OpenEvidence 企业角色权限

v20260311

openevidence-enterprise-rbac

指导在 OpenEvidence 企业版中搭建临床 AI 应用的 SSO、基于角色的访问控制与组织管理，涵盖角色定义、SAML/OIDC 集成、权限中间件、组织多租户配置以及安全会话策略。

角色权限企业安全单点登录临床 AI Express 中间件组织管理会话安全

获取技能

454 次下载

概览

OpenEvidence Enterprise RBAC

Overview
Prerequisites
Instructions
Output
Error Handling
Examples
Resources

Overview

Configure enterprise-grade role-based access control for OpenEvidence clinical AI integrations. Covers role definitions, SSO (SAML/OIDC), permission middleware, organization management, and secure session handling.

Prerequisites

OpenEvidence Enterprise tier subscription
Identity Provider (IdP) with SAML/OIDC support
Understanding of role-based access patterns
HIPAA audit logging infrastructure

Role Definitions

Role	Permissions	Use Case
Physician	Full clinical query, DeepConsult	Active patient care
Nurse	Clinical query (no DeepConsult)	Nursing support
Pharmacist	Drug-focused queries	Medication management
Resident	Clinical query (supervised)	Training
Admin	Full access, user management	Platform administration
Auditor	Read-only audit logs	Compliance review
Integration	API access only	System integration

Instructions

Step 1: Define Roles and Permissions

Create ClinicalRole enum and ClinicalPermissions interface with boolean flags for clinicalQuery, deepConsult, drugInfo, guidelineAccess, exportResults, viewAuditLogs, manageUsers, manageSettings.

Step 2: Configure SSO (SAML or OIDC)

Integrate with IdP using passport-saml or passport-openidconnect. Map IdP groups to clinical roles with priority ordering (Admin > Physician > Pharmacist > Nurse > Resident).

Step 3: Implement Permission Middleware

Create requirePermission() Express middleware that checks hasPermission(user.role, permission) and logs denied access attempts to HIPAA audit trail.

Step 4: Organization Management

Build OrganizationManager for multi-tenant setup with configurable settings per org (deepConsult limits, MFA requirements, audit retention).

Step 5: Configure Session Management

Use Redis-backed sessions with 8-hour maxAge (typical clinical shift), rolling expiry, secure cookies, and re-authentication for sensitive operations.

Output

Role definitions with clinical permissions matrix
SAML/OIDC SSO integration
Permission middleware for Express routes
Organization management with multi-tenant support
Secure session handling with shift-based timeout

Error Handling

RBAC Issue	Detection	Resolution
SSO login fails	Auth callback error	Check IdP configuration and certificates
Wrong role assigned	User reports	Review IdP group-to-role mappings
Permission denied	403 responses	Verify role has required permission
Session expired	User redirect	Implement session warning middleware

Examples

Route Protection

app.post('/api/clinical/query', requirePermission('clinicalQuery'), queryHandler);
app.post('/api/clinical/deepconsult', requirePermission('deepConsult'), deepConsultHandler);
app.get('/api/admin/audit-logs', requirePermission('viewAuditLogs'), auditLogsHandler);

See detailed implementation for advanced patterns.

Resources

信息

Category 人工智能

Name openevidence-enterprise-rbac

版本 v20260311

大小 3.34KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-03-12