CTP Authentication and Privileges
This article describes the authentication mechanism mechanism used by the CTP web servers and pipeline stages. The primary intended audience for this article is CTP administrators. A prerequisite for fully understanding this article is CTP-The RSNA Clinical Trial Processor.
1 Admin Web Server Privileges
The admin web server recognizes the following privileges:
- admin grants a user access to administrative servlets that are restricted for security:
- User Manager Servlet allows for the creation of users and the assignment of roles. The admin privilege does not allow the user to modify users with the shutdown privilege or to assign that privilege to any user.
- ID Map Servlet provides access to the ID Map database, which supports queries for translation between PHI and anonymized ID values.
- Object Tracker Servlet provides access to the Object Tracker database, which supports queries for objects which have been processed.
- DICOM Anonymizer Configurator Servlet allows editing of DICOM anonymizer scripts.
- Script Editor Servlet allows editing of XML and Zip anonymizer scripts.
- Lookup Table Editor Servlet allows editing of DICOM anonymizer lookup tables.
- qadmin grants a user the ability to delete or requeue objects in quarantines. This privilege is not required just to view the contents of the quarantine, however.
- shutdown grants a user the ability to shut down the CTP application. It also grants a user the ability to modify all users and all privileges in the User Manager Servlet. (Note that the CTP application accepts shutdown requests from any authenticated user on the computer which is running CTP.)
2 HttpImportService Privileges
The HttpImportService can be configured to require authentication on each file submission. When so configured, the submission must include the credentials of a user which has been granted the following privilege:
- import grants a user authority to submit files.
3 FileStorageService Privileges
The FileStorageService pipeline stage includes a web server which has servlets to provide access to the stored files. The FileStorageService web server can be configured to enforce access control at the level of a FileSystem. The servlets recognize the following privileges:
- delete grants a user the ability to delete studies in any FileSystem.
- guest identifies a user as someone who can be granted read access to a specific FileSystem by the owner of that FileSystem.
- proxy grants a user the ability to manage the guest list of any FileSystem.
- read grants a user the ability to view studies in any FileSystem.
4 CTP Administration User Configurations
A typical administrator who has full control over the system would be granted all privileges except import (which only makes sense for remote sites which submit files). When CTP is first installed, a standard user of this type is included (username king; password password).
Clinical trial administrators who are not allowed to shut down the system would be granted all privileges except shutdown and import. When CTP is first installed, a standard user of this type is included (username admin; password password).
5 FileStorageService User Configurations
In a system used to distribute studies to referring physicians, FileSystems would typically be organized by PatientID, and referring physicians would have the guest privilege. A technologist or secretary might be granted the proxy privilege to allow that person to add the appropriate physician to the guest list on behalf of the patient, thus granting the physician the ability to see the patient's studies.
In a system used for research data management, all users might be granted the read privilege, but only certain users might be granted the delete privilege, the latter just so that they can manage the storage of the system.
Unless a user has the read privilege, the user is allowed to access only his own FileSystem (the FileSystem with the same name as his username), the __default FileSystem, and any FileSystem which contains his username in its guest list. In addition, the user can access the GuestListServlet so that he may invite guests to view his FileSystem.
A user can always delete studies from his own FileSystem, but he can only delete other studies if he has the delete privilege.