edit

README.md

@@ -2,36 +2,63 @@
 
 A collection of scripts to handle permissions in DSP.
 
+
 ## Local setup to run the scripts in this repository
 
 Set up the poetry virtual environment:
 
-- install poetry with `curl -sSL https://install.python-poetry.org | python3 -`
+- Install poetry with `curl -sSL https://install.python-poetry.org | python3 -`
   (for Windows, see [https://python-poetry.org/docs/](https://python-poetry.org/docs/))
-- execute `poetry install`, which will:
+- Execute `poetry install`, which will:
     - create a virtual environment (if there isn't already one)
     - install all dependencies from `poetry.lock`
+- Set the virtual environment's Python interpreter as default interpreter in your IDE,
+  so that your IDE uses the correct Python version and the correct dependencies.
+
 
 ## The DSP permissions system
 
 There are 3 permissions systems:
 
-- **AP**: administrative permissions
-- **OAP**: object access permissions
+- **AP**: Administrative Permissions
+    - define what users of a certain group can do on project level (e.g. create resources, modify groups, etc.)
+- **OAP**: Object Access Permissions
     - define permissions of objects (resources and values)
     - OAPs grant rights to certain user groups.
     - The `<permissions>` tags in the XML of DSP-TOOLS define OAPs.
-- **DOAP**: default object access permissions
+- **DOAP**: Default Object Access Permissions
     - configured on a per-project basis
     - defines what should happen if a resource/property/value is created without OAP.
     - If a new project without DOAPs is created, there is a default DOAP configuration.
       (Until now it isn't possible to specify DOAPs when creating a project.)
 
+The permissions system of DSP is documented
+[here](https://docs.dasch.swiss/2023.10.01/DSP-API/05-internals/design/api-admin/administration/).
+
+The `/admin/permissions` endpoint of DSP-API is documented
+[here](https://docs.dasch.swiss/2023.10.01/DSP-API/03-endpoints/api-admin/permissions/).
+
+
+### APs: Administrative Permissions
+
+A user group can have one or more of the following permissions:
+# is allowed to create resources inside the project
+`ProjectResourceCreateAllPermission`
+# is allowed to create resources of certain classes inside the project
+`ProjectResourceCreateRestrictedPermission`
+# is allowed to do anything on project level
+`ProjectAdminAllPermission`
+# is allowed to modify group info and group membership on all groups belonging to the project
+`ProjectAdminGroupAllPermission`
+# is allowed to modify group info and group membership on certain groups belonging to the project
+`ProjectAdminGroupRestrictedPermission`
+# is allowed to change the permissions on all objects belonging to the project
+`ProjectAdminRightsAllPermission`
+
+
 ### OAPs: Object Access Permissions
 
 OAPs grant **rights** to certain **user groups**.
-[See the docs](https://docs.dasch.swiss/2023.03.01/DSP-API/05-internals/design/api-admin/administration/#permissions)
-for more information.
 
 OAPs are attached to either a resource or a value (value of a property),
 but not to a property.
@@ -93,6 +120,7 @@ If a user creates a resource, DSP checks the following places for DOAPs:
 [See the docs](https://docs.dasch.swiss/2023.03.01/DSP-API/05-internals/design/api-admin/administration/#permission-precedence-rules)
 for more details.
 
+
 ## Typical use cases
 
 If permissions need to be changed, it is usually because of one of the following reasons:
@@ -107,6 +135,7 @@ If permissions need to be changed, it is usually because of one of the following
 If we modify DOAPs, we usually have to modify them for the groups `ProjectMember` and `ProjectAdmin`,
 because these are the two groups that always exist.
 
+
 ## Changing DOAPs
 
 ### Understanding scopes

project_data/F18E/APs_original.json

@@ -0,0 +1,21 @@
+{
+  "Project F18E has 1 APs": [
+    {
+      "forGroup": "http://www.knora.org/ontology/knora-admin#ProjectAdmin",
+      "forProject": "http://rdfh.ch/projects/MsOaiQkcQ7-QPxsYBKckfQ",
+      "hasPermissions": [
+        "ProjectResourceCreateAllPermission",
+        "ProjectAdminAllPermission"
+      ],
+      "iri": "http://rdfh.ch/permissions/F18E/JUY5IEcBTamqTQcjP9VI9Q"
+    },
+    {
+      "forGroup": "http://www.knora.org/ontology/knora-admin#ProjectMember",
+      "forProject": "http://rdfh.ch/projects/MsOaiQkcQ7-QPxsYBKckfQ",
+      "hasPermissions": [
+        "ProjectResourceCreateAllPermission"
+      ],
+      "iri": "http://rdfh.ch/permissions/F18E/XwwqVvWgSmmHrobQubg1uQ"
+    }
+  ]
+}

project_data/F18E/DOAPs_original.json

@@ -0,0 +1,48 @@
+{
+  "Project F18E has 2 DOAPs": [
+    {
+      "target": {
+        "project": "http://rdfh.ch/projects/MsOaiQkcQ7-QPxsYBKckfQ",
+        "group": "http://www.knora.org/ontology/knora-admin#ProjectAdmin"
+      },
+      "scope": {
+        "CR": [
+          "http://www.knora.org/ontology/knora-admin#ProjectAdmin"
+        ],
+        "D": [
+          "http://www.knora.org/ontology/knora-admin#Creator",
+          "http://www.knora.org/ontology/knora-admin#ProjectMember"
+        ],
+        "M": [],
+        "V": [
+          "http://www.knora.org/ontology/knora-admin#KnownUser",
+          "http://www.knora.org/ontology/knora-admin#UnknownUser"
+        ],
+        "RV": []
+      },
+      "doap_iri": "http://rdfh.ch/permissions/F18E/_fc8cFcQTEiz9K0Y4K0Pew"
+    },
+    {
+      "target": {
+        "project": "http://rdfh.ch/projects/MsOaiQkcQ7-QPxsYBKckfQ",
+        "group": "http://www.knora.org/ontology/knora-admin#ProjectMember"
+      },
+      "scope": {
+        "CR": [
+          "http://www.knora.org/ontology/knora-admin#ProjectAdmin"
+        ],
+        "D": [
+          "http://www.knora.org/ontology/knora-admin#Creator",
+          "http://www.knora.org/ontology/knora-admin#ProjectMember"
+        ],
+        "M": [],
+        "V": [
+          "http://www.knora.org/ontology/knora-admin#KnownUser",
+          "http://www.knora.org/ontology/knora-admin#UnknownUser"
+        ],
+        "RV": []
+      },
+      "doap_iri": "http://rdfh.ch/permissions/F18E/6ta44L99Q6-EM9EcCEM0fA"
+    }
+  ]
+}

project_data/F18E/OAPs_original/resource_XwwqVvWgSmuHRobQubg9uQ.json

@@ -0,0 +1,19 @@
+{
+  "scope": {
+    "CR": [
+      "http://www.knora.org/ontology/knora-admin#ProjectAdmin"
+    ],
+    "D": [
+      "http://www.knora.org/ontology/knora-admin#Creator"
+    ],
+    "M": [
+      "http://www.knora.org/ontology/knora-admin#ProjectMember"
+    ],
+    "V": [],
+    "RV": [
+      "http://www.knora.org/ontology/knora-admin#UnknownUser",
+      "http://www.knora.org/ontology/knora-admin#KnownUser"
+    ]
+  },
+  "object_iri": "http://rdfh.ch/0102/XwwqVvWgSmuHRobQubg9uQ"
+}