Understanding Data Sharing in XNAT's Security Structure

This documentation is for XNAT versions 1.6.0 - 1.6.5. You can find the latest documentation for XNAT 1.7 at https://xnat.org/documentation


Access to data stored in XNAT is governed by the data's relation to (or participation in) a given project. "Project Participation" for subject and experiment data in XNAT is split into two kinds of relationships: Ownership and Sharing.

Data Ownership

The first (and most important) relationship between projects and their data instances is ownership. Subjects and experiments are ‘owned’ by a single project (referred to as the primary project). The owners and members of the primary project are the users who control access to, and modification of, that data. In practice, the primary project is the project which first inserted the data into XNAT (usually the project which acquired or recruited the data). When the data is added to the primary project (at data insertion), the user has the opportunity to give it a unique identifier (label) which will be used across XNAT to refer to the data.

Project Security

Access to data is governed by the relationships between projects and data instances. The permissions governing access to data are different depending on the nature of that relationship. There are four permission types which control user access/control of data.

| Role/Activity | Permissions | Project Owners | Project Members | Project Collaborators |
| --- | --- | --- | --- | --- |
| Create | The ability to create data of this type | C | C | |
| Read | The ability to read, including downloading, data of this type | R | R | R |
| Update | The ability to modify existing data of this type | U | U | |
| Delete | The ability to remove data of this type | D | | |

However, the permissions available to a user in a project are different depending on the data’s relationship to the project.  

Sharing data

The second relationship between projects and their data instances is sharing. When a user decides to use data from Project A in their own project (Project B), they can add the data to that project by ‘sharing’ the data into it. Any user who can access a data instance can add that data to their project. The user has the option of defining a project-based identifier (label), which will be used within project-scope to refer to this data.

  • Shared Data (Read-Only) - Data which is shared into a project cannot be modified or deleted by the users in that project. Modification and deletion can only be performed by members of the data’s primary project.
  • Owned Data (All/some access) - The permissions which a user has for ‘owned’ data are determined by that user’s role in the project.

Data shared from Project A into Project B is not copied into Project B. It is the same data element, so any changes to the data in Project A are reflected in Project B.

"Project A"

| Role/Activity | Project A Owners | Project A Members | Project A Collaborators |
| --- | --- | --- | --- |
| Create Data in Project A | C | C | |
| Read/Download Data from Project A | R | R | R |
| Update Project A Data | U | U | |
| Delete Project A Data | D | | |
| Share Data (for example, into "Project B") | S | S | S |

"Project B" (Created by a collaborator of Project A)

| Role/Activity | Project B Owners | Project B Members | Project B Collaborators |
| --- | --- | --- | --- |
| Create Data in Project B | C | C | |
| Read/Download Data in Project B | R | R | R |
| Read/Download Shared Data from Project A | R | R | R |
| Update Project B Data | U | U | |
| Delete Project B Data | D | | |
| Share Data (for example, into "Project C") | S | S | S |

As this pair of charts shows, data shared from Project A cannot be modified in Project B, except by people who have the appropriate permissions in Project A. Thus, even though the owner of Project B is a collaborator in Project A, this user does not have the appropriate permission to modify or delete that shared data in Project B.

Data identification

Generic ID

Any data instance (subject or experiment) has a generic ‘ID’ field. This field is used by XNAT to uniquely identify this instance throughout XNAT. This value is usually dynamically created by XNAT, behind the scenes.

Project-based labels

The data instances also have project-based identifiers (labels) which identify the item within a specific project.

XML Specification

The relationship between data and its project is captured at the XML level, in the definition of those data instances. There are four pertinent areas of the XML document (subject or experiment) which identify the data’s projects and identifiers.

<xnat:Subject ID="234234223" label="A_1" project="PROJECT_A">
   <xnat:sharing>
       <xnat:share label="B_1" project="PROJECT_B"/>
   </xnat:sharing>
</xnat:Subject>

The attributes are described in the table below.

| Attribute | Description |
| --- | --- |
| ID | The generic ID used throughout the database to identify this item. It is the primary key of this item. |
| project | The ID of the primary project which owns this data. |
| label | The identifier used by the primary project to identify this item. This is used throughout the website and file system to refer to this item. |
| sharing/share | These are the projects into which this item has been shared. The target project is indicated by the project ID in the project attribute. The optional label attribute identifies the shared item within the shared project. In this example, the subject is labeled A_1 in its primary project PROJECT_A, but is labeled B_1 when it's shared into PROJECT_B. |
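
The sketch below is an added example, not XNAT code: it parses the subject document shown above and applies the role tables from this page to show that a share grants read-only access, even to the owner of the project the data is shared into. The namespace declaration in the sample, the function names and the role names used as dictionary keys are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URI declared only so the constructed sample parses (assumption).
NS = {"xnat": "http://nrg.wustl.edu/xnat"}

# Constructed sample: the subject from this page plus an xmlns declaration.
SAMPLE = """<xnat:Subject xmlns:xnat="http://nrg.wustl.edu/xnat"
    ID="234234223" label="A_1" project="PROJECT_A">
  <xnat:sharing>
    <xnat:share label="B_1" project="PROJECT_B"/>
  </xnat:sharing>
</xnat:Subject>"""

# Role matrix from the page's tables, for data a project owns.
OWNED = {"owner": set("CRUD"), "member": set("CRU"), "collaborator": set("R")}
SHARED = {"R"}  # data shared into a project is read-only for every role


def parse_subject(xml_text):
    """Extract the generic ID, primary project, label and share targets."""
    root = ET.fromstring(xml_text)
    shares = {s.get("project"): s.get("label")  # label is optional (may be None)
              for s in root.findall("xnat:sharing/xnat:share", NS)}
    return {"id": root.get("ID"), "primary": root.get("project"),
            "label": root.get("label"), "shares": shares}


def view(subject, roles, project):
    """Return (label, permissions) for the subject as seen through `project`.

    `roles` maps project ID -> the user's role in that project (hypothetical).
    """
    role = roles.get(project)
    if role is None:
        return None, set()                      # user is not in this project
    if project == subject["primary"]:
        return subject["label"], set(OWNED[role])
    if project in subject["shares"]:
        return subject["shares"][project], set(SHARED)
    return None, set()                          # subject is not in this project


def effective(subject, roles):
    """Union of permissions over every project the user participates in."""
    perms = set()
    for project in roles:
        perms |= view(subject, roles, project)[1]
    return perms
```

For a user who owns PROJECT_B and is a collaborator in PROJECT_A, `effective` returns only read access, which matches the pair of charts above.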