Configure Role-Based Permissions

Manage the permissions of the System Administrator, Facility Administrator, Researcher and Collaborator user roles to restrict or allow the following actions:

Sign in to the BaseSpace Clarity LIMS
Sign in to the API
View and interact with certain features of the interface.
Perform certain actions in the interface.

Role-based permissions are controlled through the permissions-tool.jar tool, at /opt/gls/clarity/tools/permissions/.

Functionality includes the following commands:

listRoles—List all roles in the system.
describeRole—List names and descriptions of all permissions in the system.
createRole—Create a role.
showSummary—List permissions assigned to each role in the system.
listPermissions—List permissions assigned to a specific role.
assignPermission—Assign a permission to a role.
removePermission—Remove a permission from a role.

The permissions-tool.jar tool function names and property names are case-sensitive. If you type the incorrect case, your command or property cannot be understood. '

There may be a delay (up to 20 minutes) before changes to some API-related permissions take effect.

listRoles

List all user roles in the system:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> listRoles

describeRole

Show permissions for a specific role:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> describeRole <rolename>

createRole

Create a role:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> createRole <rolename>

showSummary

Show assigned permissions for all roles:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> showSummary

listPermissions

List names and descriptions of all permissions:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> listPermissions

assignPermission

Assign a permission to a role (the example assigns permission to create controls):

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> assignPermission <rolename> Controls:create

See Supported permissions.

removePermission

Remove a permission from a role the example removes permission to create controls):

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> removePermission <rolename> Controls:create

See Supported permissions.

Usage

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> <command> [<args>]

Options

-a

--apiUri

REST API base URI (ends with "/api/<version>/") Must be completed as: http://<servername>/api/v2/

-p

--password

LIMS password (required)

-u

--username

LIMS sign in username (required)

The sections below list LIMS permissions and actions, and the user roles to which each permission/action is assigned by default.

By default, System Administrators and Facility Administrators have all permissions listed.

The default role with AdministerLabLink permission is Administrator. This permission is added to the existing System Administrator & Facility Administrator roles.

The Collaborator role is based on the existing Collaborator role in LabLink v1.0.

Note: The existing Researcher role does not have the new permission and behaves similarly to the LabLink Collaborator role.

Action

Permission Required

System Administrator and Facility Administrator

Collaborator

Sign in to Lablink

CollaborationsLogin action

Yes

Yes

Manage Project

Projects create, read, update.

Yes

Yes

Manage Sample

Samples create, read, update.

Yes

Yes

Manage User

Users create, read, update.

Yes

No

Manage Configuration

Configuration update

Yes

No

View the Configuration page

AdministerLabLink

Yes

No

View the User Management page

AdministerLabLink

Yes

No

Default roles with this permission: Administrator, Researcher

Allows:

Result of denied permission

Sign in to BaseSpace LIMS
Access Lab View and Projects and Samples screen
Access Consumables > Reagents configuration tab; view, edit, and delete reagent lots; add lots to existing kits.
Access Consumables > Controls configuration tab and view control details
Access Consumables > Instruments configuration tab; add, edit, delete, and activate instruments; view instrument types.

Sign In screen

Sorry, you do not have permission to sign in to Clarity LIMS.

Default roles with this permission: Administrator

Allows:

Result of denied permission
Access LIMS Rest API

Sign In screen

403 Forbidden error via http://host/api/*

Default roles with these permissions: Administrator, Researcher, Collaborator

Action

Allows:

Result of denied permission
create
Create project
Modify project details
Modify project custom fields

Projects and Samples

New Project button hidden
View project details (read-only)

Note: No permission is needed to upload files to a project
update
Modify project details

Projects and Samples

Save button disabled (if delete is permitted)
Button menu hidden (if delete is not permitted)
View project details (read-only)
delete
Delete project containing no samples.
Delete project containing samples (also requires Sample:delete permission)

Projects and Samples

Delete button disabled (if update is permitted)
Button menu hidden (if update is not permitted)

Default roles with these permissions: Administrator, Researcher, Collaborator

Action

Allows:

Result of denied permission
create
Submit/add samples
Upload sample list
Download sample list example
Modify samples.

