OMERO 5.4 introduced the concept of a restricted administrator. The meaning and representation of the server’s underlying permissions restrictions is described in developer documentation. OMERO.web offers easy management of restrictions and is recommended for setting up restricted administrators via its Admin tab.
OMERO.cli does not offer easy management of restrictions because support is yet to be added. In the meantime it can already manipulate administrator restrictions in the awkward manner described hereunder.
Warning
OMERO.web provides a simplified view of the available restrictions: the permissions mapping is such that checking one box in the web interface may lift multiple underlying restrictions from an administrator. The recommended OMERO.web management interface may thus prove confusing if OMERO.cli has been used to set a combination of restrictions that does not correspond to those bundles of related restrictions available in OMERO.web.
For an administrator with user ID 123,
$ bin/omero hql "SELECT ap.name FROM Experimenter user JOIN user.config AS ap WHERE user.id = 123 AND ap.name LIKE 'AdminPrivilege:%' AND LOWER(ap.value) <> 'true' ORDER BY ap.name"
lists their applicable restrictions such that the administrator may not exercise privileges for that operation.
For an administrator with user ID 123,
$ bin/omero obj map-set Experimenter:123 config AdminPrivilege:SomePrivilege false
restricts them so that they may no longer exercise SomePrivilege.
For an administrator with user ID 123,
$ bin/omero obj map-set Experimenter:123 config AdminPrivilege:SomePrivilege true
removes a restriction so that they may exercise SomePrivilege.
Note
You may not clear a restriction from an administrator if you have that same restriction applying to yourself.
Warning
Never clear AdminPrivilege:ReadSession from a restricted administrator unless clearing all their restrictions to make them into a full administrator. No restricted administrator should be able to read all OMERO sessions.