roles.md

File metadata and controls

36 lines (28 loc) · 1.84 KB

Roles in Microsoft Imaging Server for DICOM

The medical imaging server uses a role-based access control system. The access control model is based on the following concepts:

  • Data Actions refer to specific allowed or disallowed operations that can be performed on an imaging server's data. Examples include read, write, and delete.
  • Role definitions, or simply roles, are named collections of actions that are allowed to be performed. They apply to a set of scopes.
  • Scopes define the subset of data to which a role definition applies. Currently, only the root scope (/) is supported, which means that role definitions apply to all the data in the imaging server.
  • Role assignments grant a role definition to an identity (user, group, or service principal).

The set of data actions that can be part of a role definition are:

  • * allows all data actions.
  • read is required for reading and searching resources.
  • write is required for creating or updating resources.
  • delete is required for deleting resources.

Roles are defined in the roles.json file. Administrators can customize them if desired. A role definition looks like this:

```json
{
    "name": "globalWriter",
    "dataActions": [
        "*"
    ],
    "notDataActions": [
        "delete"
    ],
    "scopes": [
        "/"
    ]
}
```

This role allows all data actions except delete. Note that if a user is part of this role and another role that allows delete, they will be allowed to perform the action.
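The following is an added illustration, not code from the imaging server project: a small evaluator that models the semantics described above (a role grants an action when it matches dataActions, literally or via "*", and is not listed in notDataActions; across several assigned roles the grants are unioned, so one granting role is enough). The roles.json contents, the role names other than globalWriter, and the fail-closed handling of an assigned role name with no matching definition are assumptions made for the example.

```python
"""Evaluate DICOM-server style role definitions (added example, not project code)."""
import json

# Constructed roles.json contents for illustration; only globalWriter comes from the page.
ROLES_JSON = """
[
  {"name": "globalWriter",  "dataActions": ["*"],      "notDataActions": ["delete"], "scopes": ["/"]},
  {"name": "globalReader",  "dataActions": ["read"],   "notDataActions": [],         "scopes": ["/"]},
  {"name": "globalDeleter", "dataActions": ["delete"], "notDataActions": [],         "scopes": ["/"]}
]
"""

VALID_ACTIONS = {"read", "write", "delete"}


def load_roles(text):
    """Parse role definitions, rejecting unknown actions and unsupported scopes."""
    roles = {}
    for role in json.loads(text):
        for action in role["dataActions"] + role.get("notDataActions", []):
            if action != "*" and action not in VALID_ACTIONS:
                raise ValueError(f"{role['name']}: unknown data action {action!r}")
        # Only the root scope is supported, so anything else is a configuration error.
        if role.get("scopes", ["/"]) != ["/"]:
            raise ValueError(f"{role['name']}: only the root scope '/' is supported")
        roles[role["name"]] = role
    return roles


def role_grants(role, action):
    """One role grants an action if it is listed (or '*') and not excluded."""
    listed = "*" in role["dataActions"] or action in role["dataActions"]
    return listed and action not in role.get("notDataActions", [])


def is_allowed(roles, assigned_role_names, action):
    """Union across assignments: any single assigned role granting the action suffices.

    An assigned app role with no matching definition in roles.json grants nothing
    (assumption: fail closed rather than error), so a naming mismatch cannot widen access.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown data action {action!r}")
    return any(role_grants(roles[name], action) for name in assigned_role_names if name in roles)


if __name__ == "__main__":
    defs = load_roles(ROLES_JSON)
    print(is_allowed(defs, ["globalWriter"], "delete"))                   # False
    print(is_allowed(defs, ["globalWriter", "globalDeleter"], "delete"))  # True
```

The last two calls reproduce the caveat from the text: globalWriter alone cannot delete, but the same identity also assigned a role that allows delete can.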

Role assignments are done in the identity provider. In Azure Active Directory, you define app roles on the imaging server's app registration. The app role names must correspond to the names of the roles defined in roles.json. Then you assign identities (users, groups, or service principals) to the app roles.