Version | Summary |
---|---|
02/22/2022 | Updated EC2 instance and VPN instructions |
12/28/2021 | Updated format to align with policy version tables |
12/15/2021 | Added version tracking table. |
07/08/2021 | Updated |
Audience: Sage ACT
Overview
One of the configuration options when setting up an Access Requirement (AR) is user type. Both click-wraps and ACT-managed ARs can be configured so that users must be validated in order to be granted data access. Users who are not validated will not be able to click the “Agree” button on a click-wrap and will not be able to submit a data access application for an ACT-managed AR.
Profile validation is a process by which users have their identity verified by ACT. Users submit an ORCID profile, a signed Synapse Pledge, and a signed identity attestation document to ACT, and then ACT must review the documentation to ensure the documents are acceptable and match the user’s Synapse profile information. For privacy and security reasons, ACT must utilize a remote desktop to review profile validation requests so that submitted documents are not downloaded onto any personal devices.
Configuring the Profile Validation Request Environment
Before validating Synapse profiles, ACT must set up VPN access and a Windows instance using Amazon Web Services (AWS). This allows ACT to validate profiles without downloading users’ personal information onto an ACT member’s laptop. You must always utilize a remote desktop to review profile validation requests.
1. Establish VPN Access
Instructions for establishing a VPN instance can be found at /wiki/spaces/IT/pages/722239495. Please reach out to the Sage IT Team if you have any questions.
Once you have downloaded the VPN, message #sageit on Slack and request that you be added to the Sage VPN group.
2. Download a remote desktop application
First, make sure you have created a Jumpcloud account. Most new employees at Sage create a Jumpcloud account during their first week at Sage. You will use your Jumpcloud account credentials when setting up your remote desktop.
For Macs: Once you connect to your VPN, you will need to download a remote desktop application. The most secure way to do this is to go through the Mac app store and download a remote desktop app. “Microsoft Remote Desktop” is a good option. Use your http://sagebase.org email to create your Apple ID. As you proceed through the steps of creating your account, choose “none” under payment methods to avoid applying a credit card to the account.
Note that you may get an error stating that you do not have any Microsoft devices connected to your application. Once you establish your EC2 Windows Instance following the steps in the next section, your remote desktop will be established for the profile validation.
For PCs: Remote desktop application instructions for PCs are located here: https://sagebionetworks.jira.com/wiki/spaces/SC/pages/938836322/Service+Catalog+Provisioning#Connect-to-Windows-desktop
3. Establish your EC2 Windows Instance using the Service Catalogue
The instructions below will allow you to configure your remote desktop environment:
1. Start Tunnelblick (Macs) or Sophos SSL (PCs).
2. To create your virtual Windows machine (or ‘instance’), please follow the steps listed here: Service Catalog Provisioning. You will be creating an EC2 Windows Instance with Jumpcloud Integration.
3. Once your instance has been created in the Service Catalogue, scroll down to AWS events. From there, click on Output Value and then the Outputs tab. You should see the following information:
4. You will need the “WindowsInstancePrivateIpAddress” value for your remote desktop. To install the Microsoft Remote Desktop client, refer to these instructions: https://sagebionetworks.jira.com/wiki/spaces/SC/pages/938836322/Service+Catalog+Provisioning#Connect-to-Windows-desktop
5. If you are using Microsoft Remote Desktop client, the PC tab will look like this:
6. Test that you can access your remote desktop by following the steps listed under “Validating Profiles” below (you can skip steps 9-15 unless you have profiles to validate). To launch the remote desktop, double click on the PC instance that you established in the remote desktop app.
Reviewing Profile Validation Requests
Once a user submits a profile validation request, an email will be triggered to ACT@sagebionetworks.org. Therefore, ACT does not need to check the Profile Validation Dashboard daily for new requests, and instead can just review the dashboard when an email is received.
How to Navigate to the Profile Validation Dashboard in your Remote Desktop
Start your VPN instance (Tunnelblick for Mac users or Sophos SSL for PC users).
Go to https://sc.sageit.org and log in.
Go to your “Provisioned products list” and select the Windows instance you have established for validating profiles.
Click the “Actions” button and select “Start” and then “Perform Action” when prompted.
On the top right of the “Provisioned product details”, click the refresh button next to the Actions button. The status will change to “Under Change”. Periodically click the refresh button until the status changes to “Available”. Now your Instance is available for use.
Open your remote desktop app (likely “Microsoft Remote Desktop”) and select your instance.
Click “Connect” when prompted and this should launch your instance (it will look like a Windows Desktop). Open an Internet browser to access the Profile Validation page.
Note, the first time you access the Internet within your Windows instance you’ll need to log into Synapse with your credentials (your VPN browser will not know your login or password the first time). It is a good idea to bookmark the Synapse site on your VPN browser for future access and have Google remember your password. Once logged into Synapse, all of your starred pages will be available and accessible like usual. If you haven’t already, it can be useful to star the ACT Zone page for quick access.
From the main ACT Zone page, go to ‘Profile Validation Dashboard’, which can be found in the left-hand side menu towards the bottom.
Click the “Profile Validation Dashboard” link in the Wiki to review requests.
How to Review Requests
For the profile validation request to be approved:
Check the requestor’s Synapse profile to verify the user is Certified.
Ensure the user’s ORCID profile is public and contains at least one piece of information (e.g., education, employment, etc.).
Ensure the user has completely filled out the Synapse Pledge by typing their name, checking the bubbles, and signing their name at the bottom. Typed signatures are not acceptable, but electronic signatures are acceptable.
Ensure the user attached an identity attestation document in English. Document options include:
Letter from a signing official (not themselves) on official letterhead attesting to their identity
Notarized letter attesting to their identity
A copy of a professional license (e.g., medical license, etc.)
If all of the above criteria are met, you can approve the user by clicking the ‘Approve’ button. The user will automatically receive a confirmation email that their profile validation is approved.
If the user does not meet all of the above criteria, you will click the ‘Reject’ box, which will generate text for a rejection email:
Click the checkbox(es) for the appropriate rejection reasons; be sure to select all that apply
Click “Generate Response”
Review email message and make any necessary changes or additions
Scroll down and click “Send”
After approving or rejecting the request, you will see a comments box.
If they were approved, leave the box blank.
If they were rejected, write a brief explanation for the rejection (e.g., Pledge not signed, ORCID profile not public, Missing identity document)
How to Close Out of your Environment
Once you have reviewed all pending requests, exit out of the browser and close your remote desktop window.
Go to your “Provisioned product details” and select the Windows instance you have established for validating profiles.
Click the “Actions” button and select “Stop”.
Click “Perform Action”.
Disconnect your VPN connection.
Common User Errors
ORCID profile:
Not public: “No Public Info Available”
Does not have one piece of information (e.g., education, employment, etc.)
The Synapse Pledge:
Has a typed signature instead of a signed signature
Identity Attestation Document:
Not on letterhead
Not in English
Student or Work Identification Badge
Resources