nih-cfde / security


Create DCC groups for EPIC 2 #8

Closed lliming closed 3 years ago

lliming commented 3 years ago

For Epic 2, we need groups for the following permissions, for each DCC.

In Epic 1, we created the "Review submissions for this DCC" group for each DCC, and some DCCs have begun onboarding. (See the "Epic 1 groups" folder in this repo for the details.)

Now we need to create the groups for the approve and create submission permissions.

lliming commented 3 years ago

Should we use sub-groups? Globus permits groups to have sub-groups. The way it works, however, is that members of sub-groups are automatically members of the parent group. (If you add a new person to a sub-group, that person is automatically added to the parent group.) This behavior doesn't seem to map to our needs. The one benefit I can see to using sub-groups is that it might make it easier for us to keep track of the groups. On the other hand, it would also introduce another group (the parent group) that has the union of members of all the sub-groups, and I don't know what that would be useful for. There's a danger that it could be misused in place of a more appropriate sub-group.

I recommend we not use sub-groups, but instead simply create new groups for the two new permissions that parallel the existing reviewer groups.

lliming commented 3 years ago

Do we need a fourth group for each DCC? It's been proposed that we may need a fourth permission for each DCC, called an "administrator" or something like that. The idea is that members of that group would be able to do things not permitted by the other groups, such as delete submissions for example. However, there hasn't been a clear definition of what the actual permissions or actions to be enabled are.

I recommend we not create a new group until we have a specific need. If we add new features that require access control, we can create the groups to control access at that time.

lliming commented 3 years ago

@karlcz @rpwagner @ACharbonneau Please review the comments above and comment here if you do not agree with the two recommendations I made. Specifically: (1) We DO NOT use Globus's sub-groups to link the groups we use for DCC permissions for Epic 2, and (2) We DO NOT create a fourth group for DCC "superuser" or "administrator" privileges until/unless we have specific actions for it to enable.

There's a third recommendation implicit in these, which is that we reuse the DCC "Reviewer" groups that we created in Epic 1 (& documented in this repo) for the permission to view the DCC's submission registry. (In Epic 1, that group enabled access to the "Data Review" tab, which was a single submission view. In Epic 2, the "Data Review" tab will be a view of the registry showing all submissions for DCCs the user is a member of by virtue of group membership.)

If there are no objections in a few days, I'll go ahead and create the new groups for the "create submissions" and "approve a submission" permissions.

lliming commented 3 years ago

There's another possibility to be considered... Should we have a parent group for all of the DCC permission groups of the same type? E.g., a parent "reviewers" group with sub-groups for each DCC's reviewers; a parent "approvers" group with sub-groups for each DCC's approvers; etc. Since membership in a sub-group automatically confers membership in the parent group, this would mean that anyone onboarded to a DCC's permission group would automatically be added to the parent group for that permission. For example, if I am a member of the "CFDE GTEx Submission Reviewers" group, I might notice that I'm also a member of a "CFDE Submission Reviewers" group.

Each DCC would still be able to manage its own permission groups. (Being a manager of a sub-group doesn't automatically make you a manager of the parent group.) But we (CFDE CC) would be able to use the parent groups to answer the question, "who has the X role for one or more DCC?" Which might be useful in a few ways.... (1) We could have a single group of people who are authorized to use the submission tool. (2) We could have a single group of people who would actually see something useful if they click the "Data Review" tab.
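Added example, not part of the original comments and not code from the CFDE project or the Globus API: a small Python model of the sub-group behavior described in this thread, where sub-group members are automatically members of the parent. It shows why an access check must test the DCC's own group, while the parent only answers "who has this role for one or more DCC?". The HMP group name and the user identities are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """Simplified model of a group that may have sub-groups (not the Globus API)."""
    name: str
    parent: "Group | None" = None
    direct: set = field(default_factory=set)      # identities added to this group itself
    children: list = field(default_factory=list)  # sub-groups

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def members(self):
        """Effective members: direct members plus every member of every sub-group."""
        out = set(self.direct)
        for child in self.children:
            out |= child.members()
        return out

# Constructed sample data: one parent per permission type, one sub-group per DCC.
PARENT = Group("CFDE Submission Reviewers")
REVIEWERS = {
    "GTEx": Group("CFDE GTEx Submission Reviewers", PARENT, {"alice@example.org"}),
    "HMP": Group("CFDE HMP Submission Reviewers", PARENT, {"bob@example.org"}),
}

def can_review(user, dcc):
    """Least-privilege check: the user must be in that DCC's own reviewer group."""
    return user in REVIEWERS[dcc].members()

def can_review_via_parent(user, dcc):
    """The misuse to avoid: testing the parent group ignores which DCC was requested."""
    return user in PARENT.members()

def has_role_for_any_dcc():
    """The legitimate use of the parent: who holds this role for one or more DCCs."""
    return sorted(PARENT.members())

if __name__ == "__main__":
    for dcc in REVIEWERS:
        print(dcc, can_review("alice@example.org", dcc),
              can_review_via_parent("alice@example.org", dcc))
    print(has_role_for_any_dcc())
```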

lliming commented 3 years ago

Groups have been created for 11 DCCs: GTEx, Kids First, HMP, MoTrPAC, Metabolomics, LINCS, 4DN, ExRNA, SPARC, HuBMAP, IDG

Next step is to invite Amanda and Titus and promote them to administrators. After that, next step is to update the tracking files here in GitHub.

karlcz commented 3 years ago

Could you list the new groups and group UUIDs here? That would allow me to start adding them to the registry config in parallel...

lliming commented 3 years ago

| Group Name | UUID |
|---|---|
| NIH CFDE 4DN Approvers | d5548e18-5ff2-11eb-bd29-0aa21a0136a3 |
| NIH CFDE 4DN Reviewers | 642533ba-f832-11ea-880f-0ac4e6b272c3 |
| NIH CFDE 4DN Submitters | b42cceba-5ff2-11eb-a5df-0ed99e3b11f1 |
| NIH CFDE ExRNA Approvers | 2d01f71e-5ff3-11eb-bd29-0aa21a0136a3 |
| NIH CFDE ExRNA Reviewers | f6f4be74-5ff2-11eb-bd29-0aa21a0136a3 |
| NIH CFDE ExRNA Submitters | 1190f976-5ff3-11eb-bd29-0aa21a0136a3 |
| NIH CFDE GTEx Approvers | e60ea783-5ff0-11eb-addd-0ed984e6d20d |
| NIH CFDE GTEx Reviewers | 7977181e-f82f-11ea-b43a-0efde36f5027 |
| NIH CFDE GTEx Submitters | a29ec8d8-5ff0-11eb-bd28-0aa21a0136a3 |
| NIH CFDE HMP Approvers | 7343a5c7-5ff1-11eb-a5df-0ed99e3b11f1 |
| NIH CFDE HMP Reviewers | 4e335e29-f831-11ea-b43e-0efde36f5027 |
| NIH CFDE HMP Submitters | 5905d80a-5ff1-11eb-bd29-0aa21a0136a3 |
| NIH CFDE HuBMAP Approvers | 46671d25-5ff6-11eb-bd29-0aa21a0136a3 |
| NIH CFDE HuBMAP Reviewers | 0a7f4ae9-5ff6-11eb-a5e2-0ed99e3b11f1 |
| NIH CFDE HuBMAP Submitters | 288815d1-5ff6-11eb-a4e1-0ac91f9c4c91 |
| NIH CFDE IDG Approvers | 22327b5c-5ff7-11eb-a5e2-0ed99e3b11f1 |
| NIH CFDE IDG Reviewers | 6455295d-5ff6-11eb-adde-0ed984e6d20d |
| NIH CFDE IDG Submitters | 048182ef-5ff7-11eb-a4e1-0ac91f9c4c91 |
| NIH CFDE Kids First Approvers | 2ecb2518-5ff1-11eb-addd-0ed984e6d20d |
| NIH CFDE Kids First Reviewers | 1863c500-f831-11ea-b43d-0efde36f5027 |
| NIH CFDE Kids First Submitters | 0bbc325f-5ff1-11eb-addd-0ed984e6d20d |
| NIH CFDE LINCS Approvers | 87f66c3e-5ff2-11eb-bd29-0aa21a0136a3 |
| NIH CFDE LINCS Reviewers | 2b14318d-f832-11ea-880f-0ac4e6b272c3 |
| NIH CFDE LINCS Submitters | 61ab8b8e-5ff2-11eb-bd29-0aa21a0136a3 |
| NIH CFDE Metabolomics Approvers | 41d518ac-5ff2-11eb-bd29-0aa21a0136a3 |
| NIH CFDE Metabolomics Reviewers | f423d7d8-f831-11ea-a93a-0a738d2d09bf |
| NIH CFDE Metabolomics Submitters | 1a3a8a71-5ff2-11eb-addd-0ed984e6d20d |
| NIH CFDE MoTrPAC Approvers | f83a2c28-5ff1-11eb-bd29-0aa21a0136a3 |
| NIH CFDE MoTrPAC Reviewers | 8a32410e-f831-11ea-880f-0ac4e6b272c3 |
| NIH CFDE MoTrPAC Submitters | d8231cd7-5ff1-11eb-a5df-0ed99e3b11f1 |
| NIH CFDE SPARC Approvers | ec43c006-5ff5-11eb-bd29-0aa21a0136a3 |
| NIH CFDE SPARC Reviewers | 47534d7a-5ff3-11eb-bd29-0aa21a0136a3 |
| NIH CFDE SPARC Submitters | 640606d9-5ff3-11eb-adde-0ed984e6d20d |

lliming commented 3 years ago

Amanda & Titus have been invited and Amanda is administrator on all groups.

karlcz commented 3 years ago

I've added all the groups to the registry's group list and linked the subset to DCC-specific roles for the 7 DCCs we've already onboarded.