...
A data contributor works with the Sage Access and Compliance Team (ACT) to establish that a new data set added to Synapse can only be downloaded by NIH qualified researchers. This means that when a caller attempts to download this dataset, Synapse must first check with the NIH to determine if the caller is actually an NIH qualified researcher. GA4GH provides a technical specification to facilitate this type of authentication/authorization exchange between two systems: GA4GH Passports.
...
A new AccessRequirement (AR) type that can be created/managed by ACT to define one or more Claims that the caller must have in order to download restricted data.
A new Action type that informs callers when a passport visa is required in order to download a file.
Extend the Synapse OIDC Authentication system:
Add new OAuthProviderBinding implementation to connect with each passport Broker that we wish to support.
Extend the Synapse generated access_tokens system to append passport claims provided by passport Brokers to the Synapse access_token.
Add a passport visa interceptor that will validate passport visas from the Synapse access token and forward the valid subset to the thread local.
Extend the EntityAuthorizationManagerImpl to match AR visa conditions to the principal’s visas in the thread local.
...
Currently, an ACT managed access requirement (AR) is created by a member of ACT to restrict download access to one or more files within Synapse. When a user wishes to download a file that is the subject of a managed AR, they will typically need to first submit a data access request to ACT. The user will only be able to download the file after ACT has approved their submission. The approval process often involves providing information that demonstrates their qualification as a researcher.
The GA4GH passport specification was designed for the case where the system that holds data and the system that approves data access are not the same. In the introduction we introduced an example where Synapse controls data that can only be accessed by NIH qualified researchers. For this example, Synapse must defer to an NIH system to determine if a user is an NIH qualified researcher. In the GA4GH passport specification terms, Synapse would be the passport clearinghouse, while the NIH system would be the passport broker. The broker provides authentication information about the user in the form of one or more passport visas, and the clearinghouse uses the passport visas to make authorization decisions.
...
```json
{
    "description": "This is an ACT managed access requirement used to require that a user has obtained one or more GA4GH Passport Visa Claims in order to access the associated subjects.",
    "extends": {
        "$ref": "org.sagebionetworks.repo.model.ManagedACTAccessRequirement"
    },
    "properties": {
        "visaConditions": {
            "description": "The conditions define how this access requirement matches to each required GA4GH passport visa. Each condition group can contain one or more VisaConditions. Conditions within each group are delimited with an 'AND' while groups are delimited with an 'OR'",
            "type": "array",
            "items": {
                "$ref": "org.sagebionetworks.repo.model.ar.ConditionGroup"
            }
        }
    }
}
```
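The AND/OR semantics in the `visaConditions` description, worked through as an added Python example (not Synapse code). The `conditions` list inside each group and the condition fields `type`, `value` and `source` are assumptions modelled on the GA4GH visa object, the visas are assumed to have already passed validation, and all URLs are constructed.

```python
# Added example. Condition field names ("type", "value", "source") are assumptions
# mirroring the GA4GH visa object; the page does not show the ConditionGroup schema.

def condition_matches(condition, visa):
    """True when every field the condition sets equals the visa's field."""
    if not condition:  # an empty condition would match any visa: fail closed
        return False
    return all(visa.get(k) == v for k, v in condition.items())

def unmet_conditions(group, visas):
    """Conditions in one group that no visa satisfies (AND within a group)."""
    return [c for c in group.get("conditions", [])
            if not any(condition_matches(c, v) for v in visas)]

def requirement_met(visa_conditions, visas):
    """OR across groups: one non-empty, fully satisfied group is enough."""
    # The explicit non-empty check matters: a group with no conditions has
    # nothing unmet and would otherwise grant access to every caller.
    return any(bool(g.get("conditions")) and not unmet_conditions(g, visas)
               for g in visa_conditions)

# Constructed sample data (not from the page).
DATASET = "https://data.example/dataset/1"
VISA_CONDITIONS = [
    # Group 1: researcher status from one broker AND a grant for the dataset.
    {"conditions": [
        {"type": "ResearcherStatus", "source": "https://broker.example/nih"},
        {"type": "ControlledAccessGrants", "value": DATASET},
    ]},
    # Group 2: a grant for the dataset issued by a specific source.
    {"conditions": [
        {"type": "ControlledAccessGrants", "value": DATASET,
         "source": "https://dac.example"},
    ]},
]
STATUS_VISA = {"type": "ResearcherStatus", "value": "https://policy.example/ra",
               "source": "https://broker.example/nih"}
GRANT_VISA = {"type": "ControlledAccessGrants", "value": DATASET,
              "source": "https://other.example"}
DAC_GRANT_VISA = {"type": "ControlledAccessGrants", "value": DATASET,
                  "source": "https://dac.example"}
```

The list returned by `unmet_conditions` for each group is the kind of information a client would need to tell a caller which visas are still missing.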
...
Clients use the ‘GET /entity/{id}/actions/download’ service to help guide callers with “unmet” access requirements. This service provides a list of “Actions” that the caller will need to take in order to meet all of the ARs associated with a file.
With the new passport AR, a caller will need to acquire one or more GA4GH passport visas from one or more passport brokers before they will be permitted to download any file that is the subject of the passport AR.
...