Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Enhancement] "Globally" shared artifacts #2928

Open
rkboyce opened this issue Apr 23, 2024 · 2 comments · May be fixed by #2956
Open

[Enhancement] "Globally" shared artifacts #2928

rkboyce opened this issue Apr 23, 2024 · 2 comments · May be fixed by #2956
Assignees
Milestone

Comments

@rkboyce
Copy link
Contributor

rkboyce commented Apr 23, 2024

Some implementers of Atlas/WebAPI need to restrict read access to artifacts e.g., to just those user accounts that have authored the artifacts. This functionality became available in v2.14 of WebAPI and Atlas. In such a case, a user can only see the artifacts they own and that they have explicitly been given READ access to. As a result, it becomes desirable to have a way to share at least some artifacts "globally", meaning to all users of the system. For example, in a data commons environment, the leadership might want to provide certain concept sets and cohorts as examples to the broad community of users. This is an enhancement proposal to add that ability.

Pre-conditions:

  • Atlas and WebAPI versions >= 2.14 with security enabled and security.defaultGlobalReadPermissions set to 'false' in WebAPI
  • In the WebAPI - a system role that all users will receive that indicates the ability to read globally-shared artifacts (e.g., 'shared artifacts reader')
  • (optional) In the WebAPI - A non-system role used to restrict the ability to share artifacts globally to a specific set of users (e.g., 'shared artifacts owner')

Suggested changes to Atlas:

  • js/config-local.js:

    • a new config configLocal.permissionManagementRoleId
      • By default set to an empty string ('') indicating that all users can share globally.
      • Optionally, it can be set to the id of the a non-system role used to restrict the ability to share artifacts globally to a specific set of users
  • The configure access modal:

    • js/components/security/access/configure-access-modal.js: functions to grant and revoke 'global' read access. These simply call existing async functions to have WebAPI add or remove GET permissions for a given artifact to the sec_role_permission table for all users with the 'shared artifacts reader' role
    • js/components/security/access/configure-access-modal.html: toggle buttons that a user can click to share or unshare a given artifact globally.
  • The "manager" JS pages for each of the Atlas sub-apps (e.g., for cohort definitions js/pages/cohort-definitions/cohort-definition-manager.js and for concept sets js/pages/concept-sets/conceptset-manager.js) :

    • a new observable to flag if a user is allowed to share (userCanShare). This is set to false by default and changed to true in two cases:
      • the configLocal.permissionManagementRoleId is set to an empty string (default) or,
      • an async function (checkIfRoleCanShare) that checks if the user has the role id assigned to configLocal.permissionManagementRoleId returns true
  • The "manager" HTML pages for each of the Atlas sub-apps:

    • a knockout.js IF block around the code that renders the access modal button (the lock icon) so that the button:
      • is shown if permission management is set to true in config-local.js (default value for enablePermissionManagement) AND the userCanShare flag is true

With these changes, it is possible to allow either all users, or a sub-set of users, to share any artifact with all other users. Artifacts are read-only when shared.

Questions:

  • Shared cohort artifacts are read only but the users who are viewing them can run cohort generation. This might need to be restricted so that that users have to copy the artifacts (thereby becoming the owner of the copy) before generation. How should this be done (e.g., see /js/pages/cohort-definitions/cohort-definition-manager.html ~ line 290)?
@anthonysena anthonysena added this to the v2.15 milestone Apr 23, 2024
@rkboyce
Copy link
Contributor Author

rkboyce commented Apr 23, 2024

I added a video and a draft pull request to further discussion on this feature.

@anthonysena
Copy link
Collaborator

Hi @rkboyce just wanted to see if you had a PR ready for review for this feature?

@anthonysena anthonysena linked a pull request Nov 19, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants