Permissions

Introduction
Permission Levels Overview
Permission Levels
1. Group Permissions
2. Project Permissions
Permission Inheritance
1. STEM Branch Inheritance
  1. Inheritance Rules
2. Personal Attributes Inheritance
  1. Group Level Inheritance
Public Sharing
1. Project Public Sharing
2. Personal Attributes Public Sharing
Permission Management
1. Project Permissions
2. Group Permissions

Introduction

BrainSTEM implements a hierarchical permission system that governs access control across the platform. This system enables flexible collaboration while maintaining data security through inheritance-based permissions.

permissions

Permission Levels Overview

Permission levels	Groups	Projects	Personal Attributes
Permission scope	3 levels, users only	4 levels for groups & users	4 levels for groups & users
Members	Inherit project permissions	Read access to: - subjects - sessions - modules	Read access to: - attributes - equipments
Contributors	-	Create/edit/delete models	Create/edit/delete equipments
Managers	Add/remove members	Add/remove members & groups	Add/remove members & groups
Owners	Manage group details Add/remove managers	Edit project details Add/remove managers	Edit attribute details Add/remove managers

Permission Levels

Group Permissions

Groups are the foundation of BrainSTEM’s permission system, offering three distinct permission levels:

Permission Level	Capabilities
Owner	- Manage group details and settings - Add/remove managers - Associate group with laboratory - Rename group - Manage public access settings
Manager	- Add/remove regular members - Create member invitations - Remove users from group
Member	- Access group resources - Inherit project permissions assigned to group - View group content - Leave group voluntarily

Project Permissions

Projects implement four permission levels that can be assigned to both individual users and groups:

Permission Level	Capabilities
Owner	- Manage project details - Add/remove managers - Has all Manager permissions
Manager	- Add/remove project members - Add/remove project groups - Has all Contributor permissions
Contributor	- Create/edit/delete project related models - Has all Member permissions
Member	- Read access to project, project-related subjects - Read access to sessions and modules

When applied to groups, these permissions extend to all group members automatically.

Group Permission Level	Effect on Group Members
Owner Groups	- All group members can manage project details - All group members can add/remove managers - Includes all Manager group permissions
Manager Groups	- All group members can add/remove project members - All group members can add/remove project groups - Includes all Contributor group permissions
Contributor Groups	- All group members can create/edit/delete project related models - Includes all Member group permissions
Member Groups	- All group members get read access to project, project-related subjects - All group members get read access to sessions and modules

Permission Inheritance

STEM Branch Inheritance

The STEM branch follows this hierarchical pattern:

Project
├── Subject
│   ├── Subject Logs
│   └── Procedure
│       └── Action Logs
├── Session
│   ├── Behavior
│   ├── Manipulation
│   └── Data acquisition
├── Collection
└── Cohort

Inheritance Rules

Parent Level	Inheritance Pattern	Inheriting Components
Project	All project components inherit base permissions	Subjects, Sessions, Collections, Cohorts
Subject	Direct inheritance with cascading effects	Subject Logs, Procedures, Action Logs (via Procedures)
Session	Module-level inheritance	Behaviors, Data acquisitions, Manipulations

Personal Attributes Inheritance

Personal attributes follow their own inheritance structure from groups:

Personal Attributes
├── Setups
│   └── Equipments
├── Inventories
│   └── Consumable Stocks
├── Data Repositories
└── Behavioral Paradigms

Group Level Inheritance

Parent Level	Inheritance Pattern	Inheriting Components
Group	Direct inheritance from associated groups	Personal Attributes (Behavioral Paradigms, Data Storage, Setups, Inventories)
Experimental Setup	Direct inheritance with module-level access	Equipments
Inventory	Direct inheritance with module-level access	Consumable Stocks

All personal attributes inherit permissions directly from their associated groups
Group membership automatically grants access to personal attributes

When a project is made public:
All associated components become publicly accessible
Only project owners can make a project public
Public access is read-only for anonymous users
Authorized users retain their edit capabilities

Each personal attribute requires individual public sharing settings
Only owners can modify public access settings
Public status required for behavioral paradigms, data storage, and setups used in public projects

Permissions

Table of contents

Introduction

Permission Levels Overview

Permission Levels

Group Permissions

Project Permissions

Permission Inheritance

STEM Branch Inheritance

Inheritance Rules

Personal Attributes Inheritance

Group Level Inheritance

Public Sharing

Project Public Sharing

Personal Attributes Public Sharing

Permission Management

Project Permissions

Group Permissions