Permission Template Access roles behaviors

				Consensus vs. Needs Confirmaton	Behavior	Access Role	Works now for Collections	Expected to work based on description for Collections	Works now for Admin Sets	Expected to work based on description for Admin Sets	Comments
cs-c	cs-as	m-c	m-as				green = works as expected and agreed upon		red = does NOT work as expected and agreed upon		yellow = unsure
Impacting collections/adminsets
√	√		√		edit_access in solr_doc to collection/adminset	manager	YES	manager can modify collection metadata	YES	manager can edit the set metadata, participants, and release and visibility settings
√	√		√			depositor	NO		NO		NOTE: Creator of the AS does not have edit access at master
√	√		√			viewer	NO		NO		NOTE: Creator of the AS does not have edit access at master

√	√		√		read_access in solr doc to collection/adminset	manager	NO		NO
√	?		?	Should depositors have read access? I propose an additional setting for sharing that allows this to be ON/OFF for a collection type.		depositor	NO	depositor can view the collection	NO		In general... for collections, you likely will want depositors to have read_access. For example, if a team is jointly curating a collection, depositors to the collection will want to view the collection. for admin_sets, you may not want depositors to have read_access. For example, if you only use the default admin set, you may not want to grant all users access to view that admin set.
√	X		X	I propose that Viewer of admin sets SHOULD have read access.		viewer	YES	viewer can view the collection even if the visibility permissions of the collection otherwise would not permit them to view it.	NO		Rationale... A user who is granted special access to a collection/admin set have a higher need to be able to see the collection/admin set's metadata and list of works.

√	√				access to collection/adminset index via Managed Collections tab	manager	YES		YES		NOTE: Managed Collections does not yet exist at master.
√	X			If granted read access, depositors will see admin sets in Managed Collections.		depositor	YES	depositor can view the collection	NO		Depositors do NOT see admin sets in Managed Collections. NOTE: Managed Collections does not yet exist at master.
√	X			If granted read access, viewers will see admin sets in Managed Collections.		viewer	YES	viewer can view the collection even if the visibility permissions of the collection otherwise would not permit them to view it.	NO		Viewers do NOT see admin sets in Managed Collections. NOTE: Managed Collections does not yet exist at master.

					create collection/adminset	any user	SORT OF		ADMINs only		For collections, who can create collections of a particular type is limited to collection type managers and creators. The admin set collection type also controls who can create admin sets, but the collection type for admin sets is hard coded to only allow admins to do this.

√	√		√		delete collection/adminset	manager	YES	manager delete the collection	YES
√	?		?			depositor	NO		NO?		Can't see admin sets. Need to re-test after granting read access.
√	?		?			viewer	NO		NO?		Can't see admin sets. Need to re-test after granting read access.

√	√		√		access to collection/adminset show page	manager	YES		YES		via :edit access to the collection
X	?		?	Need to grant collection/admin set depositor read access to view show page.		depositor	NO	depositor can view the collection	NO		PROPOSED change to YES-- via :read access to the collection & admin set
√	?		?	Need to grant admin set viewer read access to view show page.		viewer	YES		NO		PROPOSED change to YES for admin sets -- via :read access to the admin set

√	√		√		access to collection/adminset edit page	manager	YES	manager can modify collection metadata	YES	manager can edit the set metadata, participants, and release and visibility settings
√	√		√			depositor	NO		NO
√	√		√			viewer	NO		NO

√	√		√		add works to collection/adminset	manager	YES	manager can add to and remove works from the collection	NEW ONLY		admin sets via New Work form only
X	√		√	Granting read access will allow depositor to add works from admin show page.		depositor	NO	depositor can add works to to the collection	NEW ONLY	depositor can add new works to this administrative set	admin sets via New Work form only Currently, without read access to collection, a depositor can only add works to a collection via Work → Relationship Tab OR via bulk add to collection on Dashboard → Works index page. Edit Works → Relationships Tab – DOES NOT include collections where user is depositor, but it SHOULD. PROPOSED change to grant depositor read access will allow depositors to add works from the collection admin show page.
√	√		√			viewer	NO		NO

					remove works from collection/adminset	manager	YES, IF	manager can add to and remove works from the collection	NO		YES IF requires_membership? false NO IF requires_membership? true NOTE: Admin sets uses the master UI which does not surface the ability to remove works from the adminset show page.
						depositor	?		NO		Can't right now for sure because the depositor can't get to the page where Remove is allowed. NOTE: Admin sets uses the master UI which does not surface the ability to remove works from the adminset show page.
						viewer	NO		NO		NOTE: Admin sets uses the master UI which does not surface the ability to remove works from the adminset show page.

