Database profile for National Investigator / Central Investigator

[ij-cope]

National Investigators should have overview of all data entered in their country to assist with identifying missing data, SAE enquiries etc.

Central Investigator should have overview of all data entered in the database.

However! National Investigators and Central Investigator should be blinded to the randomisation arm of the kidneys and all the fields that might give information on randomisation (eg PO2 of the perfusate, was the oxygen bottle opened etc).

Ina Jochmans has her profile set to National Investigator (and Central Investigator) but currently cannot view any forms in the Production Environment.

For me this is not an urgent issue and am happy for Carl to focus on more urgent matters as I expect National and Central Investigators to mainly test in the test environment and not be directly involved with actual data entry. Review of missing data and data entered can be done based on reports (will file issue).

[marshalc]

This is more of a priority than it first appears, as it links into the issue of "re-opening" cases (Issues #168, #176, and previously #51).

Context

We have the following roles identified:

• Perfusion Technician
• Transplant Co-ordinator
• Research Nurse / Follow-up
• National Co-ordinator
• Central Co-ordinator
• Statistician
• Sys-admin
• Local Investigator
• Other Project Member
• Biobank Coordinator
• Chief Investigator
• Principle Investigator
• Central Investigator
• National Investigator
• Transplant Theatre Contact

However, only a small number of these roles have system permissions defined for them. The remainders are treated as non-users.

Issue #51 talks about limiting access based on geographic boundaries, something that is non-trivial and was turned down in order to get more pressing work completed back in Apr 2016.

This is also of relevance to Issue #161 in terms of a new class of user able to backfill missing data.

Given recent findings suggesting poor data handling (Issue #180), the principle of trusting users to manage their own limits rather than the system imposing them for them seems weak.

Problem scope

Identifying all role uses and permissions is likely to be too time consuming, so we need to focus on the essential roles that are coming to the fore now that we've got data entry started by TTs.

This would suggest current priorities are:

• National and Central Co-ordinators being able to amend closed cases (Issue #168)
• National and Central Investigators being able to get overviews of existing data (Issue #172)
• Research Nurse / Follow up being able to fill out the FU forms (Issue #164)
• Other Project Member (?) as a role for data back fill? Or set these users as National Co-ordinators for the duration of their function? (Issue #161)

To get this ball rolling I need help defining a specification for the permissible actions and limitations for these roles.

[ij-cope]

Thanks @marshalc, I would suggest to prioritise this to the top of the list for our face to face meeting as input of all involved will be needed and it will be more efficient to talk through.

[marshalc]

Added to discussion for 12th Jan

[marshalc]

Central Co-ordinators: (Ally & Sarah)

• AAA

National Co-ordinators: (Aujke, Ally, Sarah)

• As Central Co-ordinators, but geographically limited...

Central Investigators (Ina)

• Read only access to all
• Blinded: Randomisation, Questions about Oxygen, PO2 measured.

National Investigators (Ina, Sijbrand, Isobel)

• Read only access to all
• As Central Investigators, but country restricted

Local Investigators (see list!)

• Can only use AE, QoL, and FU forms

Research Nurse / Follow-up

• Same as Local Investigator

Geographical limitations determined by:

• Donors where retrieval team (NOT hospital) was in their country
• Recipients where transplant hospital was in their country
• AEs restricted by recipient transplant hospital, where available (for LI) and by country for NI

Data back fill (planned to be done in the UK) given the Central Co-ordinator Roles

[marshalc]

Local Investigators and Research Nurses need to be implemented for the 0.6.5 release.

The other roles can wait for 0.7.0 (create a new issue for that one)

[marshalc]

Specifically rework the S/AE listings for quick reference (i.e. filtered), and Followups

[marshalc]

Skipping how we implement this with QuerySet and Model.Manager objects, we first need to establish a matrix showing how roles interact with each object, and identify any extra permissions that need to be created, along with identifying the parameters we will be filtering upon.

[marshalc]

Currently testing a filtered get_querystring model manager + two new permissions on the VersionControlMixin model.

Note, we need to check this works for more than just the listing, so investigate things like has_change_permission

[marshalc]

Need to link StaffProfiles to Auth.Groups - As not all Staff are Users, we can't just defer to Groups (where the authorisation and permissions live) because they won't exist. However, StaffProfile and Groups need to have an effective parity so that permissions can be set on groups, and for users, those groups need to be matched to their profile roles.

[marshalc]

Restrictions also need to be temporal because Organs move around locations at different times:

• Donor's location is set upon procurement
• Organ's location isn't set until it is in a Recipient
• Recipient's get their location from the latest OrganAllocation
• S/AE's get their location from Recipient's Organ's latest OrganAllocation
• Follow Ups get their location from Recipient's Organ's latest OrganAllocation
• Samples... well, TT's should be the only ones handling them, and they don't have geographic restrictions, but that isn't definitive... they also move independently of the organ's or people they came from... need to ponder.

[marshalc]

New permissions defined in VersionControlMixin:

• view : Can view the data, but not modify it
• restrict_to_national : Can only use data from the same location country
• restrict_to_local : Can only use data from the same location

These permission will need to be assigned to the relevant groups (the ones that need to be programatically added retrospectively to match the StaffProfile records), and then ObjectManagers being created for any critical models - typically as safe_objects sub-functions.

NB: Any model class that extends VersionControlMixin, also needs to have their Meta subclass extend VersionControlMixin.Meta otherwise the permissions are not inherited.

[marshalc]

Awaiting results of #208 before we can return to this

[marshalc]

Can't determine any practical value in geographically restricting Samples, so not adding those permissions.

[marshalc]

RECAP

• Three new permissions have been added where applicable:
  • Restrict to Country / Location for geography limits
  • View Only for data that can be seen, but not modified
  • Hide From for Randomisation data that needs to be hidden whilst other data may be seen
• Roles are now expressed as Auth.Groups. These have a 1-1 mapping with the previous StaffPerson.StaffJob records.
• An initial permission set has been determined and added to the database for all of these Roles
• All models have had an Object Manager added to begin to filter results once the views are updated
• A method of determining the "location" of a record has been set for all objects that feature a geographic boundary permission

TODO

1. Work through all the views and templates to ensure they are now using and checking for permissions where possible
   • Queries should feature the for_user() element in all chains
2. Issue #168 - Opening and Amending of closed cases
3. Issue #164 - Relates to work needed on the Follow Up forms in terms of display
4. Confirm that S/AE and Follow Listings are now filtered based on location

[marshalc]

Completed with the noted FU exceptions that are in that issue.