usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

ACVP spec is incomplete with respect to creating/updating vendor contacts #202

Closed mmccarl closed 2 years ago

mmccarl commented 2 years ago

environment: ACVP Spec

testSessionId: N/A, vsId: N/A

The ACVP spec does not include contact information for creating or updating a vendor.

I have observed that the GET vendors/vendorId does return a field named 'contactsUrl', which when accessed returns an array of contact objects, but there's no documented way to change the contents of that array.

How do you create/update the contacts for a vendor (preferably using existing contact URLs)? Sample JSONs would be wonderful.

jarnold01 commented 2 years ago

Hi @mmccarl, not sure if this is the best answer to your question, but a link I've provided to ACVTS users in the past to explain the overall process and metadata organization/relationships is this one:

https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation

I'm sure if there is a better answer to this that someone else on the team has, they will reply as well, but I thought I would throw it out there in the hopes that it will help.

livebe01 commented 2 years ago

Hi @mmccarl, I just took a look at the Vendor Resources section of the ACVP spec and it doesn't look like it includes how to create/update the contacts list for a vendor. Although it does look like we describe how to access the contacts listing for a vendor. Let me take a closer look and get back with you.

livebe01 commented 2 years ago

Hi @mmccarl, the answer to "how to manipulate the 'contactsUrl'?" is through the Person records. A Person is associated with a Vendor, i.e., the 'vendorUrl'. Querying /vendors/{vendorId}/contacts will return a list of Persons whose vendorUrls match up with that vendorId. To affect what's returned by 'contactsUrl', create/update/delete Person records.

mmccarl commented 2 years ago

Thanks for the response, but changing the Person record isn't what we want to do. The Person record is associated with the Module and is correct for that usage. It is also associated with the Vendor record (it is included in the 'contactsUrl' array), but we want to remove it from that list. Therefore, we don't want to change the Person record, just remove (or replace) the reference to it in the Vendor record.

According to the spec, the 'Create a New Vendor' JSON doesn't include a contact (it just has emails and phones), so I'm not even sure how the contact got associated with the vendor in the first place. Does the contact get associated with the vendor when the "Register New Module" request is processed? That seems to be the only place where both the vendorUrl and contactUrls are referenced together.

For reference, you can look at the following:

- /acvp/v1/modules/13716 - contains 'vendorUrl' and 'contactUrls' which contains /acvp/v1/persons/17184
- /acvp/v1/vendors/12655 - contains 'contactsUrl'
- /acvp/v1/vendors/12655/contacts - contains 'url' which also contains /acvp/v1/persons/17184

livebe01 commented 2 years ago

From what I understand, /acvp/v1/vendors/12655/contacts contains 'url' which contains /acvp/v1/persons/17184 because /acvp/v1/persons/17184 contains a value of /acvp/v1/vendors/12655 for vendorUrl.

mmccarl commented 2 years ago

Ah, I see... It seems counter-intuitive that the vendor record is updated via the person info. I ran down the wrong rabbit hole. I'll give it a shot and see what happens.

locksmithone commented 2 years ago

A design question regarding the CAVP database.

Do we have a Vendor table, a Persons table, and a table relationship between Vendor and Persons (perhaps the Contacts)?

On Thu, May 5, 2022 at 7:27 AM mmccarl @.***> wrote:

Ah, I see... It seems counter-intuitive that the vendor record is updated via the person info. I ran down the wrong rabbit hole. I'll give it a shot and see what happens.


livebe01 commented 2 years ago

Sure, here's what it looks like:

- Vendor table (Organizations actually)
- People table. A Person record in that table has an OrganizationId
- Implementation table. A record in that table has an OrganizationId
- ImplementationContacts table. Records there link a Person to an Implementation

From what our database developer was telling me, the big point (from our perspective) of associating people with an organization is "making it so you only have to choose from the people from an organization instead of from all the people in the world (and also making it so you can tell the difference between people with the same name from different organizations) [when you're choosing a person(s) to be the contact(s) for an implementation]."
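The table layout described in the comment above, modelled in SQLite as an added example (not the ACVP-Server project's code or schema). Only the four tables and `OrganizationId` come from the thread; the exact table spellings, the other column names, the function names and the sample rows are assumptions. It shows that a vendor's contact list is derived from each person's organization, while implementation contacts are explicit link rows.

```python
import sqlite3

# Hypothetical schema modelled on the four tables named in the thread.
# Only the tables and OrganizationId come from the thread; other column
# names and every row below are constructed for illustration.
SCHEMA = """
CREATE TABLE Organizations (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE People (
    Id INTEGER PRIMARY KEY, FullName TEXT NOT NULL,
    OrganizationId INTEGER NOT NULL REFERENCES Organizations(Id));
CREATE TABLE Implementations (
    Id INTEGER PRIMARY KEY, Name TEXT NOT NULL,
    OrganizationId INTEGER NOT NULL REFERENCES Organizations(Id));
CREATE TABLE ImplementationContacts (
    ImplementationId INTEGER NOT NULL REFERENCES Implementations(Id),
    PersonId INTEGER NOT NULL REFERENCES People(Id),
    PRIMARY KEY (ImplementationId, PersonId));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Organizations VALUES (?, ?)",
                   [(1, "Org A"), (2, "Org B")])
    db.executemany("INSERT INTO People VALUES (?, ?, ?)",
                   [(10, "Pat Example", 1), (11, "Sam Example", 1)])
    db.execute("INSERT INTO Implementations VALUES (100, 'Module X', 1)")
    db.execute("INSERT INTO ImplementationContacts VALUES (100, 10)")
    return db

def vendor_contacts(db, org_id):
    # No vendor-to-person link table: the list is derived from People.OrganizationId.
    rows = db.execute(
        "SELECT Id FROM People WHERE OrganizationId = ? ORDER BY Id", (org_id,))
    return [r[0] for r in rows]

def implementation_contacts(db, impl_id):
    # Explicit link rows, independent of the person's current organization.
    rows = db.execute(
        "SELECT PersonId FROM ImplementationContacts "
        "WHERE ImplementationId = ? ORDER BY PersonId", (impl_id,))
    return [r[0] for r in rows]

def reassign_person(db, person_id, new_org_id):
    # In this model, the only write that changes a vendor's contact list.
    db.execute("UPDATE People SET OrganizationId = ? WHERE Id = ?",
               (new_org_id, person_id))

if __name__ == "__main__":
    db = build_db()
    print(vendor_contacts(db, 1), implementation_contacts(db, 100))
    reassign_person(db, 10, 2)
    print(vendor_contacts(db, 1), vendor_contacts(db, 2), implementation_contacts(db, 100))
```

In this model, reassigning person 10 to Org B removes them from Org A's derived contact list but leaves the link to Module X, which still belongs to Org A, in place.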

locksmithone commented 2 years ago

In this case, what would happen if one Person P, previously from Organization A, now switches to Organization B?

On Thu, May 5, 2022 at 9:30 AM livebe01 @.***> wrote:

Sure, here's what it looks like:

- Vendor table (Organizations actually)
- People table. A Person record in that table has an OrganizationId
- Implementation table. A record in that table has an OrganizationId
- ImplementationContacts table. Records there link a Person to an Implementation

From what our database developer was telling me, the big point (from our perspective) of associating people with an organization is "making it so you only have to choose from the people from an organization instead of from all the people in the world (and also making it so you can tell the difference between people with the same name from different organizations) [when you're choosing a person(s) to be the contact(s) for an implementation]."


livebe01 commented 2 years ago

We'd recommend that Organization A create a new person.

mmccarl commented 2 years ago

I agree that "making it so you only have to choose from the people from an organization instead of from all the people in the world (and also making it so you can tell the difference between people with the same name from different organizations) [when you're choosing a person(s) to be the contact(s) for an implementation]" is a noble idea; however, it hasn't really come to pass because there are many duplicate vendor entries in the database (some vendors have 150 or more entries). Finding the right contact would mean searching all of those vendor entries.