### Permissioning non-standardized data in the ADE
Technically speaking, access to a table in the Agency Data Exchange is defined by:
- the Access Control Entry (ACE): the identifier of the user (Step 3 below)
- the Access Control List Key (ACL-key): the identifier of the data to give access on (Steps 1 & 2 below)

As in the previous notebooks, we start by loading the libraries, setting up OpenLattice authentication, and loading OpenLattice API-clients.  
_Note_ for instructions on how to install the `openlattice` python library of APIs, please see [this link](https://help.openlattice.com/article/104-overview-and-installation-of-api-clients)

In [1]:
from sqlalchemy import create_engine
import pandas as pd
import openlattice
import os

Set up your Openlattice authentication. Find your jwt token from the tab called `Account` in the upper left after logging in here: https://staging.openlattice.com/orgs/#/orgs.


In [2]:
baseurl = 'https://api.openlattice.com' # prod
jwt = ""

configuration = openlattice.Configuration()
configuration.host = baseurl
configuration.access_token = jwt

Import the necessary Openlattice APIs for the tasks at hand. These rely on the "configuration" object we made above, that holds one's authentication.

In [3]:
entitysetsAPI = openlattice.EntitySetsApi(openlattice.ApiClient(configuration))
datasetAPI = openlattice.DatasetApi(openlattice.ApiClient(configuration))
orgAPI = openlattice.OrganizationsApi(openlattice.ApiClient(configuration))
dataAPI = openlattice.DataApi(openlattice.ApiClient(configuration))
permissionsAPI = openlattice.PermissionsApi(openlattice.ApiClient(configuration))
principalAPI = openlattice.PrincipalApi(openlattice.ApiClient(configuration))

### 1. Creating the ACL-key part 1:  first create a dictionary with the table and columns we want to give access to.
I did this here in a roundabout way by loading the top of the table, printing columns and then copy/pasting into a dictionary. I am **sure** there are better ways.

Do any steps that make sense (ie not necessarily these).

In [4]:
# Load data
# import geopandas as gpd

# Using sqlalchemy to connect to Postgres. First we create a function to create the connection engine.
def get_engine(db, user, pw, prod=True):
    host = 'atlas.openlattice.com:30001' if prod else 'localhost'
    jdbc = f"postgresql://{user}:{pw}@atlas.openlattice.com:30001/{db}"
#     postgresql://{username}:{password}@atlas.openlattice.com:30001/{database}

    engine = create_engine(jdbc)
    return(engine)

# Openlattice demo org 
connection_args = {
    "db": "org_1d5aa1f44d2246a597cddcc6820e7ff8", 
    'user': "",
    'pw': ""
}

prod_engine = get_engine(connection_args['db'], 
                         connection_args['user'], 
                         connection_args['pw'], prod = True)

In [7]:
fake_people_df = pd.read_sql_query("select * from fake_people limit 25", 
                            prod_engine)

In [8]:
fake_people_df.columns

Index(['index', 'trainingid', 'intid', 'firstname', 'middlename', 'lastname',
       'ssn', 'sex', 'dob', 'race', 'ethnicity', 'weight', 'height'],
      dtype='object')

Now make the needed dictionary!

In [9]:
tables_to_give_access = {
    'fake_people': ['index', 'trainingid', 'intid', 'firstname', 'middlename', 'lastname',
       'ssn', 'sex', 'dob', 'race', 'ethnicity', 'weight', 'height']
}

**Not necessary for this workflow but just FYI** - you can also list out all of your the accessible datasets in each organization.

