Flywheel roles and permissions give you granular control over what data users have permission to view and edit.
This article explains:
- An overview of the roles and permissions structure in Flywheel.
- The how to edit a user's Site, Group, or Project role
- What actions a user can take with each role
See our other article to learn how to create your own custom role.
Flywheel users can see, edit, or delete data based on their roles and permissions.
-
Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
-
Role: A group of permissions that are assigned to a user. For some roles you can edit the permissions.
The 3 levels of the hierarchy in Flywheel where you can assign a role are at the Site, Group, and Project level. All users have a role assigned at each of these levels:
-
Site role: These roles are broad and assigned when you create a new user. In general, these roles match what the user is doing in Flywheel at a high level. Site roles are Site Admin, Developer, and User. Pair these basic site roles with the more granular roles assigned at the Group and Project level. Learn more about the permissions associated with each site roles
-
Group role: Group roles give users broad permissions for what they can do within a Group and the Projects under that group. For example, do you want users to be able to add other users to the Group? Should the user be limited to just viewing the data in the Projects? Group roles are Admin, read-write, and read. Learn more about what users can do with these permissions.
-
Project role: By default, Projects have Admin, read-write, and read-only permissions. However, Site Admins can create customized project roles for each project (this feature is only available in Flywheel version and later. Work with Flywheel Support to upgrade your site to receive this feature). Custom project roles give you the flexibility to only give users access to the data they need. See below for a comparison of the permissions included with the default Project role. Go to our other article to learn how to create custom roles.
You must be a Site Admin to assign site roles to users. You assign the site role when you create a user in Flywheel, but you can edit site roles. To edit:
-
Go to Users > choose a user.
-
Select the Information tab.
-
Next to Role, select a role from the dropdown.
The Site Admin has the highest site-level permissions. Site Admins can create new Users and Groups, and modify user roles and permissions site-wide. You can think of this as a superuser role.
Developers have site-wide permission to upload gears. Admins must assign Developers permissions to Groups and Projects to be able to see data.
These permissions apply to Flywheel Groups. By default, Group permissions also apply to Projects within that Group (you can configure this setting so projects do not automatically inherit Group permissions).
To give a user permission to a Group:
-
Go to Users > choose a user.
-
Select the Permissions tab, and click Add.
-
From the dropdown menu, select a Group and select either Admin, Read-Write, Read. .
Below is some highlights for what each role can do in Flywheel. See the table below for more information on the permissions included with these roles
Admin:
-
Manage Group Permissions
-
Create New Project
-
Delete Project
-
Add Users to Group
Read-Write:
-
Manage Group Permissions
-
Create new Projects
-
Delete Projects
Read:
-
View Projects
Project roles allow you to control who can view, edit, and delete data within your Project. You must be an Admin for the Project or a Site Admin to edit Project roles.
Custom roles: You can also create custom roles for Projects.
To give users permissions to a Project:
-
Navigate to the Project
-
Select the Permissions tab.
-
From the dropdown menu, select user.
Select a permission level for the user. See the table below for more information on the permissions.
Create a project template to standardize roles and permissions
Project templates allow Site Admins to manage the project's default roles and permissions when creating a new project. See our article to learn more about how to create project template.
Compare project roles and permissions
|
Permission |
Read-only |
Read-Write |
Admin |
Required |
||||
|---|---|---|---|---|---|---|---|---|
|
Container Hierarchy (Subject/Session/Acquisition) |
||||||||
|
View Subject, Session, And Acquisition Metadata |
x |
x |
x |
x |
||||
|
Create new Subject, Sessions, and Acquisitions Required if the user is importing data. This does not give user ability to create a Project or copy subjects, sessions, or acquisitions into another project. |
|
x |
x |
|
||||
|
Modify Metadata Includes Project metadata |
|
x |
x |
|
||||
|
Delete Subject, Sessions, and Acquisitions This includes: Files Moving Subjects, Sessions, Acquisitions from a project There are special considerations for deleting Device data. See Considerations below for more details. |
|
x |
x |
|
||||
|
Delete Project |
|
|
x |
|
||||
|
Analyses |
||||||||
|
View Analyses Metadata |
x |
x |
x |
|
||||
|
Create Analyses “Ad-hoc Analyses” Upload files to Analysis |
|
x |
x |
|
||||
|
Create Analyses via Job |
|
x |
x |
|
||||
|
Modify Analyses Metadata |
|
x |
x |
|
||||
|
Delete Analyses Includes Files |
|
x |
x |
|
||||
|
Files |
||||||||
|
View file metadata |
x |
x |
x |
x |
||||
|
View file contents |
x |
x |
x |
|
||||
|
Download files |
x |
x |
x |
|
||||
|
Create and upload files |
|
x |
x |
|
||||
|
Modify file metadata |
|
x |
x |
|
||||
|
Delete non-device files For example, data that originated from running a gear. See Considerations below for more details. |
|
x |
x |
|
||||
|
Delete device data For example, deleting images uploaded directly from an MR scanner. See Considerations below for more details. |
|
x |
x |
|
||||
|
Tags |
||||||||
|
View Tags |
x |
x |
x |
x |
||||
|
Create, modify, and delete Tags |
|
x |
x |
|
||||
|
Notes |
||||||||
|
View Notes |
x |
x |
x |
x |
||||
|
Create, modify, and delete Notes |
|
x |
x |
|
||||
|
Project Permissions |
||||||||
|
View Project permissions |
x |
x |
x |
x |
||||
|
Create, modify, and delete Project permissions |
|
x |
x |
|
||||
|
Data views |
||||||||
|
View Data View and results |
x |
x |
x |
x |
||||
|
Create, Modify, and Delete Data Views |
|
x |
x |
|
||||
|
Session Templates |
||||||||
|
View Session Templates and results |
x |
x |
x |
x |
||||
|
Create, modify, and delete Session Templates |
|
x |
x |
|
||||
|
Gear rules |
||||||||
|
View Gear Rules |
x |
x |
x |
x |
||||
|
Create, modify, and delete gear rules |
|
|
x |
|
||||
|
Jobs- Gear runs |
||||||||
|
View jobs Includes job metadata, configuration, and logs |
x |
x |
x |
x |
||||
|
Run and cancel jobs (utility) |
|
x |
x |
|
||||
|
Cancel other users and system jobs |
|
|
x |
|
||||
|
Group Administration- Projects |
||||||||
|
Create Projects |
|
|
x |
|
||||
|
Delete Projects |
|
|
x |
|
||||