Will Leaf work if Authorization.RolesMapping.Admin does not have an associated group?

[artgoldberg]

Hi Leaf Folks

Will Leaf work if Authorization.RolesMapping.Admin does not have an associated group? I'm asking because we want to deploy a leaf instance that accesses only de-identified data and can be accessed by everyone with an institutional account. Sinai's Single sign-on system (Azure AD) will implement that by creating just one group for the Leaf application, and then reporting anyone who logs in as part of that group. Naturally, that group would be regular leaf users.

My plan is to disable Admin for everyone, and perform all administration via modifications to the LeafDB.

I wonder whether there's another way to specify the admin users, perhaps by associating more than one Azure AD application with a leaf instance, or by some other trick. But I have more important things to do in the next few weeks.

Thanks
Arthur

[ndobb]

Hi @artgoldberg,

Yes, Leaf should work even if Authorization.RolesMapping.Admin is a non-existent group or blank string (we often set this as "NOT USED" in appsettings.json in these cases). The above plan makes sense.

You should be able to manage Leaf solely using LeafDB via SQL statements, and we do so (partially) as well. The only case I can think where this may be especially tricky is when defining Dynamic Datasets. Essentially, when you create a Dynamic Dataset for the Patient List (dynamic in the sense that SQL columns are custom and don't match a particular template), the LeafDB DynamicDatasetQuery table stores the output column metadata as json in a Schema field. This metadata tells the Leaf API what field types to expect and whether to de-identify them or not. Creating this json manually may be a pain, while the Leaf Admin UI creates the json automatically by analyzing your SQL statement.

If you don't use a "Dynamic" Dataset, but rather a FHIR template Dataset (ie, with predefined column name & types), this isn't necessary. More information on Dynamic vs. FHIR template Datasets can be found at https://leafdocs.rit.uw.edu/administration/datasets/#determine-the-template-and-query.

Regarding another way to specify admin users, I'm not sure. I'm not very familiar with Azure AD, and besides creating an Admin group and adding yourself to it, I can't think of any other way.

[artgoldberg]

Thanks for your extensive reply, @ndobb

Good to learn that Leaf will work without Admin access. We won't initially be using a Dynamic Dataset for the Patient List in the Leaf instance I'm talking about. And if we decide that we want to, it sounds like I could address the limitation you suggest by spinning up a temporary Leaf instance for development with Admin access that references the same LeafDB. I could use it to create the Dynamic Dataset.

Arthur