Create Custom Roles
Introduction
Along with Flywheel's default Site and Group roles, Site Admins can create Project roles with customized permissions. These custom roles give you granular control over what data users can see, edit or delete.
Flywheel Roles and Permissions Overview
- Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
- Role: A group of permissions that you assign to a user.
Roles in Flywheel are assigned at three levels of hierarchy:
- Site
- Group
- Project
All users have a role assigned at each of these levels.
Instruction Steps
- Sign into Flywheel as a Site Admin.
- Select Roles and Permissions.
- Select an existing role from the dropdown menu or click Create a new role.
- Edit the role. Editing an existing role updates the role for any user who is currently assigned to it.
- Enable or disable permissions for the role. See below for considerations when assigning permissions. Some permissions are required so that you cannot accidentally create a role that does not allow a user to interact with Flywheel.
- Select or modify the groups where the role will be available.
- Click Save Role.
Your new custom role is now available in the projects under the group(s) that are assigned to the role. If any users are currently assigned that role, their permissions are immediately updated.
Considerations
Below are some considerations for permissions and how permissions interact with one another.
Deleting Device Data
Flywheel considers data that has entered the system through a device to be of higher importance than data created by Gears or uploaded by Users. Device data is often data from a medical device and, in some cases, does not exist in long-term storage anywhere but Flywheel.
Because this data lacks redundancy and cannot be recreated via a Gear run, permissions for deleting device data are handled separately from permissions for deleting other files in Flywheel. For example, if a user wishes to delete a Subject that has an Acquisition containing device data, this user would need both the Delete Container AND Delete Device Data permissions.
Moving containers (Subjects, Sessions, and Acquisitions)
For a user to move a container, they need the Create Container permission in the destination project and the Delete Container permission in the source project. The Delete Device Data permission (described above) is not considered, because the user is not removing the data from the system.
Deleting a Custom Role
Custom roles assigned to a user cannot be deleted or removed from a group. To delete or remove a custom role, you must first re-assign all users with that role.
Assigning Multiple Project Roles
You can assign multiple Project roles to the same user. If the two roles have conflicting permissions, Flywheel uses the enabled permission. For example, if one role restricts viewing files and the other role allows it, the user will be permitted to view files.
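The three rules above (device data needs a second permission to delete, a move needs Create in the destination and Delete in the source, and multiple roles combine so that an enabled permission wins) can be modeled as follows. This is an added example, not Flywheel code; the permission constants, role names, and project names are hypothetical labels rather than Flywheel SDK identifiers.

```python
# Added illustration: a stand-alone model of the rules described above.
# Permission and role names are hypothetical, not Flywheel SDK identifiers.
from dataclasses import dataclass, field

CREATE_CONTAINER = "create_container"
DELETE_CONTAINER = "delete_container"
DELETE_DEVICE_DATA = "delete_device_data"
VIEW_FILES = "view_files"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass
class User:
    # project name -> list of Project roles assigned to the user there
    project_roles: dict = field(default_factory=dict)

    def effective(self, project):
        """Union of all roles in the project: an enabled permission wins."""
        perms = set()
        for role in self.project_roles.get(project, []):
            perms |= role.permissions
        return perms


def can_delete_container(user, project, has_device_data):
    """Delete Container is always needed; device data adds a second gate."""
    perms = user.effective(project)
    if DELETE_CONTAINER not in perms:
        return False
    return DELETE_DEVICE_DATA in perms if has_device_data else True


def can_move_container(user, source, destination):
    """Move = Delete in source + Create in destination; device data is ignored."""
    return (DELETE_CONTAINER in user.effective(source)
            and CREATE_CONTAINER in user.effective(destination))


# Constructed sample roles and assignments
curator = Role("curator", frozenset({DELETE_CONTAINER}))
importer = Role("importer", frozenset({CREATE_CONTAINER, VIEW_FILES}))
restricted = Role("restricted", frozenset())  # nothing enabled
alice = User({"study-a": [curator], "study-b": [importer, restricted]})
```

Because roles combine by union, assigning an additional, narrower role never reduces what a user can do; reviewing access means computing the effective set across all of a user's roles in the project.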
Example Custom Roles
Below are some example use cases and the permissions the custom role should have:
Gear Developer
In this example, there is a user who is working on developing a new gear for your project. This user should be able to upload, test, and run gears in your project. They do not need to create containers or run reports.
Permission | Enabled |
---|---|
Container Hierarchy (Subject/Session/Acquisition) | |
View Metadata | x |
Create Hierarchy (required if the user is importing data; this does not give the user the ability to create a Project or copy subjects, sessions, or acquisitions into another project) | |
Modify Metadata (includes Project metadata) | x |
Delete, including Files (this includes Files and moving Subjects, Sessions, Acquisitions from a project; there are special considerations for deleting Device data) | |
Delete Project | |
Analyses | |
View Analyses Metadata | x |
Create via SDK, "Ad hoc Analyses", includes the ability to upload Files to Analysis | x |
Create via Job | x |
Modify Analyses Metadata | x |
Delete Analyses (includes Files) | x |
Files | |
View file metadata | x |
View file contents | x |
Download files | x |
Create and upload files | x |
Modify file metadata | x |
Delete non-device data (for example, data that originated from running a gear) | x |
Delete device data (for example, images uploaded directly from an MR scanner) | |
Tags | |
View Tags | x |
Manage Tags | x |
Notes | |
View Notes | x |
Manage Notes | x |
Project Permissions | |
View | x |
Manage Permissions and Services | |
Data views | |
View | x |
Manage Data Views | |
Session Templates | |
View | x |
Manage Session Templates | |
Gear rules | |
View | x |
Manage Gear Rules | x |
Jobs - Gear runs | |
View jobs (includes job metadata, configuration, and logs) | x |
Run and cancel jobs (utility) | x |
Cancel any jobs | x |
Group Administration - Projects | |
Create Projects | |
Delete Projects | |
Data Importer
Below is an example of a user role for a user who is importing data into Flywheel. We want the user to be able to create the necessary Subjects, Sessions, and Acquisitions. They do not need to run gears.
Permission | Enabled |
---|---|
Container Hierarchy (Subject/Session/Acquisition) | |
View Subject, Session, And Acquisition Metadata | x |
Create Hierarchy (required if the user is importing data; this does not give the user the ability to create a Project or copy subjects, sessions, or acquisitions into another project) | x |
Modify Metadata (includes Project metadata) | x |
Delete, including Files (this includes Files and moving Subjects, Sessions, Acquisitions from a project; there are special considerations for deleting Device data) | |
Delete Project | |
Analyses | |
View Analyses Metadata | x |
Create via SDK, "Ad hoc Analyses", includes the ability to upload Files to Analysis | |
Create via Job | |
Modify Analyses Metadata | |
Delete Analyses (includes Files) | |
Files | |
View file metadata | x |
View file contents | x |
Download files | x |
Create and upload files | x |
Modify file metadata | x |
Delete non-device data (for example, data that originated from running a gear) | |
Delete device data (for example, images uploaded directly from an MR scanner) | |
Tags | |
View Tags | x |
Manage Tags | x |
Notes | |
View Notes | x |
Manage Notes | x |
Project Permissions | |
View | x |
Manage Permissions and Services | |
Data views | |
View Data View and results | x |
Manage Data Views | |
Session Templates | |
View Session Templates and results | x |
Manage Session Templates | |
Gear rules | |
View Gear Rules | x |
Manage Gear Rules | |
Jobs - Gear runs | |
View jobs (includes job metadata, configuration, and logs) | x |
Run and cancel jobs (utility) | x |
Cancel other users and system jobs | |
Group Administration - Projects | |
Create Projects | |
Delete Projects | |