NOTE:
...
The scripts below have been superseded by the tools now built into Synapse. To access them:
Log into Synapse as an ACT member.
Go to the dataset of interest.
Select Tools > Change User Access - or - Manage Access Requirements
If the tools built into Synapse do not meet your needs, please contact the Synapse Engineering Team via JIRA.
This page contains the instructions to be followed by the Access and Compliance team for managing access restrictions on data in Synapse.
...
Code Block |
---|
whoHasAccess<-function(entityId) { aas<-synRestGET(sprintf("/entity/%s/accessApproval", entityId))$results ups<moreResults<-T aas<-list() approvedUsers<offset<-list()0 cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId)) for (aa in aaspageSize<-25 while (moreResults) { # catpage<-synRestGET(sprintf("approval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorId))/entity/%s/accessApproval?limit=%s&offset=%s", entityId, pageSize, offset))$results userId<-aa$accessorId if (length(page)==0) moreResults<-F reqId<-aa$requirementId aas <- append(aas, page) if (!any(approvedUsers[[userId]]==reqId)) { offset<-offset+pageSize } approvedUsers[[userId]]<-append(approvedUsers[[userId]], reqIdups<-list() approvedUsers<-list() } if (is.null(ups[[userId]])) { cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId)) for (aa in aas) { ups[[userId]]<-synRestGET# cat(sprintf("/userProfile/%s", userIdapproval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorId)) }userId<-aa$accessorId cat(".")reqId<-aa$requirementId } if cat("\n") (!any(approvedUsers[[userId]]==reqId)) { for (userId in names(approvedUsers)) { displayName<-upsapprovedUsers[[userId]]<-append(approvedUsers[[userId]]$displayName, reqId) userName<-ups[[userId]]$userName} if (is.null(displayNameups[[userId]])) { catups[[userId]]<-synRestGET(sprintf("/userProfile/%s (id=%s", userId)) is approved for access requirement(s) %s\n", userName, userId, } cat(".") } cat("\n") for (userId in names(approvedUsers)) { displayName<-ups[[userId]]$displayName paste(approvedUsersuserName<-ups[[userId]], collapse=",")))$userName } elseif (is.null(displayName)) { cat(sprintf("%s (usernameid=%s,) id=%s) is approved for access requirement(s) %s\n", displayName, userName, userId, paste(approvedUsers[[userId]], collapse=","))) } else { } } |
How to find out if a specific user has access to a data object:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
doesUserHaveAccess<-function(entityId, principalId) { aas<-synRestGETcat(sprintf("/entity/%s/accessApproval", entityId))$results approvedRequirements<-list() cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId)) for (aa in aas) {%s (username=%s, id=%s) is approved for access requirement(s) %s\n", displayName, userName, userId, # cat(sprintf("approval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorIdpaste(approvedUsers[[userId]], collapse=","))) userId<-aa$accessorId} } reqId<-aa$requirementId } |
How to find out if a specific user has access to a data object:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
doesUserHaveAccess<-function(entityId, principalId) { moreResults<-T if (userId==principalId && !any(approvedRequirements==reqId)) { aas<-list() offset<-0 pageSize<-25 while approvedRequirements<-append(approvedRequirements, reqId(moreResults) { catpage<-synRestGET(sprintf("\nuser %s was approved for requirement %s by %s on %s\n", principalId, reqId, aa$createdBy, aa$createdOn)) }/entity/%s/accessApproval?limit=%s&offset=%s", entityId, pageSize, offset))$results if (length(page)==0) moreResults<-F aas <- cat(".")append(aas, page) } offset<-offset+pageSize cat("\n")} allRequirements<approvedRequirements<-list() ars<-synRestGETcat(sprintf("/entity/%s/accessRequirement"There are %d access approvals for entity %s\n", length(aas), entityId))$results for (araa in arsaas) { allRequirements<-append(allRequirements, ar$id) }# cat(sprintf("approval id=%s requirement id=%s, user id=%s\n", aa$id, aa$requirementId, aa$accessorId)) if (length(allRequirements)>0) allRequirements<-sort(unlist(allRequirements)) userId<-aa$accessorId if (length(approvedRequirements)>0) approvedRequirements<-sort(unlist(approvedRequirements)) reqId<-aa$requirementId if (identical(allRequirements, approvedRequirementsuserId==principalId && !any(approvedRequirements==reqId)) { message(sprintf("User %s DOES have access approvals for ALL %d access requirement(s) on %s", principalId, length(allRequirements), entityId)) } else { approvedRequirements<-append(approvedRequirements, reqId) cat(sprintf("\nuser %s was approved for requirement %s by %s on %s\n", principalId, reqId, aa$createdBy, aa$createdOn)) } cat(".") } if (length(approvedRequirements>0)) { cat("\n") allRequirements<-list() messagears<-synRestGET(sprintf("User %s does NOT have access approvals/entity/%s/accessRequirement", entityId))$results for all(ar the %d access requirement(s) on %s, only for %s",in ars) { allRequirements<-append(allRequirements, ar$id) } principalId,if (length(allRequirements)>0), entityId, paste(approvedRequirements, 
collapse=","))) allRequirements<-sort(unlist(allRequirements)) if (length(approvedRequirements)>0) approvedRequirements<-sort(unlist(approvedRequirements)) } else { if (identical(allRequirements, approvedRequirements)) { message(sprintf("User %s doesDOES NOT have access approvals for ANY of theALL %d access requirement(s) on %s", principalId, length(allRequirements), entityId)) } else { } } }if |
(TODO: We can also display the date/time when approval was granted.)
How to grant access for a specific access requirement:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
grantAccess<-function(requirementId, principalId) {(length(approvedRequirements>0)) { actApproval <- listmessage(sprintf(concreteType="org.sagebionetworks.repo.model.ACTAccessApproval", requirementId=requirementId, accessorId=principalId, approvalStatus="APPROVED") actApproval<-synRestPOST("/accessApproval", actApproval) } |
How to remove access to a data object:
The following deletes access approvals for all requirements found on the object, for the given user.
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
removeAccess<-function(entityId, principalId) { aas<-synRestGET(sprintf("/entity/%s/accessApproval", entityId))$results"User %s does NOT have access approvals for all the %d access requirement(s) on %s, only for %s", principalId, length(allRequirements), entityId, paste(approvedRequirements, collapse=","))) } else { message(sprintf("User %s does NOT have access approvals for ANY of the %d access requirement(s) on %s", principalId, length(allRequirements), entityId)) } } } |
(TODO: We can also display the date/time when approval was granted.)
How to grant access for a specific access requirement:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
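# Grant one principal an approval for one access requirement.
#
# Builds an ACTAccessApproval record with approvalStatus "APPROVED" and POSTs
# it to /accessApproval through synRestPOST.
#
# Arguments:
#   requirementId  id of the access requirement being approved (single value)
#   principalId    id of the user receiving the approval (single value)
#
# Returns (invisibly) whatever synRestPOST returns for the created approval.
#
# Both ids must be exactly one non-missing value. A NULL, NA or multi-valued
# id stops the call before any request is sent, so a mistyped or empty
# variable cannot turn into a malformed approval request.
grantAccess<-function(requirementId, principalId) {
  stopifnot(
    length(requirementId) == 1, !is.na(requirementId),
    length(principalId) == 1, !is.na(principalId)
  )
  actApproval <- list(
    concreteType = "org.sagebionetworks.repo.model.ACTAccessApproval",
    requirementId = requirementId,
    accessorId = principalId,
    approvalStatus = "APPROVED"
  )
  actApproval <- synRestPOST("/accessApproval", actApproval)
  # Keep the original's invisible return so interactive use prints nothing.
  invisible(actApproval)
}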
|
How to remove access to a data object:
The following deletes access approvals for all requirements found on the object, for the given user.
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
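# Delete every access approval that one principal holds on one entity.
#
# Pages through /entity/<entityId>/accessApproval 25 records at a time, then
# issues DELETE /accessApproval/<id> for each approval whose accessorId equals
# principalId. Progress is written with cat(): a "." per approval inspected
# and one line per approval removed.
#
# Arguments:
#   entityId     id of the entity whose approvals are inspected (single value)
#   principalId  id of the user whose approvals are removed (single value)
#
# Returns (invisibly) the number of approvals deleted.
#
# Only access approvals are deleted here; nothing in this function changes
# sharing settings on the entity.
# NOTE(review): approvals are keyed by requirement id, so if a requirement is
# attached to other entities as well, deleting its approval presumably affects
# access there too. Confirm before running against shared requirements.
removeAccess<-function(entityId, principalId) {
  # Refuse NULL/NA/multi-valued ids before any request is made.
  stopifnot(
    length(entityId) == 1, !is.na(entityId),
    length(principalId) == 1, !is.na(principalId)
  )

  pageSize <- 25
  offset <- 0
  aas <- list()
  repeat {
    page <- synRestGET(sprintf("/entity/%s/accessApproval?limit=%s&offset=%s", entityId, pageSize, offset))$results
    # An empty page marks the end of the listing.
    if (length(page) == 0) break
    aas <- append(aas, page)
    offset <- offset + pageSize
  }
  cat(sprintf("There are %d access approvals for entity %s\n", length(aas), entityId))

  removed <- 0L
  for (aa in aas) {
    # Compare as text, and treat a record without an accessorId as a
    # non-match instead of letting if() fail on a zero-length condition.
    if (isTRUE(as.character(aa$accessorId) == as.character(principalId))) {
      synRestDELETE(sprintf("/accessApproval/%s", aa$id))
      removed <- removed + 1L
      cat(sprintf("\nRemoved access approval for access requirement %s.\n", aa$requirementId))
    }
    cat(".")
  }
  cat("\n")

  # A revocation that matched nothing should not look like a success: a wrong
  # principalId would otherwise leave the user's approvals in place unnoticed.
  if (removed == 0L) {
    warning(
      sprintf("No access approvals for principal %s were found on entity %s; nothing was removed.", principalId, entityId),
      call. = FALSE
    )
  }
  invisible(removed)
}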
|
...
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
whoHasAccessToTeam<-function(teamIdwhoHasAccessToTeam<-function(teamId) { moreResults<-T aas<-list() offset<-0 pageSize<-25 while (moreResults) { aas< page<-synRestGET(sprintf("/team/%s/accessApproval?limit=%s&offset=%s", teamId, pageSize, offset))$results if (length(page)==0) moreResults<-F aas <- append(aas, page) offset<-offset+pageSize } ups<-list() approvedUsers<-list() cat(sprintf("There are %d access approvals for Team %s\n", length(aas), teamId)) for (aa in aas) { userId<-aa$accessorId reqId<-aa$requirementId if (!any(approvedUsers[[userId]]==reqId)) { approvedUsers[[userId]]<-append(approvedUsers[[userId]], reqId) } if (is.null(ups[[userId]])) { ups[[userId]]<-synRestGET(sprintf("/userProfile/%s", userId)) } cat(".") } cat("\n") for (userId in names(approvedUsers)) { displayName<-ups[[userId]]$displayNameuserId]]$displayName userName<-ups[[userId]]$userName if (is.null(displayName)) { cat(sprintf("%s (id=%s) is approved for access requirement(s) %s\n", userName, userId, userName<-upspaste(approvedUsers[[userId]]$userName, collapse=","))) if (is.null(displayName))} else { cat(sprintf("%s (username=%s, id=%s) is approved for access requirement(s) %s\n", displayName, userName, userId, paste(approvedUsers[[userId]], collapse=","))) } else } } |
How to find out if a certain user was approved to join a Team:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
isUserApprovedToJoinTeam<-function(teamId, principalId) { moreResults<-T cat(sprintf("%s (username=%s, id=%s) is approved for access requirement(s) %s\n", displayName, userName, userId, aas<-list() offset<-0 pageSize<-25 while (moreResults) { paste(approvedUsers[[userId]], collapse=",")))page<-synRestGET(sprintf("/team/%s/accessApproval?limit=%s&offset=%s", teamId, pageSize, offset))$results if (length(page)==0) moreResults<-F } } } |
How to find out if a certain user was approved to join a Team:
Use the following function, which you can cut/paste into your R session:
Code Block |
---|
isUserApprovedToJoinTeam<-function(teamId, principalId) {aas <- append(aas, page) aas<-synRestGET(sprintf("/team/%s/accessApproval", teamId))$resultsoffset<-offset+pageSize } approvedRequirements<-list() cat(sprintf("There are %d access approvals for team %s\n", length(aas), teamId)) for (aa in aas) { userId<-aa$accessorId reqId<-aa$requirementId if (userId==principalId && !any(approvedRequirements==reqId)) { approvedRequirements<-append(approvedRequirements, reqId) cat(sprintf("\nuser %s was approved for requirement %s by %s on %s\n", principalId, reqId, aa$createdBy, aa$createdOn)) } cat(".") } cat("\n") allRequirements<-list() ars<-synRestGET(sprintf("/team/%s/accessRequirement", teamId))$results for (ar in ars) { allRequirements<-append(allRequirements, ar$id) } if (length(allRequirements)>0) allRequirements<-sort(unlist(allRequirements)) if (length(approvedRequirements)>0) approvedRequirements<-sort(unlist(approvedRequirements)) if (identical(allRequirements, approvedRequirements)) { message(sprintf("User %s DOES have access approvals for ALL %d access requirement(s) on %s", principalId, length(allRequirements), teamId)) } else { if (length(approvedRequirements>0)) { message(sprintf("User %s does NOT have access approvals for all the %d access requirement(s) on %s, only for %s", principalId, length(allRequirements), teamId, paste(approvedRequirements, collapse=","))) } else { message(sprintf("User %s does NOT have access approvals for ANY of the %d access requirement(s) on %s", principalId, length(allRequirements), teamId)) } } } |
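Review bot: The access-requirement list in isUserApprovedToJoinTeam is still fetched with a single unpaginated `synRestGET(sprintf("/team/%s/accessRequirement", teamId))$results`, while the approvals above it are now paged 25 at a time. If that endpoint also returns its results in pages (not visible on this page), `allRequirements` can be truncated and the `identical(allRequirements, approvedRequirements)` check would then report on an incomplete set, so I would either page it the same way or add the comment `# NOTE: assumes every access requirement arrives in one response`. doesUserHaveAccess appears to make the same single call against `/entity/%s/accessRequirement`. Separately, `if (length(approvedRequirements>0))` has its parenthesis misplaced and only works because the comparison keeps the vector's length; `if (length(approvedRequirements) > 0) {` says what is meant.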
...