User roles overview
In CanDIG, there are five main user roles, from most privileged to least privileged they are:
- Site admin
- Site curator
- Program curator
- Team member
- CanDIG Authorized User
User roles summary table
A summary of what each user role can do within a deployed CanDIG site is in the table below. The full technical breakdown of which endpoints each user can access is controlled through opa and is found in paths.json
| Role | Register program | Edit user auth | Submit & delete data | view donor data | view agg. data |
|---|---|---|---|---|---|
| Site admin | |||||
| Site curator | |||||
| Program curator | |||||
| Team member | |||||
| CanDIG Authorized User |
Legend
| Icon | Can perform action at a site? |
|---|---|
| Yes, for all data at a site | |
| Yes, but only where the user has been specifically authorized for a particular program/dataset | |
| No. |
1. Site admin
A Site admin automatically has access to read, submit and delete all data in the platform. They have special permissions to use particular endpoints that other user roles cannot access. They are also responsible for assigning roles to users and approving pending access requests. Additionally, they have the ability to ‘pre-approve’ users.
2. Site curator
To become a Site curator, a Site admin must give a user Site curator privileges. Once given Site curator status, a user can then register, ingest and delete any program at a site. As they can register programs, they also can give Program curator and Team member privileges to users. The Site curator role is intended to be used when there are a few dedicated curators who will be ingesting all data at a site and they are all authorized to see all data that will be ingested at that site.
3. Program curator
A Program curator can only perform actions (read, ingest, delete) on the specific program(s) they have been given Program curator status on. They are not authorized to see or edit other programs at the site.
4. Team members
Team members can only be granted access to read specific programs/datasets in the platform, not submit or delete data. Team members are considered part of the team that owns or curated the program. They are assigned through a program registration, which can either be submitted by a Site Admin, Site curator or Program curator for that particular program.
5. CanDIG Authorized User
A CanDIG Authorized User is the base level for any user that should be able to login to and explore the CanDIG data portal. Additional roles are added on top of this base level. It is expected that CanDIG will be configured to use an external institutional identity provider that is connected to the Keycloak instance that runs as part of the CanDIGv2 stack. While this setup allows anyone with valid institutional credentials to authenticate to CanDIG, only CanDIG Authorized Users can gain access to view aggregate statistics of any data that has been ingested into the CanDIG network. To become a CanDIG Authorized User, users with institutional credentials need to either be pre-approved by a Site admin, or request access to the specific CanDIG instance via the web portal, and then be approved by the Site admin. The step-by-step flow of these processes is shown diagrammatically below. Once given status as a CanDIG Authorized User, the user can explore the data portal and perform queries that return aggregate statistics only. If the user wants to gain access to details about each donor within a program, they would need to apply for access through a Data Access Request (DAR) that would be reviewed by a Data Access Committee (DAC). If granted access by the DAC, the Site admin can grant access for the CanDIG Authorized User to access the specific programs that were applied for in the DAR for the approved amount of time.
Request flow
The process for a user to become a
CanDIG Authorized Userif requesting through the data portal.
Pre-approval flow
The process for a user to become a
CanDIG Authorized Userif they have been pre-approved.
