User Roles and Permissions
Introduction
Flywheel roles and permissions provide granular access control over what data, settings, and actions are available to users.
This article explains:
- An overview of the roles and permissions structure in Flywheel.
- How to edit a user's Site, Group, or Project role
- What actions a user can take with each role
Learn more about creating custom project roles.
Instruction Steps
Overview
Permissions vs. Roles
- Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
- Role: A group of permissions that are assigned to a user. For some roles you can edit the permissions.
Site vs. Group vs. Project Roles
Roles can be assigned at the Site, Group, and Project levels. All users have a role assigned at each of these levels:
- Site role: These roles are broad and assigned when you create a new user. In general, these roles match what the user is doing in Flywheel at a high level. The available site roles are Admin, Developer, and User. Pair these basic site roles with the more granular roles assigned at the Group and Project levels.
- Group role: Group roles control what actions a user is permitted to take for a Group, but not for the group's projects. The available group roles are Admin, read-write, and read-only. Assigning a Group role to a user does not grant the user a role on Projects within that Group. Instead, assign Project roles or (Group) Project Templates.
- Project role: Project roles control what actions a user is permitted to take for a Project. Flywheel provides 3 standard project roles that cannot be modified: Admin, read-write, and read-only. Users with the Admin site role can create and manage custom project roles for each project. Custom project roles provide fine-grained access control to Projects for the benefit of data confidentiality and security. Learn more about creating or editing a custom role.
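The following is an added illustration, not code from Flywheel or its SDK, of how the three role levels described above combine when deciding whether a user can see or act on a project. It encodes only the rules the article states (a Group role grants no role on the Group's projects; Create New Project belongs to Group Admin; only a Project Admin or Site Admin manages project roles) plus one labelled assumption: that a Site Admin, as the superuser role, is treated as Admin on every project and group. The users, group and project ids are constructed sample data.

```python
"""Added illustration of how Flywheel's Site, Group and Project roles combine.

Rules encoded here, as stated in the article:
  * every user has a Site role (Admin, Developer or User)
  * Group roles (Admin, read-write, read-only) govern the Group, not its projects
  * a Group role alone grants no role on the Group's projects; a Project role is needed
  * creating a new project in a Group is listed under the Group Admin role only
  * only a Project Admin or a Site Admin can manage a project's roles
Assumption (not stated in the article): a Site Admin, being the superuser role, is
treated as holding the Admin role on every project and group.
All users, group ids and project ids below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class SiteRole(Enum):
    ADMIN = "admin"
    DEVELOPER = "developer"
    USER = "user"


class GroupRole(Enum):
    ADMIN = "admin"
    READ_WRITE = "rw"
    READ_ONLY = "ro"


class ProjectRole(Enum):
    ADMIN = "admin"
    READ_WRITE = "rw"
    READ_ONLY = "ro"


@dataclass
class User:
    user_id: str
    site_role: SiteRole
    # group id -> GroupRole, e.g. {"neuro": GroupRole.READ_WRITE}
    group_roles: dict = field(default_factory=dict)
    # project id ("<group>/<project>" in this sample) -> ProjectRole
    project_roles: dict = field(default_factory=dict)


def effective_project_role(user: User, project_id: str) -> Optional[ProjectRole]:
    """Resolve the role a user holds on a project.

    Only an explicit Project role (or the Site Admin assumption) counts. The user's
    Group role is deliberately not consulted: per the article, assigning a Group role
    does not grant any role on the Group's projects.
    """
    if user.site_role is SiteRole.ADMIN:
        return ProjectRole.ADMIN  # assumption: superuser, see module docstring
    return user.project_roles.get(project_id)


def can_view_project_data(user: User, project_id: str) -> bool:
    """Any project role (read-only or higher) is enough to view the project's data."""
    return effective_project_role(user, project_id) is not None


def can_create_project(user: User, group_id: str) -> bool:
    """'Create New Project' appears only in the Group Admin permission list."""
    if user.site_role is SiteRole.ADMIN:
        return True  # assumption, see module docstring
    return user.group_roles.get(group_id) is GroupRole.ADMIN


def can_manage_project_roles(user: User, project_id: str) -> bool:
    """Only a Project Admin or a Site Admin can manage a project's roles."""
    return effective_project_role(user, project_id) is ProjectRole.ADMIN


# Constructed sample users
SITE_ADMIN = User("alice", SiteRole.ADMIN)
# A Developer given a Group role but no Project role: sees no project data
DEV_GROUP_ONLY = User("bob", SiteRole.DEVELOPER, group_roles={"neuro": GroupRole.READ_WRITE})
# A plain User given read-only on one project and nothing at the Group level
USER_ONE_PROJECT = User("carol", SiteRole.USER, project_roles={"neuro/study-a": ProjectRole.READ_ONLY})
GROUP_ADMIN = User("dave", SiteRole.USER, group_roles={"neuro": GroupRole.ADMIN})


if __name__ == "__main__":
    for u in (SITE_ADMIN, DEV_GROUP_ONLY, USER_ONE_PROJECT, GROUP_ADMIN):
        print(u.user_id,
              "| sees neuro/study-a:", can_view_project_data(u, "neuro/study-a"),
              "| can create project in neuro:", can_create_project(u, "neuro"))
```

Running the module prints one line per sample user; the point to notice is that the Developer with a Group read-write role sees no project data at all, while the User with only a project read-only role does.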
Manage Site Roles
You must have the Site Admin role to manage site roles of users. The site role can be assigned when a user is created, or edited for an existing user by following these steps.
- Navigate to Users in the left Navigation Bar
- Select a user
- Select the Information tab
- Next to Role, select a role from the dropdown, and click Save
Site Admin
The Site Admin has the highest site-level permissions. Site Admins can create new Users and Groups and modify user roles and permissions site-wide. You can think of this as a superuser role.
Site Developer
Developers have site-wide permission to upload gears and restrict their availability to specific projects or users. An Admin must assign Developers permissions on Groups and Projects before they can see data.
Site User
The User role does not carry any special permissions. An Admin must assign Users permissions on specific Groups and Projects before they can see data.
Manage Group Roles
Group roles give users broad permissions for what they can do within a Group, but do not govern project permissions.
Note: Assigning a Group role does not automatically add users to Projects in that Group.
You must have the Group Admin or Read-Write Role to manage Group Roles for users. Group roles can be managed by following these steps.
- Navigate to Groups in the left Navigation Bar
- Select a group
- Select the Permissions tab
- Modify the group Role(s), and click Save
Group Admin
- Manage & View Group Roles
- Manage & View Project Template Roles
- Manage & View Group Settings (name, tags, etc.)
- Create New Project
- Required for Smart Copy
- Delete Project
- Manage Project Settings
Group Read-Write
- View Group Roles
- View Project Template Roles
- Manage & View Group Settings (name, tags, etc.)
Group Read-Only
- View Group Roles
- View Project Template Roles
- View Group Settings (name, tags, etc.)
Manage Project Roles
Project roles control who can view, edit, and delete data within that Project. Only a Project Admin or a Site Admin can manage Project Roles.
Note: If you only want a user to see certain projects under a Group, you can assign the user a role in the Project without giving the user a Group role. To give the user access to a Project, but not the Group associated with the Project, add them from the Permissions screen of the Project.
To Manage Project Roles:
- Navigate to the Project
- Select the Permissions management page
- Modify the user's Role(s), and click Save
Select a permission level for the user. See the table below for more information.
Tip: Create a project template (group configuration) to standardize project roles across a group. This configuration sets default roles when projects are created, and changes can be applied to existing projects. See our article to learn more about creating a project template.
Compare Project Roles and Permissions
Container Hierarchy (Subject/Session/Acquisition)
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Metadata | View all of the metadata on the project and its subjects/sessions/acquisitions. The Web UI does not display system-controlled metadata fields, which are accessible via the SDK or direct APIs. Project Settings are not considered metadata. | x | x | x | x |
Create Hierarchy | Create new Subjects, Sessions, and Acquisitions. Required when containers are added to the Project via moving or importing. This does not give the user the ability to create a Project or to copy subjects, sessions, or acquisitions into another project. | | x | x | |
Modify Metadata | Alter the Project, Subject, Session, and Acquisition metadata (labels, custom info, comments, tags, etc.). Includes metadata fields unique to each container, like project description, subject type, and session age. | | x | x | |
Delete | Delete Subjects, Sessions and Acquisitions within the project. This includes files attached to the deleted container and its children, and moving Subjects, Sessions, or Acquisitions out of a project. There are special considerations for deleting Device data. | | x | x | |
Delete Project | Delete the project and all its contents. | | | x | |
Copy Project | Ability to make a Smart Copy from the project, including the required project snapshots. Smart Copy must also be enabled in the project settings. | | | x | |
Analyses
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Metadata | View analyses and all their metadata. Applies to analyses at all levels (Project, Subject, Session, Acquisition). | x | x | x | |
Create via SDK | Also known as "Ad hoc Analyses": creation of an analysis without the use of an Analysis Gear (job). This is useful to track within Flywheel the inputs, outputs, and configuration of a computation task performed outside the Flywheel system. This also controls the ability to upload "Output" files to analyses. | | x | x | |
Create via Job | Creation of an analysis by running an Analysis Gear (job). The Manage My Jobs permission is also required for the creation of the job. | | x | x | |
Modify Metadata | Alter the metadata on an analysis (label, custom info, comments, tags, etc.). | | x | x | |
Delete | Deleting an analysis also deletes its output files. For input files, only the reference is deleted, so the file at its source location is untouched. | | x | x | |
Files
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Metadata | View files and all their metadata. Applies to files at all levels (Project, Subject, Session, Acquisition). | x | x | x | x |
View File Contents in Web UI | Allows file contents to be viewed from the Flywheel Web UI, in both Flywheel-provided and custom viewer apps. | x | x | x | |
Download File | Download files, including both single file requests and bulk file requests (download project, subject, session, acquisition). | x | x | x | |
Create/Upload | Upload file attachments to the Project and its Subjects, Sessions, and Acquisitions. This includes both single file and bulk upload methods. To restrict users to only single file or bulk upload methods, create a custom role with this permission disabled and either Single File Upload/Create or Bulk File Upload enabled. This permission is deprecated and will be removed with Flywheel version 21.0. | | x | x | |
Single File Upload/Create | Controls the ability to directly add Project/Subject/Session/Acquisition attachments. Applies to the Web UI, flywheel-sdk, CLI (upload and cp commands), Extension Applications, etc. Introduced with Flywheel Core 19.3.0. | | | | |
Bulk File Upload | Controls the ability to use bulk import methods. Applies to the Bulk Import, CLI (ingest command), and custom applications using the Flywheel xfer API. Introduced with Flywheel Core 19.3.0. | | | | |
Modify Metadata | Alter the metadata on a file, such as file type, modality, classification, info, etc. | | x | x | |
Move Files | Move a file to another container, or rename a file. If moving a file between projects, this permission is required on both projects. | | x | x | |
Delete Non-Device Data | Example: files that originated from running a gear. This permission can be useful for users responsible for removing unwanted gear results who otherwise should not be removing other, more sensitive files. | | x | x | |
Delete Device Data | Example: deleting images uploaded directly from an MR scanner, CLI bulk uploads (fw ingest, fw import), or direct user uploads. | | x | x | |
Tags
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Tags | View the tags assigned to the project and data within it. | x | x | x | x |
Manage Tags | Create/Modify/Delete the tags assigned to the project and data within it. | | x | x | |
Notes
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Notes | View the user notes added to the project and data within it. | x | x | x | x |
Manage Notes | Create/Modify/Delete your own user notes added to the project and data within it. | | x | x | |
Project Permissions
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Permissions | View the users and their assigned roles on the project. | x | x | x | x |
Manage Permissions | Modify the assigned user roles on the project. If the LDAP Sync service is enabled for your site, modify its configuration for the project. | | x | x | |
Project Settings
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Project Settings | View the details of the project's settings (Viewer Apps, De-id Profiles, Project Locking, Smart Copy). | x | x | x | x |
Manage Project Settings | Modify the project's settings (Viewer Apps, De-id Profiles, Project Locking, Smart Copy). | | | x | |
Data views
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Data Views and Results | View the Data Views (including their contents) defined for the project. | x | x | x | x |
Manage Data Views | Create/Modify/Delete the Data Views (including their contents) defined for the project. | | x | x | |
Session Templates
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Session Templates and Results | View the details of the project's session template configuration, and the compliance status for each session. | x | x | x | x |
Manage Session Templates | Modify the project's Session Template configuration. | | x | x | |
Gear rules
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Gear Rules | View the details of the project's gear rule configuration. | x | x | x | x |
Manage Gear Rules | Modify the project's gear rule configuration. | | | x | |
Jobs (Gear Runs)
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Jobs | View all details for all jobs belonging to the project. | x | x | x | x |
Manage My Jobs | Create new jobs, and cancel, rerun, and update the priority of the jobs you create. | | x | x | |
Manage Others' Jobs | Cancel, rerun, and update the priority of jobs you did not create. | | | x | |
Reader Tasks
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
View Reader Tasks | | x | x | x | x |
Manage Reader Tasks | Create/View/Modify/Delete reader tasks. | | | x | |
Manage Viewer Protocol Definitions | Create/Modify/Delete Viewer Protocols. | | | x | |
Read Task Annotations
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
Manage My Annotations | Create/View/Modify/Delete my own annotations. | | x | x | |
View Others' Annotations | View all annotations created by any user via tasks. | | | x | |
Edit Others' Annotations | Modify or delete annotations created by any user via tasks. | | | x | |
Read Task Viewer Form Data
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
Manage My Viewer Form Data | Create/View/Modify/Delete my own viewer form responses. | | x | x | |
View Others' Viewer Form Data | View all viewer form data created by any user via tasks. | | | x | |
Edit Others' Viewer Form Data | Modify or delete viewer form data created by any user via tasks. | | | x | |
JupyterLab
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
Read | View servers and download source code. | x | x | x | x |
Launch and Publish | Retain user source code in Flywheel. | | x | x | |
Create | | | x | x | |
Modify | Modify server names and settings. | | x | x | |
Delete | | | | x | |
Azure Machine Learning Integration
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
Read | View resources and resource details. | x | x | x | x |
Modify | Modify resource descriptions. | | x | x | |
Access | Access the Azure Machine Learning Studio. | | x | x | |
Data Transfer
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
Manage Imports | View, Create, Modify, and Delete Project Imports and their required cloud storage configuration. | | | x | |
Manage Exports | View, Create, Modify, and Delete Project Exports and their required snapshots and cloud storage configuration. | | | x | |
Audit Trail Reports
Permission | Description | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|---|
Manage Audit Trail Reports | Create new reports, cancel the creation of reports in progress, and delete existing reports. | | | x | |
View Audit Trail Reports | View the list of available Audit Trail reports and download their contents. | | | x | |
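As an added example (not Flywheel's own code or SDK), the block below turns a subset of the Container Hierarchy and Files tables above into permission sets for the three standard roles and adds a custom-role builder of the kind the Create/Upload and Delete Non-Device Data rows describe. It assumes that a permission marked in the Required column cannot be removed from any role; the permission identifiers, the helper functions and the "gear-cleanup" role are constructed for this illustration. It also checks the Move Files rule that a cross-project move needs the permission on both projects.

```python
"""Added illustration: standard project roles as permission sets, plus a custom-role
builder that honours the article's 'Required' column.

The rows below are a subset of the Container Hierarchy and Files tables in this article.
Assumption: a permission marked Required cannot be removed from any role, standard or
custom. Permission identifiers, helper functions and the 'gear-cleanup' role are
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# (permission, read-only, read-write, admin, required), one row per table row
PERMISSION_TABLE = [
    ("view_metadata",          True,  True,  True,  True),
    ("download_file",          True,  True,  True,  False),
    ("create_hierarchy",       False, True,  True,  False),
    ("modify_metadata",        False, True,  True,  False),
    ("create_upload",          False, True,  True,  False),
    ("move_files",             False, True,  True,  False),
    ("delete_non_device_data", False, True,  True,  False),
    ("delete_device_data",     False, True,  True,  False),
    ("delete_project",         False, False, True,  False),
    ("copy_project",           False, False, True,  False),
]
KNOWN = frozenset(row[0] for row in PERMISSION_TABLE)
REQUIRED = frozenset(row[0] for row in PERMISSION_TABLE if row[4])


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

    def allows(self, permission: str) -> bool:
        """True if this role carries the permission; unknown names are an error, not False."""
        if permission not in KNOWN:
            raise ValueError(f"unknown permission: {permission}")
        return permission in self.permissions


def _column(index: int) -> frozenset:
    """All permissions marked 'x' in one role column of the table."""
    return frozenset(row[0] for row in PERMISSION_TABLE if row[index])


# The three standard roles; the article says these cannot be modified.
STANDARD_ROLES = {
    "read-only":  Role("read-only",  _column(1)),
    "read-write": Role("read-write", _column(2)),
    "admin":      Role("admin",      _column(3)),
}


def custom_role(name: str, base: str,
                disable: Iterable[str] = (), enable: Iterable[str] = ()) -> Role:
    """Derive a custom role from a standard one by switching permissions off or on.

    Raises ValueError for unknown permission names and for any attempt to disable a
    permission the article marks as Required.
    """
    disable, enable = set(disable), set(enable)
    unknown = (disable | enable) - KNOWN
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    blocked = disable & REQUIRED
    if blocked:
        raise ValueError(f"cannot disable required permissions: {sorted(blocked)}")
    permissions = (STANDARD_ROLES[base].permissions - disable) | enable
    return Role(name, frozenset(permissions))


def can_move_file_between_projects(source_role: Role, destination_role: Role) -> bool:
    """Per the Files table, a cross-project move needs Move Files on both projects."""
    return source_role.allows("move_files") and destination_role.allows("move_files")


# Constructed example: a role for users who clean up gear output but must not touch
# device data, the use case the Delete Non-Device Data row describes.
GEAR_CLEANUP = custom_role("gear-cleanup", "read-write", disable=["delete_device_data"])


if __name__ == "__main__":
    print("read-write can delete project:", STANDARD_ROLES["read-write"].allows("delete_project"))
    print("gear-cleanup permissions:", sorted(GEAR_CLEANUP.permissions))
    try:
        custom_role("broken", "read-only", disable=["view_metadata"])
    except ValueError as err:
        print("rejected:", err)
```

The builder fails closed in both directions: a typo in a permission name is rejected rather than silently ignored, and a Required permission such as View Metadata cannot be switched off, which is the property a reviewer of a custom role most wants to be sure of.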