...
- User visits Synapse page for sensitive data (e.g. the Bridge data).
- User sees that data is Controlled (tier 3)
- User opens dialog, showing text for the access restriction, e.g. "Please become 'verified' (following instructions on your home page), and send a description of how you intend to use this data along with the Synapse ID of this data to SynapseAccessandComplianceTeam@synapse.org".
- User visits home page. Instructions say, "Fill out your user profile and link to your ORCID then click 'get verified'."
- User fills out their user profile, links their ORCID, clicks link "Become Verified".
- Portal sends user to wiki that contains instructions... "Complete your user profile including name, organization; link your ORCID; then email SynapseAccessandComplianceTeam@synapse.org, including a completed ID verification document."
- User completes user profile and emails ACT, including ID verification document and data use statement.
- ACT receives email. From the user's Synapse user name (the prefix of the 'from' email address) ACT member determines the ACT management page https://www.synapse.org/#!ACTVerify:<username>.
- ACT reviews ID verification document and user profile.
- ACT member clicks 'Verify Identity' on verification page.
- Synapse captures snapshot of reviewed information (VerificationBundle, below), records that user is verified, sends notification to user.
- Form opens with slots for first name, last name, organization, location, country and ORCID, prefilled from user profile. Form also prompts for verification document. Form highlights fields which will become publicly visible (e.g. name and affiliation are visible, attached docs are not).
- User completes form and links ORCID (if necessary) and uploads/attaches verification document, clicks "Submit."
- ACT receives notification of verification submission.
- ACT visits page listing pending submissions, clicks on one, opening up a display of the submission. This page also shows user's email address(es).
- ACT may reject submission: Submission is deleted; rejection notification is sent to user (including reason?); User may repeat "Become verified..."
- ACT may accept submission:
- Submission is marked as accepted.
- "Verified" now appears on user's page. "Verify Identity" changes to "Remove ID Verification" on the ACT Page. User receives verification notification. Anyone clicking on "verified" sees the name, organization, location, country, ORCID that were verified, plus the date verification occurred.
- Notification is sent to user.
- User now completes "tier 3" request, sending data use statement to ACT.
- ACT receives email, checks that user was verified.
- ACT visits page for sensitive data, clicks "Grant access", finds the user based on their user name, and clicks "OK".
- User is notified that they are now granted access.
- User tries to access data, is prompted to reaffirm oath. User agrees.
- User can now access data.
Audit Workflow
ACT receives suggestion that verified information is inaccurate.
ACT visits user's page, opens up submission which shows submitted info, email addresses, documentation, date approved and by whom.
ACT reviews and clicks "Remove verification."
Anonymity Request Workflow
User emails ACT requesting anonymity be restored.
ACT visits user's page, clicks "Remove verification."
Future: Need TOU AR gated on being certified and verified.
Open questions
Does verification require renewal after a set time? NO
...
- Ability for ACT to "grant access". This command needs to prompt for a user id, and then find an ACT terms of use for the currently shown entity. If successful, then it should create an access approval using this pair.
Services
NOTE: THE FOLLOWING NEED TO BE UPDATED
Description | Intended User / Authorization | URI | Method | Request Parameters | Request Body | Response Body |
---|---|---|---|---|---|---|
Retrieve the information used to verify a user. | ACT member | /user/{id}/verificationInfo | GET | -- | -- | VerificationBundle |
Verify a user. | ACT member | /user/{id}/verification | POST | verificationBundleHash | -- | VerificationBundle |
Retrieve verification info | ACT member | /user/{id}/verification | GET | -- | -- | VerificationBundle |
Remove verification | ACT member | /user/{id}/verification | DELETE | -- | -- | -- |
Get UserBundle | Public | /user/{id}/userBundle | GET | -- | -- | UserBundle |
Add ORCID to account | any authorized user | /auth/orcid | POST | -- | OAuthValidationRequest | ORCID |
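
The review-then-approve sequence from the table above, as an added example (not Synapse code): an in-memory Python model that assumes `verificationBundleHash` is a digest of the bundle the ACT member reviewed, so an approval is refused when the profile changed after review. The SHA-256 over canonical JSON, the function names and the sample profile are assumptions and constructed data.

```python
import hashlib
import json

# In-memory stand-ins for Synapse state (constructed sample data, not real records).
PROFILES = {"273950": {"firstName": "Ada", "lastName": "Ng",
                       "organization": "Example University",
                       "location": "Seattle", "country": "US",
                       "orcid": "https://orcid.org/0000-0000-0000-0000"}}
ACT_MEMBERS = {"act-1"}
VERIFIED = {}  # user id -> frozen VerificationBundle snapshot


def bundle_hash(bundle):
    """Digest over canonical JSON so key order cannot change the hash (assumed scheme)."""
    canonical = json.dumps(bundle, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def get_verification_info(caller, user_id):
    """Models GET /user/{id}/verificationInfo: the bundle the ACT member reviews."""
    if caller not in ACT_MEMBERS:
        raise PermissionError("ACT members only")
    bundle = dict(PROFILES[user_id])
    return bundle, bundle_hash(bundle)


def verify_user(caller, user_id, verification_bundle_hash):
    """Models POST /user/{id}/verification: approve only the bundle that was reviewed."""
    if caller not in ACT_MEMBERS:
        raise PermissionError("ACT members only")
    current = dict(PROFILES[user_id])
    if bundle_hash(current) != verification_bundle_hash:
        # Profile was edited between review and approval: force a fresh review.
        raise ValueError("profile changed since review; re-review required")
    VERIFIED[user_id] = current  # snapshot is a copy, later profile edits do not alter it
    return current


if __name__ == "__main__":
    _, reviewed = get_verification_info("act-1", "273950")
    PROFILES["273950"]["organization"] = "Other Org"  # edit made after the review
    try:
        verify_user("act-1", "273950", reviewed)
    except ValueError as err:
        print("rejected:", err)
```
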
...