Version | Summary |
---|---|
07/08/2024 | Updated to align with One Sage release. |
8/10/22 | Updated process and link to new AWS VPN instructions |
02/22/2022 | Updated EC2 instance and VPN instructions |
12/28/2021 | Updated format to align with policy version tables |
12/15/2021 | Added version tracking table. |
07/08/2021 | Updated |
Audience: Sage ACT
Overview
One of the configuration options when setting up an Access Requirement (AR) is user type. Both click-wraps and ACT-managed ARs can be configured so that users must be validated in order to be granted data access. Users who are not validated will not be able to click the “Agree” button on a click-wrap and will not be able to submit a data access application for an ACT-managed AR.
Profile validation is a process by which users have their identity verified by ACT. Users submit an ORCID profile, a signed completed Synapse Pledge, and a signed identity attestation document to ACT, and then ACT must review the documentation to ensure the documents are acceptable and match the user’s Synapse profile information. For privacy and security reasons, ACT must utilize a remote desktop to review profile validation requests so that submitted documents are not downloaded onto any personal devices.
Configuring the Profile Validation Request Environment
Before validating Synapse profiles, ACT must set up VPN access and a Windows instance using Amazon Web Services (AWS). This allows ACT to validate profiles without downloading users’ personal information onto an ACT member’s laptop. You must always utilize a remote desktop to review profile validation requests.
1. Establish VPN Access
Instructions for establishing an AWS VPN client can be found at /wiki/spaces/IT/pages/7222394951705246745. Please reach out to the Sage IT Team if you have any questions. Once you have downloaded the VPN, message #sageit on Slack and request that you be added to the Sage VPN group.
2. Download a remote desktop application
First, make sure you have created a JumpCloud account. Most new employees at Sage create a JumpCloud account during their first week at Sage. You will use your JumpCloud account credentials when setting up your remote desktop.
For Macs: Once you connect to your VPN, you will need to download a remote desktop application. The most secure way to do this is to go through the Mac app store and download a remote desktop app. “Microsoft Remote Desktop” is a good option. Use your http://sagebase.org Sage Bionetworks email to create your Apple ID. As you proceed through the steps of creating your account, choose “none” under payment methods to avoid applying a credit card to the account.
Note that you may get an error stating that you do not have any Microsoft devices connected to your application. Once you establish your EC2 Windows Instance following the steps in the next section, your remote desktop will be established for the profile validation.
For PCs: Reach out to the Sage IT Team for guidance. For remote desktop applications, please see instructions below.
3. Establish your EC2 Windows Instance using the Service Catalogue
The instructions below will allow you to configure your remote desktop environment:
1. Start your AWS VPN client with JumpCloud integration.
2. To create your virtual Windows machine (or ‘instance’), please follow the steps listed for your device here: Service Catalog Provisioning. You will be creating an EC2 Windows Instance with JumpCloud Integration.
3. Once your instance has been created, in the Service Catalogue scroll down to AWS events. From there click on Output Value and then the Outputs Tab. You should see the following information:
...
4. You will need the “WindowsInstancePrivateIpAddress” value for your remote desktop. Add a PC and the name should match this IP address, as shown in the image below. Use your JumpCloud username. Next, in your Windows search bar, type “Remote Desktop Connection” and open the app. Type in the IP address and your JumpCloud username. Click connect.
5. If you are using Microsoft Remote Desktop client, the PC tab will look like this:
...
6. Test that you can access your remote desktop by following the steps listed under “Validating Profiles” below (you can skip steps 9-15 unless you have profiles to validate). To launch the remote desktop, double click on the PC instance that you established in the remote desktop app.
Reviewing Profile Validation Requests
Once a user submits a profile validation request, an email will be triggered to ACT@sagebionetworks.org. Therefore, ACT does not need to check the Profile Validation Dashboard daily for new requests, and instead can just review the dashboard when an email is received.
How to Navigate to the Profile Validation Dashboard in your Remote Desktop
Start your AWS VPN client.
Go to https://sc.sageit.org and log in.
Go to your “Provisioned products list” and select the Windows EC2 instance you have established for validating profiles.
Click the “Actions” button and select “Start” and then “Perform Action” when prompted.
...
On the top right of the “Provisioned product details”, click the refresh button next to the Actions button. The status will change to “Under Change”. Periodically click the refresh button until the status changes to “Available”. Now your Instance is available for use.
Open your remote desktop app (likely “Microsoft Remote Desktop”).
Click “Connect” when prompted and this should launch your instance (it will look like a Windows Desktop). Open an Internet browser to access the Profile Validation page.
...
Note, the first time you access the Internet within your Windows instance you’ll need to log into Synapse with your credentials (your VPN browser will not know your login or password the first time). It is a good idea to bookmark the Synapse site on your VPN browser for future access and have Google remember your password. Once logged into Synapse, all of your starred pages will be available and accessible like usual. If you haven’t already, it can be useful to star the ACT Zone page for quick access.
From the main ACT Zone page, go to ‘Profile Validation Dashboard’ which can be found in the left hand side menu towards the bottom.
...
Click the “Profile Validation Dashboard” link in the Wiki to review requests.
...
Click the person’s “User ID”
How to Review Requests
For the profile validation request to be approved:
Ensure the user’s ORCID profile is public and contains at least one piece of information (i.e. education, employment, etc.).
Ensure the user attached an identity attestation document in English. Document options include:
Letter from a signing official (not themselves) on official letterhead attesting to their identity
Notarized letter attesting to their identity
A copy of a professional license (i.e. medical license, etc.)
Enrollment credentials using official letterhead
If all of the above criteria are met, you can approve the user by clicking the ‘Approve’ button. The user will automatically receive a confirmation email that their profile validation is approved.
If the user does not meet all of the above criteria, you will click the ‘Reject’ box, which will generate text for a rejection email:
Click the checkbox(es) for the appropriate rejection reasons - be sure to select all that apply
Click “Generate Response”
Review email message and make any necessary changes or additions
Scroll down and click “Send”
After approving or rejecting the request, you will see a comments box.
If they were approved, leave the box blank.
If they were rejected, write a brief explanation for the rejection (e.g., Pledge not signed, ORCID profile not public, Missing identity document).
How to Close Out of your Environment
Once you have reviewed all pending requests, exit out of the browser and close your remote desktop window.
Go to your “Provisioned product details” and select the Windows instance you have established for validating profiles.
Click the “Actions” button and select “Stop”.
Click “Perform Action”.
Disconnect your VPN connection.
Monthly Maintenance: Deleting Downloads to Protect Sensitive Information
ACT members need to regularly delete the contents of their downloads folder to ensure sensitive documents (e.g., passports, driver's licenses, state IDs) are not stored in the remote environment. Follow these steps to delete the downloads and empty the trash bin:
Open Google Chrome and go to your downloads history.
Click the three vertical dots on the right side of the screen.
Select “Open downloads folder.”
Select all files in the downloads folder.
Move the selected files to the trash.
Open the trash bin.
Select “Empty trash.”
Return to the downloads history in Google Chrome.
Click the three vertical dots again.
Select “Clear all.”
Common User Errors
ORCID profile:
Not public: “No Public Info Available”
Does not have one piece of information (i.e. education, employment, etc.)
...
The Synapse Pledge:
...
Identity Attestation Document:
Not on letterhead
Not in English
Student or Work Identification Badge
...
Resources