This topic is under construction for the 25.7 (July 2025) release. For the previous documentation of this feature, click here.
Privileged security roles grant the highest level of access and control over the system. They include:
Site Administrator
The person who installs LabKey Server becomes the first Site Administrator, with administrative privileges across the entire site. Users with this role can view any project, make administrative changes, and grant permissions (including that of site administrator) to other users.
Only Site Administrators can manage privileged roles, including these actions:
- Assign/unassign privileged roles
- Delete/deactivate a user that is assigned one of these roles (directly or indirectly)
- Update a group that's assigned a privileged role (directly or indirectly)
- Clone to/from a user that's assigned any of these roles
- Impersonate privileged roles
Impersonating Troubleshooters can impersonate a Site Administrator and perform the above actions; an Application Administrator cannot.
Common LabKey Server Site Administration Tasks
Add Other Site Administrators
When any Site Administrator grants other users the Site Administrator role, they will have full access to your LabKey site. It is best practice to limit this permission to as few individuals as practical.
Most users do not require such broad administrative access to LabKey, and should be added to other roles. Users who require administrator access for a particular project or folder can be granted Project or Folder Administrator in the appropriate location.
If you want to add new users as Site Administrators:
- Add the new user
- Go to > Site > Site Permissions.
- Add to the Site Administrator role.
- Click Save or Save and Finish.
Application Administrator
Similar to Site Administrator on LabKey Server, the Application Administrator grants site-wide administrative access for Sample Manager and Biologics LIMS. Some 'operational' activities are excluded for this role, to ensure the application can run, but settings are shown as read-only. Learn more in this topic:
Administrator Permissions Matrix
Impersonating Troubleshooter
This role includes the access granted to the Troubleshooter role, plus the ability to impersonate any site-level roles, including Site Administrator. This is a powerful privileged role, designed to give a temporary ability to perform site administration actions, without permanently including that user on dropdown lists that include site administrators.
An
Impersonating Troubleshooter defaults to having the reduced set of Admin Console actions of a Troubleshooter, but can elevate their access if needed. Learn about the actions available to privileged roles, whether by assignment or impersonation, in this topic:
Administrator Permissions Matrix.
To impersonate one of the site roles, the Impersonating Troubleshooter must first navigate to the
> Site > Admin Console. Then the user will see
Impersonate > on the user menu.
The impersonation of site roles, like any impersonation, ends upon logout. All impersonation events are logged under "User events".
Related Topics