Hi OHDSI community,
I’m working with Atlas/WebAPI permissions and encountering a challenge regarding source-level access control for Person Profile.
I have the following permissions configured for a user:
*:person:*:get:dates
source1:person:*:get
source2:person:*:get
source3:person:*:get
*:person:*:get
My goal is to deny access to source3, so I want to assign permissions for source1 and source2 only, without granting the global *:person:*:get permission.
However, if I exclude both source3:person:*:get and *:person:*:get, the user cannot see profiles for source1 and source2 (output: can’t find {Person Num}). It seems that without the global wildcard permission, access to source-specific data is blocked or the UI/API doesn’t render those profiles.
But if I grant the global permission *:person:*:get, the user can access person profiles on all sources including source3, which I want to avoid.
My questions:
Is this expected behavior in the current Atlas/WebAPI permission model?
Is there a way to allow access to only specific sources (e.g., source1 and source2) without granting the global *:person:*:get permission?
ATLAS Version 2.15.0
WebAPI Version 2.15.1
Thanks in advance for any insights or advice!
Hi, I got this message, and I need to look at how the permissions are evaluated in the code, but there’s an endpoint that will get you the patient profile and then potentially another one that is used to get patient level data. You’ll need all necessary permissions and there should be a way to restrict permissions to specific sources. However, it may be a bit of a ‘permission exercise’ in that if the default behavior is to allow access to patient profiles to any source (the *:person:*:get permission) by granting that permission to Atlas Users, then you will either need to remove that permission from atlas Users (and grant the permission to all the other users you want to have access) or you will create a new permission group (what we call a ‘role’) and grant all the perms you want to that role, and then move the person you want to restrict to the specific source into that role.
But I need to look at the code closer because I need to understand how permissions to a source intersect with the permission to view profiles. So please give me some time to re-educate myself on how the permissions work in patient profiles and I’ll come back with more difinitive info.
Thanks so much for the quick response! I really appreciate you taking the time. The profile feature in ATLAS really helps us with quickly inspecting sample patients and revising cohort definitions. Being able to manage source-level access would be super helpful to allow all our colleagues to use the feature.
Looking forward to hearing what you find once you’ve had a chance to review the code!