INFO: RISC Policy - Azure Enclave: Workspace Controls, Permissions, and Auditing


The purpose of this policy is to define the following controls and permissions for the Azure Enclave platform workspace. This policy scope applies to researchers only and is not applicable to privileged users – RISC team members who manage, configure and monitor the Azure Enclave.

If you have any questions, please contact the Azure Enclave Team at

Project Workspace Members (Researchers): Project members including Principal Investigator (PI), project leader, co-investigators, staff members, and POIs.

Source Data: RISC patient cohort data copied into project workspace for the purposes of research.

Project Workspace: A self-contained virtual environment assigned to a project housing necessary tools to perform advanced data analytics and machine learning on source data.

Shared Workspace Folders (F Drive): Shared drive where project artifacts (non-source data) are stored.

Shared Schema Scratchpad: A shared schema sandbox within a database provided to a project workspace.

Inbound Data Transfer (Data Import): Permission to upload files from the local computer to the Azure Enclave.

Outbound Data Transfer (Data Export): Permission to download files from the Azure Enclave to external locations/local computer.

Policy Statements

A. Platform/Workspace Access Controls

1. Each project workspace is assigned a single unique PAS AD group.
2. Researchers are provisioned to 1 or more unique workspace PAS AD groups.
3. Access to the Azure Enclave platform outside of a project workspace is not permitted.
4. All researcher access to the Azure Enclave project workspaces is managed and controlled using PAS Active Directory (AD) Groups. No alternative access is permitted.
5. All PAS Active Directory Groups assigned to Azure Enclave are managed by the Cloud Data Solutions team.

B. Workspace Access Permissions

Within the Azure Enclave:
1. Only researchers provisioned to a project workspace’s unique PAS AD group may view data contained in said project workspace.
2. Only researchers provisioned to the same project workspace have access to the shared workspace (F Drive) and optional scratchpad database.

C. Workspace Data Permissions

1. Researchers provisioned to multiple project workspaces may not transfer data between workspaces.
2. All researchers may share file artifacts with other researchers within the same project workspace.
3. All researchers are granted READ ONLY access to source data in the workspace. Researchers have zero visibility into backbone source data outside of the workspace.
4. All researchers provisioned to a project workspace are granted full permissions to shared folders in the workspace (F Drive) and the shared schema scratchpad in the database location.

Inbound Data Transfer (Data Import):
1. The ability for inbound transfer (data import) applies to all Azure Enclave provisioned researchers.
2. Researchers may only import data to their provisioned project workspaces.
3. If a researcher is provisioned to multiple project workspaces, the researcher is prohibited from moving data between workspaces.
4. The file data assets allowed for inbound data transfer include, but are not limited to, datasets, spreadsheets, PDFs, documents, movies, images, library code, supplemental data, user programs, and Docker containers.

Outbound Workspace Data Transfer (Data Export):
1. Only the project PI and Project Lead associated with a workspace are permitted to export from the workspace.
2. Users are not permitted to export source data from the workspace.
Exceptions requiring Cloud Data Solutions team approval as of August 2021:

• Raw data needed for FDA approval.

3. Users may ONLY export aggregate or de-identified data from the workspace.
4. Users may ONLY export project work such as insights they derive from the source data.
5. Row-level patient data may not be sent out of the workspace.
6. Researchers must attest to using exported data per MGB and Azure Enclave Data Use Policies.
7. MGB researchers (non-POIs) have the ability to export code or other existing pipelines in the Enclave and upload them to GitLab/GitHub within the MGB Network.

D. Workspace Auditing

1. Auditing of researcher access to the Workspace is required.
2. Auditing of researcher access to source data within the Workspace is required.
3. Auditing of all outbound workspace data transfers is required, including but not limited to aggregate de-identified data and reports.

Go to KB0039001 in the IS Service Desk
