Learn how to control who can access tools, data, and results and incur costs in your workspace. Terra workspaces have three access levels: READER, WRITER, and OWNER. Each access level represents an expanded set of permissions.
Before sharing with someone who doesn't have access to the workflows: users with access to a workspace get access to the job history and the workflow, even if the workflow isn't public or shared. Best practice: if you don't want someone to see your work, don't share your workspace with them.
Workspace roles and what they allow collaborators to do
Note: There are scenarios in which even sharing with workspace Readers can incur costs! For example, a reader who has write permission on another workspace could copy data from your workspace bucket into their workspace. This would incur data transfer costs for which you, as the owner of the bucket, would be responsible (unless the bucket had the requester pays option enabled).
| | Owner | Writer | Reader | Can-compute | Share-writer | Share-reader |
|---|---|---|---|---|---|---|
| Associated Google Cloud costs | Storage, compute, query | Storage (adding data to workspace bucket) | Data transfer (downloading data) | Can run a workflow or start a Cloud Environment; can generate data that is then stored | Can enable others to incur costs (also see Writer) | |
| Role description | Add/remove users, lock workspace, etc. | Write to/add tables, workflow configs, etc. | Read tables, method configs, etc. | Launch workflows and interactive analyses (notebooks) | Grant others write access | Grant others read access |
Workspace permissions determine who can perform operations with a Google Cloud cost! A collaborator does not have to be a billing project user to incur costs. Workspace roles that allow users to incur costs include "Writer" and "Owner" and anyone with "Can-compute" permission. All Google Cloud fees are paid for by the Terra Billing project associated with the workspace.
READER access details
A READER can
- Enter the workspace and view its contents
- Clone the workspace
- Copy data and tools (workflows and/or notebooks) from that workspace to one where they have WRITER or OWNER access. Note that unless your workspace storage is a "Requester Pays" bucket, this can cause you to incur Google Cloud data transfer out charges.
A READER cannot
- Make changes to data tables (add/delete entities, edit metadata)
- Add/delete workflows or workflow configurations
- Edit workflows or workflow configurations
- Launch a workflow or interactive analysis app (i.e., spin up a Cloud Environment)
- Abort workflow submissions
Can-share (optional permission)
Giving readers "can-share" permission allows them to share the workspace with other users as readers. However, only workspace owners can grant those users "can-share" permission.
WRITER access details
A WRITER has all the permissions of a READER, and can also
- Make changes to data tables (add/delete entities, edit metadata)
- Create new collections (sample sets, individual sets, pair sets) from existing non-set entities (samples, participants, pairs)
- Delete/edit data in tables
- Add/modify data in tables
- Copy entities from a data table in another workspace, provided they have at least READER access to the source workspace
- Upload data tables and their data files directly to workspace
- Add/modify/delete workflows or workflow configurations, including pushing workflows or workflow configurations to the workspace from the Dockstore (provided they have READER access to the tools and tool configurations)
- Push workflows or workflow configurations from another workspace if they have at least READER access to the source workspace
- Edit workflows and workflow configurations within the workspace
Can-share (optional)
Giving writers "can-share" permission allows them to share the workspace with other users as readers or writers. However, only workspace owners can grant those users "can-share" permission.
Can-compute (optional)
Giving writers "can-compute" permission allows them to run workflows and interactive analysis apps (Galaxy, Jupyter, and RStudio).
OWNER access details
An OWNER has all the permissions of a WRITER, and in addition can
- Edit the workspace Access Control Levels (i.e., add and change collaborator roles)
- Delete a workspace
When you create or clone a workspace, you are the OWNER.
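The sharing and cost rules on this page (who can incur charges, who can delegate access, and what a can-share reader or writer may grant) modelled as a pre-sharing check. This is an added example, not Terra's own code or API; AclEntry, can_grant and audit are hypothetical names, and the ACL entries are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
# Role hierarchy from the page: each level includes everything below it.
RANK = {"READER": 0, "WRITER": 1, "OWNER": 2}

@dataclass(frozen=True)
class AclEntry:
    """One collaborator's workspace access (hypothetical model, not Terra's API)."""
    role: str
    can_share: bool = False
    can_compute: bool = False  # page offers this to writers; owners already compute

def can_incur_costs(entry: AclEntry) -> bool:
    """Owners, writers and anyone with can-compute create charges directly."""
    return entry.role in ("OWNER", "WRITER") or entry.can_compute

def can_enable_others_to_incur_costs(entry: AclEntry) -> bool:
    """A can-share writer can add writers, who can then incur costs."""
    return entry.role == "OWNER" or (entry.role == "WRITER" and entry.can_share)

def can_grant(grantor: AclEntry, grant: AclEntry) -> bool:
    """May grantor add a collaborator with access grant? Owners may grant anything;
    a can-share reader may add readers only, a can-share writer readers or writers;
    only owners may hand out can-share."""
    if grantor.role == "OWNER":
        return True
    if not grantor.can_share or grant.can_share:
        return False
    return RANK[grant.role] <= RANK[grantor.role]

def audit(acl: dict[str, AclEntry]) -> dict[str, list[str]]:
    """Group collaborators by how they can affect your bill, before you share."""
    report: dict[str, list[str]] = {"direct_cost": [], "delegated_cost": [], "transfer_only": []}
    for user, entry in acl.items():
        if can_incur_costs(entry):
            report["direct_cost"].append(user)
        else:  # readers can still trigger data-transfer-out charges by copying data
            report["transfer_only"].append(user)
        if can_enable_others_to_incur_costs(entry):
            report["delegated_cost"].append(user)
    return report

# Constructed sample ACL for one workspace.
SAMPLE_ACL = {
    "alice@example.org": AclEntry("OWNER"),
    "bob@example.org": AclEntry("WRITER", can_share=True),
    "carol@example.org": AclEntry("WRITER", can_compute=True),
    "dave@example.org": AclEntry("READER", can_share=True),
}
```

Running audit(SAMPLE_ACL) lists alice, bob and carol as able to incur costs directly, alice and bob as able to enable others to, and dave as limited to data-transfer charges.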