Skip to main page content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Access keys NCBI Homepage MyNCBI Homepage Main Content Main Navigation
. 2021 Nov 10;1(2):None.
doi: 10.1016/j.xgen.2021.100030.

GA4GH Passport standard for digital identity and access permissions

Craig Voisin  1 Mikael Linden  2   3 Stephanie O M Dyke  4 Sarion R Bowers  5 Pinar Alper  6 Maxmillian P Barkley  7 David Bernick  8 Jianpeng Chao  1 Mélanie Courtot  9 Francis Jeanson  10 Melissa A Konopko  5   11 Martin Kuba  12 Jonathan Lawson  8 Jaakko Leinonen  2 Stephanie Li  8   11 Vivian Ota Wang  13 Anthony A Philippakis  8 Kathy Reinold  8 Gregory A Rushton  8 J Dylan Spalding  2   3 Juha Törnroos  2   3 Ilya Tulchinsky  14 Jaime M Guidry Auvil  13 Tommi H Nyrönen  2   3
Affiliations

GA4GH Passport standard for digital identity and access permissions

Craig Voisin et al. Cell Genom. .

Abstract

The Global Alliance for Genomics and Health (GA4GH) supports international standards that enable a federated data sharing model for the research community while respecting data security, ethical and regulatory frameworks, and data authorization and access processes for sensitive data. The GA4GH Passport standard (Passport) defines a machine-readable digital identity that conveys roles and data access permissions (called "visas") for individual users. Visas are issued by data stewards, including data access committees (DACs) working with public databases, the entities responsible for the quality, integrity, and access arrangements for the datasets in the management of human biomedical data. Passports streamline management of data access rights across data systems by using visas that present a data user's digital identity and permissions across organizations, tools, environments, and services. We describe real-world implementations of the GA4GH Passport standard in use cases from ELIXIR Europe, National Institutes of Health, and the Autism Sharing Initiative. These implementations demonstrate that the Passport standard has provided transparent mechanisms for establishing permissions and authorizing data access across platforms.

Keywords: access; authorization; data; federation; genomics; identity; infrastructure; regulation; security; standard.

PubMed Disclaimer

Conflict of interest statement

A.A.P. is a venture partner at GV and an employee of Alphabet Corporation and has received funding from MSFT, Verily, IBM, Intel, Bayer, and Novartis.

Figures

None
Graphical abstract
Figure 1
Figure 1
Tiers of data access Datasets are commonly shared in databases with either open, registered, or controlled access, depending on the regulatory requirements. With higher regulatory requirements to control access, there is a need for increased security measures when accessing the dataset.
Figure 2
Figure 2
Passports in action Passports provide interoperable infrastructure to authenticate and authorize users across biomedical services at various stages of a research project or study. Once data are deposited in a database they are then made available to other users. Users may be able to access part, or all, of the dataset through a registered access mechanism using their Passport and visa(s), where these provide the necessary credentials for access. For datasets managed with controlled access, the user will need to submit a DAR to the DAC. If and when the DAR is approved, the DAC will issue a visa granting access to the dataset(s). The data user will then apply for access to the database and provide the visas, attesting their identity and access permissions, which are verified in order to gain access to the data.
Figure 3
Figure 3
Enabling federated data sharing A data user receives data access permissions from a DAC and can run their analysis in one or more computing environments (e.g., a cloud) which have a copy of the dataset. A Passport relays the data access permission granted by the DAC to the computing environment which enforces the data access rights, only granting access to the data users with proper data access permissions.
Figure 4
Figure 4
Linking identities in Passports Home organizations and DACs identify their data users with identifiers (green elements in the lower part of the figure), which are minted in the visas they issue. Cloud environments issue their own user identifiers (green elements in the upper part of the figure). The LinkedIdentities visa type is used for signaling that particular identifiers belong to the same person (green lines in figure).
Figure 5
Figure 5
GA4GH Passport system components In a controlled access scenario, the data user submits a DAR (purple document) to the DAC for approval. When the DAC approves the request, a visa assertion is added to the Passport Visa Assertion Repository (lower left). When the data user signs in to their account via the Passport Broker, the Visa Issuer loads their visa entries and signs them. The Passport broker collects the visas from the Visa Issuers, assembles the Passport, and gives it to the data user. When the data user accesses a Passport Clearinghouse, the Passport is included with requests such that the computing environment is made aware that access policies are met and access to the dataset can be permitted.
Figure 6
Figure 6
Passports may contain visas from multiple sources Visas are used to describe data users’ roles and access permissions. Users can collect multiple visas from various sources, including their institutional organization and data stewards via their corresponding DACs. These visas are collected into a data user’s Passport, which is checked by the environment where the data access takes place to authenticate the user’s identity and verify the access credentials needed to gain access to datasets.
Figure 7
Figure 7
Passport implementation protocols A technical protocol flow describing messages that are passed between Passport system components when a data user client accesses GA4GH Beacon services (ELIXIR Beacon Network, https://beacon-network.elixir-europe.org/). Figure 7 adds technical detail about how Passport implementation works to Figure 5 (Passport system components). Steps 1–4 (shown as arrows in Figure 7): “Authentication and authorization” as part of data user sign-in; step 5: “Run Analysis” or otherwise issue a request needing Passport authorization; step 6: “Results” returned as a response to the client.
See this image and copyright information in PMC

References

    1. Rehm H.L., Page A.J.H., Smith L., Adams J.B., Alterovitz G., Babb L.J., Barkley M.P., Baudis M., Beauvais M.J.S., Beck T., et al. GA4GH: International policies and standards for data sharing across genomic research and healthcare. Cell Genomics. 2021;1 100029-1–100029-33. - PMC - PubMed
    1. Lucas-Dominguez R., Alonso-Arroyo A., Vidal-Infer A., Aleixandre-Benavent R. The sharing of research data facing the COVID-19 pandemic. Scientometrics. 2021 doi: 10.1007/s11192-021-03971-6. Published online April 26, 2021. - DOI - PMC - PubMed
    1. Lappalainen I., Almeida-King J., Kumanduri V., Senf A., Spalding J.D., Ur-Rehman S., Saunders G., Kandasamy J., Caccamo M., Leinonen R., et al. The European Genome-phenome Archive of human data consented for biomedical research. Nat. Genet. 2015;47:692–695. - PMC - PubMed
    1. Saunders G., Baudis M., Becker R., Beltran S., Béroud C., Birney E., Brooksbank C., Brunak S., Van den Bulcke M., Drysdale R., et al. Leveraging European infrastructures to access 1 million human genomes by 2022. Nat. Rev. Genet. 2019;20:693–701. - PMC - PubMed
    1. Broeder D., Wartel R., Jones B., Kershaw P., Kelsey D., Lüders S., Lyall A., Nyrönen T., Weyer H.J. 2012. Federated Identity Management for research collaborations.https://cds.cern.ch/record/1442597?ln=en

LinkOut - more resources