IN THIS ARTICLE
ProKnow's Identity and Access Management (IAM) facilitates the management of user access to groups of resources. It comprises Workspaces, Roles, and Users. This article explains the purpose of these entities in ProKnow and offers a general method for setting up your organization.
- Workspaces, Roles, and Users
- Permission Types
- Setting Up Your Organization
- Conclusion and Next Steps
Workspaces, Roles, and Users
A workspace is an abstract container where patient and collection data is stored. One workspace can hold many patients and can have a representation in many collections. Each patient belongs to exactly one workspace.
A role is a set of access rules that define what actions may be performed on each of the various organization settings and system resources. Roles have the flexibility to permit unfettered access to all system resources or to define specific, limited access to certain workspaces.
A user is an entity (usually a person) who uses the system. A user must be assigned to exactly one role.
A user must have the Manage Users, Roles, and Workspaces permission to manage the workspaces, roles, and users for the organization (see Organization Management Permissions).
Advanced User Permissions
This is a group of permissions related to advanced user functionality. The Create API Keys permission grants access to create API keys that do not expire but can be revoked. These can be useful when interacting with the ProKnow API to perform automated tasks in a script or as a DICOM server.
Organization Management Permissions
These are the permissions related to managing the organization resources. Generally speaking, these permissions should be granted to administrative or management roles only. The Manage Users, Roles, and Workspaces permission grants the permission to add, update, and remove users, roles, and workspaces. The Manage Custom Metrics permission grants privileges to define, change, and delete custom metrics. The Manage Renaming Rules permission grants the ability to create and manage renaming rules, as well as the ability to execute renaming rules against existing datasets. The Manage Scorecard Templates permission grants the ability to create, update, and remove scorecard templates.
These are permissions that apply to all workspaces within the organization. Any role granted these permissions will be able to perform the indicated actions in every workspace. The possible organization level actions are Read Patients, View PHI, Download DICOM, Write Patients, Contour Patients, Delete Patients, Read Collections, Write Collections, Delete Collections, and Collaborator.
These are permissions that apply to specific workspaces. Any role granted these permissions will only be able to perform the indicated actions in the specified workspace only. The possible workspace level actions are Read Patients, View PHI, Download DICOM, Write Patients, Contour Patients, Delete Patients, Read Collections, Write Collections, Delete Collections, and Collaborator.
Setting Up Your Organization
If you have the Manage Users, Roles, and Workspaces permission, you will want to think carefully about your particular use case to determine what workspaces, roles, and users to create. We recommend following this general procedure to determine your organization's needs.
Step 1: Determine Workspace Needs
The first thing you'll want to do is to determine how many workspaces you'll need and what these workspaces should be called. Your organization is already preconfigured with the "Clinical" workspace. This organization can be used to store clinical data or renamed and repurposed for something else. To determine the set of workspaces you should maintain, ask yourself whether certain groups of users should only be able to access a subset of the organization's data. If yes, you'll need to organize your data into multiple workspaces. For example, let's say that you have clinical data and research data. Suppose further that researchers should only be able to access research data while clinicians should be able to access both the research and clinical data. In this scenario, you should have two workspaces: Clinical and Research. If the answer to that question is no, just keep the Clinical workspace and rename it to suit your situation. If your needs change, you can always add additional workspaces.
Step 2: Determine Role Needs
Next, you'll want to determine what roles are needed to support the kinds of users who will have accounts in your ProKnow organization. Begin by considering the workspace and organization level permissions, and consider the following questions:
- Who should have access to every workspace?
- Who should have access to only certain workspaces?
- Will read access suffice for certain users?
- Who will require the ability to delete data?
- Are there groups of two or more users who should have identical permission schemes?
Once you've determined the answers to these questions, think about which advanced user permissions and organization management permissions are appropriate for each of your users. When in doubt, it's best to assign permissions using the principle of least privilege. In other words, start by assigning only the permissions that are necessary, and modify the permissions later as needed. Remember that roles can be created, updated, and deleted as needed.
Step 3: Determine User Needs
Lastly, you'll want to compile a list of users who will be invited to join the organization. As you compile the list, make sure each user fits appropriately into the roles you've developed in step 2. If any do not, go back to step 2, and revise your roles.
Conclusion and Next Steps
Identity and Access Management is an important part of your ProKnow organization. Determining the needs of your organization in the way of workspaces, roles, and users goes a long way toward ensuring that your account remains secure and your team stays efficient. Once you've thought about these needs, you're ready dive into step-by-step guides for Managing Workspaces, Managing Roles, and Managing Users.