Security roles: Concepts

Topic number: 1425411654672

Authorization in Agfa HealthCare Enterprise Imaging is based on the concept of security roles assigned to application users. A security role consists of one or more permission sets, which can be granted conditionally or always, and security filters. Permissions, with their conditions, are grouped into logical units called permission sets.

Security roles, filters, and permission sets are the security features that protect patient data and health. Each user has at least one security role assigned. The roles assigned apply to each end-user desktop.

The building blocks of security roles

Permissions:

  • Are combined in permission sets to grant or deny actions on tasks and studies. Only when granted permission can a user perform the related action.
  • Are evaluated at startup to show or hide action buttons and menus.
  • Are dynamically evaluated when an action is triggered (to check whether any conditions apply).

Conditions:

  • Limit the user’s permission based on study or task attributes. For example, junior radiologists might only be granted permission to perform reading tasks for their own department.
  • A permission can have one or more conditions.

Permission sets:

  • Are logical groupings of permissions.

    Example: The reporting permissions of a radiologist could be configured in the permission set Standard user reporting permissions. This permission set might consist of permissions such as Can start reading tasks, Can cancel reading tasks, and Can start addendum reading tasks.

  • Are linked to one or more security roles. A security role can have one or more permission sets.

Security filters:

  • Can be configured to restrict the studies and tasks shown for a user in the List area, the Search area, and active and comparison studies lists.
  • Are evaluated per use:
    • Each time a study or task list is refreshed.
    • Each time a user performs a search.
    • Each time a task or study is opened in the Text area.
  • Act like a search query.

    Example: The security filter is Performing department: Radiology and Study confidentiality: Non-confidential. If the user searches for all studies for Patient: Bob de Bouwer, the result list shows only studies performed by the Radiology department that are not flagged as confidential and that apply to patient Bob de Bouwer.

  • Prevent images that are related to the filtered-out studies from being displayed in the Image area.
  • Are linked to a security role. If you do not enable any security filters for a security role, then users who are linked to this security role can see all information.
  • Allow users who are linked to several security roles to have a combined security filter.

    Example: Peter is linked to security role A with security filter Modality types CT, RX, and to security role B with Modality types MR, RX. The result is that Peter can view studies with modality types CT, MR, and RX. If you also link Peter to security role C without any security filter, then Peter sees all modality types.
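The combined-filter rule above, modelled as an added Python example (not part of the original documentation and not Agfa HealthCare code), with an audit check that flags users whose filtered roles are made ineffective by an unfiltered role. The role names A, B, and C come from the Peter example; the function names, data structures, the US study, and the assumption that whole per-role filters are OR-ed together are illustrative.

```python
# Illustrative model of the combined security filter behaviour described above.
# Assumption: attributes inside one filter are AND-ed (it "acts like a search
# query"), and the filters of several roles are OR-ed (the Peter example).

def matches(filter_, study):
    """True if the study satisfies every attribute constraint of one filter."""
    return all(study.get(attr) in allowed for attr, allowed in filter_.items())

def can_see(role_names, roles, study):
    """Visible if any linked role has no filter, or any role's filter matches."""
    filters = [roles[name] for name in role_names]
    if any(f is None for f in filters):  # a role without a filter shows everything
        return True
    return any(matches(f, study) for f in filters)

def overridden_filters(users, roles):
    """Audit: users whose filtered roles are nullified by an unfiltered role."""
    flagged = {}
    for user, role_names in users.items():
        unfiltered = sorted(r for r in role_names if roles[r] is None)
        filtered = sorted(r for r in role_names if roles[r] is not None)
        if unfiltered and filtered:
            flagged[user] = {"unfiltered": unfiltered, "ineffective": filtered}
    return flagged

# Constructed sample data mirroring the Peter example (hypothetical structures).
ROLES = {
    "A": {"modality": {"CT", "RX"}},
    "B": {"modality": {"MR", "RX"}},
    "C": None,  # no security filter enabled for this role
}
STUDIES = [{"id": i, "modality": m}
           for i, m in enumerate(["CT", "MR", "RX", "US"], start=1)]

def visible_modalities(role_names):
    """Modality types of the constructed studies a user with these roles sees."""
    return sorted(s["modality"] for s in STUDIES if can_see(role_names, ROLES, s))

if __name__ == "__main__":
    print(visible_modalities(["A", "B"]))
    print(visible_modalities(["A", "B", "C"]))
    print(overridden_filters({"peter": ["A", "B", "C"], "ann": ["A"]}, ROLES))
```

Running a check like overridden_filters over exported role assignments shows where a role without a security filter has silently widened a user's view.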

WARNING!

Task assignment groups determine to whom the tasks are assigned, but grant no permissions. Incorrectly configured security rules and assignment rules can result in conflicting application behavior, such as assigning a task to someone who does not have the permission to perform the task.

Import and export of security roles

To simplify configuration, administrators can import and export settings using the standard import/export tools.