...
A "StudyPermission" entity, with an N:1 relationship to the Study entity, with a "role" and an "action" attribute.
When an association is accepted, one or several roles are associated with that association, based on the identity of the association initiator: In the simplest version, it may be a lookup in the existing roles table with the Called AET as user_id. If the association initiator supports negotiation of the user identity in the A-Associate RQ, the user id can be used for the lookup instead of the AET. There will also be an extension point to get the roles associated with that association initiator from sources other than the roles table.
When a Study is created on receipt of its first object, permissions will be created and linked to this Study according to a configurable policy, which may consider not only the roles associated with the STORE SCU as described above, but also attributes of the object, in particular request attributes (e.g. Requesting Service) fetched from a specified MWL SCP and merged into the received object.
Consideration of Storage or Retrieve permissions is even simpler, because the operation will fail if the association initiator has not been assigned a role with the permission to perform the requested operation.
For retrieve you may have to distinguish between a 'read' permission for the Storage SCP acting as Move Destination and a 'retrieve' permission for the Move SCU.
Permissions are defined by the relationship from StudyIUID to role and actions.
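The model described above, sketched as an added example (not dcm4chee code). The class, method and policy names are hypothetical, the AETs, roles and Study IUID are constructed, and the action strings "query", "read" and "retrieve" are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StudyPermission:                      # N:1 to the Study identified by study_iuid
    study_iuid: str
    role: str
    action: str

class Archive:                              # hypothetical stand-in for the archive
    def __init__(self, roles_table, extra_roles=None):
        self.roles_table = roles_table      # user_id -> set of roles
        self.extra_roles = extra_roles      # extension point: callable(user_id) -> roles
        self.permissions, self.studies = set(), set()

    def roles_for(self, aet, user_id=None):
        """Look up roles by negotiated user id if present, otherwise by AET."""
        key = user_id if user_id is not None else aet
        roles = set(self.roles_table.get(key, ()))
        return (roles | set(self.extra_roles(key))) if self.extra_roles else roles

    def receive_first_object(self, study_iuid, scu_roles, attrs, policy):
        """Create the study's permissions once, on its first received object."""
        if study_iuid not in self.studies:
            self.studies.add(study_iuid)
            for role, action in policy(scu_roles, attrs):
                self.permissions.add(StudyPermission(study_iuid, role, action))

    def allowed(self, study_iuid, roles, action):
        """Deny by default: one of the roles must hold the action on this study."""
        return any(StudyPermission(study_iuid, r, action) in self.permissions
                   for r in roles)

    def may_move(self, study_iuid, move_scu_roles, destination_roles):
        """The Move SCU needs 'retrieve', the Move Destination needs 'read'."""
        return (self.allowed(study_iuid, move_scu_roles, "retrieve")
                and self.allowed(study_iuid, destination_roles, "read"))

def sample_policy(scu_roles, attrs):
    """Constructed policy: grant the sender's roles and the requesting service."""
    roles = set(scu_roles) | ({attrs["RequestingService"]} if attrs.get("RequestingService") else set())
    return [(r, a) for r in sorted(roles) for a in ("query", "read", "retrieve")]

if __name__ == "__main__":
    arc = Archive({"CT1": {"Radiology"}, "NEURO_WS": {"Neurosurgery"}})  # constructed
    arc.receive_first_object("1.2.3.4", arc.roles_for("CT1"),
                             {"RequestingService": "Neurosurgery"}, sample_policy)
    print(arc.may_move("1.2.3.4", arc.roles_for("NEURO_WS"), arc.roles_for("CT1")))
    print(arc.allowed("1.2.3.4", arc.roles_for("UNKNOWN_AET"), "read"))
```

An initiator with no matching role gets an empty role set, so every check on every study fails for it, which is the fail-closed behaviour the text describes.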
...
- AE Management
User ID and Password attributes are configurable for AETs that do not support user identification
- WebInterface (legacy WEB2, versions <=2.17.0)
- Configure the Web Interface for usage of study permissions:
- Enable Study Permission for WebInterface
Query, Edit and Delete restrictions are enabled by setting the following parameter in ../server/default/deploy/dcm4chee-web.war/WEB-INF/web.xml (the file has to be extracted for editing):

```xml
<init-param>
    <param-name>enableStudyPermissionCheck</param-name>
    <param-value>false</param-value>
</init-param>
```

- It is also possible to disable StudyPermissionCheck for dedicated user(s) (separated by ',') that should see all studies (e.g. to configure Study Permissions Roles).

```xml
<init-param>
    <param-name>disableStudyPermissionCheckForUser</param-name>
    <param-value>admin</param-value>
</init-param>
```
- Grant/Revoke Study Permission
Users have to be assigned to one of the following roles to be able to grant/revoke study permissions:
GrantPrivileg – Users of this role are allowed to grant/revoke study permissions for ALL studies in the archive
GrantOwnPrivileg – Users of this role are allowed to grant/revoke study permissions for those studies for which they already have read permission
- If user authentication is managed by the PACS Database these roles have to be enabled in .../dcm4chee-web/dcm4chee-webroles-cfg.xml.

```xml
<role name="client1" type="StudyPermission" descr="Role for client 1 (Radiology)"/>
<role name="client2" type="StudyPermission" descr="role for client 2 (Neurosurgery)"/>
```
- WebInterface (WEB3, versions >=2.17.1)
- Configure the Web Interface for usage of study permissions:
- Enable Study Permission for WebInterface
Log in to the jmx-console and open dcm4chee.web,service=WebConfig
manageStudyPermissions=true (Study permissions can be edited in WebInterface)
useStudyPermissions=true (Study permissions are applied according to the user's DICOM roles in WebInterface)
- Configure Study Permission (DICOM) Roles in WEB3
Log in to WEB3, navigate to the roles tab and add any desired "study permission roles" with type "Dicom"
HINT: WEB3 will automatically add DICOM roles if it discovers an unknown DICOM role while a user edits permissions for a study.
- Configure "Study Permission Edit" permissions for WEB3
Edit permissions for a role with type "Web" and set the desired study permission rights for the web interface
Please note that these rights are only offered if manageStudyPermissions=true in dcm4chee.web,service=WebConfig
Edit all study permissions
Users assigned to a role with this right are allowed to edit study permissions for ANY study in the archive
Propagate study permissions
Users assigned to a role with this right are allowed to set permissions on a study they are allowed to access for any configured "DICOM role"
Edit own study permissions
Users assigned to a role with this right are allowed to set permissions on a study they are allowed to access for the "DICOM roles" they are assigned to
series-permission.xsl sample:
...