Audience: Sage ACT
...
Overview
One of the configuration options when setting up an Access Requirement (AR) is user type. Both click-wraps and ACT-managed ARs can be configured so that users must be validated in order to be granted data access. Users who are not validated will not be able to click the “Agree” button on a click-wrap and will not be able to submit a data access application for an ACT-managed AR.
Profile validation is a process by which users have their identity verified by ACT. Users submit an ORCID profile, a signed Synapse Pledge, and a signed identity attestation document to ACT, and then ACT must review the documentation to ensure the documents are acceptable and match the user’s Synapse profile information. For privacy and security reasons, ACT must utilize a remote desktop to review profile validation requests so that submitted documents are not downloaded onto any personal devices.
Configuring the Profile Validation Request Environment
Before validating Synapse profiles, ACT must set up VPN access and a Windows instance using Amazon Web Services (AWS). This allows ACT to validate profiles without downloading users’ personal information onto an ACT member’s laptop. You must always utilize a remote desktop to review profile validation requests.
1. Establish VPN Access
Instructions for establishing a VPN instance can be found at /wiki/spaces/IT/pages/722239495. Please reach out to Aaron Hayden the Sage IT Team if you have any questions.
Once you have downloaded the VPN, message #sageit on Slack and request that you be added to the Sage VPN group.
2. Download a remote desktop application
First, make sure you have created a Jumpcloud account. Most new employees at Sage create a Jumpcloud account during their first week at Sage. You will use your Jumpcloud account credentials when setting up your remote desktop.
For Macs: Once you connect to your VPN, you will need to download a remote desktop application. The most secure way to do this is to go through the Mac App Store and download a remote desktop app. “Microsoft Remote Desktop” is a good option. Use your sagebase.org email to create your Apple ID. As you proceed through the steps of creating your account, choose “none” under payment methods to avoid applying a credit card to the account.
Note that you may get an error stating that you do not have any Microsoft devices connected to your application. Once you establish your EC2 Windows Instance following the steps in the next section, your remote desktop will be established for the profile validation.
For PCs: Reach out to Aaron Hayden the Sage IT Team for guidance.
3. Establish your EC2 Windows Instance using the Service Catalogue
The instructions below will allow you to configure your remote desktop environment:
...
6. Test that you can access your remote desktop by following the steps listed under “Validating Profiles” below (you can skip steps 9-15 unless you have profiles to validate). To launch the remote desktop, double-click on the PC instance that you established in the remote desktop app.
Reviewing Profile Validation Requests
Once a user submits a profile validation request, an email will be triggered to ACT@sagebionetworks.org. Therefore, ACT does not need to check the Profile Validation Dashboard daily for new requests, and instead can just review the dashboard when an email is received.
How to Navigate to the Profile Validation Dashboard in your Remote Desktop
Start your VPN instance (Tunnelblick for Mac users).
Go to https://sc.sageit.org and log in.
Go to your “Provisioned products list” and select the Windows instance you have established for validating profiles.
Click the “Actions” button and select “Start” and then “Run Action” when prompted.
Navigate back to the “Provisioned products list” and wait until your Instance “Status” changes from “Under_change” to “Available”
Open your remote desktop app (likely “Microsoft Remote Desktop”) and select your instance.
Click “Continue” when prompted and this should launch your instance (it will look like a Windows Desktop).
The first time you access the internet within your Windows instance you’ll need to log into Synapse with your credentials (your VPN browser will not know your login or password the first time). It is a good idea to bookmark the Synapse site on your VPN browser for future access and have Google remember your password. Once logged into Synapse, all of your starred pages will be available and accessible like usual. If you haven’t already, it can be useful to star the ACT Zone (Int) page for quick access.
From the main ACT Zone page, go to ‘Profile Validation Approval Process’, which can be found in the left-hand side menu towards the bottom.
Check the Synapse Profile Validations Submissions Dashboard.
Click the person’s “User ID”
How to Review Requests
For the profile validation request to be approved:
Ensure the user’s ORCID profile is public and contains at least one piece of information (e.g. education, employment, etc.).
Ensure the user has completely filled out the Synapse Pledge by typing their name, checking the bubbles, and signing their name at the bottom. Typed signatures are not acceptable, but electronic signatures are acceptable.
Ensure the user attached an identity attestation document in English. Document options include:
Letter from a signing official (not themselves) on official letterhead attesting to their identity
Notarized letter attesting to their identity
A copy of a professional license (e.g. medical license, etc.)
Enrollment credentials using official letterhead
Note that government-issued IDs may be accepted, but not IDs from a university or place of work (for international government IDs, Google the ID type to make sure it’s legitimate).
If all of the above criteria are met, you can approve the user by clicking the ‘Approve’ box. The user will automatically receive a confirmation email that their profile validation is approved.
If the user does not meet all of the above criteria, you will click the ‘Reject’ box, which will generate text for a rejection email:
Click the checkbox(es) for the appropriate rejection reasons - be sure to select all that apply
Click “Generate Response”
Review email message and make any necessary changes or additions
Scroll down and click “Send”
After approving or rejecting the request, you will see a comments box.
If they were approved, leave the box blank.
If they were rejected, write a brief explanation for the rejection (e.g., Pledge not signed, ORCID profile not public, Missing identity document)
How to Close Out of your Environment
Once you have reviewed all pending requests, exit out of the browser and close your remote desktop window.
Go to your “Provisioned products list” and select the Windows instance you have established for validating profiles.
Click the “Actions” button and select “Stop”.
Disconnect your Tunnelblick connection.
Common User Errors
ORCID profile:
Not public: “No Public Info Available”
Does not have one piece of information (e.g. education, employment, etc.)
The Synapse Pledge:
Has a typed signature instead of a signed one
Identity Attestation Document:
Not on letterhead
Not in English
Student or Work Identification Badge
...
Resources
...