How to create a simple user w/o any "create new" permissions?

[haimat]

Hi all - with the new permissions system in 2.0 (thanks a lot for that btw.) it seems that every user, even regular non-admins, are able to create new projects and organizations. Is there a way to create a simple user that is solely allowed to annotate jobs within organizations they have been assigned to, without allowing them to create any new projects or organizations?

[nmanovic]

@haimat , if the user has no privilege or worker privilege, it will not be able to create a project. Please see here https://github.com/openvinotoolkit/cvat/blob/develop/cvat/apps/iam/rules/projects.csv. By default all new users have users privilege. You can change that in settings for your CVAT instance: https://github.com/openvinotoolkit/cvat/blob/be334fdee95563b54c011290ffa6b4bbf9fd4296/cvat/settings/base.py#L237

[haimat]

@nmanovic Thanks, I have removed all permissions from my test user and now it is not able to create a new project or task or organization - exactly what I wanted. However, now this user is also not able to save annotations in a job any more. Adding just the "annotator" group also does not allow to save annotations.

So basically what I want is a user that is able to annotate in jobs of projects it is assigned to, but nothing else. It should not be able to create any new projects or tasks or anything else - just annotation only. How to achieve that?

[nmanovic]

@haimat , the short answer is you need correctly update rego rules. They define how to do that completely (as you saw). Split some allow rules on several ones. Let's say you have:

allow {
    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET,
      utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP }[input.scope]
    utils.is_sandbox
    is_task_staff
}

You can do the following trick below. Even it is not complete, it should give you the right idea.

is_task_admin {
    is_project_staff
}

is_task_admin {
    is_task_owner
}

allow {
    { utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP }[input.scope]
    utils.is_sandbox
    is_task_admin
}

allow {
    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA }[input.scope]
    utils.is_sandbox
    is_task_staff
}

[haimat]

Thanks for the information. So in other words there is no out-of-the-box way to achieve what I need? Out of curiousity: Is such a "annotaions only" user/role not something that would be interesting for CVAT in general?

[nmanovic]

Thanks for the information. So in other words there is no out-of-the-box way to achieve what I need? Out of curiousity: Is such a "annotaions only" user/role not something that would be interesting for CVAT in general?

If community needs such functionality, I'm OK to have it. We are happy to get contribution with the feature.

[nmanovic]

A useful link: https://www.openpolicyagent.org/docs/latest/policy-language/

[haimat]

Too bad this is not supported in CVAT. I really love the software and was updating to 2.0 because of this whole new rights management system - I assumed such an "annotations only" user for just one single organization would be supported in this new version. But unfortunately I have never ever worked with OPA so I am not sure how easy it would be for me to come up with a proper solution on my own here :(

[nmanovic]

@haimat , I will recommend to create an issue and see if it is a common issue and community is going to vote for the issue. I have no problems to exclude task:assignee from the ability to export data from a CVAT instance. Just need to understand that it is a common use case.

[haimat]

Great, thank you very much. Could you please post a link to the issue here then?