Allowing store but not query/retrieve

[Niels Wahlgreen]

Hi all.

We are using dcm4chee-arc secure version 5.16.1.

We would like to configure an AETitle, that remote institutions are able to C-MOVE dicom files to, but not query or retrieve (or at least only query/retrieve things they have stored themselves).

We have enabled the dcmValidateCallingAEHostname feature in https://github.com/dcm4che/dcm4chee-arc-light/wiki/Validate-hostname-or-IP-address-of-association-requester

I am assuming, that I need to configure Access Control and Store Access Control, as described here: https://github.com/dcm4che/dcm4chee-arc-light/wiki/Access-control-based-on-Archive-AEs

My idea is to configure Store Access Control, so it assigns an access ID based on either the AE storing the file, or - if that is not possible - create separate AETitles for each remote institution on our server and have the remote institutions use them when they store. The optimal solution would be, that the remote partners can only store files, but cannot query or retrieve anything.

My hope is, that I can then configure it, so doctors in our clinic can retrieve all the files that have been stored, when they query the server.

Is this possible? And is it a feasible way to accomplish this objective?

[Niels Wahlgreen]

Hi Guys,

 

Does anyone have any input on this? Or interest in the result😊 ?

 

Otherwise, I will give it a go tomorrow and see how far I can get.

 

Med venlig hilsen / Best regards 

Niels Wahlgreen
Senior IT Consultant & Founder, Cand.Merc.(dat.)

Wahlgreen IT

Vadstrupvej 53‪ | 2880 Bagsværd
D: +45 70 23 50 45 | M: +45 26 34 60 80
E: ni...@wahlgreen.dk | W: www.wahlgreen.dk

 

Alle priser er ekskl. moms. Vi tager forbehold for prisændringer og/eller tastefejl.

Vores generelle betingelser er gældende. Læs dem her.

--
You received this message because you are subscribed to the Google Groups "dcm4che" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dcm4che+u...@googlegroups.com.
To post to this group, send email to dcm...@googlegroups.com.
Visit this group at https://groups.google.com/group/dcm4che.
To view this discussion on the web visit https://groups.google.com/d/msgid/dcm4che/0b053c0e-7f13-4608-9eb7-8f884592a0a9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Gunter Zeilinger]

pitfalls:

- If you want that an AE only provides Studies which Study Access Control ID matches one of its configured Access Control ID(s), you have to ensure, that there are no Studies with no Access Control ID.

- If there is an AE with no configured Access Control ID(s), you have to take care that it only accepts Association Requests from clients which are authorized to access Studies with any Access Control ID.

To view this discussion on the web visit https://groups.google.com/d/msgid/dcm4che/HE1PR0401MB265003DC638592040332E94BCF090%40HE1PR0401MB2650.eurprd04.prod.outlook.com.

[Niels Wahlgreen]

Hi Gunter,

Thanks a lot. 

We tried creating Access Control based on this guide: https://github.com/dcm4che/dcm4chee-arc-light/wiki/Access-control-based-on-Archive-AEs

The result is, as you warned, that even though Access Control for the AE is set to an Access Control ID, all the existing studies are accessible when querying that AE. 

Questions:

- Will studies with Access Control ID * be visible regardless of Access Control setting for the AE?

- Does this mean, that the only way to accomplish Access Control, is to somehow set an ID for all existing studies on the server? And is it possible to do that after they have been stored on the server (we have already migrated years 2011-2015 to the server, so about 8TB of studies). 

- Is there somewhere to view the Access Control ID of a study?

I really appreciate your help, and I hope that you can point me in the right direction for this. Thanks.

Kind regards,

Niels

[Gunter Zeilinger]

- Will studies with Access Control ID * be visible regardless of Access Control setting for the AE?

Right.

- Does this mean, that the only way to accomplish Access Control, is to somehow set an ID for all existing studies on the server? And is it possible to do that after they have been stored on the server (we have already migrated years 2011-2015 to the server, so about 8TB of studies). 

There is a RESTful service to update Study Access Control ID of matching Studies . (There is an open issue make use of it from the UI). Just realized, that its actual path does not reflect the specification. E.g.:

$ curl -v -X POST http://localhost:8080/dcm4chee-arc/aets/DCM4CHEE/access/STORESCU?SendingApplicationEntityTitleOfSeries=STORESCU
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /dcm4chee-arc/aets/DCM4CHEE/access/STORESCU?SendingApplicationEntityTitleOfSeries=STORESCU HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin, content-type, accept, authorization
< Access-Control-Allow-Credentials: true
< Content-Type: application/octet-stream
< Content-Length: 11
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
< Date: Tue, 04 Jun 2019 06:54:18 GMT
<
* Connection #0 to host localhost left intact
{"count":6}

=> Assigns Access Control ID "STORESCU" to Studies with Series received from AE "STORESCU"

Alternatively you may set it directly by SQL:
update study set access_control_id='default' where access_control_id='*';

- Is there somewhere to view the Access Control ID of a study?

It's returned in private Attribute (7777,1027) LO in QIDO-RS responses and therefore shown as Study Attributes in the UI.

--

You received this message because you are subscribed to the Google Groups "dcm4che" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dcm4che+u...@googlegroups.com.
To post to this group, send email to dcm...@googlegroups.com.
Visit this group at https://groups.google.com/group/dcm4che.

To view this discussion on the web visit https://groups.google.com/d/msgid/dcm4che/5a1157a7-0a3c-4bde-acda-41459f10eac3%40googlegroups.com.

[Niels Wahlgreen]

Thanks a lot, I will update it tomorrow with SQL, that looks like a very fast and easy solution for this.

Again thanks, your help is very appreciated.

[Niels Wahlgreen]

Using SQL to update Access to update access_control_id worked perfectly.

 

Thanks again 😊

--
You received this message because you are subscribed to the Google Groups "dcm4che" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dcm4che+u...@googlegroups.com.
To post to this group, send email to dcm...@googlegroups.com.
Visit this group at https://groups.google.com/group/dcm4che

.
To view this discussion on the web visit https://groups.google.com/d/msgid/dcm4che/CAEoJp8xHwkoq8%3Dyb-faKZFmFATPK8L7nyOBM7sqkU%2BSRd1_oWA%40mail.gmail.com.