In [10]:
OrgId = '1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8' #Openlattice Demo org
datasets = datasetAPI.get_external_database_tables(OrgId)
datasets = pd.DataFrame([x.to_dict() for x in datasets]).set_index('name')
datasets.head(30)

Unnamed: 0_level_0,id,title,description,organization_id
name,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1
zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,25193301-2413-4054-89e6-ef9721f5cec6,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8
fake_people,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8
demo_arrests,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,demo_arrests,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8


### 2. Creating the ACL-key part 2:  Look up the id_table and id_column
In the OpenLattice backend, each table and column within it has a unique identifying UUID (in case names might overlap), that one needs to input while using the OpenLattice Permissions API. We can look up this needed information in the table constructed below.  
If one is a member of an organization and knows the OrgID, you can grab the datasets and their metadata for all data that you have access to.
- obtain the Organization ID from the Openlattice Orgs app, in the landing page for that specific organization. (https://staging.openlattice.com/orgs/)

In [11]:
OrgId = '1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8' #Openlattice Demo org

The following code uses our `datasetAPI.get_external_database_tables_with_column_metadata` call to extract information, and then creates a pandas dataframe of all of the datasets in an organization, their columns, and associated metadata.

In [12]:
datasets_with_columns = datasetAPI.get_external_database_tables_with_column_metadata(
    organization_id = OrgId)
columns = pd.DataFrame([x.to_dict() for y in datasets_with_columns for x in y.columns])
tables = pd.DataFrame([x.table.to_dict() for x in datasets_with_columns])

datasets_with_columns = pd.merge(
    tables, 
    columns, 
    left_on = ['organization_id', 'id'], 
    right_on = ['organization_id', 'table_id'],
    suffixes = ('_table', '_column')
)
datasets_with_columns


Unnamed: 0,id_table,name_table,title_table,description_table,organization_id,id_column,name_column,title_column,description_column,table_id,data_type,primary_key,ordinal_position
0,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,demo_arrests,demo_arrests,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,d2c8d0c7-6025-4081-940d-74c9d028f01f,IncidentStreet,IncidentStreet,,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,,False,25
1,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,demo_arrests,demo_arrests,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,8717771d-02d9-4302-91b9-2110cea1a16c,TranspOfficerLastName,TranspOfficerLastName,,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,,False,44
2,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,demo_arrests,demo_arrests,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,c3009957-7002-4be6-871d-3aa02aec4af9,BirthDate,BirthDate,,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,,False,9
3,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,demo_arrests,demo_arrests,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,585ea15c-7654-4e9b-8c7c-d8e0471d74a3,ReleaseDate,ReleaseDate,,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,,False,34
4,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,demo_arrests,demo_arrests,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,3a02407b-7edf-40fc-8cd5-99d88111cfd5,ArrestDate,ArrestDate,,f92f80d7-1288-4cd2-9e1c-2d6393b03b94,,False,5
...,...,...,...,...,...,...,...,...,...,...,...,...,...
119,25193301-2413-4054-89e6-ef9721f5cec6,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,8bb3eefb-d126-4532-89b2-bf20c530aeb2,ol.id,ol.id,,25193301-2413-4054-89e6-ef9721f5cec6,,False,8
120,25193301-2413-4054-89e6-ef9721f5cec6,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,d916375b-7f19-46f1-82eb-13ec9de90b45,bhr.dob,bhr.dob,,25193301-2413-4054-89e6-ef9721f5cec6,,False,23
121,25193301-2413-4054-89e6-ef9721f5cec6,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,71ba560e-6308-4c39-97d0-d9c799b72d16,bhr.deescalationTechniques,bhr.deescalationTechniques,,25193301-2413-4054-89e6-ef9721f5cec6,,False,3
122,25193301-2413-4054-89e6-ef9721f5cec6,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,zzz_bhr_entities_clean_2020_5_26_17_27_3_PST,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,3f5a8d06-3687-4e21-ba95-eb2e002d5e9d,bhr.incidentNarrative,bhr.incidentNarrative,,25193301-2413-4054-89e6-ef9721f5cec6,,False,38


In [13]:
## If you want:

