OpenEvidence Enterprise RBAC

Overview

OpenEvidence delivers AI-powered clinical decision support using peer-reviewed medical literature. Enterprise RBAC controls access to clinical queries, PHI-adjacent data, and research datasets. Clinicians query evidence with full access. Researchers access de-identified datasets and can create study cohorts. Admins manage institutional access, SSO configuration, and compliance settings. HIPAA requires strict audit logging of every clinical query, PHI access event, and data export. Institutional access agreements define which evidence libraries each organization can query.

Role Hierarchy

Permission Check

async function checkClinicalAccess(userId: string, resource: string, accessLevel: string): Promise<boolean> {
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/permissions`, {
    headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
  });
  const perms = await response.json();
  const user = perms.members.find((m: any) => m.id === userId);
  if (!user) return false;
  const allowed = ROLE_ACCESS[user.role];
  return allowed?.resources.includes(resource) && allowed.levels.includes(accessLevel);
}

Role Assignment

async function assignInstitutionalRole(email: string, role: string, library: string): Promise<void> {
  await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, role, libraryAccess: library, hipaaAcknowledged: true }),
  });
}

async function revokeAccess(email: string): Promise<void> {
  await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members/${email}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${OE_API_TOKEN}` },
  });
}

Audit Logging

interface OpenEvidenceAuditEntry {
  timestamp: string; userId: string; role: string;
  action: 'clinical_query' | 'dataset_access' | 'export' | 'phi_view' | 'role_change';
  resource: string; institutionId: string; queryHash?: string; result: 'allowed' | 'denied';
}

function logClinicalAccess(entry: OpenEvidenceAuditEntry): void {
  console.log(JSON.stringify({ ...entry, hipaaCompliant: true }));
}

RBAC Checklist

• [ ] Institutional access agreements define available evidence libraries
• [ ] Clinician role verified against NPI or institutional credentials
• [ ] Researcher access limited to IRB-approved de-identified datasets
• [ ] Medical student access supervised with educational library scope
• [ ] All clinical queries logged with timestamp, user, and query hash
• [ ] PHI access events tracked separately for HIPAA audit readiness
• [ ] Data export restricted to researcher role with approval workflow
• [ ] Quarterly access review aligned with HIPAA compliance cycle

Error Handling

Resources

• OpenEvidence Platform
• OpenEvidence for Institutions

Next Steps

See openevidence-security-basics.