
DocDB Primer for Permissions and URLs

Not on the right page? Go back to the DUNE DocDB "how to" page.

Three methods for accessing documents in DocDB



DocDB houses both protected documents and public documents. If you only want to see public documents, click "Public" under Accessing DocDB. No password is required for these.

If you want to see documents that have any level of protection, you will need to go in with a group username and password (click "Private"), with single sign-on (SSO), which uses either your services account or a certificate (click Single Sign-On), or by clicking "Certificate Version of DUNE DocDB".

Links to info for SSO:

If you are a DocDB user, do the following:

   • For more information on using DocDB after single sign-on is enabled, read this article: https://fermi.service-now.com/kb_view.do?sysparm_article=KB0012933

   • Users of the private (DocDB password) version of DocDB and users who have a CERN, OSG or non-Fermilab CILogon certificate who prefer to use single sign-on instead, can switch by taking the actions described in this article: https://fermi.service-now.com/kb_view.do?sysparm_article=KB0012933




The URL for a document in DocDB may take different forms!

Once you are in, the URL reflects the way that you got in: 

    • Public: http://docs.dunescience.org/cgi-bin/ShowDocument?docid=
    • Username/Password: https://docs.dunescience.org/cgi-bin/private/ShowDocument?docid=
    • Certificate: https://docscert.dunescience.org/cgi-bin/cert/ShowDocument?docid=
    • SSO (new as of July 2019): https://docs.dunescience.org/cgi-bin/sso/ShowDocument?docid=

This is important because, for example, if you give somebody a URL to a document with the "https" and "docscert" (not docs), and they don't use a certificate, they won't get in. Similarly, if their DocDB session is already open with certificate access and in a different window they click on a "private" link, they'll be asked for a username and password.
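To avoid the mismatch described above, a link can be checked for the login route it triggers and rewritten to the flavour the recipient uses. The following is an added example, not part of DocDB: the function names are hypothetical, the old-style ports come from the table of old and current URLs further down this page, and it assumes the same script name exists under every prefix, as the page shows for ShowDocument.

```python
from urllib.parse import urlsplit, urlunsplit

HOSTS = {"docs.dunescience.org", "docscert.dunescience.org"}
# Current flavours listed on the page: method -> (scheme, host, path prefix).
FLAVOURS = {
    "public":  ("http",  "docs.dunescience.org",     "/cgi-bin/"),
    "private": ("https", "docs.dunescience.org",     "/cgi-bin/private/"),
    "cert":    ("https", "docscert.dunescience.org", "/cgi-bin/cert/"),
    "sso":     ("https", "docs.dunescience.org",     "/cgi-bin/sso/"),
}
# Old-style ports from the page's table of old and current URLs.
OLD_PORTS = {441: "private", 8080: "private", 440: "cert"}

def classify(url):
    """Return (access method, old_style, script) for a DUNE DocDB URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in HOSTS:
        raise ValueError("not a DUNE DocDB host: %r" % url)
    if not parts.path.startswith("/cgi-bin/"):
        raise ValueError("not a DocDB cgi-bin URL: %r" % url)
    rest = parts.path[len("/cgi-bin/"):].lstrip("/")
    if parts.port in OLD_PORTS:
        return OLD_PORTS[parts.port], True, rest
    for method in ("private", "cert", "sso"):
        if rest.startswith(method + "/"):
            return method, False, rest[len(method) + 1:]
    return "public", False, rest

def convert(url, target):
    """Rewrite a link to the flavour the recipient logs in with.
    Assumption: the same script exists under every prefix."""
    _, _, script = classify(url)
    scheme, host, prefix = FLAVOURS[target]
    parts = urlsplit(url)
    # Rebuilding from scheme/host/prefix drops any user@ part and old port.
    return urlunsplit((scheme, host, prefix + script, parts.query, parts.fragment))

if __name__ == "__main__":
    link = "https://docscert.dunescience.org/cgi-bin/cert/ShowDocument?docid=42"
    print(classify(link))
    print(convert(link, "sso"))
```

Rewriting a link changes only which login route it triggers; the recipient still needs an access group with permission on the document.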

Near the bottom of this page, we describe more ways the URL can vary; you can link to a document or to a file within a document, you can specify an "as of" date or a version...

New documentation as of July 2019 on SSO: 

WHAT ARE WE DOING?
Computing will be enabling single sign-on (SSO) authentication for centrally managed DocDB instances.


WHAT IS THE IMPACT TO YOU?
   • Centrally managed DocDB instances may be down for a few minutes within the maintenance window.
   • After the maintenance window, users will be able to use their Services password to access the single sign-on version of their DocDB instances.
   • If you use the public or private (DocDB password) version of DocDB or you use the certificate version with a CERN, OSG or non-Fermilab CILogon certificate, you can continue using those versions as before. No changes or actions are required, unless you wish to switch to using single sign-on. If you use an expired certificate, you will be redirected to the single sign-on version of DocDB.
   • Fermilab CILogon certificate users will automatically be redirected from the certificate version to the single sign-on version, and their certificate DocDB account settings and permissions will automatically be transferred to their single sign-on DocDB account. These users will automatically have the same settings and permissions in their single sign-on DocDB as they had in their certificate DocDB without having to take any steps to apply for access.
   • DocDB instance administrators may receive access requests from private (DocDB password) or CERN, OSG and non-Fermilab CILogon certificate DocDB users who wish to switch to using single sign-on to access DocDB. 


WHAT DO YOU NEED TO DO?
If you are a DocDB user, do the following:
   • For more information on using DocDB after single sign-on is enabled, read article KB0012933.
   • Users of the private (DocDB password) version of DocDB and users who have a CERN, OSG or non-Fermilab CILogon certificate who prefer to use single sign-on instead, can switch by taking the actions described in article KB0012933.

If you are a DocDB instance administrator, do the following:
   • Forward this message to your DocDB users.
   • Read article KB0013108 for important information and instructions you'll need for administrating your DocDB after single sign-on is enabled.



How do permissions on documents work? Remember: username/password access came first...

A key point to remember is that the username/password method (with the "private" URLs) came first, and certificates came later, so permissions are based around usernames. Also remember, these are SHARED usernames associated with defined access groups.

Permissions are set individually for each document (i.e., each number) such that certain access groups can view only or view and modify the document. (A given DocDB document/number may contain multiple files; the files share the permissions set for that document.)

Note that each version of a document can have separate metadata and therefore separate permissions.

Hierarchy of Permissions:

DocDB uses access groups (each associated with a shared username) that are structured hierarchically, with "dominant" and "subordinate" groups. See graphic, at left.

Each DocDB document specifies two levels of permissions in terms of groups: which groups can view, and which can modify.

If you log in under a group that has subordinates, you have permissions to see and/or update any document that the subordinate group can, plus you can see and/or update documents with permissions set specifically for your (more dominant) group.

It's helpful to know that the groups dunepm and lbnfpm ("pm" is for "project management") are both dominant to dune, and that dune is dominant to both the review and doe (not shown) groups.

For most people, a certificate only needs to be set for the most dominant group they will need, usually dune. (See "Now, what if you have a certificate?" below.) Since the hierarchy is multi-threaded, a few people (more likely those associated with the projects) will need to have their certificate associated with more than one group.

Now, what if you have a certificate?

Your certificate is paired with an access group, and using it is equivalent to logging in with the associated (shared) username and password. Certificates can be paired with multiple access groups; this is useful when the groups have some non-overlapping, or parallel, permissions (e.g., dunepm and lbnfpm).

Your certificate uniquely identifies you to the system, and it can be paired with whatever set of access groups YOU require. You will have permissions to everything that any of these groups can access.
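The hierarchy and the certificate pairing described above can be worked through as a small access check. This is an added example, not DocDB's own code: the group relationships are the ones named on this page, while the document numbers, their view/modify settings and the function names are constructed for illustration. It checks the view and modify lists independently, since the page does not say whether modify implies view.

```python
# Dominant group -> direct subordinates, as stated on the page.
SUBORDINATES = {
    "dunepm": {"dune"},
    "lbnfpm": {"dune"},
    "dune": {"review", "doe"},
}

def effective_groups(paired_groups):
    """Every group whose permissions apply: the login or certificate's
    groups plus all groups subordinate to them, followed transitively."""
    seen, stack = set(), list(paired_groups)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(SUBORDINATES.get(group, ()))
    return seen

def access(paired_groups, doc):
    """Return 'modify', 'view' or 'none' for one document version."""
    groups = effective_groups(paired_groups)
    if groups & doc["modify"]:
        return "modify"
    if groups & doc["view"]:
        return "view"
    return "none"

# Constructed sample documents (numbers and settings are illustrative).
DOCS = {
    101: {"view": {"review"}, "modify": {"dune"}},
    102: {"view": {"dunepm"}, "modify": {"dunepm"}},
    103: {"view": {"lbnfpm"}, "modify": {"lbnfpm"}},
}

def report(paired_groups):
    """Access level per sample document for a shared login or certificate."""
    return {num: access(paired_groups, doc) for num, doc in DOCS.items()}

if __name__ == "__main__":
    # One shared username per row; the last row is a certificate paired
    # with both project-management groups.
    for login in ({"review"}, {"dune"}, {"dunepm"}, {"dunepm", "lbnfpm"}):
        print(sorted(login), report(login))
```

Running it shows that a document opened to a subordinate group is also open to every group dominant to it, and that dunepm alone cannot reach an lbnfpm-only document until the certificate is paired with both groups.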

The CILogon certificates that we recommend expire after 13 months, after which you need to renew them. Fermilab CILogon certificates will automatically transfer to SSO (July 2019); no action is required.

Other certificates will still work after SSO is implemented, but will not redirect to an SSO URL.

You never have to enter a password EXCEPT when you click on a "private" style link... beware!

More ways the URL can vary...

You can link to a document (number), to a specific file, or to either as of a particular date. Or to a specific version of either. This is documented in the generic DocDB instructions under Referring to Your Document and Files. Here are some examples.

In these examples, we use the username/password flavor of the URL and a sample document 662 that contains a PDF file (we'll pretend that it's not public!).


How to 'Logout' of DocDB to switch usernames you are using to access documents

If you have used a specific username/password combination to access documents (for example 'dune') and you now want to use a different username/password combination (for example 'dunepm'), use the following URL to make this switch. You will be prompted to reenter your username/password. You need to cut and paste the following URL into your browser (making this an active link will not work).

https://nobody@docs.dunescience.org/cgi-bin/private/DocumentDatabase/


How the DocDB URLs have changed (so you know what kind of URL you are looking at)

DocDB URLs have changed for both username/password access and certificate access. Old-style URLs are automatically redirected to the appropriate URL, so older links to DocDB will still work. The table below lists the old and current URLs for both methods of access so you can identify URLs you may encounter. The part of the URL that will help indicate the access method is in bold.

| Old/Current? | Username/Certificate Access? | URL |
|---|---|---|
| New (July 2019) | Single sign-on (SSO) for Cert and services account access | https://docs.dunescience.org/cgi-bin/sso/ShowDocument?docid=42 |
| Current | Username/Password | https://docs.dunescience.org/cgi-bin/private/ShowDocument?docid=42 |
| Current | Certificate | https://docscert.dunescience.org/cgi-bin/cert/ShowDocument?docid=42 |
| Old | Username/Password | https://docs.dunescience.org:441/cgi-bin/ShowDocument?docid=42 |
| Old | Certificate | https://docs.dunescience.org:440/cgi-bin//ShowDocument?docid=42 |
| Old | Username/Password | https://docs.dunescience.org:8080/cgi-bin/ShowDocument?docid=42 |