Allow users to grant organizations permissions granularly

Planned

Comments

4 comments

  • Official comment
    ORCID (APAC)

    Thanks for your suggestion to improve the ORCID Registry. We are going to put the idea under review by our team.

    Regarding granular permissions: It would be great if you could provide additional suggestions on how this might work, or examples of similar practice by other systems.

    Regarding panel to set defaults: This may be better for a new iDea. If this were implemented, it would likely be less granular than proposed as there are now only two permission scopes for an organization to add or edit data on ORCID records: /person/update (add/edit biographical details) and /activities/update (add/edit activities e.g. affiliations, funding, works, peer review). In addition, reading data on the ORCID record has record-wide permissions: /read-public or /read-limited.

    Warm regards,
    ORCID Community Team

  • a.sokol
    I fully support the suggestion by Hao Ye. I do trust a number of reputable publishers to add or edit information on my publications, but I certainly do not wish them to edit my biographical data or information about funding, etc. I hope it would be very straightforward to give an option for choosing different rights of access and editing to any item, which is already recognised by ORCID. For example, when an interactive window is open for a user to approve access by a trusted organisation, there could be a list of available items with different rights of access to each, such as read, edit, and add, that could be implemented as radio buttons, boxes, sliders or whatever else. This would work in the same way as file permissions in UNIX. At a slightly more sophisticated level, trusted publishers would have access only to their own publications, and trusted funding organisations only to their own grants, etc.
    1
  • Anonymous
    Extending this, if a third party is granted permission by the ORCID account holder to update specific fields - such as employment - then it should always be possible for the third party to remove the information they have posted and are acknowledged as the source. I am thinking specifically about employment and being able to remove employment status once someone leaves an organisation, even if the ORCID account owner 'revokes' access.
    0
  • Neal McBurnett

    I fully support the original idea.

    I don't even see an option now to only authorize permission for a single instance. It just seems to be either broad permissions for the long term or none at all.

    It also isn't clear in the way the UX works whether or not I'll even be notified of any changes. If there is a guarantee that I'll hear about changes, it would be a bit more palatable. But as it is, it looks like I'm just signing over rights to update some undefined "research activities" and "limited-access information".

    0