DNAnexus Documentation
Copyright 2025 DNAnexus

Project Permissions and Sharing

Project permissions define the degree to which members can modify, create, and share project content, and whether they can change the project's members or owner.

Last updated 1 month ago


A user or org may be granted access to a project at any of the following permission levels:

  • NONE: Allows no access to a data container.

  • VIEW: Allows read-only access to data objects and their metadata in a data container.

  • UPLOAD: Allows "VIEW", plus the ability to create new folders and data objects, to modify the metadata of open data objects, and to close data objects. UPLOAD can also modify open files.

  • CONTRIBUTE: Allows "UPLOAD", plus the ability to modify the contents of all types of data objects and to delete objects if the "PROTECTED" flag on the container is set to false.

  • ADMINISTER: Allows "CONTRIBUTE", plus the ability to modify the member list and to modify or delete the data container.

A user is granted explicit permission to a project if the project is shared directly with the user. A user is granted implicit permission to a project if the project is shared with an org of which the user is an administrator or a member with appropriate organization permissions. Explicit and implicit project permissions are not mutually exclusive, and the actual permission level or access that a user has to a project is the GREATER of the two.

If you have ADMINISTER access to a project, then you can modify the list of users who can access the project by inviting users to particular permission levels (no action is taken if they already have the specified access level), or decreasing users' permissions to specified levels (potentially completely revoking all permissions, if desired).

If you do not have ADMINISTER access to a project, then you do not have any ability to modify the permission level of any other project member. However, you will always have the ability to leave the project.

Project Billing and Transfer

All storage and compute costs for a particular project are billed to a particular billing account (retrieved as the field billTo in the /project-xxxx/describe API method). It is possible, however, to invite another user to take over the project's data and be the new billing account for the project. If the invitee accepts, the project is transferred over, and all job history is preserved. Note that any jobs that are launched before the transfer is accepted are still billed to the original billing account.

See the specifications below for more details.

API Method Specifications

API method: /project-xxxx/invite

Specification

Invites a DNAnexus user or org to the project at the specified permission level. An email address can be used to specify the invitee in the case of a user invitee. If the invitee already has access to the project but at a lower permission level than the one specified, then the permission level of the invitee will be upgraded to the specified permission level.

Inputs

  • invitee string The entity that will receive access should the invite be accepted; must be a user or org ID, or an email address (email addresses will be resolved to a user, if possible)

  • level string A permission level; must be one of "VIEW", "UPLOAD", "CONTRIBUTE", or "ADMINISTER"

  • suppressEmailNotification boolean (optional, default false) If true, then do not send an email notification to the invitee

Outputs

  • id string or null Invite ID, or null if the invite did not need to be created (i.e. invitee already has at least the requested permission)

  • state string State of the invite

Errors

  • ResourceNotFound

    • invitee is not a valid email address, or is not an existing DNAnexus user or org

  • InvalidInput

    • level is not provided OR level is not a valid permission level string

  • PermissionDenied

    • Must have ADMINISTER access to the project, be the billTo with a full scope token (if the billTo is a user), or be an admin of the billTo with a full scope token (if the billTo is an org)

    • Must have ADMINISTER access to the project to invite another user or org

API method: /project-xxxx/decreasePermissions

Specification

Decreases the requested permissions for the specified entities on the project. If the existing permissions for an entity are already at most as much as the requested permission level, then no change is made to that entity’s permissions. The existing permissions for entities not included in the input hash are not affected.

Inputs

  • key A user or org ID for which the permission level should be decreased

  • value string or null Permission level that the entity's access permissions should be decreased to, i.e. one of "VIEW", "UPLOAD", "CONTRIBUTE", and "ADMINISTER", or the value null to indicate that the entity's permissions should be revoked entirely

Outputs

  • id string ID of the manipulated project

Errors

  • ResourceNotFound (the specified project does not exist)

  • InvalidInput

    • The input is not a hash

    • A value in the hash is neither the null value nor one of the allowed permission level strings "VIEW", "UPLOAD", "CONTRIBUTE", or "ADMINISTER"

    • If a specified user is the billTo of the project, then the value corresponding to that user may only be "ADMINISTER"

  • InvalidState (there is a pending transfer on the project, and the request would decrease the invitee's permissions to less than VIEW)

  • PermissionDenied (ADMINISTER access required)
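The "GREATER of the two" rule and the decreasePermissions input hash interact in a way that matters for access reviews: lowering a user's explicit grant does not lower their effective access if an org grant is higher. The following is an added example, not DNAnexus code; it models the rules stated on this page locally, and all IDs, the membership map and the function names are constructed for illustration.

```python
# Added example: a local model of the rules on this page, not DNAnexus code.
LEVELS = ["NONE", "VIEW", "UPLOAD", "CONTRIBUTE", "ADMINISTER"]  # ascending
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data (hypothetical IDs): grants on one project, keyed by
# user or org ID, and the orgs through which each user gets implicit access.
GRANTS = {"user-alice": "ADMINISTER", "user-bob": "CONTRIBUTE",
          "user-carol": "VIEW", "org-lab": "UPLOAD"}
MEMBERSHIPS = {"user-bob": ["org-lab"], "user-carol": ["org-lab"]}
BILL_TO = "user-alice"


def effective_level(user, grants, memberships):
    """Greater of the user's explicit grant and any implicit grant via an org."""
    found = [grants.get(user, "NONE")]
    found += [grants.get(org, "NONE") for org in memberships.get(user, [])]
    return max(found, key=RANK.__getitem__)


def build_decrease_payload(grants, bill_to, ceilings):
    """Input hash for /project-xxxx/decreasePermissions (None means revoke)."""
    payload = {}
    for entity, ceiling in ceilings.items():
        if ceiling is not None and ceiling not in LEVELS[1:]:
            raise ValueError(f"{ceiling!r} is not an allowed permission level")
        if entity == bill_to and ceiling != "ADMINISTER":
            raise ValueError("the billTo user may only be given ADMINISTER")
        target = "NONE" if ceiling is None else ceiling
        # Entities already at or below the ceiling would be unchanged: omit them.
        if RANK[grants.get(entity, "NONE")] > RANK[target]:
            payload[entity] = ceiling
    return payload


def apply_decrease(grants, payload):
    """Simulate the documented effect: lower or revoke only the listed entities."""
    result = dict(grants)
    for entity, level in payload.items():
        if level is None:
            result.pop(entity, None)
        else:
            result[entity] = level
    return result


def still_above(grants, memberships, ceilings):
    """Users whose effective level exceeds their ceiling because of an org grant."""
    return {u: effective_level(u, grants, memberships)
            for u, c in ceilings.items()
            if u.startswith("user-")
            and RANK[effective_level(u, grants, memberships)] > RANK[c or "NONE"]}
```

With the sample data, lowering user-bob to VIEW still leaves him at UPLOAD through org-lab, so the org's own grant has to be decreased as well to reach the intended ceiling.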

API method: /project-xxxx/leave

Specification

Renounces the requesting user’s access to the specified project. The user will no longer have access to the project unless the project is public. The billTo of a project, if a user, is not allowed to leave the project.

Inputs

  • organization string (optional) ID of an org. If a string, then will leave the project on behalf of the organization (i.e. will revoke all project permissions granted to the organization)

Outputs

  • id string ID of the manipulated project

Errors

  • InvalidInput (the requesting user may not be the billTo of the project)

  • ResourceNotFound (the specified project does not exist)

  • PermissionDenied

    • A full scope token is required

    • If organization is specified, then the requesting user must be an administrator of that organization

API method: /project-xxxx/transfer

Specification

Invites another account to take over the billing for the project. In effect, this will change the billing account for the project and all associated containers (workspaces for running jobs, etc.). If there are any jobs running at the time of transfer, their compute costs are still billed to the first billing account.

As a result of calling this API method, the invited account receives VIEW access (if necessary), a notification is sent to the invited account holder, and the project enters a pending state. If the transfer is later cancelled before it is accepted, the invited account's permissions level to the project is reverted to the level that was held before this API method was called.

The transfer invitation can be cancelled at any time by calling this API method again with invitee set to null. Calling this API method with a different invitee will cancel any previous transfer invitations.

Inputs

  • invitee string or null email or user ID of the account to which to transfer the project's contents, or null to cancel a pending transfer

  • suppressEmailNotification boolean (optional, default false) If true, do not send an email notification to the invitee

Outputs

  • id string ID of the manipulated project

Errors

  • InvalidInput (input is not a hash, invitee is not a string, suppressEmailNotification is provided but is not a boolean)

  • ResourceNotFound (the specified project does not exist, the specified invitee does not exist as an account ID)

  • PermissionDenied

    • Must have ADMINISTER access to the project, or be an ADMIN of the org that the project is billed to.

  • InvalidState

    • invitee is already billed for the project

    • The project is sponsored (sponsorship must be terminated before attempting a transfer)

API method: /project-xxxx/acceptTransfer

Specification

Accept billing responsibility for the project, possibly on behalf of an org. Upon success, all storage charges, and compute charges for new jobs, will be charged to the new billing account, and the requesting user will be granted ADMINISTER permission to this project.

Inputs

  • billTo string (optional, default is the billTo of the requesting user) billing account (user or org ID) that will be responsible for the project

Outputs

  • id string ID of the manipulated project

Errors

  • PermissionDenied

    • Cannot be invoked by a job

    • Must be the current invitee of the pending transfer for this project

    • If billTo is a user ID, then it must be the ID of the requesting user

    • If billTo is an org ID, then the requesting user must have allowBillableActivities permission in the org

    • If the project has the containsPHI flag set, the new billTo for the project must have the phiFeaturesEnabled flag set

    • If the project has the externalUploadRestricted flag set to true, the new billTo for the project must have the externalUploadRestrictedControl license feature

    • If the project has the httpsAppIsolatedBrowsing flag set to true, the new billTo for the project must have the httpsAppIsolatedBrowsingControl license feature

    • The requested billTo does not have this project's region as one of its permittedRegions

Invitees can see a list of pending transfer invitations by calling /user-xxxx/describe on themselves and providing the boolean flag pendingTransfers set to true.

Can not change the billTo of project-xxxx while the project contains a DBCluster