Cleaning up code and bug bashing, adding in sharing settings tutorial, moving mermaid diagram, updating docstrings, expanding tests, make getting current ACL easier

Author: BryanFauble

docs/explanations/access_control.md

@@ -1,8 +1,88 @@
 # Access Control
 
-By default, data sets in Synapse are private to your user account, but they can easily be shared with specific users, groups, or the public.
+Access Control Lists (ACLs) in Synapse are the foundation of data security and sharing. They determine who can access your data and what actions they can perform. By default, all entities in Synapse are private to your user account, but they can be easily shared with specific users, groups, or made publicly accessible.
 
-See:
+## Core Concepts
 
+### Access Control Lists (ACLs)
+An ACL is a set of permissions that define what actions specific users or groups can perform on a Synapse entity. Each ACL entry specifies:
+
+- **Principal**: The user, team, or special group being granted permissions
+- **Permissions**: The specific actions they can perform
+
+### Benefactors and Inheritance
+Every entity in Synapse has a **benefactor** - the entity from which it inherits its permissions:
+
+- **Default Inheritance**: New entities inherit permissions from their parent container
+- **Local ACLs**: When you create custom sharing settings, the entity becomes its own benefactor
+- **Permission Resolution**: Synapse traverses up the hierarchy to find the benefactor with ACL settings
+
+### Permission Types
+Synapse supports several permission types that can be combined:
+
+- **READ**: View entity metadata and basic information
+- **DOWNLOAD**: Download files and data (requires READ)
+- **UPDATE**: Modify entity metadata and upload new file versions
+- **CREATE**: Create new entities within containers
+- **DELETE**: Delete entities
+- **CHANGE_PERMISSIONS**: Modify ACL permissions
+- **CHANGE_SETTINGS**: Modify entity settings
+- **MODERATE**: Moderate forum discussions (for projects)
+
+### Special Principal IDs
+Synapse provides special principals for common sharing scenarios:
+
+- **273948**: All authenticated Synapse users
+- **273949**: Public access (anyone on the internet)
+- **Specific User ID**: Individual Synapse users (e.g., 3417048)
+- **Team ID**: Synapse teams for group-based permissions
+
+## Common Use Cases
+
+### Research Collaboration
+- **Internal Teams**: Grant READ/DOWNLOAD to collaborators
+- **Data Owners**: Maintain full permissions (including UPDATE/DELETE)
+- **Public Data**: Use public principal (273949) for open datasets
+
+### Hierarchical Access Control
+- **Project Level**: Set broad permissions for the entire project
+- **Folder Level**: Override with more restrictive permissions for sensitive data
+- **File Level**: Fine-grained control for specific datasets
+
+### Data Governance
+- **Sensitive Data**: Create local ACLs with restricted access
+- **Compliance**: Use teams for role-based access control
+- **Auditing**: Use `list_acl()` to review permission structures
+
+## Best Practices
+
+1. **Use Inheritance**: Leverage the default inheritance model when possible for easier management
+2. **Minimal Local ACLs**: Only create custom ACLs when you need different permissions than the parent
+3. **Team-Based Permissions**: Use Synapse teams for group permissions rather than individual users
+4. **Regular Audits**: Periodically review ACLs using `list_acl()` to ensure appropriate access
+5. **Dry Run Testing**: Use `dry_run=True` when deleting permissions to preview changes
+6. **Documentation**: Document your permission structure for team understanding
+
+## Security Considerations
+
+- **Principle of Least Privilege**: Grant only the minimum permissions necessary
+- **Regular Reviews**: Audit permissions regularly, especially for sensitive data
+- **Team Management**: Use teams to simplify permission management and reduce errors
+- **Public Access**: Be cautious when granting public access (273949) to ensure data is appropriate for public consumption
+
+## Learn More
+
+For hands-on experience with ACL management, follow the comprehensive [Sharing Settings Tutorial](../tutorials/python/sharing_settings.md), which demonstrates all aspects of permission management using real examples.
+
+## API References
+
+### Object-Oriented Models
+- [get_permissions()][synapseclient.models.protocols.access_control_protocol.AccessControllableSynchronousProtocol.get_permissions]
+- [get_acl()][synapseclient.models.protocols.access_control_protocol.AccessControllableSynchronousProtocol.get_acl]
+- [set_permissions()][synapseclient.models.protocols.access_control_protocol.AccessControllableSynchronousProtocol.set_permissions]
+- [list_acl()][synapseclient.models.protocols.access_control_protocol.AccessControllableSynchronousProtocol.list_acl]
+- [delete_permissions()][synapseclient.models.protocols.access_control_protocol.AccessControllableSynchronousProtocol.delete_permissions]
+
+### Legacy API Methods
 - [synapseclient.Synapse.getPermissions][]
 - [synapseclient.Synapse.setPermissions][]

