From f9ee83c2e654d4b294b5ceb26c84dd61636422a6 Mon Sep 17 00:00:00 2001
From: mlm483 <128052931+mlm483@users.noreply.github.com>
Date: Fri, 26 Jul 2024 11:42:06 -0400
Subject: [PATCH 01/15] [BI-2255] - refactored ProgramSecuredRoleGroup enum
---
.../api/auth/ProgramSecuredRoleGroup.java | 5 +----
.../controller/BreedingMethodController.java | 2 +-
.../v1/controller/ExperimentController.java | 9 ++++-----
.../api/v1/controller/JobController.java | 2 +-
.../api/v1/controller/ProgramController.java | 16 ++++++++--------
.../api/v1/controller/TraitController.java | 12 ++++++------
.../geno/SampleSubmissionController.java | 8 ++++----
.../brapi/v2/BrAPIGermplasmController.java | 18 +++++++++---------
.../brapi/v2/BrAPIImagesController.java | 10 +++++-----
.../brapi/v2/BrAPIListController.java | 2 +-
.../v2/BrAPIObservationLevelsController.java | 2 +-
.../v2/BrAPIObservationUnitController.java | 12 ++++++------
.../v2/BrAPIObservationVariableController.java | 8 ++++----
.../brapi/v2/BrAPIObservationsController.java | 12 ++++++------
.../brapi/v2/BrAPIPedigreeController.java | 6 +++---
.../brapi/v2/BrAPIProgramsController.java | 8 ++++----
.../brapi/v2/BrAPIStudiesController.java | 8 ++++----
.../brapi/v2/BrAPITrialsController.java | 8 ++++----
.../brapi/v2/BrAPIV2Controller.java | 6 +++---
.../brapi/v2/CropController.java | 2 +-
.../brapi/v2/ProgramController.java | 2 +-
.../daos/impl/BreedingMethodDAOImpl.java | 1 -
22 files changed, 77 insertions(+), 82 deletions(-)
diff --git a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java
index 8daf522e7..f8e862b04 100644
--- a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java
+++ b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java
@@ -17,13 +17,10 @@ package org.breedinginsight.api.auth; -import org.apache.commons.collections4.ListUtils; - import java.util.List; public enum ProgramSecuredRoleGroup { - ALL_PROGRAM_ROLES(List.of(ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER)), - ALL(ListUtils.union(ALL_PROGRAM_ROLES.getProgramRoles(), List.of(ProgramSecuredRole.SYSTEM_ADMIN))); + PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER)); private List programRoles; diff --git a/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java b/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java index 9d80f9115..c15e338a1 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java @@ -85,7 +85,7 @@ public HttpResponse createProgramBreedingMethod(@PathVariable UUID programId, @Get("programs/{programId}/breeding-methods{?inUse}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramBreedingMethods(@PathVariable UUID programId, @QueryValue(defaultValue = "false") Boolean inUse) { log.debug(String.format("fetching breeding methods for program: %s", programId)); diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java index 77214c9cf..58e2d3e66 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java 
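Review bot: The name `PROGRAM_SCOPED_ROLES` in the first hunk says less than the constant contains: it lists `ProgramSecuredRole.SYSTEM_ADMIN` alongside `MEMBER` and `BREEDER`, and a system administrator is presumably not a role granted per program. Every `@ProgramSecured(roleGroups = ...)` site in the later hunks now depends on this one value, so I would add a Javadoc on it, for example `/** Roles accepted on program-scoped endpoints; includes SYSTEM_ADMIN in addition to MEMBER and BREEDER. */`, so that nobody reads the group as excluding administrators. The commit also removes `ALL_PROGRAM_ROLES`, the group without `SYSTEM_ADMIN`; none of the visible hunks referenced it, but it is worth confirming that no endpoint relied on that narrower group. The enum body continues outside the hunk.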
@@ -22,7 +22,6 @@ import org.breedinginsight.model.Program; import org.breedinginsight.services.ProgramService; import org.breedinginsight.services.exceptions.DoesNotExistException; -import org.breedinginsight.services.exceptions.UnprocessableEntityException; import org.breedinginsight.utilities.response.mappers.ExperimentQueryMapper; import javax.inject.Inject; @@ -47,7 +46,7 @@ public ExperimentController(BrAPITrialService experimentService, ExperimentQuery } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/export{?queryParams*}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse datasetExport( @PathVariable("programId") UUID programId, @PathVariable("experimentId") UUID experimentId, @@ -75,7 +74,7 @@ public HttpResponse datasetExport( } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset/{datasetId}{?stats}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> getDatasetData( @PathVariable("programId") UUID programId, @@ -102,7 +101,7 @@ public HttpResponse> getDatasetData( * @return An HttpResponse with a Response object containing the newly created Dataset. */ @Post("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> createSubEntityDataset( @PathVariable("programId") UUID programId, 
@@ -132,7 +131,7 @@ public HttpResponse> createSubEntityDataset( * @throws ApiException if an error occurs while retrieving the datasets. */ @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/datasets") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse>> getDatasets( @PathVariable("programId") UUID programId, diff --git a/src/main/java/org/breedinginsight/api/v1/controller/JobController.java b/src/main/java/org/breedinginsight/api/v1/controller/JobController.java index 621493eb0..67b2e241d 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/JobController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/JobController.java @@ -59,7 +59,7 @@ public JobController(SecurityService securityService, JobService jobService) { @Get("programs/{programId}/jobs") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramJobs(@PathVariable UUID programId) { log.debug(String.format("fetching jobs for program: %s", programId)); try { diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java index fedcbd751..a3052b5f1 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java 
@@ -107,7 +107,7 @@ public HttpResponse>> postProgramsSearch( @Get("/programs/{programId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @AddMetadata public HttpResponse> getProgram(@PathVariable UUID programId) { @@ -178,7 +178,7 @@ public HttpResponse archiveProgram(@PathVariable UUID programId) { @Get("/programs/{programId}/users{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramUsers( @PathVariable UUID programId, @QueryValue @QueryValid(using = ProgramUserQueryMapper.class) @Valid QueryParams queryParams) { @@ -194,7 +194,7 @@ public HttpResponse>> getProgramUsers( @Post("/programs/{programId}/users/search{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> searchProgramUsers( @PathVariable UUID programId, @QueryValue @QueryValid(using = ProgramUserQueryMapper.class) @Valid QueryParams queryParams, @@ -211,7 +211,7 @@ public HttpResponse>> searchProgramUsers( @Get("/programs/{programId}/users/{userId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @AddMetadata public HttpResponse> getProgramUser(@PathVariable UUID programId, @PathVariable UUID userId) { 
@@ -292,7 +292,7 @@ public HttpResponse archiveProgramUser(@PathVariable UUID programId, @PathVariab @Get("/programs/{programId}/locations{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramLocations( @PathVariable UUID programId, @QueryValue @QueryValid(using= ProgramLocationQueryMapper.class) @Valid QueryParams queryParams) { @@ -311,7 +311,7 @@ public HttpResponse>> getProgramLocations @Post("/programs/{programId}/locations/search{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> postProgramLocationsSearch( @PathVariable UUID programId, @QueryValue @QueryValid(using= ProgramLocationQueryMapper.class) @Valid QueryParams queryParams, @@ -335,7 +335,7 @@ public HttpResponse>> postProgramLocation @Get("/programs/{programId}/locations/{locationId}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getProgramLocations(@PathVariable UUID programId, @PathVariable UUID locationId) { @@ -423,7 +423,7 @@ public HttpResponse archiveProgramLocation(@PathVariable UUID programId, @Get("/programs/{programId}/observation-levels") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramObservationLevels(@PathVariable UUID programId) throws DoesNotExistException { List programObservationLevels = programObservationLevelService.getByProgramId(programId); 
diff --git a/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java b/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java index 3e6e1869c..2a4ad7b07 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java @@ -77,7 +77,7 @@ public TraitController(TraitService traitService, SecurityService securityServic @Get("/programs/{programId}/traits{?traitsQuery*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getTraits( @PathVariable UUID programId, @QueryValue @QueryValid(using = TraitQueryMapper.class) @Valid TraitsQuery traitsQuery) { @@ -93,7 +93,7 @@ public HttpResponse>> getTraits( @Get("/programs/{programId}/traits/export{?fileExtension,isActive}") @Produces(value = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getTraitsExport( @PathVariable("programId") UUID programId, @QueryValue(defaultValue = "XLSX") String fileExtension, @QueryValue(defaultValue = "true") Boolean isActive) { String downloadErrorMessage = "An error occurred while generating the download file. Contact the development team at bidevteam@cornell.edu."; @@ -113,7 +113,7 @@ public HttpResponse getTraitsExport( @Post("/programs/{programId}/traits/search{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> postTraitsSearch( @PathVariable UUID programId, @QueryValue @QueryValid(using = TraitQueryMapper.class) @Valid QueryParams queryParams, 
@@ -130,7 +130,7 @@ public HttpResponse>> postTraitsSearch( @Get("/programs/{programId}/traits/{traitId}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getTrait(@PathVariable UUID programId, @PathVariable UUID traitId) { try { @@ -151,7 +151,7 @@ public HttpResponse> getTrait(@PathVariable UUID programId, @Pat @Get("/programs/{programId}/traits/{traitId}/editable") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getTraitEditable(@PathVariable UUID programId, @PathVariable UUID traitId) { Editable editable = traitService.getEditable(programId, traitId); @@ -235,7 +235,7 @@ public HttpResponse> archiveTrait(@PathVariable UUID programId, @Get("/programs/{programId}/traits/tags") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getAllTraitTags( @PathVariable UUID programId) { diff --git a/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java b/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java index 43923c71a..e99bb5e70 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java 
@@ -74,7 +74,7 @@ public SampleSubmissionController(@Property(name = "brapi.vendor-submission-enab @Get("programs/{programId}/submissions") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.ALL) + @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES) public HttpResponse>> getProgramSampleSubmissions(@PathVariable UUID programId) { Optional program = programService.getById(programId); if(program.isEmpty()) { @@ -91,7 +91,7 @@ public HttpResponse>> getProgramSampleSu @Get("programs/{programId}/submissions/{submissionId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.ALL) + @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES) public HttpResponse> getSubmissionById(@PathVariable UUID programId, @PathVariable UUID submissionId, @QueryValue(value = "details", defaultValue = "false") @Nullable Boolean fetchDetails) { Optional program = programService.getById(programId); if(program.isEmpty()) { @@ -157,7 +157,7 @@ public HttpResponse> updateSubmissionStatus(@PathVari @Get("/programs/{programId}/submissions/{submissionId}/dart") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse generateDArTFile(@PathVariable UUID programId, @PathVariable UUID submissionId) { try { 
@@ -184,7 +184,7 @@ public HttpResponse generateDArTFile(@PathVariable UUID programId, } @Get("/programs/{programId}/submissions/{submissionId}/lookup") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse generateLookupFile(@PathVariable UUID programId, @PathVariable UUID submissionId) { try { diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java index edc89b5f0..be22abaf3 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java @@ -76,7 +76,7 @@ public BrAPIGermplasmController(BrAPIGermplasmService germplasmService, Germplas // TODO: expand to fully support BrAPI request body. @Post("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/search/germplasm{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> searchGermplasm( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = GermplasmQueryMapper.class) @Valid BrapiQuery queryParams, 
@@ -95,7 +95,7 @@ public HttpResponse>>> searchGermplas @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getGermplasm( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = GermplasmQueryMapper.class) @Valid GermplasmQuery queryParams) { @@ -122,7 +122,7 @@ public HttpResponse>>> getGermplasm( @Get("/programs/{programId}/germplasm/lists/{listDbId}/records{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getGermplasmListRecords( @PathVariable("programId") UUID programId, @PathVariable("listDbId") String listDbId, @@ -139,7 +139,7 @@ public HttpResponse>>> getGermplasmLi @Get("/programs/{programId}/germplasm/lists/{listDbId}/export{?fileExtension}") @Produces(value = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse germplasmListExport( @PathVariable("programId") UUID programId, @PathVariable("listDbId") String listDbId, @QueryValue(defaultValue = "XLSX") String fileExtension) { String downloadErrorMessage = "An error occurred while generating the download file. Contact the development team at bidevteam@cornell.edu."; 
@@ -159,7 +159,7 @@ public HttpResponse germplasmListExport( @Get("/programs/{programId}/germplasm/export{?fileExtension}") @Produces(value = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse germplasmExport( @PathVariable("programId") UUID programId, @QueryValue(defaultValue = "XLSX") String fileExtension) { String downloadErrorMessage = "An error occurred while generating the download file. Contact the development team at bidevteam@cornell.edu."; @@ -178,7 +178,7 @@ public HttpResponse germplasmExport( @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm/{germplasmId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getSingleGermplasm( @PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId) { @@ -197,7 +197,7 @@ public HttpResponse> getSingleGermplasm( @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm/{germplasmId}/pedigree{?notation}{?includeSiblings}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getGermplasmPedigreeInfo( @PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId, 
@@ -282,7 +282,7 @@ public HttpResponse getGermplasmPedigreeInfo( @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm/{germplasmId}/progeny") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getGermplasmProgenyInfo( @PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId) { @@ -346,7 +346,7 @@ public HttpResponse getGermplasmProgenyInfo( @Get("/programs/{programId}/germplasm/{germplasmId}/genotype") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getGermplasmGenotype(@PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java index f760af9f0..cf59df624 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java @@ -41,7 +41,7 @@ public class BrAPIImagesController { - PUT imagesImageDbIdPut */ @Get("/images") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesGet(@PathVariable("programId") UUID programId, @QueryValue("imageDbId") String imageDbId, @QueryValue("imageName") String imageName, 
@@ -59,7 +59,7 @@ public HttpResponse imagesGet(@PathVariable("programId") UUID programId, } @Get("/images/{imageDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesImageDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("imageDbId") String imageDbId) { return HttpResponse.notFound(); @@ -67,7 +67,7 @@ public HttpResponse imagesImageDbIdGet(@PathVariable("programId") UUID programId @Put("/images/{imageDbId}/imagecontent") @Consumes({"image/_*"}) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesImageDbIdImagecontentPut(@PathVariable("programId") UUID programId, @PathVariable("imageDbId") String imageDbId, @Body Object body) { @@ -75,7 +75,7 @@ public HttpResponse imagesImageDbIdImagecontentPut(@PathVariable("programId") UU } @Put("/images/{imageDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesImageDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("imageDbId") String imageDbId, @Body BrAPIImage body) { @@ -83,7 +83,7 @@ public HttpResponse imagesImageDbIdPut(@PathVariable("programId") UUID programId } @Post("/images") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesPost(@PathVariable("programId") UUID programId, @Body List body) { return HttpResponse.notFound(); } diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java index 115448d58..3dd6fd1f4 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java 
+++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java @@ -67,7 +67,7 @@ public BrAPIListController(ProgramService programService, BrAPIListService listS //@Get(BrapiVersion.BRAPI_V2 + "/lists") @Get("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/lists{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getLists( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ListQueryMapper.class) @Valid ListQuery queryParams diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java index 9c54bed9a..ed2ef1884 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java @@ -77,7 +77,7 @@ public BrAPIObservationLevelsController(BrAPIEndpointProvider brAPIEndpointProvi } @Get("/observationlevels") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationlevelsGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("trialDbId") String experimentId, @Nullable @QueryValue("studyDbId") String environmentId, diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java index c649626b1..ca2b470f8 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java 
@@ -67,7 +67,7 @@ public BrAPIObservationUnitController(@Property(name = "brapi.server.reference-s } @Get("/observationunits") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, @Nullable @QueryValue("observationUnitName") String observationUnitName, @@ -147,7 +147,7 @@ public HttpResponse observationunitsGet(@PathV } @Get("/observationunits/{observationUnitDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsObservationUnitDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("observationUnitDbId") String observationUnitDbId) { log.debug("observationunitsObservationUnitDbIdGet: fetching ou by externalReferenceId: " + observationUnitDbId); Optional program = programService.getById(programId); 
@@ -175,21 +175,21 @@ public HttpResponse observationunitsObservat } @Put("/observationunits/{observationUnitDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsObservationUnitDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("observationUnitDbId") String observationUnitDbId, @Body BrAPIObservationUnit body) { //DO NOT IMPLEMENT - Users aren't yet able to update observation units return HttpResponse.notFound(); } @Post("/observationunits") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create observation units via the DeltaBreed UI return HttpResponse.notFound(); } @Put("/observationunits") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsPut(@PathVariable("programId") UUID programId, @Body Map body) { //DO NOT IMPLEMENT - Users aren't yet able to update observation units return HttpResponse.notFound(); @@ -197,7 +197,7 @@ public HttpResponse observationunitsPut(@PathVariable("programId") UUID progr @Get("/observationunits/table") @Produces({"application/json", "text/csv", "text/tsv"}) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsTableGet(@PathVariable("programId") UUID programId, @Nullable @Header("Accept") String accept, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, 
diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java index 45d6983f3..9727ad1be 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java @@ -75,7 +75,7 @@ public BrAPIObservationVariableController(OntologyService ontologyService, } @Get("/variables") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("observationVariableDbId") String observationVariableDbId, @Nullable @QueryValue("observationVariableName") String observationVariableName, @@ -146,7 +146,7 @@ public HttpResponse variablesGet(@PathVari } @Get("/variables/{observationVariableDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesObservationVariableDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("observationVariableDbId") String observationVariableDbId) { log.debug("fetching variable: " + observationVariableDbId); @@ -175,7 +175,7 @@ public HttpResponse variablesObservation } @Put("/variables/{observationVariableDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesObservationVariableDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("observationVariableDbId") String observationVariableDbId, @Body BrAPIObservationVariable body) { 
@@ -184,7 +184,7 @@ public HttpResponse variablesObservationVariableDbIdPut(@PathVariable("progra } @Post("/variables") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create new traits via the DeltaBreed UI return HttpResponse.notFound(); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java index 5a6c51148..5e70846ac 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java @@ -40,7 +40,7 @@ public class BrAPIObservationsController { @Get("/observations") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("observationDbId") String observationDbId, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, 
@@ -71,14 +71,14 @@ public HttpResponse observationsGet(@PathVariable("programId") UUID programId, } @Get("/observations/{observationDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsObservationDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("observationDbId") String observationDbId) { return HttpResponse.notFound(); } @Put("/observations/{observationDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsObservationDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("observationDbId") String observationDbId, @Body BrAPIObservation body) { @@ -90,7 +90,7 @@ public HttpResponse observationsObservationDbIdPut(@PathVariable("programId") UU } @Post("/observations") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsPost(@PathVariable("programId") UUID programId, @Body List body) { /* DO NOT IMPLEMENT - users must create observations via file upload @@ -100,7 +100,7 @@ public HttpResponse observationsPost(@PathVariable("programId") UUID programId, } @Put("/observations") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsPut(@PathVariable("programId") UUID programId, @Body Map body) { /* DO NOT IMPLEMENT - users must create observations via file upload 
@@ -111,7 +111,7 @@ public HttpResponse observationsPut(@PathVariable("programId") UUID programId, @ @Get("/observations/table") @Produces({"application/json", "text/csv", "text/tsv"}) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsTableGet(@PathVariable("programId") UUID programId, @Nullable @Header("Accept") String accept, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java index 51799b346..1e6d673fe 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java @@ -57,7 +57,7 @@ public BrAPIPedigreeController(BrAPIPedigreeDAO pedigreeDAO, } @Get("/pedigree") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse pedigreeGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("accessionNumber") String accessionNumber, @Nullable @QueryValue("collection") String collection, 
@@ -118,14 +118,14 @@ public HttpResponse pedigreeGet(@PathVariable("progra } @Post("/pedigree") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse pedigreePost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create pedigree via the DeltaBreed UI return HttpResponse.notFound(); } @Put("/pedigree") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse pedigreePut(@PathVariable("programId") UUID programId, @Body Map body) { //DO NOT IMPLEMENT - Users aren't yet able to update observation units return HttpResponse.notFound(); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java index a30dbfbed..cd1d30c42 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java @@ -126,7 +126,7 @@ public HttpResponse rootProgramsProgramDbIdPut(@PathVariable("programDbId") S //START - endpoints for within the context of a program @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsGet(@PathVariable("programId") UUID programId, @QueryValue("abbreviation") Optional abbreviation, @QueryValue("programType") Optional programType, 
@@ -153,14 +153,14 @@ public HttpResponse programsGet(@PathVariable("program } @Post("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users should only be able to create new programs via the DeltaBreed UI return HttpResponse.notFound(); } @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs/{programDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsProgramDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("programDbId") String programDbId) { Optional program = programService.getById(programId) .stream() @@ -172,7 +172,7 @@ public HttpResponse programsProgramDbIdGet(@PathVari } @Put("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs/{programDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsProgramDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("programDbId") String programDbId, @Body BrAPIProgram body) { //DO NOT IMPLEMENT - Users should only be able to update programs via the DeltaBreed UI return HttpResponse.notFound(); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java index 0382ecdb0..45fe087a4 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java 
@@ -74,7 +74,7 @@ public BrAPIStudiesController(BrAPIStudyService studyService, StudyQueryMapper s @Get("/studies{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getStudies( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = StudyQueryMapper.class) @Valid StudyQuery queryParams) { @@ -99,14 +99,14 @@ public HttpResponse>>> getStudies( } @Post("/studies") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse studiesPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create new studies via the DeltaBreed UI return HttpResponse.notFound(); } @Get("/studies/{studyDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse studiesStudyDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("studyDbId") String environmentId) { Optional program = programService.getById(programId); if(program.isEmpty()) { @@ -130,7 +130,7 @@ public HttpResponse studiesStudyDbIdGet(@PathVariable( } @Put("/studies/{studyDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse studiesStudyDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("studyDbId") String studyDbId, @Body BrAPIStudy body) { //DO NOT IMPLEMENT - Users are only able to update studies via the DeltaBreed UI diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 666115efa..335fad5c5 100644 
--- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java @@ -50,7 +50,7 @@ public BrAPITrialsController(BrAPITrialService experimentService, ExperimentQuer @Get("/trials{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getExperiments( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ExperimentQueryMapper.class) @Valid ExperimentQuery queryParams) { @@ -71,7 +71,7 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, @PathVariable("trialId") UUID trialId, @@ -92,7 +92,7 @@ public HttpResponse getExperimentById( } @Post("/trials") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse trialsPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create new trials via the DeltaBreed UI return HttpResponse.notFound(); @@ -100,7 +100,7 @@ public HttpResponse trialsPost(@PathVariable("programId") UUID programId, @Bo @Put("/trials/{trialDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse trialsTrialDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("trialDbId") String trialDbId, @Body BrAPITrial body) { //DO NOT IMPLEMENT - Users are only able to update trials via the DeltaBreed UI return HttpResponse.notFound(); 
diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java index b5249516e..469c3be9e 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java @@ -170,7 +170,7 @@ private void setBrAPIServerInfo(BrAPIServerInfo serverInfo) { @Get("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/{+path}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getCatchall(@PathVariable("path") String path, @PathVariable("programId") UUID programId, HttpRequest request) { return executeRequest(path, programId, request, "GET"); } @@ -178,7 +178,7 @@ public HttpResponse getCatchall(@PathVariable("path") String path, @PathVaria @Post("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/{+path}") @Consumes(MediaType.ALL) @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse postCatchall(@PathVariable("path") String path, @PathVariable("programId") UUID programId, HttpRequest request, @Header("Content-Type") String contentType) { return executeByteRequest(path, programId, request, contentType, "POST"); 
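Review bot: `postCatchall` in this hunk and `putCatchall` in the next one stay on the same role group as `getCatchall`, so every role in `PROGRAM_SCOPED_ROLES` can reach `executeByteRequest` with a write method and a caller-supplied `{+path}`. If `MEMBER` is meant to be a read-only role (this patch does not show it, so it needs confirming), the two write proxies should list the writing roles explicitly instead of the broad group. If write authorization is instead left to the service the request is forwarded to, say so above both methods, for example `// All program roles may proxy POST/PUT; write permission is checked by the target service.` Both method bodies are only partly visible in these hunks.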
@@ -187,7 +187,7 @@ public HttpResponse postCatchall(@PathVariable("path") String path, @Pat @Put("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/{+path}") @Consumes(MediaType.ALL) @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse putCatchall(@PathVariable("path") String path, @PathVariable("programId") UUID programId, HttpRequest request, @Header("Content-Type") String contentType) { return executeByteRequest(path, programId, request, contentType, "PUT"); diff --git a/src/main/java/org/breedinginsight/brapi/v2/CropController.java b/src/main/java/org/breedinginsight/brapi/v2/CropController.java index 8e4b5ace2..3319a1acd 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/CropController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/CropController.java @@ -58,7 +58,7 @@ public CropController(ProgramService programService) { */ @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/commoncropnames") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getCommonCropNames( @PathVariable("programId") UUID programId) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java b/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java index 9b8c6b948..b93192dfb 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java 
@@ -60,7 +60,7 @@ public ProgramController(ProgramService programService) { */ @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getPrograms( @PathVariable("programId") UUID programId) { diff --git a/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java b/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java index 4d502b84e..6e0f7e71e 100644 --- a/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java +++ b/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java @@ -3,7 +3,6 @@ import org.breedinginsight.dao.db.tables.daos.BreedingMethodDao; import org.breedinginsight.dao.db.tables.pojos.ProgramBreedingMethodEntity; import org.breedinginsight.daos.BreedingMethodDAO; -import org.jetbrains.annotations.NotNull; import org.jooq.*; import javax.inject.Inject; From 2c5dce87c76e1365eb10c978b6acc05c26cdf8fc Mon Sep 17 00:00:00 2001 
From: mlm483 <128052931+mlm483@users.noreply.github.com> Date: Fri, 26 Jul 2024 11:42:06 -0400 Subject: [PATCH 02/15] [BI-2255] - refactored ProgramSecuredRoleGroup enum --- .../api/auth/ProgramSecuredRoleGroup.java | 5 +---- .../controller/BreedingMethodController.java | 2 +- .../v1/controller/ExperimentController.java | 9 ++++----- .../api/v1/controller/JobController.java | 2 +- .../api/v1/controller/ProgramController.java | 16 ++++++++-------- .../api/v1/controller/TraitController.java | 12 ++++++------ .../geno/SampleSubmissionController.java | 8 ++++---- .../brapi/v2/BrAPIGermplasmController.java | 18 +++++++++--------- .../brapi/v2/BrAPIImagesController.java | 10 +++++----- .../brapi/v2/BrAPIListController.java | 2 +- .../v2/BrAPIObservationLevelsController.java | 2 +- .../v2/BrAPIObservationUnitController.java | 12 ++++++------ .../v2/BrAPIObservationVariableController.java | 8 ++++---- .../brapi/v2/BrAPIObservationsController.java | 12 ++++++------ .../brapi/v2/BrAPIPedigreeController.java | 6 +++--- .../brapi/v2/BrAPIProgramsController.java | 8 ++++---- .../brapi/v2/BrAPIStudiesController.java | 8 ++++---- .../brapi/v2/BrAPITrialsController.java | 8 ++++---- .../brapi/v2/BrAPIV2Controller.java | 6 +++--- .../brapi/v2/CropController.java | 2 +- .../brapi/v2/ProgramController.java | 2 +- .../daos/impl/BreedingMethodDAOImpl.java | 1 - 22 files changed, 77 insertions(+), 82 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java index 8daf522e7..f8e862b04 100644 --- a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java +++ b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java 
@@ -17,13 +17,10 @@ package org.breedinginsight.api.auth; -import org.apache.commons.collections4.ListUtils; - import java.util.List; public enum ProgramSecuredRoleGroup { - ALL_PROGRAM_ROLES(List.of(ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER)), - ALL(ListUtils.union(ALL_PROGRAM_ROLES.getProgramRoles(), List.of(ProgramSecuredRole.SYSTEM_ADMIN))); + PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER)); private List programRoles; diff --git a/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java b/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java index 9d80f9115..c15e338a1 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/BreedingMethodController.java @@ -85,7 +85,7 @@ public HttpResponse createProgramBreedingMethod(@PathVariable UUID programId, @Get("programs/{programId}/breeding-methods{?inUse}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramBreedingMethods(@PathVariable UUID programId, @QueryValue(defaultValue = "false") Boolean inUse) { log.debug(String.format("fetching breeding methods for program: %s", programId)); diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java index 77214c9cf..58e2d3e66 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java 
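Review bot: The new constant `PROGRAM_SCOPED_ROLES` in ProgramSecuredRoleGroup.java includes `ProgramSecuredRole.SYSTEM_ADMIN` alongside `MEMBER` and `BREEDER`, which the name does not convey and the hunk does not document. The removed `ALL_PROGRAM_ROLES` was the only group that excluded system administrators; the call sites visible in this patch all replace `ALL`, so their role set is unchanged, but any use of `ALL_PROGRAM_ROLES` elsewhere would gain `SYSTEM_ADMIN` if moved to the new constant. I would add a Javadoc line on the constant, such as `/** Roles accepted on program-scoped endpoints: SYSTEM_ADMIN, MEMBER and BREEDER. */`, and confirm that no remaining caller relied on the narrower group. The enum body continues outside the hunk.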
@@ -22,7 +22,6 @@ import org.breedinginsight.model.Program; import org.breedinginsight.services.ProgramService; import org.breedinginsight.services.exceptions.DoesNotExistException; -import org.breedinginsight.services.exceptions.UnprocessableEntityException; import org.breedinginsight.utilities.response.mappers.ExperimentQueryMapper; import javax.inject.Inject; @@ -47,7 +46,7 @@ public ExperimentController(BrAPITrialService experimentService, ExperimentQuery } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/export{?queryParams*}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse datasetExport( @PathVariable("programId") UUID programId, @PathVariable("experimentId") UUID experimentId, @@ -75,7 +74,7 @@ public HttpResponse datasetExport( } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset/{datasetId}{?stats}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> getDatasetData( @PathVariable("programId") UUID programId, @@ -102,7 +101,7 @@ public HttpResponse> getDatasetData( * @return An HttpResponse with a Response object containing the newly created Dataset. */ @Post("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> createSubEntityDataset( @PathVariable("programId") UUID programId, 
@@ -132,7 +131,7 @@ public HttpResponse> createSubEntityDataset( * @throws ApiException if an error occurs while retrieving the datasets. */ @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/datasets") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse>> getDatasets( @PathVariable("programId") UUID programId, diff --git a/src/main/java/org/breedinginsight/api/v1/controller/JobController.java b/src/main/java/org/breedinginsight/api/v1/controller/JobController.java index 621493eb0..67b2e241d 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/JobController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/JobController.java @@ -59,7 +59,7 @@ public JobController(SecurityService securityService, JobService jobService) { @Get("programs/{programId}/jobs") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramJobs(@PathVariable UUID programId) { log.debug(String.format("fetching jobs for program: %s", programId)); try { diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java index fedcbd751..a3052b5f1 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java 
@@ -107,7 +107,7 @@ public HttpResponse>> postProgramsSearch( @Get("/programs/{programId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @AddMetadata public HttpResponse> getProgram(@PathVariable UUID programId) { @@ -178,7 +178,7 @@ public HttpResponse archiveProgram(@PathVariable UUID programId) { @Get("/programs/{programId}/users{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramUsers( @PathVariable UUID programId, @QueryValue @QueryValid(using = ProgramUserQueryMapper.class) @Valid QueryParams queryParams) { @@ -194,7 +194,7 @@ public HttpResponse>> getProgramUsers( @Post("/programs/{programId}/users/search{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> searchProgramUsers( @PathVariable UUID programId, @QueryValue @QueryValid(using = ProgramUserQueryMapper.class) @Valid QueryParams queryParams, @@ -211,7 +211,7 @@ public HttpResponse>> searchProgramUsers( @Get("/programs/{programId}/users/{userId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @AddMetadata public HttpResponse> getProgramUser(@PathVariable UUID programId, @PathVariable UUID userId) { 
@@ -292,7 +292,7 @@ public HttpResponse archiveProgramUser(@PathVariable UUID programId, @PathVariab @Get("/programs/{programId}/locations{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramLocations( @PathVariable UUID programId, @QueryValue @QueryValid(using= ProgramLocationQueryMapper.class) @Valid QueryParams queryParams) { @@ -311,7 +311,7 @@ public HttpResponse>> getProgramLocations @Post("/programs/{programId}/locations/search{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> postProgramLocationsSearch( @PathVariable UUID programId, @QueryValue @QueryValid(using= ProgramLocationQueryMapper.class) @Valid QueryParams queryParams, @@ -335,7 +335,7 @@ public HttpResponse>> postProgramLocation @Get("/programs/{programId}/locations/{locationId}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getProgramLocations(@PathVariable UUID programId, @PathVariable UUID locationId) { @@ -423,7 +423,7 @@ public HttpResponse archiveProgramLocation(@PathVariable UUID programId, @Get("/programs/{programId}/observation-levels") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getProgramObservationLevels(@PathVariable UUID programId) throws DoesNotExistException { List programObservationLevels = programObservationLevelService.getByProgramId(programId); 
diff --git a/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java b/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java index 3e6e1869c..2a4ad7b07 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/TraitController.java @@ -77,7 +77,7 @@ public TraitController(TraitService traitService, SecurityService securityServic @Get("/programs/{programId}/traits{?traitsQuery*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getTraits( @PathVariable UUID programId, @QueryValue @QueryValid(using = TraitQueryMapper.class) @Valid TraitsQuery traitsQuery) { @@ -93,7 +93,7 @@ public HttpResponse>> getTraits( @Get("/programs/{programId}/traits/export{?fileExtension,isActive}") @Produces(value = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getTraitsExport( @PathVariable("programId") UUID programId, @QueryValue(defaultValue = "XLSX") String fileExtension, @QueryValue(defaultValue = "true") Boolean isActive) { String downloadErrorMessage = "An error occurred while generating the download file. Contact the development team at bidevteam@cornell.edu."; @@ -113,7 +113,7 @@ public HttpResponse getTraitsExport( @Post("/programs/{programId}/traits/search{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> postTraitsSearch( @PathVariable UUID programId, @QueryValue @QueryValid(using = TraitQueryMapper.class) @Valid QueryParams queryParams, 
@@ -130,7 +130,7 @@ public HttpResponse>> postTraitsSearch( @Get("/programs/{programId}/traits/{traitId}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getTrait(@PathVariable UUID programId, @PathVariable UUID traitId) { try { @@ -151,7 +151,7 @@ public HttpResponse> getTrait(@PathVariable UUID programId, @Pat @Get("/programs/{programId}/traits/{traitId}/editable") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getTraitEditable(@PathVariable UUID programId, @PathVariable UUID traitId) { Editable editable = traitService.getEditable(programId, traitId); @@ -235,7 +235,7 @@ public HttpResponse> archiveTrait(@PathVariable UUID programId, @Get("/programs/{programId}/traits/tags") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getAllTraitTags( @PathVariable UUID programId) { diff --git a/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java b/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java index 43923c71a..e99bb5e70 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/geno/SampleSubmissionController.java 
@@ -74,7 +74,7 @@ public SampleSubmissionController(@Property(name = "brapi.vendor-submission-enab @Get("programs/{programId}/submissions") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.ALL) + @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES) public HttpResponse>> getProgramSampleSubmissions(@PathVariable UUID programId) { Optional program = programService.getById(programId); if(program.isEmpty()) { @@ -91,7 +91,7 @@ public HttpResponse>> getProgramSampleSu @Get("programs/{programId}/submissions/{submissionId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.ALL) + @ProgramSecured(roleGroups = ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES) public HttpResponse> getSubmissionById(@PathVariable UUID programId, @PathVariable UUID submissionId, @QueryValue(value = "details", defaultValue = "false") @Nullable Boolean fetchDetails) { Optional program = programService.getById(programId); if(program.isEmpty()) { @@ -157,7 +157,7 @@ public HttpResponse> updateSubmissionStatus(@PathVari @Get("/programs/{programId}/submissions/{submissionId}/dart") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse generateDArTFile(@PathVariable UUID programId, @PathVariable UUID submissionId) { try { 
@@ -184,7 +184,7 @@ public HttpResponse generateDArTFile(@PathVariable UUID programId, } @Get("/programs/{programId}/submissions/{submissionId}/lookup") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse generateLookupFile(@PathVariable UUID programId, @PathVariable UUID submissionId) { try { diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java index edc89b5f0..be22abaf3 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIGermplasmController.java @@ -76,7 +76,7 @@ public BrAPIGermplasmController(BrAPIGermplasmService germplasmService, Germplas // TODO: expand to fully support BrAPI request body. @Post("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/search/germplasm{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> searchGermplasm( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = GermplasmQueryMapper.class) @Valid BrapiQuery queryParams, 
@@ -95,7 +95,7 @@ public HttpResponse>>> searchGermplas @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getGermplasm( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = GermplasmQueryMapper.class) @Valid GermplasmQuery queryParams) { @@ -122,7 +122,7 @@ public HttpResponse>>> getGermplasm( @Get("/programs/{programId}/germplasm/lists/{listDbId}/records{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getGermplasmListRecords( @PathVariable("programId") UUID programId, @PathVariable("listDbId") String listDbId, @@ -139,7 +139,7 @@ public HttpResponse>>> getGermplasmLi @Get("/programs/{programId}/germplasm/lists/{listDbId}/export{?fileExtension}") @Produces(value = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse germplasmListExport( @PathVariable("programId") UUID programId, @PathVariable("listDbId") String listDbId, @QueryValue(defaultValue = "XLSX") String fileExtension) { String downloadErrorMessage = "An error occurred while generating the download file. Contact the development team at bidevteam@cornell.edu."; 
@@ -159,7 +159,7 @@ public HttpResponse germplasmListExport( @Get("/programs/{programId}/germplasm/export{?fileExtension}") @Produces(value = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse germplasmExport( @PathVariable("programId") UUID programId, @QueryValue(defaultValue = "XLSX") String fileExtension) { String downloadErrorMessage = "An error occurred while generating the download file. Contact the development team at bidevteam@cornell.edu."; @@ -178,7 +178,7 @@ public HttpResponse germplasmExport( @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm/{germplasmId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getSingleGermplasm( @PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId) { @@ -197,7 +197,7 @@ public HttpResponse> getSingleGermplasm( @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm/{germplasmId}/pedigree{?notation}{?includeSiblings}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getGermplasmPedigreeInfo( @PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId, 
@@ -282,7 +282,7 @@ public HttpResponse getGermplasmPedigreeInfo( @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/germplasm/{germplasmId}/progeny") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getGermplasmProgenyInfo( @PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId) { @@ -346,7 +346,7 @@ public HttpResponse getGermplasmProgenyInfo( @Get("/programs/{programId}/germplasm/{germplasmId}/genotype") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse> getGermplasmGenotype(@PathVariable("programId") UUID programId, @PathVariable("germplasmId") String germplasmId) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java index f760af9f0..cf59df624 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIImagesController.java @@ -41,7 +41,7 @@ public class BrAPIImagesController { - PUT imagesImageDbIdPut */ @Get("/images") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesGet(@PathVariable("programId") UUID programId, @QueryValue("imageDbId") String imageDbId, @QueryValue("imageName") String imageName, 
@@ -59,7 +59,7 @@ public HttpResponse imagesGet(@PathVariable("programId") UUID programId, } @Get("/images/{imageDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesImageDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("imageDbId") String imageDbId) { return HttpResponse.notFound(); @@ -67,7 +67,7 @@ public HttpResponse imagesImageDbIdGet(@PathVariable("programId") UUID programId @Put("/images/{imageDbId}/imagecontent") @Consumes({"image/_*"}) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesImageDbIdImagecontentPut(@PathVariable("programId") UUID programId, @PathVariable("imageDbId") String imageDbId, @Body Object body) { @@ -75,7 +75,7 @@ public HttpResponse imagesImageDbIdImagecontentPut(@PathVariable("programId") UU } @Put("/images/{imageDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesImageDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("imageDbId") String imageDbId, @Body BrAPIImage body) { @@ -83,7 +83,7 @@ public HttpResponse imagesImageDbIdPut(@PathVariable("programId") UUID programId } @Post("/images") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse imagesPost(@PathVariable("programId") UUID programId, @Body List body) { return HttpResponse.notFound(); } diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java index 115448d58..3dd6fd1f4 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java 
+++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIListController.java @@ -67,7 +67,7 @@ public BrAPIListController(ProgramService programService, BrAPIListService listS //@Get(BrapiVersion.BRAPI_V2 + "/lists") @Get("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/lists{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getLists( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ListQueryMapper.class) @Valid ListQuery queryParams diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java index 9c54bed9a..ed2ef1884 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationLevelsController.java @@ -77,7 +77,7 @@ public BrAPIObservationLevelsController(BrAPIEndpointProvider brAPIEndpointProvi } @Get("/observationlevels") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationlevelsGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("trialDbId") String experimentId, @Nullable @QueryValue("studyDbId") String environmentId, diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java index c649626b1..ca2b470f8 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationUnitController.java 
@@ -67,7 +67,7 @@ public BrAPIObservationUnitController(@Property(name = "brapi.server.reference-s } @Get("/observationunits") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, @Nullable @QueryValue("observationUnitName") String observationUnitName, @@ -147,7 +147,7 @@ public HttpResponse observationunitsGet(@PathV } @Get("/observationunits/{observationUnitDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsObservationUnitDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("observationUnitDbId") String observationUnitDbId) { log.debug("observationunitsObservationUnitDbIdGet: fetching ou by externalReferenceId: " + observationUnitDbId); Optional program = programService.getById(programId); 
@@ -175,21 +175,21 @@ public HttpResponse observationunitsObservat } @Put("/observationunits/{observationUnitDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsObservationUnitDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("observationUnitDbId") String observationUnitDbId, @Body BrAPIObservationUnit body) { //DO NOT IMPLEMENT - Users aren't yet able to update observation units return HttpResponse.notFound(); } @Post("/observationunits") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create observation units via the DeltaBreed UI return HttpResponse.notFound(); } @Put("/observationunits") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsPut(@PathVariable("programId") UUID programId, @Body Map body) { //DO NOT IMPLEMENT - Users aren't yet able to update observation units return HttpResponse.notFound(); @@ -197,7 +197,7 @@ public HttpResponse observationunitsPut(@PathVariable("programId") UUID progr @Get("/observationunits/table") @Produces({"application/json", "text/csv", "text/tsv"}) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationunitsTableGet(@PathVariable("programId") UUID programId, @Nullable @Header("Accept") String accept, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, 
diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java index 45d6983f3..9727ad1be 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationVariableController.java @@ -75,7 +75,7 @@ public BrAPIObservationVariableController(OntologyService ontologyService, } @Get("/variables") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("observationVariableDbId") String observationVariableDbId, @Nullable @QueryValue("observationVariableName") String observationVariableName, @@ -146,7 +146,7 @@ public HttpResponse variablesGet(@PathVari } @Get("/variables/{observationVariableDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesObservationVariableDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("observationVariableDbId") String observationVariableDbId) { log.debug("fetching variable: " + observationVariableDbId); @@ -175,7 +175,7 @@ public HttpResponse variablesObservation } @Put("/variables/{observationVariableDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesObservationVariableDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("observationVariableDbId") String observationVariableDbId, @Body BrAPIObservationVariable body) { 
@@ -184,7 +184,7 @@ public HttpResponse variablesObservationVariableDbIdPut(@PathVariable("progra } @Post("/variables") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse variablesPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create new traits via the DeltaBreed UI return HttpResponse.notFound(); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java index 5a6c51148..5e70846ac 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIObservationsController.java @@ -40,7 +40,7 @@ public class BrAPIObservationsController { @Get("/observations") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("observationDbId") String observationDbId, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, 
@@ -71,14 +71,14 @@ public HttpResponse observationsGet(@PathVariable("programId") UUID programId, } @Get("/observations/{observationDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsObservationDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("observationDbId") String observationDbId) { return HttpResponse.notFound(); } @Put("/observations/{observationDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsObservationDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("observationDbId") String observationDbId, @Body BrAPIObservation body) { @@ -90,7 +90,7 @@ public HttpResponse observationsObservationDbIdPut(@PathVariable("programId") UU } @Post("/observations") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsPost(@PathVariable("programId") UUID programId, @Body List body) { /* DO NOT IMPLEMENT - users must create observations via file upload @@ -100,7 +100,7 @@ public HttpResponse observationsPost(@PathVariable("programId") UUID programId, } @Put("/observations") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsPut(@PathVariable("programId") UUID programId, @Body Map body) { /* DO NOT IMPLEMENT - users must create observations via file upload 
@@ -111,7 +111,7 @@ public HttpResponse observationsPut(@PathVariable("programId") UUID programId, @ @Get("/observations/table") @Produces({"application/json", "text/csv", "text/tsv"}) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse observationsTableGet(@PathVariable("programId") UUID programId, @Nullable @Header("Accept") String accept, @Nullable @QueryValue("observationUnitDbId") String observationUnitDbId, diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java index 51799b346..1e6d673fe 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIPedigreeController.java @@ -57,7 +57,7 @@ public BrAPIPedigreeController(BrAPIPedigreeDAO pedigreeDAO, } @Get("/pedigree") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse pedigreeGet(@PathVariable("programId") UUID programId, @Nullable @QueryValue("accessionNumber") String accessionNumber, @Nullable @QueryValue("collection") String collection, 
@@ -118,14 +118,14 @@ public HttpResponse pedigreeGet(@PathVariable("progra } @Post("/pedigree") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse pedigreePost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create pedigree via the DeltaBreed UI return HttpResponse.notFound(); } @Put("/pedigree") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse pedigreePut(@PathVariable("programId") UUID programId, @Body Map body) { //DO NOT IMPLEMENT - Users aren't yet able to update observation units return HttpResponse.notFound(); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java index a30dbfbed..cd1d30c42 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIProgramsController.java @@ -126,7 +126,7 @@ public HttpResponse rootProgramsProgramDbIdPut(@PathVariable("programDbId") S //START - endpoints for within the context of a program @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsGet(@PathVariable("programId") UUID programId, @QueryValue("abbreviation") Optional abbreviation, @QueryValue("programType") Optional programType, 
@@ -153,14 +153,14 @@ public HttpResponse programsGet(@PathVariable("program } @Post("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users should only be able to create new programs via the DeltaBreed UI return HttpResponse.notFound(); } @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs/{programDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsProgramDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("programDbId") String programDbId) { Optional program = programService.getById(programId) .stream() @@ -172,7 +172,7 @@ public HttpResponse programsProgramDbIdGet(@PathVari } @Put("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs/{programDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse programsProgramDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("programDbId") String programDbId, @Body BrAPIProgram body) { //DO NOT IMPLEMENT - Users should only be able to update programs via the DeltaBreed UI return HttpResponse.notFound(); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java index 0382ecdb0..45fe087a4 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java 
@@ -74,7 +74,7 @@ public BrAPIStudiesController(BrAPIStudyService studyService, StudyQueryMapper s @Get("/studies{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getStudies( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = StudyQueryMapper.class) @Valid StudyQuery queryParams) { @@ -99,14 +99,14 @@ public HttpResponse>>> getStudies( } @Post("/studies") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse studiesPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create new studies via the DeltaBreed UI return HttpResponse.notFound(); } @Get("/studies/{studyDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse studiesStudyDbIdGet(@PathVariable("programId") UUID programId, @PathVariable("studyDbId") String environmentId) { Optional program = programService.getById(programId); if(program.isEmpty()) { @@ -130,7 +130,7 @@ public HttpResponse studiesStudyDbIdGet(@PathVariable( } @Put("/studies/{studyDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse studiesStudyDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("studyDbId") String studyDbId, @Body BrAPIStudy body) { //DO NOT IMPLEMENT - Users are only able to update studies via the DeltaBreed UI diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 666115efa..335fad5c5 100644 
--- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java @@ -50,7 +50,7 @@ public BrAPITrialsController(BrAPITrialService experimentService, ExperimentQuer @Get("/trials{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getExperiments( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ExperimentQueryMapper.class) @Valid ExperimentQuery queryParams) { @@ -71,7 +71,7 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, @PathVariable("trialId") UUID trialId, @@ -92,7 +92,7 @@ public HttpResponse getExperimentById( } @Post("/trials") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse trialsPost(@PathVariable("programId") UUID programId, @Body List body) { //DO NOT IMPLEMENT - Users are only able to create new trials via the DeltaBreed UI return HttpResponse.notFound(); @@ -100,7 +100,7 @@ public HttpResponse trialsPost(@PathVariable("programId") UUID programId, @Bo @Put("/trials/{trialDbId}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse trialsTrialDbIdPut(@PathVariable("programId") UUID programId, @PathVariable("trialDbId") String trialDbId, @Body BrAPITrial body) { //DO NOT IMPLEMENT - Users are only able to update trials via the DeltaBreed UI return HttpResponse.notFound(); 
diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java index b5249516e..469c3be9e 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java @@ -170,7 +170,7 @@ private void setBrAPIServerInfo(BrAPIServerInfo serverInfo) { @Get("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/{+path}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getCatchall(@PathVariable("path") String path, @PathVariable("programId") UUID programId, HttpRequest request) { return executeRequest(path, programId, request, "GET"); } @@ -178,7 +178,7 @@ public HttpResponse getCatchall(@PathVariable("path") String path, @PathVaria @Post("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/{+path}") @Consumes(MediaType.ALL) @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse postCatchall(@PathVariable("path") String path, @PathVariable("programId") UUID programId, HttpRequest request, @Header("Content-Type") String contentType) { return executeByteRequest(path, programId, request, contentType, "POST"); 
@@ -187,7 +187,7 @@ public HttpResponse postCatchall(@PathVariable("path") String path, @Pat @Put("/${micronaut.bi.api.version}/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/{+path}") @Consumes(MediaType.ALL) @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse putCatchall(@PathVariable("path") String path, @PathVariable("programId") UUID programId, HttpRequest request, @Header("Content-Type") String contentType) { return executeByteRequest(path, programId, request, contentType, "PUT"); diff --git a/src/main/java/org/breedinginsight/brapi/v2/CropController.java b/src/main/java/org/breedinginsight/brapi/v2/CropController.java index 8e4b5ace2..3319a1acd 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/CropController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/CropController.java @@ -58,7 +58,7 @@ public CropController(ProgramService programService) { */ @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/commoncropnames") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getCommonCropNames( @PathVariable("programId") UUID programId) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java b/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java index 9b8c6b948..b93192dfb 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/ProgramController.java 
@@ -60,7 +60,7 @@ public ProgramController(ProgramService programService) { */ @Get("/programs/{programId}" + BrapiVersion.BRAPI_V2 + "/programs") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.ALL}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getPrograms( @PathVariable("programId") UUID programId) { diff --git a/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java b/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java index 4d502b84e..6e0f7e71e 100644 --- a/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java +++ b/src/main/java/org/breedinginsight/daos/impl/BreedingMethodDAOImpl.java @@ -3,7 +3,6 @@ import org.breedinginsight.dao.db.tables.daos.BreedingMethodDao; import org.breedinginsight.dao.db.tables.pojos.ProgramBreedingMethodEntity; import org.breedinginsight.daos.BreedingMethodDAO; -import org.jetbrains.annotations.NotNull; import org.jooq.*; import javax.inject.Inject; From f1279b795563be3a5946e1a576cd50c4f58aa29a Mon Sep 17 00:00:00 2001 
From: David Randolph Phillips Date: Tue, 6 Aug 2024 14:06:47 -0400 Subject: [PATCH 03/15] [BI-2255] WIP --- .../api/auth/AuthenticatedUser.java | 5 + .../api/auth/ExperimentSecured.java | 29 +++ .../api/auth/ExperimentSecuredRole.java | 41 ++++ .../api/auth/ProgramSecuredRoleGroup.java | 2 +- .../ExperimentSecuredAnnotationRule.java | 178 ++++++++++++++++++ .../rules/ProgramSecuredAnnotationRule.java | 2 +- .../brapi/v2/BrAPITrialsController.java | 30 ++- .../brapi/v2/services/BrAPITrialService.java | 6 + .../controllers/ImportController.java | 3 +- 9 files changed, 287 insertions(+), 9 deletions(-) create mode 100644 src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java create mode 100644 src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java create mode 100644 src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java diff --git a/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java b/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java index 389f7f4ac..e7d362402 100644 --- a/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java +++ b/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java @@ -21,6 +21,7 @@ import lombok.Getter; import lombok.Setter; import org.breedinginsight.model.ProgramUser; +import org.breedinginsight.services.exceptions.DoesNotExistException; import java.util.Collection; import java.util.List; @@ -38,4 +39,8 @@ public AuthenticatedUser(String username, Collection roles, UUID id, Lis this.id = id; this.programRoles = programRoles; } + + public ProgramUser extractProgramUser() throws DoesNotExistException { + return this.programRoles.stream().filter(pu -> this.id.equals( pu.getProgramId() ) ).findFirst().orElseThrow( () -> new DoesNotExistException( String.format("No program user found for program %s", this.id) ) ); + } } 
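Review bot: `extractProgramUser()` filters with `this.id.equals(pu.getProgramId())`, but `id` is set from the constructor's `id` argument, which looks like the authenticated user's id rather than a program id, so the lookup compares two different kinds of UUID and will normally match nothing (the exception text also prints `this.id` as the program). An authorization rule built on this would then reject every caller, or pick the wrong membership if the ids ever coincide. Pass the program in explicitly, `public ProgramUser extractProgramUser(UUID programId) throws DoesNotExistException`, filter with `pu -> programId.equals(pu.getProgramId())`, and format the message with `programId`; callers outside this hunk would need the matching argument.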
diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java b/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java
new file mode 100644
index 000000000..f24df2599
--- /dev/null
+++ b/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java
@@ -0,0 +1,29 @@
+/*
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.breedinginsight.api.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface ExperimentSecured {
+ ExperimentSecuredRole[] roles() default {};
+}
diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java b/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java
new file mode 100644
index 000000000..de1eacd18
--- /dev/null
+++ b/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java
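Review bot: `ExperimentSecured` ships without Javadoc, and `roles()` defaults to `{}`, so a bare `@ExperimentSecured` compiles with no roles named. What an empty list means is decided in `ExperimentSecuredAnnotationRule`, which is not part of this hunk; if it is read there as "no restriction", the annotation fails open. Either drop the default, `ExperimentSecuredRole[] roles();`, so every use states its roles, or add a Javadoc line on the annotation saying that an empty `roles` denies access and make the rule agree with it.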
@@ -0,0 +1,41 @@ +/* + * See the NOTICE file distributed with this work for additional information + * regarding copyright ownership. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.breedinginsight.api.auth; + +public enum ExperimentSecuredRole { + MEMBER("member"), + BREEDER("breeder"), + SYSTEM_ADMIN("admin"); + + private String domain; + + ExperimentSecuredRole(String domain) { + this.domain = domain; + } + + @Override + public String toString() { + return domain; + } + + public static ExperimentSecuredRole getEnum(String domain) { + for(ExperimentSecuredRole v : values()) + if(v.toString().equalsIgnoreCase(domain)) return v; + throw new IllegalArgumentException(); + } +} diff --git a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java index f8e862b04..24d4d6c4a 100644 --- a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java +++ b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java @@ -20,7 +20,7 @@ import java.util.List; public enum ProgramSecuredRoleGroup { - PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER)); + PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR)); private List programRoles; 
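Review bot: Adding `ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR` to `PROGRAM_SCOPED_ROLES` opens every route annotated with that group to the new role, not only the trial routes this commit touches; the first patch of the series appears to have moved many controllers onto this group. If the role is meant to be limited to assigned experiments, it would be safer to leave the group unchanged and add the role explicitly, `roles = {..., ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}`, only on routes that also carry an experiment-level check. A comment on the constant stating which roles it grants and why would help, e.g. `// Roles with read access to all program-level data`. The same addition reappears in the ProgramSecuredRoleGroup hunk of patch 08.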
diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java
new file mode 100644
index 000000000..0af7f83a8
--- /dev/null
+++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java
@@ -0,0 +1,178 @@ +/* + * See the NOTICE file distributed with this work for additional information + * regarding copyright ownership. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.breedinginsight.api.auth.rules; + +import io.micronaut.http.HttpRequest; +import io.micronaut.http.HttpStatus; +import io.micronaut.http.exceptions.HttpStatusException; +import io.micronaut.http.server.exceptions.HttpServerException; +import io.micronaut.security.rules.SecuredAnnotationRule; +import io.micronaut.security.rules.SecurityRuleResult; +import io.micronaut.security.token.RolesFinder; +import io.micronaut.web.router.MethodBasedRouteMatch; +import io.micronaut.web.router.RouteMatch; +import org.brapi.client.v2.model.exceptions.ApiException; +import org.brapi.v2.model.core.BrAPITrial; +import org.breedinginsight.api.auth.*; +import org.breedinginsight.brapi.v2.dao.BrAPITrialDAO; +import org.breedinginsight.daos.ProgramDAO; +import org.breedinginsight.model.ProgramUser; +import org.breedinginsight.model.Role; +import org.breedinginsight.services.exceptions.DoesNotExistException; +import org.jetbrains.annotations.Nullable; + +import javax.inject.Inject; +import javax.inject.Singleton; +import java.util.*; +import java.util.stream.Collectors; + +@Singleton +public class ExperimentSecuredAnnotationRule extends SecuredAnnotationRule { + + // Executes before the SecuredAnnotationRule, and if the annotation exists, will return before the 
SecuredAnnotationRule can execute + public static final Integer ORDER = SecuredAnnotationRule.ORDER - 1; + + public ExperimentSecuredAnnotationRule(RolesFinder rolesFinder) { + super(rolesFinder); + } + + @Inject + private SecurityService securityService; + @Inject + private ProgramDAO programDAO; + @Inject + private BrAPITrialDAO brAPITrialDAO; + + @Override + public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch routeMatch, @Nullable Map claims) { + // Does not approve request so that checks after it can check. Only rejects on fail. + + if (routeMatch instanceof MethodBasedRouteMatch) { + MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); + Map tmp = routeMatch.getVariableValues(); + String programId = (String) routeMatch.getVariableValues() + .get("programId"); + String experimentId = (String) routeMatch.getVariableValues() + .get("trialId"); + + if (methodRoute.hasAnnotation(ExperimentSecured.class)) { + if (programId == null) { + throw new HttpServerException("Endpoint does not have program id to check roles against"); + } + if (experimentId == null) { + throw new HttpServerException("Endpoint does not have experiment id to check roles against"); + } + + if (!programDAO.existsById(UUID.fromString(programId))) { + throw new HttpStatusException(HttpStatus.NOT_FOUND, "Program does not exist"); + } + Optional trial = null; + try { + trial = brAPITrialDAO.getTrialById(UUID.fromString(programId), UUID.fromString(experimentId)); + } catch (ApiException e) { + throw new RuntimeException(e); + } catch (DoesNotExistException e) { + throw new HttpStatusException(HttpStatus.NOT_FOUND, "Experiment does not exist"); + } + if( trial.isEmpty()) { + throw new HttpStatusException(HttpStatus.NOT_FOUND, "Experiment does not exist"); + } + + if (claims != null){ + AuthenticatedUser user = securityService.getUser(); + List allProgramRoles = user.getProgramRoles(); + List systemRoles = (List) user.getRoles(); + + // Get program roles for 
given program and system roles into single list + List userRoles = processRoles(allProgramRoles, systemRoles, programId); + + // Get route allowed roles + List allowedRoles = getAllowedRoles(methodRoute); + + List allowedRolesString = allowedRoles + .stream().map(ProgramSecuredRole::toString).collect(Collectors.toList()); + + List userRolesString = userRoles.stream() + .map(ProgramSecuredRole::toString).collect(Collectors.toList()); + if (userRoles.size()==1 && userRoles.get(0)==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR){ + return processExperiment(user, experimentId); + } + SecurityRuleResult securityRuleResult = compareRoles(allowedRolesString, userRolesString); + return securityRuleResult; + } + + // Rejects if no claims, or does not have correct roles + return SecurityRuleResult.REJECTED; + } + } + + return SecurityRuleResult.UNKNOWN; + } + + private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId) throws DoesNotExistException{ + ProgramUser programUser = authenticatedUser.extractProgramUser(); + if(this.isExperimentCoordinator(programUser)){ + return SecurityRuleResult.ALLOWED; + } + else{ + return SecurityRuleResult.REJECTED; + } + } + + private boolean isExperimentCoordinator(ProgramUser programUser){ + List roles = programUser.getRoles(); + return (roles.size()==1 && + ProgramSecuredRole.getEnum(roles.get(0).getDomain())==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR); + + } + + public List processRoles(List allProgramRoles, List systemRoles, String programId) { + + // Check that they have a role in the program they are requesting data for + List matchedProgramRoles = allProgramRoles.stream().filter(programRole -> + programRole.getProgramId().toString().equals(programId) && programRole.getActive()).collect(Collectors.toList()); + + // Get roles of the user for the given program + List userRoles = new ArrayList<>(); + if (!matchedProgramRoles.isEmpty()){ + matchedProgramRoles.get(0).getRoles().stream() + 
.forEach(role -> userRoles.add(ProgramSecuredRole.getEnum(role.getDomain()))); + } + + // Add system roles to the user's roles. System roles apply to every program + systemRoles.stream().forEach(systemRole -> userRoles.add(ProgramSecuredRole.getEnum(systemRole))); + return userRoles; + } + + public List getAllowedRoles(MethodBasedRouteMatch methodRoute) { + + Optional programSecuredRoles = methodRoute.getValue(ExperimentSecured.class, "roles", ProgramSecuredRole[].class); + List allowedRoles = new ArrayList<>(); + if (programSecuredRoles.isPresent()) { + // TODO could this be allowedRoles=Arrays.asList(programSecuredRoles.get()); + allowedRoles.addAll(Arrays.asList(programSecuredRoles.get())); + } + + return allowedRoles; + } + @Override + public int getOrder() { + return ORDER; + } + +} \ No newline at end of file diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java index 51aeabea7..188c1248f 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java @@ -57,7 +57,7 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); - + Map tmp = routeMatch.getVariableValues(); String programId = (String) routeMatch.getVariableValues() .get("programId"); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 335fad5c5..87bb67375 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java 
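Review bot: In `check()`, the program and trial lookups run, and answer 404 "Program does not exist" / "Experiment does not exist", before the `claims != null` test, so a request with no credentials can learn which ids exist; the guard `if (claims == null) { return SecurityRuleResult.REJECTED; }` should come first inside the `hasAnnotation(ExperimentSecured.class)` branch. `processExperiment` never reads `experimentId` and returns `SecurityRuleResult.ALLOWED` for any user whose only role is EXPERIMENTAL_COLLABORATOR, which grants every trial in the program and contradicts the comment at the top of `check()` saying the rule only rejects. `UUID.fromString` is also applied to the raw path variables, so a malformed id surfaces as an uncaught IllegalArgumentException rather than a 400 or a rejection.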
@@ -11,8 +11,7 @@ import org.brapi.client.v2.model.exceptions.ApiException; import org.brapi.v2.model.core.BrAPITrial; import org.brapi.v2.model.core.response.BrAPITrialSingleResponse; -import org.breedinginsight.api.auth.ProgramSecured; -import org.breedinginsight.api.auth.ProgramSecuredRoleGroup; +import org.breedinginsight.api.auth.*; import org.breedinginsight.api.model.v1.request.query.SearchRequest; import org.breedinginsight.api.model.v1.response.DataResponse; import org.breedinginsight.api.model.v1.response.Response; @@ -21,6 +20,8 @@ import org.breedinginsight.brapi.v2.model.request.query.ExperimentQuery; import org.breedinginsight.brapi.v2.services.BrAPITrialService; import org.breedinginsight.brapps.importer.services.ExternalReferenceSource; +import org.breedinginsight.model.ProgramUser; +import org.breedinginsight.model.Role; import org.breedinginsight.services.exceptions.DoesNotExistException; import org.breedinginsight.utilities.Utilities; import org.breedinginsight.utilities.response.ResponseUtils; @@ -38,11 +39,13 @@ public class BrAPITrialsController { private final String referenceSource; + private final SecurityService securityService; private final BrAPITrialService experimentService; private final ExperimentQueryMapper experimentQueryMapper; @Inject - public BrAPITrialsController(BrAPITrialService experimentService, ExperimentQueryMapper experimentQueryMapper, @Property(name = "brapi.server.reference-source") String referenceSource) { + public BrAPITrialsController(SecurityService securityService, BrAPITrialService experimentService, ExperimentQueryMapper experimentQueryMapper, @Property(name = "brapi.server.reference-source") String referenceSource) { + this.securityService = securityService; this.experimentService = experimentService; this.experimentQueryMapper = experimentQueryMapper; this.referenceSource = referenceSource; 
@@ -50,14 +53,22 @@ public BrAPITrialsController(BrAPITrialService experimentService, ExperimentQuer @Get("/trials{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getExperiments( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ExperimentQueryMapper.class) @Valid ExperimentQuery queryParams) { try { log.debug("fetching trials for program: " + programId); + AuthenticatedUser authenticatedUser = securityService.getUser(); + ProgramUser programUser = authenticatedUser.extractProgramUser(programId); - List experiments = experimentService.getExperiments(programId).stream().peek(this::setDbIds).collect(Collectors.toList()); + List experiments = null; + if( this.isExperimentCoordinator(programUser)) { + experiments = experimentService.getExperimentsForCoordinator(programId, programUser); + } + else{ + experiments = experimentService.getExperiments(programId); + } + experiments = experiments.stream().peek(this::setDbIds).collect(Collectors.toList()); SearchRequest searchRequest = queryParams.constructSearchRequest(); return ResponseUtils.getBrapiQueryResponse(experiments, experimentQueryMapper, queryParams, searchRequest); } catch (ApiException e) { @@ -71,7 +82,7 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ExperimentSecured(roles = {ExperimentSecuredRole.SYSTEM_ADMIN, ExperimentSecuredRole.BREEDER}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, @PathVariable("trialId") UUID trialId, 
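Review bot: `getExperiments` loses `@ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES})` in this hunk and gets no replacement, so the list route no longer declares who may call it and relies on `extractProgramUser(programId)` throwing inside the handler. The annotation should stay so the decision is made by the security rules before the handler runs: `@ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES})`. A caller holding only a system-level role would presumably have no matching ProgramUser, so `extractProgramUser` would throw for them even though the comment in `processRoles` says system roles apply to every program; that case needs an explicit branch.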
@@ -117,4 +128,11 @@ private void setDbIds(BrAPITrial trial) { //TODO update locationDbId } + private boolean isExperimentCoordinator(ProgramUser programUser){ + List roles = programUser.getRoles(); + return (roles.size()==1 && + ProgramSecuredRole.getEnum(roles.get(0).getDomain())==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR); + + } + } diff --git a/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java b/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java index 2f6d1d881..8103d3f54 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java +++ b/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java @@ -102,6 +102,12 @@ public List getExperiments(UUID programId) throws ApiException, Does return trialDAO.getTrials(programId); } + public List getExperimentsForCoordinator(UUID programId, ProgramUser programUser) throws ApiException, DoesNotExistException { + + //TODO the following is just a place holder. FIX IT! + return trialDAO.getTrials(programId); + } + public BrAPITrial getTrialDataByUUID(UUID programId, UUID trialId, boolean stats) throws DoesNotExistException { try { BrAPITrial trial = trialDAO.getTrialById(programId,trialId).orElseThrow(() -> new DoesNotExistException("Trial does not exist")); diff --git a/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java b/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java index c9ea3ec39..dfd2fa803 100644 --- a/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java +++ b/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java 
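Review bot: `getExperimentsForCoordinator` ignores `programUser` and returns `trialDAO.getTrials(programId)`, so the branch that `getExperiments` takes for an experiment-scoped user returns every trial in the program. Until the filter is implemented the placeholder should fail closed, for example `return List.of(); // TODO: restrict to the collaborator's assigned experiments`, so the gap cannot ship unnoticed. The TODO should also say what the filter is keyed on rather than "FIX IT!".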
@@ -84,7 +84,7 @@ public HttpResponse>> getImportTypes @Get("/programs/{programId}/import/mappings{?draft}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roles = {ProgramSecuredRole.BREEDER, ProgramSecuredRole.SYSTEM_ADMIN}) + @ProgramSecured(roles = {ProgramSecuredRole.BREEDER, ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) public HttpResponse>> getMappings(@PathVariable UUID programId, @QueryValue(defaultValue = "false") Boolean draft) { @@ -191,6 +191,7 @@ public HttpResponse> editMapping(@PathVariable UUID prog @Produces(MediaType.APPLICATION_JSON) @AddMetadata @Secured(SecurityRule.IS_ANONYMOUS) + @ProgramSecured(roles = {ProgramSecuredRole.BREEDER, ProgramSecuredRole.SYSTEM_ADMIN}) public HttpResponse>> getSystemMappings(@Nullable @QueryValue String importName) { AuthenticatedUser actingUser = securityService.getUser(); From 69e68fedfb809c5e67c9d00a83ba3d362c4375e3 Mon Sep 17 00:00:00 2001 From: rob-ouser-bi Date: Thu, 8 Aug 2024 13:13:19 +0000 Subject: [PATCH 04/15] [autocommit] bumping build number --- src/main/resources/version.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/resources/version.properties b/src/main/resources/version.properties index 09bc98561..783869815 100644 --- a/src/main/resources/version.properties +++ b/src/main/resources/version.properties @@ -14,5 +14,5 @@ # limitations under the License. # -version=v0.10.0+777 -versionInfo=https://github.com/Breeding-Insight/bi-api/commit/8a3fa22fb1ddfa8f1cadaf5e89150b7e8ba09d3d +version=v0.10.0+779 +versionInfo=https://github.com/Breeding-Insight/bi-api/commit/e037a0cc1fe21a8c98af114c330f2adcce7f4f97 From 6cabaed14004377ec59a2ad6f4f8586a6153b622 Mon Sep 17 00:00:00 2001 
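Review bot: `getSystemMappings` now carries both `@Secured(SecurityRule.IS_ANONYMOUS)` and `@ProgramSecured(roles = {ProgramSecuredRole.BREEDER, ProgramSecuredRole.SYSTEM_ADMIN})`, which state opposite intents, and the visible signature has no `programId` path variable for a program rule to check against. ProgramSecuredAnnotationRule reads `programId` from the route variables; if it handles a missing value the way the new experiment rule does, this route will fail with "Endpoint does not have program id to check roles against". Since the handler calls `securityService.getUser()`, the likely intent is an authenticated, non-program-scoped route; I would drop the added line and replace the anonymous marker with `@Secured(SecurityRule.IS_AUTHENTICATED)`, or document why anonymous access is wanted. The method body continues outside the hunk.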
From: David Randolph Phillips Date: Thu, 8 Aug 2024 10:12:43 -0400 Subject: [PATCH 05/15] [BI-2255] WIP --- .../api/auth/ExperimentSecuredRole.java | 1 + .../ExperimentSecuredAnnotationRule.java | 40 +++++++++---------- .../brapi/v2/BrAPITrialsController.java | 3 +- 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java b/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java index de1eacd18..74b1d2d41 100644 --- a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java +++ b/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java @@ -17,6 +17,7 @@ package org.breedinginsight.api.auth; +//TODO Delete this Class if not used. public enum ExperimentSecuredRole { MEMBER("member"), BREEDER("breeder"), diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java index 0af7f83a8..2ec13cee1 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java @@ -64,7 +64,7 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); - Map tmp = routeMatch.getVariableValues(); +// Map tmp = routeMatch.getVariableValues(); String programId = (String) routeMatch.getVariableValues() .get("programId"); String experimentId = (String) routeMatch.getVariableValues() 
@@ -95,28 +95,28 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (claims != null){ AuthenticatedUser user = securityService.getUser(); - List allProgramRoles = user.getProgramRoles(); - List systemRoles = (List) user.getRoles(); - - // Get program roles for given program and system roles into single list - List userRoles = processRoles(allProgramRoles, systemRoles, programId); - - // Get route allowed roles - List allowedRoles = getAllowedRoles(methodRoute); - - List allowedRolesString = allowedRoles - .stream().map(ProgramSecuredRole::toString).collect(Collectors.toList()); - - List userRolesString = userRoles.stream() - .map(ProgramSecuredRole::toString).collect(Collectors.toList()); - if (userRoles.size()==1 && userRoles.get(0)==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR){ +// List allProgramRoles = user.getProgramRoles(); +// List systemRoles = (List) user.getRoles(); +// +// // Get program roles for given program and system roles into single list +// List userRoles = processRoles(allProgramRoles, systemRoles, programId); +// +// // Get route allowed roles +// List allowedRoles = getAllowedRoles(methodRoute); +// +// List allowedRolesString = allowedRoles +// .stream().map(ProgramSecuredRole::toString).collect(Collectors.toList()); +// +// List userRolesString = userRoles.stream() +// .map(ProgramSecuredRole::toString).collect(Collectors.toList()); +// if (userRoles.size()==1 && userRoles.get(0)==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR){ return processExperiment(user, experimentId); - } - SecurityRuleResult securityRuleResult = compareRoles(allowedRolesString, userRolesString); - return securityRuleResult; +// } +// SecurityRuleResult securityRuleResult = compareRoles(allowedRolesString, userRolesString); +// return securityRuleResult; } - // Rejects if no claims, or does not have correct roles + // Rejects if no claims return SecurityRuleResult.REJECTED; } } 
diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 89f4788d5..dd69d7b4a 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java @@ -83,7 +83,8 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ExperimentSecured(roles = {ExperimentSecuredRole.SYSTEM_ADMIN, ExperimentSecuredRole.BREEDER}) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.BREEDER, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) + @ExperimentSecured() public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, @PathVariable("trialId") UUID trialId, From 1a2c6decbbf924efa9fa7038a7f604ea7796fa4c Mon Sep 17 00:00:00 2001 From: rob-ouser-bi Date: Thu, 8 Aug 2024 19:53:47 +0000 Subject: [PATCH 06/15] [autocommit] bumping build number --- src/main/resources/version.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/resources/version.properties b/src/main/resources/version.properties index 783869815..9102aac80 100644 --- a/src/main/resources/version.properties +++ b/src/main/resources/version.properties @@ -14,5 +14,5 @@ # limitations under the License. # -version=v0.10.0+779 -versionInfo=https://github.com/Breeding-Insight/bi-api/commit/e037a0cc1fe21a8c98af114c330f2adcce7f4f97 +version=v0.10.0+781 +versionInfo=https://github.com/Breeding-Insight/bi-api/commit/16e3768d2d06d50d0e6a3aab61f2d4067a4ee077 From 1654b5e417709259be3af831f7641078f817fee4 Mon Sep 17 00:00:00 2001 
From: David Randolph Phillips Date: Fri, 9 Aug 2024 11:53:07 -0400 Subject: [PATCH 07/15] [BI-2255] WIP --- .../api/auth/AuthenticatedUser.java | 10 ++- .../ExperimentSecuredAnnotationRule.java | 67 ++++--------------- .../brapi/v2/BrAPITrialsController.java | 2 +- .../daos/ExperimentalCollaboratorDAO.java | 25 +++++++ 4 files changed, 46 insertions(+), 58 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java b/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java index e7d362402..2c0ed119c 100644 --- a/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java +++ b/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java @@ -17,6 +17,7 @@ package org.breedinginsight.api.auth; +import com.drew.lang.annotations.NotNull; import io.micronaut.security.authentication.UserDetails; import lombok.Getter; import lombok.Setter; @@ -40,7 +41,12 @@ public AuthenticatedUser(String username, Collection roles, UUID id, Lis this.programRoles = programRoles; } - public ProgramUser extractProgramUser() throws DoesNotExistException { - return this.programRoles.stream().filter(pu -> this.id.equals( pu.getProgramId() ) ).findFirst().orElseThrow( () -> new DoesNotExistException( String.format("No program user found for program %s", this.id) ) ); + public ProgramUser extractProgramUser(UUID programId) throws DoesNotExistException { +// ; +// if (programRoles != null && !programRoles.isEmpty()){ +// ProgramUser firstUserRole = programRoles.get(0); +// programId = firstUserRole.getProgramId(); +// } + return this.programRoles.stream().filter(pu -> programId.equals( pu.getProgramId() ) ).findFirst().orElseThrow( () -> new DoesNotExistException( String.format("No program user found for program %s", this.id) ) ); } } 
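Review bot: The exception message in `extractProgramUser(UUID programId)` still formats `this.id`, which is the user's id, while the text says "for program"; it should be `String.format("No program user found for program %s", programId)` so logs and error responses name the right entity. The added import `com.drew.lang.annotations.NotNull` is not used in the hunk and comes from an unrelated library's package, and the commented-out block at the top of the method should be deleted rather than committed. A short Javadoc stating that the method returns the caller's membership for `programId` and throws DoesNotExistException when there is none would make the contract clear to the security rule that depends on it.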
diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java index 2ec13cee1..32852033f 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java @@ -30,6 +30,7 @@ import org.brapi.v2.model.core.BrAPITrial; import org.breedinginsight.api.auth.*; import org.breedinginsight.brapi.v2.dao.BrAPITrialDAO; +import org.breedinginsight.daos.ExperimentalCollaboratorDAO; import org.breedinginsight.daos.ProgramDAO; import org.breedinginsight.model.ProgramUser; import org.breedinginsight.model.Role; @@ -57,6 +58,8 @@ public ExperimentSecuredAnnotationRule(RolesFinder rolesFinder) { private ProgramDAO programDAO; @Inject private BrAPITrialDAO brAPITrialDAO; + @Inject + private ExperimentalCollaboratorDAO experimentalCollaboratorDAO; @Override public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch routeMatch, @Nullable Map claims) { @@ -64,7 +67,6 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); -// Map tmp = routeMatch.getVariableValues(); String programId = (String) routeMatch.getVariableValues() .get("programId"); String experimentId = (String) routeMatch.getVariableValues() 
@@ -95,25 +97,8 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (claims != null){ AuthenticatedUser user = securityService.getUser(); -// List allProgramRoles = user.getProgramRoles(); -// List systemRoles = (List) user.getRoles(); -// -// // Get program roles for given program and system roles into single list -// List userRoles = processRoles(allProgramRoles, systemRoles, programId); -// -// // Get route allowed roles -// List allowedRoles = getAllowedRoles(methodRoute); -// -// List allowedRolesString = allowedRoles -// .stream().map(ProgramSecuredRole::toString).collect(Collectors.toList()); -// -// List userRolesString = userRoles.stream() -// .map(ProgramSecuredRole::toString).collect(Collectors.toList()); -// if (userRoles.size()==1 && userRoles.get(0)==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR){ - return processExperiment(user, experimentId); -// } -// SecurityRuleResult securityRuleResult = compareRoles(allowedRolesString, userRolesString); -// return securityRuleResult; + + return processExperiment(user, experimentId, programId); } // Rejects if no claims 
@@ -124,14 +109,15 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch return SecurityRuleResult.UNKNOWN; } - private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId) throws DoesNotExistException{ - ProgramUser programUser = authenticatedUser.extractProgramUser(); + private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId, String programId) { + ProgramUser programUser = authenticatedUser.extractProgramUser(UUID.fromString(programId)); if(this.isExperimentCoordinator(programUser)){ - return SecurityRuleResult.ALLOWED; - } - else{ - return SecurityRuleResult.REJECTED; + List colaboratableExperimentIds = experimentalCollaboratorDAO.fetchExperimentIds(authenticatedUser.getId(), UUID.fromString(programId)); + if(colaboratableExperimentIds.contains( UUID.fromString(experimentId)) ){ + return SecurityRuleResult.ALLOWED; + } } + return SecurityRuleResult.REJECTED; } private boolean isExperimentCoordinator(ProgramUser programUser){ 
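Review bot: `processExperiment` ends with `return SecurityRuleResult.REJECTED` for every caller who is not solely an EXPERIMENTAL_COLLABORATOR, and since patch 05 `check()` sends every authenticated request here; as this rule is ordered ahead of the other annotation rules, the SYSTEM_ADMIN and BREEDER roles listed in `@ProgramSecured` on `getExperimentById` would never be evaluated, assuming the first non-UNKNOWN result decides. `extractProgramUser` is declared to throw DoesNotExistException, which is no longer declared or caught here, so a caller with no membership in the program (for instance one holding only a system role) produces an exception instead of a decision. I would return `SecurityRuleResult.UNKNOWN` whenever this rule has nothing to object to, which also matches the comment at the top of `check()`, and reject only a collaborator who is not assigned to the trial. `check()` starts outside the hunk.

```java
private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId, String programId) {
    ProgramUser programUser;
    try {
        programUser = authenticatedUser.extractProgramUser(UUID.fromString(programId));
    } catch (DoesNotExistException e) {
        // No membership in this program (e.g. a system-level role): defer to the later rules.
        return SecurityRuleResult.UNKNOWN;
    }
    if (!this.isExperimentCoordinator(programUser)) {
        // Not an experiment-scoped user: let the program-level rule decide.
        return SecurityRuleResult.UNKNOWN;
    }
    List<UUID> colaboratableExperimentIds = experimentalCollaboratorDAO.fetchExperimentIds(authenticatedUser.getId(), UUID.fromString(programId));
    // Only reject here; a matching assignment still has to pass the program-level role check.
    return colaboratableExperimentIds.contains(UUID.fromString(experimentId))
            ? SecurityRuleResult.UNKNOWN
            : SecurityRuleResult.REJECTED;
}
```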
@@ -141,35 +127,6 @@ private boolean isExperimentCoordinator(ProgramUser programUser){ } - public List processRoles(List allProgramRoles, List systemRoles, String programId) { - - // Check that they have a role in the program they are requesting data for - List matchedProgramRoles = allProgramRoles.stream().filter(programRole -> - programRole.getProgramId().toString().equals(programId) && programRole.getActive()).collect(Collectors.toList()); - - // Get roles of the user for the given program - List userRoles = new ArrayList<>(); - if (!matchedProgramRoles.isEmpty()){ - matchedProgramRoles.get(0).getRoles().stream() - .forEach(role -> userRoles.add(ProgramSecuredRole.getEnum(role.getDomain()))); - } - - // Add system roles to the user's roles. System roles apply to every program - systemRoles.stream().forEach(systemRole -> userRoles.add(ProgramSecuredRole.getEnum(systemRole))); - return userRoles; - } - - public List getAllowedRoles(MethodBasedRouteMatch methodRoute) { - - Optional programSecuredRoles = methodRoute.getValue(ExperimentSecured.class, "roles", ProgramSecuredRole[].class); - List allowedRoles = new ArrayList<>(); - if (programSecuredRoles.isPresent()) { - // TODO could this be allowedRoles=Arrays.asList(programSecuredRoles.get()); - allowedRoles.addAll(Arrays.asList(programSecuredRoles.get())); - } - - return allowedRoles; - } @Override public int getOrder() { return ORDER; diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index dd69d7b4a..84cd8e295 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java 
@@ -53,7 +53,7 @@ public BrAPITrialsController(SecurityService securityService, BrAPITrialService @Get("/trials{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.MEMBER, ProgramSecuredRole.BREEDER, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) public HttpResponse>>> getExperiments( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ExperimentQueryMapper.class) @Valid ExperimentQuery queryParams) { diff --git a/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java b/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java index b3ac8bbaf..09f011cda 100644 --- a/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java +++ b/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java @@ -18,12 +18,19 @@ package org.breedinginsight.daos; import lombok.extern.slf4j.Slf4j; +import org.breedinginsight.dao.db.tables.ExperimentProgramUserRoleTable; +import org.breedinginsight.dao.db.tables.ProgramUserRoleTable; import org.breedinginsight.dao.db.tables.daos.ExperimentProgramUserRoleDao; import org.jooq.Configuration; import org.jooq.DSLContext; +import org.jooq.Record; +import org.jooq.Result; import javax.inject.Inject; import javax.inject.Singleton; +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; @Slf4j @Singleton 
@@ -36,4 +43,22 @@ public ExperimentalCollaboratorDAO(Configuration config, DSLContext dsl) { super(config); this.dsl = dsl; } + public List fetchExperimentIds(UUID userId, UUID programId){ + ExperimentProgramUserRoleTable EXPERIMENT_PROGRAM_USER_ROLE = ExperimentProgramUserRoleTable.EXPERIMENT_PROGRAM_USER_ROLE; + ProgramUserRoleTable PROGRAM_USER_ROLE = ProgramUserRoleTable.PROGRAM_USER_ROLE; + + Result queryResult = + dsl.select().from(EXPERIMENT_PROGRAM_USER_ROLE) + .join(PROGRAM_USER_ROLE) + .on(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(PROGRAM_USER_ROLE.ID)) + .where(PROGRAM_USER_ROLE.USER_ID.eq(userId)).and(PROGRAM_USER_ROLE.PROGRAM_ID.eq(programId)) + .fetch(); + + List experimentIds = new ArrayList<>(queryResult.size()); + for (Record record: queryResult) { + experimentIds.add(record.getValue(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID)); + } + + return experimentIds; + } } From e65f791d72ae502b1f24d9c3601632db565c2b41 Mon Sep 17 00:00:00 2001 From: David Randolph Phillips Date: Tue, 13 Aug 2024 09:21:41 -0400 Subject: [PATCH 08/15] [BI-2055] adjusted order of SecuredAnnotationRules --- .../api/auth/ExperimentSecuredRole.java | 5 +- .../api/auth/ProgramSecuredRoleGroup.java | 2 +- .../ExperimentSecuredAnnotationRule.java | 24 +++---- .../v1/controller/ExperimentController.java | 12 ++-- .../brapi/v2/BrAPITrialsController.java | 4 +- .../daos/ExperimentalCollaboratorDAO.java | 66 +++++++++++-------- 6 files changed, 63 insertions(+), 50 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java b/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java index 80cf05675..9e20099bc 100644 --- a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java +++ b/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java 
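Review bot: `fetchExperimentIds` uses `dsl.select()` with no column list, so it fetches every column of both joined tables to read one; `dsl.select(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID)` is enough. The `where` clause matches on user and program only; if either table carries an active or soft-delete flag (ProgramUser exposes `getActive()`), the query should filter on it, otherwise a revoked assignment keeps authorizing access in ExperimentSecuredAnnotationRule. A one-line Javadoc saying the result is the set of experiments the user is assigned to within the program would help, since the rule treats it as an allow-list. The class starts outside the hunk.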
@@ -17,11 +17,8 @@ package org.breedinginsight.api.auth; -//TODO Delete this Class if not used. public enum ExperimentSecuredRole { - READ_ONLY("member"), - PROGRAM_ADMIN("breeder"), - SYSTEM_ADMIN("admin"); + EXPERIMENTAL_COLLABORATOR("Experimental Collaborator"); private String domain; diff --git a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java index 61a329927..6f88d4ddb 100644 --- a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java +++ b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java @@ -20,7 +20,7 @@ import java.util.List; public enum ProgramSecuredRoleGroup { - PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN)); + PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR)); private List programRoles; diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java index c48e89376..19417a5fa 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java 
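Review bot: Adding `ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR` to `PROGRAM_SCOPED_ROLES` in ProgramSecuredRoleGroup admits collaborators on every endpoint annotated with `roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}`, not only on the experiment endpoints this commit re-annotates. The per-experiment membership check only runs where `@ExperimentSecured` is present, so on the group-secured routes a collaborator would presumably pass with program-wide scope. I would keep the group to the program-wide roles, `PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN));`, and grant collaborator access endpoint by endpoint. If the broad grant is intended, a comment on the constant should say so and name the routes that were reviewed for it.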
@@ -40,13 +40,12 @@ import javax.inject.Inject; import javax.inject.Singleton; import java.util.*; -import java.util.stream.Collectors; @Singleton public class ExperimentSecuredAnnotationRule extends SecuredAnnotationRule { - // Executes before the SecuredAnnotationRule, and if the annotation exists, will return before the SecuredAnnotationRule can execute - public static final Integer ORDER = SecuredAnnotationRule.ORDER - 1; + // Executes before the ProgramSecuredAnnotationRule, and if the annotation exists, will return before the ProgramSecuredAnnotationRule can execute + public static final Integer ORDER = ProgramSecuredAnnotationRule.ORDER -2; public ExperimentSecuredAnnotationRule(RolesFinder rolesFinder) { super(rolesFinder); @@ -83,7 +82,7 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (!programDAO.existsById(UUID.fromString(programId))) { throw new HttpStatusException(HttpStatus.NOT_FOUND, "Program does not exist"); } - Optional trial = null; + Optional trial; try { trial = brAPITrialDAO.getTrialById(UUID.fromString(programId), UUID.fromString(experimentId)); } catch (ApiException e) { 
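Review bot: The comment above `ORDER` in ExperimentSecuredAnnotationRule no longer matches the rule's behaviour: it says the rule returns before ProgramSecuredAnnotationRule can execute whenever the annotation exists, while this same commit makes `processExperiment` return `SecurityRuleResult.UNKNOWN` for non-collaborators so that the next rule does run. Since rule precedence decides who gets in, I would reword it to `// Runs before ProgramSecuredAnnotationRule; decides only for experimental collaborators and returns UNKNOWN for everyone else so ProgramSecuredAnnotationRule still applies`. The offset changed from `- 1` to `-2` without explanation; a few words on which rule occupies the slot in between would help. Whether `getOrder()` returns this constant is outside the hunk.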
@@ -110,26 +109,29 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch } private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId, String programId) { - ProgramUser programUser = null; + ProgramUser programUserRole; try { - programUser = authenticatedUser.extractProgramUser(UUID.fromString(programId)); + programUserRole = authenticatedUser.extractProgramUser(UUID.fromString(programId)); } catch (DoesNotExistException e) { return SecurityRuleResult.UNKNOWN; } - if(this.isExperimentCoordinator(programUser)){ - List colaboratableExperimentIds = experimentalCollaboratorDAO.fetchExperimentIds(authenticatedUser.getId(), UUID.fromString(programId)); - if(colaboratableExperimentIds.contains( UUID.fromString(experimentId)) ){ + if(this.isExperimentCoordinator(programUserRole)){ + List collaborativeExperimentIds = experimentalCollaboratorDAO.getExperimentIds(programUserRole.getId(), true); + if(collaborativeExperimentIds.contains( UUID.fromString(experimentId)) ){ return SecurityRuleResult.ALLOWED; } } + else { + //Allow the next Secured Annotation to be run + return SecurityRuleResult.UNKNOWN; + } return SecurityRuleResult.REJECTED; } private boolean isExperimentCoordinator(ProgramUser programUser){ List roles = programUser.getRoles(); return (roles.size()==1 && - ProgramSecuredRole.getEnum(roles.get(0).getDomain())==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR); - + ExperimentSecuredRole.getEnum( roles.get(0).getDomain() )==ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR); } @Override diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java index 58e2d3e66..f50b26775 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java 
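Review bot: `isExperimentCoordinator` now calls `ExperimentSecuredRole.getEnum(...)`, which throws `IllegalArgumentException` for any domain it does not know, and after this commit the enum holds only `EXPERIMENTAL_COLLABORATOR`. A user whose single program role is anything else would therefore raise inside the security rule instead of reaching the new `else` branch that returns `UNKNOWN`. A plain comparison avoids that: `return roles.size()==1 && ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR.toString().equalsIgnoreCase(roles.get(0).getDomain());`. The `getEnum` body is not part of this hunk; its behaviour is taken from the enum source shown in the later rename diff.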
@@ -10,8 +10,7 @@ import io.micronaut.security.rules.SecurityRule; import lombok.extern.slf4j.Slf4j; import org.brapi.client.v2.model.exceptions.ApiException; -import org.breedinginsight.api.auth.ProgramSecured; -import org.breedinginsight.api.auth.ProgramSecuredRoleGroup; +import org.breedinginsight.api.auth.*; import org.breedinginsight.api.model.v1.request.SubEntityDatasetRequest; import org.breedinginsight.api.model.v1.response.Response; import org.breedinginsight.brapi.v2.model.request.query.ExperimentExportQuery; @@ -46,7 +45,8 @@ public ExperimentController(BrAPITrialService experimentService, ExperimentQuery } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/export{?queryParams*}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ExperimentSecured( roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR} ) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse datasetExport( @PathVariable("programId") UUID programId, @PathVariable("experimentId") UUID experimentId, @@ -74,7 +74,8 @@ public HttpResponse datasetExport( } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset/{datasetId}{?stats}") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ExperimentSecured( roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR} ) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> getDatasetData( @PathVariable("programId") UUID programId, 
@@ -131,7 +132,8 @@ public HttpResponse> createSubEntityDataset( * @throws ApiException if an error occurs while retrieving the datasets. */ @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/datasets") - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ExperimentSecured( roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR} ) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse>> getDatasets( @PathVariable("programId") UUID programId, diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 6d8af07a8..568e3a627 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java @@ -83,8 +83,8 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) - @ExperimentSecured() + @ExperimentSecured(roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR}) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, @PathVariable("trialId") UUID trialId, diff --git a/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java b/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java index e58a053c7..431d2ae00 100644 --- a/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java +++ b/src/main/java/org/breedinginsight/daos/ExperimentalCollaboratorDAO.java 
@@ -18,25 +18,20 @@ package org.breedinginsight.daos; import lombok.extern.slf4j.Slf4j; -import org.breedinginsight.dao.db.tables.ExperimentProgramUserRoleTable; -import org.breedinginsight.dao.db.tables.ProgramUserRoleTable; import org.breedinginsight.dao.db.tables.daos.ExperimentProgramUserRoleDao; import org.breedinginsight.dao.db.tables.pojos.ExperimentProgramUserRoleEntity; import org.jooq.Configuration; import org.jooq.DSLContext; -import org.jooq.Record; -import org.jooq.Result; import javax.inject.Inject; import javax.inject.Singleton; -import java.util.ArrayList; -import java.util.List; -import java.util.UUID; - import java.time.OffsetDateTime; +import java.util.List; import java.util.UUID; import static org.breedinginsight.dao.db.Tables.EXPERIMENT_PROGRAM_USER_ROLE; +import static org.breedinginsight.dao.db.Tables.PROGRAM_USER_ROLE; + @Slf4j @Singleton @@ -50,25 +45,6 @@ public ExperimentalCollaboratorDAO(Configuration config, DSLContext dsl) { this.dsl = dsl; } - public List fetchExperimentIds(UUID userId, UUID programId) { - ExperimentProgramUserRoleTable EXPERIMENT_PROGRAM_USER_ROLE = ExperimentProgramUserRoleTable.EXPERIMENT_PROGRAM_USER_ROLE; - ProgramUserRoleTable PROGRAM_USER_ROLE = ProgramUserRoleTable.PROGRAM_USER_ROLE; - - Result queryResult = - dsl.select().from(EXPERIMENT_PROGRAM_USER_ROLE) - .join(PROGRAM_USER_ROLE) - .on(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(PROGRAM_USER_ROLE.ID)) - .where(PROGRAM_USER_ROLE.USER_ID.eq(userId)).and(PROGRAM_USER_ROLE.PROGRAM_ID.eq(programId)) - .fetch(); - - List experimentIds = new ArrayList<>(queryResult.size()); - for (Record record : queryResult) { - experimentIds.add(record.getValue(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID)); - } - - return experimentIds; - } - public ExperimentProgramUserRoleEntity create(UUID experimentId, UUID programUserRoleId, UUID userId) { return dsl.insertInto(EXPERIMENT_PROGRAM_USER_ROLE) .columns(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID, 
@@ -86,4 +62,40 @@ public ExperimentProgramUserRoleEntity create(UUID experimentId, UUID programUse .returning(EXPERIMENT_PROGRAM_USER_ROLE.fields()) .fetchOneInto(ExperimentProgramUserRoleEntity.class); } + + public List fetchByProgramUserIdAndExperimentId(UUID programUserRoleId, UUID experimentId) { + // Only returns results for active program_user_role rows. + return dsl.select(EXPERIMENT_PROGRAM_USER_ROLE.fields()) + .from(EXPERIMENT_PROGRAM_USER_ROLE) + .innerJoin(PROGRAM_USER_ROLE).on(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(PROGRAM_USER_ROLE.ID)) + .where(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(programUserRoleId)) + .and(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID.eq(experimentId)) + .and(PROGRAM_USER_ROLE.ACTIVE.eq(true)) + .fetchInto(ExperimentProgramUserRoleEntity.class); + } + + public List getExperimentIds(UUID programUserRoleId, boolean activeOnly) { + // If activeOnly, this will only return results if the program_user_role row is active. + if (activeOnly) + { + return getExperimentIdsIfActive(programUserRoleId); + } + return getExperimentIds(programUserRoleId); + } + + private List getExperimentIdsIfActive(UUID programUserRoleId) { + return dsl.select(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID) + .from(EXPERIMENT_PROGRAM_USER_ROLE) + .join(PROGRAM_USER_ROLE).on(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(PROGRAM_USER_ROLE.ID)) + .where(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(programUserRoleId)) + .and(PROGRAM_USER_ROLE.ACTIVE.eq(true)) + .fetchInto(UUID.class); + } + + private List getExperimentIds(UUID programUserRoleId) { + return dsl.select(EXPERIMENT_PROGRAM_USER_ROLE.EXPERIMENT_ID) + .from(EXPERIMENT_PROGRAM_USER_ROLE) + .where(EXPERIMENT_PROGRAM_USER_ROLE.PROGRAM_USER_ROLE_ID.eq(programUserRoleId)) + .fetchInto(UUID.class); + } } From b7bc15bf6b89ff3172f6b43a2af6f07a856facf7 Mon Sep 17 00:00:00 2001 
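Review bot: `getExperimentIds(UUID, boolean)` is the lookup that `processExperiment` uses to decide access, yet nothing on the method says that `activeOnly=false` also returns experiments tied to a deactivated program_user_role row. I would replace the inline comment with Javadoc on the public method, for example `/** Experiment ids assigned to the given program_user_role; callers making access decisions must pass activeOnly=true so an inactive role grants nothing. */`. The new `fetchByProgramUserIdAndExperimentId` already expresses the single-experiment check in SQL, so the rule could call it instead of loading the whole id list and testing `contains`. The opening brace after `if (activeOnly)` sits on its own line, unlike the rest of the file.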
From: David Randolph Phillips Date: Tue, 13 Aug 2024 09:33:48 -0400 Subject: [PATCH 09/15] [BI-2055] Removed parameters from ExperimentSecuredRule --- .../org/breedinginsight/api/auth/ExperimentSecured.java | 2 +- .../api/v1/controller/ExperimentController.java | 6 +++--- .../org/breedinginsight/brapi/v2/BrAPITrialsController.java | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java b/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java index f24df2599..4a3ad5c99 100644 --- a/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java +++ b/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java @@ -25,5 +25,5 @@ @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) public @interface ExperimentSecured { - ExperimentSecuredRole[] roles() default {}; + //The only role is EXPERIMENTAL_COLLABORATOR } diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java index f50b26775..8142799c9 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java @@ -45,7 +45,7 @@ public ExperimentController(BrAPITrialService experimentService, ExperimentQuery } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/export{?queryParams*}") - @ExperimentSecured( roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR} ) + @ExperimentSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse datasetExport( 
@@ -74,7 +74,7 @@ public HttpResponse datasetExport( } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset/{datasetId}{?stats}") - @ExperimentSecured( roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR} ) + @ExperimentSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> getDatasetData( @@ -132,7 +132,7 @@ public HttpResponse> createSubEntityDataset( * @throws ApiException if an error occurs while retrieving the datasets. */ @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/datasets") - @ExperimentSecured( roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR} ) + @ExperimentSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse>> getDatasets( diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 568e3a627..7c33080b2 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java @@ -83,7 +83,7 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ExperimentSecured(roles = {ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR}) + @ExperimentSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, From ed72bc819c921297e784b3e3e729a6f189cb46fb Mon Sep 17 00:00:00 2001 
From: David Randolph Phillips Date: Tue, 13 Aug 2024 10:20:42 -0400 Subject: [PATCH 10/15] [BI-2055] renamed annotation from ExperimentSecured -> ExperimentCollaboratorSecured --- ...ava => ExperimentCollaboratorSecured.java} | 2 +- ...=> ExperimentCollaboratorSecuredRole.java} | 8 +++---- ...entCollaboratorSecuredAnnotationRule.java} | 22 ++++++++++++++----- .../v1/controller/ExperimentController.java | 6 ++--- .../brapi/v2/BrAPITrialsController.java | 2 +- 5 files changed, 25 insertions(+), 15 deletions(-) rename src/main/java/org/breedinginsight/api/auth/{ExperimentSecured.java => ExperimentCollaboratorSecured.java} (95%) rename src/main/java/org/breedinginsight/api/auth/{ExperimentSecuredRole.java => ExperimentCollaboratorSecuredRole.java} (81%) rename src/main/java/org/breedinginsight/api/auth/rules/{ExperimentSecuredAnnotationRule.java => ExperimentCollaboratorSecuredAnnotationRule.java} (87%) diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java b/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecured.java similarity index 95% rename from src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java rename to src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecured.java index 4a3ad5c99..f14dc5fce 100644 --- a/src/main/java/org/breedinginsight/api/auth/ExperimentSecured.java +++ b/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecured.java @@ -24,6 +24,6 @@ @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) -public @interface ExperimentSecured { +public @interface ExperimentCollaboratorSecured { //The only role is EXPERIMENTAL_COLLABORATOR } 
diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java b/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java similarity index 81% rename from src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java rename to src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java index 9e20099bc..9268718f5 100644 --- a/src/main/java/org/breedinginsight/api/auth/ExperimentSecuredRole.java +++ b/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java @@ -17,12 +17,12 @@ package org.breedinginsight.api.auth; -public enum ExperimentSecuredRole { +public enum ExperimentCollaboratorSecuredRole { EXPERIMENTAL_COLLABORATOR("Experimental Collaborator"); private String domain; - ExperimentSecuredRole(String domain) { + ExperimentCollaboratorSecuredRole(String domain) { this.domain = domain; } @@ -31,8 +31,8 @@ public String toString() { return domain; } - public static ExperimentSecuredRole getEnum(String domain) { - for(ExperimentSecuredRole v : values()) + public static ExperimentCollaboratorSecuredRole getEnum(String domain) { + for(ExperimentCollaboratorSecuredRole v : values()) if(v.toString().equalsIgnoreCase(domain)) return v; throw new IllegalArgumentException(); } diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java similarity index 87% rename from src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java rename to src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java index 19417a5fa..2181e7e87 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java 
@@ -42,12 +42,12 @@ import java.util.*; @Singleton -public class ExperimentSecuredAnnotationRule extends SecuredAnnotationRule { +public class ExperimentCollaboratorSecuredAnnotationRule extends SecuredAnnotationRule { // Executes before the ProgramSecuredAnnotationRule, and if the annotation exists, will return before the ProgramSecuredAnnotationRule can execute public static final Integer ORDER = ProgramSecuredAnnotationRule.ORDER -2; - public ExperimentSecuredAnnotationRule(RolesFinder rolesFinder) { + public ExperimentCollaboratorSecuredAnnotationRule(RolesFinder rolesFinder) { super(rolesFinder); } @@ -66,12 +66,19 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); + + Map tmp = routeMatch.getVariableValues(); + String programId = (String) routeMatch.getVariableValues() .get("programId"); String experimentId = (String) routeMatch.getVariableValues() - .get("trialId"); + .get("experimentId"); + if( experimentId==null) { + experimentId = (String) routeMatch.getVariableValues() + .get("trialId"); + } - if (methodRoute.hasAnnotation(ExperimentSecured.class)) { + if (methodRoute.hasAnnotation(ExperimentCollaboratorSecured.class)) { if (programId == null) { throw new HttpServerException("Endpoint does not have program id to check roles against"); } @@ -130,8 +137,11 @@ private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser private boolean isExperimentCoordinator(ProgramUser programUser){ List roles = programUser.getRoles(); - return (roles.size()==1 && - ExperimentSecuredRole.getEnum( roles.get(0).getDomain() )==ExperimentSecuredRole.EXPERIMENTAL_COLLABORATOR); + if( roles.size()!=1 ){ return false; } + String primaryRole = roles.get(0).getDomain(); + return (primaryRole != null && + primaryRole.equals( ExperimentCollaboratorSecuredRole.EXPERIMENTAL_COLLABORATOR.toString() ) + ); } @Override 
diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java index 8142799c9..f1032c867 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java @@ -45,7 +45,7 @@ public ExperimentController(BrAPITrialService experimentService, ExperimentQuery } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/export{?queryParams*}") - @ExperimentSecured + @ExperimentCollaboratorSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse datasetExport( @@ -74,7 +74,7 @@ public HttpResponse datasetExport( } @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset/{datasetId}{?stats}") - @ExperimentSecured + @ExperimentCollaboratorSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> getDatasetData( @@ -132,7 +132,7 @@ public HttpResponse> createSubEntityDataset( * @throws ApiException if an error occurs while retrieving the datasets. */ @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/datasets") - @ExperimentSecured + @ExperimentCollaboratorSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse>> getDatasets( 
diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 7c33080b2..f69b07ec4 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java @@ -83,7 +83,7 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) - @ExperimentSecured + @ExperimentCollaboratorSecured @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, From bf6f0de7f6ff6f1af0fe816c35e0b5aa4d57e4f4 Mon Sep 17 00:00:00 2001 From: David Randolph Phillips Date: Tue, 13 Aug 2024 10:34:05 -0400 Subject: [PATCH 11/15] [BI-2055] created the extractExperimentId to make more readable --- ...mentCollaboratorSecuredAnnotationRule.java | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java index 2181e7e87..771cfc136 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java @@ -35,6 +35,7 @@ import org.breedinginsight.model.ProgramUser; import org.breedinginsight.model.Role; import org.breedinginsight.services.exceptions.DoesNotExistException; +import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; import javax.inject.Inject; 
@@ -71,12 +72,7 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch String programId = (String) routeMatch.getVariableValues() .get("programId"); - String experimentId = (String) routeMatch.getVariableValues() - .get("experimentId"); - if( experimentId==null) { - experimentId = (String) routeMatch.getVariableValues() - .get("trialId"); - } + String experimentId = extractExperimentId(routeMatch); if (methodRoute.hasAnnotation(ExperimentCollaboratorSecured.class)) { if (programId == null) { @@ -115,6 +111,17 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch return SecurityRuleResult.UNKNOWN; } + private static String extractExperimentId(@NotNull RouteMatch routeMatch) { + //The endpoints can use either the "experimentId" or "trialId" parameter to pass the experiment ID + String experimentId = (String) routeMatch.getVariableValues() + .get("experimentId"); + if( experimentId==null) { + experimentId = (String) routeMatch.getVariableValues() + .get("trialId"); + } + return experimentId; + } + private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId, String programId) { ProgramUser programUserRole; try { From 760f054a6d54eeda43b8e4d225a8ffab24abc708 Mon Sep 17 00:00:00 2001 From: David Randolph Phillips Date: Tue, 13 Aug 2024 11:30:16 -0400 Subject: [PATCH 12/15] [BI-2255] cleaned up code --- .../breedinginsight/api/auth/AuthenticatedUser.java | 11 ++++------- ...ExperimentCollaboratorSecuredAnnotationRule.java | 2 -- .../auth/rules/ProgramSecuredAnnotationRule.java | 2 +- .../brapi/v2/BrAPITrialsController.java | 13 ++----------- .../brapi/v2/services/BrAPITrialService.java | 5 ----- src/main/resources/version.properties | 5 +++-- 6 files changed, 10 insertions(+), 28 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java b/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java index 2c0ed119c..b2fa128b7 100644 
--- a/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java +++ b/src/main/java/org/breedinginsight/api/auth/AuthenticatedUser.java @@ -17,7 +17,6 @@ package org.breedinginsight.api.auth; -import com.drew.lang.annotations.NotNull; import io.micronaut.security.authentication.UserDetails; import lombok.Getter; import lombok.Setter; @@ -42,11 +41,9 @@ public AuthenticatedUser(String username, Collection roles, UUID id, Lis } public ProgramUser extractProgramUser(UUID programId) throws DoesNotExistException { -// ; -// if (programRoles != null && !programRoles.isEmpty()){ -// ProgramUser firstUserRole = programRoles.get(0); -// programId = firstUserRole.getProgramId(); -// } - return this.programRoles.stream().filter(pu -> programId.equals( pu.getProgramId() ) ).findFirst().orElseThrow( () -> new DoesNotExistException( String.format("No program user found for program %s", this.id) ) ); + return this.programRoles.stream() + .filter(pu -> programId.equals( pu.getProgramId() ) ) + .findFirst() + .orElseThrow( () -> new DoesNotExistException( String.format("No program user found for program %s", this.id) ) ); } } diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java index 771cfc136..54448e68c 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java @@ -68,8 +68,6 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); - Map tmp = routeMatch.getVariableValues(); - String programId = (String) routeMatch.getVariableValues() .get("programId"); String experimentId = extractExperimentId(routeMatch); 
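Review bot: The exception message in `extractProgramUser` reads "No program user found for program %s" but formats `this.id`, which appears to be the user's id (the constructor's `UUID id`), so the error names the wrong entity when an access check fails. Passing both values makes the failure traceable: `.orElseThrow(() -> new DoesNotExistException(String.format("No program user found for user %s in program %s", this.id, programId)));`. The deleted commented-out block was also the only hint that `programRoles` may be null; if the constructor does not guarantee a non-null list, `this.programRoles.stream()` throws a NullPointerException instead of `DoesNotExistException`, which the security rule does not catch. The constructor body is outside the hunk, so that part needs confirming.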
diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java index 188c1248f..51aeabea7 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ProgramSecuredAnnotationRule.java @@ -57,7 +57,7 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); - Map tmp = routeMatch.getVariableValues(); + String programId = (String) routeMatch.getVariableValues() .get("programId"); diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index f69b07ec4..1c5f6e9b8 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java 
@@ -53,23 +53,14 @@ public BrAPITrialsController(SecurityService securityService, BrAPITrialService @Get("/trials{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>>> getExperiments( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ExperimentQueryMapper.class) @Valid ExperimentQuery queryParams) { try { log.debug("fetching trials for program: " + programId); - AuthenticatedUser authenticatedUser = securityService.getUser(); - ProgramUser programUser = authenticatedUser.extractProgramUser(programId); - List experiments = null; - if( this.isExperimentCoordinator(programUser)) { - experiments = experimentService.getExperimentsForCoordinator(programId, programUser); - } - else{ - experiments = experimentService.getExperiments(programId); - } - experiments = experiments.stream().peek(this::setDbIds).collect(Collectors.toList()); + List experiments = experimentService.getExperiments(programId).stream().peek(this::setDbIds).collect(Collectors.toList()); SearchRequest searchRequest = queryParams.constructSearchRequest(); return ResponseUtils.getBrapiQueryResponse(experiments, experimentQueryMapper, queryParams, searchRequest); } catch (ApiException e) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java b/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java index 8e2cfab7c..3bd983f96 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java +++ b/src/main/java/org/breedinginsight/brapi/v2/services/BrAPITrialService.java 
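Review bot: After this change `getExperiments` hands `experimentService.getExperiments(programId)` to every caller admitted by `PROGRAM_SCOPED_ROLES`. An earlier commit in this series added `EXPERIMENTAL_COLLABORATOR` to that group, so as of this commit a collaborator listing `/trials` would presumably see every trial in the program rather than only the assigned ones. The removed branch was a placeholder that returned the same list, so nothing is lost by deleting it, but the per-experiment restriction enforced on `/trials/{trialId}` has no counterpart on the list route. Either keep collaborators off this route with `@ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN})`, or filter the result by the ids from `ExperimentalCollaboratorDAO.getExperimentIds(programUserRoleId, true)` before building the response. The method body continues past the end of the hunk.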
@@ -102,11 +102,6 @@ public List getExperiments(UUID programId) throws ApiException, Does return trialDAO.getTrials(programId); } - public List getExperimentsForCoordinator(UUID programId, ProgramUser programUser) throws ApiException, DoesNotExistException { - - //TODO the following is just a place holder. FIX IT! - return trialDAO.getTrials(programId); - } public BrAPITrial getTrialDataByUUID(UUID programId, UUID trialId, boolean stats) throws DoesNotExistException { try { diff --git a/src/main/resources/version.properties b/src/main/resources/version.properties index 9102aac80..11a8cbe8f 100644 --- a/src/main/resources/version.properties +++ b/src/main/resources/version.properties @@ -14,5 +14,6 @@ # limitations under the License. # -version=v0.10.0+781 -versionInfo=https://github.com/Breeding-Insight/bi-api/commit/16e3768d2d06d50d0e6a3aab61f2d4067a4ee077 + +version=v0.10.0+786 +versionInfo=https://github.com/Breeding-Insight/bi-api/commit/cdd8f312aa68fb61cac90d7d3ddb4fffe63aa492 From 45fa5d4ec9e077d8b1749ac01e152e56a0f17e26 Mon Sep 17 00:00:00 2001 From: David Randolph Phillips Date: Tue, 13 Aug 2024 13:24:27 -0400 Subject: [PATCH 13/15] [BI-2255] move initialization of variable to inside if-statement --- .../rules/ExperimentCollaboratorSecuredAnnotationRule.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java index 54448e68c..74ee763a1 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java 
@@ -68,11 +68,10 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (routeMatch instanceof MethodBasedRouteMatch) { MethodBasedRouteMatch methodRoute = ((MethodBasedRouteMatch) routeMatch); - String programId = (String) routeMatch.getVariableValues() - .get("programId"); - String experimentId = extractExperimentId(routeMatch); - if (methodRoute.hasAnnotation(ExperimentCollaboratorSecured.class)) { + String programId = (String) routeMatch.getVariableValues() + .get("programId"); + String experimentId = extractExperimentId(routeMatch); if (programId == null) { throw new HttpServerException("Endpoint does not have program id to check roles against"); } From 51adb85bc7fcbbb8c8885c97fee260958015bd32 Mon Sep 17 00:00:00 2001 From: David Randolph Phillips Date: Thu, 15 Aug 2024 14:00:34 -0400 Subject: [PATCH 14/15] [BI-2255]Addressed PR-comments from Matthew --- .../ExperimentCollaboratorSecuredRole.java | 39 ------------------- .../api/auth/ProgramSecuredRoleGroup.java | 2 +- ...mentCollaboratorSecuredAnnotationRule.java | 6 +-- .../v1/controller/ExperimentController.java | 6 +-- .../api/v1/controller/ProgramController.java | 5 ++- .../brapi/v2/BrAPIStudiesController.java | 4 +- .../brapi/v2/BrAPITrialsController.java | 17 ++------ .../brapi/v2/BrAPIV2Controller.java | 5 +-- .../controllers/ImportController.java | 8 +--- 9 files changed, 21 insertions(+), 71 deletions(-) delete mode 100644 src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java diff --git a/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java b/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java deleted file mode 100644 index 9268718f5..000000000 --- a/src/main/java/org/breedinginsight/api/auth/ExperimentCollaboratorSecuredRole.java +++ /dev/null 
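Review bot: `experimentId` is now read by `extractExperimentId(routeMatch)` inside the `if` block, but only `programId` gets a null guard in the lines shown. If a route annotated with `@ExperimentCollaboratorSecured` does not bind an experiment id, the rule would go on to authorize against a null value. Whether a later line catches that is not visible, because `check` continues outside the hunk. A matching guard keeps the failure explicit: `if (experimentId == null) { throw new HttpServerException("Endpoint does not have experiment id to check roles against"); }`.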
@@ -1,39 +0,0 @@ -/* - * See the NOTICE file distributed with this work for additional information - * regarding copyright ownership. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.breedinginsight.api.auth; - -public enum ExperimentCollaboratorSecuredRole { - EXPERIMENTAL_COLLABORATOR("Experimental Collaborator"); - - private String domain; - - ExperimentCollaboratorSecuredRole(String domain) { - this.domain = domain; - } - - @Override - public String toString() { - return domain; - } - - public static ExperimentCollaboratorSecuredRole getEnum(String domain) { - for(ExperimentCollaboratorSecuredRole v : values()) - if(v.toString().equalsIgnoreCase(domain)) return v; - throw new IllegalArgumentException(); - } -} diff --git a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java index 6f88d4ddb..61a329927 100644 --- a/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java +++ b/src/main/java/org/breedinginsight/api/auth/ProgramSecuredRoleGroup.java 
@@ -20,7 +20,7 @@ import java.util.List; public enum ProgramSecuredRoleGroup { - PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR)); + PROGRAM_SCOPED_ROLES(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN)); private List programRoles; diff --git a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java index 74ee763a1..31217eac6 100644 --- a/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java +++ b/src/main/java/org/breedinginsight/api/auth/rules/ExperimentCollaboratorSecuredAnnotationRule.java @@ -97,7 +97,7 @@ public SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch if (claims != null){ AuthenticatedUser user = securityService.getUser(); - return processExperiment(user, experimentId, programId); + return checkAuthorization(user, experimentId, programId); } // Rejects if no claims @@ -119,7 +119,7 @@ private static String extractExperimentId(@NotNull RouteMatch routeMatch) { return experimentId; } - private SecurityRuleResult processExperiment(AuthenticatedUser authenticatedUser, String experimentId, String programId) { + private SecurityRuleResult checkAuthorization(AuthenticatedUser authenticatedUser, String experimentId, String programId) { ProgramUser programUserRole; try { programUserRole = authenticatedUser.extractProgramUser(UUID.fromString(programId)); 
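Review bot: `PROGRAM_SCOPED_ROLES` now leaves out `EXPERIMENTAL_COLLABORATOR`, and the constant has no comment saying the omission is deliberate. Several routes in this patch pair the group with `@ExperimentCollaboratorSecured` (the `ExperimentController` hunks and `getExperimentById`). Putting the role back into the group would therefore presumably let a collaborator through `@ProgramSecured` for any experiment in the program. A Javadoc line on the constant would record the constraint: `/** Program-wide roles only; EXPERIMENTAL_COLLABORATOR is excluded on purpose and is granted per experiment via @ExperimentCollaboratorSecured or an explicit roles list. */`.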
@@ -144,7 +144,7 @@ private boolean isExperimentCoordinator(ProgramUser programUser){ if( roles.size()!=1 ){ return false; } String primaryRole = roles.get(0).getDomain(); return (primaryRole != null && - primaryRole.equals( ExperimentCollaboratorSecuredRole.EXPERIMENTAL_COLLABORATOR.toString() ) + primaryRole.equals( ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR.toString() ) ); } diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java index f1032c867..55b63e24e 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ExperimentController.java @@ -46,7 +46,7 @@ public ExperimentController(BrAPITrialService experimentService, ExperimentQuery @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/export{?queryParams*}") @ExperimentCollaboratorSecured - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(value={"text/csv", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/octet-stream"}) public HttpResponse datasetExport( @PathVariable("programId") UUID programId, @PathVariable("experimentId") UUID experimentId, @@ -75,7 +75,7 @@ public HttpResponse datasetExport( @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/dataset/{datasetId}{?stats}") @ExperimentCollaboratorSecured - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse> getDatasetData( @PathVariable("programId") UUID programId, 
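Review bot: The comparison in `isExperimentCoordinator` now depends on `ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR.toString()` returning exactly the stored role domain. The deleted enum guaranteed that with its own `toString()`, but nothing in this patch shows it for `ProgramSecuredRole`. A mismatch in text or case would make the method return false for every collaborator and, presumably, silently change the result of `checkAuthorization`. Comparing enum values avoids the string dependency, as the helper removed from `BrAPITrialsController` did: `ProgramSecuredRole.getEnum(primaryRole) == ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR`, with the existing null check kept in front of it. The method starts above the hunk.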
@@ -133,7 +133,7 @@ public HttpResponse> createSubEntityDataset( */ @Get("/${micronaut.bi.api.version}/programs/{programId}/experiments/{experimentId}/datasets") @ExperimentCollaboratorSecured - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) @Produces(MediaType.APPLICATION_JSON) public HttpResponse>> getDatasets( @PathVariable("programId") UUID programId, diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java index 3ede5969a..ca04ef39d 100644 --- a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java @@ -88,6 +88,8 @@ public ProgramController(ProgramService programService, ProgramUserService progr @Get("/programs{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN + ,ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR }) public HttpResponse>> getPrograms( @QueryValue @QueryValid(using = ProgramQueryMapper.class) @Valid QueryParams queryParams) { @@ -107,7 +109,8 @@ public HttpResponse>> postProgramsSearch( @Get("/programs/{programId}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN + ,ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR }) @AddMetadata public HttpResponse> getProgram(@PathVariable UUID programId) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java index 45fe087a4..39a4d33dd 100644 
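Review bot: In the `ProgramController` hunk at `-88,6 +88,8`, `@ProgramSecured` is added to `GET /programs`, a route with no `{programId}` variable. The rule classes in this series read `programId` from the route variables, and the collaborator rule throws `HttpServerException` when it is null. If `ProgramSecuredAnnotationRule` behaves the same way, this listing would fail for every caller; the last patch in the series removes the annotation again. Once it is gone the method shows no rule of its own, so it is worth confirming what covers it and recording that above `getPrograms`, e.g. `// No programId on this route, so @ProgramSecured cannot be applied here`.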
--- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIStudiesController.java @@ -31,6 +31,7 @@ import org.brapi.v2.model.core.BrAPIStudy; import org.brapi.v2.model.core.response.BrAPIStudySingleResponse; import org.breedinginsight.api.auth.ProgramSecured; +import org.breedinginsight.api.auth.ProgramSecuredRole; import org.breedinginsight.api.auth.ProgramSecuredRoleGroup; import org.breedinginsight.api.model.v1.request.query.SearchRequest; import org.breedinginsight.api.model.v1.response.DataResponse; @@ -74,7 +75,8 @@ public BrAPIStudiesController(BrAPIStudyService studyService, StudyQueryMapper s @Get("/studies{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ProgramSecured( roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN + ,ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR} ) public HttpResponse>>> getStudies( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = StudyQueryMapper.class) @Valid StudyQuery queryParams) { diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java index 1c5f6e9b8..cd6dca2c3 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPITrialsController.java 
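Review bot: The four-role list on `getStudies` (`SYSTEM_ADMIN`, `READ_ONLY`, `PROGRAM_ADMIN`, `EXPERIMENTAL_COLLABORATOR`) is written out by hand here and again on `getProgram` and `getExperiments` in this patch, so the copies can drift apart when a role is added or renamed. A second group constant in `ProgramSecuredRoleGroup` would keep them in step, for example (name suggested) `PROGRAM_SCOPED_ROLES_WITH_COLLABORATOR(List.of(ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR))`, referenced through `roleGroups`. The leading comma on the continuation line also differs from the formatting of the other annotations in this series.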
@@ -39,13 +39,11 @@ public class BrAPITrialsController { private final String referenceSource; - private final SecurityService securityService; private final BrAPITrialService experimentService; private final ExperimentQueryMapper experimentQueryMapper; @Inject - public BrAPITrialsController(SecurityService securityService, BrAPITrialService experimentService, ExperimentQueryMapper experimentQueryMapper, @Property(name = "brapi.server.reference-source") String referenceSource) { - this.securityService = securityService; + public BrAPITrialsController(BrAPITrialService experimentService, ExperimentQueryMapper experimentQueryMapper, @Property(name = "brapi.server.reference-source") String referenceSource) { this.experimentService = experimentService; this.experimentQueryMapper = experimentQueryMapper; this.referenceSource = referenceSource; @@ -53,7 +51,8 @@ public BrAPITrialsController(SecurityService securityService, BrAPITrialService @Get("/trials{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) + @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN + ,ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR }) public HttpResponse>>> getExperiments( @PathVariable("programId") UUID programId, @QueryValue @QueryValid(using = ExperimentQueryMapper.class) @Valid ExperimentQuery queryParams) { @@ -75,7 +74,7 @@ public HttpResponse>>> getExperiments( @Get("/trials/{trialId}") @Produces(MediaType.APPLICATION_JSON) @ExperimentCollaboratorSecured - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse getExperimentById( @PathVariable("programId") UUID programId, @PathVariable("trialId") UUID trialId, 
@@ -120,12 +119,4 @@ private void setDbIds(BrAPITrial trial) { //TODO update locationDbId } - - private boolean isExperimentCoordinator(ProgramUser programUser){ - List roles = programUser.getRoles(); - return (roles.size()==1 && - ProgramSecuredRole.getEnum(roles.get(0).getDomain())==ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR); - - } - } diff --git a/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java b/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java index 469c3be9e..6b8f767a6 100644 --- a/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java +++ b/src/main/java/org/breedinginsight/brapi/v2/BrAPIV2Controller.java @@ -30,10 +30,7 @@ import org.brapi.v2.model.core.BrAPIServerInfo; import org.brapi.v2.model.core.BrAPIService; import org.brapi.v2.model.core.response.BrAPIServerInfoResponse; -import org.breedinginsight.api.auth.AuthenticatedUser; -import org.breedinginsight.api.auth.ProgramSecured; -import org.breedinginsight.api.auth.ProgramSecuredRoleGroup; -import org.breedinginsight.api.auth.SecurityService; +import org.breedinginsight.api.auth.*; import org.breedinginsight.brapi.v1.controller.BrapiVersion; import org.breedinginsight.model.ProgramBrAPIEndpoints; import org.breedinginsight.services.ProgramService; diff --git a/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java b/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java index cf578e206..d732da0c5 100644 --- a/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java +++ b/src/main/java/org/breedinginsight/brapps/importer/controllers/ImportController.java 
@@ -25,10 +25,7 @@ import io.micronaut.security.annotation.Secured; import io.micronaut.security.rules.SecurityRule; import lombok.extern.slf4j.Slf4j; -import org.breedinginsight.api.auth.AuthenticatedUser; -import org.breedinginsight.api.auth.ProgramSecured; -import org.breedinginsight.api.auth.ProgramSecuredRole; -import org.breedinginsight.api.auth.SecurityService; +import org.breedinginsight.api.auth.*; import org.breedinginsight.api.model.v1.response.DataResponse; import org.breedinginsight.api.model.v1.response.Response; import org.breedinginsight.api.model.v1.response.metadata.Metadata; @@ -84,7 +81,7 @@ public HttpResponse>> getImportTypes @Get("/programs/{programId}/import/mappings{?draft}") @Produces(MediaType.APPLICATION_JSON) @AddMetadata - @ProgramSecured(roles = {ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR}) + @ProgramSecured(roleGroups = {ProgramSecuredRoleGroup.PROGRAM_SCOPED_ROLES}) public HttpResponse>> getMappings(@PathVariable UUID programId, @QueryValue(defaultValue = "false") Boolean draft) { @@ -191,7 +188,6 @@ public HttpResponse> editMapping(@PathVariable UUID prog @Produces(MediaType.APPLICATION_JSON) @AddMetadata @Secured(SecurityRule.IS_ANONYMOUS) - @ProgramSecured(roles = {ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.SYSTEM_ADMIN}) public HttpResponse>> getSystemMappings(@Nullable @QueryValue String importName) { AuthenticatedUser actingUser = securityService.getUser(); From 321f8ad95a5c4c45f283469a84e0dc2bad50017b Mon Sep 17 00:00:00 2001 From: David Randolph Phillips Date: Mon, 19 Aug 2024 12:06:44 -0400 Subject: [PATCH 15/15] [BI-2255] fixed bug --- .../breedinginsight/api/v1/controller/ProgramController.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java index ca04ef39d..79dd3d796 100644 
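Review bot: Switching `getMappings` from an explicit role list to `PROGRAM_SCOPED_ROLES` changes who may read import mappings. The old list allowed `EXPERIMENTAL_COLLABORATOR` and not `READ_ONLY`, while the group as redefined in this patch allows `READ_ONLY` and not `EXPERIMENTAL_COLLABORATOR`. If that swap is not intended, keep the explicit list: `@ProgramSecured(roles = {ProgramSecuredRole.PROGRAM_ADMIN, ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR})`. In the last hunk of this file, `getSystemMappings` is left with only `@Secured(SecurityRule.IS_ANONYMOUS)` while its body calls `securityService.getUser()`. If a signed-in user is required there, `@Secured(SecurityRule.IS_AUTHENTICATED)` would state that.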
--- a/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java +++ b/src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java @@ -88,8 +88,6 @@ public ProgramController(ProgramService programService, ProgramUserService progr @Get("/programs{?queryParams*}") @Produces(MediaType.APPLICATION_JSON) - @ProgramSecured(roles = {ProgramSecuredRole.SYSTEM_ADMIN, ProgramSecuredRole.READ_ONLY, ProgramSecuredRole.PROGRAM_ADMIN - ,ProgramSecuredRole.EXPERIMENTAL_COLLABORATOR }) public HttpResponse>> getPrograms( @QueryValue @QueryValid(using = ProgramQueryMapper.class) @Valid QueryParams queryParams) {