What Wildbook are you working in? Whiskerbook (WKB)
A new organization to WKB is testing out various functionality and discovered an unexpected constraint with collaborations.
3 users each from the same organization, one of whom has OrgAdmin status, each contributed an encounter to the same ID’d individual while they each had an edit collaboration with each other.
Then one edit level collaboration was revoked. After that, all 3 users found that none of them had edit access to the individual anymore (including the user with OrgAdmin access). It was only once that edit-level collaboration was restored that edit access to that Marked Individual was restored.
Is this as designed? The concern is around times when one user might leave the organization which owns the data uploaded under their user ID.
If this is as designed, would it be possible to grant the OrgAdmin level role, edit access to all data uploaded by users who are members of that organization?
cc: @Lucas & @PaulK
Hey @ACWadmin1 ,
I got a little lost in the middle, so I need to clarify. It sounds like we start with three users: UserA, UserB, and UserC (UserC is an OrgAdmin).
- These users confirm Edit level collaborations with each other
- UserA submits EncA, UserB submits EncB, and UserC submits EncC
- EncA, EncB, and EncC are all found to be of the same animal, and are matched as IndividualOne
- All users revoke the Edit level collaboration with each other
- Now no one can edit IndividualOne
Is that accurate?
Hi @tanyastere , how are you? You’re correct on all points except #4. Only one user revoked the edit permission from one of the other users.
Oh, y’know, well enough. Built a fence this weekend with the dogs “helping”
That, I can say with absolute certainty, is a bug. And a very weird one. What we would expect to happen is everyone to maintain edit-access to the individual, and the two who still have Edit-level collaboration to be able to edit each other’s encounters.
I’ll take the request for how org-admin should work as some user-research-data, but this access issue is something we need to fix.
Tracking here: Revoking edit level collaboration breaks individual for collaborating users · Issue #299 · WildMeOrg/Wildbook · GitHub
Hey @ACWadmin1 @tanyastere
OK, I dug further into this, and what the users are experiencing is as-coded. Whether that’s a good thing is worthy of discussion.
Basically, a User is authorized to edit a MarkedIndividual if they validate the checks of a function called: Collaboration.canUserFullyEditMarkedIndividual(…)
The function basically checks 1) if the user is an admin or 2) if the user has edit-level access to every Encounter of the MarkedIndividual. If the user is not admin and doesn’t have edit access to even one Encounter of the MarkedIndividual…they have no edit privileges.
This seems…really strict.
What are your thoughts on what should happen?
Hi @jason & @tanyastere - I had a chat today with @Lucas on this topic. We agreed that this is too strict a constraint.
What we’d prefer is as follows:
If an edit-level collaboration is in place btw 2 users, research level only, then both should be able to edit each other’s Marked Individuals, regardless of whether either user has any encounters assigned to that Marked Individual.
The reasoning is that in the siloed security model, we understand that collaborations allow full, bi-directional access to each of the collaborating users’ data, either view only or full edit. To have that qualified with Marked Individual records seems out of synch with the ‘all or nothing’ collaboration model. So if 2 users agree to a full edit-level collaboration, then they are accepting that the other user has full edit level capability across their entire dataset.
Note: if no collaboration is in place or if the collaboration is view-only, then there should be no access to edit another user’s records, including encounters as well as Marked Individual records.
And actually, until @Lucas raised this issue with me, the above is how I assumed the edit-level collaboration worked wrt Marked Individual records.
That said, the OrgAdmin role should have full edit level access to all members’ data, including Marked Individuals in order to ensure an authorized representative of the organization has full control of all of their org’s data, regardless of the individual user who uploads it. This is particularly important when staff leave an organization - the data can still be accessed and managed by that organization’s OrgAdmin.
I hope that’s doable. It would be useful across Wildbooks, I believe. Definitely in ACW & Whiskerbook for organizations like Reseau Lynx France and Panthera.
This sounds good. I will find time to implement. There are a few things ahead of it, but this is important.
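A simplified model of the two rules discussed in this thread, added here as an illustration; it is not Wildbook code and not written by any of the posters. It assumes that edit access to an encounter means owning it or holding an edit-level collaboration with its owner, and the `relaxed` rule is one hypothetical reading of the request above; the class, method names and sample data are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AccessModel:
    owners: dict                                     # encounter -> owner (constructed)
    edit_collabs: set = field(default_factory=set)   # frozenset({user1, user2})
    site_admins: set = field(default_factory=set)
    org_members: dict = field(default_factory=dict)  # OrgAdmin -> member users

    def can_edit_encounter(self, user, enc):
        # Assumption: own it, or edit-level collaboration with its owner.
        owner = self.owners[enc]
        return user == owner or frozenset({user, owner}) in self.edit_collabs

    def strict(self, user, encs):
        # Rule as described in the thread: admin, or edit access to EVERY encounter.
        return user in self.site_admins or all(
            self.can_edit_encounter(user, e) for e in encs)

    def relaxed(self, user, encs):
        # Hypothetical reading of the request: admin, OrgAdmin of any
        # encounter's owner, or edit access to AT LEAST ONE encounter.
        members = self.org_members.get(user, set())
        return (user in self.site_admins
                or any(self.owners[e] in members for e in encs)
                or any(self.can_edit_encounter(user, e) for e in encs))

def scenario():
    users = ["UserA", "UserB", "UserC"]
    m = AccessModel(
        owners={"EncA": "UserA", "EncB": "UserB", "EncC": "UserC"},
        edit_collabs={frozenset(p) for p in
                      [("UserA", "UserB"), ("UserA", "UserC"), ("UserB", "UserC")]},
        org_members={"UserC": set(users)},
    )
    individual_one = list(m.owners)   # all three encounters matched to one individual
    before = {u: m.strict(u, individual_one) for u in users}
    m.edit_collabs.discard(frozenset(("UserA", "UserB")))   # one collaboration revoked
    strict_after = {u: m.strict(u, individual_one) for u in users}
    relaxed_after = {u: m.relaxed(u, individual_one) for u in users}
    return before, strict_after, relaxed_after

if __name__ == "__main__":
    for label, result in zip(("before", "strict after", "relaxed after"), scenario()):
        print(label, result)
```

The model covers only the rule as described in the thread, so it is useful for reasoning about the all-encounters check rather than as a reproduction of every observation in the original report.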