
ACT should be able to manage a user’s certification status

 

Personas

  • User: The person logged into Synapse. Every user logged into Synapse must obtain certification from the system before performing actions such as uploading or downloading. Certification is mandatory for all Synapse users to ensure proper use of the system.

  • ACT: Sage Access & Compliance Team is a specialized group within the organization tasked with overseeing and ensuring adherence to access control policies and compliance regulations. The team plays a critical role in safeguarding sensitive data and maintaining the integrity of systems and processes.

Introduction

The user certification process consists of two steps: first, the user must submit a quiz with a minimum passing score, and second, the user is added to the certified group. The certification signifies that the user understands the compliance standards. If ACT detects any suspicious behavior from the user, their certification may be revoked, requiring them to go through the certification process again.

Why should ACT have the ability to access users' personal data and revoke certification?

The ACT focuses on compliance with relevant regulations and standards. It stays abreast of legal requirements, industry best practices, and internal policies to ensure that systems and users meet all necessary compliance standards. This includes conducting regular audits, assessments, and reviews to identify and address any compliance gaps or issues.

If ACT suspects that a user's activities indicate a lack of understanding of the regulations, the user will be required to undergo certification again.

Current certification system

After creating a Synapse profile and logging into the system, users are prompted to become certified. They must complete a quiz with a minimum required score to pass. Once the quiz is successfully passed, the user is added to the CERTIFIED_USERS group and maintains certification for future use.

The APIs involved in the process are listed below:

Service                                        | Description                                                                     | Request      | Response
-----------------------------------------------|---------------------------------------------------------------------------------|--------------|--------------
GET /certifiedUserTest                         | Get the test to become a Certified User.                                        | None         | Quiz
POST /certifiedUserTestResponse                | Submit a response to the Certified User test.                                   | QuizResponse | PassingRecord
GET /user/{id}/certifiedUserPassingRecord      | Retrieve the Passing Record on the User Certification test for the given user.  | None         | PassingRecord

 

APIs only accessed by admin

The APIs below are accessible only to Synapse administrators, must be run from within the Sage VPN, and are not available to ACT. They exist only for testing purposes, to set a user up as a certified user without submitting the test, and must not be exposed to any other user or team, including ACT.

Service                                        | Description
-----------------------------------------------|--------------------------------------------------------------------------------------------------------------
DELETE /admin/certifiedUserTestResponse/{id}   | Deletes the test record. ACT must not be able to delete a user's passed test record.
PUT /admin/user/{id}/certificationStatus       | Changes the user's status regardless of whether the user has passed the test. ACT must not use this service: if ACT set the status to REVOKED through it, the history showing that the user passed the test would be lost, and ACT wants the user to submit the test again.

Key considerations

  1. If the user is new and has not previously submitted a quiz, they should be able to submit the test.

  2. If the user has submitted the test but has never achieved a passing score, they should still be able to submit the test.

  3. ACT should be able to revoke a user's certification without deleting the history of the user's test results.

  4. User must pass the test after ACT has revoked their certification to become certified again.

  5. If the user has previously passed the test, they should be able to submit a new test.

Proposal

The new API will allow ACT to revoke a user's certification. Specifically, it updates the user's latest passing record by setting the new boolean revoked=true, setting isCertified=false, and setting revokedOn=now.

Possible states of a user's passing record

Passed | Revoked | isCertified
-------|---------|------------
True   | False   | True
False  | False   | False
True   | True    | False

New API

Develop a new API specifically designed for revoking user certifications, ensuring that only ACT has the authority to initiate certification revocations.

API URL                              | Description                                                                                          | Request | Response
-------------------------------------|------------------------------------------------------------------------------------------------------|---------|--------------
PUT /user/{id}/revokeCertification   | Updates the user's last passing record by setting revoked=true, revokedOn=now and isCertified=false. | None    | PassingRecord

PassingRecord.json

{
  "type": "object",
  "description": "A record of whether a given user passed a given test",
  "properties": {
    "userId": { "type": "string", "description": "The principal id of the user" },
    "quizId": { "type": "integer", "description": "The id of the quiz" },
    "responseId": { "type": "integer", "description": "The id of the user's response" },
    "score": { "type": "integer", "description": "The score the user received on the test" },
    "passed": { "type": "boolean", "description": "Whether the user passed the given test" },
    "passedOn": {
      "type": "string",
      "format": "date-time",
      "description": "Date/time when the user passed the test (omitted if the user has not passed)"
    },
    "corrections": {
      "description": "For each response, whether it was correct",
      "type": "array",
      "items": { "type": "object", "$ref": "org.sagebionetworks.repo.model.quiz.ResponseCorrectness" }
    },
    "revoked": {
      "description": "By default this is false. ACT will set it to true if they determine the user must be re-certified.",
      "type": "boolean"
    },
    "revokedOn": {
      "description": "By default this is null. The date when ACT set revoked to true.",
      "type": "string",
      "format": "date-time"
    },
    "isCertified": {
      "description": "The value is calculated from the booleans passed and revoked.",
      "type": "boolean"
    }
  }
}

 

The proposal extends PassingRecord with three new fields: revoked, revokedOn and isCertified. isCertified is derived from passed and revoked (see the state table above) and is never set independently.
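The behaviour specified by the key considerations, the state table and the new revoke endpoint, worked through as an added in-memory model. This is example code written for this page, not Synapse's implementation (Synapse itself is Java). The ACT principal ids, the passing score, the in-memory store, and the class and method names are all constructed for the example; the page does not name them. Two readings are also assumptions and are marked in comments: "latest passing record" is taken to mean the most recent record with passed=true, and revocation is taken to remove the user from CERTIFIED_USERS, since that group is what gates uploads and downloads today.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed stand-ins (hypothetical): ACT member principal ids and the passing score.
ACT_MEMBERS: Set[str] = {"act-reviewer-1"}
PASSING_SCORE = 12  # not the real quiz threshold; chosen for the example


class Forbidden(Exception):
    """Raised when a principal that is not in ACT calls the revoke endpoint."""


@dataclass
class PassingRecord:
    """Mirrors the fields of PassingRecord.json; isCertified is derived, not stored."""
    userId: str
    quizId: int
    responseId: int
    score: int
    passed: bool
    passedOn: Optional[datetime] = None
    revoked: bool = False
    revokedOn: Optional[datetime] = None

    @property
    def isCertified(self) -> bool:
        # The three rows of the state table collapse to one rule:
        # (passed, revoked) = (T, F) -> T; (F, F) -> F; (T, T) -> F.
        return self.passed and not self.revoked


@dataclass
class CertificationService:
    """In-memory model of the quiz records and the CERTIFIED_USERS group (constructed)."""
    records: Dict[str, List[PassingRecord]] = field(default_factory=dict)
    certified_users: Set[str] = field(default_factory=set)

    def submit_test(self, user_id: str, quiz_id: int, response_id: int, score: int) -> PassingRecord:
        """POST /certifiedUserTestResponse. Submission is always allowed (key
        considerations 1, 2, 4 and 5); a pass (re)adds the user to the group."""
        now = datetime.now(timezone.utc)
        passed = score >= PASSING_SCORE
        rec = PassingRecord(user_id, quiz_id, response_id, score, passed,
                            passedOn=now if passed else None)
        self.records.setdefault(user_id, []).append(rec)
        if passed:
            self.certified_users.add(user_id)
        return rec

    def passing_record(self, user_id: str) -> Optional[PassingRecord]:
        """GET /user/{id}/certifiedUserPassingRecord. Assumption: 'latest passing
        record' means the most recent record with passed=true."""
        for rec in reversed(self.records.get(user_id, [])):
            if rec.passed:
                return rec
        return None

    def revoke_certification(self, actor_id: str, user_id: str) -> PassingRecord:
        """PUT /user/{id}/revokeCertification. Only ACT may call it. The record is
        flagged, never deleted, so the pass history survives (consideration 3)."""
        if actor_id not in ACT_MEMBERS:
            raise Forbidden(f"{actor_id} is not a member of ACT")
        rec = self.passing_record(user_id)
        if rec is None:
            raise ValueError(f"{user_id} has no passing record to revoke")
        if not rec.revoked:  # idempotent: a repeat call keeps the original revokedOn
            rec.revoked = True
            rec.revokedOn = datetime.now(timezone.utc)
        # Assumption: revocation also drops the user from CERTIFIED_USERS, because
        # membership in that group is what currently gates uploads and downloads.
        self.certified_users.discard(user_id)
        return rec

    def history(self, user_id: str) -> List[PassingRecord]:
        """Every submission ever made, including revoked passes; nothing is deleted."""
        return list(self.records.get(user_id, []))
```

The point the model makes concrete is that revocation and deletion are different operations: after revoke_certification the old record is still present with passed=true, isCertified is false only because revoked is true, and a fresh pass produces a new record that becomes the user's current passing record, which is exactly the history the admin-only DELETE and PUT endpoints would destroy.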

Data warehouse changes

Add new columns revoked, revoked_on and isCertified to the warehouse.certifiedquizsnapshots Glue table.

Add the corresponding column mappings to the warehouse_certifiedquizSnapshots Glue job.

Backfill the existing data:

Backfill the existing rows with revoked = false, revoked_on = null, and isCertified equal to each row's existing passed value (true or false), since no record has been revoked before this change.