editing UI for specific role
191 views
Skip to first unread message
Jonathan Brooks
Aug 21, 2023, 1:25:06 PM8/21/23
to dcm4che
Dear Devs,
SW/OS secure UI version dcm2chee-arc-light 5.25.2, running on Ubuntu 22.04 LTS.
This is a request for some help on understanding the information from the wiki regarding UI permission configuration (here).
I'd like to restrict a users ability to delete data from the archive when using the GUI. All our users are automatically given the role "user".
Following the directions on the wiki I browse to the relevant permission (action-studies-patient), which is currently configured as below:
Clearly I'd like the admin user to be able to delete and edit data (so assume this is a default configuration), however, it's not clear to me how I restrict access for someone with the role = user.
If (as admin) I turn off "delete" and "edit" and save the changes, then log in as a normal user I see the following:
However, If I just un-check "delete" leaving "edit" turned on, this appears to achieve the desired result. However, I would like to know a bit more about what's going on here?
Q. What does "edit" imply?
Q. Looking at the instructions on the wiki, it's not clear whether it's possible to have multiple UI configurations for multiple different users (e.g. with different roles). I know you guys have put a huge amount of effort in here, and I'm sure it must be possible!
Is the first element the only one to be applied, can multiple "profiles" (not the right thing to call them) co-exist? Can there be default, admins, others, etc etc...?
Hope you can help.
Kind regards,
Jon
Shefki Esadi
Sep 6, 2023, 7:04:20 AM9/6/23
to dcm4che
Hi,
because the role `user` is mandatory to be able to access the UI, one should not use that role to restrict something, unless the permission defined with that role should be valid for everyone. So to restrict a group of UI user to something you should define a new role ( other then user and admin ) and deffine the permissons to that user as you wish.
> However, If I just un-check "delete" leaving "edit" turned on, this appears to achieve the desired result. However, I would like to know a bit more about what's going on here?
The permission with the id `action-studies-patient` and param `delete` makes the delete button visible if it is available ( there are some condition that has to be fulfilled so that a patient can be deleted ( so you you mey not see the button even if you have the permissions to see, if the conditions are not fulfilled ). The parameter `edit` shows the button edit, so that you can edit the attributes of the patient.
>Q. Looking at the instructions on the wiki, it's not clear whether it's possible to have multiple UI configurations for multiple different users (e.g. with different roles). I know you guys have put a huge amount of effort in here, and I'm sure it must be possible!
There is currently not possible to have different UI configurations but also there is currently no need for that. If you mean and have to define different permission based on different roles you can do that ( in the same UI config with different Permission Configs - just give to the permission config different UI Permission names for each role like `Action - Studies - Patient ( admin )`, `Action - Studies - Patient ( simple user ) ` etc. ( I know that defining permission in the open source version is much difficult. In the pro version we have a specific page for that that makes the configuration of the permission based on roles very easy )
Best Regard
Shefki Esadi
because the role `user` is mandatory to be able to access the UI, one should not use that role to restrict something, unless the permission defined with that role should be valid for everyone. So to restrict a group of UI user to something you should define a new role ( other then user and admin ) and deffine the permissons to that user as you wish.
> However, If I just un-check "delete" leaving "edit" turned on, this appears to achieve the desired result. However, I would like to know a bit more about what's going on here?
>Q. Looking at the instructions on the wiki, it's not clear whether it's possible to have multiple UI configurations for multiple different users (e.g. with different roles). I know you guys have put a huge amount of effort in here, and I'm sure it must be possible!
There is currently not possible to have different UI configurations but also there is currently no need for that. If you mean and have to define different permission based on different roles you can do that ( in the same UI config with different Permission Configs - just give to the permission config different UI Permission names for each role like `Action - Studies - Patient ( admin )`, `Action - Studies - Patient ( simple user ) ` etc. ( I know that defining permission in the open source version is much difficult. In the pro version we have a specific page for that that makes the configuration of the permission based on roles very easy )
Best Regard
Shefki Esadi
Jonathan Brooks
Sep 6, 2023, 11:20:10 AM9/6/23
to dcm4che
Dear Shefki,
Thanks for your helpful explanation.
Can I check that if I defined a new role (e.g. "simple users") through LDAP/keycloak, this would then require the pro version to create a relevant section option (Action - Studies - Patient (simple user)) under UI Configuration -> Permissions for specific options to apply for users in the group "simple users"?
Best wishes,
Jon
Shefki Esadi
Sep 7, 2023, 5:29:57 AM9/7/23
to dcm4che
Hallo,
I'm nut sure I quite understand you question, maybe you could clarify more.
I said if you have the pro version you can configure the permissions easier ( because there is a specific page in pro for that ) but you can do that also without pro in the UI configs like you started.
So to define specific permissions for a group of users, you create a new role like `simple_user` ( In KeyCloak ), then you go to the UI config ( as you did before ) create new child in the Permission ( Child Objects ), you give a unique name to that and add as role the new role ( `simple_user` ). With that the defined permission should apply to only the users that have that role ( Like I said, make sure that the roles of the users doesn't overlap like the role `user` ).
Best Regards
Shefki Esadi
I'm nut sure I quite understand you question, maybe you could clarify more.
I said if you have the pro version you can configure the permissions easier ( because there is a specific page in pro for that ) but you can do that also without pro in the UI configs like you started.
So to define specific permissions for a group of users, you create a new role like `simple_user` ( In KeyCloak ), then you go to the UI config ( as you did before ) create new child in the Permission ( Child Objects ), you give a unique name to that and add as role the new role ( `simple_user` ). With that the defined permission should apply to only the users that have that role ( Like I said, make sure that the roles of the users doesn't overlap like the role `user` ).
Best Regards
Shefki Esadi
Reply all
Reply to author
Forward
0 new messages