" of the group).

    G21_PermissionScenario-4.png

  6. In order for the students (User #5, User #6) to access the workspace, User #2 (workspace owner) must give the group created by User #4 reader permission for that workspace. All the group's members, including the group's owner, will have "read" permissions on the workspace.
    G21_PermissionScenario-5.png

  7. The the group (users #4, 5 and 6) now has “Reader” permission.
    G21_PermissionScenario-6.png

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk