For complex Synapse projects, administrators manage a wide variety of data that requires different permissions for different user groups. In this scenario, creating a system for managing data access with Synapse teams is recommended. This method allows you to group users together according to the level of access they require and then assign permissions to the entire team rather than to many individuals.
When creating teams to manage data access, consider the following questions:
Who needs to be able to view this project?
Who needs to be able to edit or add content to this project?
Who should be in charge of changing permissions to modify user access?
Does any content in this project need different permissions than the whole project? For example:
Raw data vs. processed data folders shared with specific groups
Internal meeting notes in a private folder vs. methodology and SOP documents shared publicly
Using Teams for Permissions
Teams are groups of Synapse users; learn more about creating and managing teams. If you are working with many Synapse users on a project, and you want to allow some users to view or download data, and other users to add new data, you should consider using teams to manage your project permissions.
For example, you can create a “project administrators” team and grant that team permission to administer the project. Then you can add or remove people from the team rather than modifying the sharing settings on the entire project to grant each individual administrative permissions.
This approach is especially useful if you have more than one project that the same group of people will be working on. Using teams for permissions can also help prevent administrative errors like forgetting to remove someone from a project if they leave your collaboration.
Recommended Team Types
For many collaborations, a small group of users administers the project, a larger group contributes data, and an even larger group downloads that data for their independent research. In these cases, we recommend creating groups for each of these permission types: an administrative team with “administer” permissions, a data curation or content creation team with “can edit” permissions, and a downloading team with “can view/download” permissions.
Because permissions are additive, a user who is in all three teams has the permissions of the highest level granted. In other words, if you add a single user to three different teams, “administer”, “can edit”, and “download”, the user will have “administer” permissions. If you remove that user from the “administer” team, they will have “can edit” permissions.
Local Sharing Settings
Sometimes, users wish to create private spaces for certain groups within larger, public projects. This is possible using local sharing settings to restrict content to specific teams.
To create a private folder within a public project, click the Project Settings button, then select Project Sharing Settings. Add specific team names that should have access to all project content. Next, click Make Public and select the appropriate access levels for all registered users and anyone on the web.
Next, navigate to the new Folder, and click on Folder Tools. Select Folder Sharing Settings, then click Create Local Sharing Settings. Click on the Make Private button and confirm that fields for All registered Synapse users and Anyone on the web have been removed. Save your changes.
The folder with then be shared only with the specific teams that the entire project is shared with, and not the general public. Removing local sharing settings on an item will assign default permissions from the parent folder or project.
Triaging Sharing Settings with Views
Creating local sharing settings for many folders, sub-folders, or other items in Synapse can become complex to manage as a project grows. You or another administrator may alter local sharing settings unintentionally, or you may want to audit your sharing settings periodically. One way to manage these settings is by creating a view to see sharing settings at a glance.
An important component to managing sharing settings is the benefactor ID, or
benefactorId. This identifier is the name of the parent folder or project that sharing settings are inherited from. When you first create a project, the project itself is the “benefactor” for sharing settings, meaning all items within that project inherit the same settings, and there is only one benefactor ID for everything in the project.
When you create local sharing settings on an item, a second benefactor ID is created. The project is still providing the sharing settings for the rest of the content, but wherever you set local sharing settings on a folder, this folder is now the benefactor for anything inside it.
The benefactor ID is useful because you can include it in a view of every item in the project and use it to review all permissions at once. This view will help you find items where local sharing settings are active, causing new benefactor IDs to appear. In the example below, the folder name, benefactor ID, and the project ID for three folders are shown in a view.
All of the folders in this view belong to the same project,
Demo_Project, and their corresponding project IDs in the third column are the same. In the second column,
Folder 1 and
Folder 3 are both inheriting their sharing settings from the parent project,
Demo_Project. However, Folder 2 has local sharing settings applied that are different from the parent project, and the benefactor ID has changed.
For views with hundreds or thousands of rows, you can also use a SQL-like query to identify items that have different permissions than the parent project. The query below compares the benefactor ID of each item to the project ID and displays any items where the two do not match. You can modify the query to look at at files, tables, or all content in your view:
SELECT id,parentId,type FROM syn12162270 WHERE type = 'folder' AND benefactorId <> projectId
For more information on how to use SQL-like queries in Synapse, see the Searching Tables and Views page.