Coordinated Permissioning Use Cases

| In Permissions Matrix | Entry ID | What action is being taken? | Who is performing the action? | Why is action needed? | Added by | Notes | IU / Emory / UNC / WGBH |
|---|---|---|---|---|---|---|---|
| X | 1 | Search, browse, View all publicly available works | Unauthenticated User | Research, browsing, searching | University of North Carolina | | |
| X | 2 | Create collections | Authenticated User | So I can post a link to my works on my website | University of North Carolina | | |
| X | 3 | Assign another user as my proxy | Authenticated User | So someone can deposit works on my behalf, I'm too busy. | University of North Carolina | | |
| X | 4 | Allow a colleague on campus to edit a work | Authenticated User | We are co-authors | University of North Carolina | | |
| X | 5 | Allow an external colleague to download a private dataset (24 hour, 1 time link) | Authenticated User | I need to share my datasets with researchers whom I have vetted, but I can't share my dataset publicly | University of North Carolina | | |
| X | 6 | Discover my works and all the works that are restricted to logged in users at my institution | Authenticated User | I need to see my works that are private or co-authored by me. | University of North Carolina | | |
| X | 7 | Log in with my university credentials | | Because my institution policy has one id and password for everything | University of North Carolina | | |
| X | 8 | Deposit works to Collections that I should | Authenticated User | So I don't deposit in the wrong place | University of North Carolina | | |
| X | 9 | Edit and mark for deletion works, files, collections that I have created. | Authenticated User | So I can fix errors, delete things I want to withdraw. | University of North Carolina | | |
| X | 10 | Assign and edit permissions on my objects | Authenticated User | So I can control who sees what | University of North Carolina | | |
| X | 11 | Transfer ownership of works and collections to colleagues at my institution | Authenticated User | So when I leave my job, someone can have control over department wide resources | University of North Carolina | | |
| X | 12 | Create a collection of all the work of students and faculty in my department that I didn't deposit or have edit rights to | Department Assistant | So I can post a link to my works on my website | University of North Carolina | Discuss as a group - is this creating a new collection to deposit new works into, or collecting existing works for presentation? | |
| X | 13 | Edit and delete my collections | Department Assistant | So I can make changes if my department title changes | University of North Carolina | MW - Same as entry 9? JRR - the difference is that these might be collections the user didn't create, not sure if it's worth having them separate? MW: Julie, can we re-phrase this, then, to say "collections in my department" instead of "my collections"? I will check mark for IU assuming "my collections" is something other than the collections I have created. | |
| X | 14 | Grant edit access to my department head | Department Assistant | So they can fill in for me | University of North Carolina | Is this for every item contained in the collection? For IU, this is not necessarily needed for this role of Department Assistant, but for collection managers. | |
| X | 15 | Create a collection of works from across collections in the repository, but not be able to edit the works themselves | Exhibit Curator | So I can make an online exhibit | University of North Carolina | For IU, playlists fill this use case in Avalon | |
| X | 16 | See, but not edit, all the works in repository even if they are marked private | Reference Librarian | So I can help researchers, but I don't want to edit anything by mistake. | University of North Carolina | From Emory: we might want this for a different user type, but could see a use for this to support Collection Management activities, Curators, senior leadership, etc. | ✔? |
| X | 17 | Edit metadata for everything in the repository, but not delete | Metadata Librarian | I need to mitigate MD problems for all works in the repo, but I don't want to delete works or files | University of North Carolina | | |
| X | 18 | Deposit works to a specific Admin Set, but they need to be reviewed by my boss before they go public | Student Library Staff | Someone needs to check my work | University of North Carolina | | |
| X | 19 | Read, edit, delete all works in Set/Collection | Collection Manager | I am responsible for all the works in an entire collection | University of North Carolina | not possible in current hyrax | |
| X | 20 | Edit Collection object | Collection Manager | Fix mistakes, add metadata | University of North Carolina | | |
| X | 21 | Grant permissions to collections and works in a collection | Collection Manager | So I can add staff, students who work in my department | University of North Carolina | | |
| X | 22 | Do not want to discover, edit, delete other people's admin sets | Collection Manager | I need to only work on my own stuff. | University of North Carolina | | |
| X | 23 | Set up all of the admin sets and properties | Repository Administrator | So I can determine and control how the repository is organized | University of North Carolina | | |
| X | 24 | Grant permission to collection managers | Repository Administrator | So I can grant access on a collection-basis to individual staff | University of North Carolina | | |
| X | 25 | Override special deposit policies (release and visibility) set on the Admin Set | Repository Administrator | Make exceptions to the policy without having to remove a work from an admin set | University of North Carolina | | |
| X | 26 | Move objects between admin sets | Repository Administrator | Mitigate problems/changes | University of North Carolina | From Emory: this would be useful as organizational structures change over time | |
| | 27 | Control the settings and flippable features | Repository Administrator | set up the repo | University of North Carolina | Outside of permissions context? | |
| X | 28 | Grant/change permission at any level and object type in my repo | Repository Administrator | I usually have to assist users | University of North Carolina | | |
| | 29 | Revoke any access level to works/collections/set from users | Repository Administrator | So when someone leaves a job, they can no longer edit ANYthing they shouldn't | University of North Carolina | not possible in current hyrax. Is this an action within the system to remove a user from anything on which they might have access? | |
| X | 30 | Edit, delete all objects | Repository Administrator | I need to be a superuser | University of North Carolina | | |
| X | 31 | Destroy objects | Repository Administrator | Because only I should do this according to our policies | University of North Carolina | | |
| X | 32 | Deny depositors from editing and deleting their works (admin set level) | Repository Administrator | Comply with my institutional policies | University of North Carolina | | ✔? |
| X | 33 | Review, accept/reject/comment for all works in an Admin set | Department reviewer | I am the person responsible to review for all works in my department | University of North Carolina | | |
| | 34 | Notified of new pending item for review | Department reviewer | I want a notification | University of North Carolina | | |
| | 35 | accept, reject, comment on works that have been assigned for me to review | Faculty reviewer | I am responsible for a subset of works in my department | University of North Carolina | Not possible in current hyrax | ✔? |
| | 36 | See all works deposited by members of my department before and after reviews are completed | Department reviewer | | University of North Carolina | | ✔? |
| | 37 | Do not want to see works from my department or others, only those that are assigned to me | Faculty reviewer | I don't want to do the wrong thing or see sensitive papers | University of North Carolina | | ✔? |
| X | 38 | View administrative metadata (raw metadata endpoint, Fedora identifiers etc.) | Collection Manager | I need access to raw metadata for verification or use elsewhere | Indiana University | | |
| X | 39 | Create, edit, delete a unit (admin set) | Repository Administrator | So that someone has the ability to do these things. | Indiana University | | |
| X | 40 | Create, edit, delete a collection | Collection Manager | To manage collections | Indiana University | | |
| X | 41 | Create, edit, delete a nested Collection | Collection Manager | To manage collections | Indiana University | | |
| X | 42 | Create a work | Collection Manager, Editor, Depositor | To build the collections | Indiana University | similar to entry #8, but since that case is for any authenticated users, it is not exactly the same. | |
| X | 43 | Any possible action | Repository Administrator | I am the superuser! | Indiana University | | |
| X | 44 | Edit a collection | Collection Manager, Editor, Depositor | Correct collection information, or complete it. | Indiana University | | |
| X | 45 | Set collection access control | Collection Manager | Give read-only access to the collection | Indiana University | | |
| X | 46 | Add Managers to system | Repository Administrator | I am the superuser! | Indiana University | covers 23 to 32, 39, 47, 67; but also other tasks not listed. | |
| X | 47 | Add Users to permission-based roles including Managers, Editors and Depositors to collection | Collection Manager | to manage access to my collection | Indiana University | Same as #66 | |
| X | 48 | Add Depositor to collection | Collection Editor | to help manager with some of the collection management tasks. | Indiana University | Included maybe in #21 | |
| X | 49 | Add Managers, Editors and Depositors to AdminSet | Collection Manager | to manage access to my collection | Indiana University | Included maybe in #21 | |
| X | 50 | Add Depositor to AdminSet | Collection Editor | to help manager with some of the collection management tasks. | Indiana University | Included maybe in #21 | |
| X | 51 | Set access control on work | Collection Manager, Editor, Depositor | Give read-only access to a specific work | Indiana University | Included maybe in #21 | |
| X | 52 | Edit unpublished works | Collection Manager, Editor, Depositor | to get the work information up-to-date | Indiana University | | |
| X | 53 | Move a work to another collection | Collection Manager | to reorganize collections | Indiana University | | |
| X | 54 | Move a work to another AdminSet | Collection Manager | to reorganize collections | Indiana University | | |
| X | 55 | Publish a work | Collection Manager | to make work available to those who are set to have read access to it | Indiana University | Superseded by #63. | |
| X | 56 | Edit published works | Collection Manager | to update the information on the works | Indiana University | | |
| | 57 | Create a work in my Admin Set, but require a Repository Admin to accept it | Collection Manager, Editor, Depositor | to add works, but only if the project staff approves | WGBH | From Emory: is this essentially a mediated deposit workflow?? | |
| X | 58 | Create, edit, delete an Admin Set | Repository Administrator | So that someone has the ability to do these things. | WGBH | Same as entry 39 | |
| X | 59 | View, but not edit, all works in my collection | Collection Viewer | to do research or assessments without changing any data | WGBH | Subset of entry 80. | |
| X | 60 | Embargo my work | Authenticated User | I have to keep it private for 2 years | University of North Carolina | For IU, this is for a different role, not just any authenticated user. | |
| X | 61 | Keep my work private to my institution | Authenticated User | | University of North Carolina | For IU, this is for a different role, not just any authenticated user. | |
| X | 62 | Keep my work private to only me | Authenticated User | | University of North Carolina | For IU, this is for a different role, not just any authenticated user. | |
| X | 63 | Make my work public | Authenticated User | | University of North Carolina | | |
| | 64 | I want to assign a primary Library collection affiliation for a work, but be able to control its use in an Exhibition collection that might include works from other Library Collections | Collection Manager | so that its source context is not lost if it is added to a user created or exhibit collection and so that I can manage permissions at the Collection-level | Emory | Is it possible to assign a primary Collection assignment of one type, but then share works with a different Collection type? | |
| | 65 | I want to assign permissions at the top level of an entity and have them propagate to their children, but be override-able at lower levels if needed | Repository Administrator, Collection Manager | so that it is faster for me to assign permissions to appropriate internal staff users or groups on a collection by collection basis | Emory | | ✔✔ |
| X | 66 | I want self-service ability to assign and maintain a set of users within an existing permissions group | Repository Administrator, Collection Manager | so that I don't have to request developer assistance or application redeployment to perform routine tasks | Emory | Screenshot- add users to a group via GUI | |
| X | 67 | I want self-service ability to create a Group of users that I can assign to various permissions | Repository Administrator | so that I don't have to request developer assistance or application redeployment to perform routine tasks | Emory | | |
| X | 68 | I want self service ability to manage a subset of groups and users relative to my immediate organization/department | Collection Manager | so that I can more easily manage my Library’s staff permissions without having to request full administrator access to the application | Emory | In a multiple Library scenario. Emory will have at least 5 campus libraries depositing to a shared repository environment. ✔ Nested groups? | |
| X | 69 | I want to restrict editing of selected parts of the digital object's metadata to specialized personnel | Collection Manager | so that I can minimize unwanted changes to the object in its preservation state | Emory | E.g. student assistants can edit Descriptive Metadata only, but not be able to replace files or modify preservation metadata. Or, we can restrict changes to Rights-related metadata to selected staff only. [I anticipate this will be unlikely to be achieved with metadata in particular (RDF/PCDM)...] | |
| X | 70 | I want to restrict editing of selected parts of the digital object's supplemental preservation files to specialized personnel | Repository Administrator, Collection Manager | so that I can minimize unwanted changes to the object in its preservation state | Emory | As in, File-set level permissions. This may already be doable in Hyrax? We will have different types of supplemental files per object. | |
| ? | 71 | I want to be able to view individual staff/assistants' user activity for users modifying objects/files in my collections/dept only | Repository Administrator, Collection Manager | so that I can contact a specific user about their work | Emory | Confirm: currently only Admin users can see user activity in the hyrax dashboard? Want to see relevant user activity, not all user activity. Could address this by having Coll Managers contact Admin users for a report | |
| | 72 | I want to run reports about analytics and inventory that are scoped to my Library or collection hierarchy only | Collection Manager | so that I can exclude extraneous data about other Libraries' content and users | Emory | In an environment with multiple depositing Libraries where we will have hundreds of collections. This may be partially addressed by HAWG work, but I'm noting it more for the permissions aspect | |
| X | 73 | I want to restrict Deletion capabilities to Admins only or enforce via a workflow | Repository Administrator | because deletion is subject to local policy | Emory | This is related to 74, but more critical than 74. Need to constrain the out of the box Hyrax ability to delete | |
| ? | 74 | I want to be able to deselect/select individual abilities assigned to a System Role in a self service capacity | Repository Administrator | so that I can customize default system Roles with less developer assistance | Emory | E.g. selected Roles are not able to Delete. Having a UI with checkboxes to activate/deactivate pre-set abilities is one approach | ✔✔✔ |
| X | 75 | I want to constrain the types of Collections that Self Deposit/non-Library users create | Repository Administrator | so that user-created collections are not competing with Library-curated collections in search and discovery context | Emory | Addressed with new Collection Creator role (through Collection Extensions) | |
| X | 76 | I want to delineate Library Staff/curating users from self deposit users | Repository Administrator | so that I can restrict certain system-wide activities to users who are Library staff only | Emory | Self depositors should not be able to perform preservation activities, see administrative metadata, etc. just because they have an account to deposit. Could this be addressed by managing abilities on the Authorized User level? When you sign up you get minimal access, but if you're staff your access can be increased? | |
| X | 77 | I want to embargo sub-levels of the work | Collection Manager, Editor, Depositor | so that sensitive or proprietary details included in an abstract or table of contents for my work are not visible, but other metadata is | Emory | We have customized this in our Hyrax ETDs application, sharing in case it is more broadly applicable | |
| ? | 78 | I want to manage visibility and edit access to Preservation Workflow/Events information related to a work | Repository Administrator, Collection Manager | so that I can minimize unwanted changes to preservation audits for an object | Emory | Noting this as a non-standard, custom entity that we will develop locally | |
| X | 79 | I want to manage visibility and edit access to administrative files such as agreements, MOUs | Repository Administrator, Collection Manager | so that this potentially sensitive information is preserved in the repository but is not editable or viewable except by selected staff | Emory | Noting this as a non-standard, custom entity that we will develop locally. These can be handled as objects in a collection or Admin Set. IU: Is this different than entry 51? UNC: We need this but for a slightly different use case. Okay to broaden to "administrative files". Use case for IR could be "Deposit agreements, MOUs" for works that staff are depositing in bulk. Emory: I updated per UNC suggestion | |
| X | 80 | Search, browse, View all works that I have permission to access | Authenticated User | Research, browsing, searching | Indiana University | | |
| | 81 | I want to bulk change permissions for an entire admin set and have the changes propagate to all works in the set | Repository Administrator | | University of North Carolina | | |
| X | 82 | I want to be able to customize levels of visibility for my institution to include specific IP ranges | Repository Administrator | so that I can designate ranges of network access without requiring campus users to create repository accounts, and so that I can provide physical machine-based access to some material | Emory | E.g. restrict to campus network only; restrict to Reading Room | |
| X | 83 | I want to be able to assign permissions using ADS groups | Repository Administrator, Collection Manager | so that I can share groups with other applications. For instance, the ADS group that identifies students of the School of Music can be used to give those students viewing permissions to a collection of musical performances. | Indiana University | | ✔? |
| | 84 | I want to be able to change permissions for a selected list of works at once. | Repository Administrator, Collection Manager | so that I can rework/edit/correct permissions in bulk. | Indiana University | 84 and 85 may not fall under permissions work proper | |
| | 85 | I want to give Repository Administrator role to someone without having to redeploy the application. | Repository Administrator | so that this role can be managed by users (repo admins) and not by sys admins | Indiana University | | |
| X | 86 | I want to grant access to a work based on IP address | Collection Manager, Editor | So that collection managers can set access to items by IP address (c.f. #82) | Indiana University | [See also #82] | |
| ? | 87 | I want full access to all works assigned to a given Library-curated Collection (similar to how permissions are assigned via Admin Sets) | Repository Administrator, Collection Manager | so that I can avoid redundant Admin Sets and so that I can separate workflow-oriented deposit constraints for deposit activities from long term collection management activities | Emory | This relates to use case 19. We will have multiple mediated workflows requiring Admin Sets because of the 1:1 constraint, but then we will also have hundreds of Collections from different Libraries. The permissions patterns for managing material post-deposit will be Library-based, but because of the 1:1 with Admin Sets and workflows and how permissions propagate to works, we will likely have to do a lot of redundant permissions management on Admin Sets that lend themselves more naturally to Collection structures. Also, Admin Sets cannot be nested, but Collections can. | |
| ? | 88 | I want to control who can view different representations of a work or collection (such as IIIF, TTL, JSON) | Repository Administrator, Collection Manager | I can ensure that appropriate users have access to the full data about an object, especially if some data properties are restricted or embargoed | Emory | This was noted by Anna Headley/Princeton, but also relates to use case 77 | |
| X | 89 | I want to control who can download different derivatives and files that are part of a work | Repository Administrator, Collection Manager | I can restrict download access to selected files within an object package | Emory | Noted by Anna Headley/Princeton. Implies that we can split view and download actions | |
| X | 90 | I want to export/publish an entire Collection's works or metadata | Repository Administrator, Collection Manager | I can distribute material to Proquest, HathiTrust, DPLA, DPN, or other locations, or analyze metadata outside of the repository interface | Emory | Export a whole collection. This is not currently in Hyrax functionality. | |
| X | 91 | I want to export/publish selected works or metadata | Repository Administrator, Collection Manager | I can distribute material to Proquest, HathiTrust, DPLA, DPN, or other locations, or analyze metadata outside of the repository interface | Emory | Export an arbitrary selection of works/metadata. This is not currently in Hyrax functionality. | |
| X | 92 | I want administrative data to have restricted access (only administrators). | Collection Manager, Editor, Depositor | So that personal information may be protected (such as email address of person who deposited); and so that information related to workflow be unavailable to the general public. | Indiana University | | |
| X | 93 | I want to be able to embargo a file associated with a work, even if the work itself is available and not embargoed. | Collection Manager, Editor, Depositor | So that works that require special access permissions are discoverable. | Indiana University | | |
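| X | 94 | Create group | | | | | |
| X | 95 | Edit group | | | | | |
| X | 96 | View group | | | | | |
| X | 97 | Delete group | | | | | |
| X | 98 | Search / discover group | | | | | |
| X | 99 | Edit group permissions | | | | | |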