Security Scenario

Suppose you are collecting data from multiple labs for a longitudinal study. You want the different teams involved to gather their data and perform quality control steps before the data is integrated into the study. You also want to ensure that the different teams cannot see each other's data until it has been added to the study. This step shows you how to realize these security requirements. You will install a sample workspace that provides a framework of folders and data to experiment with different security configurations.

You configure security by assigning different levels of access to users and groups of users (for a given folder). Different access levels, such as Reader, Author, Editor, etc., allow users to do different things with the data in a given folder. For example, if you assign an individual user Reader level access to a folder, then that user will be able to see, but not change, the data in that folder. These different access/permission levels are called roles.

Set Up Security Workspace

The tutorial workspace exists as a folder archive file (a .folder.zip file). It has been preconfigured with subfolders and team resources that you will work with in this tutorial. Below, you will install this preconfigured workspace by creating an empty folder and then importing the folder archive file into that empty folder.

Structure of the Security Workspace

The security workspace contains four folders:

• Security Tutorial -- The main parent folder.
• Lab A - Child folder intended as the private folder for the lab A team, containing data and resources visible only to team A.
• Lab B - Child folder intended as the private folder for the lab B team, containing data and resources visible only to team B.
• Study - Child folder intended as the shared folder visible to all teams.

To see and navigate to these folders in the LabKey Server user interface:

• Hover over the Home link to see the menu of folders inside the Home project.
• Open the folder node Security Tutorial (which you just imported).
• You will see three subfolders inside: Lab A, Lab B, and Study.
• Click a subfolder name to navigate to it.

Configure Permissions for Lab Folders

How do you restrict access to the Lab A folder so that only members of team A can see and change it? The procedure for restricting access has two overarching steps:

1. Create a user group corresponding to team A.
2. Assign the appropriate roles to this group.

Next assign roles to these groups:

• Click the Permissions tab.
• If necessary, select the Lab A folder in the left-side pane.
• Locate the Editor role. This role allows users to see and change items (data, resources, and user interfaces) in the current folder.
• Open the dropdown for the Editor role, select the group Lab A Group to add it.
• Locate the Reader role and remove the All Site Users and Guests groups, if present. If you see a warning when you remove these groups, simply dismiss it.

• Click Save.
• Select the Lab B folder, and repeat the steps on the permissions tab (substituting Lab B for Lab A throughout). Remember to remove all groups from the Reader role.
• Click Save and Finish.

In a real world application you would add individual users (and/or other groups) to Lab A Group and Lab B Group. But this is not necessary to test our permissions configuration. Group and role "impersonation" lets you test security behavior before any actual users are added to the groups.

(Optional) Configure Permissions for Study Folder

In this step we will configure the study folder with the following permissions:

• Lab A and Lab B groups will have Reader access (so those teams can see the integrated data).
• The "Study Group" will have Editor access (intended for those users working directly with the study data).

Start Over | Next Step