AE Title based access control


Brandon Driscoll

Jan 24, 2013, 10:22:24 AM
to dcm...@googlegroups.com
Hi,

I've been digging through the old forums and these boards for weeks now and I still haven't been able to sort out a problem that I've seen posted by numerous people, but a full solution is never discussed.

It's pretty important in a lot of situations to have access control of studies based on users. The web interface seems to handle that, no problem. Simply based on AESource I can make 3 users and say each user can only see studies whose source AE title is associated with their user, i.e. if User 1 sends the data to the PACS, only that user can retrieve it. I can also alter the series-permissions.xsl to define roles on study store based on some other tag, say referring physician, modality, etc. All that works just fine... from the web interface.

But what happens when we step out into the real world in which people are accessing the PACS from something other than the web interface? Say Osirix, or ClearCanvas?  Something with actual visualization and image analysis tools?

It seems like it should be a two-step solution:

1) On series store, assign access rights to the study based on the AE Title where the study originated (or potentially some other embedded tag)
- Go to JBoss -> dcm4chee.archive -> StudyPermission
- UpdateOnSeriesStored -> true
- Alter series-permissions.xsl to add roles based on the "calling" tag (my proposed .xsl is attached)

2) On query receive, assign a user to the calling AE Title, since the query is being done from a remote DICOM node and will not carry user permission information
- I cannot for the life of me get this to work

AE Management
User ID and Password attribute are configurable for AET's which do not support user identification

This suggests to me that you can specify the user associated with an AE title in the AE configuration, which you can do in either the web interface or the service=AE bean in JBoss. So I go into the AE configuration and add a user and password to the AE Title of my remote ClearCanvas instance, hoping that when I query the PACS it will see "oh, it's BrandonAE" and assign the role Brandon, which can only see images that came from BrandonAE. But no dice, I still get all the studies. If I log in to the web interface as Brandon I can only see the studies sent from my AE Title.

I'm stumped, this seems like something many people must do but I don't see any real walkthrough or explanation of how it works.

Any help would be much appreciated.

Attachment: series-permission-proposed.txt

Brandon Driscoll

Jan 24, 2013, 11:35:02 AM
to dcm...@googlegroups.com
Another question is: are the roles defined in the series-permissions.xsl file the same as those defined in the web interface?

Brandon Driscoll

Jan 25, 2013, 9:38:30 AM
to dcm...@googlegroups.com
Is this really an unsolvable problem? 

I've modified series-permissions.xsl to assign roles to studies as they come in, and I've enabled the DICOM security in conf/login-config.xml by commenting out the lines as suggested in the file.

<application-policy name="dcm4chee-dicom">
  <authentication>
    <!-- Comment out following login-module to require/check passcode in
         DICOM User Identity negotiation -->
    <!--
    <login-module code="org.dcm4chex.archive.security.TrustLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
    -->
    <!-- Password check against the archive's users/roles tables:
         passwd column holds base64(SHA-1(UTF-8 password)) -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">java:/pacsDS</module-option>
      <module-option name="principalsQuery">select passwd from users where user_id=?</module-option>
      <module-option name="rolesQuery">select roles, 'Roles' from roles where user_id=?</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="hashCharset">UTF-8</module-option>
      <module-option name="hashAlgorithm">SHA-1</module-option>
    </login-module>
  </authentication>
</application-policy>

Shouldn't this force the calling AE Title to provide the associated user/password from AE Management, and then this controls what can be queried through DICOM?

The DICOM node still sees all studies.

I feel like I'm missing something obvious here, but I'm very new to this and treading water trying to figure it out; any suggestions would be much appreciated.
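The DatabaseServerLoginModule options above (hashAlgorithm SHA-1, hashEncoding base64, hashCharset UTF-8) define exactly what the `passwd` column must contain for a DICOM User Identity login to succeed. The following is an added example, not code from the thread or from dcm4chee, that reproduces that transformation in Python so you can provision or verify a row in the `users` table and confirm the module is comparing what you think it is. The user row and password are constructed sample values. Note that this scheme is an unsalted single SHA-1 round, so two users with the same password get identical `passwd` values; that is a property of the configuration, not of this example.

```python
import base64
import hashlib
import hmac

# Added example (not dcm4chee's code): the password transform implied by
# hashAlgorithm=SHA-1, hashEncoding=base64, hashCharset=UTF-8 in login-config.xml.
HASH_ALGORITHM = "sha1"
HASH_CHARSET = "utf-8"


def encode_password(password: str) -> str:
    """Return the string the login module expects to find in users.passwd."""
    digest = hashlib.new(HASH_ALGORITHM, password.encode(HASH_CHARSET)).digest()
    return base64.b64encode(digest).decode("ascii")


def digest_length(stored: str) -> int:
    """Decode a stored value and report the raw digest size (20 for SHA-1)."""
    return len(base64.b64decode(stored))


def verify_password(password: str, stored: str) -> bool:
    """Hash the candidate the same way and compare in constant time."""
    return hmac.compare_digest(encode_password(password), stored)


# Constructed sample rows in the shape the principalsQuery reads (user_id -> passwd).
SAMPLE_USERS = {
    "brandon": encode_password("correct horse battery staple"),
}


def check_login(user_id: str, password: str, users=SAMPLE_USERS) -> bool:
    """Model of the module's decision for one user_id/password pair."""
    stored = users.get(user_id)
    if stored is None:
        # Unknown user: hash anyway so the reject path takes comparable time
        # (a hardening choice of this example, not something the module documents).
        encode_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print("stored passwd for brandon:", SAMPLE_USERS["brandon"])
    print("login ok:", check_login("brandon", "correct horse battery staple"))
    print("wrong password:", check_login("brandon", "hunter2"))
```

If a DICOM association with a User Identity item is still rejected after the TrustLoginModule is commented out, comparing the stored `passwd` value with `encode_password()` of the password configured in AE Management is a quick way to rule out a charset or encoding mismatch.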

Mark Messer

Jan 25, 2013, 9:01:12 PM
to dcm...@googlegroups.com

I don't think I will be able to be too much help on this one. But just as a sanity check, in the JMX console have you changed these parameters?
    service=QueryRetrieveScp  
        UnrestrictedQueryPermissionsToAETitles
        UnrestrictedReadPermissionsToAETitles
        UnrestrictedExportPermissionsToAETitles
 
    service=StoreScp
        UnrestrictedAppendPermissionsToAETitles
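
To see why these attributes matter, here is an added example (not dcm4chee's code) that models, in Python, how the calling AE Title, the AE Management user mapping, that user's roles, the StudyPermission rows and the `UnrestrictedQueryPermissionsToAETitles` setting combine to decide which studies a C-FIND from a remote node can see. All AE titles, users, roles and study UIDs are constructed sample data; the `(study_iuid, action, role)` row shape and the `"Q"` action code follow the archive's study_permission table as I understand it, which is an assumption, and the attribute is modelled as a list where the real setting is a comma-separated string.

```python
# Added example (not dcm4chee's code): a simplified model of study-level
# query permission checking for a remote DICOM node.

ANY = "ANY"  # the default value that disables the check for every caller

# AE Management: User ID configured per AE Title (constructed sample data).
AE_USER = {"BRANDON_AE": "brandon", "ALICE_AE": "alice"}

# Roles granted to each user (constructed sample data).
USER_ROLES = {"brandon": {"BrandonRole"}, "alice": {"AliceRole"}}

# StudyPermission rows as (study_iuid, action, role); 'Q' = query (assumed code).
STUDY_PERMISSIONS = [
    ("1.2.3.1", "Q", "BrandonRole"),
    ("1.2.3.2", "Q", "AliceRole"),
    ("1.2.3.3", "Q", "BrandonRole"),
]

# Every study in the archive; 1.2.3.4 has no permission row at all.
ALL_STUDIES = ["1.2.3.1", "1.2.3.2", "1.2.3.3", "1.2.3.4"]


def roles_for_aet(calling_aet):
    """Roles the calling AE Title inherits through its configured user, if any."""
    user = AE_USER.get(calling_aet)
    if user is None:
        return set()
    return USER_ROLES.get(user, set())


def is_unrestricted(calling_aet, unrestricted_aets):
    """True when the attribute exempts this caller from permission checks."""
    return ANY in unrestricted_aets or calling_aet in unrestricted_aets


def visible_studies(calling_aet, unrestricted_aets, action="Q"):
    """Studies a C-FIND from calling_aet may return under the given setting."""
    if is_unrestricted(calling_aet, unrestricted_aets):
        return list(ALL_STUDIES)
    roles = roles_for_aet(calling_aet)
    allowed = {
        iuid
        for iuid, act, role in STUDY_PERMISSIONS
        if act == action and role in roles
    }
    return [iuid for iuid in ALL_STUDIES if iuid in allowed]


if __name__ == "__main__":
    # Default setting: every caller sees everything, regardless of roles.
    print("ANY      :", visible_studies("BRANDON_AE", [ANY]))
    # Restricted to the master AET: remote nodes are filtered by their user's roles.
    print("BRANDON  :", visible_studies("BRANDON_AE", ["PACS_MASTER"]))
    print("ALICE    :", visible_studies("ALICE_AE", ["PACS_MASTER"]))
    print("UNKNOWN  :", visible_studies("UNKNOWN_AE", ["PACS_MASTER"]))
    print("MASTER   :", visible_studies("PACS_MASTER", ["PACS_MASTER"]))
```

The model makes the failure mode visible: with the attribute left at ANY, the per-study role assignments written by series-permissions.xsl are simply never consulted for DICOM queries, which matches the symptom of the remote node seeing every study. An AE Title with no user configured in AE Management ends up with no roles and therefore sees nothing once the attribute is restricted, so each remote node that should have access needs both a user mapping and matching StudyPermission rows.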

Brandon Driscoll

Jan 28, 2013, 9:48:56 AM
to dcm...@googlegroups.com
Actually I hadn't touched any of those. They were all left as ANY. I changed them all to the master AET and it is querying correctly, or at least looks like it! I'm having trouble sending now, but I think there's a bug in my series-permissions.xsl. This is the first time I've been able to allow the DICOM node to only see a fraction of the studies, so I have hope now.

Thanks!

Keith Schneider

Sep 16, 2015, 7:17:58 PM
to dcm4che
Hi Brandon, did you ever find a solution to this? We have a similar problem. We'd like to enable OsiriX access to our PACS database, but we can't figure out how to restrict access to only certain AE Titles.

Thanks for any info.

keith

fleetwoodfc

Sep 17, 2015, 6:16:34 AM
to dcm4che
Brandon's first post describes how to restrict access to certain AE Titles; he just hadn't enabled it as described in Mark Messer's post.