This article includes:
- How to create a custom role
- Considerations for assigning permissions.
- Example roles with permissions for a user who is developing gears as well as a user who is primarily importing existing data.
Flywheel Roles and Permissions Overview
-
Permission: Enables or disables the ability to perform a specific action in Flywheel. For example, adding notes to a Project is a specific permission.
-
Role: A group of permissions that you assign to a user. For custom roles, you can edit the permissions.
The 3 levels of the hierarchy in Flywheel where you can assign a role are at the Site, Group, and Project level. All users have a role assigned at each of these levels.
Steps
-
Sign in to Flywheel as a Site Admin.
-
Select Roles and Permissions.
-
Select an existing role from the dropdown menu or click Create a new role.
-
You can also choose the groups where the role will be available.
-
Editing an existing role updates the role for any user who is currently assigned that role.
-
-
Enable or disable permissions for the role. See below for considerations when assigning permissions.
Some permissions are required so that you cannot accidentally create a role that does not allow a user to interact with Flywheel. -
Click Save Role.
Your new custom role is now available in the projects under the group you gave access to the role. If any users are currently assigned that role, their permissions are immediately updated
Delete a custom role Custom roles assigned to a user cannot be deleted or removed from a group.
Considerations
Below are some considerations for permissions and how permissions interact with each other
Flywheel considers data that has entered the system through a device to be of a higher importance than data created by Gears or uploaded by Users. device data is often data from a medical device and, in some cases, does not exist in long term storage anywhere but Flywheel.
Due to this lack of redundancy or ability to recreate this data via a Gear run, permissions around deleting device data are handled separately from permissions for deleting other files in Flywheel. For example, if a user wishes to delete a Subject that has an Acquisition containing device data, this user would need both the Delete Container AND Delete Device Data permission.
If a user would like to move a container, they would need the Create Container permission in the destination project and the Delete Container permission in the source project. Device data (described above) is not considered as the user will not be removing the data from the system.
To delete or remove a custom role, you must re-assign all users with that role.
Below are some example use cases and the permissions the custom role should have:
In this example, there is a user who is working on developing a new gear for your project. This user should be able to upload, test, and run gears in your Project. However, they do not need to create containers or run reports.
|
Permission |
Enabled |
|---|---|
|
Container Hierarchy (Subject/Session/Acquisition) |
|
|
View Metadata |
x |
|
Create Hierarchy Required if the user is importing data. This does not give user ability to create a Project or copy subjects, sessions, or acquisitions into another project. |
|
|
Modify Metadata Includes Project metadata |
x |
|
Delete, including Files This includes:
There are special considerations for deleting Device data. See considerations for more information |
|
|
Delete Project |
|
|
Analyses |
|
|
View Analyses Metadata |
x |
|
Create via SDK, "Ad-hoc Analyses", includes the ability to upload Files to Analysis |
x |
|
Create via Job |
x |
|
Modify Analyses Metadata |
x |
|
Delete Analyses Includes Files |
x |
|
Files |
|
|
View file metadata |
x |
|
View file contents |
x |
|
Download files |
x |
|
Create and upload files |
x |
|
Modify file metadata |
x |
|
Delete non-device data For example, data that originated from running a gear. See below for more details. |
x |
|
Delete device data For example, deleting images uploaded directly from an MR scanner. See below for more details. |
|
|
Tags |
|
|
View Tags |
x |
|
Manage Tags |
x |
|
Notes |
|
|
View Notes |
x |
|
Manage Notes |
x |
|
Project Permissions |
|
|
View |
x |
|
Manage Permissions and Services |
|
|
Data views |
|
|
View |
x |
|
Manage Data Views |
|
|
Session Templates |
|
|
View |
x |
|
Manage Session Templates |
|
|
Gear rules |
|
|
View |
x |
|
Manage Gear Rules |
x |
|
Jobs- Gear runs |
|
|
View jobs Includes job metadata, configuration, and logs |
x |
|
Run and cancel jobs (utility) |
x |
|
Cancel any jobs |
x |
|
Group Administration- Projects |
|
|
Create Projects |
|
|
Delete Projects |
|
Below is an example of a user role for a user who is importing data in to Flywheel. We want the user to be able to create the necessary Subject, Sessions, and Acquisitions. However, the user does not need to run gears
|
Permission |
Enabled |
|---|---|
|
Container Hierarchy (Subject/Session/Acquisition) |
|
|
View Subject, Session, And Acquisition Metadata |
x |
|
Create Hierarchy Required if the user is importing data. This does not give user ability to create a Project or copy subjects, sessions, or acquisitions into another project. |
x |
|
Modify Metadata Includes Project metadata |
x |
|
Delete, including Files This includes:
There are special considerations for deleting Device data. See below for more details. |
|
|
Delete Project |
|
|
Analyses |
|
|
View Analyses Metadata |
x |
|
Create via SDK, "Ad-hoc Analyses", includes the ability to upload Files to Analysis |
|
|
Create via Job |
|
|
Modify Analyses Metadata |
|
|
Delete Analyses Includes Files |
|
|
Files |
|
|
View file metadata |
x |
|
View file contents |
x |
|
Download files |
x |
|
Create and upload files |
x |
|
Modify file metadata |
x |
|
Delete non-device data For example, data that originated from running a gear. See below for more details. |
|
|
Delete device data For example, deleting images uploaded directly from an MR scanner. See below for more details. |
|
|
Tags |
|
|
View Tags |
x |
|
Manage Tags |
x |
|
Notes |
|
|
View Notes |
x |
|
Manage Notes |
x |
|
Project Permissions |
|
|
View |
x |
|
Manage Permissions and Services |
|
|
Data views |
|
|
View Data View and results |
x |
|
Manage Data Views |
|
|
Session Templates |
|
|
View Session Templates and results |
x |
|
Manage Session Templates |
|
|
Gear rules |
|
|
View Gear Rules |
x |
|
Manage Gear Rules |
|
|
Jobs- Gear runs |
|
|
View jobs Includes job metadata, configuration, and logs |
x |
|
Run and cancel jobs (utility) |
x |
|
Cancel other users and system jobs |
|
|
Group Administration- Projects |
|
|
Create Projects |
|
|
Delete Projects |
|