The security of a project or folder depends on the permissions that each group has on that resource. The default security settings are designed to meet common security needs, and you may find that they work for you and you don't need to change them. If you do need to change them, you'll need to understand how permissions settings work and what the different roles mean in terms of the kinds of access granted.
Please note that security settings for a Research Studies
provide further refinement on the folder-level permissions covered here. Study security settings provide granular control over access to study datasets within the folder containing the study. Please see Manage Study Security (Dataset-Level Security)
for further details. A video overview is also provided here: Study Security - Sharing Data with Another Lab
is a named set of permissions that defines what members of a group can do. You secure a project or folder by specifying a role for each group defined for that resource. The privileges associated with the role are conferred on each member of the group. For more information, see Security Roles Reference
Setting Project-level and Folder-level Permissions
To assign a role (a set of permissions) to a group or individual, navigate to the "Permissions" page at Admin > Folder > Permissions
Set the scope of the role assignment by selecting the project/folder in the left-hand pane. In the image below the demo
subfolder is selected. (Note that the demo subfolder has a asterisk next to it. This means that the subfolder inherits the role assignments from its parent folder, Study
To grant a role to a group, locate the role from the Roles
column and then select the group from the downdown Add user to group
. In the image below, the Editor
role is being granted to the Issues Editors
Permissions can be revoked from a group by clicking the x
next to that group. In the image below, the Author role would be revoked from the Editors group by clicking the x
You can also drag and drop users and groups from one role to another. Notice that dragging and dropping between roles removes
the group from the source role and then adds
it to the target role. If you want to end up with both roles assigned, you would need to add to the second group instead.
You can set a folder to inherit permissions from its immediate parent by checking the checkbox Inherit permissions from parent
, as shown below.
Click Save and Finish
when you are finished configuring permissions. If you cancel or leave the page, your changes will not be saved.
A few specific permissions options are available at the site level, allowing access to certain features by non-admin users:
- Troubleshooter: Allows access to an abbreviated admin menu; troubleshooters can to view but not change administration settings and diagnostics.
- See Email Addresses: Only admins or users granted this permission can see email addresses.
- See Audit Log Events: Only admins or users granted this permission may view audit log events.
- Email Non-Users: Allows emails to be sent to addresses that are not associated with LabKey Server accounts.
To configure these roles:
- Select Admin > Site > Site Permissions.
The key things to remember about configuring permissions are:Permissions are additive.
This means that if a user belongs to any
group that has particular permissions for a project or folder, they will have the same permissions to that project or folder, even if they belong to another group that has no permissions for the same resource. If a user belongs to two groups with different levels of permissions, the user will always have the greater of the two sets of permissions on the resource. For example, if one group has admin privileges and the other has read privileges, the user who belongs to both groups will have admin privileges for that project or folder.
Additive permissions can get tricky. If you are restricting access for one group, you need to make sure that other groups also have the correct permissions. For example, if you set permissions on a project for the Logged in users
(Site Users) group to No Permissions, but the Guests
(Anonymous) group has read permissions, then all site users will also have read permissions on the project.Folders can inherit permissions.
In general, only admins automatically receive permissions to access newly-created folders. However, default permissions settings have one exception. In the case where the folder
admin is not a project or site admin, permissions are inherited from the parent project/folder. This avoids locking the folder creator out of his/her own new folder. If you create such a folder, you will need to consider whether it should have different permissions than its parent.
Permission Levels for Roles
Please see Security Roles Reference
for a list of the available LabKey roles and the level of permissions available to each one. As described above, assigning a role to a groups sets the group's level of permissions.
Permission for Reports and Views
Please see Matrix of Report, Chart, and Grid Permissions
for additional information about how roles define report and view permissions.