docs/reference/experimental/async/table.md

@@ -65,141 +65,3 @@ at your own risk.
 ::: synapseclient.models.CsvTableDescriptor
 [](){ #csv-to-pandas-df-reference-async }
 ::: synapseclient.models.mixins.table_components.csv_to_pandas_df
-
-## delete_permissions_async Flow Diagram
-
-The following sequence diagram illustrates the complete flow and function calls of the `delete_permissions_async` method:
-
-```mermaid
-sequenceDiagram
-    participant User as User/Client
-    participant Entity as Entity (File/Folder/Project)
-    participant Tracker as BenefactorTracker
-    participant SynClient as Synapse Client
-    participant API as Synapse API
-    participant Logger as Logger
-
-    User->>Entity: delete_permissions_async(params)
-
-    Note over Entity: Parameter Validation & Setup
-    Entity->>Entity: Validate entity.id exists
-    Entity->>SynClient: get_client()
-
-    alt Project Entity
-        Entity->>Logger: warn("Project ACL cannot be deleted")
-        Entity->>Entity: set include_self=False
-    end
-
-    Entity->>Entity: _normalize_target_entity_types()
-    Entity->>Tracker: create BenefactorTracker()
-
-    alt Recursive or Container Content Processing
-        Entity->>Entity: _collect_entities()
-        Note over Entity: Gather all entities to process
-
-        Entity->>Tracker: track_entity_benefactor(entity_ids)
-
-        loop For each entity_id
-            Tracker->>API: get_entity_benefactor(entity_id)
-            API-->>Tracker: benefactor_result
-        end
-
-        Note over Tracker: Build benefactor relationships
-        Tracker->>Tracker: Update entity_benefactors mapping
-        Tracker->>Tracker: Update benefactor_children mapping
-    end
-
-    alt Dry Run Mode
-        Entity->>Entity: _build_and_log_dry_run_tree()
-        Entity->>Logger: Log what would be deleted
-        Entity-->>User: Return (no actual deletion)
-    else Actual Deletion
-
-        alt Include Self
-            Entity->>Entity: _delete_current_entity_acl()
-
-            Entity->>Tracker: track_entity_benefactor([self.id])
-            Tracker->>API: get_entity_benefactor(self.id)
-            API-->>Tracker: benefactor_result
-
-            Entity->>Tracker: will_acl_deletion_affect_others(self.id)
-            Tracker-->>Entity: boolean result
-
-            alt Will Affect Others
-                Entity->>Logger: info("Deleting ACL will affect X entities")
-            end
-
-            Entity->>API: delete_entity_acl(self.id)
-
-            alt Success
-                API-->>Entity: Success
-                Entity->>Logger: debug("Deleted ACL for entity")
-                Entity->>Tracker: mark_acl_deleted(self.id)
-                Tracker->>Tracker: Update benefactor relationships
-                Tracker-->>Entity: affected_entities list
