Skip to content

User Roles and Permissions

Introduction

Flywheel roles and permissions provide granular access control over what data, settings, and actions are available to users.

This article explains:

  • An overview of the roles and permissions structure in Flywheel.
  • How to edit a user's Site, Group, or Project role
  • What actions a user can take with each role

Learn more about creating custom project roles.

Instruction Steps

Overview

Permissions vs. Roles

  • Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
  • Role: A group of permissions that are assigned to a user. For some roles you can edit the permissions.

Site vs. Group vs. Project Roles

Roles can be assigned at the Site, Group, and Project levels. All users have a role assigned at each of these levels:

  • Site role: These roles are broad and assigned when you create a new user. In general, these roles match what the user is doing in Flywheel at a high level. The available site roles are Admin, Developer, and User. Pair these basic site roles with the more granular roles assigned at the Group and Project levels.
  • Group role: Group roles control what actions a user is permitted to take for a Group, but not for the group's projects. The available group roles are Admin, read-write, and read-only.

    Assigning a Group role to a user does not grant the user a role on Projects within that Group. Instead, assign Project roles or (Group) Project Templates.

  • Project role: Project roles control what actions a user is permitted to take for a Project. Flywheel provides 3 standard project roles that cannot be modified: Admin, read-write, and read-only. Users with the Admin site role can create and manage custom project roles for each project. Custom project roles provide the capability to manage fine grained access controls to Projects for the benefit of data confidentiality and security. Learn more about creating or editing a custom role.

Manage Site Roles

You must have the Site Admin role to manage site roles of users. The site role can be assigned when a user is created, or edited for an existing user by following these steps.

  1. Navigate to Users in the left Navigation Bar

  2. Select a user

  3. Select the Information tab

    15ed5665002f7f.png

  4. Next to Role, select a role from the dropdown, and click Save

Site Admin

The Site Admin has the highest site-level permissions. Site Admins can create new Users and Groups and modify user roles and permissions site-wide. You can think of this as a superuser role.

Site Developer

Developers have site-wide permission to upload gears and restrict their availability to specific projects or users. Admins must assign Developers permissions to Groups and Projects in order to see data.

Site User

The User role does not carry any special permissions. Admins must assign Users permissions to specific Groups and Projects in order to see data.

Manage Group Roles

Group roles give users broad permissions for what they can do within a Group, but do not govern project permissions.

Note: Assigning a Group role does not automatically add users to Projects in that Group.

You must have the Group Admin or Read-Write Role to manage Group Roles for users. Group roles can be managed by following these steps.

  1. Navigate to Groups in the left Navigation Bar
  2. Select a group
  3. Select the Permissions tab
  4. Modify the group Role(s), and click Save

15ed566500af26.png

Group Admin

  • Manage & View Group Roles
  • Manage & View Project Template Roles
  • Manage & View Group Settings (name, tags, etc.)
  • Create New Project
    • Required for Smart Copy
  • Delete Project
  • Manage Project Settings

Group Read-Write

  • View Group Roles
  • View Project Template Roles
  • Manage & View Group Settings (name, tags, etc.)

Group Read-Only

  • View Group Roles
  • View Project Template Roles
  • View Group Settings (name, tags, etc.)

Manage Project Roles

Project roles control who can view, edit, and delete data within that Project. Only a Project Admin a Site Admin can manage Project Roles.

Note: If you only want a user to see certain projects under a Group, you can assign the user a role in the Project without giving the user a Group role. To give the user access to a Project, but not the Group associated with the Project, add them from the Permissions screen of the Project.

To Manage Project Roles:

  1. Navigate to the Project
  2. Select the Permissions management page
  3. Modify the group Role(s), and click Save

15ed566501212d.png

Select a permission level for the user. See the table below for more information.

Tip: Create a project template (group configuration) to standardize project roles across a group. This configuration sets default roles when projects are created, and changes can be applied to existing projects. See our article to learn more about creating a project template.

Compare Project Roles and Permissions

Permission Read-only Read-Write Admin Required
Container Hierarchy (Subject/Session/Acquisition)
View Metadata
View metadata on projects, subjects, sessions, and acquisitions
x x x x
Create Hierarchy
Create new Subjects, Sessions, and Acquisitions
Required when containers are added to the Project via moving or importing. This does not give user ability to create a Project or copy subjects, sessions, or acquisitions into another project.
x x
Modify Metadata
Includes Project metadata
x x
Delete, including Files
This includes:
- Files attached to the deleted container and its children
- Moving Subjects, Sessions, Acquisitions from a project
There are special considerations for deleting Device data.
x x
Delete Project x
Copy Project x
Analyses
View Metadata x x x
Create via SDK
“Ad hoc Analyses”
includes the ability to upload files to an Analysis
x x
Create via Job
Creates an Analyses via Job/Gear
x x
Modify Metadata x x
Delete
Includes Analysis Output Files
x x
Files
View Metadata x x x x
View File Contents in Web UI
Includes single file download APIs
x x x
Download File
Includes single and bulk file download APIs
x x x
Create/Upload x x
Modify Metadata x x
Move Files x x
Delete, Non-Device Data
Example: files that originated from running a gear
x x
Delete Device Data
Example: deleting images uploaded directly from an MR scanner
x x
Tags
View Tags x x x x
Manage Tags
Create/Modify/Delete
x x
Notes
View Notes x x x x
Manage Notes
Create/Modify/Delete
x x
Project Permissions
View Permissions x x x x
Manage Permissions and Services
Create/Modify/Delete
x x
Project Settings
View Project Settings x x x x
Manage Project Settings     x  
Data views
View Data View and Results x x x x
Manage Data Views
Create/Modify/Delete
x x
Session Templates
View Session Templates and Results x x x x
Manage Session Templates
Create/Modify/Delete
x x
Gear rules
View Gear Rules x x x x
Manage Gear Rules
Create/Modify/Delete
x
Jobs (Gear Runs)
View Jobs
View Metadata/Configuration/Logs/etc. for my projects
x x x x
Manage My Jobs
Run/Cancel/Prioritize my jobs
x x
Manage Others' Jobs
Cancel/Prioritize others' jobs
x
Reader Tasks
View Reader Tasks x x x x
Manage Reader Tasks
Create/View/Modify/Delete
x
Manage Viewer Protocol Definitions
Create/Modify/Delete Viewer Protocols
x
Read Task Annotations
Manage My Annotations
Create/View/Modify/Delete My Annotations
x x
View Others' Annotations
View all annotations created by any user via tasks
x
Edit Others' Annotations
Modify or delete annotations created by any user via tasks
x
Read Task Viewer Form Data
Manage My Viewer Form Data
Create/View/Modify/Delete My Viewer Form Responses
x x
View Others' Viewer Form Data
View all viewer form data created by any user via tasks
x
Edit Others' Viewer Form Data
Modify or delete viewer form data created by any user via tasks
x
JupyterLab
Read
View servers and download source code.
x x x x
Launch and Publish
Retain user source code in Flywheel.
x x
Create x x
Modify
Modify server names and settings.
x x
Delete x
Azure Machine Learning Integration
Read
View resources and resource details
x x x x
Modify
Modify resource descriptions
x x
Access
Access the Azure Machine Learning Studio
x x
Data Transfer
Manage Imports
Data import storage and operations
x
Manage Exports
Data export storage and operations
x
Audit Trail Reports
Manage Audit Trail Reports
Create and Delete
x
View Audit Trail Reports x