Monique Araujo
unread,Jul 6, 2026, 1:43:46 PM (3 days ago) Jul 6Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to dcm4che
Environment: dcm4chee-arc-psql 5.34.2-secure + Keycloak 26.0.6, via docker-compose.
Goal: restrict visibility of studies from a specific institution/unit (e.g. "Metropolitano") so that other units (e.g. CEDC) cannot see them in the Web UI.
What I've already configured:
Store Access Control ID Rule (Configuration → Devices → dcm4chee-arc → Extensions → Device Extension → Archive Device → Store Access Control Rules):
Condition: IssuerOfPatientID=RISMETROPOLITANOPB
Store Access Control ID: METROPOLITANO
Entity: Study
Confirmed working: when a new study is received with that Issuer of Patient ID, the Study Access Control ID (7777,1027) field correctly shows METROPOLITANO in the study details.
In Keycloak, on the dcm4chee-arc-rs client:
Enabled "Client authentication" and "Authorization"
Created a Resource METROPOLITANO with the accessControlID scope
Created a group metropolitano-viewers (with the users who should have access)
Created a Group Policy pointing to that group
Created a Permission linking the METROPOLITANO resource to the group Policy
Problem: even though the study is correctly tagged with Study Access Control ID = METROPOLITANO, it's still visible in the Web UI to all users, including those who are not in the metropolitano-viewers group.
Question: has anyone successfully configured this full flow (Access Control ID + Keycloak Authorization Permissions)? What could be missing?
Captura de tela 2026-07-06 142920.png
Captura de tela 2026-07-06 143126.png