Use case to be addressed by public release (May 2022):
As a researcher finding the MTB website, I want to try out the researcher tools, create a study, and see how it works. I would need to make an account. I expect that to be an MTB account, but it’s actually a Synapse account.
If I want to look at public assessments, I can do that anonymously. However, if I want to create a test study to see how it works, I will need to join an org. If I join an existing org, then I need an org admin to approve and assign roles. Otherwise, I would need to make a new org.
When creating a study, it is related to a Synapse project (Is this currently a new project only for this study? Or is it a general MTB project?). As the researcher, I should have access to my study’s data, but not all of MTB’s data. And I want to add collaborators to my study.
Note that as a registered user in Synapse, the researcher can only create studies but not launch them at this point. But do they need to add other administrative users to their study at this point? And would those users need controlled access to Synapse?
How aware of Synapse account status (registered vs certified) do we need to be in Bridge?
What roles can currently create studies in Bridge?
Issues with the process above:
The researcher does not immediately have access to their Synapse project. They have to be invited to a team (by Alx or Dwayne) and set as a Team Manager.
Adding a new researcher to the study in Bridge does not automatically add them to a team in the Synapse project.
If an administrative user is in Bridge but not added through Synapse, can their Synapse ID be linked after the fact? Can user accounts in different apps in Bridge share a Synapse ID?
Note on current user administration:
When creating a study, Bridge creates a Synapse project with two teams, admin and read-only. The exporter has admin access. Giving another user access requires inviting them to a team and then optionally managing their role on the team. Adding members is a manual process. It’s possible that this could be managed through an API in Bridge.
Option for public release - make the creator of a study an admin of the related Synapse project
If the Synapse user of the actual study creator was used to create the Synapse project, then they would automatically be the admin.
When the study creator then adds other users to their study, Bridge should also be able to add those users to the related Synapse project through an invite to a team.
Problem: Dwayne pointed out that if the study creator is the admin on the project, they will have unlimited access to the data in the project. As in, they can edit the raw data.
Synapse is inaccessible for 1 hour a week. If someone makes user access changes in Bridge during that time, what problems could that cause? Is there a request queue that resolves later, or would Synapse reject the call?
Bridge features and changes required:
Ability to ask Synapse for a user’s current permissions.
Ability to update a Synapse user’s project permissions.
Reworking study bootstrapping to use a study creator’s Synapse account.
Likely task - mapping permissions between Bridge roles and Synapse access control lists.
For instance, if someone has the Researcher role and access to studyA and studyB, does that indicate some default access to related projects in Synapse? Would they be expected to have read but not write access? Would a Study Coordinator automatically need read access as well?
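One way to approach the mapping task above, as an added example (not Bridge or Synapse code): derive the Synapse access each linked administrative account should hold from its Bridge roles, diff that against a project's current ACL, and flag accounts that could modify data. The role-to-access mapping, the function names and all IDs are assumptions; the page leaves the actual mapping open.

```python
# Hypothetical mapping from Bridge roles to Synapse ACL access types;
# the page leaves the real mapping undecided.
ROLE_ACCESS = {"researcher": {"READ", "DOWNLOAD"}, "study_coordinator": {"READ"}}
WRITE_ACCESS = {"CREATE", "UPDATE", "DELETE", "CHANGE_PERMISSIONS"}

# Constructed sample data; IDs are placeholders, not real Synapse IDs.
STUDY_TO_PROJECT = {"studyA": "syn-projA", "studyB": "syn-projB"}
ACCOUNTS = [
    {"synapse_id": "1001", "roles": ["researcher"], "studies": ["studyA", "studyB"]},
    {"synapse_id": "1002", "roles": ["study_coordinator"], "studies": ["studyA"]},
    {"synapse_id": None, "roles": ["researcher"], "studies": ["studyA"]},
]
CURRENT = {"syn-projA": {
    "exporter": {"READ", "UPDATE", "DELETE", "CHANGE_PERMISSIONS"},
    "1001": {"READ", "DOWNLOAD", "UPDATE", "DELETE"},
}}


def desired_acl(accounts, study_to_project):
    """Return {project_id: {synapse_id: access_types}} implied by Bridge roles."""
    acl = {}
    for acct in accounts:
        # Unknown roles grant nothing, so a new Bridge role never widens access.
        access = set().union(*(ROLE_ACCESS.get(r, set()) for r in acct["roles"]))
        if not acct.get("synapse_id") or not access:
            continue  # account not linked to Synapse, or nothing to grant
        for study in acct["studies"]:
            entries = acl.setdefault(study_to_project[study], {})
            entries.setdefault(acct["synapse_id"], set()).update(access)
    return acl


def plan_changes(desired, current, unmanaged=frozenset()):
    """Diff desired vs current ACLs into (project, principal, grant, revoke)."""
    steps = []
    for project in sorted(set(desired) | set(current)):
        want, have = desired.get(project, {}), current.get(project, {})
        for who in sorted(set(want) | set(have)):
            if who in unmanaged:
                continue  # e.g. the exporter, which keeps its admin access
            grant = want.get(who, set()) - have.get(who, set())
            revoke = have.get(who, set()) - want.get(who, set())
            if grant or revoke:
                steps.append((project, who, grant, revoke))
    return steps


def write_capable(acl, unmanaged=frozenset()):
    """List (project, principal) pairs able to modify data in a project."""
    return sorted((p, who) for p, entries in acl.items()
                  for who, access in entries.items()
                  if who not in unmanaged and access & WRITE_ACCESS)
```

Because the output is a list of pending grant and revoke steps rather than direct calls, the same plan could be held and applied later if Synapse is unavailable when the change is made in Bridge.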
Possible refactoring project - splitting the administrative and participant interfaces in Bridge.
Participants will not need access to Synapse at any time, so separating them would help keep the participant accounts from being affected by changes to administrative account management.
Future option - have Synapse be the user accounts manager for administrative accounts in Bridge
Bridge resources could be included in Synapse’s ACL and Bridge administrative users' permissions could be tracked there. This would make Synapse the source for all access and identity control.
Simplifies user management for administrators using both Synapse and Bridge in tandem.
The most direct route to this would be treating a study/app as a resource and a Bridge Role as an access level. But that would require Synapse to allow that to be set in the first place, which seems like an odd requirement.
Bridge could require a full overhaul of how it manages administrative access in this case.