
Personas

  • Users: the personas logged into Synapse. Every user logged into Synapse must obtain certification from Synapse before being able to perform actions such as uploading or downloading. Certification is mandatory for all Synapse users to ensure proper use of the system.

  • ACT: the Sage Access & Compliance Team is a specialized group within the organization tasked with overseeing and ensuring adherence to access control policies and compliance regulations. The team plays a critical role in safeguarding sensitive data and maintaining the integrity of systems and processes.

Introduction

The user certification process consists of two steps: first, the user must submit a quiz and reach a minimum passing score, and second, the user is added to the certified group. The certification signifies that the user understands the compliance standards. However, if ACT suspects suspicious activity by the user, the certification may be revoked, requiring the user to go through the certification process again.

Why does ACT have the ability to access users' personal data and revoke certification?

The ACT team focuses on compliance with relevant regulations and standards. They stay abreast of legal requirements, industry best practices, and internal policies to ensure that systems and users meet all necessary compliance standards. This includes conducting regular audits, assessments, and reviews to identify and address any compliance gaps or issues.

If ACT suspects that a user's activities indicate a lack of understanding of the regulations, the user will be required to undergo certification again.

Current certification system

After creating a Synapse profile and logging into the system, users are prompted to become certified. They must complete a quiz with a minimum required score to pass. Once the quiz is successfully passed, the user is added to the CERTIFIED_USERS group and maintains certification for future use.

The APIs involved in the process are the following:

| Service | Description | Request | Response |
|---------|-------------|---------|----------|
| GET /certifiedUserTest | Get the test to become a Certified User. | None | Quiz |
| POST /certifiedUserTestResponse | Submit a response to the Certified User test. | QuizResponse | PassingRecord |
| GET /user/{id}/certifiedUserPassingRecord | Retrieve the Passing Record on the User Certification test for the given user. | None | PassingRecord |

APIs only accessible to admins

The APIs below are admin-only and will not be available to ACT, since they can only be run from a particular Jenkins machine. These services are used only for testing purposes, to set up a user as a certified user without submitting the test. They should not be accessible to any other user or team (including ACT).

| Service | Description |
|---------|-------------|
| DELETE /admin/certifiedUserTestResponse/{id} | Deletes the test records. (We do not want ACT to delete a user's passed test record.) |
| PUT /admin/user/{id}/certificationStatus | Changes the status of the user regardless of whether the user has passed the test. (If ACT used this service to set the status to REVOKED, we would lose the history that the user has passed the test, and ACT wants the user to submit the test again.) |

Key consideration

  1. If the user is new and has not previously submitted a quiz, they should be able to submit the test.

  2. If the user has submitted the test but has never achieved a passing score, they should still be able to submit the test.

  3. ACT should be able to revoke a user's certification without deleting the history of the user's test results.

  4. After ACT has revoked a user's certification, the user must pass the test again to become certified again.

  5. If the user has previously passed the test, they should be able to submit a new test.

Proposal

The new API will allow ACT to revoke a user's certification. Specifically, it will update the user's latest passing record by setting the new boolean revoked = true, setting isCertified = false, and setting revokedOn = now.

User passing record possible states

isCertified is derived from the two booleans: it is true only when passed is true and revoked is false.

| Passed | Revoked | isCertified |
|--------|---------|-------------|
| True   | False   | True        |
| False  | False   | False       |
| True   | True    | False       |

New API

Develop a new API specifically designed for revoking user certifications, ensuring that only ACT has the authority to initiate certification revocations.

| API URL | Description | Request | Response |
|---------|-------------|---------|----------|
| PUT /user/{id}/revokeCertification | Changes the last passing record by setting the boolean revoked = true, revokedOn = now, and isCertified = false. | None | PassingRecord |
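The proposal, the state table and the new revoke endpoint above describe one piece of logic: isCertified is derived from passed and revoked, revocation marks the latest passing record rather than deleting it, only ACT may revoke, and a user can always submit a new test response. The following Python model is an added example, not Synapse code; the in-memory CertificationStore, the PASSING_SCORE threshold, the ACT_TEAM role name and the rule that revoking a user who is not currently certified is rejected are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumptions (not from the page): the passing threshold and the team name
# used for the authorization check. The page gives no numeric threshold.
PASSING_SCORE = 80
ACT_TEAM = "ACT"


@dataclass
class PassingRecord:
    """Mirrors the fields of PassingRecord.json that this logic needs."""
    user_id: str
    quiz_id: int
    response_id: int
    score: int
    passed: bool
    passed_on: Optional[datetime] = None
    revoked: bool = False                 # set to True only by ACT
    revoked_on: Optional[datetime] = None

    @property
    def is_certified(self) -> bool:
        # Derived value: the only certified row in the state table is
        # passed=True, revoked=False.
        return self.passed and not self.revoked


class NotAuthorized(Exception):
    pass


class NotCertified(Exception):
    pass


class CertificationStore:
    """In-memory stand-in for the passing-record table (hypothetical)."""

    def __init__(self) -> None:
        self._records: Dict[str, List[PassingRecord]] = {}

    def records(self, user_id: str) -> List[PassingRecord]:
        return list(self._records.get(user_id, []))

    def latest_record(self, user_id: str) -> Optional[PassingRecord]:
        recs = self._records.get(user_id)
        return recs[-1] if recs else None

    def is_certified(self, user_id: str) -> bool:
        rec = self.latest_record(user_id)
        return rec is not None and rec.is_certified

    def submit_response(self, user_id: str, quiz_id: int,
                        response_id: int, score: int) -> PassingRecord:
        """POST /certifiedUserTestResponse: always allowed (key considerations
        1, 2 and 5). A new record is appended, so earlier results, including
        revoked ones, are never overwritten."""
        now = datetime.now(timezone.utc)
        passed = score >= PASSING_SCORE
        rec = PassingRecord(user_id, quiz_id, response_id, score, passed,
                            passed_on=now if passed else None)
        self._records.setdefault(user_id, []).append(rec)
        return rec

    def revoke_certification(self, caller_teams: Set[str],
                             user_id: str) -> PassingRecord:
        """PUT /user/{id}/revokeCertification: only ACT may call it (key
        consideration 3). Marks the latest passing record revoked instead of
        deleting it, so the history that the user once passed survives."""
        if ACT_TEAM not in caller_teams:
            raise NotAuthorized("only ACT may revoke certification")
        rec = self.latest_record(user_id)
        # Assumption: revoking a user who is not currently certified is
        # rejected, which keeps every record in one of the three table states.
        if rec is None or not rec.is_certified:
            raise NotCertified(f"user {user_id} is not currently certified")
        rec.revoked = True
        rec.revoked_on = datetime.now(timezone.utc)
        return rec
```

After a revocation the old record still carries passed = true and its passedOn timestamp, which is exactly the history the admin-only PUT /admin/user/{id}/certificationStatus and DELETE endpoints would lose; a subsequent passing submission appends a fresh record with revoked = false, so the user becomes certified again without anyone editing the revoked one.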

PassingRecord.json

{
	"type":"object",
	"description":"A record of whether a given user passed a given test",
	"properties":{
		"userId":{
			"type": "string",
			"description":"The principal id of the user"
		},
		"quizId":{
			"type": "integer",
			"description":"The id of the quiz"
		},
		"responseId":{
			"type": "integer",
			"description":"The id of the user's response"
		},
		"score":{
			"type": "integer",
			"description":"The score the user received on the test"
		},
		"passed":{
			"type": "boolean",
			"description":"Whether the user passed the given test"
		},
		"passedOn":{
			"type": "string",
			"format":"date-time",
			"description":"Date/time when the user passed the test (omitted if the user has not passed)"
		},
		"corrections":{
			"description":"For each response, whether it was correct",
			"type": "array",
			"items": {
				"type":"object",
				"$ref":"org.sagebionetworks.repo.model.quiz.ResponseCorrectness"
			}
		},
		"revoked": {
			"description": "By default this is false. ACT will set it to true if they determine the user must be re-certified.",
			"type": "boolean"
		},
		"revokedOn": {
			"description": "By default this is null. The date when ACT set revoked to true.",
			"type": "string",
			"format":"date-time"
		},
		"isCertified": {
			"description": "The value is calculated from the booleans passed and revoked.",
			"type": "boolean"
		}
	}
}

This new API extends PassingRecord with the new fields revoked, revokedOn and isCertified.

Data warehouse changes

Add the new columns revoked, revoked_on and isCertified to the warehouse.certifiedquizsnapshots Glue table.

Add the new column mappings in the warehouse_certifiedquizSnapshots Glue job.

Backfill the existing data:

We should backfill the existing data with revoked = false, revoked_on = None and isCertified = passed.
