```mako
<%inherit file="/base.mako"/>

<%def name="title()">Galaxy Administration</%def>

<h2>Administration</h2>

<p>The menu on the left provides the following features:</p>
<ul>
    <li><strong>Security</strong> - see the <strong>Data Security and Data Libraries</strong> section below for details
        <p/>
        <ul>
            <li>
                <strong>Manage users</strong> - provides a view of the registered users and all groups and non-private roles associated
                with each user.
            </li>
            <p/>
            <li>
                <strong>Manage groups</strong> - provides a view of all groups along with the members of the group and the roles associated with
                each group (both private and non-private roles). The group names include a link to a page that allows you to manage the users and
                roles that are associated with the group.
            </li>
            <p/>
            <li>
                <strong>Manage roles</strong> - provides a view of all non-private roles along with the role type, and the users and groups that
                are associated with the role. The role names include a link to a page that allows you to manage the users and groups that are associated
                with the role. The page also includes a view of the data library datasets that are associated with the role and the permissions applied
                to each dataset.
            </li>
        </ul>
    </li>
    <p/>
    <li><strong>Data</strong>
        <p/>
        <ul>
            <li>
                <strong>Manage data libraries</strong> - Data libraries enable a Galaxy administrator to upload datasets into a data library. Currently,
                only administrators can create data libraries.
                <p/>
                When a data library is first created, it is considered "public" since it will be displayed in the "Data Libraries" view for any user, even
                those that are not logged in. The Galaxy administrator can restrict access to a data library by associating roles with the data library's
                "access library" permission. This permission will conservatively override the [dataset] "access" permission for the data library's contained
                datasets.
                <p/>
                For example, if a data library's "access library" permission is associated with Role1 and the data library contains "public" datasets, the
                data library will still only be displayed to those users that have Role1. However, if the data library's "access library" permission is
                associated with both Role1 and Role2 and the data library contains datasets whose [dataset] "access" permission is associated with only Role1,
                then users that have Role2 will be able to access the library, but will not see those contained datasets whose [dataset] "access" permission
                is associated with only Role1.
                <p/>
                In addition to the "access library" permission, permission to perform the following functions on the data library (and its contents) can
                be granted to users (a library item is one of: a data library, a library folder, a library dataset).
                <p/>
                <ul>
                    <li><strong>add library item</strong> - Role members can add library items to this data library or folder</li>
                    <li><strong>modify library item</strong> - Role members can modify this library item</li>
                    <li><strong>manage library permissions</strong> - Role members can manage permissions applied to this library item</li>
                </ul>
                <p/>
                The default behavior is for no permissions to be applied to a data library item, but applied permissions are inherited downward (with the exception
                of the "access library" permission, which is only available on the data library itself). Because of this, it is important to set desired permissions
                on a new data library when it is created. When this is done, new folders and datasets added to the data library will automatically inherit those
                permissions. In the same way, permissions can be applied to a folder, which will be automatically inherited by all contained datasets and sub-folders.
                <p/>
                The "Data Libraries" menu item allows users to access the datasets in a data library as long as they are not restricted from accessing them.
                Importing a library dataset into a history will not make a copy of the dataset, but will be a "pointer" to the dataset on disk. This
                approach allows for multiple users to use a single (possibly very large) dataset file.
            </li>
        </ul>
    </li>
    <p/>
    <li><strong>Server</strong>
        <p/>
        <ul>
            <li>
                <strong>Reload a tool's configuration</strong> - allows a new version of a tool to be loaded while the server is running
            </li>
            <p/>
            <li>
                <strong>Profile memory usage</strong> - measures system memory used for certain Galaxy functions
            </li>
            <p/>
            <li>
                <strong>Manage jobs</strong> - displays all jobs that are currently not finished (i.e., their state is new, waiting, queued, or
                running). Administrators are able to cleanly stop long-running jobs.
            </li>
        </ul>
    </li>
    <p/>
    <li><strong>Forms</strong>
        <p/>To be completed
    </li>
    <p/>
    <li><strong>Sequencing Requests</strong>
        <p/>To be completed
    </li>
    <p/>
    <li><strong>Cloud</strong>
        <p/>To be completed
    </li>
</ul>
<p/>
<p><strong>Data Security and Data Libraries</strong></p>
<p/>
<strong>Security</strong> - Data security in Galaxy is a new feature, so familiarize yourself with the details which can be found
here or in our <a href="http://g2.trac.bx.psu.edu/wiki/SecurityFeatures" target="_blank">data security page</a>. The data security
process incorporates users, groups and roles, and enables the application of certain permissions on datasets, specifically "access"
and "manage permissions". By default, the "manage permissions" permission is associated with the dataset owner's private role, and
the "access" permission is not set, making the dataset public. With these default permissions, users should not see any difference
in the way Galaxy has behaved in the past.
<ul>
    <li>
        <strong>Users</strong> - registered Galaxy users that have created a Galaxy account. Users can belong to groups and can
        be associated with 1 or more roles. If a user is not authenticated during a Galaxy session, they will not have access to any
        of the security features, and datasets they create during that session will have no permissions applied to them (i.e., they
        will be considered "public", and no one will be allowed to change permissions on them).
    </li>
    <p/>
    <li>
        <strong>Groups</strong> - a set of 0 or more users which are considered members of the group. Groups can be associated with 0
        or more roles, simplifying the process of applying permissions to the data between a select group of users.
    </li>
    <p/>
    <li>
        <strong>Roles</strong> - associate users and groups with specific permissions on datasets. For example, users in groups A and B
        can be associated with role C which gives them the "access" permission on datasets D, E and F. Roles have a type which is currently
        one of the following:
        <ul>
            <li>
                <strong>private</strong> - every user is associated automatically with their own private role. Administrators cannot
                manage private roles.
            </li>
            <li>
                <strong>user</strong> - this is currently not used, but eventually any registered user will be able to create a new role
                and this will be its type.
            </li>
            <li>
                <strong>sharing</strong> - a role created automatically during a Galaxy session that enables a user to share data with
                another user. This can generally be considered a temporary role.
            </li>
            <li><strong>admin</strong> - a role created by a Galaxy administrator.</li>
        </ul>
    </li>
    <p/>
    <li>
        <strong>Dataset Permissions</strong> - applying the following permissions to a dataset will result in the behavior described.
        <ul>
            <li>
                <strong>access</strong> - users associated with the role can import this dataset into their history for analysis.
                <p>
                    If no roles with the "access" permission are associated with a dataset, the dataset is "public" and may be accessed by anyone
                    that can access the data library in which it is contained. See the <strong>Manage data libraries</strong> section above for
                    details. Public datasets contained in public data libraries will be accessible to all users (as well as anyone not logged in
                    during a Galaxy session) from the list of data libraries displayed when the "Data Libraries" menu item is selected.
                </p>
                <p>
                    Associating a dataset with a role that includes the "access" permission restricts the set of users that can access it.
                    For example, if 'Role A' includes the "access" permission and 'Role A' is associated with the dataset, only those users
                    and groups who are associated with 'Role A' may access the dataset.
                </p>
                <p>
                    If multiple roles that include the "access" permission are associated with a dataset, access to the dataset is derived
                    from the intersection of the users associated with the roles. For example, if 'Role A' and 'Role B' are associated with
                    a dataset, only those users and groups who are associated with both 'Role A' AND 'Role B' may access the dataset. When
                    the "access" permission is applied to a dataset, Galaxy checks to make sure that at least 1 user belongs to all groups and
                    roles associated with the "access" permission (otherwise the dataset would be restricted from everyone).
                </p>
                <p>
                    In order for a user to make a dataset private (i.e., only they can access it), they should associate the dataset with
                    their private role (the role identical to their Galaxy user name / email address). Associating additional roles that
                    include the "access" permission is not possible, since it would render the dataset inaccessible to everyone.
                </p>
                <p>
                    To make a dataset private to themselves and one or more other users, the user can create a new role and associate the dataset
                    with that role, not their "private role". Galaxy makes this easy by telling the user they are about to share a private dataset
                    and giving them the option of doing so. If they respond positively, the sharing role is automatically created for them.
                </p>
                <p>
                    Private data (data associated with roles that include the "access" permission) must be made public in order to be used
                    with external applications like the "view at UCSC" link, or the "Perform genome analysis and prediction with EpiGRAPH"
                    tool. Being made publicly accessible means removing the association of all roles that include the "access" permission
                    from the dataset.
                </p>
            </li>
            <li><strong>manage permissions</strong> - Role members can manage the permissions applied to this dataset</li>
        </ul>
    </li>
</ul>
<br/>
```
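The access rules described in the template text above, modeled as an added example (this is not Galaxy's own code): the function names, the sample library and the users are hypothetical and constructed for illustration. It assumes, following the page's Role1/Role2 example, that any one "access library" role admits a user to the library, while dataset "access" roles must all be held.

```python
# Added example: a toy model of the access rules this page describes.
# Function names and sample data are hypothetical, not Galaxy's API.

def can_access_library(user_roles, library_access_roles):
    # No "access library" roles: the library is public (even when not logged in).
    # Otherwise holding any one listed role is enough (the page's Role1/Role2 case).
    if not library_access_roles:
        return True
    return bool(set(user_roles) & set(library_access_roles))

def can_access_dataset(user_roles, dataset_access_roles):
    # No "access" roles: the dataset is public. Otherwise the user must hold
    # every listed role (intersection semantics).
    return set(dataset_access_roles) <= set(user_roles)

def visible_datasets(user_roles, library):
    # The library permission conservatively overrides dataset permissions.
    if not can_access_library(user_roles, library["access_roles"]):
        return []
    return [name for name, roles in library["datasets"].items()
            if can_access_dataset(user_roles, roles)]

def access_is_satisfiable(all_users, dataset_access_roles):
    # Mirrors the described check that at least 1 user holds all the roles,
    # so a dataset is never locked away from everyone.
    required = set(dataset_access_roles)
    return any(required <= set(roles) for roles in all_users.values())

# Constructed sample data; each user's private role is named after their email.
LIBRARY = {
    "access_roles": {"Role1", "Role2"},
    "datasets": {"public_ds": set(), "role1_ds": {"Role1"}},
}
USERS = {
    "alice@example.org": {"alice@example.org", "Role1"},
    "bob@example.org": {"bob@example.org", "Role2"},
}

if __name__ == "__main__":
    for email, roles in USERS.items():
        print(email, visible_datasets(roles, LIBRARY))
    print("anonymous", visible_datasets(set(), LIBRARY))
    print("Role1+Role2 satisfiable:", access_is_satisfiable(USERS, {"Role1", "Role2"}))
```

The last check is the one to run before applying a role set to a dataset: with these sample users, requiring both Role1 and Role2 would leave the dataset inaccessible to everyone.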