User Roles and Permissions
Introduction
Flywheel roles and permissions provide granular access control over what data, settings, and actions are available to users.
This article explains:
- An overview of the roles and permissions structure in Flywheel.
- How to edit a user's Site, Group, or Project role
- What actions a user can take with each role
Learn more about creating custom project roles.
Instruction Steps
Overview
Permissions vs. Roles
- Permission: Enables or disables the ability to perform one specific action in Flywheel. For example, adding notes to a Project is a single permission.
- Role: A named group of permissions assigned to a user. The standard roles are fixed; only custom project roles have editable permissions.
Site vs. Group vs. Project Roles
Roles can be assigned at the Site, Group, and Project levels, and every user has a role at each of these levels:
- Site role: Broad roles assigned when a user is created that match what the user does in Flywheel at a high level. The available site roles are Admin, Developer, and User. The Developer and User site roles do not grant access to data by themselves; pair them with the more granular roles assigned at the Group and Project levels.
- Group role: Controls what actions a user may take on a Group, but not on the Group's projects. The available group roles are Admin, read-write, and read-only. Assigning a Group role does not grant the user any role on Projects within that Group; to grant project access, assign Project roles directly or through a (Group) Project Template.
- Project role: Controls what actions a user may take on a Project. Flywheel provides 3 standard project roles that cannot be modified: Admin, read-write, and read-only. Users with the Admin site role can also create and manage custom project roles for each project; custom roles give fine-grained access control over a Project for data confidentiality and security. Learn more about creating or editing a custom role.
Manage Site Roles
You must have the Site Admin role to manage users' site roles. A site role is assigned when a user is created; to change it for an existing user:
- Navigate to Users in the left Navigation Bar
- Select the user
- Select the Information tab
- Next to Role, select a role from the dropdown, and click Save
Site Admin
The Site Admin has the highest site-level permissions. Site Admins can create new Users and Groups and modify user roles and permissions site-wide. You can think of this as a superuser role.
Site Developer
Developers have site-wide permission to upload gears and to restrict a gear's availability to specific projects or users. The Developer role grants no access to data by itself: a Site Admin must still assign the Developer roles on Groups and Projects before the Developer can see data.
Site User
The User role carries no special permissions. A Site Admin must assign Users roles on specific Groups and Projects before they can see data.
Manage Group Roles
Group roles give users broad permissions for what they can do within a Group, but do not govern project permissions.
Note: Assigning a Group role does not automatically add users to Projects in that Group.
You must have the Group Admin role to manage Group Roles for users; Group Read-Write and Read-Only users can only view them (see the role comparison below). Group roles can be managed by following these steps.
- Navigate to Groups in the left Navigation Bar
- Select a group
- Select the Permissions tab
- Modify the group Role(s), and click Save
Group Admin
- Manage & View Group Roles
- Manage & View Project Template Roles
- Manage & View Group Settings (name, tags, etc.)
- Create New Project
- Required for Smart Copy
- Delete Project
- Manage Project Settings
Group Read-Write
- View Group Roles
- View Project Template Roles
- Manage & View Group Settings (name, tags, etc.)
Group Read-Only
- View Group Roles
- View Project Template Roles
- View Group Settings (name, tags, etc.)
Manage Project Roles
Project roles control who can view, edit, and delete data within that Project. Only a Project Admin or a Site Admin can manage Project Roles.
Note: If you want a user to see only certain projects under a Group, assign the user a role on those Projects without giving the user a Group role. To grant access to a Project but not to the Group that contains it, add the user from the Permissions screen of the Project.
To Manage Project Roles:
- Navigate to the Project
- Select the Permissions management page
- Modify the user's project Role(s), and click Save
Select a role for the user; see the table below for what each role permits.
Tip: Create a project template (a group configuration) to standardize project roles across a group. The template sets default roles when new projects are created, and changes to it can be applied to existing projects. See our article to learn more about creating a project template.
Compare Project Roles and Permissions
Permission | Read-only | Read-Write | Admin | Required |
---|---|---|---|---|
Container Hierarchy (Subject/Session/Acquisition) | | | | |
View Metadata: view metadata on projects, subjects, sessions, and acquisitions | x | x | x | x |
Create Hierarchy: create new Subjects, Sessions, and Acquisitions. Required when containers are added to the Project by moving or importing. Does not allow creating a Project or copying subjects, sessions, or acquisitions into another project | | x | x | |
Modify Metadata: includes Project metadata | | x | x | |
Delete, including Files: covers files attached to the deleted container and its children, and moving Subjects, Sessions, or Acquisitions out of a project. There are special considerations for deleting Device data (see Files below) | | x | x | |
Delete Project | | | x | |
Copy Project | | | x | |
Analyses | | | | |
View Metadata | x | x | x | |
Create via SDK: "ad hoc" analyses, including uploading files to an Analysis | | x | x | |
Create via Job: creates an Analysis via a Job/Gear | | x | x | |
Modify Metadata | | x | x | |
Delete: includes Analysis output files | | x | x | |
Files | | | | |
View Metadata | x | x | x | x |
View File Contents in Web UI: includes single-file download APIs | x | x | x | |
Download File: includes single and bulk file download APIs | x | x | x | |
Create/Upload | | x | x | |
Modify Metadata | | x | x | |
Move Files | | x | x | |
Delete Non-Device Data: for example, files that originated from running a gear | | x | x | |
Delete Device Data: for example, images uploaded directly from an MR scanner | | x | x | |
Tags | | | | |
View Tags | x | x | x | x |
Manage Tags: create/modify/delete | | x | x | |
Notes | | | | |
View Notes | x | x | x | x |
Manage Notes: create/modify/delete | | x | x | |
Project Permissions | | | | |
View Permissions | x | x | x | x |
Manage Permissions and Services: create/modify/delete | | | x | |
Project Settings | | | | |
View Project Settings | x | x | x | x |
Manage Project Settings | | | x | |
Data Views | | | | |
View Data Views and Results | x | x | x | x |
Manage Data Views: create/modify/delete | | x | x | |
Session Templates | | | | |
View Session Templates and Results | x | x | x | x |
Manage Session Templates: create/modify/delete | | x | x | |
Gear Rules | | | | |
View Gear Rules | x | x | x | x |
Manage Gear Rules: create/modify/delete | | | x | |
Jobs (Gear Runs) | | | | |
View Jobs: view metadata, configuration, logs, etc. for my projects | x | x | x | x |
Manage My Jobs: run/cancel/prioritize my jobs | | x | x | |
Manage Others' Jobs: cancel/prioritize others' jobs | | | x | |
Reader Tasks | | | | |
View Reader Tasks | x | x | x | x |
Manage Reader Tasks: create/view/modify/delete | | | x | |
Manage Viewer Protocol Definitions: create/modify/delete viewer protocols | | | x | |
Reader Task Annotations | | | | |
Manage My Annotations: create/view/modify/delete my annotations | | x | x | |
View Others' Annotations: view all annotations created by any user via tasks | | | x | |
Edit Others' Annotations: modify or delete annotations created by any user via tasks | | | x | |
Reader Task Viewer Form Data | | | | |
Manage My Viewer Form Data: create/view/modify/delete my viewer form responses | | x | x | |
View Others' Viewer Form Data: view all viewer form data created by any user via tasks | | | x | |
Edit Others' Viewer Form Data: modify or delete viewer form data created by any user via tasks | | | x | |
JupyterLab | | | | |
Read: view servers and download source code | x | x | x | x |
Launch and Publish: retain user source code in Flywheel | | x | x | |
Create | | x | x | |
Modify: modify server names and settings | | x | x | |
Delete | | | x | |
Azure Machine Learning Integration | | | | |
Read: view resources and resource details | x | x | x | x |
Modify: modify resource descriptions | | x | x | |
Access: access the Azure Machine Learning Studio | | x | x | |
Data Transfer | | | | |
Manage Imports: data import storage and operations | | | x | |
Manage Exports: data export storage and operations | | | x | |
Audit Trail Reports | | | | |
Manage Audit Trail Reports: create and delete | | | x | |
View Audit Trail Reports | | | x | |
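The following Python is an added worked example, not Flywheel code or the Flywheel SDK. It models the access rules this page describes: the three standard project roles as nested permission sets taken from the table above, the rule from the Overview that a Group role never grants access to the Group's Projects, the Developer and User site roles granting no data access on their own, and a least-privilege helper that picks the smallest standard role covering a set of needed actions. The names User, effective_permissions, can, least_standard_role and validate_custom_role are hypothetical; treating a Site Admin as holding the Admin permission set on every project, and reading the "Required" column as permissions every role (custom roles included) must carry, are assumptions, and the users at the bottom are constructed for the example.

```python
"""Model of Flywheel's site / group / project role structure.

Added illustration only: not Flywheel's own code or SDK. Role names and
permission sets follow the comparison table on this page; the helper
names (User, effective_permissions, can, least_standard_role,
validate_custom_role) are hypothetical, and the users at the bottom are
constructed for the example.
"""
from dataclasses import dataclass, field

# Permissions the table marks "Required". This example reads that column
# as: every role, custom roles included, must carry them (an assumption;
# the page does not define the column).
REQUIRED = frozenset({
    "view_metadata", "view_file_metadata", "view_tags", "view_notes",
    "view_permissions", "view_project_settings", "view_data_views",
    "view_session_templates", "view_gear_rules", "view_jobs",
    "view_reader_tasks", "jupyter_read", "azure_read",
})

# Standard project roles; each is a strict superset of the one before it.
READ_ONLY = REQUIRED | {
    "view_analysis_metadata", "view_file_contents", "download_file",
}
READ_WRITE = READ_ONLY | {
    "create_hierarchy", "modify_metadata", "delete_containers",
    "create_analysis_sdk", "create_analysis_job", "modify_analysis_metadata",
    "delete_analysis", "upload_file", "modify_file_metadata", "move_files",
    "delete_non_device_data", "delete_device_data", "manage_tags",
    "manage_notes", "manage_data_views", "manage_session_templates",
    "manage_my_jobs", "manage_my_annotations", "manage_my_viewer_form_data",
    "jupyter_launch", "jupyter_create", "jupyter_modify",
    "azure_modify", "azure_access",
}
ADMIN = READ_WRITE | {
    "delete_project", "copy_project", "manage_permissions",
    "manage_project_settings", "manage_gear_rules", "manage_others_jobs",
    "manage_reader_tasks", "manage_viewer_protocols",
    "view_others_annotations", "edit_others_annotations",
    "view_others_viewer_form_data", "edit_others_viewer_form_data",
    "jupyter_delete", "manage_imports", "manage_exports",
    "manage_audit_trail_reports", "view_audit_trail_reports",
}
# Ordered least to most privileged, for least-privilege role selection.
STANDARD_ROLES = [("read-only", READ_ONLY), ("read-write", READ_WRITE), ("admin", ADMIN)]
ALL_PERMISSIONS = ADMIN


@dataclass
class User:
    name: str
    site_role: str                                     # "admin", "developer" or "user"
    group_roles: dict = field(default_factory=dict)    # group id -> "admin"/"read-write"/"read-only"
    project_roles: dict = field(default_factory=dict)  # project id -> set of project permissions


def effective_permissions(user, project_id):
    """Project permissions a user actually holds on one project.

    A Site Admin is treated as a superuser (assumption, following the page
    calling it one), so it gets the Admin set everywhere. Every other site
    role grants no data access by itself, and a Group role never implies a
    role on the group's projects: only an explicit project role (standard
    or custom) counts.
    """
    if user.site_role == "admin":
        return ADMIN
    return frozenset(user.project_roles.get(project_id, ()))


def can(user, permission, project_id):
    return permission in effective_permissions(user, project_id)


def least_standard_role(needed):
    """Smallest standard role covering every permission in `needed`,
    or None if no standard role does (e.g. an unknown permission name)."""
    needed = set(needed)
    for name, perms in STANDARD_ROLES:
        if needed <= perms:
            return name
    return None


def validate_custom_role(permissions):
    """Problems with a proposed custom project role; an empty list means OK."""
    permissions = set(permissions)
    problems = []
    unknown = permissions - ALL_PERMISSIONS
    if unknown:
        problems.append("unknown permissions: " + ", ".join(sorted(unknown)))
    missing = REQUIRED - permissions
    if missing:
        problems.append("missing required permissions: " + ", ".join(sorted(missing)))
    if permissions == ADMIN:
        problems.append("role equals the standard Admin role; use Admin instead")
    return problems


# Constructed sample users (not real accounts).
alice = User("alice", "user", group_roles={"neuro": "admin"})     # group admin, no project role
bob = User("bob", "user", project_roles={"neuro/study1": READ_ONLY})
carol = User("carol", "admin")                                    # site admin
dave = User("dave", "developer")                                  # uploads gears, sees no data

if __name__ == "__main__":
    print(can(alice, "view_metadata", "neuro/study1"))  # False: group role gives no project access
    print(can(bob, "download_file", "neuro/study1"))    # True
    print(can(bob, "upload_file", "neuro/study1"))      # False
    print(least_standard_role({"download_file", "manage_my_jobs"}))  # read-write
    print(validate_custom_role({"manage_my_annotations"}))  # one "missing required permissions" problem
```

The useful check is the first one: a Group Admin with no project role gets nothing on the project, which is the mistake this page's Note warns about. least_standard_role is the question to ask before handing out Admin; if a user only needs to download and run their own jobs, read-write covers it.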