# Access Control

> Managing who can access what in Carelane

Access control determines who can view, modify, or manage resources in Carelane. The system uses role-based access control (RBAC) to manage permissions.

## Access Control Model

### Role-Based Access Control

Permissions are assigned through roles:

```
User → Role → Permissions → Resources
```

| Component       | Description        |
| --------------- | ------------------ |
| **User**        | Individual account |
| **Role**        | Set of permissions |
| **Permissions** | Allowed actions    |
| **Resources**   | Data and features  |

### Permission Scopes

| Scope                | What It Controls                     |
| -------------------- | ------------------------------------ |
| **Organization**     | Organization settings and membership |
| **Study**            | Study configuration and oversight    |
| **Site**             | Site operations and participant data |
| **Service Provider** | Provider-specific access             |

## Assigning Access

### Organization Access

<Steps>
  <Step title="Invite to Organization">
    Admin invites user via email.
  </Step>

  <Step title="Assign Role">
    Select Administrator or Member.
  </Step>

  <Step title="User Accepts">
    User accepts invitation.
  </Step>
</Steps>

### Study Access

<Steps>
  <Step title="Navigate to Study Team">
    Open Study Settings > Team.
  </Step>

  <Step title="Add Member">
    Add organization member to study.
  </Step>

  <Step title="Assign Study Role">
    Select appropriate study role.
  </Step>
</Steps>

### Site Access

<Steps>
  <Step title="Navigate to Site Team">
    Open Site > Team.
  </Step>

  <Step title="Invite Member">
    Invite user to site.
  </Step>

  <Step title="Assign Site Role">
    Select appropriate site role.
  </Step>
</Steps>

## Access Hierarchy

Users may have roles at multiple levels:

| Level            | Inheritance                 |
| ---------------- | --------------------------- |
| **Organization** | Does NOT grant study access |
| **Study**        | Does NOT grant site access  |
| **Site**         | Site-specific only          |

<Note>
  Each level requires explicit role assignment. Organization administrators must still be assigned study roles to access study data.
</Note>
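
The explicit-assignment rule above, modeled as an added example (not Carelane's code or API): the `Assignment` record, the ids and the `PARENT` map are constructed for illustration. It puts a check that requires an explicit role next to one that wrongly lets parent roles flow down, which is the regression an authorization test should catch.

```python
from dataclasses import dataclass

# Hypothetical model for illustration; not Carelane's API or schema.
@dataclass(frozen=True)
class Assignment:
    user: str
    level: str     # "organization", "study" or "site"
    resource: str  # constructed id of the organization, study or site
    role: str

# Constructed sample data following the access patterns on this page.
ASSIGNMENTS = [
    Assignment("alice", "organization", "org-1", "Administrator"),
    Assignment("bob", "organization", "org-1", "Member"),
    Assignment("bob", "study", "study-A", "Study Administrator"),
    Assignment("carol", "organization", "org-1", "Member"),
    Assignment("carol", "site", "site-7", "Primary Investigator"),
]
# Constructed containment: (level, id) of each resource's parent.
PARENT = {
    ("study", "study-A"): ("organization", "org-1"),
    ("site", "site-7"): ("study", "study-A"),
    ("site", "site-8"): ("study", "study-A"),
}

def explicit_role(user, level, resource):
    """Role assigned at exactly this level and resource, or None."""
    for a in ASSIGNMENTS:
        if (a.user, a.level, a.resource) == (user, level, resource):
            return a.role
    return None

def can_access(user, level, resource):
    """Model described on this page: only an explicit assignment counts."""
    return explicit_role(user, level, resource) is not None

def can_access_inheriting(user, level, resource):
    """Contrast case: a check that wrongly lets parent roles flow down."""
    node = (level, resource)
    while node is not None:
        if explicit_role(user, *node) is not None:
            return True
        node = PARENT.get(node)
    return False

def over_grants(user, level, resource):
    """True where the inheriting check allows what the explicit model denies."""
    return can_access_inheriting(user, level, resource) and not can_access(user, level, resource)
```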

## Common Access Patterns

### Study Administrator Pattern

| Scope        | Role                |
| ------------ | ------------------- |
| Organization | Member              |
| Study        | Study Administrator |
| Sites        | As needed           |

### Site Investigator Pattern

| Scope        | Role                   |
| ------------ | ---------------------- |
| Organization | Member                 |
| Study        | None (or Collaborator) |
| Site         | Primary Investigator   |

## Access Review

Conduct regular access reviews:

<Steps>
  <Step title="List All Access">
    Document current access by user.
  </Step>

  <Step title="Verify Necessity">
    Confirm each user needs their access.
  </Step>

  <Step title="Update">
    Remove or modify inappropriate access.
  </Step>

  <Step title="Document">
    Record the review.
  </Step>
</Steps>

## Principle of Least Privilege

Grant minimum necessary access:

| Do                                  | Don't                 |
| ----------------------------------- | --------------------- |
| Assign specific roles               | Give everyone admin   |
| Grant site access only where needed | Grant all-site access |
| Review and remove unused access     | Let access accumulate |

## Revoking Access

When access should be removed:

<Steps>
  <Step title="Identify Scope">
    Determine what access to remove.
  </Step>

  <Step title="Remove Role">
    Remove the role assignment.
  </Step>

  <Step title="Verify">
    Confirm access is revoked.
  </Step>
</Steps>

<Warning>
  Removing access is immediate. Ensure you're removing the correct access.
</Warning>

## Access Logging

All access-related actions are logged:

| Event           | Logged |
| --------------- | ------ |
| Role assignment | Yes    |
| Role removal    | Yes    |
| Login           | Yes    |
| Resource access | Yes    |
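
An added example (not Carelane's code or export format) of the access review described earlier, driven by the event types in the table above: it replays role assignment and removal events to list current access by user, then flags grants with no resource access inside the review window. The event tuples, scope strings and the 90-day window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, event, user, scope, role).
# The layout is an assumption for illustration, not Carelane's log format.
EVENTS = [
    ("2024-01-05T09:00:00", "role_assignment", "bob", "study:study-A", "Study Administrator"),
    ("2024-01-10T09:00:00", "role_assignment", "carol", "site:site-7", "Primary Investigator"),
    ("2024-01-12T09:00:00", "role_assignment", "carol", "site:site-8", "Primary Investigator"),
    ("2024-02-01T09:00:00", "role_assignment", "dave", "study:study-A", "Collaborator"),
    ("2024-02-15T10:00:00", "resource_access", "carol", "site:site-8", None),
    ("2024-03-01T09:00:00", "role_removal", "dave", "study:study-A", None),
    ("2024-06-20T14:00:00", "resource_access", "bob", "study:study-A", None),
    ("2024-06-25T11:00:00", "resource_access", "carol", "site:site-7", None),
    ("2024-06-28T08:00:00", "login", "carol", None, None),
]

def current_grants(events):
    """Replay assignment/removal events in time order -> {(user, scope): role}."""
    grants = {}
    for ts, event, user, scope, role in sorted(events, key=lambda e: e[0]):
        if event == "role_assignment":
            grants[(user, scope)] = role
        elif event == "role_removal":
            grants.pop((user, scope), None)
    return grants

def last_access(events):
    """Latest resource_access timestamp per (user, scope); logins are not use of a grant."""
    last = {}
    for ts, event, user, scope, _ in events:
        if event == "resource_access":
            last[(user, scope)] = max(last.get((user, scope), ""), ts)
    return last

def review(events, as_of, window_days=90):
    """Per user: every active grant, marked 'in use' or 'unused' for the window."""
    cutoff = (datetime.fromisoformat(as_of) - timedelta(days=window_days)).isoformat()
    used = last_access(events)
    report = {}
    for (user, scope), role in sorted(current_grants(events).items()):
        seen = used.get((user, scope))
        status = "in use" if seen and seen >= cutoff else "unused"
        report.setdefault(user, []).append((scope, role, status))
    return report
```

Grants marked `unused` are candidates for the "Verify Necessity" step, not automatic removals.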

## Best Practices

<AccordionGroup>
  <Accordion title="Least Privilege">
    Grant only the access needed for the job.
  </Accordion>

  <Accordion title="Regular Reviews">
    Review access quarterly at minimum.
  </Accordion>

  <Accordion title="Prompt Removal">
    Remove access immediately when no longer needed.
  </Accordion>

  <Accordion title="Document Rationale">
    Record why access was granted.
  </Accordion>
</AccordionGroup>

## Related

<CardGroup cols={2}>
  <Card title="Roles & Permissions" icon="shield" href="/roles-permissions">
    Complete role reference.
  </Card>

  <Card title="Audit Trails" icon="clock-rotate-left" href="/security-compliance/audit-trails">
    Access logging.
  </Card>
</CardGroup>
