Got feedback or spotted a mistake?

Leave a comment at the end of this page or email contact@krishagni.com

Roles and Privileges

Introduction

OpenSpecimen allows controlling data access by assigning roles to users. The privileges can be controlled at a very granular level for each resource in the system.

OpenSpecimen provides default roles that administrators can assign to different users. To view details about the default user roles, follow the steps below:

  1. Navigate to the 'Roles' card. 

  2. Click on any of the roles to view more information. 

Only Super Admins can create custom roles or edit existing roles.

Privileges specific to Super Administrators

| Privileges | Description |
|---|---|
| Institute | To create one or more institutes in OpenSpecimen |
| User accounts | Only super admins can create other super admins |
| Extras>>Audit log | Generation of the audit logs |
| Extras>>Database Console | Access to the database console |
| Extras>>API call logs | History of API call logs |
| Extras>>Backups | For setting up database and data file backups |
| Extras>>Dropdown manager | To manage values to be displayed in the dropdowns |
| Extras>>Identity providers | To create and manage user authentication providers |
| Extras>>Import records | To upload the data from multiple files at the same time |
| Extras>>Print rules | To create and manage specimen label print rules |
| Extras>>Specimen units | To add, edit, and delete the specimen units |
| Extras>>Upgrade history | To view OpenSpecimen upgrade logs |
| System Settings | Allows super admins to update system settings. For more information, refer to https://openspecimen.atlassian.net/wiki/x/EQCtAg |
| Attach Form | Super admins can attach forms at different levels. For more information, refer to Attach Forms at Different Levels - OpenSpecimen - Confluence (atlassian.net) |

Default Roles

OpenSpecimen is installed with some default roles. The default roles are listed below with their descriptions.

Do not edit the default roles shipped with OpenSpecimen, as it will cause issues with access across the system. It is suggested to create new roles as per requirement.

| Name | Description |
|---|---|
| Administrator | Users can perform all operations within the assigned sites. |
| Coordinator | Users can perform all operations within the assigned protocols within the same site. |
| Principal Investigator | The user has read access to all data within the assigned protocols. |
| Researcher | The user has read access to non-PHI data within the assigned protocols and its catalog request. |
| Technician | Users can perform specimen operations without access to PHI data within the assigned protocols. |
| Tissue Banker | Users can perform all operations within the assigned protocols. |
| Clinician (v6.2) | Users can register participants and collect and ship primary specimens within assigned protocols. (The user cannot access child specimens, containers, and other workflows.) |
| Consent Collector (v7.0) | Users can perform all the operations on the Participant (PHI), Consent, and Query modules. |

Resources

The resources define the module and data entry access given to the user.

| Resources | Description |
|---|---|
| Participants(DeId) | Users will only be able to access and see the de-identified (non-PHI) data of the participant. |
| Participants(PHI) | Users can access all data of the participant, including identified fields (PHI) like name, birth date, MRN, etc. If the Participants(PHI) resource privilege is given to the user, Participants(DeId) can be skipped. |
| Primary Specimens | Users will have access to primary specimens only. |
| Specimens | Users will have access to specimens of all the lineages, i.e. primary, derived, and aliquots. |
| Gels | Gives access to the Gels module. Refer to the wiki page for more details on Gels. |
| Shipping and Tracking | Users will have access to ship and receive the specimens/containers within sites that use OpenSpecimen. Gives access to the Shipment module. Refer to the wiki page for more details on Shipment. |
| Jobs | Users will have access to the Jobs module. Refer to the wiki page for more details on Jobs. |

Privileges of Users

| Resource | Access To |
|---|---|
| Collection Protocols | Collection Protocols based on the configuration in the user's role tab. |
| Consent Response | Consent responses within a Collection Protocol or Distribution Protocol. Note: Only super admins can add/edit the Consents at the global level. |
| Distribution Protocols | Distribution Protocols based on users' sites. |
| Gels | Gels based on users' sites. |
| Jobs | Users can only see jobs created by or shared with them. |
| Orders | Orders for the DPs they have access to. |
| Primary Specimens | Primary specimens for the CPs they have access to. Note: This is typically given to Clinical Coordinator staff, who are responsible for collecting the primary specimens. |
| Participant (PHI) | All participant data (PHI and de-identified). |
| Participant (DeId) | Only de-identified fields. NOTE: Users with 'Participant (DeId)' read, create, update, delete permissions will not be able to register a new participant within the CP. They can only see the existing participants, collect new visits, and add specimens. |
| Path Report | Can upload and access pathology reports. It also contains additional controls to lock/unlock path reports. This can be used if path reports will be locked after manual review or de-identification. |
| Query | Query module. |
| Specimens | All specimens (primary, derivative, and aliquots) for their CPs. |
| Storage Containers | Containers within their site. Note: Container types can be added only by super admins and institute admins. |
| Shipping and Tracking | Shipments within their site. |
| Supplies | Supplies based on their CP and site access. |
| Users | Users within their institute. |
| Visits | Visits for their CPs. |
| Catalogs | Users can access catalogs and their requests. |

PHI Fields

The below fields marked as PHI in OpenSpecimen won't be visible to the roles with 'Participant (DeId)' privileges:

  1. First Name

  2. Middle Name

  3. Last Name

  4. Birth Date

  5. Social Security Number

  6. Death Date

  7. Master Patient Index

  8. Medical Record Number (MRN)

  9. Surgical Pathology Number

  10. Any custom fields marked as PHI.

Edit Default Roles

  1. The default role listed below should not be renamed or edited. It gets auto-assigned to specific users, as stated below:

| Role | Auto-assigned to |
|---|---|
| Administrator | Institute Administrator, Site Coordinators |

  2. The rest of the default roles can be edited.

  3. No role can be deleted via UI.

  4. While editing a role, keeping at least one resource privilege is mandatory.

  5. Editing means you can assign or unassign permissions to a user or altogether remove a resource.

  • Sign in as Super admin → Navigate to Roles

  • Click on the role you wish to edit, for example, Administrator.

  • Click on edit → Go to any resource, for example, Supplies.

  • To give only read access, tick only the read permission.

  • If you wish not to provide import-export access, then untick the import-export permissions.

  • Click on the delete icon to remove the privilege.

  • Once provided with all required access, click the 'Update' button.

Add Coordinator or PI at CP Level

  1. CP level PI and coordinators are not assigned any role by default.

  2. After creating the CP, the admin has to manually assign specific roles to all the users who need to access the CP.

Provide Researcher access to edit request

  1. Researchers can edit their request (if it's pending) if they have 'Read' access to the 'Catalog' resource.

  2. Ensure the researcher also has access to non-PHI data displayed in the catalog.

Create Custom Role

You can create new roles to suit your local needs.

  1. Log in as a super admin user.

  2. Click the 'Roles' card from the home page.

  3. Click the 'Create' button, and enter valid details.

  4. Click the 'Resources' dropdown and select the desired resources.

  5. Check the checkboxes of the privileges assigned to selected resources and click 'Create.' 

  6. Repeat steps 4 & 5 to add new resources.

Import / Export

If you have the 'Exp/Imp' privilege along with 'Create' or 'Update' on any resources, you can perform bulk import and export operations of those resources.
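The rules stated on this page can be checked mechanically when reviewing custom roles. The following is an added example, not OpenSpecimen code: it audits role definitions for an empty role, a redundant 'Participant (DeId)' grant, bulk import/export on 'Participant (PHI)', and a 'Create' grant on 'Participant (DeId)' that will not allow registration. The `{resource: {privileges}}` layout, the finding names, and the sample roles are assumptions constructed for illustration.

```python
# Added example: audit role definitions against rules stated on this page.
# The {resource: {privileges}} layout and finding names are constructed for
# illustration; this is not an OpenSpecimen export format or API.
PHI, DEID = "Participant (PHI)", "Participant (DeId)"

def audit_role(resources):
    """Return sorted finding codes for one role's resource -> privileges map."""
    granted = {res: set(privs) for res, privs in resources.items() if privs}
    findings = set()
    if not granted:
        # "keeping at least one resource privilege is mandatory"
        findings.add("no-resource-privilege")
    phi, deid = granted.get(PHI, set()), granted.get(DEID, set())
    if phi and deid:
        # PHI access already covers de-identified data, so DeId can be skipped
        findings.add("redundant-deid")
    if "Exp/Imp" in phi and phi & {"Create", "Update"}:
        # Exp/Imp plus Create or Update enables bulk import/export of the
        # resource, here including identified fields (name, MRN, ...)
        findings.add("bulk-phi")
    if "Create" in deid and "Create" not in phi:
        # Per this page's NOTE: DeId privileges do not allow registering a
        # new participant, so this Create grant will not do what is expected
        findings.add("deid-create-cannot-register")
    return sorted(findings)

def audit_roles(roles):
    """Map role name -> findings, keeping only roles that have findings."""
    report = {name: audit_role(res) for name, res in roles.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample roles (not the shipped defaults).
SAMPLE_ROLES = {
    "Read-only researcher": {DEID: {"Read"}, "Query": {"Read", "Exp/Imp"}},
    "Data manager": {PHI: {"Read", "Create", "Update", "Exp/Imp"},
                     DEID: {"Read"}},
    "Bench tech": {DEID: {"Read", "Create", "Update"},
                   "Specimens": {"Read", "Create", "Update"}},
    "Placeholder": {},
}

if __name__ == "__main__":
    for role, found in audit_roles(SAMPLE_ROLES).items():
        print(f"{role}: {', '.join(found)}")
```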

Query Resource (v6.3)

  1. The 'query' resource allows you to access the query module.

  2. CRUD + IE rights on the 'Query' resource are added to all the system-shipped roles except 'Researcher'. By default, the 'Researcher' role acquires only the Read and IE rights.

  3. Users who do not have Read privilege on the 'Query' resource will not be able to view the query module in OpenSpecimen.

  4. More details on operations associated with every privilege on query resource: Query Resource Privilege.
