In the following, we want to provide you with an overview how DSS Container Auto Group Links work.


Let's suppose, we start with the following (existing) groups in TUMonline:

  • GROUP1: Alice, Bop, Cesar
  • GROUP2: Bop

And let's suppose that Cesar has already READ_WRITE access to our DSS Data Container pr74qo-dss-0003.


Now suppose, we want to give GROUP1 READ_ONLY access to the DSS Data Container pr74qo-dss-0003. So we link GROUP1 to the DSS Data Container with access mode READ_ONLY, using the DSSWeb Self-Service portal.

Now what happens is that a regularly running Update Job will detect this new Group Link, compare the access rights that result from the group link with the already existing container access rights and create the still missing invitations or update changed ones. When computing required creations/updates, the Update Job follows the following rules:

  1. Manual invitations take precedence over automatic invitations
  2. READ_WRITE invitations take precedence over READ_ONLY invitations

So in our example the Update Job would create two new READ_ONLY Invitations for Alice and Bop. As Cesar already has an invitation on the container, the update job will skip Cesar as manual invitations take precedence over automatic invitations.


Now suppose, we also link GROUP2 to the DSS Data Container with access mode READ_WRITE. What will happen the next time the Update Job is running is, that it changes the invitation for Bop from READ_ONLY to READ_WRITE as READ_WRITE invitations take precedence over READ_ONLY invitations.


Now suppose, Alice is removed from GROUP1. Next time the Update Job is running it will delete Alice's invitation for pr74qo-dss-0003 as she is no member of any group anymore.


Now suppose, we remove the Link between GROUP1 and pr74qo-dss-0003. In this case, the Update Job will leave Cesar's invitation untouched, as manual invitations take precedence over automatic invitations. And it will downgrade Bops invitation from READ_WRITE to READ_ONLY because Bop is also a member of GROUP2, which is still linked with READ_ONLY permissions.


Now suppose, we also remove the Link between GROUP2 and pr74qo-dss-0003. In this case, the Update Job will revoke Bop's access rights for the container completely.


Related articles