User Roles and Permissions

Introduction

Flywheel roles and permissions provide granular access control over what data, settings, and actions are available to users.

This article explains:

  • An overview of the roles and permissions structure in Flywheel
  • How to edit a user's Site, Group, or Project role
  • What actions a user can take with each role

Learn more about creating custom project roles.

Instruction Steps

Overview

Permissions vs. Roles

  • Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
  • Role: A group of permissions that are assigned to a user. For some roles you can edit the permissions.

Site vs. Group vs. Project Roles

Roles can be assigned at the Site, Group, and Project levels. All users have a role assigned at each of these levels:

  • Site role: These roles are broad and assigned when you create a new user. In general, these roles match what the user is doing in Flywheel at a high level. The available site roles are Admin, Developer, and User. Pair these basic site roles with the more granular roles assigned at the Group and Project levels.
  • Group role: Group roles control what actions a user is permitted to take for a Group, but not for the group's projects. The available group roles are Admin, read-write, and read-only.

    Assigning a Group role to a user does not grant the user a role on Projects within that Group. Instead, assign Project roles or (Group) Project Templates.

  • Project role: Project roles control what actions a user is permitted to take for a Project. Flywheel provides 3 standard project roles that cannot be modified: Admin, read-write, and read-only. Users with the Admin site role can create and manage custom project roles for each project. Custom project roles allow fine-grained access control over Projects, which supports data confidentiality and security. Learn more about creating or editing a custom role.

Manage Site Roles

You must have the Site Admin role to manage site roles of users. The site role can be assigned when a user is created, or edited for an existing user by following these steps.

  1. Navigate to Users in the left Navigation Bar

  2. Select a user

  3. Select the Information tab

  4. Next to Role, select a role from the dropdown, and click Save

Site Admin

The Site Admin has the highest site-level permissions. Site Admins can create new Users and Groups and modify user roles and permissions site-wide. You can think of this as a superuser role.

Site Developer

Developers have site-wide permission to upload gears and restrict their availability to specific projects or users. Admins must assign Developers permissions to Groups and Projects in order for them to see data.

Site User

The User role does not carry any special permissions. Admins must assign Users permissions to specific Groups and Projects in order for them to see data.

Manage Group Roles

Group roles give users broad permissions for what they can do within a Group, but do not govern project permissions.

Note: Assigning a Group role does not automatically add users to Projects in that Group.

You must have the Group Admin or Read-Write Role to manage Group Roles for users. Group roles can be managed by following these steps.

  1. Navigate to Groups in the left Navigation Bar
  2. Select a group
  3. Select the Permissions tab
  4. Modify the group Role(s), and click Save

Group Admin

  • Manage & View Group Roles
  • Manage & View Project Template Roles
  • Manage & View Group Settings (name, tags, etc.)
  • Create New Project
    • Required for Smart Copy
  • Delete Project
  • Manage Project Settings

Group Read-Write

  • View Group Roles
  • View Project Template Roles
  • Manage & View Group Settings (name, tags, etc.)

Group Read-Only

  • View Group Roles
  • View Project Template Roles
  • View Group Settings (name, tags, etc.)

Manage Project Roles

Project roles control who can view, edit, and delete data within that Project. Only a Project Admin or a Site Admin can manage Project Roles.

Note: If you only want a user to see certain projects under a Group, you can assign the user a role in the Project without giving the user a Group role. To give the user access to a Project, but not the Group associated with the Project, add them from the Permissions screen of the Project.

To Manage Project Roles:

  1. Navigate to the Project
  2. Select the Permissions management page
  3. Modify the group Role(s), and click Save

Select a permission level for the user. See the table below for more information.

Tip: Create a project template (group configuration) to standardize project roles across a group. This configuration sets default roles when projects are created, and changes can be applied to existing projects. See our article to learn more about creating a project template.

Compare Project Roles and Permissions

Container Hierarchy (Subject/Session/Acquisition)

Permission Read-only Read-Write Admin Required
View Metadata

View all of the metadata on the project, and its subjects/sessions/acquisitions. The Web UI does not display system-controlled metadata fields which are accessible via the SDK or direct APIs.

Project Settings are not considered metadata.
x x x x
Create Hierarchy

Create new Subjects, Sessions, and Acquisitions
Required when containers are added to the Project via moving or importing. This does not give the user the ability to create a Project or copy subjects, sessions, or acquisitions into another project.
x x
Modify Metadata

Alter the Project, Subject, Session, Acquisition metadata -- labels, custom info, comments, tags, etc. Includes metadata fields unique to each container, like project description, subject type, and session age.
x x
Delete

Delete Subjects, Sessions and Acquisitions within the project
This includes:
- Files attached to the deleted container and its children
- Moving Subjects, Sessions, Acquisitions from a project
There are special considerations for deleting Device data.
x x
Delete Project

Delete the project, and all its contents.
x
Copy Project

Ability to make a Smart Copy from the project, including required project snapshots. Smart Copy must also be enabled in the project settings.
x

Analyses

Permission Read-only Read-Write Admin Required
View Metadata

View analyses and all their metadata. Applies to analyses at all levels -- Project, Subject, Session, Acquisition
x x x
Create via SDK

Also known as “Ad hoc Analyses”
Creation of an analysis without the use of an Analysis Gear (job). This is useful to track the inputs, outputs, and configuration within Flywheel of a computation task performed outside the Flywheel system.
This also controls the ability to upload "Output" files to analyses.
x x
Create via Job

Creation of an analysis via running an Analysis Gear (job). The Manage My Jobs permission is also required for the creation of the job.
x x
Modify Metadata

Alter the metadata on an analysis -- label, custom info, comments, tags, etc.
x x
Delete

When an analysis is deleted, its output files are deleted as well. For input files, only the reference is deleted, so the file at its source location is untouched.
x x

Files

Permission Read-only Read-Write Admin Required
View Metadata

View files and all their metadata. Applies to files at all levels -- Project, Subject, Session, Acquisition.
x x x x
View File Contents in Web UI

Allows file contents to be viewed from the Flywheel Web UI, both Flywheel provided and custom viewer apps.
x x x
Download File

Download files, including both single file requests, and bulk file requests (download project, subject, session, acquisition)
x x x
Create/Upload

Upload file attachments to the Project and its Subjects, Sessions, and Acquisitions. This includes both single file and bulk upload methods.

To restrict users to only single file or bulk upload methods, create a custom role with this permission disabled, and either Single File Upload/Create or Bulk File Upload enabled.

This permission is deprecated, and will be removed with Flywheel version 21.0
x x
Single File Upload/Create

Controls the ability to directly add Project/Subject/Session/Acquisition attachments. Applies to the Web UI, flywheel-sdk, CLI (upload and cp commands), Extension Applications, etc.

Introduced with Flywheel Core 19.3.0
Bulk File Upload

Controls the ability to use bulk import methods. Applies to the Bulk Import, CLI (ingest command), and custom applications using the Flywheel xfer api.

Introduced with Flywheel Core 19.3.0
Modify Metadata

Alter the metadata on a file, such as file type, modality, classification, info, etc.
x x
Move Files

Move a file to another container, or rename a file. If moving a file between projects, this permission is required on both projects.
x x
Delete Non-Device Data

Example: files that originated from running a gear.

This permission can be useful for users responsible for removing unwanted gear results, but who otherwise should not be removing other more sensitive files.
x x
Delete Device Data

Example: deleting images uploaded directly from an MR scanner, CLI Bulk Uploads (fw ingest, fw import) or direct user uploads.
x x
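
The dependencies stated in the Analyses and Files tables above can be checked mechanically when reviewing custom project roles. The following is an added example, not Flywheel code: the permission keys, role names, project names, and user are hypothetical labels for the rows on this page, not Flywheel SDK or API identifiers.

```python
# Added example. Permission keys are hypothetical labels for rows in this
# page's tables; they are not Flywheel SDK or API identifiers.
DEPRECATED = {"files.create_upload"}  # "Create/Upload" row (deprecated per this page)
REQUIRES = {"analyses.create_via_job": "jobs.manage_my_jobs"}
UPLOAD_METHODS = {"files.single_upload", "files.bulk_upload"}


def lint_role(perms):
    """Return findings for one custom project role (a set of permission keys)."""
    perms = set(perms)
    findings = []
    for p in sorted(perms & DEPRECATED):
        findings.append(f"{p}: deprecated, use a specific upload permission")
    for p, needed in sorted(REQUIRES.items()):
        if p in perms and needed not in perms:
            findings.append(f"{p}: ineffective without {needed}")
    # Create/Upload includes both methods, so it defeats a single-method restriction.
    if perms & DEPRECATED and perms & UPLOAD_METHODS:
        findings.append("upload restriction void: files.create_upload covers both methods")
    return findings


def can_move_file(user, src, dst, assignments, roles):
    """Moving a file between projects needs files.move on both projects."""
    def has_move(project):
        role = assignments.get(project, {}).get(user)
        return role is not None and "files.move" in roles.get(role, set())
    return has_move(src) and has_move(dst)


# Constructed sample data: two custom roles and per-project assignments.
ROLES = {
    "uploader": {"files.view_metadata", "files.create_upload", "files.single_upload"},
    "analyst": {"files.view_metadata", "files.move", "analyses.create_via_job"},
}
ASSIGNMENTS = {
    "study-a": {"dana@example.org": "analyst"},
    "study-b": {"dana@example.org": "uploader"},
}

if __name__ == "__main__":
    for name, perms in sorted(ROLES.items()):
        for finding in lint_role(perms):
            print(f"{name}: {finding}")
    print(can_move_file("dana@example.org", "study-a", "study-b", ASSIGNMENTS, ROLES))
```

A user with no role on a project fails the move check regardless of any Group role, which matches the rule that Group roles do not grant Project access.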

Tags

Permission Read-only Read-Write Admin Required
View Tags

View the tags assigned to the project and data within it.
x x x x
Manage Tags

Create/Modify/Delete the tags assigned to the project and data within it.
x x

Notes

Permission Read-only Read-Write Admin Required
View Notes

View the user notes added to the project and data within it.
x x x x
Manage Notes

Create/Modify/Delete your own user notes added to the project and data within it.
x x

Project Permissions

Permission Read-only Read-Write Admin Required
View Permissions

View the users and their assigned roles on the project.
x x x x
Manage Permissions

Modify the assigned user roles on the project. If the LDAP Sync service is enabled for your site, modify its configuration for the project.
x x

Project Settings

Permission Read-only Read-Write Admin Required
View Project Settings

View the details of the project's settings (Viewer Apps, De-id Profiles, Project Locking, Smart Copy)
x x x x
Manage Project Settings

Modify the project's settings (Viewer Apps, De-id Profiles, Project Locking, Smart Copy)
x

Data views

Permission Read-only Read-Write Admin Required
View Data View and Results

View the Data Views (including their contents) defined for the project.
x x x x
Manage Data Views

Create/Modify/Delete the Data Views (including their contents) defined for the project.
x x

Session Templates

Permission Read-only Read-Write Admin Required
View Session Templates and Results

View the details of the project's session template configuration, and the compliance status for each session.
x x x x
Manage Session Templates

Modify the project's Session Template configuration.
x x

Gear rules

Permission Read-only Read-Write Admin Required
View Gear Rules

View the details of the project's gear rule configuration.
x x x x
Manage Gear Rules

Modify the project's gear rules configuration.
x

Jobs (Gear Runs)

Permission Read-only Read-Write Admin Required
View Jobs

View all details for all jobs belonging to the project.
x x x x
Manage My Jobs

Create new jobs, and cancel, rerun, and update the priority of the jobs you create
x x
Manage Others' Jobs

Cancel, rerun, and update the priority of the jobs you did not create.
x

Reader Tasks

Permission Read-only Read-Write Admin Required
View Reader Tasks x x x x
Manage Reader Tasks

Create/View/Modify/Delete
x
Manage Viewer Protocol Definitions

Create/Modify/Delete Viewer Protocols
x

Read Task Annotations

Permission Read-only Read-Write Admin Required
Manage My Annotations

Create/View/Modify/Delete My Annotations
x x
View Others' Annotations

View all annotations created by any user via tasks
x
Edit Others' Annotations

Modify or delete annotations created by any user via tasks
x

Read Task Viewer Form Data

Permission Read-only Read-Write Admin Required
Manage My Viewer Form Data

Create/View/Modify/Delete My Viewer Form Responses
x x
View Others' Viewer Form Data

View all viewer form data created by any user via tasks
x
Edit Others' Viewer Form Data

Modify or delete viewer form data created by any user via tasks
x

JupyterLab

Permission Read-only Read-Write Admin Required
Read

View servers and download source code.
x x x x
Launch and Publish

Retain user source code in Flywheel.
x x
Create x x
Modify

Modify server names and settings.
x x
Delete x

Azure Machine Learning Integration

Permission Read-only Read-Write Admin Required
Read

View resources and resource details
x x x x
Modify

Modify resource descriptions
x x
Access

Access the Azure Machine Learning Studio
x x

Data Transfer

Permission Read-only Read-Write Admin Required
Manage Imports

View, Create, Modify, and Delete Project Imports and their required cloud storage configuration.
x
Manage Exports

View, Create, Modify, and Delete Project Exports and their required snapshots and cloud storage configuration.
x

Audit Trail Reports

Permission Read-only Read-Write Admin Required
Manage Audit Trail Reports

Create new reports, cancel the creation of ones in progress, and delete existing reports.
x
View Audit Trail Reports

View the list of available Audit Trail reports, and download their contents.
x