Categorization and Permissions
This document describes the various categories of permission that affect data and module viewership and use. Otherwise known as fine-grained permissions, these systems define who can view or use various modules and data types.
The key components that affect who can view or access various data or modules include:
Data access permissions
Data Explorer permissions
Data management permissions
1. Data access permissions
Data Usage Policies allow high-level control of data access by assigning each Data Source Document to a category of data and controlling which users are allowed to access that category. The following Data Usage Policies are available with the FEWS NET Data Platform:
Public: Data labeled under this usage policy are available to all users, including those with and without access to the FEWS NET Data Warehouse or Data Explorer.
FEWS NET Only: Data labeled under this usage policy are available to internal Project staff only.
Restricted: Data labeled under this usage policy are only available to users who have been granted specific permission by a system administrator.
Early Warning Analysis Only: Data labeled under this usage policy are only available to the Early Warning Team for use in analysis.
Additional Data Usage Policies can be created as necessary to accurately categorize the data. For example, additional Data Usage Policies could be created to restrict data to specific implementing partners, or to designate that data can be shared with external groups that have USAID funding.
Each Data Source Document has a single Data Usage Policy attached that describes the primary access control for data belonging to the specific Data Source Document.
A Data Series inherits the Data Usage Policy of the parent Data Source Document, unless specified otherwise. It is possible to set a different Data Usage Policy directly for a Data Series, overriding the inherited Data Usage Policy. This allows different groups of users access to a subset of the Data Series included within a Data Source Document.
A best practice approach is to set the Data Usage Policy that applies to the majority of the Data Series within the Data Source Document, and then identify the Data Series that require different usage policies and adjust individually as needed.
Users are given access to data in a specific Data Usage Policy by granting the user the access_datausagepolicy permission on that Data Usage Policy. The best practice is to only grant the access_datausagepolicy permission to a group rather than to individual users.
For example, the access_datausagepolicy permission for the FEWS NET Only Data Usage Policy is granted to the Field Office, Home Office, Regional Office, Hub, and USAID Management Team groups. Any user who is a member of one of these groups can access data categorized as FEWS NET Only.
Data Source Document and Data Series access
Accessing data via permissions on Data Usage Policies is the easiest way to give users access to all the data in a similar category, but it is not appropriate for all situations. Sometimes FEWS NET needs to grant a user or group of users access to some of the data in a Data Usage Policy without granting them access to all of it. For example:
A researcher asks FEWS NET for access to all the data for a particular data domain in a country. The data includes a mixture of Public and FEWS NET Only data. After reviewing the researcher’s request, FEWS NET concludes that given the intended purpose and publication approach, it is appropriate to share the data. If the researcher is granted the access_datausagepolicy permission on the FEWS NET Only Data Usage Policy, then they will be able to download all the data they need. However, they will also be able to download all other FEWS NET Only data, which is not the intention.
In these circumstances, FEWS NET can grant access to specific Data Source Documents by assigning the user the access_datasourcedocument permission on the specific Data Source Document they need to access. A user with the access_datasourcedocument permission on a Data Source Document can download the data contained by that document regardless of the Data Usage Policy attached to it. In the example above, FEWS NET can grant the researcher the access_datasourcedocument permission on the FEWS NET Only Data Source Document that they require the data for, and then their download will include all the data they need, without granting them access to FEWS NET Only data for other countries or data domains.
In the same way that the Data Usage Policy can be set on a Data Series to override the Data Usage Policy set on the Data Source Document, it is also possible to override the access permissions for a Data Series by assigning a user the access_dataseries permission on individual Data Series. If the researcher from the example above only needed data for a subset of crops, FEWS NET could grant them the access_dataseries permission on those specific Data Series rather than granting them access to the whole Data Source Document using access_datasourcedocument.
Assigning permissions to users
To give specific groups or users access_datausagepolicy, access_datasourcedocument or access_dataseries permissions on a specific Data Usage Policy, Data Source Document, or Data Series, use the following steps:
Navigate to the page of the specific Data Usage Policy, Data Source Document, or Data Series for which you will be assigning permissions.
Select the Object permissions button.
Enter the name of the user or group.
Assign the appropriate permissions.
Note: Object in this context is the specific Data Usage Policy, Data Source Document, or Data Series that we want to assign permissions for.
Caution: Never assign access_datausagepolicy, access_datasourcedocument or access_dataseries permissions directly to a user or a group. They must only be assigned from a particular Data Usage Policy, Data Source Document, or Data Series page. If these permissions are incorrectly assigned as a general permission to a user or group, rather than an object-level permission, they will allow access to all the data in the system.
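The access rules in this section, modelled as an added Python example that is not the platform's own code. The class and function names and the sample documents, series and "Researchers" group are constructed for illustration, and the model assumes that a grant on a Data Source Document covers every Data Series in it and that a general (non-object) grant matches every object, as the Caution describes.

```python
from dataclasses import dataclass, field
from typing import Optional

DATA_PERMS = ("access_datausagepolicy", "access_datasourcedocument", "access_dataseries")

@dataclass(frozen=True)
class Document:
    name: str
    policy: str

@dataclass(frozen=True)
class Series:
    name: str
    document: Document
    policy: Optional[str] = None  # None: inherit the parent document's policy

    @property
    def effective_policy(self) -> str:
        return self.policy or self.document.policy

@dataclass
class Grants:
    object_level: set = field(default_factory=set)  # (group, permission, object name)
    general: set = field(default_factory=set)       # (group, permission), no object

def can_access(groups, series, grants):
    """True if any of the user's groups may extract this Data Series."""
    if series.effective_policy == "Public":
        return True
    # Each permission is checked against the object type it belongs to.
    # Assumption: a document-level grant covers all series in that document.
    targets = zip(DATA_PERMS, (series.effective_policy, series.document.name, series.name))
    return any((g, perm) in grants.general or (g, perm, obj) in grants.object_level
               for perm, obj in targets for g in groups)

def misassigned(grants):
    """General grants of data access permissions, which the Caution forbids."""
    return sorted(g for g in grants.general if g[1] in DATA_PERMS)

# Constructed sample data (illustrative names, not taken from the platform).
doc_a = Document("Country A prices", "FEWS NET Only")
doc_b = Document("Country B prices", "FEWS NET Only")
maize_a = Series("Country A maize", doc_a)
rice_a = Series("Country A rice", doc_a, policy="Public")  # per-series override
maize_b = Series("Country B maize", doc_b)
grants = Grants(object_level={
    ("Field Office", "access_datausagepolicy", "FEWS NET Only"),
    ("Researchers", "access_datasourcedocument", "Country A prices"),
})
```

Running misassigned() over an export of group permissions gives a quick audit for the misconfiguration in the Caution: any tuple it returns is a data access permission that was granted without an object.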
2. Data Explorer permissions
Access to the FEWS NET Data Explorer is separate to the permissions described above and is granted to each data domain individually by assigning permissions to a group that the user is a member of. For example, to be able to access the Price tab in Data Explorer the user must be assigned the view_marketproduct permission.
If a user has the permission to use a domain within Data Explorer then the data that they can access within that domain is controlled by the Data Usage Policies and data access permissions described above. For example:
If a user has no permissions other than view_marketproduct, then they will be able to access the Data Explorer, which will contain a single tab that gives access to Market Price data that has the Public Data Usage Policy. If the user also has access_datausagepolicy, access_datasourcedocument or access_dataseries on specific Data Usage Policies, Data Source Documents or Data Series, respectively, then the user will also be able to find and extract that data.
Note that a user may have data access permissions but not permissions to use the Data Explorer, in which case a user can still extract data directly using the FEWS NET Data Warehouse REST API.
Dataset visibility
Within Data Explorer, saved Data Sets have visibility restrictions that are outlined below:
Owner: Data are only viewable to the owner of the Data Set, otherwise defined as the creator of the Data Set.
Group: Data are viewable by anyone included within the group that the creator is part of.
Public: Data are viewable by anyone with access to the FEWS NET Data Warehouse or Data Explorer.
Note: This means that the Data Set is visible. It does not give access to the underlying data. For example, if a Public Data Set contains data for a FEWS NET Only Data Source Document then all users can see the Data Set and use it to select data, but users without the appropriate permissions will receive an extract that excludes the FEWS NET Only data.
3. Data management permissions
The access_datausagepolicy, access_datasourcedocument and access_dataseries permissions give the user the ability to find and extract the data within the Data Warehouse, but not make any changes to it.
Permission to add and change data is handled by the manage_datasourcedocument permission.
When new data sources are identified, a user with appropriate permissions, such as the Home Office Data Manager, creates a new Data Source Document and then assigns the manage_datasourcedocument permission on that Data Source Document to the group of users who will be responsible for maintaining it, typically the Field Office group for the country that the data source is for.
Users need the manage_datasourcedocument permission on a Data Source Document in order to be able to add or change the Data Series in the Data Source Document or to upload new data by using Add Data Collection, Edit an existing Data Collection, Add Data Series, Change Data Series (including the pages for specific domains such as Change Market Product, etc.), Add Data Point and Change Data Point.