Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter cohorts and concepts but read permissions - penultimate draft pull request #2297

Closed
wants to merge 20 commits into from
Closed

Filter cohorts and concepts but read permissions - penultimate draft pull request #2297

wants to merge 20 commits into from

Conversation

rkboyce
Copy link
Contributor

@rkboyce rkboyce commented Jul 10, 2023

Now filtering works for concept sets and cohort definitions. Wanted to check if this is going ok and then discuss if we should keep going for all of the other applications now or do the rest for 2.15 release. Also, need to discuss where revised system permission should go (i.e., in the release code or just instructions).

rkboyce and others added 20 commits February 13, 2023 14:44
@rkboyce
helpful build steps
610af40
@rkboyce
Merge branch 'OHDSI:master' into filter_cohorts_and_concepts
20e985d
@rkboyce
This is the first working filtration of the conceptset lists so that …
b792094 
…a user only sees what their role has permission to read. This initial commit has a big issue in that a person who authors a conceptset cannot see the concept set unless a new permission is added. To be fixed.
@rkboyce
Merge branch 'filter_cohorts_and_concepts' of https://github.com/vinc…
db76dfe 
…i-ohdsi/WebAPI into HEAD
@rkboyce
Merge branch 'OHDSI:master' into filter_cohorts_and_concepts
feab759
@rkboyce
fixed issue where the creator of an artifact was skipped as having RE…
1762c70 
…AD access
@rkboyce
Merge branch 'filter_cohorts_and_concepts' of https://github.com/vinc…
61f30fb 
…i-ohdsi/WebAPI into filter_cohorts_and_concepts
@rkboyce
Merge branch 'OHDSI:master' into filter_cohorts_and_concepts
e41524a
@rkboyce
Merge pull request #1 from OHDSI/master
f001a2d 
merging upstream
@rkboyce
Merge branch 'master' into filter_cohorts_and_concepts
bcaa822
@rkboyce
changed the name, data type, and location for the configuration optio…
b8f5220 
…n used to tell the WebAPI to do filtering based on READ permissions. The new property is called security.defaultGlobalReadPermissions
@rkboyce
changed the name, data type, and location for the configuration optio…
c9b63ea 
…n used to tell the WebAPI to do filtering based on READ permissions. The new property is called security.defaultGlobalReadPermissions
@rkboyce
added draft READ permissions to the schemas and made partial progress…
477c46c 
… on getting the cohortdefinition filtering to work. Still need to fix the case where another user grants read permission to a single cohort definition to another user and then that definition is visible. Currently, somehow, all definitions authored by the granting user are showing in the grantee's Atlas. Once worked out, the task will be to repeat the steps for every one of the following files: src/main/java/org/ohdsi/webapi/security/model/CohortCharacterizationPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/CohortDefinitionPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/ConceptSetPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/EstimationPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/FeatureAnalysisPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/IncidenceRatePermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/PathwayAnalysisPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/PredictionPermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/ReusablePermissionSchema.java src/main/java/org/ohdsi/webapi/security/model/TagPermissionSchema.java
@rkboyce
partial progress through the list of schema files that need edited to…
317cf3e 
… apply the concept filtering to other artifact types
@rkboyce
what appears to be the appropriate READ permission schema for cohortd…
e26efba 
…efinitions. Tests OK
@rkboyce
the appropriate READ permission schema for cohortdefinitions. Tests OK
83befff
@rkboyce
added necessary code to filter cohort-characterizations based on read…
3d80d5c 
… permissions
@rkboyce
added filtering of cohort pathway analyses based on READ permissions
0d0690f
@rkboyce
added filtering of IR analyses returned from Atlas based on READ perm…
247effd 
…issions
@rkboyce
Implemented filtering of prediction entities depending on a users REA…
efa3557 
…D permissions - tested and not working completely. Strange permissions issue that appears to be entirely client-side.
@rkboyce
Copy link
Contributor Author

rkboyce commented Jul 16, 2023

This updated draft pull request implements the READ permissions filtering across all the following applications in Atlas:

  • concept sets
  • Cohort definition
  • Cohort characterization
  • Incident Rates
  • Estimation
  • Prediction

Of the above, Prediction is still having issues in testing but it seems to be on the Atlas client side. I am submitting this draft so that code review can occur while I work out the issue and do a bit more testing.

NOTE: These changes will need to come with a new system role that the admins could select which I am calling the 'Read Restricted Atlas User' role. I think the following query could be the basis for adding SQL to flyway to create this role:

select distinct sp.*
from ohdsi.sec_role_permission srp 
  inner join ohdsi.sec_permission sp on srp.permission_id = sp.id 
where srp.role_id in (6,10) -- 'cohort reader', 'Atlas Users'
 and sp.value not in 
    (  
    	'conceptset:*:get',
    	'conceptset:*:expression:get',
    	'conceptset:*:version:*:expression:get',    	       
    	--
        'cohortdefinition:*:get',
        'cohortdefinition:*:info:get',
        'cohortdefinition:*:version:get',
        'cohortdefinition:*:version:*:get',        
        --        
	    'cohort-characterization:*:get',
        'cohort-characterization:*:generation:get',
		'cohort-characterization:generation:*:get',
		'cohort-characterization:design:get',
		'cohort-characterization:*:design:get',
		'cohort-characterization:design:*:get',
		'cohort-characterization:*:version:get',
		'cohort-characterization:*:version:*:get',
		--
		'pathway-analysis:*:get',
		'pathway-analysis:*:generation:get',
		'pathway-analysis:generation:*:get',
		'pathway-analysis:generation:*:result:get',
		'pathway-analysis:generation:*:design:get',
		'pathway-analysis:*:version:get',
		'pathway-analysis:*:version:*:get'
		--
		'ir:*:get',
		'ir:*:copy:get',
		'ir:*:info:get',
		'ir:*:design:get',
		'ir:*:version:get',
		'ir:*:version:*:get'
		--		
		'estimation:*:get',
		'estimation:*:copy:get',
		'estimation:*:download:get',
		'estimation:*:export:get',
		'estimation:*:generation:get'
		--
		'prediction:*:get',
		'prediction:*:copy:get',
		'prediction:*:download:get',
		'prediction:*:export:get',
		'prediction:*:generation:get',
		'prediction:*:exists:get'
    )
order by sp.value 
;

@rkboyce rkboyce marked this pull request as ready for review July 16, 2023 04:48
@rkboyce
Copy link
Contributor Author

rkboyce commented Jul 19, 2023

This is closed because the update should have happened on draft pull request 2245

@rkboyce rkboyce closed this Jul 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rkboyce