INFO: Digital Research Policy - Azure Enclave: Workspace Controls, Permissions, Auditing, Retention

 

The purpose of this policy is to define the controls and permissions for the Azure Enclave platform workspace. The policy applies to researchers only and does not apply to privileged users (Digital Research team members who manage, configure and monitor the Azure Enclave).

Contents

Definitions

Policy Statements:

  1. Platform/Workspace Access Controls
  2. Workspace Data Permissions
  3. Workspace Access Permissions
  4. Workspace Auditing
  5. Retention

Definitions

  • Project Workspace Members (Researchers): Project members including Principal Investigator (PI), project leader, co-investigators, staff members, and POIs.
  • Source Data: Digital Research patient cohort data copied into project workspace for the purposes of research.
  • Project Workspace: A self-contained virtual environment assigned to a project housing necessary tools to perform advanced data analytics and machine learning on source data.
  • Shared Workspace Folders (F Drive): Shared drive where project artifacts (non-source data) are stored.
  • Shared Schema Scratchpad: A shared schema sandbox within a database provided to a project workspace.
  • Inbound Data Transfer (Data Import): Permission to upload files from the local computer to the Azure Enclave.
  • Outbound Data Transfer (Data Export): Permission to download files from the Azure Enclave to external locations/local computer.

Policy Statements

A. Platform/Workspace Access Controls

  1. Each project workspace is assigned a single unique PAS AD group.
  2. Researchers are provisioned to one or more unique workspace PAS AD groups.
  3. Access to the Azure Enclave platform outside of a project workspace is not permitted.
  4. All researcher access to the Azure Enclave project workspaces is managed and controlled using PAS Active Directory (AD) Groups. No alternative access is permitted.
  5. All PAS Active Directory Groups assigned to Azure Enclave are managed by the Cloud Data Solutions team.

B. Workspace Access Permissions – within the Azure Enclave:

  1. Only researchers provisioned to a project workspace’s unique PAS AD group may view data contained in said project workspace.
  2. Only researchers provisioned to the same project workspace have access to the shared workspace (F Drive) and optional scratchpad database.

C. Workspace Data Permissions

  1. Researchers provisioned to multiple project workspaces may not transfer data between workspaces.
  2. All researchers may share file artifacts with other researchers within the same project workspace.
  3. All researchers are granted READ ONLY access to source data in the workspace. Researchers have zero visibility into backbone source data outside of the workspace.
  4. All researchers provisioned to a project workspace are granted full permissions to the shared folders on the workspace (F Drive) and the shared schema scratchpad in the database location.

Inbound Data Transfer (Data Import):

  1. The ability to perform inbound transfers (data import) applies to all Azure Enclave provisioned researchers.
  2. Researchers may only import data to their provisioned project workspaces.
  3. If a researcher is provisioned to multiple project workspaces, the researcher is prohibited from moving data between workspaces.
  4. The file data assets allowed for inbound data transfer include, but are not limited to, datasets, spreadsheets, PDFs, documents, movies, images, library code, supplemental data, user programs, and Docker containers.

Outbound Workspace Data Transfer (Data Export):

  1. Researchers are not permitted to export any data out of the workspace.
  2. Researchers are not permitted to screenshot, print screen, or print any workspace data.
  3. MGB researchers (non-POIs) have the ability to upload to MGB GitLab and Azure DevOps within the MGB Network. Researchers agree to only upload code and NOT data.

D. Workspace Auditing

  1. Auditing of researcher access to the Workspace is required.
  2. Auditing of researcher access to source data within the Workspace is required.
  3. Auditing of all outbound workspace data transfers is required, including but not limited to aggregate de-identified data and reports.

E. Retention

  1. Active Project Azure Workspace:

    • Workspace VM must have 30 days of backup.
    • Workspace SQL Database as a Service must have 2 weeks of backup.
  2. Completed Project Azure Workspace - archiving starts from the date the project workspace is completed:

    • Workspace VM, workspace SQL Database as a Service, and workspace storage accounts must be archived for 7 years.

If you have any questions, please contact the Azure Enclave Team at MGBAzureEnclave@partners.org.

Go to KB0039001 in the IS Service Desk
