[Enhancement] "Globally" shared artifacts

[rkboyce]

Some implementers of Atlas/WebAPI need to restrict read access to artifacts e.g., to just those user accounts that have authored the artifacts. This functionality became available in v2.14 of WebAPI and Atlas. In such a case, a user can only see the artifacts they own and that they have explicitly been given READ access to. As a result, it becomes desirable to have a way to share at least some artifacts "globally", meaning to all users of the system. For example, in a data commons environment, the leadership might want to provide certain concept sets and cohorts as examples to the broad community of users. This is an enhancement proposal to add that ability.

Pre-conditions:

• Atlas and WebAPI versions >= 2.14 with security enabled and security.defaultGlobalReadPermissions set to 'false' in WebAPI
• In the WebAPI - a system role that all users will receive that indicates the ability to read globally-shared artifacts (e.g., 'shared artifacts reader')
• (optional) In the WebAPI - A non-system role used to restrict the ability to share artifacts globally to a specific set of users (e.g., 'shared artifacts owner')

Suggested changes to Atlas:

• js/config-local.js:

  • a new config configLocal.permissionManagementRoleId
    • By default set to an empty string ('') indicating that all users can share globally.
    • Optionally, it can be set to the id of the a non-system role used to restrict the ability to share artifacts globally to a specific set of users

• The configure access modal:

  • js/components/security/access/configure-access-modal.js: functions to grant and revoke 'global' read access. These simply call existing async functions to have WebAPI add or remove GET permissions for a given artifact to the sec_role_permission table for all users with the 'shared artifacts reader' role
  • js/components/security/access/configure-access-modal.html: toggle buttons that a user can click to share or unshare a given artifact globally.

• The "manager" JS pages for each of the Atlas sub-apps (e.g., for cohort definitions js/pages/cohort-definitions/cohort-definition-manager.js and for concept sets js/pages/concept-sets/conceptset-manager.js) :

  • a new observable to flag if a user is allowed to share (userCanShare). This is set to false by default and changed to true in two cases:
    • the configLocal.permissionManagementRoleId is set to an empty string (default) or,
    • an async function (checkIfRoleCanShare) that checks if the user has the role id assigned to configLocal.permissionManagementRoleId returns true

• The "manager" HTML pages for each of the Atlas sub-apps:

  • a knockout.js IF block around the code that renders the access modal button (the lock icon) so that the button:
    • is shown if permission management is set to true in config-local.js (default value for enablePermissionManagement) AND the userCanShare flag is true

With these changes, it is possible to allow either all users, or a sub-set of users, to share any artifact with all other users. Artifacts are read-only when shared.

Questions:

• Shared cohort artifacts are read only but the users who are viewing them can run cohort generation. This might need to be restricted so that that users have to copy the artifacts (thereby becoming the owner of the copy) before generation. How should this be done (e.g., see /js/pages/cohort-definitions/cohort-definition-manager.html ~ line 290)?

[rkboyce]

I added a video and a draft pull request to further discussion on this feature.