From 7e2be617db63bc1c25ce6d261ae8605fd9c2a011 Mon Sep 17 00:00:00 2001 From: llewellyn-sl <113503285+llewellyn-sl@users.noreply.github.com> Date: Wed, 21 Jan 2026 08:07:52 +0000 Subject: [PATCH 1/7] Update permissions documentation from Platform Platform commit: d437392c2633808666e3ed132e3c44bbb7a152e7 Changed files: docs/grants_operations.md Triggered by: daria-seqera feat: Add operation to delete from workspace by userId [PLAT-4447] (#10108) --- .../orgs-and-teams/custom-roles.md | 281 +++++++++--------- platform-repo | 1 + 2 files changed, 144 insertions(+), 138 deletions(-) create mode 160000 platform-repo diff --git a/platform-enterprise_docs/orgs-and-teams/custom-roles.md b/platform-enterprise_docs/orgs-and-teams/custom-roles.md index ae251bbd0..ea23f0a9b 100644 --- a/platform-enterprise_docs/orgs-and-teams/custom-roles.md +++ b/platform-enterprise_docs/orgs-and-teams/custom-roles.md 
@@ -30,156 +30,160 @@ Individual permissions grant read, write, execute, admin, or delete access for e | Permission | Description | API endpoint | |------------|-------------|--------------| | **compute_environment:read** | List all compute environments | `GET /compute-envs` | -| | View compute environment details | `GET /compute-envs/{computeEnvId}` | +| | View compute environment details | `GET /compute-envs/{computeEnvId}` | | **compute_environment:write** | Create a new compute environment | `POST /compute-envs` | -| | Edit an existing compute environment | `PUT /compute-envs/{computeEnvId}` | -| | Set a compute environment as primary | `POST /compute-envs/{computeEnvId}/primary` | -| | Validate compute environment name availability | `GET /compute-envs/validate` | +| | Edit an existing compute environment | `PUT /compute-envs/{computeEnvId}` | +| | Set a compute environment as primary | `POST /compute-envs/{computeEnvId}/primary` | +| | Disable compute environment | `POST /compute-envs/{computeEnvId}/disable` | +| | Enable compute environment | `POST /compute-envs/{computeEnvId}/enable` | +| | Validate compute environment name availability | `GET /compute-envs/validate` | | **compute_environment:delete** | Delete a compute environment | `DELETE /compute-envs/{computeEnvId}` | | **credentials:read** | List all credentials in workspace | `GET /credentials` | -| | View credential details | `GET /credentials/{credentialsId}` | +| | View credential details | `GET /credentials/{credentialsId}` | | **credentials:write** | Add new credentials | `POST /credentials` | -| | Edit existing credentials | `PUT /credentials/{credentialsId}` | -| | Validate credentials | _(Used by Platform)_ | -| | Validate credential name availability | `GET /credentials/validate` | +| | Edit existing credentials | `PUT /credentials/{credentialsId}` | +| | Validate credentials | _(Used by Platform)_ | +| | Validate credential name availability | `GET /credentials/validate` | | 
**credentials:delete** | Delete credentials | `DELETE /credentials/{credentialsId}` | | **credentials_encrypted:read** | Get encrypted credentials | _(Used by Platform)_ | | **pipeline_secrets:read** | List all pipeline secrets | `GET /pipeline-secrets` | -| | View pipeline secret details | `GET /pipeline-secrets/{secretId}` | +| | View pipeline secret details | `GET /pipeline-secrets/{secretId}` | | **pipeline_secrets:write** | Create a new pipeline secret | `POST /pipeline-secrets` | -| | Validate secret name availability | `GET /pipeline-secrets/validate` | -| | Edit an existing pipeline secret | `PUT /pipeline-secrets/{secretId}` | +| | Validate secret name availability | `GET /pipeline-secrets/validate` | +| | Edit an existing pipeline secret | `PUT /pipeline-secrets/{secretId}` | | **pipeline_secrets:delete** | Delete a pipeline secret | `DELETE /pipeline-secrets/{secretId}` | | **platform:read** | List available platforms | `GET /platforms` | -| | List platform regions | `GET /platforms/{platformId}/regions` | -| | View platform details | `GET /platforms/{platformId}` | -| **essential:read** | List available features | _(Used by Platform)_ | +| | List platform regions | `GET /platforms/{platformId}/regions` | +| | View platform details | `GET /platforms/{platformId}` | #### Data | Permission | Description | API endpoint | |------------|-------------|--------------| | **data_link:read** | List all data-links (cloud buckets) | `GET /data-links` | -| | Browse data-link contents | `GET /data-links/{dataLinkId}/browse` | -| | View data-link details | `GET /data-links/{dataLinkId}` | +| | Browse data-link contents | `GET /data-links/{dataLinkId}/browse` | +| | Browse data-link contents at the given path | `GET /data-links/{dataLinkId}/browse/{path}` | +| | View data-link details | `GET /data-links/{dataLinkId}` | | **data_link:write** | Refresh data-link cache | `GET /data-links/cache/refresh` | -| | Browse data-link directory tree | `GET 
/data-links/{dataLinkId}/browse-tree` | -| | Download files from data-link | `GET /data-links/{dataLinkId}/download` | -| | Generate download URL for data-link files | `GET /data-links/{dataLinkId}/generate-download-url` | -| | Generate download script | `GET /data-links/{dataLinkId}/script/download` | -| | Upload files to data-link | `POST /data-links/{dataLinkId}/upload` | -| | Complete file upload to data-link | `POST /data-links/{dataLinkId}/upload/finish` | -| | Create a custom data-link | `POST /data-links` | -| | Edit data-link metadata | `PUT /data-links/{dataLinkId}` | +| | Browse data-link directory tree | `GET /data-links/{dataLinkId}/browse-tree` | +| | Download files from data-link | `GET /data-links/{dataLinkId}/download/{filePath}` | +| | Generate download URL for data-link files | `GET /data-links/{dataLinkId}/generate-download-url` | +| | Generate download script | `GET /data-links/{dataLinkId}/script/download` | +| | Upload files to data-link | `POST /data-links/{dataLinkId}/upload` | +| | Upload files to data-link at the given path | `POST /data-links/{dataLinkId}/upload/{dirPath}` | +| | Complete file upload to data-link | `POST /data-links/{dataLinkId}/upload/finish` | +| | Complete file upload to data-link at the given path | `POST /data-links/{dataLinkId}/upload/finish/{dirPath}` | +| | Create a custom data-link | `POST /data-links` | +| | Edit data-link metadata | `PUT /data-links/{dataLinkId}` | | **data_link:delete** | Delete files from data-link | `DELETE /data-links/{dataLinkId}/content` | -| | Remove a data-link from workspace | `DELETE /data-links/{dataLinkId}` | +| | Remove a data-link from workspace | `DELETE /data-links/{dataLinkId}` | | **data_link:admin** | Hide data-links | _(Used by Platform)_ | -| | Show data-links | _(Used by Platform)_ | +| | Show data-links | _(Used by Platform)_ | | **dataset:read** | List datasets (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets` | -| | List workspace dataset versions (legacy 
endpoint) | `GET /workspaces/{workspaceId}/datasets/versions` | -| | List dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/versions` | -| | View dataset metadata (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/metadata` | -| | Download dataset files (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/v/{version}/n/{fileName}` | -| | List all datasets | `GET /datasets` | -| | List latest dataset versions | `GET /datasets/versions` | -| | List versions for a specific dataset | `GET /datasets/{datasetId}/versions` | -| | List datasets used in a pipeline launch | `GET /launch/{launchId}/datasets` | -| | View dataset metadata | `GET /datasets/{datasetId}/metadata` | -| | Download dataset files | `GET /datasets/{datasetId}/v/{version}/n/{fileName}` | +| | List workspace dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/versions` | +| | List dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/versions` | +| | View dataset metadata (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/metadata` | +| | Download dataset | `GET /workspaces/{workspaceId}/datasets/{datasetId}/v/{version}/n/{fileName}` | +| | List all datasets | `GET /datasets` | +| | List latest dataset versions | `GET /datasets/versions` | +| | List versions for a specific dataset | `GET /datasets/{datasetId}/versions` | +| | List datasets used in a pipeline launch | `GET /launch/{launchId}/datasets` | +| | View dataset metadata | `GET /datasets/{datasetId}/metadata` | +| | Download dataset files | `GET /datasets/{datasetId}/v/{version}/n/{fileName}` | | **dataset:write** | Create dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets` | -| | Edit dataset (legacy endpoint) | `PUT /workspaces/{workspaceId}/datasets/{datasetId}` | -| | Upload dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets/{datasetId}/upload` | -| 
| Create a new dataset | `POST /datasets` | -| | Edit dataset metadata | `PUT /datasets/{datasetId}` | -| | Upload files to dataset | `POST /datasets/{datasetId}/upload` | +| | Edit dataset (legacy endpoint) | `PUT /workspaces/{workspaceId}/datasets/{datasetId}` | +| | Upload dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets/{datasetId}/upload` | +| | Create a new dataset | `POST /datasets` | +| | Edit dataset metadata | `PUT /datasets/{datasetId}` | +| | Upload files to dataset | `POST /datasets/{datasetId}/upload` | | **dataset:delete** | Delete dataset (legacy endpoint) | `DELETE /workspaces/{workspaceId}/datasets/{datasetId}` | -| | Delete a single dataset | `DELETE /datasets/{datasetId}` | -| | Delete multiple datasets | `DELETE /datasets` | -| **dataset:admin** | Hide datasets | `POST /datasets/hide` | -| | Show datasets | `POST /datasets/show` | -| | Disable dataset version | `POST /datasets/{datasetId}/versions/{version}/disable` | +| | Delete a single dataset | `DELETE /datasets/{datasetId}` | +| | Delete multiple datasets | `DELETE /datasets` | +| **dataset:admin** | Hide any workspace user's datasets | `POST /datasets/hide` | +| | Show any workspace user's datasets | `POST /datasets/show` | +| | Disable any workspace user's dataset version | `POST /datasets/{datasetId}/versions/{version}/disable` | | **dataset_label:write** | Add labels to datasets | `POST /datasets/labels/add` | -| | Remove labels from datasets | `POST /datasets/labels/remove` | -| | Apply label sets to datasets | `POST /datasets/labels/apply` | +| | Remove labels from datasets | `POST /datasets/labels/remove` | +| | Apply label sets to datasets | `POST /datasets/labels/apply` | #### Pipelines | Permission | Description | API endpoint | |------------|-------------|--------------| | **action:read** | View action details | `GET /actions/{actionId}` | -| | View available action types | `GET /actions/types` | -| | List all actions in workspace | `GET /actions` | +| | View 
available action types | `GET /actions/types` | +| | List all actions in workspace | `GET /actions` | | **action:execute** | Trigger an action to run | `POST /actions/{actionId}/launch` | | **action:write** | Create a new action | `POST /actions` | -| | Edit an existing action | `PUT /actions/{actionId}` | -| | Test action configuration | _(Used by Platform)_ | -| | Pause a running action | `POST /actions/{actionId}/pause` | -| | Validate action name availability | `GET /actions/validate` | +| | Edit an existing action | `PUT /actions/{actionId}` | +| | Test action configuration | _(Used by Platform)_ | +| | Pause a running action | `POST /actions/{actionId}/pause` | +| | Validate action name availability | `GET /actions/validate` | | **action:delete** | Delete an action | `DELETE /actions/{actionId}` | -| **action_label:write** | Apply resource labels when creating actions | Sub-operation on `POST /actions` | -| | Apply resource labels when updating actions | Sub-operation on `PUT /actions/{actionId}` | -| | Add labels to actions | `POST /actions/labels/add` | -| | Remove labels from actions | `POST /actions/labels/remove` | -| | Apply label sets to actions | `POST /actions/labels/apply` | +| **action_label:write** | Apply resource labels when adding an action | Sub-operation on `POST /actions` | +| | Apply resource labels when editing an action | Sub-operation on `PUT /actions/{actionId}` | +| | Add labels to actions | `POST /actions/labels/add` | +| | Remove labels from actions | `POST /actions/labels/remove` | +| | Apply label sets to actions | `POST /actions/labels/apply` | | **container:read** | View container details | _(Used by Platform)_ | -| | List containers | _(Used by Platform)_ | -| | List workflow containers | _(Used by Platform)_ | +| | List containers | _(Used by Platform)_ | +| | List workflow containers | _(Used by Platform)_ | | **launch:read** | View launch details | `GET /launch/{launchId}` | | **pipeline:read** | View pipeline repository 
information | `GET /pipelines/info` | -| | View pipeline schema and parameters | `GET /pipelines/{pipelineId}/schema` | -| | View pipeline schema from repository URL | _(Used by Platform)_ | -| | View pipeline launch configuration | `GET /pipelines/{pipelineId}/launch` | -| | List available pipeline repositories | `GET /pipelines/repositories` | -| | List all pipelines in workspace | `GET /pipelines` | -| | View pipeline details | `GET /pipelines/{pipelineId}` | -| | Fetch pipeline optimization | _(Used by Platform)_ | -| | List pipeline versions | _(Used by Platform)_ | -| **pipeline:write** | Overwrite fields when creating workflow launch | Sub-operation on `POST /workflow/launch` | -| | Add a new pipeline to workspace | `POST /pipelines` | -| | Edit pipeline configuration | `PUT /pipelines/{pipelineId}` | -| | Configure pipeline | _(Used by Platform)_ | -| | Validate pipeline name availability | `GET /pipelines/validate` | -| | Validate pipeline version name | _(Used by Platform)_ | -| | Manage pipeline version | _(Used by Platform)_ | +| | View pipeline schema and parameters | `GET /pipelines/{pipelineId}/schema` | +| | View pipeline schema from repository URL | _(Used by Platform)_ | +| | View pipeline launch configuration | `GET /pipelines/{pipelineId}/launch` | +| | List available pipeline repositories | `GET /pipelines/repositories` | +| | List all pipelines in workspace | `GET /pipelines` | +| | View pipeline details | `GET /pipelines/{pipelineId}` | +| | Fetch pipeline optimization | _(Used by Platform)_ | +| | List pipeline versions | _(Used by Platform)_ | +| **pipeline:write** | Modify pipeline details when launching a pipeline run | Sub-operation on `POST /workflow/launch` | +| | Add a new pipeline to workspace | `POST /pipelines` | +| | Edit pipeline configuration | `PUT /pipelines/{pipelineId}` | +| | Configure pipeline | _(Used by Platform)_ | +| | Validate pipeline name availability | `GET /pipelines/validate` | +| | Validate pipeline version name 
availability | _(Used by Platform)_ | +| | Manage pipeline version | _(Used by Platform)_ | | **pipeline:delete** | Delete a pipeline | `DELETE /pipelines/{pipelineId}` | -| **pipeline_label:write** | Apply resource labels when launching workflows | Sub-operation on `POST /workflow/launch` | -| | Add labels to pipelines | `POST /pipelines/labels/add` | -| | Apply resource labels when creating pipelines | Sub-operation on `POST /pipelines` | -| | Apply resource labels when updating pipelines | Sub-operation on `PUT /pipelines/{pipelineId}` | -| | Remove labels from pipelines | `POST /pipelines/labels/remove` | -| | Apply label sets to pipelines | `POST /pipelines/labels/apply` | +| **pipeline_label:write** | Apply resource labels when launching a pipeline run | Sub-operation on `POST /workflow/launch` | +| | Add labels to pipelines | `POST /pipelines/labels/add` | +| | Apply resource labels when adding a pipeline | Sub-operation on `POST /pipelines` | +| | Apply resource labels when editing a pipeline | Sub-operation on `PUT /pipelines/{pipelineId}` | +| | Remove labels from pipelines | `POST /pipelines/labels/remove` | +| | Apply label sets to pipelines | `POST /pipelines/labels/apply` | | **workflow:read** | View run details | `GET /workflow/{workflowId}` | -| | View run progress | `GET /workflow/{workflowId}/progress` | -| | List tasks in a run | `GET /workflow/{workflowId}/tasks` | -| | View individual task details | `GET /workflow/{workflowId}/task/{taskId}` | -| | View run metrics | `GET /workflow/{workflowId}/metrics` | -| | List all runs in workspace | `GET /workflow` | -| | View run launch configuration | `GET /workflow/{workflowId}/launch` | -| | View run execution logs | `GET /workflow/{workflowId}/log` | -| | View task-specific logs | `GET /workflow/{workflowId}/log/{taskId}` | -| | Download run logs | `GET /workflow/{workflowId}/download` | -| | Download workflow workspace content | _(Used by Platform)_ | -| | Download task logs | `GET 
/workflow/{workflowId}/download/{taskId}` | -| | View workflow reports | _(Used by Platform)_ | -| | Download workflow report | _(Used by Platform)_ | -| | Fetch workflow optimization | _(Used by Platform)_ | -| | Check optimized workflow list | _(Used by Platform)_ | +| | View run progress | `GET /workflow/{workflowId}/progress` | +| | List tasks in a run | `GET /workflow/{workflowId}/tasks` | +| | View individual task details | `GET /workflow/{workflowId}/task/{taskId}` | +| | View run metrics | `GET /workflow/{workflowId}/metrics` | +| | List all runs in workspace | `GET /workflow` | +| | View run launch configuration | `GET /workflow/{workflowId}/launch` | +| | View run execution logs | `GET /workflow/{workflowId}/log` | +| | View task-specific logs | `GET /workflow/{workflowId}/log/{taskId}` | +| | Download run logs | `GET /workflow/{workflowId}/download` | +| | Download run content in a workspace | _(Used by Platform)_ | +| | Download task logs | `GET /workflow/{workflowId}/download/{taskId}` | +| | View run reports | _(Used by Platform)_ | +| | Download run report | _(Used by Platform)_ | +| | Fetch workflow optimization | _(Used by Platform)_ | +| | Check optimized workflow list | _(Used by Platform)_ | | **workflow:execute** | Launch a pipeline run | `POST /workflow/launch` | -| | Cancel a running pipeline | `POST /workflow/{workflowId}/cancel` | -| | Launch pipeline | _(Used by Platform)_ | +| | Cancel a running pipeline | `POST /workflow/{workflowId}/cancel` | +| | Launch a pipeline run | _(Used by Platform)_ | | **workflow:write** | Create execution trace | `POST /trace/create` | -| | Update trace heartbeat | `PUT /trace/{workflowId}/heartbeat` | -| | Mark trace begin | `PUT /trace/{workflowId}/begin` | -| | Mark trace complete | `PUT /trace/{workflowId}/complete` | -| | Update trace progress | `PUT /trace/{workflowId}/progress` | +| | Update trace heartbeat | `PUT /trace/{workflowId}/heartbeat` | +| | Mark trace begin | `PUT /trace/{workflowId}/begin` 
| +| | Mark trace complete | `PUT /trace/{workflowId}/complete` | +| | Update trace progress | `PUT /trace/{workflowId}/progress` | | **workflow:delete** | Delete a single run | `DELETE /workflow/{workflowId}` | -| | Delete multiple runs | `POST /workflow/delete` | +| | Delete multiple runs | `POST /workflow/delete` | | **workflow_label:write** | Add labels to runs | `POST /workflow/labels/add` | -| | Remove labels from runs | `POST /workflow/labels/remove` | -| | Apply label sets to runs | `POST /workflow/labels/apply` | -| **workflow_quick:execute** | Create quick launch when creating workflow launch | Sub-operation on `POST /workflow/launch` | -| | Launch quick pipeline | _(Used by Platform)_ | -| | Create GA4GH workflow run | `POST /ga4gh/wes/v1/runs` | +| | Remove labels from runs | `POST /workflow/labels/remove` | +| | Apply label sets to runs | `POST /workflow/labels/apply` | +| **workflow_quick:execute** | Launch quick pipeline | Sub-operation on `POST /workflow/launch` | +| | Launch quick pipeline | _(Used by Platform)_ | +| | GA4GH: create a run | `POST /ga4gh/wes/v1/runs` | | **workflow_star:read** | Check if run is starred (favourited) | `GET /workflow/{workflowId}/star` | | **workflow_star:write** | Star (favourite) a run | `POST /workflow/{workflowId}/star` | | **workflow_star:delete** | Unstar (unfavourite) a run | `DELETE /workflow/{workflowId}/star` | 
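Review bot: the `workflow_quick:execute` block at the end of the `@@ -30,156 +30,160 @@` hunk now carries two rows with the identical description "Launch quick pipeline" (one for `Sub-operation on POST /workflow/launch`, one for `_(Used by Platform)_`); the old first row, "Create quick launch when creating workflow launch", told the reader which of the two is the API sub-operation, so keep a distinct description there, e.g. "Launch a quick pipeline run (sub-operation)". Two smaller points in the same hunk: the `**essential:read** | List available features` row is dropped without any mention in the commit message, and the `dataset:read` legacy download row loses its "(legacy endpoint)" marker ("Download dataset", while the sibling legacy rows keep it), which blurs the legacy/new split the table otherwise makes explicit. Since these tables are generated from `docs/grants_operations.md`, both fixes belong in that source file rather than in this generated page.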
@@ -190,48 +194,49 @@ Individual permissions grant read, write, execute, admin, or delete access for e |------------|-------------|--------------| | **label:read** | List all workspace labels | `GET /labels` | | **label:write** | Create a new label | `POST /labels` | -| | Edit an existing label | `PUT /labels/{labelId}` | +| | Edit an existing label | `PUT /labels/{labelId}` | | **label:delete** | Delete a label | `DELETE /labels/{labelId}` | | **workspace:read** | View workspace details | `GET /orgs/{orgId}/workspaces/{workspaceId}` | -| | List workspace participants | `GET /orgs/{orgId}/workspaces/{workspaceId}/participants` | +| | List workspace participants | `GET /orgs/{orgId}/workspaces/{workspaceId}/participants` | | **workspace:write** | Edit workspace settings | `PUT /orgs/{orgId}/workspaces/{workspaceId}` | -| | Add a workspace participant | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/add` | -| | Find workspace participant candidates | _(Used by Platform)_ | -| | Change participant role | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | -| | Remove a workspace participant | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Add a workspace participant | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/add` | +| | Find workspace participant candidates | _(Used by Platform)_ | +| | Change participant role | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | +| | Remove a workspace participant (user or team) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Remove a workspace user (member or collaborator) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` | | **workspace:delete** | Delete the workspace | `DELETE /orgs/{orgId}/workspaces/{workspaceId}` | -| **workspace:admin** | Modify workspace ownership when updating participant role | Sub-operation on `PUT 
/orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | -| | Delete workspace owner when deleting participant | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| **workspace:admin** | Change participant role to/from Owner | Sub-operation on `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | +| | Remove a workspace Owner by participantId | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Remove a workspace Owner by userId | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` | | **workspace_self:delete** | Leave workspace (remove self as participant) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants` | | **workspace_studio:read** | View studio settings for workspace | `GET /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | -| **workspace_studio:write** | Edit studio session lifespan settings | `PUT /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | +| **workspace_studio:write** | Edit studio settings for workspace | `PUT /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | #### Studios | Permission | Description | API endpoint | |------------|-------------|--------------| | **studio:read** | View studio session details | `GET /studios/{sessionId}` | -| | View studio repository details | _(Used by Platform)_ | -| | List all studios in workspace | `GET /studios` | -| | List available studio templates | `GET /studios/templates` | -| | List checkpoints for a studio | `GET /studios/{sessionId}/checkpoints` | -| | View checkpoint details | `GET /studios/{sessionId}/checkpoints/{checkpointId}` | +| | View studio repository details | _(Used by Platform)_ | +| | List all studios in workspace | `GET /studios` | +| | List available studio templates | `GET /studios/templates` | +| | List checkpoints for a studio | `GET /studios/{sessionId}/checkpoints` | +| | View 
checkpoint details | `GET /studios/{sessionId}/checkpoints/{checkpointId}` | | **studio:execute** | List mounted data-links for studios | `GET /studios/data-links` | -| | Start a studio session | `PUT /studios/{sessionId}/start` | -| | Stop a studio session | `PUT /studios/{sessionId}/stop` | +| | Start a studio session | `PUT /studios/{sessionId}/start` | +| | Stop a studio session | `PUT /studios/{sessionId}/stop` | | **studio:write** | Create a new studio | `POST /studios` | -| | Edit checkpoint name | `PUT /studios/{sessionId}/checkpoints/{checkpointId}` | -| | Validate studio name availability | `GET /studios/validate` | +| | Edit checkpoint name | `PUT /studios/{sessionId}/checkpoints/{checkpointId}` | +| | Validate studio name availability | `GET /studios/validate` | | **studio:delete** | Delete a studio | `DELETE /studios/{sessionId}` | -| **studio:admin** | Admin operations on other users' Studios | | -| | Delete studio | Sub-operation on `DELETE /studios/{sessionId}` | -| | Start studio | Sub-operation on `PUT /studios/{sessionId}/start` | -| | Stop studio | Sub-operation on `PUT /studios/{sessionId}/stop` | -| | Extend studio lifespan (iframe) | _(Used by Platform)_ | -| | Extend studio lifespan | Sub-operation on `POST /studios/{sessionId}/lifespan` | -| | Admin access to studio | _(Used by Platform)_ | -| **studio_label:write** | Apply resource labels when starting studios | Sub-operation on `PUT /studios/{sessionId}/start` | -| | Edit studio resource labels | _(Used by Platform)_ | -| **studio_session:read** | Open studio | _(Used by Platform)_ | -| **studio_session:execute** | Extend studio lifespan (iframe) | _(Used by Platform)_ | +| **studio:admin** | Delete another user's private studio | Sub-operation on `DELETE /studios/{sessionId}` | +| | Start another user's private studio | Sub-operation on `PUT /studios/{sessionId}/start` | +| | Stop another user's private studio | Sub-operation on `PUT /studios/{sessionId}/stop` | +| | Extend another 
user's private studio session lifespan (iframe) | _(Used by Platform)_ | +| | Extend another user's private studio session lifespan | Sub-operation on `POST /studios/{sessionId}/lifespan` | +| | Administer another user's private studio | _(Used by Platform)_ | +| **studio_label:write** | Apply resource labels when starting a studio | Sub-operation on `PUT /studios/{sessionId}/start` | +| **studio_session:read** | Open a studio | _(Used by Platform)_ | +| **studio_session:execute** | Extend studio session lifespan (iframe) | _(Used by Platform)_ | +| | Extend studio session lifespan | `POST /studios/{sessionId}/lifespan` | | | Extend studio session lifespan | `POST /studios/{sessionId}/lifespan` | \ No newline at end of file diff --git a/platform-repo b/platform-repo new file mode 160000 index 000000000..d437392c2 --- /dev/null +++ b/platform-repo @@ -0,0 +1 @@ +Subproject commit d437392c2633808666e3ed132e3c44bbb7a152e7 From ba74d5f26e940ee78d3538caaa922a49862d7e47 Mon Sep 17 00:00:00 2001 
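Review bot: the last two lines of the `@@ -190,48 +194,49 @@` hunk leave `studio_session:execute` with a duplicated row: the added `+| | Extend studio session lifespan | POST /studios/{sessionId}/lifespan |` is immediately followed by the unchanged context row with exactly the same description and endpoint, so the rendered table shows that entry twice; drop one of them, and add the missing trailing newline while there, since the file still ends with `\ No newline at end of file`. On the substance of the hunk: the new `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` row sits under `workspace:write` with the Owner case carved out as a `workspace:admin` sub-operation, mirroring the existing participants endpoint, which is the right split; it does mean that any custom role already granting `workspace:write` can now remove members and collaborators by userId, so the PR description should call that out for administrators reviewing existing custom roles.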
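Review bot: the `platform-repo` entry added by the `@@ -0,0 +1 @@` hunk (`create mode 160000`, `Subproject commit d437392c2633808666e3ed132e3c44bbb7a152e7`) is a bare gitlink with no matching `.gitmodules` change, so anyone cloning the docs repository gets a dangling submodule pointer at `platform-repo/`; its commit matches the "Platform commit: d437392c2633808666e3ed132e3c44bbb7a152e7" line in the message, so this looks like the working-tree clone used by the update script being swept up by `git add`. Remove the gitlink from this commit and add `platform-repo/` to `.gitignore` (or clone it outside the checkout) so the sync job cannot commit it again.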
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Feb 2026 13:47:11 -0500 Subject: [PATCH 2/7] Add Cloud support for custom roles permissions documentation - Create platform-cloud/docs/orgs-and-teams/custom-roles.md with Pro account requirement notice - Update cloud-sidebar.json to include custom-roles page in Administration section - Modify update-permissions-tables.py to update both Cloud and Enterprise custom-roles.md files - Update workflow PR description to reflect Cloud custom-roles updates This ensures permissions documentation stays in sync for both Cloud and Enterprise versions. Co-Authored-By: Claude Sonnet 4.5 --- .github/scripts/update-permissions-tables.py | 52 ++-- .github/workflows/update-permissions-docs.yml | 1 + platform-cloud/cloud-sidebar.json | 1 + .../docs/orgs-and-teams/custom-roles.md | 245 ++++++++++++++++++ 4 files changed, 275 insertions(+), 24 deletions(-) create mode 100644 platform-cloud/docs/orgs-and-teams/custom-roles.md diff --git a/.github/scripts/update-permissions-tables.py b/.github/scripts/update-permissions-tables.py index fed2ceb34..f85265579 100755 --- a/.github/scripts/update-permissions-tables.py +++ b/.github/scripts/update-permissions-tables.py 
@@ -240,31 +240,35 @@ def process_operations_grants(self) -> None: print(f"✅ Parsed {len(operations_tables)} operation tables: {', '.join(operations_tables.keys())}") - # Update custom-roles.md - target_file = self.docs_repo / 'platform-enterprise_docs' / 'orgs-and-teams' / 'custom-roles.md' + # Update both custom-roles.md files + target_files = [ + self.docs_repo / 'platform-cloud' / 'docs' / 'orgs-and-teams' / 'custom-roles.md', + self.docs_repo / 'platform-enterprise_docs' / 'orgs-and-teams' / 'custom-roles.md', + ] - for section_name, table_content in operations_tables.items(): - try: - print(f" Updating {section_name} section...") - self.update_operations_table(target_file, section_name, table_content) - self.successes.append(f"{target_file.relative_to(self.docs_repo)} ({section_name})") - print(f" ✅ Updated successfully") - except TableUpdateError as e: - error_msg = str(e) - print(f" ❌ {error_msg}") - self.errors.append({ - 'file': f"{target_file.relative_to(self.docs_repo)} ({section_name})", - 'error': error_msg, - 'type': 'update_error' - }) - except Exception as e: - error_msg = f"Unexpected error: {str(e)}" - print(f" ❌ {error_msg}") - self.errors.append({ - 'file': f"{target_file.relative_to(self.docs_repo)} ({section_name})", - 'error': error_msg, - 'type': 'unexpected_error' - }) + for target_file in target_files: + for section_name, table_content in operations_tables.items(): + try: + print(f" Updating {target_file.relative_to(self.docs_repo)} - {section_name} section...") + self.update_operations_table(target_file, section_name, table_content) + self.successes.append(f"{target_file.relative_to(self.docs_repo)} ({section_name})") + print(f" ✅ Updated successfully") + except TableUpdateError as e: + error_msg = str(e) + print(f" ❌ {error_msg}") + self.errors.append({ + 'file': f"{target_file.relative_to(self.docs_repo)} ({section_name})", + 'error': error_msg, + 'type': 'update_error' + }) + except Exception as e: + error_msg = f"Unexpected error: 
{str(e)}" + print(f" ❌ {error_msg}") + self.errors.append({ + 'file': f"{target_file.relative_to(self.docs_repo)} ({section_name})", + 'error': error_msg, + 'type': 'unexpected_error' + }) def generate_error_report(self) -> None: """Generate UPDATE_ERRORS.md if there were any errors.""" diff --git a/.github/workflows/update-permissions-docs.yml b/.github/workflows/update-permissions-docs.yml index 9b7254825..0fffc5019 100644 --- a/.github/workflows/update-permissions-docs.yml +++ b/.github/workflows/update-permissions-docs.yml @@ -132,6 +132,7 @@ jobs: - `platform-enterprise_docs/orgs-and-teams/roles.md` (Role permissions table) #### From `docs/grants_operations.md`: + - `platform-cloud/docs/orgs-and-teams/custom-roles.md` (Operations tables by section) - `platform-enterprise_docs/orgs-and-teams/custom-roles.md` (Operations tables by section) ### Review Checklist diff --git a/platform-cloud/cloud-sidebar.json b/platform-cloud/cloud-sidebar.json index 4d29b05e8..6b23a9b0a 100644 --- a/platform-cloud/cloud-sidebar.json +++ b/platform-cloud/cloud-sidebar.json @@ -154,6 +154,7 @@ "orgs-and-teams/organizations", "orgs-and-teams/workspace-management", "orgs-and-teams/roles", + "orgs-and-teams/custom-roles", "monitoring/dashboard", "administration/credit-management" ] diff --git a/platform-cloud/docs/orgs-and-teams/custom-roles.md b/platform-cloud/docs/orgs-and-teams/custom-roles.md new file mode 100644 index 000000000..705a41153 --- /dev/null +++ b/platform-cloud/docs/orgs-and-teams/custom-roles.md 
@@ -0,0 +1,245 @@ +--- +title: "Custom roles" +description: "Introduction to custom roles in Seqera Platform." +date created: "2025-11-17" +last updated: "2025-11-17" +tags: [roles, user-roles, custom roles, rbac, permissions] +--- + +:::info +Custom roles are only available to Seqera Platform Cloud Pro accounts. +::: + +Seqera Platform supports custom roles to define permissions-based access control at a more granular level than the six default [workspace participant roles](./roles.md#workspace-participant-roles). + +### Create custom roles + +Organization owners can add custom roles and assign read, write, execute, admin, and delete permissions for every Seqera resource type: + +1. Select your organization name from the organization and workspace switcher in the top navigation. +1. Select **Access control** to view the list of default and custom roles available in your organization. +1. Select **Add role**. +1. Enter a role **Name** and optional **Description**. +1. From the **Permissions** list, select the **Read**, **Write**, **Execute**, **Admin**, and **Delete** permissions your custom role requires for each resource type. +1. Select **Add** to create the custom role and return to the **Access control** roles list. + +Select **Edit** or **Delete** to manage existing custom roles in the list. + +### Permissions + +Individual permissions grant read, write, execute, admin, or delete access for each Seqera entity. Individual read and write permissions may grant access for multiple operations via the Platform UI, API, and other programmatic tools such as Platform CLI. For example, the `action:read` permission allows a user to view the list of actions in a workspace, view the details of a specific action, and view available action types. 
+ +#### Compute + +| Permission | Description | API endpoint | +|------------|-------------|--------------| +| **compute_environment:read** | List all compute environments | `GET /compute-envs` | +| | View compute environment details | `GET /compute-envs/{computeEnvId}` | +| **compute_environment:write** | Create a new compute environment | `POST /compute-envs` | +| | Edit an existing compute environment | `PUT /compute-envs/{computeEnvId}` | +| | Set a compute environment as primary | `POST /compute-envs/{computeEnvId}/primary` | +| | Disable compute environment | `POST /compute-envs/{computeEnvId}/disable` | +| | Enable compute environment | `POST /compute-envs/{computeEnvId}/enable` | +| | Validate compute environment name availability | `GET /compute-envs/validate` | +| **compute_environment:delete** | Delete a compute environment | `DELETE /compute-envs/{computeEnvId}` | +| **credentials:read** | List all credentials in workspace | `GET /credentials` | +| | View credential details | `GET /credentials/{credentialsId}` | +| **credentials:write** | Add new credentials | `POST /credentials` | +| | Edit existing credentials | `PUT /credentials/{credentialsId}` | +| | Validate credentials | _(Used by Platform)_ | +| | Validate credential name availability | `GET /credentials/validate` | +| **credentials:delete** | Delete credentials | `DELETE /credentials/{credentialsId}` | +| **credentials_encrypted:read** | Get encrypted credentials | _(Used by Platform)_ | +| **pipeline_secrets:read** | List all pipeline secrets | `GET /pipeline-secrets` | +| | View pipeline secret details | `GET /pipeline-secrets/{secretId}` | +| **pipeline_secrets:write** | Create a new pipeline secret | `POST /pipeline-secrets` | +| | Validate secret name availability | `GET /pipeline-secrets/validate` | +| | Edit an existing pipeline secret | `PUT /pipeline-secrets/{secretId}` | +| **pipeline_secrets:delete** | Delete a pipeline secret | `DELETE /pipeline-secrets/{secretId}` | +| 
**platform:read** | List available platforms | `GET /platforms` | +| | List platform regions | `GET /platforms/{platformId}/regions` | +| | View platform details | `GET /platforms/{platformId}` | + +#### Data + +| Permission | Description | API endpoint | +|------------|-------------|--------------| +| **data_link:read** | List all data-links (cloud buckets) | `GET /data-links` | +| | Browse data-link contents | `GET /data-links/{dataLinkId}/browse` | +| | Browse data-link contents at the given path | `GET /data-links/{dataLinkId}/browse/{path}` | +| | View data-link details | `GET /data-links/{dataLinkId}` | +| **data_link:write** | Refresh data-link cache | `GET /data-links/cache/refresh` | +| | Browse data-link directory tree | `GET /data-links/{dataLinkId}/browse-tree` | +| | Download files from data-link | `GET /data-links/{dataLinkId}/download/{filePath}` | +| | Generate download URL for data-link files | `GET /data-links/{dataLinkId}/generate-download-url` | +| | Generate download script | `GET /data-links/{dataLinkId}/script/download` | +| | Upload files to data-link | `POST /data-links/{dataLinkId}/upload` | +| | Upload files to data-link at the given path | `POST /data-links/{dataLinkId}/upload/{dirPath}` | +| | Complete file upload to data-link | `POST /data-links/{dataLinkId}/upload/finish` | +| | Complete file upload to data-link at the given path | `POST /data-links/{dataLinkId}/upload/finish/{dirPath}` | +| | Create a custom data-link | `POST /data-links` | +| | Edit data-link metadata | `PUT /data-links/{dataLinkId}` | +| **data_link:delete** | Delete files from data-link | `DELETE /data-links/{dataLinkId}/content` | +| | Remove a data-link from workspace | `DELETE /data-links/{dataLinkId}` | +| **data_link:admin** | Hide data-links | _(Used by Platform)_ | +| | Show data-links | _(Used by Platform)_ | +| **dataset:read** | List datasets (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets` | +| | List workspace dataset versions (legacy 
endpoint) | `GET /workspaces/{workspaceId}/datasets/versions` | +| | List dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/versions` | +| | View dataset metadata (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/metadata` | +| | Download dataset | `GET /workspaces/{workspaceId}/datasets/{datasetId}/v/{version}/n/{fileName}` | +| | List all datasets | `GET /datasets` | +| | List latest dataset versions | `GET /datasets/versions` | +| | List versions for a specific dataset | `GET /datasets/{datasetId}/versions` | +| | List datasets used in a pipeline launch | `GET /launch/{launchId}/datasets` | +| | View dataset metadata | `GET /datasets/{datasetId}/metadata` | +| | Download dataset files | `GET /datasets/{datasetId}/v/{version}/n/{fileName}` | +| **dataset:write** | Create dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets` | +| | Edit dataset (legacy endpoint) | `PUT /workspaces/{workspaceId}/datasets/{datasetId}` | +| | Upload dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets/{datasetId}/upload` | +| | Create a new dataset | `POST /datasets` | +| | Edit dataset metadata | `PUT /datasets/{datasetId}` | +| | Upload files to dataset | `POST /datasets/{datasetId}/upload` | +| **dataset:delete** | Delete dataset (legacy endpoint) | `DELETE /workspaces/{workspaceId}/datasets/{datasetId}` | +| | Delete a single dataset | `DELETE /datasets/{datasetId}` | +| | Delete multiple datasets | `DELETE /datasets` | +| **dataset:admin** | Hide any workspace user's datasets | `POST /datasets/hide` | +| | Show any workspace user's datasets | `POST /datasets/show` | +| | Disable any workspace user's dataset version | `POST /datasets/{datasetId}/versions/{version}/disable` | +| **dataset_label:write** | Add labels to datasets | `POST /datasets/labels/add` | +| | Remove labels from datasets | `POST /datasets/labels/remove` | +| | Apply label sets to datasets | `POST /datasets/labels/apply` 
| + +#### Pipelines + +| Permission | Description | API endpoint | +|------------|-------------|--------------| +| **action:read** | View action details | `GET /actions/{actionId}` | +| | View available action types | `GET /actions/types` | +| | List all actions in workspace | `GET /actions` | +| **action:execute** | Trigger an action to run | `POST /actions/{actionId}/launch` | +| **action:write** | Create a new action | `POST /actions` | +| | Edit an existing action | `PUT /actions/{actionId}` | +| | Test action configuration | _(Used by Platform)_ | +| | Pause a running action | `POST /actions/{actionId}/pause` | +| | Validate action name availability | `GET /actions/validate` | +| **action:delete** | Delete an action | `DELETE /actions/{actionId}` | +| **action_label:write** | Apply resource labels when adding an action | Sub-operation on `POST /actions` | +| | Apply resource labels when editing an action | Sub-operation on `PUT /actions/{actionId}` | +| | Add labels to actions | `POST /actions/labels/add` | +| | Remove labels from actions | `POST /actions/labels/remove` | +| | Apply label sets to actions | `POST /actions/labels/apply` | +| **container:read** | View container details | _(Used by Platform)_ | +| | List containers | _(Used by Platform)_ | +| | List workflow containers | _(Used by Platform)_ | +| **launch:read** | View launch details | `GET /launch/{launchId}` | +| **pipeline:read** | View pipeline repository information | `GET /pipelines/info` | +| | View pipeline schema and parameters | `GET /pipelines/{pipelineId}/schema` | +| | View pipeline schema from repository URL | _(Used by Platform)_ | +| | View pipeline launch configuration | `GET /pipelines/{pipelineId}/launch` | +| | List available pipeline repositories | `GET /pipelines/repositories` | +| | List all pipelines in workspace | `GET /pipelines` | +| | View pipeline details | `GET /pipelines/{pipelineId}` | +| | Fetch pipeline optimization | _(Used by Platform)_ | +| | List pipeline 
versions | _(Used by Platform)_ | +| **pipeline:write** | Modify pipeline details when launching a pipeline run | Sub-operation on `POST /workflow/launch` | +| | Add a new pipeline to workspace | `POST /pipelines` | +| | Edit pipeline configuration | `PUT /pipelines/{pipelineId}` | +| | Configure pipeline | _(Used by Platform)_ | +| | Validate pipeline name availability | `GET /pipelines/validate` | +| | Validate pipeline version name availability | _(Used by Platform)_ | +| | Manage pipeline version | _(Used by Platform)_ | +| **pipeline:delete** | Delete a pipeline | `DELETE /pipelines/{pipelineId}` | +| **pipeline_label:write** | Apply resource labels when launching a pipeline run | Sub-operation on `POST /workflow/launch` | +| | Add labels to pipelines | `POST /pipelines/labels/add` | +| | Apply resource labels when adding a pipeline | Sub-operation on `POST /pipelines` | +| | Apply resource labels when editing a pipeline | Sub-operation on `PUT /pipelines/{pipelineId}` | +| | Remove labels from pipelines | `POST /pipelines/labels/remove` | +| | Apply label sets to pipelines | `POST /pipelines/labels/apply` | +| **workflow:read** | View run details | `GET /workflow/{workflowId}` | +| | View run progress | `GET /workflow/{workflowId}/progress` | +| | List tasks in a run | `GET /workflow/{workflowId}/tasks` | +| | View individual task details | `GET /workflow/{workflowId}/task/{taskId}` | +| | View run metrics | `GET /workflow/{workflowId}/metrics` | +| | List all runs in workspace | `GET /workflow` | +| | View run launch configuration | `GET /workflow/{workflowId}/launch` | +| | View run execution logs | `GET /workflow/{workflowId}/log` | +| | View task-specific logs | `GET /workflow/{workflowId}/log/{taskId}` | +| | Download run logs | `GET /workflow/{workflowId}/download` | +| | Download run content in a workspace | _(Used by Platform)_ | +| | Download task logs | `GET /workflow/{workflowId}/download/{taskId}` | +| | View run reports | _(Used by Platform)_ | 
+| | Download run report | _(Used by Platform)_ | +| | Fetch workflow optimization | _(Used by Platform)_ | +| | Check optimized workflow list | _(Used by Platform)_ | +| **workflow:execute** | Launch a pipeline run | `POST /workflow/launch` | +| | Cancel a running pipeline | `POST /workflow/{workflowId}/cancel` | +| | Launch a pipeline run | _(Used by Platform)_ | +| **workflow:write** | Create execution trace | `POST /trace/create` | +| | Update trace heartbeat | `PUT /trace/{workflowId}/heartbeat` | +| | Mark trace begin | `PUT /trace/{workflowId}/begin` | +| | Mark trace complete | `PUT /trace/{workflowId}/complete` | +| | Update trace progress | `PUT /trace/{workflowId}/progress` | +| **workflow:delete** | Delete a single run | `DELETE /workflow/{workflowId}` | +| | Delete multiple runs | `POST /workflow/delete` | +| **workflow_label:write** | Add labels to runs | `POST /workflow/labels/add` | +| | Remove labels from runs | `POST /workflow/labels/remove` | +| | Apply label sets to runs | `POST /workflow/labels/apply` | +| **workflow_quick:execute** | Launch quick pipeline | Sub-operation on `POST /workflow/launch` | +| | Launch quick pipeline | _(Used by Platform)_ | +| | GA4GH: create a run | `POST /ga4gh/wes/v1/runs` | +| **workflow_star:read** | Check if run is starred (favourited) | `GET /workflow/{workflowId}/star` | +| **workflow_star:write** | Star (favourite) a run | `POST /workflow/{workflowId}/star` | +| **workflow_star:delete** | Unstar (unfavourite) a run | `DELETE /workflow/{workflowId}/star` | + +#### Settings + +| Permission | Description | API endpoint | +|------------|-------------|--------------| +| **label:read** | List all workspace labels | `GET /labels` | +| **label:write** | Create a new label | `POST /labels` | +| | Edit an existing label | `PUT /labels/{labelId}` | +| **label:delete** | Delete a label | `DELETE /labels/{labelId}` | +| **workspace:read** | View workspace details | `GET /orgs/{orgId}/workspaces/{workspaceId}` | +| | List 
workspace participants | `GET /orgs/{orgId}/workspaces/{workspaceId}/participants` | +| **workspace:write** | Edit workspace settings | `PUT /orgs/{orgId}/workspaces/{workspaceId}` | +| | Add a workspace participant | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/add` | +| | Find workspace participant candidates | _(Used by Platform)_ | +| | Change participant role | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | +| | Remove a workspace participant (user or team) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Remove a workspace user (member or collaborator) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` | +| **workspace:delete** | Delete the workspace | `DELETE /orgs/{orgId}/workspaces/{workspaceId}` | +| **workspace:admin** | Change participant role to/from Owner | Sub-operation on `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | +| | Remove a workspace Owner by participantId | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Remove a workspace Owner by userId | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` | +| **workspace_self:delete** | Leave workspace (remove self as participant) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants` | +| **workspace_studio:read** | View studio settings for workspace | `GET /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | +| **workspace_studio:write** | Edit studio settings for workspace | `PUT /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | + +#### Studios + +| Permission | Description | API endpoint | +|------------|-------------|--------------| +| **studio:read** | View studio session details | `GET /studios/{sessionId}` | +| | View studio repository details | _(Used by Platform)_ | +| | List all studios in workspace | `GET /studios` | +| | List available studio templates | `GET 
/studios/templates` | +| | List checkpoints for a studio | `GET /studios/{sessionId}/checkpoints` | +| | View checkpoint details | `GET /studios/{sessionId}/checkpoints/{checkpointId}` | +| **studio:execute** | List mounted data-links for studios | `GET /studios/data-links` | +| | Start a studio session | `PUT /studios/{sessionId}/start` | +| | Stop a studio session | `PUT /studios/{sessionId}/stop` | +| **studio:write** | Create a new studio | `POST /studios` | +| | Edit checkpoint name | `PUT /studios/{sessionId}/checkpoints/{checkpointId}` | +| | Validate studio name availability | `GET /studios/validate` | +| **studio:delete** | Delete a studio | `DELETE /studios/{sessionId}` | +| **studio:admin** | Delete another user's private studio | Sub-operation on `DELETE /studios/{sessionId}` | +| | Start another user's private studio | Sub-operation on `PUT /studios/{sessionId}/start` | +| | Stop another user's private studio | Sub-operation on `PUT /studios/{sessionId}/stop` | +| | Extend another user's private studio session lifespan (iframe) | _(Used by Platform)_ | +| | Extend another user's private studio session lifespan | Sub-operation on `POST /studios/{sessionId}/lifespan` | +| | Administer another user's private studio | _(Used by Platform)_ | +| **studio_label:write** | Apply resource labels when starting a studio | Sub-operation on `PUT /studios/{sessionId}/start` | +| **studio_session:read** | Open a studio | _(Used by Platform)_ | +| **studio_session:execute** | Extend studio session lifespan (iframe) | _(Used by Platform)_ | +| | Extend studio session lifespan | `POST /studios/{sessionId}/lifespan` | From 87e0e653aae90d566c845e8f9bcd585b1479c074 Mon Sep 17 00:00:00 2001 
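Review bot: the Permissions section never explains the "Sub-operation on `…`" wording used throughout these tables (the rows imply an additional permission checked for part of a request, for example `pipeline:write` on `POST /workflow/launch`), and several read-only operations are gated behind write or execute permissions: `data_link:write` covers `GET /data-links/{dataLinkId}/download/{filePath}`, `GET /data-links/{dataLinkId}/generate-download-url` and `GET /data-links/{dataLinkId}/browse-tree`, and `studio:execute` covers `GET /studios/data-links`. A reader building a least-privilege role will assume `data_link:read` is enough to download files and be wrong, so add a sentence to the intro defining sub-operations and a note on the `data_link:read` rows that downloading requires `data_link:write`. Two rows repeat their predecessor with only the endpoint column differing (`workflow:execute` / "Launch a pipeline run" and `workflow_quick:execute` / "Launch quick pipeline"); merge each pair into one row. The front matter also carries `date created: "2025-11-17"` copied from the Enterprise page although this file is new in this patch.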
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:03:01 -0500 Subject: [PATCH 3/7] Add API exclusion flags to Netlify deploy preview Set EXCLUDE_PLATFORM_API and EXCLUDE_OPENAPI to true for deploy previews to prevent build failures from large API documentation. Co-Authored-By: Claude Sonnet 4.5 --- netlify.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/netlify.toml b/netlify.toml index d71841d05..89374c5b7 100644 --- a/netlify.toml +++ b/netlify.toml @@ -15,6 +15,8 @@ [context.deploy-preview.build.environment] INCLUDE_NEXT="true" + EXCLUDE_PLATFORM_API="true" + EXCLUDE_OPENAPI="true" # Seqera API docs are too large to host / build on netlify on their own. # The appropriate ENVVAR is set to disable the API Builds on Netlify for the main docs site. From 98c093eed0bd463872d99d1552a35e21ad3fa152 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:15:18 -0500 Subject: [PATCH 4/7] Update .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 076d89e4d..41140f047 100644 --- a/.gitignore +++ b/.gitignore @@ -40,6 +40,7 @@ internal/tmp # OSS repo clones multiqc_docs/multiqc_repo wave_docs/wave_repo +platform-repo/* # Python __pycache__/ From b0459936da4902660fbf36dc8749800c8ac87791 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:17:34 -0500 Subject: [PATCH 5/7] Update .gitmodules --- .gitmodules | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitmodules b/.gitmodules index e69de29bb..33a19c8ec 100644 --- a/.gitmodules +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "platform-repo"] + path = platform-repo + url = https://github.com/seqeralabs/platform.git From f5e2215c251b1d7b3a6da1a6b1587a4acb6510fa Mon Sep 17 00:00:00 2001 
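Review bot: the `.gitignore` pattern `platform-repo/*` ignores the files inside the clone but not the `platform-repo` path itself; because the clone has its own `.git`, git treats it as a nested repository and `git add -A` still stages it as a gitlink, which is exactly the `create mode 160000 platform-repo` that appeared earlier in this series. Use `platform-repo/` as the pattern so the workflow checkout cannot be committed again.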
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:21:41 -0500 Subject: [PATCH 6/7] Remove platform-repo submodule The platform-repo is only needed temporarily during the workflow execution to extract permissions tables. It should not be a permanent submodule. - Remove platform-repo from .gitmodules - Remove platform-repo directory - Add platform-repo/ to .gitignore to prevent future commits This fixes Netlify deployment failures caused by the inaccessible submodule. Co-Authored-By: Claude Sonnet 4.5 --- .gitmodules | 3 --- platform-repo | 1 - 2 files changed, 4 deletions(-) delete mode 160000 platform-repo diff --git a/.gitmodules b/.gitmodules index 33a19c8ec..e69de29bb 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +0,0 @@ -[submodule "platform-repo"] - path = platform-repo - url = https://github.com/seqeralabs/platform.git diff --git a/platform-repo b/platform-repo deleted file mode 160000 index d437392c2..000000000 --- a/platform-repo +++ /dev/null @@ -1 +0,0 @@ -Subproject commit d437392c2633808666e3ed132e3c44bbb7a152e7 From 064b62126dbfcc77d930449b984f350f76974de0 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:39:52 -0500 Subject: [PATCH 7/7] Update version-25.3 custom-roles.md with latest permissions tables Sync the version-25.3 custom-roles documentation with the latest permissions tables from the current Enterprise version. This ensures parity for the upcoming 25.3 patch release. Key updates: - Updated table formatting (empty cells vs repeated permission names) - Added missing operations (disable/enable compute environment) - Improved descriptions for workspace operations - Removed deprecated essential:read permission - Updated Studios admin permissions structure Co-Authored-By: Claude Sonnet 4.5 --- .../orgs-and-teams/custom-roles.md | 295 +++++++++--------- 1 file changed, 150 insertions(+), 145 deletions(-) 
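Review bot: the commit message says `platform-repo/` is added to `.gitignore`, but this diff touches only `.gitmodules` and the `platform-repo` gitlink; the `.gitignore` edit is in patch 4/7 and uses `platform-repo/*`, which does not cover the nested repository entry. Since patch 5/7 adds the submodule and this patch removes it, squash the two (together with the gitlink created in the first patch) so that no commit in the series carries a pointer to a repository the Netlify build cannot fetch.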
diff --git a/platform-enterprise_versioned_docs/version-25.3/orgs-and-teams/custom-roles.md b/platform-enterprise_versioned_docs/version-25.3/orgs-and-teams/custom-roles.md index ae251bbd0..ab9f3ac1b 100644 --- a/platform-enterprise_versioned_docs/version-25.3/orgs-and-teams/custom-roles.md +++ b/platform-enterprise_versioned_docs/version-25.3/orgs-and-teams/custom-roles.md @@ -6,7 +6,7 @@ last updated: "2025-11-17" tags: [roles, user-roles, custom roles, rbac, permissions] --- -Seqera Platform supports custom roles to define permissions-based access control at a more granular level than the six default [workspace participant roles](./roles.md#workspace-participant-roles). +Seqera Platform supports custom roles to define permissions-based access control at a more granular level than the six default [workspace participant roles](./roles.md#workspace-participant-roles). ### Create custom roles 
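Review bot: the `-` and `+` lines in this hunk are identical in the rendered diff, which points to a trailing-whitespace change rather than a content edit; have the generator strip trailing whitespace before writing the versioned page so sync PRs only show substantive changes.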
@@ -15,171 +15,175 @@ Organization owners can add custom roles and assign read, write, execute, admin, 1. Select your organization name from the organization and workspace switcher in the top navigation. 1. Select **Access control** to view the list of default and custom roles available in your organization. 1. Select **Add role**. -1. Enter a role **Name** and optional **Description**. -1. From the **Permissions** list, select the **Read**, **Write**, **Execute**, **Admin**, and **Delete** permissions your custom role requires for each resource type. -1. Select **Add** to create the custom role and return to the **Access control** roles list. +1. Enter a role **Name** and optional **Description**. +1. From the **Permissions** list, select the **Read**, **Write**, **Execute**, **Admin**, and **Delete** permissions your custom role requires for each resource type. +1. Select **Add** to create the custom role and return to the **Access control** roles list. -Select **Edit** or **Delete** to manage existing custom roles in the list. +Select **Edit** or **Delete** to manage existing custom roles in the list. ### Permissions -Individual permissions grant read, write, execute, admin, or delete access for each Seqera entity. Individual read and write permissions may grant access for multiple operations via the Platform UI, API, and other programmatic tools such as Platform CLI. For example, the `action:read` permission allows a user to view the list of actions in a workspace, view the details of a specific action, and view available action types. +Individual permissions grant read, write, execute, admin, or delete access for each Seqera entity. Individual read and write permissions may grant access for multiple operations via the Platform UI, API, and other programmatic tools such as Platform CLI. For example, the `action:read` permission allows a user to view the list of actions in a workspace, view the details of a specific action, and view available action types. 
#### Compute | Permission | Description | API endpoint | |------------|-------------|--------------| | **compute_environment:read** | List all compute environments | `GET /compute-envs` | -| | View compute environment details | `GET /compute-envs/{computeEnvId}` | +| | View compute environment details | `GET /compute-envs/{computeEnvId}` | | **compute_environment:write** | Create a new compute environment | `POST /compute-envs` | -| | Edit an existing compute environment | `PUT /compute-envs/{computeEnvId}` | -| | Set a compute environment as primary | `POST /compute-envs/{computeEnvId}/primary` | -| | Validate compute environment name availability | `GET /compute-envs/validate` | +| | Edit an existing compute environment | `PUT /compute-envs/{computeEnvId}` | +| | Set a compute environment as primary | `POST /compute-envs/{computeEnvId}/primary` | +| | Disable compute environment | `POST /compute-envs/{computeEnvId}/disable` | +| | Enable compute environment | `POST /compute-envs/{computeEnvId}/enable` | +| | Validate compute environment name availability | `GET /compute-envs/validate` | | **compute_environment:delete** | Delete a compute environment | `DELETE /compute-envs/{computeEnvId}` | | **credentials:read** | List all credentials in workspace | `GET /credentials` | -| | View credential details | `GET /credentials/{credentialsId}` | +| | View credential details | `GET /credentials/{credentialsId}` | | **credentials:write** | Add new credentials | `POST /credentials` | -| | Edit existing credentials | `PUT /credentials/{credentialsId}` | -| | Validate credentials | _(Used by Platform)_ | -| | Validate credential name availability | `GET /credentials/validate` | +| | Edit existing credentials | `PUT /credentials/{credentialsId}` | +| | Validate credentials | _(Used by Platform)_ | +| | Validate credential name availability | `GET /credentials/validate` | | **credentials:delete** | Delete credentials | `DELETE /credentials/{credentialsId}` | | 
**credentials_encrypted:read** | Get encrypted credentials | _(Used by Platform)_ | | **pipeline_secrets:read** | List all pipeline secrets | `GET /pipeline-secrets` | -| | View pipeline secret details | `GET /pipeline-secrets/{secretId}` | +| | View pipeline secret details | `GET /pipeline-secrets/{secretId}` | | **pipeline_secrets:write** | Create a new pipeline secret | `POST /pipeline-secrets` | -| | Validate secret name availability | `GET /pipeline-secrets/validate` | -| | Edit an existing pipeline secret | `PUT /pipeline-secrets/{secretId}` | +| | Validate secret name availability | `GET /pipeline-secrets/validate` | +| | Edit an existing pipeline secret | `PUT /pipeline-secrets/{secretId}` | | **pipeline_secrets:delete** | Delete a pipeline secret | `DELETE /pipeline-secrets/{secretId}` | | **platform:read** | List available platforms | `GET /platforms` | -| | List platform regions | `GET /platforms/{platformId}/regions` | -| | View platform details | `GET /platforms/{platformId}` | -| **essential:read** | List available features | _(Used by Platform)_ | +| | List platform regions | `GET /platforms/{platformId}/regions` | +| | View platform details | `GET /platforms/{platformId}` | #### Data | Permission | Description | API endpoint | |------------|-------------|--------------| | **data_link:read** | List all data-links (cloud buckets) | `GET /data-links` | -| | Browse data-link contents | `GET /data-links/{dataLinkId}/browse` | -| | View data-link details | `GET /data-links/{dataLinkId}` | +| | Browse data-link contents | `GET /data-links/{dataLinkId}/browse` | +| | Browse data-link contents at the given path | `GET /data-links/{dataLinkId}/browse/{path}` | +| | View data-link details | `GET /data-links/{dataLinkId}` | | **data_link:write** | Refresh data-link cache | `GET /data-links/cache/refresh` | -| | Browse data-link directory tree | `GET /data-links/{dataLinkId}/browse-tree` | -| | Download files from data-link | `GET 
/data-links/{dataLinkId}/download` | -| | Generate download URL for data-link files | `GET /data-links/{dataLinkId}/generate-download-url` | -| | Generate download script | `GET /data-links/{dataLinkId}/script/download` | -| | Upload files to data-link | `POST /data-links/{dataLinkId}/upload` | -| | Complete file upload to data-link | `POST /data-links/{dataLinkId}/upload/finish` | -| | Create a custom data-link | `POST /data-links` | -| | Edit data-link metadata | `PUT /data-links/{dataLinkId}` | +| | Browse data-link directory tree | `GET /data-links/{dataLinkId}/browse-tree` | +| | Download files from data-link | `GET /data-links/{dataLinkId}/download/{filePath}` | +| | Generate download URL for data-link files | `GET /data-links/{dataLinkId}/generate-download-url` | +| | Generate download script | `GET /data-links/{dataLinkId}/script/download` | +| | Upload files to data-link | `POST /data-links/{dataLinkId}/upload` | +| | Upload files to data-link at the given path | `POST /data-links/{dataLinkId}/upload/{dirPath}` | +| | Complete file upload to data-link | `POST /data-links/{dataLinkId}/upload/finish` | +| | Complete file upload to data-link at the given path | `POST /data-links/{dataLinkId}/upload/finish/{dirPath}` | +| | Create a custom data-link | `POST /data-links` | +| | Edit data-link metadata | `PUT /data-links/{dataLinkId}` | | **data_link:delete** | Delete files from data-link | `DELETE /data-links/{dataLinkId}/content` | -| | Remove a data-link from workspace | `DELETE /data-links/{dataLinkId}` | +| | Remove a data-link from workspace | `DELETE /data-links/{dataLinkId}` | | **data_link:admin** | Hide data-links | _(Used by Platform)_ | -| | Show data-links | _(Used by Platform)_ | +| | Show data-links | _(Used by Platform)_ | | **dataset:read** | List datasets (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets` | -| | List workspace dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/versions` | -| | List dataset 
versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/versions` | -| | View dataset metadata (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/metadata` | -| | Download dataset files (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/v/{version}/n/{fileName}` | -| | List all datasets | `GET /datasets` | -| | List latest dataset versions | `GET /datasets/versions` | -| | List versions for a specific dataset | `GET /datasets/{datasetId}/versions` | -| | List datasets used in a pipeline launch | `GET /launch/{launchId}/datasets` | -| | View dataset metadata | `GET /datasets/{datasetId}/metadata` | -| | Download dataset files | `GET /datasets/{datasetId}/v/{version}/n/{fileName}` | +| | List workspace dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/versions` | +| | List dataset versions (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/versions` | +| | View dataset metadata (legacy endpoint) | `GET /workspaces/{workspaceId}/datasets/{datasetId}/metadata` | +| | Download dataset | `GET /workspaces/{workspaceId}/datasets/{datasetId}/v/{version}/n/{fileName}` | +| | List all datasets | `GET /datasets` | +| | List latest dataset versions | `GET /datasets/versions` | +| | List versions for a specific dataset | `GET /datasets/{datasetId}/versions` | +| | List datasets used in a pipeline launch | `GET /launch/{launchId}/datasets` | +| | View dataset metadata | `GET /datasets/{datasetId}/metadata` | +| | Download dataset files | `GET /datasets/{datasetId}/v/{version}/n/{fileName}` | | **dataset:write** | Create dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets` | -| | Edit dataset (legacy endpoint) | `PUT /workspaces/{workspaceId}/datasets/{datasetId}` | -| | Upload dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets/{datasetId}/upload` | -| | Create a new dataset | `POST /datasets` | -| | Edit dataset metadata | `PUT 
/datasets/{datasetId}` | -| | Upload files to dataset | `POST /datasets/{datasetId}/upload` | +| | Edit dataset (legacy endpoint) | `PUT /workspaces/{workspaceId}/datasets/{datasetId}` | +| | Upload dataset (legacy endpoint) | `POST /workspaces/{workspaceId}/datasets/{datasetId}/upload` | +| | Create a new dataset | `POST /datasets` | +| | Edit dataset metadata | `PUT /datasets/{datasetId}` | +| | Upload files to dataset | `POST /datasets/{datasetId}/upload` | | **dataset:delete** | Delete dataset (legacy endpoint) | `DELETE /workspaces/{workspaceId}/datasets/{datasetId}` | -| | Delete a single dataset | `DELETE /datasets/{datasetId}` | -| | Delete multiple datasets | `DELETE /datasets` | -| **dataset:admin** | Hide datasets | `POST /datasets/hide` | -| | Show datasets | `POST /datasets/show` | -| | Disable dataset version | `POST /datasets/{datasetId}/versions/{version}/disable` | +| | Delete a single dataset | `DELETE /datasets/{datasetId}` | +| | Delete multiple datasets | `DELETE /datasets` | +| **dataset:admin** | Hide any workspace user's datasets | `POST /datasets/hide` | +| | Show any workspace user's datasets | `POST /datasets/show` | +| | Disable any workspace user's dataset version | `POST /datasets/{datasetId}/versions/{version}/disable` | | **dataset_label:write** | Add labels to datasets | `POST /datasets/labels/add` | -| | Remove labels from datasets | `POST /datasets/labels/remove` | -| | Apply label sets to datasets | `POST /datasets/labels/apply` | +| | Remove labels from datasets | `POST /datasets/labels/remove` | +| | Apply label sets to datasets | `POST /datasets/labels/apply` | #### Pipelines | Permission | Description | API endpoint | |------------|-------------|--------------| | **action:read** | View action details | `GET /actions/{actionId}` | -| | View available action types | `GET /actions/types` | -| | List all actions in workspace | `GET /actions` | +| | View available action types | `GET /actions/types` | +| | List all actions in 
workspace | `GET /actions` | | **action:execute** | Trigger an action to run | `POST /actions/{actionId}/launch` | | **action:write** | Create a new action | `POST /actions` | -| | Edit an existing action | `PUT /actions/{actionId}` | -| | Test action configuration | _(Used by Platform)_ | -| | Pause a running action | `POST /actions/{actionId}/pause` | -| | Validate action name availability | `GET /actions/validate` | +| | Edit an existing action | `PUT /actions/{actionId}` | +| | Test action configuration | _(Used by Platform)_ | +| | Pause a running action | `POST /actions/{actionId}/pause` | +| | Validate action name availability | `GET /actions/validate` | | **action:delete** | Delete an action | `DELETE /actions/{actionId}` | -| **action_label:write** | Apply resource labels when creating actions | Sub-operation on `POST /actions` | -| | Apply resource labels when updating actions | Sub-operation on `PUT /actions/{actionId}` | -| | Add labels to actions | `POST /actions/labels/add` | -| | Remove labels from actions | `POST /actions/labels/remove` | -| | Apply label sets to actions | `POST /actions/labels/apply` | +| **action_label:write** | Apply resource labels when adding an action | Sub-operation on `POST /actions` | +| | Apply resource labels when editing an action | Sub-operation on `PUT /actions/{actionId}` | +| | Add labels to actions | `POST /actions/labels/add` | +| | Remove labels from actions | `POST /actions/labels/remove` | +| | Apply label sets to actions | `POST /actions/labels/apply` | | **container:read** | View container details | _(Used by Platform)_ | -| | List containers | _(Used by Platform)_ | -| | List workflow containers | _(Used by Platform)_ | +| | List containers | _(Used by Platform)_ | +| | List workflow containers | _(Used by Platform)_ | | **launch:read** | View launch details | `GET /launch/{launchId}` | | **pipeline:read** | View pipeline repository information | `GET /pipelines/info` | -| | View pipeline schema and 
parameters | `GET /pipelines/{pipelineId}/schema` | -| | View pipeline schema from repository URL | _(Used by Platform)_ | -| | View pipeline launch configuration | `GET /pipelines/{pipelineId}/launch` | -| | List available pipeline repositories | `GET /pipelines/repositories` | -| | List all pipelines in workspace | `GET /pipelines` | -| | View pipeline details | `GET /pipelines/{pipelineId}` | -| | Fetch pipeline optimization | _(Used by Platform)_ | -| | List pipeline versions | _(Used by Platform)_ | -| **pipeline:write** | Overwrite fields when creating workflow launch | Sub-operation on `POST /workflow/launch` | -| | Add a new pipeline to workspace | `POST /pipelines` | -| | Edit pipeline configuration | `PUT /pipelines/{pipelineId}` | -| | Configure pipeline | _(Used by Platform)_ | -| | Validate pipeline name availability | `GET /pipelines/validate` | -| | Validate pipeline version name | _(Used by Platform)_ | -| | Manage pipeline version | _(Used by Platform)_ | +| | View pipeline schema and parameters | `GET /pipelines/{pipelineId}/schema` | +| | View pipeline schema from repository URL | _(Used by Platform)_ | +| | View pipeline launch configuration | `GET /pipelines/{pipelineId}/launch` | +| | List available pipeline repositories | `GET /pipelines/repositories` | +| | List all pipelines in workspace | `GET /pipelines` | +| | View pipeline details | `GET /pipelines/{pipelineId}` | +| | Fetch pipeline optimization | _(Used by Platform)_ | +| | List pipeline versions | _(Used by Platform)_ | +| **pipeline:write** | Modify pipeline details when launching a pipeline run | Sub-operation on `POST /workflow/launch` | +| | Add a new pipeline to workspace | `POST /pipelines` | +| | Edit pipeline configuration | `PUT /pipelines/{pipelineId}` | +| | Configure pipeline | _(Used by Platform)_ | +| | Validate pipeline name availability | `GET /pipelines/validate` | +| | Validate pipeline version name availability | _(Used by Platform)_ | +| | Manage pipeline version 
| _(Used by Platform)_ | | **pipeline:delete** | Delete a pipeline | `DELETE /pipelines/{pipelineId}` | -| **pipeline_label:write** | Apply resource labels when launching workflows | Sub-operation on `POST /workflow/launch` | -| | Add labels to pipelines | `POST /pipelines/labels/add` | -| | Apply resource labels when creating pipelines | Sub-operation on `POST /pipelines` | -| | Apply resource labels when updating pipelines | Sub-operation on `PUT /pipelines/{pipelineId}` | -| | Remove labels from pipelines | `POST /pipelines/labels/remove` | -| | Apply label sets to pipelines | `POST /pipelines/labels/apply` | +| **pipeline_label:write** | Apply resource labels when launching a pipeline run | Sub-operation on `POST /workflow/launch` | +| | Add labels to pipelines | `POST /pipelines/labels/add` | +| | Apply resource labels when adding a pipeline | Sub-operation on `POST /pipelines` | +| | Apply resource labels when editing a pipeline | Sub-operation on `PUT /pipelines/{pipelineId}` | +| | Remove labels from pipelines | `POST /pipelines/labels/remove` | +| | Apply label sets to pipelines | `POST /pipelines/labels/apply` | | **workflow:read** | View run details | `GET /workflow/{workflowId}` | -| | View run progress | `GET /workflow/{workflowId}/progress` | -| | List tasks in a run | `GET /workflow/{workflowId}/tasks` | -| | View individual task details | `GET /workflow/{workflowId}/task/{taskId}` | -| | View run metrics | `GET /workflow/{workflowId}/metrics` | -| | List all runs in workspace | `GET /workflow` | -| | View run launch configuration | `GET /workflow/{workflowId}/launch` | -| | View run execution logs | `GET /workflow/{workflowId}/log` | -| | View task-specific logs | `GET /workflow/{workflowId}/log/{taskId}` | -| | Download run logs | `GET /workflow/{workflowId}/download` | -| | Download workflow workspace content | _(Used by Platform)_ | -| | Download task logs | `GET /workflow/{workflowId}/download/{taskId}` | -| | View workflow reports | _(Used by 
Platform)_ | -| | Download workflow report | _(Used by Platform)_ | -| | Fetch workflow optimization | _(Used by Platform)_ | -| | Check optimized workflow list | _(Used by Platform)_ | +| | View run progress | `GET /workflow/{workflowId}/progress` | +| | List tasks in a run | `GET /workflow/{workflowId}/tasks` | +| | View individual task details | `GET /workflow/{workflowId}/task/{taskId}` | +| | View run metrics | `GET /workflow/{workflowId}/metrics` | +| | List all runs in workspace | `GET /workflow` | +| | View run launch configuration | `GET /workflow/{workflowId}/launch` | +| | View run execution logs | `GET /workflow/{workflowId}/log` | +| | View task-specific logs | `GET /workflow/{workflowId}/log/{taskId}` | +| | Download run logs | `GET /workflow/{workflowId}/download` | +| | Download run content in a workspace | _(Used by Platform)_ | +| | Download task logs | `GET /workflow/{workflowId}/download/{taskId}` | +| | View run reports | _(Used by Platform)_ | +| | Download run report | _(Used by Platform)_ | +| | Fetch workflow optimization | _(Used by Platform)_ | +| | Check optimized workflow list | _(Used by Platform)_ | | **workflow:execute** | Launch a pipeline run | `POST /workflow/launch` | -| | Cancel a running pipeline | `POST /workflow/{workflowId}/cancel` | -| | Launch pipeline | _(Used by Platform)_ | +| | Cancel a running pipeline | `POST /workflow/{workflowId}/cancel` | +| | Launch a pipeline run | _(Used by Platform)_ | | **workflow:write** | Create execution trace | `POST /trace/create` | -| | Update trace heartbeat | `PUT /trace/{workflowId}/heartbeat` | -| | Mark trace begin | `PUT /trace/{workflowId}/begin` | -| | Mark trace complete | `PUT /trace/{workflowId}/complete` | -| | Update trace progress | `PUT /trace/{workflowId}/progress` | +| | Update trace heartbeat | `PUT /trace/{workflowId}/heartbeat` | +| | Mark trace begin | `PUT /trace/{workflowId}/begin` | +| | Mark trace complete | `PUT /trace/{workflowId}/complete` | +| | Update trace 
progress | `PUT /trace/{workflowId}/progress` | | **workflow:delete** | Delete a single run | `DELETE /workflow/{workflowId}` | -| | Delete multiple runs | `POST /workflow/delete` | +| | Delete multiple runs | `POST /workflow/delete` | | **workflow_label:write** | Add labels to runs | `POST /workflow/labels/add` | -| | Remove labels from runs | `POST /workflow/labels/remove` | -| | Apply label sets to runs | `POST /workflow/labels/apply` | -| **workflow_quick:execute** | Create quick launch when creating workflow launch | Sub-operation on `POST /workflow/launch` | -| | Launch quick pipeline | _(Used by Platform)_ | -| | Create GA4GH workflow run | `POST /ga4gh/wes/v1/runs` | +| | Remove labels from runs | `POST /workflow/labels/remove` | +| | Apply label sets to runs | `POST /workflow/labels/apply` | +| **workflow_quick:execute** | Launch quick pipeline | Sub-operation on `POST /workflow/launch` | +| | Launch quick pipeline | _(Used by Platform)_ | +| | GA4GH: create a run | `POST /ga4gh/wes/v1/runs` | | **workflow_star:read** | Check if run is starred (favourited) | `GET /workflow/{workflowId}/star` | | **workflow_star:write** | Star (favourite) a run | `POST /workflow/{workflowId}/star` | | **workflow_star:delete** | Unstar (unfavourite) a run | `DELETE /workflow/{workflowId}/star` | 
@@ -190,48 +194,49 @@ Individual permissions grant read, write, execute, admin, or delete access for e |------------|-------------|--------------| | **label:read** | List all workspace labels | `GET /labels` | | **label:write** | Create a new label | `POST /labels` | -| | Edit an existing label | `PUT /labels/{labelId}` | +| | Edit an existing label | `PUT /labels/{labelId}` | | **label:delete** | Delete a label | `DELETE /labels/{labelId}` | | **workspace:read** | View workspace details | `GET /orgs/{orgId}/workspaces/{workspaceId}` | -| | List workspace participants | `GET /orgs/{orgId}/workspaces/{workspaceId}/participants` | +| | List workspace participants | `GET /orgs/{orgId}/workspaces/{workspaceId}/participants` | | **workspace:write** | Edit workspace settings | `PUT /orgs/{orgId}/workspaces/{workspaceId}` | -| | Add a workspace participant | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/add` | -| | Find workspace participant candidates | _(Used by Platform)_ | -| | Change participant role | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | -| | Remove a workspace participant | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Add a workspace participant | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/add` | +| | Find workspace participant candidates | _(Used by Platform)_ | +| | Change participant role | `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | +| | Remove a workspace participant (user or team) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Remove a workspace user (member or collaborator) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` | | **workspace:delete** | Delete the workspace | `DELETE /orgs/{orgId}/workspaces/{workspaceId}` | -| **workspace:admin** | Modify workspace ownership when updating participant role | Sub-operation on `PUT 
/orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | -| | Delete workspace owner when deleting participant | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| **workspace:admin** | Change participant role to/from Owner | Sub-operation on `PUT /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}/role` | +| | Remove a workspace Owner by participantId | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants/{participantId}` | +| | Remove a workspace Owner by userId | Sub-operation on `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` | | **workspace_self:delete** | Leave workspace (remove self as participant) | `DELETE /orgs/{orgId}/workspaces/{workspaceId}/participants` | | **workspace_studio:read** | View studio settings for workspace | `GET /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | -| **workspace_studio:write** | Edit studio session lifespan settings | `PUT /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | +| **workspace_studio:write** | Edit studio settings for workspace | `PUT /orgs/{orgId}/workspaces/{workspaceId}/settings/studios` | #### Studios | Permission | Description | API endpoint | |------------|-------------|--------------| | **studio:read** | View studio session details | `GET /studios/{sessionId}` | -| | View studio repository details | _(Used by Platform)_ | -| | List all studios in workspace | `GET /studios` | -| | List available studio templates | `GET /studios/templates` | -| | List checkpoints for a studio | `GET /studios/{sessionId}/checkpoints` | -| | View checkpoint details | `GET /studios/{sessionId}/checkpoints/{checkpointId}` | +| | View studio repository details | _(Used by Platform)_ | +| | List all studios in workspace | `GET /studios` | +| | List available studio templates | `GET /studios/templates` | +| | List checkpoints for a studio | `GET /studios/{sessionId}/checkpoints` | +| | View 
checkpoint details | `GET /studios/{sessionId}/checkpoints/{checkpointId}` | | **studio:execute** | List mounted data-links for studios | `GET /studios/data-links` | -| | Start a studio session | `PUT /studios/{sessionId}/start` | -| | Stop a studio session | `PUT /studios/{sessionId}/stop` | +| | Start a studio session | `PUT /studios/{sessionId}/start` | +| | Stop a studio session | `PUT /studios/{sessionId}/stop` | | **studio:write** | Create a new studio | `POST /studios` | -| | Edit checkpoint name | `PUT /studios/{sessionId}/checkpoints/{checkpointId}` | -| | Validate studio name availability | `GET /studios/validate` | +| | Edit checkpoint name | `PUT /studios/{sessionId}/checkpoints/{checkpointId}` | +| | Validate studio name availability | `GET /studios/validate` | | **studio:delete** | Delete a studio | `DELETE /studios/{sessionId}` | -| **studio:admin** | Admin operations on other users' Studios | | -| | Delete studio | Sub-operation on `DELETE /studios/{sessionId}` | -| | Start studio | Sub-operation on `PUT /studios/{sessionId}/start` | -| | Stop studio | Sub-operation on `PUT /studios/{sessionId}/stop` | -| | Extend studio lifespan (iframe) | _(Used by Platform)_ | -| | Extend studio lifespan | Sub-operation on `POST /studios/{sessionId}/lifespan` | -| | Admin access to studio | _(Used by Platform)_ | -| **studio_label:write** | Apply resource labels when starting studios | Sub-operation on `PUT /studios/{sessionId}/start` | -| | Edit studio resource labels | _(Used by Platform)_ | -| **studio_session:read** | Open studio | _(Used by Platform)_ | -| **studio_session:execute** | Extend studio lifespan (iframe) | _(Used by Platform)_ | -| | Extend studio session lifespan | `POST /studios/{sessionId}/lifespan` | \ No newline at end of file +| **studio:admin** | Delete another user's private studio | Sub-operation on `DELETE /studios/{sessionId}` | +| | Start another user's private studio | Sub-operation on `PUT /studios/{sessionId}/start` | +| | Stop 
another user's private studio | Sub-operation on `PUT /studios/{sessionId}/stop` | +| | Extend another user's private studio session lifespan (iframe) | _(Used by Platform)_ | +| | Extend another user's private studio session lifespan | Sub-operation on `POST /studios/{sessionId}/lifespan` | +| | Administer another user's private studio | _(Used by Platform)_ | +| **studio_label:write** | Apply resource labels when starting a studio | Sub-operation on `PUT /studios/{sessionId}/start` | +| **studio_session:read** | Open a studio | _(Used by Platform)_ | +| **studio_session:execute** | Extend studio session lifespan (iframe) | _(Used by Platform)_ | +| | Extend studio session lifespan | `POST /studios/{sessionId}/lifespan` | +| | Extend studio session lifespan | `POST /studios/{sessionId}/lifespan` |
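Review bot: in the first hunk (`@@ -30,156 +30,160 @@`) the two `workflow_quick:execute` rows now carry the identical description "Launch quick pipeline" while mapping to different things (the sub-operation on `POST /workflow/launch` and a Platform-internal operation), so the reader can no longer tell which one the sub-operation gates; the same collapse happens under `workflow:execute`, where "Launch a pipeline run" is used for both `POST /workflow/launch` and _(Used by Platform)_. Keep a distinguishing description on the sub-operation row (the previous "Create quick launch when creating workflow launch" did this) or merge the two rows into one. Also in this hunk, the legacy `dataset:read` download row reads "Download dataset" while the non-legacy row for the same operation reads "Download dataset files"; use one wording so the two rows read as the same operation on two endpoints.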
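Review bot: in the second hunk (`@@ -190,48 +194,49 @@`) the last two `studio_session:execute` rows are an exact duplicate ("Extend studio session lifespan | `POST /studios/{sessionId}/lifespan`" appears twice); drop one. The `studio_label:write` row "Edit studio resource labels | _(Used by Platform)_" is also removed with no replacement, so if that operation still exists its required permission is now undocumented; confirm it was removed from the platform or restore the row. The new `DELETE /orgs/{orgId}/workspaces/{workspaceId}/users/{userId}` row under `workspace:write` is paired with a `workspace:admin` sub-operation for removing an Owner by userId, which keeps the Owner-removal guard documented consistently for both the participantId and userId removal paths; that pairing should stay if either row is reworded.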