How to restrict exam visibility to each group/hospital unit?

16 views
Skip to first unread message

Monique Araujo

unread,
Jul 6, 2026, 1:43:46 PM (3 days ago) Jul 6
to dcm4che
Environment: dcm4chee-arc-psql 5.34.2-secure + Keycloak 26.0.6, via docker-compose.

Goal: restrict visibility of studies from a specific institution/unit (e.g. "Metropolitano") so that other units (e.g. CEDC) cannot see them in the Web UI.

What I've already configured:

Store Access Control ID Rule (Configuration → Devices → dcm4chee-arc → Extensions → Device Extension → Archive Device → Store Access Control Rules):

Condition: IssuerOfPatientID=RISMETROPOLITANOPB
Store Access Control ID: METROPOLITANO
Entity: Study
Confirmed working: when a new study is received with that Issuer of Patient ID, the Study Access Control ID (7777,1027) field correctly shows METROPOLITANO in the study details.
In Keycloak, on the dcm4chee-arc-rs client:

Enabled "Client authentication" and "Authorization"
Created a Resource METROPOLITANO with the accessControlID scope
Created a group metropolitano-viewers (with the users who should have access)
Created a Group Policy pointing to that group
Created a Permission linking the METROPOLITANO resource to the group Policy
Problem: even though the study is correctly tagged with Study Access Control ID = METROPOLITANO, it's still visible in the Web UI to all users, including those who are not in the metropolitano-viewers group.

Question: has anyone successfully configured this full flow (Access Control ID + Keycloak Authorization Permissions)? What could be missing?
Captura de tela 2026-07-06 142920.png
Captura de tela 2026-07-06 143126.png
Reply all
Reply to author
Forward
0 new messages