Authorization tracking change

[dylanmcreynolds]

During the strategic planning session, Hari recommended NOT tying the group indicator in runs (or other objects like page) directly to the object, rather to the team who is being given access.

What's being done now

Currently, on ingestion, the run_start document is injected with a data_groups field. This field contains an array of strings, each string corresponding to a team name. When a user queries a list of runs or wants to view an individual run, splash checks to see if that user is in at least one team that is in that list.

Teams can be changed after the fact but data_groups that a run is assigned are static. The data_groups is an array so that multiple teams can have access. You might add a team for the beamline's staff and another for the visiting research team.

Proposal

As I understand the proposal, a collection of run ids would be maintained outside of the run_start document. This collection would store the runs that a team has access to.

This would potentically give a quicker way of querying what runs a team has access to. However, the query would be multi-part. It would have to create a set of the union of all the runs that that all of the teams that the user is a member of has access to, then send that list of uids to another query that asks for details about those runs.

[J-avery32]

@dylanmcreynolds have you finished this issue yet?