We're sorry to hear that you have encountered problems in working with
dataset libraries and security in Galaxy. Please see my explanations
below, and let me know if more clarification is needed or if you come
across behavior that differs from that described.
This is how Galaxy currently behaves. In Galaxy, a library, a library
folder and a library dataset are all associated with 3 "library"
permissions ( or privileges ):
1) modify library item: Role members can modify this library item
2) add library item: Role members can add library items to this
3) manage library permissions: Role members can manage roles
with this library item
These 3 privileges are all "grant" privileges in that if a user has a
role that is associated with the permission, the user can perform that
action. Roles can be associated with an individual user or a group,
a group can consist of 0 or more users. These 3 library level
permissions are all inherited downward in the library hierarchy, so if
you set permissions at the library level, any new folder added to the
top level of the library will inherit these "library" permissions.
same inheritance scheme works for library folders, so if you add a
sub-folder to a folder, the sub-folder will inherit the "library"
permissions of it's parent folder. Changing the "library" permissions
on a folder will therefore cause all newly added sub-folders to
those changed "library" permissions of it's parent. NOTE: this
currently only works for newly added folders and library datasets, but
we'll soon introduce a feature that will allow you to enforce this
inheritance on existing folders and library datasets.
A library datasets has 2 "library dataset" permissions in addition to
the above 3 "library" permissions:
1) manage permissions: Role members can manage the roles associated
2) access: Role members can import this dataset into their history for
analysis. NOTE: Users must have every role associated with the access
permission on this dataset in order to access it
Again, roles can be associated with an individual user or a group, and
the "library dataset" permission "manage permissions" is a grant
privilege, and has the same behavior as that "library" permission.
The "library dataset" permission "access" is a restrict permission.
no roles are associated with it, the library dataset is considered
public, and all users can access it in the library. However, if a
is associated with the "access" permission on the library dataset, a
user must have that role in order to access the dataset in the
If more than 1 role is associated with the "access" permission, then
a user must have all roles in order to access it.
This is not necessarily the case - for example, user can have
permission to add a library item, but not manage library permissions.
What behavior are you seeing that leads you to this conclusion?
This is currently possible. If the user is granted the 3 "library"
permissions on the folder to which he is adding the dataset, then he
will have those 3 "library" permissions on the dataset. The 2
dataset" permissions are taken from the user's default permissions for
datasets in their histories. The users' "default permissions" are
"manage permissions", with no role associated with the dataset
permission, making it public by default. These permissions can be
changed in the user's preferences ( click the User link in the top
bar in Galaxy ).
This is possible if the user that uploads the dataset either leaves it
public ( the default ), or associates a group role with the "access"
privilege on the library dataset.
This is possible as long as the group has a role that is associated
the various permissions on each library.
Do you mean user/group ( Galaxy has no concept that would
a user from a bioinformatician )? It depends on how you set up your
groups of users. You could have 1 group with all users, and associate
that group with a role, then associate that role with each "library"
Let me know if my explanations above do not make this clear.
Viewing a library item is managed by the "library dataset" "access"
permission. If a folder contains a public library dataset ( call it
), then the library, that folder, and D1 can be seen by any user.
However if the same folder contains a library dataset on which only
UserA has the "access" permission ( call it D2 ), then UserA will see
both D1 and D2, while all other users will see only D1.
We'll take this under consideration.