Difference between revisions of "CTP Authentication and Privileges"

From MircWiki
Line 22: Line 22:
 
* <b>qadmin</b> grants a user the ability to delete or requeue objects in quarantines. This privilege is not required just to view the contents of the quarantine, however.
 
* <b>qadmin</b> grants a user the ability to delete or requeue objects in quarantines. This privilege is not required just to view the contents of the quarantine, however.
  
* <b>shutdown</b> grants a user the ability to shut down the CTP application. It also grants a user the ability to modify all users and all privileges in the User Manager Servlet.
+
* <b>shutdown</b> grants a user the ability to shut down the CTP application. It also grants a user the ability to modify all users and all privileges in the User Manager Servlet. (Note that the CTP application accepts shutdown requests from any authenticated user on the computer which is running CTP.)
  
 
==HttpImportService Privileges==
 
==HttpImportService Privileges==

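Review bot: the parenthetical added to the shutdown bullet ("accepts shutdown requests from any authenticated user on the computer which is running CTP") leaves it unclear whether "on the computer" means a request arriving over a local connection or an OS account on the host, and whether the shutdown privilege is therefore only checked for remote requests; suggest stating that explicitly, since an administrator reading the privilege list would otherwise assume that withholding shutdown from a user prevents that user from stopping CTP.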
Revision as of 01:23, 17 June 2009

This article describes the authentication mechanism used by the CTP web servers and pipeline stages. The primary intended audience for this article is CTP administrators. A prerequisite for fully understanding this article is CTP-The RSNA Clinical Trial Processor.

1 Authentication

The main CTP program and several of the pipeline stages include web servers which support authentication of users. Each web server has a collection of servlets which provide access to information or functional control. Web servers only enforce authentication requirements. Servlets and pipeline stages enforce access control based on the privileges assigned to the user. Non-authenticated users are only granted access to public information.

When authentication is required, a web server verifies that the user is authenticated on each transaction, and if not, displays a login page. After a successful login, the user is directed to the original destination.

(Technical note: Once the user is authenticated, the system sets a session cookie on the client. The client must have cookies enabled for the authentication mechanism to work. It is not necessary to close the browser session to log in as another user, and it is also possible to log out. The home page of the web server provides links for both actions.)

The main CTP web server, called the admin server, has a User Manager servlet which allows users with certain privileges to create users and assign them privileges.

2 Admin Web Server Privileges

The admin web server recognizes the following privileges:

  • admin grants a user access to administrative servlets that are restricted for security:
    • User Manager Servlet allows for the creation of users and the assignment of roles. The admin privilege does not allow the user to modify users with the shutdown privilege or to assign that privilege to any user.
    • ID Map Servlet provides access to the ID Map database, which supports queries for translation between PHI and anonymized ID values.
    • Object Tracker Servlet provides access to the Object Tracker database, which supports queries for objects which have been processed.
    • DICOM Anonymizer Configurator Servlet allows editing of DICOM anonymizer scripts.
    • Script Editor Servlet allows editing of XML and Zip anonymizer scripts.
    • Lookup Table Editor Servlet allows editing of DICOM anonymizer lookup tables.
  • qadmin grants a user the ability to delete or requeue objects in quarantines. This privilege is not required just to view the contents of the quarantine, however.
  • shutdown grants a user the ability to shut down the CTP application. It also grants a user the ability to modify all users and all privileges in the User Manager Servlet. (Note that the CTP application accepts shutdown requests from any authenticated user on the computer which is running CTP.)
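The admin server rules above (admin-only servlets, the User Manager restriction that admin cannot touch shutdown users or grant shutdown, qadmin for quarantine changes, and the local-host exception for shutdown) can be written down as decision functions. The following is an added example, not code from CTP itself; the function names, the servlet labels and the `is_local` flag are assumptions of this example, not CTP identifiers.

```python
# Added example (not CTP's own code): the admin web server privilege rules as
# the article states them. Servlet labels, function names and `is_local` are
# assumptions of this example.

# Servlets the article lists as restricted to the "admin" privilege.
ADMIN_SERVLETS = {
    "UserManager", "IDMap", "ObjectTracker",
    "DicomAnonymizerConfigurator", "ScriptEditor", "LookupTableEditor",
}

def servlet_allowed(servlet, privileges):
    """An admin-restricted servlet needs the admin privilege; other servlets are public."""
    if servlet in ADMIN_SERVLETS:
        return "admin" in privileges
    return True

def can_modify_user(actor_privileges, target_privileges, new_privileges):
    """Can the actor change the target's privilege set to new_privileges in the User Manager?"""
    actor = set(actor_privileges)
    # shutdown may modify all users and all privileges
    if "shutdown" in actor:
        return True
    # the User Manager itself is an admin-restricted servlet
    if "admin" not in actor:
        return False
    # admin may not touch a user who already holds shutdown ...
    if "shutdown" in set(target_privileges):
        return False
    # ... nor assign shutdown to anyone
    if "shutdown" in set(new_privileges):
        return False
    return True

def shutdown_accepted(privileges, authenticated, is_local):
    """Shutdown needs the shutdown privilege, except that any authenticated user on the
    CTP host is accepted; is_local is an assumed flag for 'request came from that host'."""
    if not authenticated:
        return False
    return is_local or "shutdown" in privileges

def quarantine_action_allowed(action, privileges):
    """Viewing a quarantine needs no privilege; delete and requeue need qadmin."""
    if action in ("delete", "requeue"):
        return "qadmin" in privileges
    return action == "view"
```

The point a practitioner should take from `shutdown_accepted` is that the shutdown privilege only constrains remote callers; an account that can authenticate from the CTP host can stop the application regardless of its privilege set.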

3 HttpImportService Privileges

The HttpImportService can be configured to require authentication on each file submission. When so configured, the submission must include the credentials of a user which has been granted the following privilege:

  • import grants a user authority to submit files.

4 FileStorageService Privileges

The FileStorageService pipeline stage includes a web server which has servlets to provide access to the stored files. The FileStorageService web server can be configured to enforce access control at the level of a FileSystem. The servlets recognize the following privileges:

  • delete grants a user the ability to delete studies in any FileSystem.
  • guest identifies a user as someone who can be granted read access to a specific FileSystem by the owner of that FileSystem.
  • proxy grants a user the ability to manage the guest list of any FileSystem.
  • read grants a user the ability to view studies in any FileSystem.

5 CTP Administration User Configurations

A typical administrator who has full control over the system would be granted all privileges except import (which only makes sense for remote sites which submit files).

Clinical trial administrators who are not allowed to shut down the system would be granted all privileges except shutdown and import.

6 FileStorageService User Configurations

In a system used to distribute studies to referring physicians, FileSystems would typically be organized by PatientID, and referring physicians would have the guest privilege. A technologist or secretary might be granted the proxy privilege to allow that person to add the appropriate physician to the guest list on behalf of the patient, thus granting the physician the ability to see the patient's studies.

In a system used for research data management, all users might be granted the read privilege, but only certain users might be granted the delete privilege, the latter just so that they can manage the storage of the system.

Unless a user has the read privilege, the user is allowed to access only his own FileSystem (the FileSystem with the same name as his username), the __default FileSystem, and any FileSystem which contains his username in its guest list. In addition, the user can access the GuestListServlet so that he may invite guests to view his FileSystem.

A user can always delete studies from his own FileSystem, but he can only delete other studies if he has the delete privilege.
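The FileStorageService rules in the last two sections (read grants every FileSystem; otherwise a user sees only his own FileSystem, __default and FileSystems whose guest list names him; the owner or a proxy manages a guest list; only guest-privileged users are added to it; own studies are always deletable, others only with delete) form a small access-control model. The following is an added example, not CTP's own code; the `FileSystem` class, `add_guest` and the function names are assumptions of this example, and the check that a guest must hold the guest privilege is applied at the time the guest is added.

```python
# Added example (not CTP's own code): FileStorageService access rules as the
# article describes them. FileSystem, add_guest and the function names are
# assumptions of this example; __default is the name the article gives.
from dataclasses import dataclass, field

DEFAULT_FS = "__default"

@dataclass
class FileSystem:
    name: str                            # a user's own FileSystem carries his username
    guests: set = field(default_factory=set)   # usernames on the guest list

def can_view(user, privileges, fs):
    """read grants every FileSystem; otherwise own, __default or guest-listed only."""
    if "read" in privileges:
        return True
    return fs.name == user or fs.name == DEFAULT_FS or user in fs.guests

def can_delete(user, privileges, fs):
    """A user may always delete from his own FileSystem; any other needs delete."""
    return fs.name == user or "delete" in privileges

def can_manage_guests(user, privileges, fs):
    """The owner reaches the GuestListServlet for his own FileSystem; proxy reaches any."""
    return fs.name == user or "proxy" in privileges

def add_guest(actor, actor_privileges, fs, guest, guest_privileges):
    """Add guest to the guest list of fs; returns True on success, False if refused."""
    if not can_manage_guests(actor, actor_privileges, fs):
        return False
    # only a user holding the guest privilege can be granted guest access
    # (assumption of this example: enforced when the guest is added)
    if "guest" not in guest_privileges:
        return False
    fs.guests.add(guest)
    return True
```

In the referring-physician deployment described above, `add_guest("tech", {"proxy"}, fs, "drsmith", {"guest"})` is the technologist adding a physician on the patient's behalf; afterwards `can_view("drsmith", {"guest"}, fs)` is true for that one FileSystem and still false for every other patient's.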