MRI Magnetom Trio syngoMR-pages-5
DICOM Nodes
For the security system, DICOM network nodes are treated as “virtual” user accounts. They are not intended for local logon; they are required for proper networking (transfer of data).
To set up the access rights for data being transferred from and to the network workstation, you should put each DICOM node into a user group and assign a role (this effectively assigns the workstation a user group and role). The relationship between user groups and patient groups defines the permissions on the data as well as the default patient group; the roles define the functional privileges of the DICOM nodes.
Tracking of User Activities
In syngo MR, the activities of a user are recorded in the audit trail, including the user’s identity. According to national regulations, it is not allowed to share user accounts.
TIP
Recommend that users use the Log In Different User function to switch users quickly at the workstation.
Multistage Security Setup
Security in syngo MR has a multistage security concept:
The following preparatory steps will help you to set up the security system from scratch. Depending on the options selected for your security system, you do not have to perform all steps:
❏ Get a license for the security system.
❏ Outline the intended user management system with the help of a drawing similar to the one shown below.
As a basis, outline the intended daily workflow at the system. For example, consider who can stand in as an acting physician and set up the necessary access rights accordingly.
For basic user management you need user accounts and groups. When using the functional check too, you also need to think about the organization of roles.
– For each patient group you can later grant groups and users the permission to have full control or no access to data that is marked with that patient group. You can also grant the right to modify the assigned patient group.
– Whenever a “real” user or a “virtual” DICOM node user creates new patient data on your system, a patient group that defines the access rights to the data can be applied. Registration of new patients or data received from a DICOM node are the most common ways new data is created.
– If studies of a patient are already stored in the local database, the existing patient group assignment is also used for any additional studies.
– After switching the data access check option of the security system on, you will find all of your patient studies in the STANDARD patient group.
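The following Python model is an added illustration of the data-access rules listed above and of the later statement that data access cannot be restricted while the data access check is off; it is not Siemens or syngo MR code. The class name DataAccessModel, its methods, and the user groups, patient groups and patient IDs used in it are constructed for this example, and it assumes a creating user's groups yield exactly one default patient group.

```python
# Illustrative model of the data-access rules above; not Siemens/syngo MR code.
# All group names, patient IDs and method names are constructed for this example.
FULL_CONTROL, NO_ACCESS = "full control", "no access"
STANDARD = "STANDARD"  # patient group existing studies end up in once the check is on


class DataAccessModel:
    def __init__(self):
        self.user_groups = {}            # user or DICOM node -> set of user groups
        self.permissions = {}            # patient group -> {user group: permission}
        self.default_patient_group = {}  # user group -> patient group applied to new data
        self.patient_group_of = {}       # patient ID -> assigned patient group
        self.data_access_check = False

    def add_user(self, user, *groups):
        self.user_groups[user] = set(groups)

    def define_patient_group(self, name, perms, default_for=()):
        self.permissions[name] = dict(perms)
        for group in default_for:
            self.default_patient_group[group] = name

    def enable_data_access_check(self):
        # Existing studies are all found in STANDARD once the check is switched on.
        self.permissions.setdefault(STANDARD, {})
        for patient in self.patient_group_of:
            self.patient_group_of[patient] = STANDARD
        self.data_access_check = True

    def store_study(self, user, patient):
        # A patient already in the local database keeps the existing assignment.
        if patient in self.patient_group_of:
            return self.patient_group_of[patient]
        # New patient (registration or data received from a DICOM node): apply the
        # default patient group of the creating user's group (assumed unambiguous).
        defaults = {self.default_patient_group[g] for g in self.user_groups[user]
                    if g in self.default_patient_group}
        if len(defaults) != 1:
            raise ValueError(f"no unambiguous default patient group for {user!r}")
        self.patient_group_of[patient] = defaults.pop()
        return self.patient_group_of[patient]

    def can_access(self, user, patient):
        # With the data access check off, no data access right can be restricted.
        if not self.data_access_check:
            return True
        perms = self.permissions.get(self.patient_group_of[patient], {})
        return any(perms.get(g) == FULL_CONTROL for g in self.user_groups[user])
```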
CAUTION
Source of danger: Behavior of secured systems.
Remedy:
NOTE
You have to set up the security system on every syngo MR workstation in your hospital except for satellite consoles, which take the security settings from their main console.
NOTE
In any case, the security system should never be configured during an acquisition.
❏ Create user accounts for every user who will work with the workstation. Do not forget to create at least one user account that is intended to stand in as both an administrator and security administrator.
→ Page B.2–25
❏ Check the personal administrator account(s) thoroughly to make sure they work properly. After finishing and testing the security configuration, we recommend disabling the built-in “Administrator” account or setting an individual password for it.
→ Page B.4–1
❏ Create the groups and roles of your user model. Add the corresponding users to those groups and roles. Do not forget to assign the user account(s) intended as administrator to both the groups and roles “Administrators” and “SecurityAdmins”.
→ Page B.2–35
❏ Create patient groups to define the various data access rights (= permissions). Assign them the desired user groups and set up the “default” patient group. If necessary, you can also set individual permissions at user level.
→ Page B.2–48
Securing the System
By activating the syngo MR security system, the customer service technician turns your system into a system with a high data protection level. The service technician needs the appropriate service key for service level 7.
CAUTION
Source of danger: There is no undo!
User management: Activates user management, which is the basis for all other security options. When activating any other security option, user management is also switched on automatically.
Data access check: Access to data is always provided in accordance with the current permissions. If this check box is not selected, you cannot restrict any data access rights.
Functional check: Access to functions is always provided in accordance with the privileges granted to a user role. If this check box is not selected, you cannot restrict the use of functions.
Auditing: Access to the system and configured actions are recorded in an audit trail.
✧ To confirm, click Save and Finish in the status bar of the window.
✧ End the service session and log off.
After a restart of the system, only authenticated and authorized persons can use the workstation.
Opening the Security Configuration Console
You need “Administrator” and “SecurityAdmin” rights to configure the security system.
TIP
Use the Show/Hide Console Tree icon if the tree view does not appear after start-up.
TIP
The items to be recorded in the audit trail are configured in the Audit Trail Viewer Console (→ Page B.2–88) and the storage parameters are set up in the Audit Trail Configuration dialog box (→ Page B.2–77).
User Accounts
For every user who will work with the system, create a user account and assign a password.
NOTE
Always work in the syngo MR Security Configuration; never use the Microsoft Management Console (MMC) to create or to manage user accounts. syngo MR extends the Windows security system with data security management and distinguishes between groups and roles.
Special User Accounts
The security system comes with some default and some internal user accounts, and automatically generates DICOM Node user accounts.
❏ Default users are delivered with the software and include, for example, the Administrator, the LocalServiceUser and the RemoteServiceUser.
❏ All internal users are essential for the system and indicated as such. We strongly recommend not changing the passwords of these users.
❏ DICOM nodes are required for remote network functions. They are created as soon as you configure the DICOM services (AET). You can only change the password and the group assignment of these users.
For a detailed list of the internal user accounts see → Page B.2–2.
Handling of Passwords
The password of a user in syngo MR never expires, but users are allowed to change their passwords on their own (depending on your security policy).
CAUTION
Source of danger: User access may be prevented due to forgotten or unknown accounts or passwords, or wrong setup (for example, in case of an emergency).

Creating a new User Account
One basic task for configuration is the creation of the necessary user accounts. A number of general user accounts come pre-installed with the system.
NOTE
Misuse of the emergency account defeats the security system!
Ensure that all users have been properly informed about the use of the emergency access account and the use of the password. Misuse of the account is illegal!
✧ Right-click the Users folder and choose New > User from the context menu.
Or
✧ Select the Users folder and choose the Action > New > User menu item.
The User tab card is displayed:
Name: Name of the user account (= logon name). Note that the name has to be unique within the system. The user name is not case sensitive. Only alphanumeric characters are allowed.
Full name: Information that helps to identify the user, for example, first name, second name and title of the user.
Description: Further information about the user (for example, his/her department).
New Password: The password that has to be entered by the user in order to log on to a workstation. The password is case sensitive.
Confirm Password: For validation purposes, the password has to be entered a second time. According to the hospital’s security policies, users in syngo may be allowed to change passwords on their own.
Account is disabled: If selected, the user account is set up but the user cannot log onto the system. You may use this option, for example, for users who are off-site for some time.
Password never expires: This option is selected by default and cannot be changed: the user’s password does not expire regularly (for example, this setting is important for the EmergencyAccess account).
User cannot change password: If selected, the user cannot change the password on their own. For the EmergencyAccess account, we strongly recommend disabling the change of password.

for Editing
✧ Open the syngo MR Security Configuration console.
→ Page B.2–22
✧ On the left-hand side, open the User Management folder.
✧ Click the Users folder.
All available user accounts are displayed on the right-hand side. You can identify the users by the information in the Name, Full Name and Description columns.
Modifying a User Account and Passwords
You can change the account properties or enable/disable an account. It is also possible to change the password for normal users and DICOM Nodes.
NOTE
We strongly recommend not changing passwords of any internal user accounts; otherwise important system services may no longer work properly.
✧ On the User tab card, you can change the Full Name and the Description of the user account.
✧ To change a password, type the desired password into the New Password field and repeat it in the Confirm Password field.
✧ To disable/enable the account, select/clear the Account is disabled check box.
✧ To prevent users from changing their password, select the User cannot change password check box.
The Member of tab card lists all groups (for data access) this user is assigned to.
The Owner of tab card lists all roles (for use cases or functional privileges) this user owns.
Deleting a User Account
You can delete user accounts that are no longer needed.
NOTE
For reasons of system integrity, it is not possible to delete internal users, DICOM nodes, and special users.
✧ Select the desired user account and choose the Action > Delete menu item.
✧ Confirm the security notice with Yes.
The user account is deleted.
About Groups and Roles
The syngo MR security system makes use of users, groups and roles.
❏ Groups are used to configure the same data access rights for a group of people (for example, everyone who works in a particular ward). We recommend that you create a user group for every team or department of your user model. Then you assign the user accounts that belong to that group.
❏ Roles are used to configure the same function execution privileges for people with similar tasks (for example, physicians, nurses, or assistants). You then assign the user accounts that will own that role.

Built-in Groups and Roles
By default, some general groups and roles are already installed. They are created automatically when you install the Windows operating system and syngo MR. These groups and roles are named identically:
❏ Emergency_Access
❏ SecurityAdmins
❏ syngoServiceUsers
No Group Hierarchies
Note that you cannot plan sub-groups (groups-in-groups), such as “Hospital” for hospital-wide permissions and “Neurology” for defining permissions for people working in the neurology department of the hospital.

Configuration Levels
The security configuration provides you two different ways to assign group members and owners of roles. Which one you prefer depends on your interest; it is often useful to switch between both:

Creating a new Group or Role
Because groups and roles are handled almost identically, their handling is described here together.