Roles

[amsalama]

Hello,
i have multi-client that push dicom to my dcm4chee-arc v5.
but i need for same client user can post and other user not.
for example client1 : user1 can send dicom, other query.
for query : query only studies that client send only not all studies.

[vrindanayak]

@amsalama : By default dockerized secured archive comes pre-configured with 2 roles / users for archive UI.
Roles : admin / user
Users : admin / user

User admin has both roles mapped to it whereas user user has only user role mapped to it. The archive is also pre-configured with a set of UI permissions - some permissions available for both users whereas some are exclusive only to the admin user.

Depending upon your use case for eg. Action - Studies - Upload File in study UI permission has only admin role configured to it. This means only admin user can upload bulkdata file to a study. You may choose to assign admin role to your users which shall have the permission to execute these functions.

For your last point
for query : query only studies that client send only not all studies.
See Access Control

[gunterze]

Guess, you does not mean "roles" of users authenticated by Open ID in HTTP requests to the Archive Web UI or RESTful service.
You may configure different sets of Transfer Capabilities provided by different Archive Network Application Entities which specified Accepted Calling AE Title(s).
S.o. DICOM PS 3.15, H.1.1 Data Model Component Objects

Currently, there is no corresponding feature like "Accepted User Roles" for restricting access by RESTful services associated with a particular Archive AE.

[amsalama]

Thanks for Reply :
but You refer me to UI permission only
Also About API and TCP permission .
for example : Client1 Push to AET1 using API(curl) or TCP (storescu/tls)
client1 have 2-users,first using API for pushing and and second user used for full permissions
also first user can not list devices, can not list AET and so on,but second user can do any thing.
and also for TCP : first user can storescu but can not query , second user full permissions.

Also Client2 (2-user) Push AET2 only not able to list all DEVICES not able to list AET'S
but only able to push to AET2,also first user for Client2 can only store to AET2 only and can not query for AET2

Thanks

I hope very quickly response.

[gunterze]

You may configure different sets of Transfer Capabilities provided by different Archive Network Application Entities which specified Accepted Calling AE Title(s).

refers to Storage, Query/Retrieve by DIMSE Services C-STORE, C-FIND/C-MOVE/C-GET.

[amsalama]

Thanks,
" Currently, there is no corresponding feature like "Accepted User Roles" for restricting access by RESTful services associated with a particular Archive AE."

this feature can do in which version ?
Is this going to be done?

[gunterze]

Currently, there is no corresponding feature like "Accepted User Roles" for restricting access by RESTful services associated with a particular Archive AE.

would only applies to RESTful services: STOW/QIDO/WADO.

What are you currently using for storage/query/retrieve?

[amsalama]

for restful i create shell script using curl
for storage i am use dcm4che storescu and other command line from dcm4che.

question : if any clients have token can list and download studies that not related to him and this is critical issue.

[gunterze]

So storage can already be restricted by setting Accepted Calling AE Title(s) and removing STOW-RS from Web Service Class(s).

Will think about how to provide user specific access restriction by RESTful services. Configuration of "Accepted User Roles" is just one option ...

[amsalama]

Can I remove CONFIG-RS from restful ?

[gunterze]

Think currently only configured STOW-RS/QIDO-RS/WADO-RS is checked by RESTful services, others only by the Archive UI

[vrindanayak]

Think currently only configured STOW-RS/QIDO-RS/WADO-RS is checked by RESTful services, others only by the Archive UI

STOW-RS/QIDO-RS/WADO-RS and WADO-URI is checked by RESTful services - Yes

others only by the Archive UI : @amsalama : This is configurable by UI Permissions - You may choose to edit roles for certain permissions or if a particular permission is deleted, the corresponding function doesn't show up in the UI.