Once a site administrator has set up LabKey Server, they can start adding new users. There are several ways to add new users to your LabKey installation.
Note that there is an important distinction between adding a user account and granting that user permissions. By default, newly added accounts only have access as part of the "Site: Users" group. Be sure to grant users the access they need, generally by adding them to security groups
with the required access.
Users Authenticated by LDAP and Single Sign-On
If your LabKey Server installation has been configured to authenticate users with an LDAP server
or single-sign on via SAML
, then you don't need to explicitly add user accounts to LabKey Server.
Every user recognized by the LDAP or single sign-on servers can log into LabKey using their user name and password. If they are not already a member, any user who logs in will automatically be added to the "Site Users" group, which includes all users who have accounts on the LabKey site.
If desired, you can turn off this feature by unchecking the Auto-create Authenticated Users checkbox
Users Authenticated by LabKey
If you are not using LDAP or single sign on authentication, then you must explicitly add each new user to the site, unless you configure self sign-up
Site Admin Options
If you are a site administrator, you can add new users to the LabKey site by entering their email addresses on the Site Users
- Select (Admin) > Site > Site Users.
- Click Add Users.
- Enter one or more email addresses.
- Check the box to Clone permissions from an existing user if appropriate, otherwise individually assign permissions next.
- Check the box if you want to Send password verification email to all new users. See note below.
- Click Add Users.
- You'll see a message indicating success and an option to review the new user email.
- Click Done when finished.
Note that if you have enabled LDAP authentication
on a premium edition of LabKey Server, emails will only be sent to new users whose email domain does not match any of the configured LDAP domains. The configured LDAP domains will be listed in the user interface for this checkbox.
Site admins may also use the pathway described below for adding users via the security group management UI.
Project Admin Options
If you are a project administrator, you can add new users to the LabKey site from within the project. Any users added in this way will also be added to the global "Site Users" group if they are not already included there.
- Select (Admin) > Folder > Permissions.
- Click the Project Groups tab.
- Click the name of the group to which you want to add the user (add a new group if needed).
- Type the user's email address in the "Add user or group.." box.
- You'll see the list of existing users narrow so that you can select the user if their account has already been created.
- If it has not, hit return after typing and a popup message will ask if you want to add the user to the system. Confirm.
- To bulk add new site users to a project group, click the group name then click Manage Group.
- You'll see a box to add new user accounts here, each on one line, similar to adding site users described above.
- The Manage Group page provides the ability to suppress password verification emails; adding users via the permissions UI does not provide this option (they are always sent to non-LDAP users)
- Return to the Permissions tab to define the security roles for that group if needed.
- Click Save and Finish when finished.
When an administrator adds a non-LDAP user, the user will receive an email containing a link to a LabKey page where the user can choose their own password. A cryptographically secure hash of the user-selected password is stored in the database and used for subsequent authentications.
Note: If you have not configured an email server for LabKey Server to use to send system emails, you can still add users to the site, but they won't receive an email from the system. You'll see an error indicating that the email could not be sent that includes a link to an HTML version of the email that the system attempted to send. You can copy and send this text to the user directly if you would like them to be able to log into the system.