37 changes: 2 additions & 35 deletions docs/introduction/security-overview.md
@@ -1,38 +1,5 @@
# Security Overview

Wildbook provides broad flexibility in **securing data ownership** and **visibility**. For example, a Wildbook could be completely secured to only ever be accessible to a User who has logged in, blocking any public visibility of data.
Wildbook provides flexibility in **securing data ownership** and **visibility**. For example, a Wildbook could be completely secured to only ever be accessible to a user who has logged in, blocking any public visibility of data. In another configuration, Wildbook can be a very visible repository of global data (see [Sharkbook](https://www.sharkbook.ai/)) but only allow for data curation by pre-approved users.

In another configuration, Wildbook can be a very visible repository of global data (see the [sharkbook.ai formerly Wildbook for Whalesharks ](https://www.whaleshark.org/) for an example) but only allow for data curation by authenticated and pre-approved researchers and volunteers. And there are many possible configurations in between.

Check with the Administrator of your Wildbook(s) for more information about the security model followed.

## General Security Models

Wildbooks generally follow **two security models**.

### Silo Security

**Silo Security** provides a secure sandbox for individual Users to enter and curate their data. Here is a quick summary:

* Your User data is visible only to you.
* You can share data visibility and data curation with other, specific Users in Wildbook via pairwise Collaborations, which must be reciprocally approved at the "view-only" and "edit" levels, respectively.
* Other users can potentially match individual animals from your catalog but must have a Collaboration with you to set the match ID and affect your catalog.
* Other Users attempting to view your data will be blocked from reviewing your Encounters and Marked Individuals and be prompted to extend you an invitation for a Collaboration. Invitations and acceptances can sent inside Wildbook.

[For more information about Silo Security, click here.](../security/silo-security/index.md)

Examples of Silo Security-based Wildbooks include:

* [Flukebook](https://www.flukebook.org)
* [African Carnivore Wildbook](https://africancarnivore.wildbook.org)

### Location-based Role Security

**Location-based Role Security** pairs User Roles in Wildbook with specific study sites around the globe, as reflected in the **Encounter.locationID** data field. For example, a User with the "Mozambique" role assigned to their User Account can edit data assigned to Encounters with the the **locationID** (a.k.a "study site") named "Mozambique".

In this mode, all researchers within a catalog can view all data, but only Users with the correct location role can curate a particular Encounter. This model creates effective groups of collaborators in a geographic location while providing global visibility to the broader research community.

Examples of Location-based Role Security Wildbooks include:

* [sharkbook.ai formerly Wildbook for Whalesharks](https://www.whaleshark.org/)
* [MantaMatcher](https://www.mantamatcher.org)
To learn more, see [Silo Security](../security/silo-security/index.md).
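Review bot: The closing line "To learn more, see [Silo Security](../security/silo-security/index.md)." is now the only pointer on this page, yet the rewritten intro paragraph still describes the publicly visible configuration where curation is limited to pre-approved users (the Sharkbook example), and the Location-based Role Security section that explained it is among the lines dropped here. Add a sentence saying where that configuration is documented or that it is no longer offered, so readers on such a Wildbook are not sent to a model that does not apply to them. The dropped advice to check with the Wildbook's Administrator about which security model is in use would also be worth keeping as one line.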
26 changes: 7 additions & 19 deletions docs/security/index.md
Expand Up @@ -7,30 +7,18 @@ my-account
silo-security/index
```

Wildbook provides broad flexibility in securing **data ownership** and **visibility**. For example, a Wildbook could be completely secured to only ever be accessible to a User who has logged in, blocking any public visibility of data. In another configuration, Wildbook can be a very visible repository of global data (see the [Sharks Wildbook](https://www.sharkbook.ai) for an example) but only allow for data curation by authenticated and pre-approved researchers and volunteers. And there are many possible configurations in between. Check with the Administrator of your Wildbook(s) for more information about the security model followed.
Wildbook provides flexibility in securing **data ownership** and **visibility**. For example, a Wildbook could be completely secured to only ever be accessible to a user who has logged in, blocking any public visibility of data. In another configuration, Wildbook can be a very visible repository of global data (see [Sharkbook](https://www.sharkbook.ai)) but only allow for data curation by pre-approved users.

## General Security Models
### Silo Security Model

Wildbooks generally follow **two security models**.
[Silo Security](silo-security/index.md) provides a secure sandbox for individual users to enter and curate their data.

### Silo Security

[Silo Security](silo-security/index.md) provides a secure sandbox for individual Users to enter and curate their data. Here is a quick summary:

* Your User data is visible only to you.
* You can share data visibility and data curation with other, specific Users in Wildbook via pairwise Collaborations, which must be reciprocally approved at the "view-only" and "edit" levels, respectively.
* Other users can potentially match individual animals from your catalog but must have a Collaboration with you to set the match ID and affect your catalog.
* Other users attempting to view your data will be blocked from reviewing your Encounters and Marked Individuals and be prompted to extend you an invitation for a Collaboration. Invitations and acceptances can be sent inside Wildbook.
* Your user data is visible only to you.
* You can share data specific users in Wildbook via [Collaborations](../security/silo-security/index.md#Collaborations), which must be reciprocally approved at the "view-only" and "edit" level.
* Users can match individual animals from your catalog but must have an edit Collaboration with you to set the match ID and affect your catalog.
* Users attempting to view your data will be blocked from seeing your Encounters and Marked Individuals and be prompted to send you a Collaboration request.

Examples of Silo Security-based Wildbooks include:

* [Flukebook](https://www.flukebook.org)
* [African Carnivore Wildbook](https://africancarnivore.wildbook.org)

### Location-based Role Security

Location-based Role Security pairs User Roles in Wildbook with specific study sites around the globe, as reflected in the **Encounter.locationID** data field. For example, a User with the "Mozambique" role assigned to their User Account can edit data assigned to Encounters with the the **locationID** (a.k.a "study site") named "Mozambique". In this mode, all researchers within a catalog can view all data, but only Users with the correct location role can curate a particular Encounter. This model creates effective groups of collaborators in a geographic location while providing global visibility to the broader research community.
Examples of Location-based Role Security Wildbooks include:

* [Sharkbook](https://www.sharkbook.ai)
* [MantaMatcher](https://www.mantamatcher.org)
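Review bot: In the new Collaborations bullet, "You can share data specific users in Wildbook" is missing "with", and its link target `../security/silo-security/index.md#Collaborations` climbs out of and back into the directory this file already lives in, while the other link in this hunk uses `silo-security/index.md`. Suggest "share data with specific users" and the same relative form as the other link, and check how the docs build generates heading anchors, since the capitalised `#Collaborations` fragment may not resolve.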
9 changes: 0 additions & 9 deletions docs/security/silo-security/bulk-import-logs.md
@@ -1,10 +1 @@
# Bulk Import Logs

As an Org-Admin, you can manage any Bulk Import in the system.

1. Go to **Administer**, then **Bulk Import Logs**.
2. Select the desired Bulk Import task from the list.
3. You can take any of the following actions:
1. **Send to detection:** Send all imported Encounters to Detection. This can only be done if all Encounters have not been sent to Detection.
2. **Send to identification:** Send all imported Encounters to Detection and Identification. This can only be done if all Encounters have not been sent to Detection.
3. **Delete ImportTask:** Delete the Bulk Import and the related data. This can be done at any time.
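Review bot: The header `@@ -1,10 +1 @@` shows this file is cut down to a single line rather than deleted, and the toctree in docs/security/silo-security/index.md still lists `bulk-import-logs` (it appears as context in that file's second hunk header), so the built docs would still carry a near-empty page. Now that the steps live under "Addressing Bulk Import Concerns" in index.md, delete the file and drop the toctree entry, or leave one line here pointing to the new section.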
6 changes: 3 additions & 3 deletions docs/security/silo-security/data-integrity.md
Expand Up @@ -8,15 +8,15 @@ Check your data for annotations that have been assigned to two or more different

Look for duplicated annotations to clean up your data set. From here you can also see which bulk imports contributed to the duplicate annotations or if a single bulk import contained multiple duplicate annotations.

## Check Annotation iaClasses and MediaAsset States by Species (visible to admins only)
## Check Annotation iaClasses and MediaAsset States by Species (visible to staff, admins, and orgAdmins only)

Look for old iaClasses on annotations and media assets that are stuck in a "pending" state. This can cause poor matching performance as they are ignored. The species list allows you to inspect the iaClass values assigned for each species as well as the detection state of media assets in the database.

## URL Access Security Checks (visible to admins only)
## URL Access Security Checks (visible to staff only)

Look for URLs in Wildbook that should or should not be accessible to the public or users with certain roles.

## Wildbook Machine Learning Queue Monitoring (visible to admins only)
## Wildbook Machine Learning Queue Monitoring (visible to staff only)

See a current snapshot and 24 hour historical review of the machine learning pipeline. This can help you determine if a specific user's uploads are contributing to a backlog.

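Review bot: The new heading "visible to staff, admins, and orgAdmins only" does not say that an orgAdmin's view is limited to their own org, which is how the orgAdmin role is described in silo-security/index.md ("view data integrity checks within their org"). State the scoping in the sentence under the heading, and write the role names as that page does (**staff**, **admin**, **orgAdmin**) rather than as plurals, so readers can match them to the role list. The same applies to the two "visible to staff only" headings.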
67 changes: 54 additions & 13 deletions docs/security/silo-security/index.md
Expand Up @@ -3,8 +3,6 @@
```{toctree}
:hidden:

org-admin
site-admin
photo-keywords
data-integrity
library-management
Expand All @@ -13,17 +11,58 @@ bulk-import-logs

The **Silo Security model** lets users decide who they share their data with. The users who most commonly use it are those working on academic research or at-risk species.

Permissions are granted at Encounter-level, meaning a user can access any **Sighting**, **Individual**, or **Survey** as long as they have access to the **Encounter** those belong to.
Permissions are granted at the Encounter level, meaning a user can access any **Sighting**, **Individual**, or **Survey** as long as they have access to the **Encounter** those belong to.

## User Roles

* **Contributor** - users that are limited to only submit Sightings
* **Researcher** - users that can manage their own data (Sightings and Individuals) and collaborations,  match and merge individuals, and search
* **User Manager** - users that can create and edit users, and manage user collaborations
* **Exporter** - users that can export all the data they own and collaborate with
* **Administrator** - users that can manage data and configure the Codex platform they belong to
* **machinelearning** - not functional
* **rest** - not functional
**researcher**
* Users that can manage their data and that of users they have an edit collaboration with, view data of users they have a view collaboration with, export their data and that of users they have a collaboration with, view their data integrity checks, and match and merge individuals.

**orgAdmin**
* Users that can create and edit users within their org, manage user collaborations within their org, create other orgAdmins for their org, export data within their org, view data integrity checks within their org. OrgAdmins cannot edit the data or roles of any user with the **staff** or **admin** role, even within the same org.

**admin**
* Users that can view ecological-related data integrity checks and configure the Wildbook platform they belong to (such as managing [photo keywords](photo-keywords.md)).

**staff**
* This role is intended for Conservation X Labs organization members and is managed in the Wildbook's configuration setting (not within the platform). Staff can create, delete, and edit users; create and delete orgs; manage all user data; configure the Wildbook platform they belong to; and view user-related and ecological-related data integrity checks.

## Managing Users

### Adding Users

OrgAdmins can create and add users to their organization. To get the orgAdmin role, contact a user with the *staff* or *orgAdmin* role of the organization you want to help administer. To create a new user:

1. Go to **Administer**, then **User Management**.
2. Look for the **Create/Edit User** section.
3. Enter a *username, email, and password*.
4. Select the appropriate role based on the permission level you want the user to have. This is multi-select as the roles are not hierarchical. OrgAdmins cannot assign or remove the **admin** or **staff** role from other users.
5. Under **Organization Membership**, select your organization to add a user to it.
6. Click **Save**.

### Deleting Users

Only users with the **staff** role can delete another user.

### Adding Users to your Organization

1. Go to **Administer**, then **User Management.**
2. In the filter box, type a *username, first or last name, or other identifying information*.
3. Select a user from the user grid.
4. Find the **Organization Membership** field in the user’s information.
5. Select your organization to add a user to it.
6. Click **Save**.

### Addressing Bulk Import Concerns

OrgAdmins can manage **bulk imports** for any user in their organization.

1. Go to **Administer**, then **Bulk Import Logs**.
2. Select the desired *Bulk Import task* from the list.
3. Scroll to the bottom. You can take any of the following actions:
* **Send to detection**: Send all imported Encounters to Detection. This can only be done if all Encounters have not been sent to Detection.
* **Send to identification**: Send all imported Encounters to Detection and Identification. This can only be done if all Encounters have not been sent to Detection.
* **Delete ImportTask**: Delete the Bulk Import and the related data. This can be done at any time.

## Collaborations

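Review bot: Under "### Deleting Users", the single sentence "Only users with the **staff** role can delete another user." leaves an orgAdmin with no documented way to cut off access for someone who has left their org. The org-admin.md text removed in this PR recommended disabling over deleting (remove all roles from the account and change its password); carry that over here if orgAdmins can still do it, or say whom to contact. Separately, "### Adding Users" describes creating an account and sits next to "### Adding Users to your Organization"; renaming the first to "Creating Users" would keep the two apart.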
Expand Down Expand Up @@ -60,15 +99,17 @@ The person who initiates the collaboration has an assumed acceptance, so the rec
You can view an encounter if:

* You reported the Encounter.
* You’re a Site Admin.
* You have the staff role.
* You're an orgAdmin and the Encounter belongs to a member of your org.
* You have a Collaboration with another user that allows for view access.
* The Encounter was publicly submitted and not assigned to another User.

## Editing Permissions

You can edit an encounter if:

* You’re a site admin.
* You have the staff role.
* You're an orgAdmin and the Encounter belongs to a member of your org.
* You reported the Encounter.
* You have a collaboration with the owner and the owner grants you edit rights. *Note that edit rights can be revoked at any time.*

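Review bot: The new bullet "You're an orgAdmin and the Encounter belongs to a member of your org." under Editing Permissions has no exception for staff and admin accounts, while the orgAdmin role description added earlier in this file says "OrgAdmins cannot edit the data or roles of any user with the **staff** or **admin** role, even within the same org." Add the exception to the bullet, say whether it also applies to the matching bullet under viewing, and mention Encounter view and edit access in the orgAdmin role description, which currently lists only user management, collaborations, export and data integrity checks.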
Expand All @@ -77,4 +118,4 @@ You can edit an encounter if:
While the Silo Security model provides heightened security for your data, you can allow members of the public, like *citizen scientists*, to see your catalog (Encounter and Marked Individuals) by following these steps:

* Create a User Account in Wildbook with *‘public*’ as a username. This User has no roles and is not intended for login. Make sure to give it a secure password.
* Extend a *view-only collaboration* to the user *‘public’*. The public user account will automatically accept the collaboration.
* Extend a *view-only collaboration* to the user *‘public’*. The public user account will automatically accept the collaboration.
55 changes: 0 additions & 55 deletions docs/security/silo-security/org-admin.md
@@ -1,56 +1 @@
# Org admin

Under Silo Security, users are grouped under organizations, which typically align with real-world organizations. To ensure that organizational goals are met, Wild Me established the **Org-Admin Role**. These are platform members who will handle user management and address bulk import concerns for their organization.

## How to apply for the Org-Admin Role

To get the Org-Admin Role, contact either a *site admin* or an *org-admin* of the organization you want to help administer.

## Managing Users

### Adding Users

As an Org-Admin, you are able to create and add users to your organization. Here’s what you need to know to create a new user:

1. Go to **Administer**, then **User Management**.
2. Look for the **Create/Edit User** section.
3. Enter a *username, email, and password*.
4. Select the appropriate role based on the permission level you want the user to have. This is multi-select as the roles are not hierarchical.
* **orgAdmin** - users with administrative access to manage the organization.
* **Contributor** - users that access are limited to only submit Sightings
* **Researcher** - users that can manage their own data (Sightings and Individuals) and collaborations,  match and merge individuals, and search
* **User Manager** - users that can create and edit users, and manage user collaborations
* **Exporter** - users that can export all the data they own and collaborating with
* **Administrator** - users that can manage data and configure the Wildbook platform they belong to
* **Regions** - users that can see all data related to the region listed
5. Under **Organization Membership**, select your organization to add a user to it.
6. Click **Save**.

### Deleting Users

*Note: Make sure to remove all roles associated with the user account you want to disable and change their password. We recommend disabling over deleting a user account if their data is trusted.*

1. Go to **Administer**, then **User Management**.
2. In the filter box, type a *username, first or last name, or other identifying information.*
3. Select a user from the user grid.
4. Click **Delete User** beneath the user’s information.

## Adding Users to your Organization

1. Go to **Administer**, then **User Management.**
2. In the filter box, type a *username, first or last name, or other identifying information*.
3. Select a user from the user grid.
4. Find the **Organization Membership** field in the user’s information.
5. Select your organization to add a user to it.
6. Click **Save**.

## Addressing Bulk Import Concerns

As an Org-Admin, you can manage **bulk imports** for any user in your organization.

1. Go to **Administer**, then **Bulk Import Logs**.
2. Select the desired *Bulk Import task* from the list.
3. Scroll to the bottom. You can take any of the following actions:
* **Send to detection**: Send all imported Encounters to Detection. This can only be done if all Encounters have not been sent to Detection.
* **Send to identification**: Send all imported Encounters to Detection and Identification. This can only be done if all Encounters have not been sent to Detection.
* **Delete ImportTask**: Delete the Bulk Import and the related data. This can be done at any time.
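Review bot: `@@ -1,56 +1 @@` leaves org-admin.md as a one-line file, and the first hunk of silo-security/index.md removes `org-admin` from the toctree, so what remains is an orphaned page. Delete the file outright, or keep a single line pointing to "Managing Users" in index.md if existing links to this page need to keep working.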
4 changes: 2 additions & 2 deletions docs/security/silo-security/photo-keywords.md
@@ -1,6 +1,6 @@
# Photo Keywords

Keywords are labels displayed on all annotations associated with a media asset.
Keywords are labels displayed on all annotations associated with a media asset. They can be managed by users with the **admin** role.

## Add a new keyword

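Review bot: "They can be managed by users with the **admin** role." reads as admin-only, but the role list in silo-security/index.md says **staff** can also "configure the Wildbook platform they belong to", and the admin entry gives managing photo keywords as an example of that configuration. If staff can manage keywords too, say "the **admin** or **staff** role" here; if not, note the exception in the staff description.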
Expand All @@ -19,4 +19,4 @@ Keywords are labels displayed on all annotations associated with a media asset.
1. Go to **Administer**, then **Photo Keywords**.
2. Using the *Keyword to rename* field, select the existing keyword you want to rename.
3. In the *New keyword description (visible to users)* field, enter your preferred keyword.
4. Click **Rename**. *(Note: All instances of the original keyword will now display as the new keyword.)*
4. Click **Rename**. *(Note: All instances of the original keyword will now display as the new keyword.)*