Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

CREATE TABLE `NODE_ACCESS_REQUIREMENT` (
`SUBJECT_ID` bigint(20) NOT NULL,
`SUBJECT_TYPE` enum('ENTITY','EVALUATION','TEAM') NOT NULL,
`REQUIREMENT_ID` bigint(20) NOT NULL,
PRIMARY KEY (`SUBJECT_ID`,`SUBJECT_TYPE`,`REQUIREMENT_ID`),
KEY `SUBJECT_ACCESS_REQUIREMENT_REQUIREMENT_ID_FK` (`REQUIREMENT_ID`),
CONSTRAINT `SUBJECT_ACCESS_REQUIREMENT_REQUIREMENT_ID_FK` FOREIGN KEY (`REQUIREMENT_ID`) REFERENCES `ACCESS_REQUIREMENT` (`ID`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Current Workflow

Will only discuss Web client workflow since we are deprecating scripts that are using these services.ACT member used to create AccessRequirements via a script. We are deprecating the script and encouraging users to use the web client implementation. 

Creating an AccessRequirement and applying it to an entity works as following:

  1. An ACT member navigates to a subject A (entity or team) that they want to apply new AccessRequirement to.
  2. S/he creates an AccessRequirement B for the subject, setting up the terms, and specifying all requirements.
  3. Later new data C is added to Synapse.
  4. An ACT member determines that the new data should have the same AccessRequirement with A. S/he navigates to A and list A's AccessRequirement to find the one they are looking for.
  5. S/he changes the existing AccessRequirement, extends it to also apply to C.

Problems

  1. Currently, each AccessRequirement can be applied to multiple subjects. Every time a subject is added or removed from the AccessRequirement, the AccessRequirement is updated. 
  2. Since applying an AccessRequirement to a subject is a relationship between AccessRequirement and subject, adding or removing subjects from AccessRequirement should only change the relationship between the subjects and the AccessRequirement, and do not update the AccessRequirement.
  3. Entity's creator needs to contact ACT to apply an existing AccessRequirement to their entity.
  4. Also, changing this relationship may make the subject more or less accessible to users. The change should trigger a change message on the subject itself so that we can correctly authorize users' actions on the subject.

Proposed Solution

This section is open for discussion.

...

  • Add an API to change the relationship between an AccessRequirement and a list of RestrictableObjects. This action will trigger a change message for each subjects.
  • Create will work the same.
  • Update AccessRequirement APIs will only populate ACCESS_REQUIREMENT and ACCESS_REQUIREMENT_VERSION table. 
  • This option will keep the list of RestrictableObjectDescriptor in AccessRequirement DTO.

Pros:

  • Friendly to users since their workflow will stay the same.

Cons:

  • It is not clear that the association between a subject and an AccessRequirement is not a part of the AccessRequirement.

Option 2 - Allow

...

AccessRequirement to be created

...

without specifying Subjects

  • Remove the list of RestrictableObjectDescriptor from AccessRequirement DTO.
  • Create & Update AccessRequirement will not associate the AccessRequirement to any subjects.
  • Add new set of APIs to associate a subject to an AccessRequirement and to remove the association.
  • Add new APIs to list AccessRequirement one creates and have access to. 

Pros:

  • The API make it clear that the association between a subject and an AccessRequirement doesn't change the AccessRequirement itself. 

Cons: 

  • AccessRequirement itself can have similar terms. AccessRequirements do not have name. Without the context of which subject it applies too, it is hard for user to identify which AccessRequirement they wants.

New Services

These are new APIs for option 2.


ActionIntended UsersMethodURIRequest ParamsRequestBodyResponseBody
1Apply an AccessRequirement to a subjectACTPUT/accessRequirement/{id}/subjectsubjectId, subjectType

2Remove an AccessRequirement from a subjectACTDELETE/accessRequirement/{id}/subjectsubjectId, subjectType

3Listing a page of subjects that an AccessRequirement directly applies toAll usersGET/accessRequirement/{id}/subjectsnextPageToken
RestrictableObjectDescriptorResponse
4Listing a page of AccessRequirements that applies to a subject All usersPOST/accessRequirement/batch
BatchAccessRequirementRequestBatchAccessRequirementResponse



RestrictableObjectDescriptorResponse
List<RestrictableObjectDescriptor> subjects
String nextPageToken


BatchAccessRequirementRequest
RestrictableObjectDescriptor subject
String nextPageToken


BatchAccessRequirementResponse
List<AccessRequirement> results
String nextPageToken


Related JIRA tickets:

  • Jira Legacy
    serverJIRA (sagebionetworks.jira.com)
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverIdba6fb084-9827-3160-8067-8ac7470f78b2
    keyPLFM-4476
  • Jira Legacy
    serverJIRA (sagebionetworks.jira.com)
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverIdba6fb084-9827-3160-8067-8ac7470f78b2
    keyPLFM-4512
  • Jira Legacy
    serverJIRA (sagebionetworks.jira.com)
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverIdba6fb084-9827-3160-8067-8ac7470f78b2
    keySWC-3709
  • Jira Legacy
    serverJIRA (sagebionetworks.jira.com)
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverIdba6fb084-9827-3160-8067-8ac7470f78b2
    keyPLFM-4518