-
-                alt Has Affected Entities
-                    Entity->>Logger: info("ACL deletion caused X entities to inherit from new benefactor")
-                end
-            else HTTP Error
-                API-->>Entity: SynapseHTTPError
-                alt Already Inherits (403)
-                    Entity->>Logger: debug("Entity already inherits permissions")
-                else Other Error
-                    Entity->>Entity: raise exception
-                end
-            end
-        end
-
-        alt Process Container Contents
-            Entity->>Entity: _process_container_contents()
-
-            alt Process Files
-                loop For each file
-                    Entity->>Entity: file.delete_permissions_async(recursive=False)
-                    Note right of Entity: Recursive call for each file
-                end
-            end
-
-            alt Process Folders
-                Entity->>Entity: _process_folder_permission_deletion()
-
-                loop For each folder
-                    alt Recursive Mode
-                        Entity->>Entity: folder.delete_permissions_async(recursive=True)
-                    else Direct Mode
-                        Entity->>Entity: folder.delete_permissions_async(recursive=False)
-                    end
-                    Note right of Entity: Recursive calls for folders
-                end
-            end
-        end
-    end
-
-    Entity-->>User: Complete
-
-    Note over User,Logger: Key Features:
-    Note over User,Logger: • Async operations with asyncio.gather()
-    Note over User,Logger: • Benefactor relationship tracking
-    Note over User,Logger: • Recursive processing capabilities
-    Note over User,Logger: • Dry run mode for preview
-    Note over User,Logger: • Error handling for inheritance conflicts
-    Note over User,Logger: • Cascading permission updates
-```
-
-### Key Components:
-
-- **Entity**: The primary object (File, Folder, Project) whose permissions are being deleted
-- **BenefactorTracker**: Manages benefactor relationships and tracks cascading changes
-- **Synapse Client**: Handles API communication and logging
-- **Synapse API**: REST endpoints for ACL operations (`delete_entity_acl`, `get_entity_benefactor`)
-- **Logger**: Records operations, warnings, and debug information
-
-### Flow Highlights:
-
-1. **Validation Phase**: Parameter validation and client setup
-2. **Collection Phase**: Gathering entities for recursive operations
-3. **Tracking Phase**: Parallel benefactor relationship discovery
-4. **Preview Phase**: Dry run mode shows what would be deleted
-5. **Deletion Phase**: Actual ACL deletions with error handling
-6. **Cascading Phase**: Updates benefactor relationships for affected entities

