# Data sharing - iRODS permissions

In this tutorial we will show you how to share your data with other users in the iRODS system. To see the effects, it helps to team up with a colleague.

## What are permissions

Permissions in iRODS are attached to data objects and collections. They state who has access to an item, and they allow other users of the same iRODS system to read and edit your data.

<img src="img/DataObject6.png" width="400">

In iRODS there are four types of permissions:

| Access | Meaning |
|:---:|:---|
| read | The user or group can **read and download** the data. |
| write | The user or group can **modify data objects and upload data to collections**, but cannot delete the data or collection. |
| own | The user or group can **share and delete** the data. |

## Give access to data objects and collections

```python
from ibridges.interactive import interactive_auth
session = interactive_auth()
```

Let us have a look at the permissions of our demo data:

```python
from ibridges.path import IrodsPath

irods_coll_path = IrodsPath(session, '~').joinpath('demo')
coll = irods_coll_path.collection
obj = irods_coll_path.joinpath('demofile.txt').dataobject
```

As with the metadata, we first need to load the permissions.

```python
from ibridges.permissions import Permissions
coll_perm = Permissions(session, coll)
print(coll_perm)
```

In a native iRODS instance you will see your own username labeled with `own`. In Yoda you will see three groups: *research-\<group\>*, *read-\<group\>* and the *\<datamanager\>* group. Every user in these groups has the respective permissions on the data.

Now we will give your colleague explicit access. **Note that if your colleague is also in one of the respective Yoda groups, the highest permission (the most powerful) will apply.**

```python
coll_perm.set('write', '<username>')
print(coll_perm)
```

You will see a new entry with your colleague's iRODS name and *modify object*. We can get the default permission names like this:

```python
coll_perm.available_permissions
```

Note that some permission types have synonyms:

+ read object: 'read', 'read object', 'read_object'
+ modify object: 'write', 'modify object', 'modify_object'

## Remove access

To remove any permissions, we use the keyword *null*. Again, note that if your colleague is still a member of a group that has access to your data, this will have no effect.

```python
coll_perm.set('null', '<username>')
print(coll_perm)
```

iBridges also prevents you from locking yourself out of your data:

```python
coll_perm.set('write', session.username)
```

All the above functionality can also be used for data objects:

```python
obj_perm = Permissions(session, obj)
print(obj_perm)
```
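
The rule from the two notes above (the highest permission applies, and setting *null* for a user does not remove access granted through a group) can be checked offline with a small model. This is an added example, not part of the original tutorial or of iBridges; the function names, the group layout and the user names are constructed for illustration, and zones are ignored.

```python
# Added example: models the rule stated in this tutorial, not iBridges code.
# Access names and their synonyms as listed above; rank 0 means no access.
RANK = {"null": 0, "read object": 1, "modify object": 2, "own": 3}
SYNONYMS = {"read": "read object", "read_object": "read object",
            "write": "modify object", "modify_object": "modify object"}


def normalise(access):
    """Map a synonym such as 'write' to its canonical name."""
    name = SYNONYMS.get(access, access)
    if name not in RANK:
        raise ValueError(f"unknown access level: {access!r}")
    return name


def effective_access(user, acl, groups):
    """Return (level, grantors) for `user`.

    acl:    list of (name, access) entries on one collection or data object
    groups: dict mapping a group name to the set of its members
    """
    best, grantors = "null", []
    for name, access in acl:
        applies = name == user or user in groups.get(name, set())
        if not applies:
            continue
        level = normalise(access)
        if RANK[level] > RANK[best]:
            best, grantors = level, [name]
        elif level == best and level != "null":
            grantors.append(name)
    return best, grantors


# Constructed sample data: a Yoda-style group layout with made-up names.
GROUPS = {"research-demo": {"alice", "bob"}, "read-demo": {"carol"}}
ACL = [("research-demo", "own"), ("read-demo", "read"), ("bob", "write"),
       ("dave", "write")]

if __name__ == "__main__":
    for person in ("alice", "bob", "carol", "dave", "erin"):
        print(person, effective_access(person, ACL, GROUPS))
    # Setting bob and dave to 'null' drops only their explicit entries.
    revoked = [e for e in ACL if e[0] not in ("bob", "dave")]
    print("after null:", effective_access("bob", revoked, GROUPS),
          effective_access("dave", revoked, GROUPS))
```

The list of grantors shows which entry still has to be changed before a revocation actually takes effect.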

## Collections: Inheritance

You might have noticed that collections carry a special permissions keyword *inheritance* which can be `True` or `False`. If inheritance is switched on, all new data objects and subcollections will receive the same permissions as the parent collection.

Below we create a new collection, give access to your colleague and switch the inheritance on:

```python
new_coll_path = IrodsPath(session, '~').joinpath('demo1')
coll = IrodsPath.create_collection(session, new_coll_path)
coll_perm = Permissions(session, coll)
coll_perm.set('write', '<username>')
coll_perm.set('inherit')
print(coll_perm)
```

Now we create a new subcollection:

```python
subcoll = IrodsPath.create_collection(session, new_coll_path.joinpath('subcoll'))
```

And inspect the permissions. They should be the same as the ones above.

```python
subcoll_perm = Permissions(session, subcoll)
print(subcoll_perm)
```

Now we will switch off the inheritance of the parent collection and create another subcollection:

```python
coll_perm.set('noinherit')
print(coll_perm)
```

```python
subcoll = IrodsPath.create_collection(session, new_coll_path.joinpath('subcoll1'))
subcoll_perm = Permissions(session, subcoll)
print(subcoll_perm)
```

You will now see that you `own` *subcoll1*, that the inheritance of this collection is also `False` and that your colleague has no permissions on the new subcollection.