Skip to main content
Access control determines who can view, modify, or manage resources in Carelane. The system uses role-based access control (RBAC) to manage permissions.

Access Control Model

Role-Based Access Control

Permissions are assigned through roles: 
User → Role → Permissions → Resources
ComponentDescription
UserIndividual account
RoleSet of permissions
PermissionsAllowed actions
ResourcesData and features

Permission Scopes

ScopeWhat It Controls
OrganizationOrganization settings and membership
StudyStudy configuration and oversight
SiteSite operations and participant data
Service ProviderProvider-specific access

Assigning Access

Organization Access

1

Invite to Organization

Admin invites user via email.
2

Assign Role

Select Administrator or Member.
3

User Accepts

User accepts invitation.

Study Access

1

Navigate to Study Team

Open Study Settings > Team.
2

Add Member

Add organization member to study.
3

Assign Study Role

Select appropriate study role.

Site Access

1

Navigate to Site Team

Open Site > Team.
2

Invite Member

Invite user to site.
3

Assign Site Role

Select appropriate site role.

Access Hierarchy

Users may have roles at multiple levels:
LevelInheritance
OrganizationDoes NOT grant study access
StudyDoes NOT grant site access
SiteSite-specific only
Each level requires explicit role assignment. Organization administrators must still be assigned study roles to access study data.

Common Access Patterns

Study Administrator Pattern

ScopeRole
OrganizationMember
StudyStudy Administrator
SitesAs needed

Site Investigator Pattern

ScopeRole
OrganizationMember
StudyNone (or Collaborator)
SitePrimary Investigator

Access Review

Conduct regular access reviews:
1

List All Access

Document current access by user.
2

Verify Necessity

Confirm each user needs their access.
3

Update

Remove or modify inappropriate access.
4

Document

Record the review.

Principle of Least Privilege

Grant minimum necessary access:
DoDon’t
Assign specific rolesGive everyone admin
Grant site access only where neededGrant all-site access
Review and remove unused accessLet access accumulate

Revoking Access

When access should be removed:
1

Identify Scope

Determine what access to remove.
2

Remove Role

Remove the role assignment.
3

Verify

Confirm access is revoked.
Removing access is immediate. Ensure you’re removing the correct access.

Access Logging

All access-related actions are logged:
EventLogged
Role assignmentYes
Role removalYes
LoginYes
Resource accessYes

Best Practices

Grant only the access needed for the job.
Review access quarterly at minimum.
Remove access immediately when no longer needed.
Record why access was granted.

Roles & Permissions

Complete role reference.

Audit Trails

Access logging.