docs/reference/experimental/mixins/access_controllable.md

@@ -1,3 +1,147 @@
 # AccessControllable
 
+## delete_permissions Flow Diagram
+
+The following sequence diagram illustrates the complete flow and function calls of the `delete_permissions` method:
+
+```mermaid
+sequenceDiagram
+    participant User as User/Client
+    participant Entity as Entity (File/Folder/Project)
+    participant Tracker as BenefactorTracker
+    participant SynClient as Synapse Client
+    participant API as Synapse API
+    participant Logger as Logger
+
+    User->>Entity: delete_permissions(params)
+
+    Note over Entity: Parameter Validation & Setup
+    Entity->>Entity: Validate entity.id exists
+    Entity->>SynClient: get_client()
+
+    alt Project Entity
+        Entity->>Logger: warn("Project ACL cannot be deleted")
+        Entity->>Entity: set include_self=False
+    end
+
+    Entity->>Entity: _normalize_target_entity_types()
+    Entity->>Tracker: create BenefactorTracker()
+
+    alt Recursive or Container Content Processing
+        Entity->>Entity: _collect_entities()
+        Note over Entity: Gather all entities to process
+
+        Entity->>Tracker: track_entity_benefactor(entity_ids)
+
+        loop For each entity_id
+            Tracker->>API: get_entity_benefactor(entity_id)
+            API-->>Tracker: benefactor_result
+        end
+
+        Note over Tracker: Build benefactor relationships
+        Tracker->>Tracker: Update entity_benefactors mapping
+        Tracker->>Tracker: Update benefactor_children mapping
+    end
+
+    alt Dry Run Mode
+        Entity->>Entity: _build_and_log_dry_run_tree()
+        Entity->>Logger: Log what would be deleted
+        Entity-->>User: Return (no actual deletion)
+    else Actual Deletion
+
+        alt Include Self
+            Entity->>Entity: _delete_current_entity_acl()
+
+            Entity->>Tracker: track_entity_benefactor([self.id])
+            Tracker->>API: get_entity_benefactor(self.id)
+            API-->>Tracker: benefactor_result
+
+            Entity->>Tracker: will_acl_deletion_affect_others(self.id)
+            Tracker-->>Entity: boolean result
+
+            alt Will Affect Others
+                Entity->>Logger: info("Deleting ACL will affect X entities")
+            end
+
+            Entity->>API: delete_entity_acl(self.id)
+
+            alt Success
+                API-->>Entity: Success
+                Entity->>Logger: debug("Deleted ACL for entity")
+                Entity->>Tracker: mark_acl_deleted(self.id)
+                Tracker->>Tracker: Update benefactor relationships
+                Tracker-->>Entity: affected_entities list
+
+                alt Has Affected Entities
+                    Entity->>Logger: info("ACL deletion caused X entities to inherit from new benefactor")
+                end
+            else HTTP Error
+                API-->>Entity: SynapseHTTPError
+                alt Already Inherits (403)
+                    Entity->>Logger: debug("Entity already inherits permissions")
+                else Other Error
+                    Entity->>Entity: raise exception
+                end
+            end
+        end
+
+        alt Process Container Contents
+            Entity->>Entity: _process_container_contents()
+
+            alt Process Files
+                loop For each file
+                    Entity->>Entity: file.delete_permissions_async(recursive=False)
+                    Note right of Entity: Recursive call for each file
+                end
+            end
+
+            alt Process Folders
+                Entity->>Entity: _process_folder_permission_deletion()
+
+                loop For each folder
+                    alt Recursive Mode
+                        Entity->>Entity: folder.delete_permissions_async(recursive=True)
+                    else Direct Mode
+                        Entity->>Entity: folder.delete_permissions_async(recursive=False)
+                    end
+                    Note right of Entity: Recursive calls for folders
+                end
+            end
+        end
+    end
+
+    Entity-->>User: Complete
+
+    Note over User,Logger: Key Features:
+    Note over User,Logger: • Async operations with asyncio.gather()
+    Note over User,Logger: • Benefactor relationship tracking
+    Note over User,Logger: • Recursive processing capabilities
+    Note over User,Logger: • Dry run mode for preview
+    Note over User,Logger: • Error handling for inheritance conflicts
+    Note over User,Logger: • Cascading permission updates
+```
+
+### Key Components:
+
+- **Entity**: The primary object (File, Folder, Project) whose permissions are being deleted
+- **BenefactorTracker**: Manages benefactor relationships and tracks cascading changes
+- **Synapse Client**: Handles API communication and logging
+- **Synapse API**: REST endpoints for ACL operations (`delete_entity_acl`, `get_entity_benefactor`)
+- **Logger**: Records operations, warnings, and debug information
+
+### Flow Highlights:
+
+1. **Validation Phase**: Parameter validation and client setup
+2. **Collection Phase**: Gathering entities for recursive operations
+3. **Tracking Phase**: Parallel benefactor relationship discovery
+4. **Preview Phase**: Dry run mode shows what would be deleted
+5. **Deletion Phase**: Actual ACL deletions with error handling
+6. **Cascading Phase**: Updates benefactor relationships for affected entities
+
+
 ::: synapseclient.models.mixins.AccessControllable
+
+---
+
+
+::: synapseclient.models.protocols.access_control_protocol.AccessControllableSynchronousProtocol