CSCfi / rems

Resource Entitlement Management System is a tool for managing access rights to resources, such as research datasets.
MIT License

GA4GH ControlledAccessGrants for authorizing approver/owners #2371

Open viklund opened 4 years ago

viklund commented 4 years ago

It would be neat if the resources one is allowed to manage access to were delivered through GA4GH visas, probably using the ControlledAccessGrant. These visas can be generated by the REMS instance one is currently logging into or some other system.

Maybe this is already possible but I didn't find anything in the docs.

Macroz commented 4 years ago

We are working on such features. If you search the issues/project board with GA4GH you should find the status.

Macroz commented 4 years ago

This should also be relevant but somehow the search doesn't find it so well. https://github.com/CSCfi/rems/pull/2344

opqdonut commented 4 years ago

You can fetch GA4GH visas using the experimental /api/permissions API. See here for docs: https://github.com/CSCfi/rems/blob/master/docs/ga4gh-visas.md

The API is included in the latest release (2.13), but the docs weren't in that release so they're only available on master for now...

Hope that helps!

opqdonut commented 4 years ago

Now that I reread your original message @viklund, I see you're talking about "the resources one is allowed to manage access to". So do you mean that REMS would receive a GA4GH visa that would grant a user the right to handle applications for a certain resource? If so, we don't currently have any plans like that.

The right to approve applications is currently managed by setting a handler for a workflow via the REMS API or UI.

viklund commented 4 years ago

Yes. That's what I meant. I was a bit unclear. It's probably a bit tricky to implement, but it would be neat.

Macroz commented 2 years ago

So would these appear through the user's claims? We have the researcher-status-by, i.e., bona fide status (see e.g. #2513). The right to work as a decider comes from an OIDC claim, so we could have others give out the handler access right. The problem is likely that these are quite organization-specific?

Another possibility is an intermediary API that receives permissions from somewhere / fetches them regularly and updates REMS using the regular API.
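Two things in this thread lend themselves to a worked example: opqdonut's pointer to the experimental /api/permissions API that hands out a user's GA4GH visas, and Macroz's idea of an intermediary that collects such visas and turns them into handler rights. The block below is an added illustration written for this page, not code from the REMS project. It assumes: a trusted issuer URL (https://rems.example.org), a dataset identifier (https://doi.org/10.1234/example-dataset), an HS256 demo key in place of the issuer's real asymmetric key, and the request/response shape of GET /api/permissions/<user> (x-rems-api-key and x-rems-user-id headers, a `ga4gh_passport_v1` array in the reply) as described in the linked docs/ga4gh-visas.md; verify that against the doc before relying on it. The final step, pushing the computed handler list into REMS through its workflow API, is not shown because the thread does not document that call.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request

# Constructed for this example: a toy HS256 key standing in for the visa issuer's key.
# Real GA4GH visas are RS256/ES256-signed and checked against the issuer's JWKS;
# the alg allow-list, signature, exp and issuer checks below apply the same way.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
TRUSTED_ISSUERS = {"https://rems.example.org"}   # assumed issuer URL

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_visa(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Mint a compact-serialised visa JWT (fixture only; REMS does not expose this)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_visa(token: str, key: bytes = ISSUER_KEY, now=None):
    """Return the claims if alg, signature, exp and issuer all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:                      # malformed JWT, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":        # allow-list the alg; never trust the token's choice
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return None
    return claims

def controlled_access_grants(passport, now=None) -> dict:
    """resource identifier -> visa, for every valid ControlledAccessGrants visa in a passport."""
    grants = {}
    for token in passport:
        claims = verify_visa(token, now=now)
        if claims is None:
            continue
        visa = claims.get("ga4gh_visa_v1") or {}
        if visa.get("type") != "ControlledAccessGrants" or "value" not in visa:
            continue                        # e.g. ResearcherStatus visas are ignored here
        grants[visa["value"]] = visa
    return grants

def fetch_passport(base_url: str, user: str, api_key: str) -> list:
    """Assumed shape of the experimental REMS permissions API (see docs/ga4gh-visas.md)."""
    req = urllib.request.Request(
        f"{base_url}/api/permissions/{user}",
        headers={"x-rems-api-key": api_key, "x-rems-user-id": user},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("ga4gh_passport_v1", [])

def handler_updates(passports_by_user: dict, now=None) -> dict:
    """Intermediary step: resource -> sorted users who currently hold a valid grant for it."""
    out = {}
    for user, passport in passports_by_user.items():
        for resource in controlled_access_grants(passport, now=now):
            out.setdefault(resource, set()).add(user)
    return {r: sorted(u) for r, u in out.items()}

# Constructed fixtures: a fixed clock and visas exercising the main failure modes.
NOW = 1_600_000_000
DATASET = "https://doi.org/10.1234/example-dataset"   # assumed resource identifier

def visa_claims(sub, vtype, value, exp, iss="https://rems.example.org"):
    return {"iss": iss, "sub": sub, "iat": NOW - 60, "exp": exp,
            "ga4gh_visa_v1": {"type": vtype, "asserted": NOW - 60, "value": value,
                              "source": iss, "by": "dac"}}

SAMPLE_PASSPORTS = {
    "alice": [sign_visa(visa_claims("alice", "ControlledAccessGrants", DATASET, NOW + 3600))],
    "bob": [sign_visa(visa_claims("bob", "ControlledAccessGrants", DATASET, NOW - 1)),   # expired
            sign_visa(visa_claims("bob", "ResearcherStatus", "https://example.org/bona-fide", NOW + 3600))],
    "mallory": [sign_visa(visa_claims("mallory", "ControlledAccessGrants", DATASET, NOW + 3600), key=b"wrong"),
                sign_visa(visa_claims("mallory", "ControlledAccessGrants", DATASET, NOW + 3600,
                                      iss="https://evil.example"))],
}

def demo():
    return handler_updates(SAMPLE_PASSPORTS, now=NOW)

if __name__ == "__main__":
    print(demo())   # {'https://doi.org/10.1234/example-dataset': ['alice']}
```

In a real deployment `SAMPLE_PASSPORTS` would be built from `fetch_passport()` calls on a schedule, and the resulting resource-to-users map is what the intermediary would then write back into each workflow's handler list. The point of the verification order is that an expired, wrongly signed or foreign-issued visa never reaches the type/value check, so a bad visa can neither grant nor silently revoke handler rights.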