OMERO: read-only access for owned data

Hi all,

I have the following situation in our facility and am thinking about the right concept:
An employee changes from working group X and now works for working group Y.
As a member of working group Y, the employee should only have read-only access to the data created for working group X. How can I map this in the OMERO permission system?

I have thought of the following three possibilities:

  1. employee is no longer a member of the omero group X in OMERO
    pro: employee has no access to the data in the omero group X owned by the employee, as far as I understand
    con: filter view (by owner) no longer possible in group X for this data (except by searching for the employee name)
    con: adding the employee as a coop-partner to the group X reactivates access
  2. employee gets a new account in OMERO (former account is inactive)
    pro: employee no longer has full permissions to formerly created data
    con: multiple accounts in OMERO with similar names can lead to misunderstandings
  3. change ownership of the data (for example to PI) and save creator of the data as key-value
    con: not really a “clean” solution, I think

I find the 3 possibilities not really satisfying. I would be happy to discuss further ideas or misconceptions!

Cheers,
Susanne

What we have started doing is to use OMERO groups for the group of people involved in a specific project instead of the group of people that work for the same PI. This means that if a researcher moves from PI X to PI Y, they can remain in the groups since they’re likely to continue in the project (provided that the project lead wants to keep them involved).

Pros:

  • researcher keeps access to their old projects and not forever on all projects
    of their old group.

Cons:

  • You get too many projects.

To work around the problem of ending up with too many projects, we also have:

  • one OMERO group per PI group
  • a private OMERO group

We recommend people to place their data in one of those two groups, and only get a project based group when there really is a project with more people involved.

Hi David,

thank you for your hint! I had simplified the problem in the description to make it easier to understand. You are right, we have also working groups as well as collaboration/project and service groups. But maybe we have to reconsider our group concept because of this case…

@joshmoore: Is it the case that people have no way to access their data if they have been excluded from the corresponding group?

@carandraug Thank you so much for outlining the group system you are using in your institution. Indeed, the OMERO permissions system does not allow you to do much better than that, this is a current limitation.

@sukunis To answer your direct question

Is it the case that people have no way to access their data if they have been excluded from the corresponding group?

No, there are still some ways for them to access their data, one of which would be OMERO.downloader, see https://omero-guides.readthedocs.io/projects/download/en/latest/download.html?highlight=omero.downloader#image-export-using-omero-downloader-demo-only .
The data can be accessed by these users also using the CLI command omero fs images.
Nevertheless, our main OMERO.web graphical client (as well as OMERO.insight) will give no chance for such users to see their data. On top of this, OMERO.web and OMERO.insight might perform unexpected behaviour in case the users attempt to access their images in the groups they are not members of using those two clients, see for example https://github.com/ome/omero-web/issues/236

For these reasons, we would discourage using the workflow where the owner of the data is not a member of the group where the data is in as a suggested workflow for your users. Our main clients are simply not ready for such an eventuality. Hope that is clear, please do not hesitate to ask if not.

Thank you both again for your reports and questions.

All the best

Petr


Thank you @pwalczysko, I decided to change the ownership because this is what the group owner could also do by using OMERO.cli.

All the best,
Susanne
