(Requirement) System must support revocation of user permissions
The system should be able to revoke any user's permissions and, ultimately, their direct access to the system, if the user is misbehaving within the system.
Although it is unclear as to who assigns permissions, I believe that the final responsibility and authority for access control is the DataONE administrator. As such, permissions and simple access to any part of the DataONE infrastructure, and perhaps member node infrastructure that is accessed through DataONE, should be revokable.
- Administrator can change permissions for a user for any object
- Permission changes are propagated through the system within XXX seconds
- Read, write access rules can be altered for a user for all content in the system