## Check that the table I want is in the results - it is!
# datasets_with_columns['name_table'].unique()

## Look at a table of interest
datasets_with_columns.loc[datasets_with_columns['name_table'] == 'fake_people']




Unnamed: 0,id_table,name_table,title_table,description_table,organization_id,id_column,name_column,title_column,description_column,table_id,data_type,primary_key,ordinal_position
47,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,cced1202-d8dd-4c7d-95e0-2ab14f92c4e4,weight,weight,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,12
48,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,f7abe31c-1e77-4011-80ff-4f458005c256,height,height,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,13
49,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,eca33889-4bd4-4ff3-87dd-5bf0040610ef,firstname,firstname,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,4
50,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,a6cd7339-f02a-4cc1-bd5f-5e3409b4f76a,ethnicity,ethnicity,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,11
51,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,c28a864d-5e3e-4526-ac54-48b5b76d79c1,trainingid,trainingid,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,2
52,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,20c2142f-f85d-45b1-88fc-1969e791f5f7,lastname,lastname,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,6
53,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,f5c6aab0-071b-43b8-8ccc-fafb82231310,intid,intid,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,3
54,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,53308462-160d-46e7-9ba7-84f0b7f254e0,dob,dob,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,9
55,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,65169134-e2b8-4554-b7ad-250f627602b5,race,race,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,10
56,3c0262e1-075a-4d1a-a73d-440ba619929e,fake_people,fake_people,,1d5aa1f4-4d22-46a5-97cd-dcc6820e7ff8,06381711-37f9-4c88-b68a-e4a1c0ffc597,sex,sex,,3c0262e1-075a-4d1a-a73d-440ba619929e,,False,8


### 3. Create the principal object that one is giving access to.

If we want to add permissions to a new user, we can search for their unique user id with the `principalApi`.  For example, if I want to look up myself (Kim Engie), I can search for my last name (less common than my first). In this example we are looking up a headless account, `datascience@openlattice.com`.  

What we need is the `user_id` for each person.  
  
_TIPS:_ If you can't find someone by last name try putting a `*` in front of it (e.g., `*engie`)

In [63]:
## find principals for users 
principalAPI.search_all_users("datascience")

{'auth0|5d0c1502deb4ef0d29eb8857': {'com_openlattice_organization': [],
  'email': 'datascience@openlattice.com',
  'nickname': 'datascience',
  'roles': ['AuthenticatedUser'],
  'user_id': 'auth0|5d0c1502deb4ef0d29eb8857',
  'username': 'datascience@openlattice.com'}}

In [14]:
## Create the principal. 
perm_principal = openlattice.Principal(type="USER", id= "auth0|5d0c1502deb4ef0d29eb8857") 

### 3. Give permissions
We loop over the dictionary constructed in Step 1, and grant access to the principal in Step 3. Again, access is defined by:
- the Access Control Entry (ACE): the identifier of the user
- the Access Control List Key (ACL-key): the identifier of the data to give access on

The permissions API goes through and gives permissions to each column in a table separately. 

In [15]:
for table, columns in tables_to_give_access.items():
    for column in columns:
        print("Giving access on column %s on table %s"%(column, table))
#         row = datasets_with_columns.loc[(table, column)]
        row = datasets_with_columns.loc[(datasets_with_columns['name_table'] == table) & \
                                        (datasets_with_columns['name_column'] == column)]
        ace = openlattice.Ace(
            principal = perm_principal,
            permissions = ["READ"]
        )

        acldata = openlattice.AclData(action = "ADD",
                            acl = openlattice.Acl(acl_key = [str(row.id_table.iloc[0]), str(row.id_column.iloc[0])],aces = [ace])
                                     )
        permissionsAPI.update_acl(acldata)

Giving access on column index on table fake_people
Giving access on column trainingid on table fake_people
Giving access on column intid on table fake_people
Giving access on column firstname on table fake_people
Giving access on column middlename on table fake_people
Giving access on column lastname on table fake_people
Giving access on column ssn on table fake_people
Giving access on column sex on table fake_people
Giving access on column dob on table fake_people
Giving access on column race on table fake_people
Giving access on column ethnicity on table fake_people
Giving access on column weight on table fake_people
Giving access on column height on table fake_people
