Sharing data and tools with workspace access controls

Allie Hajian

Learn how to control who can access tools, data, and results, and who can incur costs, in your workspace. Terra workspaces have three access levels: READER, WRITER, and OWNER. Each level is a superset of the permissions of the level below it.

Before sharing with someone who doesn't have access to the workflows: users with access to a workspace get access to its job history and its workflows, even if a workflow isn't public or shared with them directly. Best practice: if you don't want someone to see your work, don't share your workspace with them.

Workspace roles and what they allow collaborators to do

Note: Even sharing with workspace Readers can incur costs. For example, a Reader who has write permission on another workspace can copy data from your workspace bucket into that workspace. The data transfer (egress) cost is charged to you, as the owner of the bucket, unless the bucket has the Requester Pays option enabled.

Role           Associated Google Cloud costs                        Role description
Owner          Storage, compute, query                              Add/remove users, lock workspace, etc.
Writer         Storage (adding data to the workspace bucket)        Write to/add tables, workflow configs, etc.
Reader         Data transfer (downloading data)                     Read tables, method configs, etc.
Can-compute    Can run a workflow or start a Cloud Environment;     Launch workflows and interactive analyses (notebooks)
               can generate data that is then stored
Share-writer   Can enable others to incur costs                     Grant others write access
Share-reader   Also see writer                                      Grant others read access

Workspace permissions determine who can perform operations that incur Google Cloud costs. A collaborator does not have to be a user of the billing project to incur costs: Writers, Owners, and anyone with Can-compute permission can do so, and all Google Cloud fees are paid by the Terra Billing project associated with the workspace.

READER access details

A READER can

  • Enter the workspace and view its contents
  • Clone the workspace (must have "can share" permission)
  • Copy data and tools (workflows and/or notebooks) from that workspace to one where they have WRITER or OWNER access. Note that unless your workspace storage is a "Requester Pays" bucket, this can cause you to incur Google Cloud data transfer out charges

A READER cannot

  • Make changes to data tables (add/delete entities, edit metadata)
  • Add/delete workflows or workflow configurations
  • Edit workflows or workflow configurations
  • Launch a workflow or interactive analysis app (i.e., spin up a Cloud Environment) 
  • Abort workflow submissions

Can-share (optional permission)

Giving readers "can-share" permission allows them to make their own copy of the workspace with their own billing. 

WRITER access details

A WRITER has all the permissions of a READER, and can also

  • Make changes to data tables (add/delete entities, edit metadata)
  • Create new collections (sample sets, individual sets, pair sets) from existing non-set entities (samples, participants, pairs)
  • Delete/edit data in tables
  • Add/modify data in tables
  • Copy entities from a data table in another workspace, provided they have at least READER access to the source workspace
  • Upload data tables and their data files directly to workspace
  • Add/modify/delete workflows or workflow configurations, including pushing workflows or workflow configurations to the workspace from the Dockstore (provided they have READER access to the tools and tool configurations)
  • Push workflows or workflow configurations from another workspace if they have at least READER access to the source workspace
  • Edit workflows and workflow configurations within the workspace

Can-share (optional)

Giving writers "can-share" permission allows them to make their own copy of the workspace with their own billing. 

Can-compute (optional)

Giving writers "can-compute" permission allows them to run workflows and interactive analysis apps (Galaxy, Jupyter, and RStudio). 

OWNER access details

An OWNER has all the permissions of a WRITER, and in addition can

  • Edit the workspace Access Control Levels (i.e., add and change collaborator roles)
  • Delete a workspace

When you create or clone a workspace, you are the OWNER.
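The role and flag rules above can be checked against a small policy model. The following is an added illustration, not Terra's own code or API: the role matrix, the optional can-share and can-compute flags, and the cost-attribution rule come from this article; the class and function names, the action names, and the sample workspaces and e-mail addresses are assumptions constructed for the example.

```python
"""Policy model of Terra workspace access levels (illustration only, not Terra code).

Encodes the READER / WRITER / OWNER hierarchy, the optional can-share and
can-compute flags, and the rule that copying out of a non-Requester-Pays
bucket bills the source workspace's billing project.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    NO_ACCESS = 0
    READER = 1
    WRITER = 2
    OWNER = 3


@dataclass(frozen=True)
class AclEntry:
    """One collaborator's entry in a workspace ACL."""
    role: Role
    can_share: bool = False    # optional on READER and WRITER
    can_compute: bool = False  # optional on WRITER

    def effective(self) -> "AclEntry":
        # OWNER holds every WRITER permission plus ACL editing, and the cost
        # table lists compute under Owner, so both flags are implied.
        if self.role is Role.OWNER:
            return AclEntry(Role.OWNER, True, True)
        # A READER cannot launch anything, so can-compute is meaningless there.
        if self.role is Role.READER:
            return AclEntry(Role.READER, self.can_share, False)
        return self


@dataclass
class Workspace:
    name: str
    billing_project: str
    requester_pays: bool = False
    acl: dict = field(default_factory=dict)  # email -> AclEntry

    def entry(self, email: str) -> AclEntry:
        return self.acl.get(email, AclEntry(Role.NO_ACCESS)).effective()


# Minimum role per action, plus the optional flag the action also needs (if any).
REQUIREMENTS = {
    "view":             (Role.READER, None),
    "clone":            (Role.READER, "can_share"),
    "edit_tables":      (Role.WRITER, None),
    "edit_workflows":   (Role.WRITER, None),
    "launch":           (Role.WRITER, "can_compute"),
    "grant_read":       (Role.READER, "can_share"),
    "grant_write":      (Role.WRITER, "can_share"),
    "edit_acl":         (Role.OWNER, None),
    "delete_workspace": (Role.OWNER, None),
}


def is_allowed(ws: Workspace, email: str, action: str) -> bool:
    """Policy decision for one action by one collaborator on one workspace."""
    min_role, flag = REQUIREMENTS[action]
    e = ws.entry(email)
    if e.role < min_role:
        return False
    return flag is None or getattr(e, flag)


def can_incur_costs(ws: Workspace, email: str) -> bool:
    """Roles that can run up charges directly: WRITER, OWNER, or anyone with can-compute."""
    e = ws.entry(email)
    return e.role >= Role.WRITER or e.can_compute


def copy_cost_bearer(src: Workspace, dst: Workspace, email: str) -> str:
    """Billing project charged when `email` copies data/tools from src to dst.

    Copying out needs READER on the source and WRITER on the destination.
    Unless the source bucket is Requester Pays, the egress is billed to the
    source workspace's billing project, i.e. to the owner who shared it.
    """
    if not is_allowed(src, email, "view"):
        raise PermissionError(f"{email} cannot read {src.name}")
    if not is_allowed(dst, email, "edit_tables"):
        raise PermissionError(f"{email} cannot write to {dst.name}")
    return dst.billing_project if src.requester_pays else src.billing_project


def demo() -> dict:
    # Constructed sample workspaces and collaborators (not real projects or users).
    lab = Workspace("lab-ws", "lab-billing", acl={
        "owner@example.org":    AclEntry(Role.OWNER),
        "analyst@example.org":  AclEntry(Role.WRITER, can_compute=True),
        "intern@example.org":   AclEntry(Role.WRITER),              # no can-compute
        "reviewer@example.org": AclEntry(Role.READER, can_share=True),
    })
    scratch = Workspace("reviewer-scratch", "reviewer-billing", acl={
        "reviewer@example.org": AclEntry(Role.OWNER),
    })
    return {
        "intern_launch":  is_allowed(lab, "intern@example.org", "launch"),
        "analyst_launch": is_allowed(lab, "analyst@example.org", "launch"),
        "reviewer_clone": is_allowed(lab, "reviewer@example.org", "clone"),
        "reviewer_costs": can_incur_costs(lab, "reviewer@example.org"),
        "egress_payer":   copy_cost_bearer(lab, scratch, "reviewer@example.org"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last entry of demo() is the case the Note above warns about: the reviewer is only a Reader on lab-ws and cannot incur compute or storage charges there, yet copying into a workspace they own bills lab-billing for the transfer because the source bucket is not Requester Pays. Flipping requester_pays on the source moves that charge to the copier's billing project.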
