OMERO 5.4 introduced the concept of a restricted administrator. These are generally more powerful than normal OMERO users and group owners but they do not have all the powers of full administrators such as root. A restricted administrator is the same as a full administrator except that in specific ways it is as if they are not an administrator at all. Those specific ways are exactly the restrictions listed in their user’s Experimenter.config property. For that property, a name of AdminPrivilege:Dance (just an example!) with a value of false indicates that the restricted administrator’s ability to dance is not that of a full administrator. Their ability to dance is instead that of a normal user who is not a member of the system group. A member of the system group with an empty config property is a full administrator without restrictions.
The meta.ome.xml mapping lists all the values of the AdminPrivilege enumeration. Each of those values corresponds to a kind of operation for which full administrators have greater privilege. If an administrator has any of the below restrictions then they do not have greater privilege for the corresponding operation. It instead becomes as if they were but a normal user in that respect.
It often makes sense to apply all but a certain bundle of restrictions to a user. For example, users working with other users’ data may benefit from being able to go beyond their normal group restrictions only for the operations of WriteOwned, WriteManagedRepo, WriteScriptRepo, Chgrp. A facility manager importing on behalf of other users may appropriately be given all but the Sudo restriction. A human resources representative may be given all but the ModifyGroup, ModifyGroupMembership, ModifyUser restrictions. Much depends on how personnel roles are handled in each specific institution.
Warning
The ReadSession restriction should be applied to all restricted administrators. Without that restriction members of the system group can read other users’ session UUIDs and join those sessions as the user. In contrast, while an administrator without the Sudo restriction can become other users, the security system prevents their using sudo to elevate their own administrative powers. An administrator cannot sudo to become root to escape their restrictions. A security filter assists in enforcing ReadSession.
Since OMERO 5.4 the admin service offers operations for managing restrictions on administrators. createLightSystemUser creates a new restricted administrator. getAdminPrivileges and setAdminPrivileges manage the restrictions on an existing administrator.
Using setAdminPrivileges to set an empty list of privileges fills that user’s Experimenter.config property with a false value for every AdminPrivilege name. That user does not thus become like a normal user: they retain all administrative powers not explicitly restricted, such as being able to read all users’ images.
Even for a normal user who is not a member of the system group and has no administrative powers, restrictions can still be set in their Experimenter.config property. Such restrictions have no effect while that user is not an administrator as they have no administrative powers to restrict.
getCurrentAdminPrivileges is useful for OMERO clients to find how the currently logged-in administrator is restricted. getAdminsWithPrivileges identifies the administrators who are sufficiently unrestricted in a given way.
OMERO model objects have a details property that bears information on object permissions. In addition to the existing methods like canEdit and canDelete, the canChgrp and canChown methods were introduced in OMERO 5.4. Client software may find these permissions methods a useful guide as to what the current administrator may do to which objects.
Since OMERO 5.4 the event context for the current session, available from the admin service, has additional data members:
Since OMERO 5.4 the repo property of OriginalFile is mapped into the OMERO object model. Because the interpretation of an OriginalFile instance depends upon with which repository the file is associated, for security reasons the server greatly restricts the mutation of this property: users cannot simply switch a file from one repository to another.
The server must allow some setting of repo. It currently uses an indirect means of authenticating legitimately set values. Each running server has a secret key recorded in the uuid property of Node. This key is not available to OMERO clients, it is internal to the server. To set a new file’s repo the repository DAO prefixes the file’s name with the server’s secret key. A database trigger recognizes this key from the node table, removes the prefix from the name, then allows the value of repo to be set.
While BasicACLVoter and OmeroInterceptor carry the bulk of the burden of enforcing restrictions on administrators, together with AdminImpl for the user and group management restrictions, the database system itself is also a key enforcement mechanism.
The update service is one means by which administrators may attempt to perform restricted operations. Hibernate’s interceptors are not wholly suited to blocking exactly the prohibited actions so further barriers are built into the database that trigger upon specific data changes. The database must therefore have enough information to judge if an operation is permitted. OMERO 5.4 introduced two tables:
An example database trigger would be user_config_delete_trigger on the experimenter_config table. This trigger raises an exception if, for example, an AdminPrivilege:Dance name with a false value is to be removed from the config of a member of the system group by a user who themself is restricted from dancing. This prevents the administrator whose dancing is restricted from lifting that restriction from another administrator so that they may be the one to newly dance.