dcm4chee archive v5 Role Based Access Control migration

[Igor Solovey]

Hello,

We're planning to upgrade our DICOM server from dcm4chee archive v2 to v5 and wanted to clarify how to map our current access control setup onto the new version.

 

We have set up several hundred projects, whose names are stored in the Study Description dicom attribute on the sending AEs (MRI consoles). Every project also has a corresponding dcm4chee DICOM role and Role Base Access Controls (RBAC) are assigned to incoming DICOM series using the Study Permission service (dcm4chee.archive:StudyPermission) Series Stored stylesheet. We use LDAP for authentication (both the dcm4chee-web3 interface and a QueryRetrieveScp authenticated with User Identity negotiation). The dcm4chee roles are mapped to LDAP groups using the JBoss LdapExtLoginModule. Fine-grained project-level access control is a must for our setup.

 

Access control is currently implemented in dcm4chee archive v5 using archive (source) AE titles. I can't think of a straightforward way to migrate our setup to use AET-based access control. My questions:

 

1. Is there anything already implemented in dcm4chee-arc-lite which will allow RBAC where roles are assigned based on DICOM attributes like Study Description, instead of AET only?

 

2. If not, would you be open to merging this functionality into the project? We can look into developing it ourselves, but don't want to maintain a fork. Is there anything about the design of dcm4chee-arc-lite which makes such an extension undesirable/difficult?

Thanks,

-Igor

[gunterze]

Alternatively to configuring a constant Store Access Control ID for studies received by a particular Archive Application Entity, you may configure Store Access Control ID Rules on Archive Device or Archive Application Entity level, referring any DICOM attribute as condition (e.g. StudyDescription=XXX|YYY )   

[Igor Solovey]

Thanks for your reply.

The issue is that the Store Access Control ID rules are defined at the Archive Device or Archive Application Entity level. If we defined our access control rules on the AETitle level, that would require that users access the archive by a different AETitle for each of the (sometimes many) projects to which they have access. What we need instead is to define such rules on a Role and/or User level (regardless of AETitle), and for users to get a combined view of all studies they have access to, from a number of projects.

e.g. User1 and User2 both use a DICOM viewing workstation configured with AET DICOMVIEWER. When User1 runs a query from AET DICOMVIEWER they should see only studies to which User1 has access to, and likewise for User2 and studies accessible to them. Currently access control can only be provided to DICOMVIEWER without differentiation of User1 and User2.

Currently the Store Access Control ID rule assigns an AccessControlID to a study and then those AEs with the same AccessControlID can access the study. What we think we need is to assign an AccessControlID to a user and/or group. 

Thanks,

-Igor