openevidence-enterprise-rbac
Enterprise RBAC for OpenEvidence. Trigger: "openevidence enterprise rbac".
# OpenEvidence Enterprise RBAC
## Overview
OpenEvidence delivers AI-powered clinical decision support using peer-reviewed medical literature. Enterprise RBAC controls access to clinical queries, PHI-adjacent data, and research datasets. Clinicians query evidence with full access. Researchers access de-identified datasets and can create study cohorts. Admins manage institutional access, SSO configuration, and compliance settings. HIPAA requires strict audit logging of every clinical query, PHI access event, and data export. Institutional access agreements define which evidence libraries each organization can query.
## Role Hierarchy
| Role | Permissions | Scope |
|------|------------|-------|
| Institutional Admin | Manage users, SSO config, compliance settings, usage analytics | Organization-wide |
| Clinician | Query clinical evidence, view full citations, bookmark findings | Institutional library |
| Researcher | Access de-identified datasets, create study cohorts, export data | Approved studies |
| Medical Student | Query evidence with supervised access, no PHI datasets | Educational library |
| Auditor | Read-only access to query logs and compliance reports | Organization-wide |
## Permission Check
```typescript
// Configuration supplied by the deployment environment (declared here so the block type-checks).
declare const OE_API: string;
declare const INSTITUTION_ID: string;
declare const OE_API_TOKEN: string;
declare const ROLE_ACCESS: Record<string, { resources: string[]; levels: string[] } | undefined>;

async function checkClinicalAccess(userId: string, resource: string, accessLevel: string): Promise<boolean> {
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/permissions`, {
    headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
  });
  // Fail closed: a transport or API error is a denial, not an exception a caller might swallow.
  if (!response.ok) return false;
  const perms = await response.json();
  const user = perms.members?.find((m: { id: string; role: string }) => m.id === userId);
  if (!user) return false;
  const allowed = ROLE_ACCESS[user.role];
  if (!allowed) return false; // unknown role: deny rather than return undefined
  return allowed.resources.includes(resource) && allowed.levels.includes(accessLevel);
}
```
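The `ROLE_ACCESS` table the check above relies on is never shown, so here is one built from the Role Hierarchy table, evaluated by a pure default-deny function. This is an added example, not OpenEvidence's code; the resource and level names, the role identifiers and the sample membership list are all assumptions.

```typescript
// Added example, not OpenEvidence's own code: a ROLE_ACCESS policy table derived
// from the Role Hierarchy table, evaluated by a pure default-deny function.
// Resource and level names are assumptions; the page does not define them.
type Role = 'institutional_admin' | 'clinician' | 'researcher' | 'medical_student' | 'auditor';
interface RolePolicy { resources: readonly string[]; levels: readonly string[] }

const ROLE_ACCESS: Record<Role, RolePolicy> = {
  institutional_admin: {
    resources: ['users', 'sso_config', 'compliance_settings', 'usage_analytics'],
    levels: ['read', 'write'],
  },
  clinician: { resources: ['clinical_evidence', 'citations', 'bookmarks'], levels: ['read', 'write'] },
  // Only researchers carry the export level (checklist: export restricted to the researcher role).
  researcher: { resources: ['deidentified_datasets', 'study_cohorts'], levels: ['read', 'write', 'export'] },
  // Students see the educational library only; PHI datasets are simply absent from their list.
  medical_student: { resources: ['educational_library'], levels: ['read'] },
  auditor: { resources: ['query_logs', 'compliance_reports'], levels: ['read'] },
};

interface Member { id: string; role: string }

// Every unknown (user, role, resource, level) evaluates to a denial; access is granted only
// when the resource AND the level both appear in the role's policy.
function decideAccess(members: readonly Member[], userId: string, resource: string, accessLevel: string): boolean {
  const member = members.find((m) => m.id === userId);
  if (!member) return false;
  // Own-property check: a role string such as 'constructor' would otherwise resolve to an
  // inherited Object property instead of a policy entry.
  if (!Object.prototype.hasOwnProperty.call(ROLE_ACCESS, member.role)) return false;
  const policy = ROLE_ACCESS[member.role as Role];
  return policy.resources.includes(resource) && policy.levels.includes(accessLevel);
}

// Constructed membership list standing in for the /permissions response.
const SAMPLE_MEMBERS: readonly Member[] = [
  { id: 'u-admin', role: 'institutional_admin' },
  { id: 'u-clin', role: 'clinician' },
  { id: 'u-res', role: 'researcher' },
  { id: 'u-stu', role: 'medical_student' },
  { id: 'u-aud', role: 'auditor' },
  { id: 'u-legacy', role: 'superuser' }, // role missing from the policy table: always denied
];
```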
## Role Assignment
```typescript
async function assignInstitutionalRole(email: string, role: string, library: string): Promise<void> {
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
    // hipaaAcknowledged is hard-coded here; in production pass the acknowledgement the user actually recorded.
    body: JSON.stringify({ email, role, libraryAccess: library, hipaaAcknowledged: true }),
  });
  if (!response.ok) throw new Error(`Role assignment failed: HTTP ${response.status}`);
}

async function revokeAccess(email: string): Promise<void> {
  // Encode the email before placing it in the path: a raw '/' or '?' would change which endpoint is addressed.
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members/${encodeURIComponent(email)}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${OE_API_TOKEN}` },
  });
  // A silent failure here leaves access in place, so surface it.
  if (!response.ok) throw new Error(`Access revocation failed: HTTP ${response.status}`);
}
```
## Audit Logging
```typescript
interface OpenEvidenceAuditEntry {
  timestamp: string;
  userId: string;
  role: string;
  action: 'clinical_query' | 'dataset_access' | 'export' | 'phi_view' | 'role_change';
  resource: string;
  institutionId: string;
  queryHash?: string; // hash of the query text; the raw query is never logged, it may contain PHI
  result: 'allowed' | 'denied';
}

// One JSON line per event. Stdout is a placeholder: route it to an append-only,
// tamper-evident store so entries cannot be altered after the fact.
function logClinicalAccess(entry: OpenEvidenceAuditEntry): void {
  console.log(JSON.stringify({ ...entry, hipaaCompliant: true }));
}
```
## RBAC Checklist
- [ ] Institutional access agreements define available evidence libraries
- [ ] Clinician role verified against NPI or institutional credentials
- [ ] Researcher access limited to IRB-approved de-identified datasets
- [ ] Medical student access supervised with educational library scope
- [ ] All clinical queries logged with timestamp, user, and query hash
- [ ] PHI access events tracked separately for HIPAA audit readiness
- [ ] Data export restricted to researcher role with approval workflow
- [ ] Quarterly access review aligned with HIPAA compliance cycle
## Error Handling
| Issue | Cause | Fix |
|-------|-------|-----|
| `403` on clinical query endpoint | User not provisioned at institution | Add user via institutional admin portal |
| Dataset access denied | Study not in user's approved IRB list | Submit IRB approval to institutional admin |
| Export blocked | Role lacks export permission | Upgrade to researcher role with export rights |
| SSO login loop | SAML assertion missing institution claim | Configure institution attribute in IdP SAML settings |
| Query results redacted | Library not included in institutional agreement | Contact OpenEvidence to expand library access |
## Resources
- [OpenEvidence Platform](https://www.openevidence.com)
- OpenEvidence for Institutions
## Next Steps
See `openevidence-security-basics`.