Permissions and access control

There are multiple levels of user permissons available in CATMAID. All of them are configured from within the admin interface, reachable by appending /admin to your regular CATMAID URL and opening it in a browser.

Permissions can be given to either users or groups. Users can be members of multiple groups and using them makes user and permission management often a little bit easier.

Project access and visibility

Users can access projects through either the top menu bar, a front page (data view), a deep link or directly through the API. Which projects users can see and access by these means is determined by whether they have can-browse permission on those projects.

To view and change project permissions, open a project in CATMAID’s admin view and click “Object permissions” in the upper right corner. There it is possible to add either individual users or groups to the various permissions that exists for projects (including can-browse).

If users or groups have can-annotate permissions they are allowed to create new data (e.g. neuron reconstructions or ontology classifications) in a project. This permission also makes it possible to edit data that was created by other users. However, for this another test comes into play as well and not every user can edit the data of all other users. See next section for more details.

The can-administer permission provides access to additional group management and user ananlysis tools, mainly useful for group managers. It will add additional tools to the statistics widget in the web-client.

The anonymous user is with respect to project visibility a special case. If a project should be publicly visible, the anonymous user needs to have can-browse permissions on the project, but another permission is needed as well: in the anonymous user’s own user settings the general “catmaid | can browse projects” setting has to be assigned. With this, the anonymous user acts just like a regular user and can be assigned project specific can-browse and can-annotate permissions.

Editing data of other users

Users with can-annotate permission on a project can create new data and by default, users can’t edit data of each other. However, they are allowed to to so if they are member of a group with a name matching the data creator’s login name. So user A can edit user B’s data if user A is member of a group named B. Superusers can edit data of everyone.