In the following, we want to provide you with an overview how DSS Container Auto Group Links work.
Let's suppose, we start with the following (existing) groups in TUMonline:
- GROUP1: Alice, Bop, Cesar
- GROUP2: Bop
And let's suppose that Cesar has already
READ_WRITE access to our DSS Data Container
Now suppose, we want to give GROUP1
READ_ONLY access to the DSS Data Container
pr74qo-dss-0003. So we link GROUP1 to the DSS Data Container with access mode
READ_ONLY, using the DSSWeb Self-Service portal.
Now what happens is that a regularly running Update Job will detect this new Group Link, compare the access rights that result from the group link with the already existing container access rights and create the still missing invitations or update changed ones. When computing required creations/updates, the Update Job follows the following rules:
- Manual invitations take precedence over automatic invitations
READ_WRITEinvitations take precedence over
So in our example the Update Job would create two new
READ_ONLY Invitations for Alice and Bop. As Cesar already has an invitation on the container, the update job will skip Cesar as manual invitations take precedence over automatic invitations.
Now suppose, we also link GROUP2 to the DSS Data Container with access mode
READ_WRITE. What will happen the next time the Update Job is running is, that it changes the invitation for Bop from
READ_WRITE invitations take precedence over
Now suppose, Alice is removed from GROUP1. Next time the Update Job is running it will delete Alice's invitation for
pr74qo-dss-0003 as she is no member of any group anymore.
Now suppose, we remove the Link between GROUP1 and
pr74qo-dss-0003. In this case, the Update Job will leave Cesar's invitation untouched, as manual invitations take precedence over automatic invitations. And it will downgrade Bops invitation from
READ_ONLY because Bop is also a member of GROUP2, which is still linked with
Now suppose, we also remove the Link between GROUP2 and
pr74qo-dss-0003. In this case, the Update Job will revoke Bop's access rights for the container completely.