I have a potential issue where I'm not sure if I'm just using Castellum wrong or if I found a (potentially severe) security problem. We are currently on Castellum 0.87.0.
We found that all users who are "Study manager" locally within a study (Study->Details->Member management) have the ability to edit sensitive data of all subjects. All they have to do is make themselves local subject manager in member management if they aren't already, and then add the subject they want to edit to their own study.
Background:
We have users who own studies and are responsible for the experiments, recruitment, etc. (study owners). They therefore need the permission to modify their own study and e.g. send out recruitment emails, add sessions, add other users as collaborators, add subjects, etc. In order for those users to do that, in "member management", I have to give them the role "Study Manager" and probably also "Subject manager" for that study. This has two implications:
Is there any way to give a user permission to manage their own study without making them a de-facto subject manager? We consider subject manager a highly sensitive role and cannot give it to all study owners.
I'm happy to answer any questions you might have about our specific situation.
Best, Dario
Edit: I updated the text to make it clearer what the issue is.
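The escalation path described in the post above, modelled as an added example (it is not part of the original post and not Castellum's code). The role names, permission names and the `no_escalation` rule are hypothetical; the role table is constructed for illustration.

```python
# Constructed role model; names are hypothetical, not Castellum's real permission codenames.
ROLES = {
    "study_manager": {"change_study", "change_membership"},
    "subject_manager": {"change_subject"},
    "recruiter": {"view_subject"},
}
GRANT = "change_membership"  # holder may assign roles inside the study


def _perms(held, roles):
    """Union of the permissions of all roles in `held`."""
    return set().union(*(roles[r] for r in held)) if held else set()


def reachable_permissions(start_roles, roles=ROLES, can_grant=None):
    """Permissions a user can end up with by repeatedly assigning roles to themselves."""
    can_grant = can_grant or (lambda perms, role: True)  # unrestricted: any role is grantable
    held = set(start_roles)
    changed = True
    while changed:
        changed = False
        perms = _perms(held, roles)
        if GRANT not in perms:
            break  # without membership management nothing more can be self-assigned
        for role in roles:
            if role not in held and can_grant(perms, role):
                held.add(role)
                changed = True
    return _perms(held, roles)


def no_escalation(perms, role, roles=ROLES):
    """Hardened rule: a role is grantable only by someone already holding all of its permissions."""
    return roles[role] <= perms


def escalation_paths(sensitive, roles=ROLES, can_grant=None):
    """Roles that lack `sensitive` but can reach it through self-assignment."""
    return sorted(r for r, p in roles.items()
                  if sensitive not in p
                  and sensitive in reachable_permissions({r}, roles, can_grant))
```

Running `escalation_paths` over a real role export before each permission change gives a quick regression check that no role with membership management can reach a permission it was not meant to have.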
Thanks for the hint, I was not aware of those additional, inconsequential permissions.
I agree, a user who can manage study members can elevate their own permissions within a study. So we have to think thoroughly about whom to give those permissions.
As you already wrote, our goal is to have a standard set of exportable attributes/domains which we consider to be less sensitive, but of scientific value (e.g. handedness is not identifying information, but important for data interpretation in many experiments). Right now we have a study manager role who will set up the study and then add the study responsible scientist as a member. The scientist should be able to perform experiments, define sessions, change recruitment filters and in the best case add colleagues. They do not, however, need to fiddle with domains and shouldn't be able to remove those exportable attributes. I understand your concerns about blanket exports of attributes. If you have a different idea on how to solve our use case I'm open to suggestions. A (reduced) standard set of attributes which can only be augmented by the study responsible scientist for example is something I can imagine to work well.
Hello,
we'd like to allow users to modify aspects of their studies without having full control. In particular, I have users who need access to recruitment settings, session management and member management. However, I don't want them to be able to change exportable attributes, general domains, pseudonym domains.
While there are permission settings, e.g. for "sessions | session | can add session" or "studies | study membership | can change study membership", those settings have no effect until the user also has the "studies | study | can change study" permission, which gives them full control over the study.
Any chance to get that changed?
It certainly removes one of the two big roadblocks for ldap usage with castellum.
Permission management would still be an issue. Users who are members of certain ldap groups should also get assigned to corresponding groups in castellum. Right now, even with that setting changed, we'll have to have an admin log into castellum and assign users to the correct group every time a new user is added. Having that managed via ldap (where all other permissions are handled) would be much better.
OK, thanks for the info.
I just played around a bit. Looks like the "Unknown" setting in dropdown attributes causes this problem, setting the value to anything else (or to "Declined to answer") allows us to export the data.
So right now we have a way to work around this issue, but a fix would be highly appreciated.
This is more of a feature request than an issue
In Tübingen all subjects are required to fill out a questionnaire. In this questionnaire we record things like exam duration, subject discomfort, etc. Since this information is tightly linked to individual subjects and to experimental sessions, I think it could make sense to have this functionality in castellum. Instead of re-implementing this questionnaire externally and storing loads of subject/study-specific data in another tool we think it could make sense to handle this questionnaire directly in castellum.
Evaluating this questionnaire can give important scientific information such as (made up cases):
Attached you can find screenshots in our existing questionnaire.
What do you think about this? Do you also think this would be a useful addition to Castellum?
@mihai.vintiloiu can you please find the log files and send them to the team?
Now that I have an account I can comment: my colleagues who brought this to my attention asked for those highlights in forms with a large number of fields, such as study creation and subject creation (and maybe their corresponding "edit" fields).