			√		move works between collection/adminset	manager	YES	manager can add to and remove works from the collection	YES		YES when moving between collections of the same type YES when moving between different collection types IF requires_membership? false Minimally, manager has to be a manager/depositor to both collections NOTE: Move is currently only allowed from edit work Relationships tab, by selecting different collections/admin set.
			√			depositor	NO		YES/NO		For admin sets... requires edit access to the work. Can change for works the depositor created.
						viewer	NO		NO
				Consensus vs. Needs Confirmaton	Behavior	Access Role	Works now for Collections	Expected to work based on description for Collections	Works now for Admin Sets	Expected to work based on description for Admin Sets	Comments
Impacting works
					edit_access in solr_doc to new works	manager	YES	manager can edit work metadata	YES	manager can edit work metadata	Applied at create time when a work is created in just one collection. Admin set participants are applied every time a work is created. Collection and admin set permissions are additive.
						depositor	NO		NO
						viewer	NO		NO

					read_access in solr doc to collection/adminset	manager	NO		NO
						depositor	NO	depositor can view the collection	NO
						viewer	YES	viewer can view it even if the visibility permissions of the collection otherwise would not permit them to view it	YES	viewer can view works in the set regardless of the visibility settings applied to the work	Applied at create time when a work is created in just one collection. Admin set participants are applied every time a work is created. Collection and admin set permissions are additive.
					All other access to works is based on the edit and read access grants and is controlled by the standard abilities process.

For Admin Sets:

permission_ template_ access	admin set solr doc	ability: can? create_in_adminset	can access through UI via Dashboard → Administrative Sets	work solr doc	comments
Definition on participants tab: Managers of this administrative set can edit the set metadata, participants, and release and visibility settings (via Dashboard → Administrative Sets) edit work metadata (controlled by manager having edit_access on work) add to or remove files from a work (controlled by manager having edit_access on work) add new works to the set NOTE: Manager is granted access to works and their files only FOR WORKS CREATED AFTER USER BECAME MANAGER Additional things a manager can do not specifically mentioned in the definition move works to another set where user is manager move works to another set where user is depositor view the admin set through Dashboard → Administrative Sets delete empty admin set (NOT in the definition, but you can do this with edit_access)					Any differences from Collections? (checked if same) edit the collection metadata, sharing, discovery, etc. edit work metadata (works created directly in collection) add to or remove files from a work add new works to the collection move works to another collection where user is manager move works to another collection where user is depositor remove works from collection (not allowed for admin sets) delete empty collection delete collection with works (not allowed for admin sets)
:manage	edit_access	true	YES	edit_access	Admin user creating the admin set is not given edit_access as a user until a manager is added. This does not have much of an impact as the user is part of the admin group and gets access through that group.
Depositors of this administrative set can can add new works to this administrative set.
:deposit	N/A	true	NO		Access to works are granted only for works the user creates.
Viewers of this administrative set can view works in the set regardless of the visibility settings applied to the work. For example, viewers can view works in this set even if the works are currently embargoed or restricted. Additional functionality expected not directly mentioned in the definition view the admin set through Dashboard → Administrative Sets (NOT in the definition, but QA expected to be able to do this)
:view	N/A	false	NO	read_access	The user is NOT given read access to the admin set and therefore cannot view the admin set through the UI.

For Collections:

permission_ template_ access	definition in UI	collection solr doc	ability: can? create_in_collection	work solr doc	comments
Managers of this collection can add to and remove works from the collection modify collection metadata (including metadata, branding, sharing (to set roles), discovery (aka visibility), relationships (for nesting)) delete the collection
:manage		edit_access	true	edit_access	admin is always a manager
:deposit	Depositors of this collection can view the collection add works to it, even if the visibility permissions of the collecton otherwise would not permit them to view it.	read_access	true		access to works are granted only for works the user creates
:view	Viewers of this collection can view it even if the visibility permissions of the collection otherwise would not permit them to view it.	read_access	false	read_access

NOTE: There is a difference in definitions and in read_access set on admin_sets and collections for depositors and viewers. I would propose that Admin Sets use the same behavior as collections. This change will results in Depositors and Viewers being able to view the admin show page of the admin set AND see them listed in Managed Collections tab in Dashboard → Collections.

This makes sense for viewers since they must have some special connection with the admin set to be able to see works in it even when they are embargoed or private. This can make sense for depositors when there are multiple admin sets being used for organization.

My concern is for the special case of a site using a default admin set because they have to. Users must be able to deposit in it. In this case, the default admin set is the full set of all works in the repository. It does not make sense for users to view the show page for that admin set or see it in Managed Collections.