Permission Matrix
Introduction
This reference provides a complete matrix of all available permissions in Flywheel and shows how each of the default project roles (Read-only, Read-Write, Admin) is pre-configured.
For conceptual information about roles and permissions, see Roles & Permissions Concepts.
For instructions on assigning permissions, see How to Assign Permissions.
Compare Project Roles and Permissions
The tables below list all available permissions and show how each default role is pre-configured. The Required column marks core permissions that are preset for all users; these view-only permissions are essential for all roles.
To create additional custom roles tailored to your users, see Creating custom roles.
Container Hierarchy (Subject/Session/Acquisition)
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Metadata** View all metadata on the project and its subjects/sessions/acquisitions. The Web UI does not display system-controlled metadata fields accessible via SDK or APIs. Project Settings are not considered metadata. | x | x | x | x |
| **Create Hierarchy** Create new Subjects, Sessions, and Acquisitions. Required when containers are added via moving or importing. Does not grant ability to create Projects or copy containers to another project. | | x | x | |
| **Modify Metadata** Alter Project, Subject, Session, Acquisition metadata -- labels, custom info, comments, tags, etc. Includes metadata unique to each container. | | x | x | |
| **Delete** Delete Subjects, Sessions and Acquisitions within the project. This includes files attached to the deleted container and children, and moving Subjects, Sessions, Acquisitions from a project. See Special considerations for deleting Device data. | | x | x | |
| **Delete Project** Delete the project and all its contents. | | | x | |
| **Copy Project** Create Smart Copy from the project, including required snapshots. Smart Copy must also be enabled in project settings. | | | x | |
Analyses
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Metadata** View analyses and all their metadata at all levels -- Project, Subject, Session, Acquisition. | x | x | x | |
| **Create via SDK "Ad hoc Analyses"** Create analysis without using an Analysis Gear. Useful to track inputs, outputs, and configuration of computations performed outside Flywheel. Also controls uploading Output files to analyses. | | x | x | |
| **Create via Job** Create analysis via running an Analysis Gear. The Manage My Jobs permission is also required for job creation. | | x | x | |
| **Modify Metadata** Alter analysis metadata -- label, custom info, comments, tags, etc. | | x | x | |
| **Delete** When deleted, output files are also deleted. For input files, only the reference is deleted; the source file remains untouched. | | x | x | |
Files
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Metadata** View files and metadata at all levels -- Project, Subject, Session, Acquisition. | x | x | x | x |
| **View File Contents in Web UI** View file contents from Flywheel Web UI, both Flywheel-provided and custom viewer apps. | x | x | x | |
| **Download File** Download files, including single file requests and bulk file requests (download project, subject, session, acquisition). | x | x | x | |
| **Create/Upload** Upload file attachments to Project and its Subjects, Sessions, and Acquisitions. Includes single file and bulk upload methods. To restrict to only single or bulk methods, create a custom role with this disabled and either Single File Upload/Create or Bulk File Upload enabled. Deprecated, will be removed in Flywheel version 21.0 or later. | | x | x | |
| **Single File Upload/Create** Directly add Project/Subject/Session/Acquisition attachments. Applies to Web UI, flywheel-sdk, connectors, CLI (upload, cp, ingest commands), Extension Applications, etc. Introduced with Flywheel Core 19.3.0. | | | | |
| **Bulk File Upload** Use bulk import methods supporting malware scanning. Applies to Bulk Import Web UI and (BETA) CLI (import command). Introduced with Flywheel Core 19.3.0. | | | | |
| **Modify Metadata** Alter file metadata, such as file type, modality, classification, info, etc. | | x | x | |
| **Move Files** Move file to another container or rename file. If moving between projects, this permission is required on both projects. | | x | x | |
| **Delete Non-Device Data** Example: files from running a gear. Useful for users removing unwanted gear results who should not remove other sensitive files. | | x | x | |
| **Delete Device Data** Example: images uploaded from MR scanner, CLI Bulk Uploads (fw ingest, fw import) or direct user uploads. | | x | x | |
Tags
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Tags** View tags assigned to project and data within it. | x | x | x | x |
| **Manage Tags** Create/Modify/Delete tags assigned to project and data within it. | | x | x | |
Notes
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Notes** View user notes added to project and data within it. | x | x | x | x |
| **Manage Notes** Create/Modify/Delete your own user notes added to project and data within it. | | x | x | |
Project Permissions
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Permissions** View users and their assigned roles on the project. | x | x | x | x |
| **Manage Permissions** Modify assigned user roles on project. If LDAP Sync service is enabled for your site, modify its configuration for the project. | | | x | |
Project Settings
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Project Settings** View details of project's settings (Viewer Apps, De-id Profiles, Project Locking, Smart Copy). | x | x | x | x |
| **Manage Project Settings** Modify project's settings (Viewer Apps, De-id Profiles, Project Locking, Smart Copy). | | | x | |
Data views
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Data View and Results** View Data Views (including their contents) defined for the project. | x | x | x | x |
| **Manage Data Views** Create/Modify/Delete Data Views (including their contents) defined for the project. | | x | x | |
Session Templates
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Session Templates and Results** View details of project's session template configuration and compliance status for each session. | x | x | x | x |
| **Manage Session Templates** Modify project's Session Template configuration. | | x | x | |
Gear rules
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Gear Rules** View details of project's gear rule configuration. | x | x | x | x |
| **Manage Gear Rules** Modify project's gear rules configuration. | | | x | |
Jobs (Gear Runs)
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Jobs** View all details for all jobs belonging to the project. | x | x | x | x |
| **Manage My Jobs** Create new jobs, and cancel, rerun, and update priority of jobs you create. | | x | x | |
| **Manage Others' Jobs** Cancel, rerun, and update priority of jobs you did not create. | | | x | |
Reader Tasks
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **View Reader Tasks** | x | x | x | x |
| **Manage Reader Tasks** Create/View/Modify/Delete | | | x | |
| **Manage Viewer Protocol Definitions** Create/Modify/Delete Viewer Protocols | | | x | |
Read Task Annotations
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **Manage My Annotations** Create/View/Modify/Delete My Annotations | | x | x | |
| **View Others' Annotations** View all annotations created by any user via tasks. | | | x | |
| **Edit Others' Annotations** Modify or delete annotations created by any user via tasks. | | | x | |
Read Task Viewer Form Data
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **Manage My Viewer Form Data** Create/View/Modify/Delete My Viewer Form Responses | | x | x | |
| **View Others' Viewer Form Data** View all viewer form data created by any user via tasks. | | | x | |
| **Edit Others' Viewer Form Data** Modify or delete viewer form data created by any user via tasks. | | | x | |
JupyterLab
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **Read** View servers and download source code. | x | x | x | x |
| **Launch and Publish** Retain user source code in Flywheel. | | x | x | |
| **Create** | | x | x | |
| **Modify** Modify server names and settings. | | x | x | |
| **Delete** | | | x | |
Data Transfer
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **Manage Imports** View, Create, Modify, and Delete Project Imports and their required cloud storage configuration. | | | x | |
| **Manage Exports** View, Create, Modify, and Delete Project Exports and their required snapshots and cloud storage configuration. | | | x | |
Audit Trail Reports
| Permission | Read-only | Read-Write | Admin | Required |
|---|---|---|---|---|
| **Manage Audit Trail Reports** Create new reports, cancel creation of ones in progress, and delete existing reports. | | | x | |
| **View Audit Trail Reports** View list of available Audit Trail reports and download their contents. | | | x | |