Help

Overview

The EDI Identity and Access Manager allows you to control access to your resources in the EDI repository.

User Profiles

  • Your user profile represents you in the EDI repository. It contains your display information (name, avatar), and the permissions that govern access to resources.
  • You can view your user profile on the Profile page, edit your profile on the Edit Profile page, and select which avatar to use on the Select Avatar page.
  • Each profile is associated with a single identity provider account (e.g., Google, ORCID).
  • You can create multiple profiles by signing in with different identity provider accounts. The accounts may be from the same or different identity providers.
  • You can link multiple profiles together to gain combined access to all their resources, while signing in to just one of them.

Accounts

  • The Accounts page shows a list of your profiles and their associated identity provider accounts.
  • Each account (e.g., Google, ORCID) you use to sign in creates a separate user profile.
  • You can link different profiles together to inform EDI that the profiles represent the same user. See the Link Profile help for details.

Linking Profiles

  • You can link profiles from the Accounts page.
  • Linking your profiles enables you to gain combined access to all resources across those profiles, while signing in to just one of them.
  • The profile you are currently signed in to (shown at the top right) is your primary profile. The profile you sign in to during the linking procedure becomes a linked profile. After linking, signing in to either will sign you in to your primary profile.
  • Your primary profile keeps all its resources and gains access to those of linked profiles. Linked profiles also keep their resources.
  • If you link an account already linked to other profiles, all those profiles become linked to your primary profile.
  • If the account you link does not have a profile, one is created and linked automatically.

Unlinking Profiles

  • You can unlink profiles from the Accounts page.
  • Unlinking a profile causes it to become a primary profile, which you can sign in to separately again.
  • Your primary profile keeps all its resources and loses access to those of the unlinked profile.
  • The unlinked profile also keeps its resources.
  • No profiles or resources are removed.

Groups

  • You manage groups on the Groups page.
  • Groups allow you to organize access to your data objects efficiently. Instead of granting access to individuals one by one, you can add them to a group and manage access collectively.
  • Adding a member to a group grants them immediate access to all resources the group has access to, while removing them revokes that access.

Group Memberships

  • The Group Memberships page shows all groups in which you are a member.
  • Each group has one or more owners who can manage group membership and settings.
  • To join a group, contact the group owner. If you are the owner, you can join your own group from the Groups page.
  • Group memberships grant you access to the group's resources. Leaving a group will revoke this access.
  • You can leave groups of which you no longer wish to be a member.

Search Packages

  • Search packages by scope, identifiers and revisions. For identifiers and revisions, you can use:
    • A single number (123).
    • A bounded range (100-200).
    • A range without an upper or lower bound (100- or -100).
    • Leave empty to search all.

Search Resources

  • Search resources, such as groups, by type, label and wildcards.
  • A wildcard is either an asterisk (*) or a question mark (?). An asterisk matches zero or more characters, while a question mark matches exactly one character. For label, you can use:
    • A full label (Tom's Example Group).
    • A partial label with one or more wildcards (*Example Group*).
    • Leave empty to search all.
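
The two filter syntaxes above (number ranges for identifiers and revisions, `*` and `?` wildcards for labels), as an added example that is not EDI's own code. The function names, inclusive range bounds and case-sensitive whole-label matching are assumptions; every character other than `*` and `?` is escaped so a label can never be interpreted as a regular expression.

```python
import re

def parse_range(text):
    """Parse an identifier/revision filter into (low, high); None means unbounded."""
    text = text.strip()
    if not text:
        return (None, None)                      # empty field: search all
    if re.fullmatch(r"[0-9]+", text):
        return (int(text), int(text))            # single number, e.g. 123
    m = re.fullmatch(r"([0-9]*)-([0-9]*)", text)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"not a number or range: {text!r}")
    low = int(m.group(1)) if m.group(1) else None    # "-100" has no lower bound
    high = int(m.group(2)) if m.group(2) else None   # "100-" has no upper bound
    if low is not None and high is not None and low > high:
        raise ValueError(f"lower bound exceeds upper bound: {text!r}")
    return (low, high)

def in_range(value, bounds):
    """True if value lies within bounds (assumed inclusive at both ends)."""
    low, high = bounds
    return (low is None or value >= low) and (high is None or value <= high)

def label_pattern(label_filter):
    """Translate a label filter into an anchored regex; only * and ? are special."""
    if not label_filter:
        return re.compile(r".*", re.DOTALL)      # empty field: search all
    parts = []
    for ch in label_filter:
        if ch == "*":
            parts.append(".*")                   # zero or more characters
        elif ch == "?":
            parts.append(".")                    # exactly one character
        else:
            parts.append(re.escape(ch))          # everything else is literal
    return re.compile("".join(parts), re.DOTALL)

def label_matches(label_filter, label):
    """True if the whole label matches the filter."""
    return label_pattern(label_filter).fullmatch(label) is not None
```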

Permissions

  • The Permissions page allows you to manage access to your resources.
  • Permissions determine which user profiles and groups can access a resource, and at what level.
  • You can grant permissions to individual user profiles and to groups.
  • To set permissions for a resource:
    • In the Resource Search page, search for resources for which you have Owner access.
    • In the Select Resources panel in the Permissions page, select one or more resources. Expand the tree nodes to select resources at a more granular level.
    • To add access for a new profile or group:
      • Use the 'Add Users and Groups' field to search for the desired profile or group.
      • You can search for profiles by their EDI-ID, name, or email address. For groups, you can search by EDI-ID, group name, or group description. The search starts after you type a few characters, and is applied to the start of each field. EDI-IDs can be specified both with and without the 'EDI-' prefix.
      • Only a limited number of results are shown, so you may need to refine your search if the desired profile or group does not appear in the list.
      • By default, the selected profile or group receives Reader access, which you may then update to a higher access level if desired.
    • To modify access levels:
      • Select the desired access level from the dropdown menu next to the profile or group.
      • If a profile or group has different access levels on the selected resources, only the highest access level is shown. When you modify the access level, the new access level is applied to all selected resources. E.g., if a profile has Reader access on one resource, and Editor access on another resource, the access level will show as Editor for the profile. If you change the access level to Reader, both resources will be updated to have Reader access for the profile. If instead you wish to change the access level to Editor on both resources, since the profile is already showing with Editor access, you will need to either select the lower-level resource separately, or first set the permissions on both resources to Reader, and then back to Editor.
    • To remove access:
      • Select None in the dropdown menu next to the profile or group.
      • All the selected resources will be updated to reflect the new access level.
  • Supported access levels:
    • None: Access is denied.
    • Reader: Allows reading the resource.
    • Editor: Allows modifying the resource.
    • Owner: Allows managing permissions for the resource. Anyone with this access level can grant or revoke Reader, Editor, and Owner access to other profiles and groups.
  • Access levels are cumulative, so Editor includes Reader, and Owner includes both Reader and Editor access.
  • Group access levels:
    • Reader: allows reading the group details (e.g., name and description), and the group members.
    • Editor: allows changing the group details, and adding and removing group members.
    • Owner: allows managing permissions for the group.
  • A resource always retains at least one user profile or group with Owner access. If you attempt to revoke the last remaining Owner access on a resource, the operation will be denied.
  • Note: You may lock yourself out of managing permissions for a resource by reducing your own permissions on the resource to an access level lower than Owner. E.g., if your only Owner access to a resource is via a group in which you are a member, reducing the group's access level will remove your access to change permissions on the resource. This will cause the resource to immediately drop off the Permissions page, and you will need to contact someone with Owner access if you wish to restore your access in the future.
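
The permission rules above, as an added model that is not EDI's own code: cumulative levels, the highest level shown for a multi-resource selection, the last-Owner guard, and a dry run that detects the lock-out described in the note. The class, method and principal names are constructed, and taking the highest of a profile's direct and group grants as its effective level is an assumption.

```python
from enum import IntEnum

class Level(IntEnum):   # cumulative: each level includes the ones below it
    NONE = 0
    READER = 1
    EDITOR = 2
    OWNER = 3

class Acl:
    """Constructed model: grants[resource][principal] = Level; members[group] = profiles."""
    def __init__(self, grants, members):
        self.grants, self.members = grants, members

    def effective(self, profile, resource):
        """Highest level held directly or through any group the profile is in."""
        held = [lvl for who, lvl in self.grants[resource].items()
                if who == profile or profile in self.members.get(who, ())]
        return max(held, default=Level.NONE)

    def shown(self, principal, resources):
        """Level displayed for a multi-resource selection: the highest one."""
        return max(self.grants[r].get(principal, Level.NONE) for r in resources)

    def set_level(self, principal, resources, level):
        """Apply one level to every selected resource; refuse to drop the last Owner."""
        for r in resources:
            owners = {w for w, l in self.grants[r].items() if l == Level.OWNER}
            if level < Level.OWNER and owners == {principal}:
                raise PermissionError(f"{r}: cannot revoke the last Owner")
        for r in resources:
            if level == Level.NONE:
                self.grants[r].pop(principal, None)
            else:
                self.grants[r][principal] = level

    def locks_out(self, actor, principal, resources, level):
        """Dry run: would this change leave `actor` below Owner on any resource?"""
        trial = Acl({r: dict(g) for r, g in self.grants.items()}, self.members)
        trial.set_level(principal, resources, level)
        return any(trial.effective(actor, r) < Level.OWNER for r in resources)

def sample_acl():   # constructed sample data
    return Acl({"pkg.1": {"alice": Level.OWNER, "bob": Level.READER},
                "pkg.2": {"alice": Level.OWNER, "bob": Level.EDITOR},
                "pkg.3": {"team": Level.OWNER, "carol": Level.OWNER}},
               {"team": {"alice"}})
```

Running `locks_out()` before `set_level()` catches the case where the change is allowed (another Owner remains) but removes your own ability to manage the resource.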

Avatars

  • You can select your avatar on the Avatars page.
  • Avatars are used to visually represent you in the EDI repository.
  • You can add avatars by linking profiles from the Accounts page.
  • If you update your avatar in an identity provider account, it will be reflected in your profile.
  • Currently, avatars are only supported for Google, Microsoft and GitHub accounts.

EDI Authentication Token

  • Tokens are managed on the Token page.
  • The EDI Authentication Token is your personal access token for the EDI repository. It's a JSON Web Token (JWT), containing user profile information and permissions. When you sign in to an EDI service, your browser receives the token as a cookie.
  • For rare cases, it may be useful to have a copy of your token outside your browser, in which case you can copy or download it from the Token page.
  • The token can be used directly for API access, but since it's short-lived, we recommend using API access keys instead.
  • You may refresh your token programmatically any time before it expires, by passing it to the refreshToken() API method. After your token expires, however, it cannot be refreshed, and you will need to sign in again to obtain a new token.

API Access Keys

  • API keys are created and managed on the API Access Keys page.
  • API keys allow temporary programmatic access to resources without sharing login credentials.
  • In order to authenticate your requests to the EDI repository APIs and programmatically access your resources, create a key and use it with the getTokenByKey() API method to obtain an EDI authentication token. Then pass the token in a Cookie: edi-token=... header of your requests.
  • An API key can authenticate either a user profile or a user group, as selected in the Principal field.
  • Each API key has an expiration date and can also be deleted by the user at any time.
  • Users can generate multiple API keys for different purposes.
  • Use the API key to generate an EDI authentication token, then use the token to access resources.
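
An added example (not EDI's own code) for the token and API key sections above: it reads a token's expiry client-side, picks the step the page prescribes, and builds the `Cookie: edi-token=...` header. It assumes the token carries the standard JWT `exp` claim; the function names, the 300-second margin and the sample token are constructed, and refreshToken() and getTokenByKey() are only named, not called.

```python
import base64
import json
import time

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (for reading your own token only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_left(token, now=None):
    """Seconds until the exp claim (assumed present); negative once expired."""
    exp = jwt_claims(token).get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    return exp - (time.time() if now is None else now)

def next_step(token, now=None, have_api_key=False, margin=300):
    """Which step applies: use the token, refresh it, or obtain a new one."""
    left = seconds_left(token, now)
    if left <= 0:                      # an expired token cannot be refreshed
        return "getTokenByKey" if have_api_key else "sign-in"
    return "refreshToken" if left < margin else "use"

def auth_headers(token):
    """Build the request header; reject characters that could split the header."""
    if any(c in token for c in ";, \t\r\n"):
        raise ValueError("token contains characters not valid in a cookie value")
    return {"Cookie": f"edi-token={token}"}

def make_sample_token(exp):
    """Constructed, unsigned token for the example; not a real EDI token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "JWT"}
    claims = {"sub": "EDI-placeholder", "exp": exp}
    return f"{enc(header)}.{enc(claims)}.constructed-signature"
```

A copied token or API key grants the same access as the profile or group it authenticates, so keep it out of source control and logs.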