date	comment
201912	Created
202108	Reviewed - no change

The page describes Sage's best practices for manipulating user profile data in the application. In general, we avoid updating the database directly when we can use APIs to perform the work, so we use a client for most of this.

If a Synapse user is unable to access their account, it may require administrator action to restore access. Changes to user profiles must be approved by ACT to ensure continuity of access restrictions. ACT may use the account validation process.
If a user is locked out an administrative change to their primary email address is the only way to allow them to complete a password reset. This change requires meeting ACT's requirements for verifying identity.
Currently, Synapse will only allow the user to call the API that adds an email address to a their profile (some calls can be overridden by administrators; this call is not one of them).
1. To make this change, spoof the user's identity by using an API key or session token from the database to make this call.
2. The R client can be used to complete this process through this approach (as was done in this case):
  1) retrieve the user's API key from the Synapse database where USER_PID is the principal ID of the user account.
```
> select SECRET_KEY from CREDENTIAL where principal_ID=USER_PID;
```
  2) In R:
```
> library(synapser)
> library(rjson)
> uname<-"ruichang"
> userId<-"3388298"
> apiKey<-"...." # from database
> synLogin(uname, apiKey=apiKey)
> newEmail<-"....@...."
>  synRestPOST(paste0("/account/", userId, "/emailValidation?portalEndpoint=https%3A%2F%2Fwww.synapse.org%2F%23%21Account%3A"), toJSON(list(email=newEmail)))
```
  3) Ask user to forward the email received from Synapse:
  4) In R:
```
> library(wkb)
> library(synapser)
> userId<-"USER_PID"
> apiKey<-"...." # from database
> synLogin(uname, apiKey=apiKey)
> urlEmbeddedToken<-"..." # the long, hex encoded string following "Account:" in the URL in the email
> emailValidationSignedToken<-rawToChar(hex2raw(urlEmbeddedToken))
>  synRestPOST("/email?setAsNotificationEmail=true", emailValidationSignedToken)
```
  5) Go to the password reset page in Synapse and enter the new email.
  6) Inform user that their email has been added and that they can expect a password reset email which they can use to regain control of their account.

Browser not supported