NOTE:
...
The scripts below are replaced by the tool set now built into Synapse. To access:
Log into Synapse as an ACT member.
Go to the dataset of interest.
Select Tools > Change User Access - or - Manage Access Requirements
If the tools built in to Synapse do not meet your needs, kindly contact the Synapse Engineering Team via JIRA.
This page contains the instructions to be followed by the Access and Compliance team for managing access restrictions on data in Synapse.
...
Code Block |
---|
# log in to Synapse
library(synapseClient)
synapseLogin(<your user name>, <your password>)
# use the synapse identifier for the data object to be put under access control
entityIds<-list("syn987654")
#
# create the Tier Three access requirement
subjectIds<-lapply(entityIds, function(x){list(id=x,type="ENTITY")})
openJiraIssue<-TRUE # set to true or false to control whether the web portal allows the user to open a JIRA issue
actContactInfo<-"Please complete the following form and email it to the Access and Compliance Team at act@sagebase.org.<br/> 1) Your name:<br/> 2) Your organization: <br/> 3) Your IRB number: <br/> "
ar <- list(concreteType="org.sagebionetworks.repo.model.ACTAccessRequirement", subjectIds=subjectIds, accessType="DOWNLOAD", actContactInfo=actContactInfo, openJiraIssue=openJiraIssue)
ar<-synRestPOST("/accessRequirement", ar)
|
When someone tries to download the data from the Web interface, they will be presented with instructions for contacting the Access and Compliance Team to request download access.
...
How to add a wiki page to an access requirement:
In the above examples the text of the access requirement was embedded directly in the requirement (in the 'termsOfUse' or 'actContactInfo' field). An alternative is to create a wiki page and attach it to the access requirement. Synapse will then show the markdown from the wiki page when the access requirement is displayed. To do this, first create the access requirement as shown above, but omit 'termsOfUse' or 'actContactInfo'. Then issue the following command:
Code Block |
---|
wikipage <- list(title="title", markdown="put markdown here", attachmentFileHandleIds=c("101", "102", "103"))
synRestPOST(sprintf("/access_requirement/%s/wiki", ar$id), wikipage) |
where you are to replace "title", "markdown" and the list of attachmentFileHandleIds with their actual values. If you have already created a wiki that you wish to use:
Code Block |
---|
wikipage <- synGetWiki(synGet("syn12345")) # Note: replace "syn12345" with the ID of the project, folder or file that has the wiki page.
wikipage$id<-NULL
wikipage$parentWikiId<-NULL
if (length(wikipage$attachmentFileHandleIds)==1) wikipage$attachmentFileHandleIds<-list(wikipage$attachmentFileHandleIds)
synRestPOST(sprintf("/access_requirement/%s/wiki", ar$id), wikipage) |
When someone tries to download the data from the Web interface, they will be presented with instructions for contacting the Access and Compliance Team to request download access.
How to link an approval form to an access requirement:
In the actContactInfo, ensure that any anchor tags (<a>) include the attribute target="_blank", e.g.:
Code Block |
---|
actContactInfo<-"Please complete this form and send to act@sagebase.org:<br/><a href=\"https://staging.synapse.org/#!Synapse:syn2295117\" target=\"_blank\">https://staging.synapse.org/#!Synapse:syn2295117</a>"
|
This is necessary to make the browser open a new tab to show the approval form.
How to delete an existing access requirement:
If a requirement is deleted, all the approvals for said requirement are deleted as well. To delete from R:
Code Block |
---|
requirementId<-"7"
synRestDELETE(paste("/accessRequirement/", requirementId, sep=""))
|
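Because deleting a requirement also deletes its approvals, the following added example (not part of the original page) records the affected approvals in a CSV file before it issues the DELETE. The function names, the snapshot file and the sample records are assumptions constructed for illustration; the REST paths and approval fields are the ones used elsewhere on this page, and entityId is assumed to be one of the entities the requirement applies to.

```r
# Added example, not from the original page. Function names are hypothetical.
# restGet/restDelete default to the synapseClient calls used on this page and
# are parameters only so the logic can be exercised on constructed data.

# Page through every access approval on an entity (same paging as whoHasAccess).
collectApprovals <- function(entityId, restGet, pageSize=25) {
  aas <- list()
  offset <- 0
  repeat {
    page <- restGet(sprintf("/entity/%s/accessApproval?limit=%s&offset=%s",
                            entityId, pageSize, offset))$results
    if (length(page)==0) break
    aas <- append(aas, page)
    offset <- offset+pageSize
  }
  aas
}

# Save the approvals that deleting 'requirementId' would destroy, then delete.
deleteRequirementWithSnapshot <- function(requirementId, entityId, snapshotFile,
                                          restGet=synRestGET, restDelete=synRestDELETE) {
  aas <- collectApprovals(entityId, restGet)
  affected <- Filter(function(aa) identical(as.character(aa$requirementId),
                                            as.character(requirementId)), aas)
  column <- function(name) vapply(affected, function(aa) {
    if (is.null(aa[[name]])) NA_character_ else as.character(aa[[name]])
  }, character(1))
  snapshot <- data.frame(approvalId=column("id"), requirementId=column("requirementId"),
                         accessorId=column("accessorId"), createdBy=column("createdBy"),
                         createdOn=column("createdOn"), stringsAsFactors=FALSE)
  write.csv(snapshot, snapshotFile, row.names=FALSE)
  # Delete only if the file on disk holds every affected approval.
  onDisk <- read.csv(snapshotFile, colClasses="character")
  if (nrow(onDisk)!=length(affected)) stop("Snapshot incomplete; requirement NOT deleted")
  restDelete(paste("/accessRequirement/", requirementId, sep=""))
  snapshot
}

# --- Constructed sample data and stand-in REST functions (no Synapse needed) ---
fakeApprovals <- list(
  list(id="9001", requirementId="7", accessorId="111", createdBy="222", createdOn="2014-01-15T10:00:00.000Z"),
  list(id="9002", requirementId="8", accessorId="111", createdBy="222", createdOn="2014-01-16T10:00:00.000Z"),
  list(id="9003", requirementId="7", accessorId="333", createdBy="222", createdOn="2014-02-01T09:30:00.000Z"))
fakeGet <- function(uri) {
  limit <- as.integer(sub(".*limit=([0-9]+).*", "\\1", uri))
  offset <- as.integer(sub(".*offset=([0-9]+).*", "\\1", uri))
  idx <- seq_along(fakeApprovals)
  list(results=fakeApprovals[idx>offset & idx<=offset+limit])
}
deletedUris <- character(0)
fakeDelete <- function(uri) deletedUris <<- c(deletedUris, uri)

snapshotFile <- tempfile(fileext=".csv")
saved <- deleteRequirementWithSnapshot("7", "syn987654", snapshotFile, fakeGet, fakeDelete)
print(saved)
print(deletedUris)
```

In a logged-in session, omit the last two arguments so that the page's synRestGET and synRestDELETE are used, and keep the CSV with the record of why the requirement was removed.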
How to update an existing access requirement:
An access requirement may be changed after it is created. The main use for this is to add files to an existing requirement. You can also change the displayed text.
Code Block |
---|
# Say there is currently an access restriction on just one file, syn2319165.
> entityIds<-list("syn2319165")
> currentRestrictions<-synRestGET(paste("/entity/", entityIds[[1]], "/accessRequirement", sep=""))
# Check that there is just one restriction
> currentRestrictions$totalNumberOfResults
[1] 1
# set 'ar' to be the restriction
> ar<-currentRestrictions$results[[1]]
# now verify what is the current entity list for the access restriction
> ar$subjectIds
[[1]]
          id         type
"syn2319165"     "ENTITY"

# Now let's make the restriction apply to two files rather than one.
> entityIds<-list("syn2319165", "syn2341872")
> subjectIds<-lapply(entityIds, function(x){list(id=x,type="ENTITY")})
> ar$subjectIds<-subjectIds
#
# Optionally change the text of the access requirement
# If the Access Requirement is an "ACT" (Tier 3) Access Requirement, then the field is called "actContactInfo":
ar$actContactInfo<-"new ACT contact info"
#
# -- OR --
#
# If the Access Requirement is a "Terms of use" ("click wrap") Access Requirement, then the field is called "termsOfUse":
ar$termsOfUse<-"new click-wrap text"
#
# (The above two fields are the only mutable ones: the list of entities and the displayed text.)
#
# This command sends the modified restriction to Synapse.
> ar<-synRestPUT(paste("/accessRequirement/", ar$id, sep=""), ar)
> ar$subjectIds
[[1]]
          id         type
"syn2319165"     "ENTITY"

[[2]]
          id         type
"syn2341872"     "ENTITY"
|
How to list the access requirements for a data object:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
listRequirementsForEntity<-function(entityId) {
  ars<-synRestGET(sprintf("/entity/%s/accessRequirement", entityId))$results
  for (ar in ars) {
    if (ar$concreteType=="org.sagebionetworks.repo.model.ACTAccessRequirement") {
      text<-ar$actContactInfo
    } else {
      text<-ar$termsOfUse
    }
    cat(sprintf("id=%s type=%s text=%s...\n", ar$id, substring(text=ar$concreteType, first=1+nchar("org.sagebionetworks.repo.model.")), substr(text, 1, 50)))
  }
}
|
How to find out who has access to a data object:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
whoHasAccess<-function(entityId) {
  # page through all access approvals for the entity
  moreResults<-T
  aas<-list()
  offset<-0
  pageSize<-25
  while (moreResults) {
    page<-synRestGET(sprintf("/entity/%s/accessApproval?limit=%s&offset=%s", entityId, pageSize, offset))$results
    if (length(page)==0) moreResults<-F
    aas <- append(aas, page)
    offset<-offset+pageSize
  }
  ups<-list()
  approvedUsers<-list()
  cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId))
  for (aa in aas) {
    # cat(sprintf("approval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorId))
    userId<-aa$accessorId
    reqId<-aa$requirementId
    if (!any(approvedUsers[[userId]]==reqId)) {
      approvedUsers[[userId]]<-append(approvedUsers[[userId]], reqId)
    }
    # look up each user's profile once
    if (is.null(ups[[userId]])) {
      ups[[userId]]<-synRestGET(sprintf("/userProfile/%s", userId))
    }
    cat(".")
  }
  cat("\n")
  for (userId in names(approvedUsers)) {
    displayName<-ups[[userId]]$displayName
    userName<-ups[[userId]]$userName
    if (is.null(displayName)) {
      cat(sprintf("%s (id=%s) is approved for access requirement(s) %s\n", userName, userId, paste(approvedUsers[[userId]], collapse=",")))
    } else {
      cat(sprintf("%s (username=%s, id=%s) is approved for access requirement(s) %s\n", displayName, userName, userId, paste(approvedUsers[[userId]], collapse=",")))
    }
  }
}
|
How to find out if a specific user has access to a data object:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
doesUserHaveAccess<-function(entityId, principalId) {
  # page through all access approvals for the entity
  moreResults<-T
  aas<-list()
  offset<-0
  pageSize<-25
  while (moreResults) {
    page<-synRestGET(sprintf("/entity/%s/accessApproval?limit=%s&offset=%s", entityId, pageSize, offset))$results
    if (length(page)==0) moreResults<-F
    aas <- append(aas, page)
    offset<-offset+pageSize
  }
  approvedRequirements<-list()
  cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId))
  for (aa in aas) {
    # cat(sprintf("approval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorId))
    userId<-aa$accessorId
    reqId<-aa$requirementId
    if (userId==principalId && !any(approvedRequirements==reqId)) {
      approvedRequirements<-append(approvedRequirements, reqId)
      cat(sprintf("\nuser %s was approved for requirement %s by %s on %s\n", principalId, reqId, aa$createdBy, aa$createdOn))
    }
    cat(".")
  }
  cat("\n")
  # compare the user's approvals with the full list of requirements on the entity
  allRequirements<-list()
  ars<-synRestGET(sprintf("/entity/%s/accessRequirement", entityId))$results
  for (ar in ars) {
    allRequirements<-append(allRequirements, ar$id)
  }
  if (length(allRequirements)>0) allRequirements<-sort(unlist(allRequirements))
  if (length(approvedRequirements)>0) approvedRequirements<-sort(unlist(approvedRequirements))
  if (identical(allRequirements, approvedRequirements)) {
    message(sprintf("User %s DOES have access approvals for ALL %d access requirement(s) on %s", principalId, length(allRequirements), entityId))
  } else {
    if (length(approvedRequirements)>0) {
      message(sprintf("User %s does NOT have access approvals for all the %d access requirement(s) on %s, only for %s", principalId, length(allRequirements), entityId, paste(approvedRequirements, collapse=",")))
    } else {
      message(sprintf("User %s does NOT have access approvals for ANY of the %d access requirement(s) on %s", principalId, length(allRequirements), entityId))
    }
  }
}
|
(TODO: We can also display the date/time when approval was granted.)
How to grant access for a specific access requirement:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
grantAccess<-function(requirementId, principalId) {
  actApproval <- list(concreteType="org.sagebionetworks.repo.model.ACTAccessApproval", requirementId=requirementId, accessorId=principalId, approvalStatus="APPROVED")
  actApproval<-synRestPOST("/accessApproval", actApproval)
}
|
How to remove access to a data object:
The following deletes access approvals for all requirements found on the object, for the given user.
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
removeAccess<-function(entityId, principalId) {
  # page through all access approvals for the entity
  moreResults<-T
  aas<-list()
  offset<-0
  pageSize<-25
  while (moreResults) {
    page<-synRestGET(sprintf("/entity/%s/accessApproval?limit=%s&offset=%s", entityId, pageSize, offset))$results
    if (length(page)==0) moreResults<-F
    aas <- append(aas, page)
    offset<-offset+pageSize
  }
  cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId))
  for (aa in aas) {
    # cat(sprintf("approval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorId))
    userId<-aa$accessorId
    reqId<-aa$requirementId
    # delete every approval that belongs to the given user
    if (userId==principalId) {
      synRestDELETE(sprintf("/accessApproval/%s", aa$id))
      cat(sprintf("\nRemoved access approval for access requirement %s.\n", reqId))
    }
    cat(".")
  }
  cat("\n")
}
|
How to list the access requirements for a Team:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
listRequirementsForTeam<-function(teamId) {
  ars<-synRestGET(sprintf("/team/%s/accessRequirement", teamId))$results
  for (ar in ars) {
    if (ar$concreteType=="org.sagebionetworks.repo.model.ACTAccessRequirement") {
      text<-ar$actContactInfo
    } else {
      text<-ar$termsOfUse
    }
    cat(sprintf("id=%s type=%s text=%s...\n", ar$id, substring(text=ar$concreteType, first=1+nchar("org.sagebionetworks.repo.model.")), substr(text, 1, 50)))
  }
}
|
How to find out who was approved to join a Team:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
whoHasAccessToTeam<-function(teamId) {
  # page through all access approvals for the Team
  moreResults<-T
  aas<-list()
  offset<-0
  pageSize<-25
  while (moreResults) {
    page<-synRestGET(sprintf("/team/%s/accessApproval?limit=%s&offset=%s", teamId, pageSize, offset))$results
    if (length(page)==0) moreResults<-F
    aas <- append(aas, page)
    offset<-offset+pageSize
  }
  ups<-list()
  approvedUsers<-list()
  cat(sprintf("There are %d access approvals for Team %s\n", length(aas), teamId))
  for (aa in aas) {
    userId<-aa$accessorId
    reqId<-aa$requirementId
    if (!any(approvedUsers[[userId]]==reqId)) {
      approvedUsers[[userId]]<-append(approvedUsers[[userId]], reqId)
    }
    # look up each user's profile once
    if (is.null(ups[[userId]])) {
      ups[[userId]]<-synRestGET(sprintf("/userProfile/%s", userId))
    }
    cat(".")
  }
  cat("\n")
  for (userId in names(approvedUsers)) {
    displayName<-ups[[userId]]$displayName
    userName<-ups[[userId]]$userName
    if (is.null(displayName)) {
      cat(sprintf("%s (id=%s) is approved for access requirement(s) %s\n", userName, userId, paste(approvedUsers[[userId]], collapse=",")))
    } else {
      cat(sprintf("%s (username=%s, id=%s) is approved for access requirement(s) %s\n", displayName, userName, userId, paste(approvedUsers[[userId]], collapse=",")))
    }
  }
}
|
...
Code Block |
---|
isUserApprovedToJoinTeam<-function(teamId, principalId) {
  # page through all access approvals for the Team
  moreResults<-T
  aas<-list()
  offset<-0
  pageSize<-25
  while (moreResults) {
    page<-synRestGET(sprintf("/team/%s/accessApproval?limit=%s&offset=%s", teamId, pageSize, offset))$results
    if (length(page)==0) moreResults<-F
    aas <- append(aas, page)
    offset<-offset+pageSize
  }
  approvedRequirements<-list()
  cat(sprintf("There are %d access approvals for team %s\n", length(aas), teamId))
  for (aa in aas) {
    userId<-aa$accessorId
    reqId<-aa$requirementId
    if (userId==principalId && !any(approvedRequirements==reqId)) {
      approvedRequirements<-append(approvedRequirements, reqId)
      cat(sprintf("\nuser %s was approved for requirement %s by %s on %s\n", principalId, reqId, aa$createdBy, aa$createdOn))
    }
    cat(".")
  }
  cat("\n")
  # compare the user's approvals with the full list of requirements on the Team
  allRequirements<-list()
  ars<-synRestGET(sprintf("/team/%s/accessRequirement", teamId))$results
  for (ar in ars) {
    allRequirements<-append(allRequirements, ar$id)
  }
  if (length(allRequirements)>0) allRequirements<-sort(unlist(allRequirements))
  if (length(approvedRequirements)>0) approvedRequirements<-sort(unlist(approvedRequirements))
  if (identical(allRequirements, approvedRequirements)) {
    message(sprintf("User %s DOES have access approvals for ALL %d access requirement(s) on %s", principalId, length(allRequirements), teamId))
  } else {
    if (length(approvedRequirements)>0) {
      message(sprintf("User %s does NOT have access approvals for all the %d access requirement(s) on %s, only for %s", principalId, length(allRequirements), teamId, paste(approvedRequirements, collapse=",")))
    } else {
      message(sprintf("User %s does NOT have access approvals for ANY of the %d access requirement(s) on %s", principalId, length(allRequirements), teamId))
    }
  }
}
|
...
For example, when removing access you need to add a line that calls the function:
## after running the code above for removing a person's access to an entity, type this line with the correct entityID and principalID
removeAccess("syn123456","789012")
...