Skip to main content
openevidence-enterprise-rbac Configure OpenEvidence enterprise SSO, role-based access control, and organization management.
Use when implementing SSO integration, configuring role-based permissions,
or setting up organization-level controls for clinical AI applications.
Trigger with phrases like "openevidence SSO", "openevidence RBAC",
"openevidence enterprise", "openevidence roles", "openevidence permissions".
npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill openevidence-enterprise-rbac ai automation claude-code devops mcp ai-agents
OpenEvidence Enterprise RBAC
Overview
OpenEvidence delivers AI-powered clinical decision support using peer-reviewed medical literature. Enterprise RBAC controls access to clinical queries, PHI-adjacent data, and research datasets. Clinicians query evidence with full access. Researchers access de-identified datasets and can create study cohorts. Admins manage institutional access, SSO configuration, and compliance settings. HIPAA requires strict audit logging of every clinical query, PHI access event, and data export. Institutional access agreements define which evidence libraries each organization can query.
Role Hierarchy
Role Permissions Scope Institutional Admin Manage users, SSO config, compliance settings, usage analytics Organization-wide Clinician Query clinical evidence, view full citations, bookmark findings Institutional library Researcher Access de-identified datasets, create study cohorts, export data Approved studies Medical Student Query evidence with supervised access, no PHI datasets Educational library Auditor Read-only access to query logs and compliance reports Organization-wide
Permission Check
async function checkClinicalAccess(userId: string, resource: string, accessLevel: string): Promise<boolean> {
const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/permissions`, {
headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
});
const perms = await response.json();
const user = perms.members.find((m: any) => m.id === userId);
if (!user) return false;
const allowed = ROLE_ACCESS[user.role];
return allowed?.resources.includes(resource) && allowed.levels.includes(accessLevel);
}
Role Assignment async function assignInstitutionalRole(email: string, role: string, library: string): Promise<void> {
await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members`, {
method: 'POST',
headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
body: JSON.stringify({ email, role, libraryAccess: library, hipaaAcknowledged: true }),
});
}
async function revokeAccess(email: string): Promise<void> {
await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members/${email}`, {
method: 'DELETE',
headers: { Authorization: `Bearer ${OE_API_TOKEN}` },
});
}
Audit Logging interface OpenEvidenceAuditEntry {
timestamp: string; userId: string; role: string;
action: 'clinical_query' | 'dataset_access' | 'export' | 'phi_view' | 'role_change';
resource: string; institutionId: string; queryHash?: string; result: 'allowed' | 'denied';
}
function logClinicalAccess(entry: OpenEvidenceAuditEntry): void {
console.log(JSON.stringify({ ...entry, hipaaCompliant: true }));
}
RBAC Checklist
Error Handling Issue Cause Fix 403 on clinical query endpointUser not provisioned at institution Add user via institutional admin portal Dataset access denied Study not in user's approved IRB list Submit IRB approval to institutional admin Export blocked Role lacks export permission Upgrade to researcher role with export rights SSO login loop SAML assertion missing institution claim Configure institution attribute in IdP SAML settings Query results redacted Library not included in institutional agreement Contact OpenEvidence to expand library access
Resources
Next Steps See openevidence-security-basics.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).