UI Server permissions for individual workflows or workflow groups/patterns?

Hi,

I couldn’t see anything in the docs, so I assume this can’t be done, but, is it possible to grant permissions to workflows but limited to individual workflows instead of access to all workflows? For example, say I’m working on two or more projects. I want projectA people to have the ability to interact with systemA workflows, and projectB people to interact with systemB workflows. From what I can see, I can’t specify that, instead I can only specify that projectA and projectB people have access to all of my workflows.

Have I missed something? If not, could this functionality be provided, so I can do "modelA*" : "group:projectA_staff" : [permissions] or whatever syntax is appropriate (workflows matching modelA* glob pattern, for projectA_staff group have [permissions])?

That’s right, you can authorize users or groups to have different levels of access to your workflows, but not just to a subset of those.

In principle that could be implemented, but as far as I remember there wasn’t any call for that during Cylc 8 planning discussions.

We decided that we would not support per-workflow permissions.

On the surface, it might seem reasonable, however, doing this would risk creating a layer of pseudo security as what we are really controlling here is not so much workflow permissions, but account permissions.

The recommendation for this sort of problem (with or without Cylc) is to use role-based user accounts for each project to keep the trust zones separate.


Yep, thanks for the reminder @oliver.sanders

We could do it, but it would create a false sense of security. If you have been granted access to one workflow on a user account, then in principle you have full access to that account - because the workflow can run any code as the owner.

I understand the false sense of security part. But, having restrictions based on workflow does help protect against - but not completely remove the risk of - accidents. For example, projectA person means to stop modelA but accidentally stops modelB. Whilst this may be considered unlikely, it is definitely possible.