- General access to study data
- Adding new database users
- Adding new REDCap users
- Providing Switchboard access
- Providing Fred Hutch S3 access
See this Slack message pointing to a Google Drive folder, maintained by Robin, that describes access to Metabase, REDCap, etc.
Before adding a new study member to the production database, confirm that Robin has the right agreements and documentation for the user to allow database access. For external collaborators, this is a DTUA. For internal team members, this is a CDA and training documentation (GCP, Human Subjects).
Next, create a new user with the `id3c user create` command.
Once you've created new database credentials with the appropriate grants, send them in an encrypted email to the new study member. One way to do this is to add the word "secure" (unquoted) in the subject. You may choose to follow the template below:
I just created an account for your use only to directly access our production database (ID3C).
Your username is $USERNAME. Your access token/password is: $PASSWORD
Please keep these confidential and secure.
There are many ways to connect, but you can use the command-line PostgreSQL client psql to test like this:
psql --host production.db.seattleflu.org production $USERNAME
This will prompt you for your token/password. If you're connecting frequently, you can also set up a password file that PostgreSQL can use to remember your password (https://www.postgresql.org/docs/10/libpq-pgpass.html).
Please remember the data usage policies associated with accessing the database, as outlined in the DTUA you signed. If you have any questions, the @dev-team can help answer them on the #id3c or #informatics channels in the Seattle Flu Study Slack.
The production database has firewall rules that allow access only from certain IP addresses or IP ranges. The list of allowed IP addresses is described elsewhere. Generally speaking, you'll need to be connected to your institution's network (either on campus or via a VPN) to get access to the database. The UW Medicine and Fred Hutch VPNs are allowed.
To use the UW Medicine VPN, you'll need to create an AMC account. AMC (Academic Medical Center) accounts are used inside UW Medicine to connect to various UW Med resources, including the UW Medicine VPN. Here is the info about getting an AMC account. Your manager/supervisor/department authority should complete the form for you. Don't submit it for yourself.
Once you get your AMC account, go to this link to get instructions for installing the VPN client. (You need an AMC account to access this page.)
Sometimes, we'll add someone's home IP address to our firewall's allowlist. This is currently only used for legacy exceptions or rare circumstances where VPN access could not be maintained. Newly onboarding users should first attempt to gain access through one of the institution's VPNs. To retrieve your public IPv4 address, once connected to your home internet, go to https://www.whatismyip.com/.
Before adding a new study member to any REDCap project, confirm the DTUA is executed with Robin. Then, use this script to programmatically import a user to all REDCap projects with permissions equivalent to an existing REDCap user.
Add users in the form of [email protected] to the authorized-users file.
For Switchboard, you'll typically be adding new users to the `bat-lab` group.
Then, `sudo git pull` your new commit into `/etc/apache2` on backoffice.
Note: You'll need to forward your authentication agent by logging onto the backoffice server with `ssh -A`.
You may need to run `sudo systemctl reload apache2` for apache2 to notice the updated authz users file.
The steps for providing Lead Dawgs access are similar to those for providing Switchboard access.
For Lead Dawgs, you'll typically be adding users to the `uw-kiosk-team` user group.
Providing study members with access to the Fred Hutch-managed AWS S3 bucket requires sending an email to Fred Hutch Sci Comp ([email protected]) like the one below:
Hi Sci Comp,
Could you grant an external collaborator of ours access to the Bedford lab's Economy Cloud S3 bucket (fh-pi-bedford-t)?
{Affiliation} — {Name} <{Email}>
I'd like to restrict access to specific read/write operations scoped to specific object prefixes. Attached is the respective IAM policy document for {Affiliation}.
Note: if you're granting permissions to a non-Fred Hutch, SFS software developer, consider modifying the above language to something like:
I'd like to grant them read/write access to all files within the fh-pi-bedford-t/seattleflu object prefix.
When sending an email, be sure to CC the Bedford Lab dev team as well as the study member requesting access. See the next section for example IAM policies to attach to the email.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::fh-pi-bedford-t",
      "Condition": {
        "StringLike": {
          "s3:prefix": "seattleflu/*"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::fh-pi-bedford-t/seattleflu/bbi/*"
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::fh-pi-bedford-t",
      "Condition": {
        "StringLike": {
          "s3:prefix": "seattleflu/*"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::fh-pi-bedford-t/seattleflu/*"
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::fh-pi-bedford-t",
      "Condition": {
        "StringLike": {
          "s3:prefix": "seattleflu/*"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::fh-pi-bedford-t/seattleflu/sch/*"
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::fh-pi-bedford-t",
      "Condition": {
        "StringLike": {
          "s3:prefix": "seattleflu/*"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::fh-pi-bedford-t/seattleflu/swedish/*"
    }
  ]
}
```
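In the per-collaborator policies above, `s3:ListBucket` is allowed for `seattleflu/*` while object actions are limited to one subprefix, so key names under the whole `seattleflu/` prefix can be listed even though only the collaborator's own objects can be read or written. The following is an added example (not part of the original page or the project's tooling) that checks a policy document for this before it is attached to the email; the function names are hypothetical, the sample policy is constructed, and pattern matching is simplified to trailing `*` wildcards only.

```python
import json

BUCKET_ARN = "arn:aws:s3:::fh-pi-bedford-t"  # bucket named on this page

# Constructed sample with the same shape as the per-collaborator policies above.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::fh-pi-bedford-t",
   "Condition": {"StringLike": {"s3:prefix": "seattleflu/*"}}},
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::fh-pi-bedford-t/seattleflu/bbi/*"}
]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def scopes(policy, bucket_arn=BUCKET_ARN):
    """Return (list_prefixes, object_prefixes) granted by Allow statements."""
    list_prefixes, object_prefixes = set(), set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for resource in as_list(stmt.get("Resource", [])):
            if resource == bucket_arn and "s3:ListBucket" in actions:
                cond = stmt.get("Condition", {})
                pats = [p for op in ("StringLike", "StringEquals")
                        for p in as_list(cond.get(op, {}).get("s3:prefix", []))]
                # No s3:prefix condition means every key in the bucket is listable.
                list_prefixes.update(pats or ["*"])
            elif resource.startswith(bucket_arn + "/"):
                object_prefixes.add(resource[len(bucket_arn) + 1:])
    return list_prefixes, object_prefixes

def covers(outer, inner):
    """True if pattern `outer` matches everything `inner` does (trailing * only)."""
    if outer.endswith("*"):
        return inner.startswith(outer[:-1])
    return outer == inner

def list_wider_than_objects(policy):
    """List prefixes that expose key names outside every object-level prefix."""
    list_prefixes, object_prefixes = scopes(policy)
    return sorted(lp for lp in list_prefixes
                  if not any(covers(op, lp) for op in object_prefixes))
```

A non-empty result names the list prefixes to narrow (for example to `seattleflu/bbi/*`) if collaborators should not see each other's key names; the policy granting all of `seattleflu/*` returns an empty list.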