Access Control Id - qr

[Ze Ay]

I created a Store Access Control Rule based on the institution name. ( https://github.com/dcm4che/dcm4chee-arc-light/wiki/Store-Access-Control)

I also added the Access Control ID to an AE.
( https://github.com/dcm4che/dcm4chee-arc-light/wiki/Access-Control )

When studies are received, the access control id is assigned correctly.

When i try a qr with calling aet using the one i added the access control id, i still get all the studies, Inclusive the ones with another Access Control ID.

Did I miss something?

[Vrinda Nayak]

Can you show the configurations (for Store Access and Access Control IDs) you did ?

[Ze Ay]

That’s my configuration.

[vrinda...@j4care.com]

Can't reproduce. See attached document with same configurations as yours (except for InstitutionName value in conditions)

> When i try a qr with calling aet using the one i added the access control id, i still get all the studies, Inclusive the ones with another Access Control ID.

Note : If the other studies have * as access_control_id, these will be returned always together with studies having your access_control_id

On Friday, June 12, 2020 at 9:22:48 AM UTC+2 zea...@gmail.com wrote:

That’s my configuration.

[Ze Ay]

Hi Vrinda,

thanks for your detailed answer!

I've only just got around to testing it again.

If I do find on the archive and use the aet OrgaEins as calling AET, I still get all results back, even the ones without Access Control ID.
Background is that a customer should retrieve data with his AET (viewer) and see only the data that is intended for him.

Did I misunderstand the usage for this setting?

Exemple call:
/opt/tools/dcm4che-3.3.8/bin/findscu -b OrgaEins -c dcm4...@10.200.129.51:11112 -L STUDY -r 00100010 -r 00100020 -r 00100030 -r 00100040 -r 00100021 -cancel 30

[vrinda...@j4care.com]

- even the ones without Access Control ID.

This implies studies which have * as access_control_id and as mentioned before, studies with * as access_control_id are returned back. Wildcard (*) is assigned as an access_control_id to studies received from Application Entities having no store access configuration.

For your use case, where the viewer should only see the data intended for it, in addition to your existing configuration, configure some default store access for other AEs in your archive, so that whenever a study is stored to the archive, it shall always have an access_control_id set to it. (For already stored studies with * as access_control_id, you can use sql to update it to some default value). After doing these changes, retry q/r with your viewer specific AET.

[zea...@gmail.com]

I just tried it. 

 

As a test I created the Access Control id orgaTest and set it for all studies (in my test environment only 4)

 

Then I sent in a study, which got the ID Orga_1.

I still get all the studys displayed.

/opt/tools/dcm4che-3.3.8/bin/findscu -b OrgaEins -c dcm4...@10.200.129.51:11112  -L STUDY -r 00100010 -r 00100020 -r 00100030 -r 00100040 -r 00100021  

[vrinda...@j4care.com]

Not reproducible. There is something either missing or wrong in your configurations. I've done the same steps as yours and I only see studies meant for Orga_1. See attached doc with configurations / tests

[Ze Ay]

Hi Vrinda,

Now I've discovered my mistake.

When I query the OrgaEins node, I only get back the data that was authorized.

But I thought the Use Case the other way round. So when I query the dcm4chee node as OrgaEins node, only the data is returned.
So in the example
findscu -b OrgaEins -c dcm4chee@localhost:11112 -L STUDY -r 00100010 -r 00100020 -r 00100030 -r 00100040 -r 00100021

Is that possible?

[Vrinda Nayak]

-   findscu -b OrgaEins -c dcm4chee@localhost:11112 -L STUDY -r 00100010 -r 00100020 -r 00100030 -r 00100040 -r 00100021

masks the calling AET i.e. FINDSCU. That means to the archive, it looks like OrgaEins has invoked the C-FIND instead of FINDSCU. The Access Control is always applied on Called AET, in this case DCM4CHEE.

Above C-FIND shall return studies having access_control_id as * in database and if you configured any Store Access Control for DCM4CHEE then those studies shall be returned as well.

Above C-FIND will not return studies which have access_control set for OrgaEins.