This topic is under construction for the 19.1 release of LabKey Server. For current documentation of this feature, click here.
The security of a project or folder depends on the permissions that each group has on that resource. The default security settings are designed to meet common security needs, and you may find that they work for you and you don't need to change them. If you do need to change them, you'll need to understand how permissions settings work and what the different roles mean in terms of the kinds of access granted.
is a named set of permissions
that defines what members of a group can do. You secure a project or folder by specifying a role for each group defined for that resource. The privileges associated with the role are conferred on each member of the group. Assigning roles to groups
is a good way to simplify keeping track of who has access to what resources, since you can manage group membership in one place.
To set permissions, you assign a role
to a group or individual user.
Note: Before you can grant roles to users, you must first add the users at the site level
. When you type into the "Select user or group..." box, it will narrow the pulldown menu to the matching already defined
users, but you cannot add a new account from this page.
- Select (Admin) > Folder > Permissions.
- Set the scope of the role assignment by selecting the project/folder in the left-hand pane.
- In the image below the Research Study subfolder is selected.
- To grant a role, locate it in the Roles column and then select the user or group from the Select user or group... pulldown.
- Click Save or Save and Finish to record any changes you make to permissions.
Revoke or Change Permissions
Permissions can be revoked by removing role assignments.
- To revoke assignment to a role, click the x in the user or group box.
- Here we will revoke the "Author" role for the group "Guests" as it was added by mistake.
- You can also drag and drop users and groups from one role to another.
- Dragging and dropping between roles removes the group from the source role and then adds it to the target role. If you want to end up with both roles assigned, you would need to add to the second group instead.
Inherit Permission Settings
You can control whether a folder inherits permission settings, i.e. role assignments, from its immediate parent.
- Check the checkbox Inherit permissions from parent, as shown below.
- When permissions are inherited, the permissions UI is grayed out and the folder appears with an asterisk in the hierarchy panel.
A few specific permissions are available at the site level, allowing admins to assign access to certain features to users who are not full administrators. For a listing and details about these roles, see the Security Roles Reference documentation
To configure site-level roles:
- Select (Admin) > Site > Site Permissions.
The key things to remember about configuring permissions are:Permissions are additive.
This means that if a user belongs to several groups, they will have the superset of the highest level of permissions granted by all groups they are in.
Additive permissions can get tricky when you are restricting access for one group. Consider whether other groups also have the correct permissions. For example, if you remove permissions for the ProjectX
group, but the Users
(logged-in-site users) group has read permissions, then Project X team members will also have read permissions when they are signed in.Folders can inherit permissions.
In general, only site admins automatically receive permissions to access newly-created folders. However, default permissions settings have one exception. In the case where the folder
admin is not a project or site admin, permissions are inherited from the parent project/folder. This avoids locking the folder creator out of his/her own new folder.