Claude-code-plugins-plus openevidence-enterprise-rbac

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/openevidence-pack/skills/openevidence-enterprise-rbac" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-openevidence-enterprise-rbac && rm -rf "$T"
manifest: plugins/saas-packs/openevidence-pack/skills/openevidence-enterprise-rbac/SKILL.md
source content

OpenEvidence Enterprise RBAC

Overview

OpenEvidence delivers AI-powered clinical decision support using peer-reviewed medical literature. Enterprise RBAC controls access to clinical queries, PHI-adjacent data, and research datasets. Clinicians query evidence with full access. Researchers access de-identified datasets and can create study cohorts. Admins manage institutional access, SSO configuration, and compliance settings. HIPAA requires strict audit logging of every clinical query, PHI access event, and data export. Institutional access agreements define which evidence libraries each organization can query.

Role Hierarchy

| Role | Permissions | Scope |
| --- | --- | --- |
| Institutional Admin | Manage users, SSO config, compliance settings, usage analytics | Organization-wide |
| Clinician | Query clinical evidence, view full citations, bookmark findings | Institutional library |
| Researcher | Access de-identified datasets, create study cohorts, export data | Approved studies |
| Medical Student | Query evidence with supervised access, no PHI datasets | Educational library |
| Auditor | Read-only access to query logs and compliance reports | Organization-wide |

Permission Check

// OE_API, INSTITUTION_ID, OE_API_TOKEN and the ROLE_ACCESS policy table are assumed to be defined elsewhere.
async function checkClinicalAccess(userId: string, resource: string, accessLevel: string): Promise<boolean> {
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/permissions`, {
    headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
  });
  // Fail closed: an API error or outage must never be read as "allowed".
  if (!response.ok) return false;
  const perms = await response.json();
  const user = perms.members.find((m: any) => m.id === userId);
  if (!user) return false;
  // Resolve the role with hasOwnProperty so a crafted role name such as
  // "constructor" cannot match an inherited Object property.
  if (!Object.prototype.hasOwnProperty.call(ROLE_ACCESS, user.role)) return false;
  const allowed = ROLE_ACCESS[user.role];
  // Both the resource and the access level must be granted; this always returns a real boolean.
  return allowed.resources.includes(resource) && allowed.levels.includes(accessLevel);
}
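The check above looks up a ROLE_ACCESS table that the page never defines, and it does not express the scope column of the Role Hierarchy table (institutional library, approved studies, supervised educational access). The following is an added example, not OpenEvidence's own code or API: a deny-by-default policy for that table, with the scope rules applied after the role check. The role, resource and level names, the AccessContext shape and the `educational` library name are assumptions made for the example.

```typescript
// Added example: deny-by-default RBAC for the Role Hierarchy table above.
// Role/resource/level names and the context shape are assumptions, not OpenEvidence's API.

type Role = 'institutional_admin' | 'clinician' | 'researcher' | 'medical_student' | 'auditor';
type Resource =
  | 'clinical_query' | 'citations'        // evidence library
  | 'dataset' | 'export'                  // de-identified research data
  | 'phi'                                 // identifiable patient data
  | 'query_logs' | 'compliance_reports'   // audit material
  | 'users' | 'sso_config';               // institutional administration
type Level = 'read' | 'write' | 'export';

interface Policy { resources: Resource[]; levels: Level[] }

// Assumed policy matrix derived from the table. No role is granted 'phi', so any
// PHI request fails closed; 'write' for a clinician means bookmarking findings.
const ROLE_ACCESS: Record<Role, Policy> = {
  institutional_admin: { resources: ['users', 'sso_config', 'compliance_reports', 'query_logs'], levels: ['read', 'write'] },
  clinician:           { resources: ['clinical_query', 'citations'], levels: ['read', 'write'] },
  researcher:          { resources: ['dataset', 'export'], levels: ['read', 'export'] },
  medical_student:     { resources: ['clinical_query'], levels: ['read'] },
  auditor:             { resources: ['query_logs', 'compliance_reports'], levels: ['read'] },
};

interface AccessContext {
  role: string;               // untrusted string taken from the membership record
  agreedLibraries: string[];  // libraries named in the institutional access agreement
  approvedStudies: string[];  // IRB-approved study ids for this member
  supervised?: boolean;       // a medical student must have a supervising clinician
}

interface AccessRequest {
  resource: Resource;
  level: Level;
  library?: string;   // required for clinical_query and citations
  studyId?: string;   // required for dataset and export
}

interface Decision { allowed: boolean; reason: string }

// hasOwnProperty rather than `in`: `'constructor' in ROLE_ACCESS` is true through the
// prototype chain, and a crafted role name must never resolve to a policy.
function isKnownRole(role: string): role is Role {
  return Object.prototype.hasOwnProperty.call(ROLE_ACCESS, role);
}

const deny = (reason: string): Decision => ({ allowed: false, reason });

// Returns a decision and a reason so that denials can be written to the audit log.
function decide(ctx: AccessContext, req: AccessRequest): Decision {
  if (!isKnownRole(ctx.role)) return deny('unknown role');
  const policy = ROLE_ACCESS[ctx.role];
  if (!policy.resources.includes(req.resource)) return deny(`${ctx.role} may not access ${req.resource}`);
  if (!policy.levels.includes(req.level)) return deny(`${ctx.role} may not ${req.level} ${req.resource}`);

  // Scope: evidence queries are limited to the libraries in the institutional agreement,
  // and students only to the educational library under supervision.
  if (req.resource === 'clinical_query' || req.resource === 'citations') {
    if (!req.library || !ctx.agreedLibraries.includes(req.library)) return deny('library not in institutional agreement');
    if (ctx.role === 'medical_student' && (req.library !== 'educational' || !ctx.supervised)) {
      return deny('student access is supervised and limited to the educational library');
    }
  }
  // Scope: research data and exports are limited to the member's IRB-approved studies.
  if (req.resource === 'dataset' || req.resource === 'export') {
    if (!req.studyId || !ctx.approvedStudies.includes(req.studyId)) return deny('study not IRB-approved for this member');
  }
  return { allowed: true, reason: 'ok' };
}
```

The role check and the scope check are kept separate on purpose: a researcher with a valid role but an unapproved study id, or a clinician querying a library outside the institutional agreement, gets a specific denial reason that can be recorded, which is what the error table at the end of this page maps back to.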

Role Assignment

async function assignInstitutionalRole(email: string, role: string, library: string): Promise<void> {
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${OE_API_TOKEN}`, 'Content-Type': 'application/json' },
    // hipaaAcknowledged attests that the member signed the institution's HIPAA
    // acknowledgement; set it from that record rather than unconditionally.
    body: JSON.stringify({ email, role, libraryAccess: library, hipaaAcknowledged: true }),
  });
  // Surface failures instead of silently returning: an unassigned role must not look like success.
  if (!response.ok) throw new Error(`role assignment failed: HTTP ${response.status}`);
}

async function revokeAccess(email: string): Promise<void> {
  // Encode the email before placing it in the path: a raw "/" or "?" would change the route.
  const response = await fetch(`${OE_API}/v1/institutions/${INSTITUTION_ID}/members/${encodeURIComponent(email)}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${OE_API_TOKEN}` },
  });
  // 404 means the member is already gone, so revocation stays idempotent; anything else is an error.
  if (!response.ok && response.status !== 404) throw new Error(`revocation failed: HTTP ${response.status}`);
}

Audit Logging

interface OpenEvidenceAuditEntry {
  timestamp: string; userId: string; role: string;
  action: 'clinical_query' | 'dataset_access' | 'export' | 'phi_view' | 'role_change';
  // queryHash, never the query text: free-text clinical queries can themselves contain PHI.
  resource: string; institutionId: string; queryHash?: string; result: 'allowed' | 'denied';
}

function logClinicalAccess(entry: OpenEvidenceAuditEntry): void {
  // One JSON object per line so a log shipper can forward it unchanged to an append-only,
  // access-controlled store; stdout on its own is not an audit trail, and the hipaaCompliant
  // flag only marks the record format, it does not make the log compliant.
  console.log(JSON.stringify({ ...entry, hipaaCompliant: true }));
}
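The logger above prints a record and tags it, but it does not show how to produce the query hash the checklist asks for, how to keep PHI access events in their own stream, or how a reviewer would notice that a line had been removed. The following added example (not OpenEvidence's code) does those three things and goes one step beyond the page by chaining each record to the previous one so that edits and deletions are detectable at review time. The HMAC key, the in-memory sinks, the canonical field order and the hash chain are this example's own assumptions.

```typescript
// Added example: PHI-safe query hashing plus tamper-evident, split audit streams.
// The HMAC key, in-memory sinks and hash chain are assumptions, not OpenEvidence's design.
import { createHash, createHmac } from 'crypto';

type AuditAction = 'clinical_query' | 'dataset_access' | 'export' | 'phi_view' | 'role_change';

interface AuditEntry {
  timestamp: string; userId: string; role: string; action: AuditAction;
  resource: string; institutionId: string; queryHash?: string; result: 'allowed' | 'denied';
}

// Stored form: each record commits to the hash of the previous one, so a deleted or
// edited line breaks the chain when the log is verified.
interface ChainedEntry extends AuditEntry { seq: number; prevHash: string; entryHash: string }

const GENESIS = '0'.repeat(64);
const sha256Hex = (s: string): string => createHash('sha256').update(s, 'utf8').digest('hex');

// Free-text clinical queries can contain PHI, so the trail carries only a keyed hash.
// An HMAC rather than a plain hash means someone who reads the log cannot confirm a
// guessed query without the institution's key. Whitespace and case are normalised
// first so that repeated queries correlate.
function hashQuery(query: string, institutionKey: string): string {
  const normalised = query.trim().toLowerCase().replace(/\s+/g, ' ');
  return createHmac('sha256', institutionKey).update(normalised, 'utf8').digest('hex');
}

// Fixed field order, independent of object key order, so the hash is reproducible later.
function canonical(seq: number, prevHash: string, e: AuditEntry): string {
  return JSON.stringify([seq, prevHash, e.timestamp, e.userId, e.role, e.action,
    e.resource, e.institutionId, e.queryHash ?? null, e.result]);
}

class AuditLog {
  private readonly general: ChainedEntry[] = [];
  private readonly phi: ChainedEntry[] = [];   // PHI access events kept in their own stream
  private lastHash = GENESIS;
  private seq = 0;

  record(entry: AuditEntry): ChainedEntry {
    const seq = this.seq++;
    const entryHash = sha256Hex(canonical(seq, this.lastHash, entry));
    const rec: ChainedEntry = { ...entry, seq, prevHash: this.lastHash, entryHash };
    this.lastHash = entryHash;
    (entry.action === 'phi_view' ? this.phi : this.general).push(rec);
    return rec;
  }

  // Exposed so a reviewer (or a test) can inspect the stored records directly.
  phiEvents(): ChainedEntry[] { return this.phi; }
  generalEvents(): ChainedEntry[] { return this.general; }

  // Re-derive every hash in sequence order across both streams. Returns the index of
  // the first bad record (gap, wrong predecessor or altered content), or -1 if intact.
  verify(): number {
    const all = [...this.general, ...this.phi].sort((a, b) => a.seq - b.seq);
    let prev = GENESIS;
    for (let i = 0; i < all.length; i++) {
      const r = all[i];
      if (r.seq !== i || r.prevHash !== prev || sha256Hex(canonical(r.seq, r.prevHash, r)) !== r.entryHash) return i;
      prev = r.entryHash;
    }
    return -1;
  }
}
```

A single sequence counter spans both streams, so splitting PHI events out for HIPAA review does not lose the ordering between a denied PHI view and the clinical query that preceded it; verification merges the streams by sequence number and checks that nothing is missing in between.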

RBAC Checklist

  • Institutional access agreements define available evidence libraries
  • Clinician role verified against NPI or institutional credentials
  • Researcher access limited to IRB-approved de-identified datasets
  • Medical student access supervised with educational library scope
  • All clinical queries logged with timestamp, user, and query hash
  • PHI access events tracked separately for HIPAA audit readiness
  • Data export restricted to researcher role with approval workflow
  • Quarterly access review aligned with HIPAA compliance cycle

Error Handling

| Issue | Cause | Fix |
| --- | --- | --- |
| 403 on clinical query endpoint | User not provisioned at institution | Add user via institutional admin portal |
| Dataset access denied | Study not in user's approved IRB list | Submit IRB approval to institutional admin |
| Export blocked | Role lacks export permission | Upgrade to researcher role with export rights |
| SSO login loop | SAML assertion missing institution claim | Configure institution attribute in IdP SAML settings |
| Query results redacted | Library not included in institutional agreement | Contact OpenEvidence to expand library access |

Resources

Next Steps

See openevidence-security-basics.