Permissions

Permissions

is an option for CloudObject and related cloud functions that specifies permissions for classes of users to access or perform operations.

Details

  • Possible settings include:
  • "Public"accessible for primary action by anyone
    "Private"private to the owner
    "unixstring"permissions for everyone specified in Unix string format
    {class1->per1,class2->per2,}different permissions specified for different classes of users or requests
  • The setting "Public" allows execution of APIFunction, FormFunction, and related constructs. It allows reading and interaction for notebook and CDF objects. For other objects, it allows reading only.
  • Possible classes of users or requesters include:
  • Alleveryone
    "Authenticated"everyone signed in as a cloud user
    "Owner"owner of the object
    {user1,user2,}an explicit list of users
    PermissionsGroup["name"]users in a permissions group
    PermissionsKey["key"]requesters with a valid permissions key
    <|"prop1"val1,"prop2"val2,|>requesters for which the propi match vali
  • Users can be referenced by their Wolfram ID names, email addresses, or cloud user UUID strings of the form "user-uuid".
  • Possible elements in the association to define requesters include:
  • "CloudUserID"formcloud user ID of the requesting user conforms to form
    "GeoLocationCountry"forminferred country of origin conforms to form
    "StartDate"datecurrent date is after the specified date
    "EndDate"datecurrent date is before the specified date
  • Dates are specified using DateObject. Countries are specified as Entity objects, or by their standard names (e.g. "UnitedStates").
  • For "CloudUserID" and "GeoLocationCountry", the following can be used:
  • "prop"valueallow only the specified value
    "prop"{value1,value2,}allow any of the valuei
    "prop""Disallow"{value1,}disallow any of the valuei
    "prop"<|"Allow"aval,"Disallow"dval|>allow the values aval; disallow the dval
  • Values for "CloudUserID" can be given as string patterns that include the wildcard character *.
  • Permissions allowed for particular classes of users are specified by giving lists of capabilities.
  • Core file-related capabilities include:
  • "Read"read content from the object
    "Write"write content permanently to the object
    "Execute"execute code in the object (e.g. via a form or API)
    Automaticallow the primary action on the object
    Allallow all actions on the object
  • Core file-related capabilities can also be specified as Unix-like permissions strings of the form "rwx" etc.
  • For APIFunction, FormFunction, and related cloud functions, the primary action associated with Automatic is "Execute". For notebooks, it is "Interact".
  • Additional capabilities related to notebooks include:
  • "Edit"allow editing of the notebook document
    "Save"allow saving of the notebook
    "CellEdit"edit content in existing cells
    "CellCreate"create new cells
    "CellDelete"delete existing cells
    "Evaluate"evaluate code in cells
    "Interact"allow use of interactive content (e.g. Manipulate)
  • "Write" allows arbitrary rewriting of a CloudObject. "Save" allows only material generated by saving a notebook view.
  • "Read" and "Write" affect what is permanently stored in a CloudObject.
  • "Edit" allows temporary modification in a notebook view. "Write" is required to allow modifications to be saved permanently.
  • "Write" is possible only for authenticated users.
  • $Permissions gives the default setting for the Permissions option.

Examples

open allclose all

Basic Examples  (5)

Deploy a cloud object that can be accessed by the world:

By default, deployed cloud objects can be accessed only by the owner:

Make the object accessible by anyone:

Deploy a 3D contour plot that is only visible to a certain user:

Allow anyone with a permissions key ("secret") to access a form:

Allow all capabilities to anyone with a wolfram.com cloud user ID:

Scope  (15)

All  (1)

Allow anyone to read a notebook:

Authenticated  (1)

Allow anyone who is logged in to read a notebook:

Users who are not logged in will be prompted to log in.

Specific Users  (1)

Allow a list of users to access a notebook:

Grant different permission capabilities to different users:

Permissions Group  (1)

Create a permissions group and allow its members to access a notebook:

Permissions Constraints  (10)

Allow users with a user ID in the example.com domain to read a notebook:

Grant access based on a wildcard pattern in the user ID:

Allow anyone except example.com users to access a notebook:

Exclude a user from a pattern:

Allow users from a specific location to access a notebook:

Allow anyone to access a notebook two days from today:

Allow anyone to access a notebook until a specific date:

Allow anyone to access a notebook for a week starting two days from today:

Allow users with a user ID in the example.com domain to access a notebook until a specific date:

Allow only example.com users from Japan to access a notebook for a week:

Mulitiple Users Classes  (1)

Allow user@wolfram.com to have both "Read" and "Interact" capabilities, accumulated from applicable rules:

Applications  (3)

Allow a user to view a notebook:

Deploy a notebook that allows interactions:

Deploy a notebook allowing a user to modify it:

Editing of notebooks only works in the "Product" view, not the "Deployed" view.

Introduced in 2014
 (10.0)
 |
Updated in 2016
 (10.4)
2016
 (11.0)
2019
 (12.0)