search

OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0
128 stars 166 forks source link

Filter cohorts and concepts but read permissions - penultimate draft pull request #2297

Closed rkboyce closed 1 year ago

rkboyce commented 1 year ago

Now filtering works for concept sets and cohort definitions. Wanted to check if this is going ok and then discuss if we should keep going for all of the other applications now or do the rest for 2.15 release. Also, need to discuss where revised system permission should go (i.e., in the release code or just instructions).

rkboyce commented 1 year ago

This updated draft pull request implements the READ permissions filtering across all the following applications in Atlas:

Of the above, Prediction is still having issues in testing but it seems to be on the Atlas client side. I am submitting this draft so that code review can occur while I work out the issue and do a bit more testing.

NOTE: These changes will need to come with a new system role that the admins could select which I am calling the 'Read Restricted Atlas User' role. I think the following query could be the basis for adding SQL to flyway to create this role: 

select distinct sp.*
from ohdsi.sec_role_permission srp 
  inner join ohdsi.sec_permission sp on srp.permission_id = sp.id 
where srp.role_id in (6,10) -- 'cohort reader', 'Atlas Users'
 and sp.value not in 
    (  
        'conceptset:*:get',
        'conceptset:*:expression:get',
        'conceptset:*:version:*:expression:get',               
        --
        'cohortdefinition:*:get',
        'cohortdefinition:*:info:get',
        'cohortdefinition:*:version:get',
        'cohortdefinition:*:version:*:get',        
        --        
        'cohort-characterization:*:get',
        'cohort-characterization:*:generation:get',
        'cohort-characterization:generation:*:get',
        'cohort-characterization:design:get',
        'cohort-characterization:*:design:get',
        'cohort-characterization:design:*:get',
        'cohort-characterization:*:version:get',
        'cohort-characterization:*:version:*:get',
        --
        'pathway-analysis:*:get',
        'pathway-analysis:*:generation:get',
        'pathway-analysis:generation:*:get',
        'pathway-analysis:generation:*:result:get',
        'pathway-analysis:generation:*:design:get',
        'pathway-analysis:*:version:get',
        'pathway-analysis:*:version:*:get'
        --
        'ir:*:get',
        'ir:*:copy:get',
        'ir:*:info:get',
        'ir:*:design:get',
        'ir:*:version:get',
        'ir:*:version:*:get'
        --      
        'estimation:*:get',
        'estimation:*:copy:get',
        'estimation:*:download:get',
        'estimation:*:export:get',
        'estimation:*:generation:get'
        --
        'prediction:*:get',
        'prediction:*:copy:get',
        'prediction:*:download:get',
        'prediction:*:export:get',
        'prediction:*:generation:get',
        'prediction:*:exists:get'
    )
order by sp.value 
;
rkboyce commented 1 year ago

This is closed because the update should have happened on draft pull request 2245