Security Roles

A role is a named set of permissions that defines what a user (or group of users) can do.

Site Administrator: The site administrator role is the most powerful role in LabKey Server. Site admins can see and do everything that LabKey Server is designed to do in any project or folder on the server. They control the user accounts, configure security settings for any resource, assign roles to users and groups, create and delete folders, etc. See Site Administrator.

Application Administrator This role is used for administrators who should have permissions above Project Administrators but below Site Administrators. It conveys permissions that are similar to Site Administrator, but excludes activities that are "operational" in nature. For example, they can manage the site, but can't change file/pipeline roots or configure the database connections. Users can be granted the Application Administrator role at (Admin) > Site > Site Permissions. For details, see Administrator Role / Permissions Matrix

Users and groups can be assigned the following roles at the project or folder level. All roles are granted on a per-container basis, and optional inheritance of roles in subfolders is controlled by an administrator.

Project and Folder Administrator: Project and folder administrators are like site/app administrators, except their powers are granted only within a given project or folder. Within that scope, like site admins, create and delete subfolders, add web parts, configure security settings, and manage other project and study resources.

When a new subfolder is created within a project, existing project admin users and groups will be granted the folder admin role in the new folder. The admin creating the folder can adjust that access as needed. Once a folder is created and permissions configured, any subsequent new project admin users or groups will not be automatically be granted folder admin to the existing folder.

Editor: The editor role lets the user add new information and in most cases modify existing information. For example, an editor can add and modify wiki pages, post new messages to a message board and edit existing messages, post new issues to an issue tracker and edit existing issues, create and manage sample sets, view and manage MS2 runs, and so on.

Author: The author role lets you create new data and in some cases edit or delete your own data, but an author may only read and not modify the work of others. For example, a user assigned the author role can edit or delete their own message board posts, but not anyone else's posts. With assay or study data, an author has an expanded role and can modify & delete the data they have added themselves.

Reader: The reader role lets you read text and data, but generally you can't modify it.

Message Board Contributor: This role lets you participate in message board conversations and Object-Level Discussions. You cannot start new discussions, but can post comments on existing discussions. You can also edit or delete your own comments on message boards.

Shared View Editor: This role lets the user create and edit shared views without having broader Editor access. Shared View Editor includes Reader access, and applies to all available queries or datasets.

Submitter: The submitter role lets you insert new records, but not view or change other records.

Assay Designer: Assay designers may perform several actions related to designing assays.

Specimen Coordinator: Specimen Coordinators may perform a number of management tasks related to specimens. A Specimen Coordinator must also be given Reader permission. This role is available only in a project or folder containing a study or with a study in a descendant folder.

Specimen Requester: Specimen Requesters may request specimen vials. This role is available only in a project or folder containing a study or with a study in a descendant folder.

Developer: Developer is not a role, but a site-level group that users can be assigned to. Developers can create executable code on the server, for example, adding <script> tags to wiki pages and adding R reports and JavaScript reports to data grids. They cannot define new SQL queries using the schema browser. For details see Global Groups.

PHI-related Roles - For details see Compliance: Security Roles.

Site Level Permissions

In addition to the above, there are specific permissions that may be assigned at the site level to grant specific subsets of admin permission to individual users or groups.

To assign these roles, select (Admin) > Site > Site Permissions.

Troubleshooter: Troubleshooter may view administration settings but may not change them. Troubleshooters see an abbreviated admin menu that allows them to access the Admin Console. Most of the diagnostic links on the Admin Console are available to Troubleshooters.

See Email Addresses: Allows selected non-administrators to see email addresses.

See Audit Log Events: Only admins and selected non-administrators granted this permission may view audit log events and queries.

Email Non-Users: Allows sending email to addresses that are not associated with a LabKey Server user account.

Related Topics


Was this content helpful?

Log in or register an account to provide feedback

expand all collapse all