Roles and rights specification - fli-iam/shanoir-ng GitHub Wiki
Roles and rights in Shanoir
There are two levels of rights in Shanoir :
- General roles : apply globally to an user
- Study rights : apply to a user for a specific study
General roles
There are four categories of persons that uses Shanoir. Depending of their functions, they may view or edit some data while some other data should not be accessible or editable for them. Here is the list of those roles and their descriptions.
- USER : Depending on his rights on a study a user can be a researcher that want to use the collected data or an MRI operator / doctor that collects and organize the data in Shanoir. The main reason for this role is that despite his rights on any study, he is prevented from doing some operations in Shanoir that could alter the data quality (he cannot create studies or edit datasets, centers, coils, manufacturers, equipment, etc).
- EXPERT : The expert works with operators and doctors and administrate his studies. He is a trusted user that can create new studies, configure them and can edit the imported data more precisely. He can also create new entities like centers, coils, etc.
- ADMIN : The system (server instance) administrator: this role is reserved to the technical support members and give the possibility to do almost everything in Shanoir.
Study rights
In order to interact with a study, a user must be a member of it. His membership comes with certain rights.
- CAN_SEE_ALL : The member can see all the study's data.
- CAN_DOWNLOAD : The member can download data from this study.
- CAN_IMPORT : The member can import data in this study. Must come with CAN_SEE_ALL otherwise the user cannot see the data he has imported.
- CAN_ADMINISTRATE : The member can edit the study's parameters, the study's members and their rights and protocol files for this study.
- CAN_EXECUTE : The member can launch vip executions with this data as input
In case a study requires a data user agreement (DUA), each member of the study will have to accept the DUA first, before getting access to the data and using their rights below. For this reason StudyUser (the membership table in edit study) now contains a confirmed column, that shows if the current member has already accepted the DUA or not. Members where confirmed is false, can not access to any data of the study. If no DUA is required by the study, the StudyUser confirmed is true by default. For more information, please see: DUA Spec.
Note : The Shanoir UI may check automatically some rights when selecting certains rights. For instance CAN_ADMINISTRATE will check every other right.
Study membership flags
- Receive Import Mail: when this flag is true for a member of a study, this user receives a notification email for each import done within this study.
- Receive Member Mail: when this flag is true for a member of a study, this user receives a notification email each time one or more new members are added to the study.
General roles and study rights compatibility
| USER | EXPERT | ADMIN | |
|---|---|---|---|
| CAN_SEE_ALL | x | x | x |
| CAN_DOWNLOAD | x | x | x |
| CAN_IMPORT | x | x | x |
| CAN_ADMINISTRATE | x | x | x |
| CAN_EXECUTE | x | x |
Synthesis table
We assume that an ADMIN has every right
| USER | EXPERT | ||
|---|---|---|---|
| View details | CAN_SEE_ALL | CAN_SEE_ALL | |
| STUDY | Create | ✗ | ✔ |
| (incl. protocol) | Edit / Delete | ✗ | CAN_ADMINISTRATE |
| View details | CAN_SEE_ALL | CAN_SEE_ALL | |
| DATASET | Download | CAN_DOWNLOAD | CAN_DOWNLOAD |
| Delete all NIfTIs | ✗ | ✗ | |
| DATASET ACQ | Create (ds acq) | CAN_IMPORT | CAN_IMPORT |
| Execute a pipeline | ✗ | CAN_ADMINISTRATE | |
| Edit / Delete | ✗ | CAN_ADMINISTRATE | |
| View details | CAN_SEE_ALL | CAN_SEE_ALL or only names | |
| SUBJECT | Create | CAN_IMPORT | CAN_IMPORT |
| Edit | ✗ | ✗ | |
| Delete | ✗ | CAN_ADMINISTRATE | |
| View details | CAN_SEE_ALL | CAN_SEE_ALL or only names | |
| EXAMINATION | Create | CAN_IMPORT | CAN_IMPORT |
| Edit | CAN_IMPORT | CAN_IMPORT | |
| Delete | ✗ | CAN_ADMINISTRATE | |
| View details | CAN_SEE_ALL | CAN_SEE_ALL | |
| SUBJECT-STUDY | Create | CAN_IMPORT | CAN_IMPORT || CAN_ADMINISTRATE |
| Edit | CAN_IMPORT | CAN_IMPORT || CAN_ADMINISTRATE | |
| Delete | ✗ | CAN_ADMINISTRATE | |
| View details | ✔ | ✔ | |
| CENTER | Create | ✗ (✔, if via ShUp InstitutionDicom, either Excel mass import or single-exam import into studies without a study card, requires CAN_IMPORT) | ✔ |
| Edit / Delete | ✗ | ✔ | |
| View details | ✔ | ✔ | |
| EQUIPMENT | Create | ✗(✔, if via ShUp EquipmentDicom, either Excel mass import or single-exam import into studies without a study card, requires CAN_IMPORT) | ✔ |
| Edit / Delete | ✗ | ✔ | |
| View details | ✔ | CAN_SEE_ALL | |
| STUDY CARDS | Create | ✗ | CAN_ADMINISTRATE |
| Edit / Delete | ✗ | CAN_ADMINISTRATE | |
| View details | ✔ | CAN_SEE_ALL | |
| QUALITY CARDS | Create | ✗ | CAN_ADMINISTRATE |
| Edit / Delete | ✗ | CAN_ADMINISTRATE | |
| IMPORT | Import | CAN_IMPORT | CAN_IMPORT |
| View | Only names | Only names | |
| USERS | Create / Delete | ✗ | ✗ |
| Edit | Only me - Only email / name / pwd | Only me - Only email / name / pwd | |
| Approve / Refuse | CAN_ADMINISTRATE | CAN_ADMINISTRATE | |
| NIFTI CONVERTER | View | ✔ | ✔ |
| VIP EXECUTION | View pipelines | ✗ | CAN_EXECUTE |
| Create executions | ✗ | CAN_EXECUTE |