In a study, as in other containers,
folder permissions are used to control the access of users and groups to the resources in the study, including lists, wikis, reports, etc. In addition,
Study Security offers finer-grained control over access to datasets in a study. Administrators can use study security to implement important data access requirements such as cohort blinding, PHI/PII access restrictions, and control over data editing. Access can be granted by security group and, if needed, on a dataset-by-dataset basis.
Note that Enterprise Edition deployments can also
use field-level PHI annotations to control dataset access on an even finer grained level.
Two
Study Security types are supported for studies:
- Basic: Use folder permissions.
- Custom: Add dataset-level permissions to override folder permissions, making it possible for users/groups to have either higher or lower permissions on the datasets than they have on other folder resources as a whole.
- Custom, or dataset-level, security is not supported in shared studies.
This topic describes how to configure study security to meet your needs.
Study Security Types
Regardless of the security type selected, the following rules apply:
- Users with any "Administrator" role in the folder can always import, insert, update, and delete rows in every dataset.
- All dataset access requires "Reader" permission in the folder, at a minimum.
First, decide what kind of
Study Security you require.
- Will you allow editing after import? If so, choose the editable branch of the security type. Only users authorized to edit datasets will be able to do so.
- Will any users need different access to study datasets than they do for other folder resources? For example, will you have any users who should see lists and reports, but not the datasets themselves? If so, you need Custom security. If not, you can use a Basic option.
- Will any users need different access to different datasets, i.e. edit some, read-only for others? If so, you need Custom security. If not, you can use a Basic option.
Type 1: Basic Security with Read-Only Datasets
- Uses the security settings of the containing folder for dataset security.
- Only administrators can import, insert, update, or delete dataset data.
- Users assigned any "Reader" (or higher) role in the folder can read all datasets, but cannot edit, import, update, or delete them.
- This is the default security configuration when you create a new study.
Type 2: Basic Security with Editable Datasets
- Identical to Basic Security Type 1, except:
- Users assigned the "Author" role in the folder can also insert dataset data.
- Users assigned the "Editor" role in the folder can also insert, update, and delete dataset data.
- Only users with insert and update permissions will see the relevant grid controls.
Type 3: Custom Security with Read-Only Datasets
- Allows the configuration of dataset-level access.
- Only administrators can import, insert, update, or delete dataset data.
- Users with the "Reader" (or higher) role in the folder may also be granted access to read all or some of the datasets. Access is granted by group.
- No edit permissions can be granted and insert and edit options are not visible to non-admin users.
Type 4: Custom Security with Editable Datasets
- This security type is identical to Type 3, in allowing configuration of read access to some or all of the datasets to users by group. Plus:
- Author or Editor permissions on some or all of the datasets may also be granted to security groups.
Configure Study Security
Study security type is set upon study creation, and can be changed and updated at any time. Study administrators should periodically review study security settings, particularly as needs and group memberships change.
- In your study folder, click the Manage tab.
- Click Manage Security.
- On the Study Security page, select the desired Study Security Type.
- Click Update Type.
If you are using one of the
Basic types, you can skip to the
testing section. If you are using one of the
Custom types, continue in the
next section.
Group Membership and Folder Permissions
Dataset-level security is applied on a
group basis; you cannot assign dataset-level permissions to individual users.
Before proceeding, check that the groups you need exist and have the access you expect.
- Select (Admin) > Folder > Permissions.
- Check for the groups you need on the Project Groups tab.
- Switch to the Permissions tab if you also want to assign folder roles to groups. Note that this assignment does not control the group's final access to datasets, it controls their access to non-dataset resources and makes them eligible for dataset permission assignment.
- Click Save and Finish.
Configure Dataset-level Security
- Select (Admin) > Manage Study > Manage Security.
- When either Custom security type is selected, you will see a Study Security section, with a row for each site and project group.
- Specify permissions for each group using the radio buttons.
- Edit All: Members of the group may view and edit all rows in all datasets. Only shown with "Custom security with editable datasets" (Type 4).
- Read All: Members of the group may view all rows in all datasets.
- Per Dataset: Configure Per Dataset Permissions permissions as described below.
- None: This group is not granted view or edit access to datasets. Group members will only be able to view some summary data for the study, unless they are also members of a different group that is granted higher access.
- Note that these options override the general access granted at the folder level.
- A group granted "Reader" to the project may be allowed to "Edit All" datasets.
- Or, a group granted the "Editor" role in the folder may be restricted to the "Read All" role for datasets.
- Individuals who are members of multiple groups will have the highest level of dataset access conferred by the groups to which they belong.
- After using the radio buttons to specify security settings for each group, click Update to apply the settings.
- If any group assigned dataset access does not already have folder access, you will see a warning. This may not be a problem, as long as the group members are granted read access in the folder in some other way (via a different group or individually).
Below is an example configuration for custom dataset permissions.
- Several groups, including "Blinded Group" are given no access to the datasets
- Lab A Group and Lab B Group will have permissions specified per individual dataset
- The Study Group can edit all datasets.
Note the red exclamation mark at the end of the
Z Group row. As the hover text explains, this group lacks folder-level read permissions to the study itself, so group members will have the assigned access only if they have been granted the Reader role in the folder in some other manner.
Configure Per Dataset Permissions
The
Per Dataset Permissions section lets you specify access for specific datasets. This option is available only when there are groups given
Per Dataset access. For each dataset you can choose:
- None: The group members are not granted access to this dataset.
- Reader: The group members are granted read-only access to this dataset.
- Author: The group members are granted read and insert access to this dataset.
- Editor: The group members are granted read, insert, update, and delete access to this dataset.
- Note that other roles may appear in these dropdowns, depending on the modules deployed on your server.
- In the column for each group you can grant access for each individual dataset (row) by setting the dropdown to None, Reader, Author, or Editor.
Dataset-Level and Folder-Level Permissions
Folder level permissions are
overridden by dataset-level permissions. Regardless of the setting for a group at the folder level, users who are members of that group will have the assigned dataset-level permission on each dataset.
For example, using the above image of security settings, if "Lab A Group" has the "Editor" role in the study folder, they would only be able to edit datasets for which they were assigned the "Editor" role in the
Per Dataset Permissions. Other datasets are marked as either read or none, meaning they would not have "Editor" access to them. Likewise, if "Lab B Group" has only the "Reader" role in the folder, they would still be able to edit the "LabResults" dataset because of the per-dataset permission granted.
Individual users who are members of multiple groups will have the highest level of dataset permissions assigned to any of their groups.
Test Study Security
It is good practice for study administrators to test the security settings after configuring them. To do so, use impersonation of groups and individuals to ensure that users have the expected access.
Learn more in this topic:
Test Security Settings by Impersonation
Import/Export Security Policy XML
The Study Security policy framework is flexible enough to accommodate complex role and group assignment needs. Once you've created the policy you like, you can export the study security policy as an XML file. That XML file could later be imported elsewhere to repeat the same security configuration. This same file is generated and included when you
export a folder archive checking the box for
Permissions for Custom Study Security.
- Select (Admin) > Manage Study > Manage Security.
- Scroll down to the Import/Export Policy panel.
Click
Export to export the current study security settings as an xml file.
You can provide an alternate configuration by editing this file or providing your own. To import new settings, use
Browse or Choose File to select the desired studyPolicy.xml file, then click
Import.
Related Topics