
Create Custom Roles

Introduction

Along with Flywheel's default Site and Group roles, Site Admins can create Project roles with customized permissions. These custom roles give you granular control over what data users can see, edit or delete.

Flywheel Roles and Permissions Overview

  • Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
  • Role: A group of permissions that you assign to a user.

Roles in Flywheel are assigned at three levels of hierarchy:

  • Site
  • Group
  • Project

All users have a role assigned at each of these levels.

Instruction Steps

  1. Sign into Flywheel as a Site Admin.
  2. Select Roles and Permissions.
  3. Select an existing role from the dropdown menu or click Create a new role.

  4. Edit the role. Editing an existing role updates the role for any user who is currently assigned to it.

    • Enable or disable permissions for the role. See below for considerations when assigning permissions. Some permissions are required so that you cannot accidentally create a role that does not allow a user to interact with Flywheel.
    • Select or modify the groups where the role will be available.
  5. Click Save Role.
    Your new custom role is now available in the projects under the group(s) that are assigned to the role. If any users are currently assigned that role, their permissions are immediately updated.

Considerations

Below are some considerations for permissions and how permissions interact with one another.

Deleting Device Data

Flywheel considers data that has entered the system through a device to be of higher importance than data created by Gears or uploaded by Users. Device data is often data from a medical device and, in some cases, does not exist in long-term storage anywhere but Flywheel.

Because this data lacks redundancy and cannot be recreated via a Gear run, permissions for deleting device data are handled separately from permissions for deleting other files in Flywheel. For example, a user who wishes to delete a Subject that has an Acquisition containing device data needs both the Delete Container and the Delete Device Data permissions.

Moving containers (Subjects, Sessions, and Acquisitions)

To move a container, a user needs the Create Container permission in the destination project and the Delete Container permission in the source project. Device data (described above) is not considered, because the user is not removing the data from the system.

Deleting a Custom Role

Custom roles assigned to a user cannot be deleted or removed from a group. To delete or remove a custom role, you must first re-assign all users with that role.

Assigning Multiple Project Roles

You can assign multiple Project roles to the same user. If the two roles have conflicting permissions, Flywheel uses the enabled permission. For example, if one role restricts viewing files and the other role allows it, the user will be permitted to view files.
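
The three rules in this section (separate device-data deletion, moving containers, and multiple roles resolving to the enabled permission) can be modeled locally to check what a combination of roles would actually allow. This is an added example, not Flywheel code; the permission strings, class and function names are hypothetical and the sample data is constructed.

```python
# Added illustration: a local model of the rules described above.
# Permission strings and names are hypothetical, not Flywheel identifiers.
from dataclasses import dataclass, field

CREATE, DELETE, DELETE_DEVICE = "create_container", "delete_container", "delete_device_data"


@dataclass
class Container:
    name: str
    has_device_data: bool = False  # files that entered through a device
    children: list = field(default_factory=list)

    def contains_device_data(self):
        return self.has_device_data or any(c.contains_device_data() for c in self.children)


def effective(roles):
    """Multiple Project roles: a permission enabled in any role is granted."""
    return set().union(*roles)


def can_delete(roles, container):
    perms = effective(roles)
    if DELETE not in perms:
        return False
    # Device data anywhere under the container needs the separate permission too.
    return DELETE_DEVICE in perms or not container.contains_device_data()


def can_move(source_roles, dest_roles, container):
    # Delete Container in the source project, Create Container in the destination.
    # Device data is not considered: a move does not remove data from the system.
    return DELETE in effective(source_roles) and CREATE in effective(dest_roles)


# Constructed sample data
acquisition = Container("acq-1", has_device_data=True)
subject = Container("sub-1", children=[Container("ses-1", children=[acquisition])])
gear_output = Container("sub-2")
curator = {DELETE}              # may delete containers, not device data
importer = {CREATE}
device_admin = {DELETE_DEVICE}
```

Because conflicting roles resolve to the enabled permission, `can_delete([curator, device_admin], subject)` is true even though neither role alone allows it, which is the combination to look for when reviewing role assignments.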

Example Custom Roles

Below are some example use cases and the permissions the custom role should have:

Gear Developer

In this example, there is a user who is working on developing a new gear for your project. This user should be able to upload, test, and run gears in your project. They do not need to create containers or run reports.

| Category | Permission | Enabled |
|---|---|---|
| Container Hierarchy (Subject/Session/Acquisition) | View Metadata | x |
| | Create Hierarchy. Required if the user is importing data. This does not give the user the ability to create a Project or copy subjects, sessions, or acquisitions into another project. | |
| | Modify Metadata. Includes Project metadata. | x |
| | Delete, including Files. This includes Files and moving Subjects, Sessions, Acquisitions from a project. There are special considerations for deleting Device data. | |
| | Delete Project | |
| Analyses | View Analyses Metadata | x |
| | Create via SDK, "Ad hoc Analyses", includes the ability to upload Files to Analysis | x |
| | Create via Job | x |
| | Modify Analyses Metadata | x |
| | Delete Analyses. Includes Files. | x |
| Files | View file metadata | x |
| | View file contents | x |
| | Download files | x |
| | Create and upload files | x |
| | Modify file metadata | x |
| | Delete non-device data. For example, data that originated from running a gear. | x |
| | Delete device data. For example, images uploaded directly from an MR scanner. | |
| Tags | View Tags | x |
| | Manage Tags | x |
| Notes | View Notes | x |
| | Manage Notes | x |
| Project Permissions | View | x |
| | Manage Permissions and Services | |
| Data views | View | x |
| | Manage Data Views | |
| Session Templates | View | x |
| | Manage Session Templates | |
| Gear rules | View | x |
| | Manage Gear Rules | x |
| Jobs - Gear runs | View jobs. Includes job metadata, configuration, and logs. | x |
| | Run and cancel jobs (utility) | x |
| | Cancel any jobs | x |
| Group Administration - Projects | Create Projects | |
| | Delete Projects | |

Data Importer

Below is an example of a role for a user who is importing data into Flywheel. We want the user to be able to create the necessary Subjects, Sessions, and Acquisitions. They do not need to run gears.

| Category | Permission | Enabled |
|---|---|---|
| Container Hierarchy (Subject/Session/Acquisition) | View Subject, Session, And Acquisition Metadata | x |
| | Create Hierarchy. Required if the user is importing data. This does not give the user the ability to create a Project or copy subjects, sessions, or acquisitions into another project. | x |
| | Modify Metadata. Includes Project metadata. | x |
| | Delete, including Files. This includes Files and moving Subjects, Sessions, Acquisitions from a project. There are special considerations for deleting Device data. | |
| | Delete Project | |
| Analyses | View Analyses Metadata | x |
| | Create via SDK, "Ad hoc Analyses", includes the ability to upload Files to Analysis | |
| | Create via Job | |
| | Modify Analyses Metadata | |
| | Delete Analyses. Includes Files. | |
| Files | View file metadata | x |
| | View file contents | x |
| | Download files | x |
| | Create and upload files | x |
| | Modify file metadata | x |
| | Delete non-device data. For example, data that originated from running a gear. | |
| | Delete device data. For example, images uploaded directly from an MR scanner. | |
| Tags | View Tags | x |
| | Manage Tags | x |
| Notes | View Notes | x |
| | Manage Notes | x |
| Project Permissions | View | x |
| | Manage Permissions and Services | |
| Data views | View Data View and results | x |
| | Manage Data Views | |
| Session Templates | View Session Templates and results | x |
| | Manage Session Templates | |
| Gear rules | View Gear Rules | x |
| | Manage Gear Rules | |
| Jobs - Gear runs | View jobs. Includes job metadata, configuration, and logs. | x |
| | Run and cancel jobs (utility) | x |
| | Cancel other users and system jobs | |
| Group Administration - Projects | Create Projects | |
| | Delete Projects | |