...

(3) The user receives the email and is instructed to include it with their NRGR application.  If the user is the head of a lab, then each lab member wishing to access the data must perform step (1) and the applicant must include all the emailed tokens with the NRGR application.

 


(4) Upon approval of the applicant(s), the token email(s) are sent to a predefined email address.  The email includes a digital signature, authenticating an X-Originating-IP header, showing it as originating from the NIMH.

(5) Upon receipt of the email, the digital signature authenticating the X-Originating-IP header is checked, the tokens are extracted, and their HMACs validated.  Since the tokens are time stamped, a time limit can be imposed, ensuring out-of-date requests are rejected.  The tokens' contents are used to generate Access Approvals in Synapse, unlocking the data for those approved in NRGR.  The applicants are added to the data access group.  Email notification alerts the applicants to the completion of the process.  The Synapse table record created in step (2) is updated, providing the Synapse Access and Compliance Team (ACT) a dashboard of approval progress.  If a token is rejected (e.g. if the data is corrupt, the token is too old, or the signature is invalid), this is noted in the table.  If the applicant's Synapse user ID can be discerned from the record, an email rejection notice is sent to them.
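The token checks in step (5), sketched as an added example (not Synapse's own code).  The token layout (base64 JSON payload, a dot, then an HMAC-SHA256 hex digest), the field names, the key and the 90-day limit are all assumptions made for illustration; the rejection reasons mirror the ones listed above.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: HMAC key known only to the issuer/validator
MAX_AGE_SECONDS = 90 * 24 * 3600   # assumption: the page does not state the actual limit

def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()

def issue_token(user_id: str, requirement_id: str, now: float, key: bytes = SECRET) -> str:
    """Step (1): time-stamped token bound to one user and one access requirement."""
    payload = json.dumps({"uid": user_id, "ar": requirement_id, "ts": int(now)},
                         sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload, key).decode()

def validate_token(token: str, now: float, key: bytes = SECRET):
    """Step (5): return (claims, None) if accepted, else (claims_or_None, reason)."""
    try:
        b64, mac = token.strip().split(".")
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:             # wrong number of parts or bad base64
        return None, "corrupt"
    # Verify the MAC before parsing anything; compare in constant time.
    if not hmac.compare_digest(_mac(payload, key), mac.encode()):
        return None, "invalid signature"   # uid is untrusted here, so it is not returned
    try:
        claims = json.loads(payload)
        age = now - claims["ts"]
    except (ValueError, KeyError, TypeError):
        return None, "corrupt"
    if age < 0:
        return claims, "timestamp in future"
    if age > MAX_AGE_SECONDS:
        return claims, "too old"   # claims are authentic, so the applicant can be notified
    return claims, None
```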

...

A new Synapse user in a previously approved lab: The NRGR approval process considers an entire lab to be approved once a lab P.I. has completed their process.  Thus a new lab member may request access without involving NRGR.  In this case we require the new user to perform step (1) and for the authenticated PI to provide the token to the ACT, which is authorized to trigger step (5), bypassing the email from NIMH.

...

Case 2: New data is placed in Synapse.  Currently NRGR policy requires the following in this case:  Currently approved users need additional approval to access the new data.  New users require one approval for both the old and new data.

...