Projects and Samples

Submit Samples title hidden
Download Example Sample List link hidden
Upload Sample List button hidden
Add Samples button hidden
Modify Samples button renamed Download List
Modify <n> Samples button hidden (sample list)

Sample Management

Sample + button hidden
update
Modify samples.

Projects and Samples

Modify Samples button renamed Download List

The Sample:update permission is automatically granted to roles that have the Sample:create permission at the time of migration to Clarity LIMS v5.x. If you have removed create permissions from any default role, that role does not acquire the update permission.
delete
Delete a submitted sample on Projects and Samples screen, provided no work has been performed on the sample.
Delete a submitted sample in API, provided no work has been performed on the sample.

Projects and Samples

Delete button hidden
403 Forbidden error via http://host/api/sample

Default roles with these permissions: Administrator

Action

Allows

Result of denied permission
create
Create control samples.

Controls

New Control button hidden
View control sample details (read-only)
update
Modify control samples.
Archive control samples (requires both update and delete permissions)

Controls

Save button disabled (if delete is permitted)
Button menu hidden (if delete is not permitted)
View control sample details (read-only)
delete
Delete control samples.
Archive control samples (requires both update and delete permissions)

Controls

Delete button disabled (if update is permitted)
Button menu hidden (if delete is not permitted)
Archived toggle disabled

Users with ClarityLogin permission can access the Consumables > Controls tab and view control sample details (read only).

Default roles with these permissions: Administrator

Action

Allows

Result of denied permission
create
Create reagent kits

Reagents

New Reagent Kit button hidden
View reagent kit details (read-only)
update
Modify reagent kits
Archive reagent kits (requires both update and delete permissions)

Reagents

Save button disabled (if delete is permitted)
Button menu hidden (if delete is not permitted)
View kit details (read-only - except for Status)
delete
Delete reagent kits
Archive reagent kits (requires both update and delete permissions)

Reagents

Delete button disabled (if update is permitted)
Button menu hidden (if delete is not permitted)
Archived toggle disabled

Users with ClarityLogin permission can access the Consumables > Reagents tab. They can also view, edit, and delete reagent lots, and add lots to existing kits. No additional ReagentKit permissions are required.

Default roles with these permissions: Administrator

Action

Allows

Result of denied permission
read
View client (researcher/contact) details, including details such as username and roles in API
View users and clients (contacts) on Users and Clients screen
403 Forbidden error via http://host/api/roles
create
Create user roles.
403 Forbidden error via http://host/api/roles
update
Modify existing user roles.
Add/remove user role permissions
403 Forbidden error via http://host/api/roles
delete
Delete user roles.
403 Forbidden error via http://host/api/roles

APILogin permission is required for role management. All users with ClarityLogin permissions can view and edit their own user details—except for assigning/removing roles.

Default roles with these permissions: Administrator

Action

Allows

Result of denied permission
read
View users and clients on Users and Clients screen
View client details, including details such as username and roles in API
403 Forbidden error via http://host/api/researchers
create
Create users and clients on Users and Clients screen (User:update permission is required to assign permissions to the user)
Send login instructions and password reset emails on Users and Clients screen (either this or User:update is required)
Create clients in API.
Create user credentials and assign roles in API.

Users and Clients

New User button hidden
View user details (read-only)
403 Forbidden error via http://host/api/researchers
update
Update users and clients on Users and Clients screen
Send sign in instructions and password reset emails on Users and Clients screen (either this or User:create is required)
Modify client details in API.
Assign role to user in API.
Remove role from user in API.
Save button disabled (if delete is permitted)
Button menu hidden (if delete is not permitted)
View user/client details (read-only)
403 Forbidden error via http://host/api/researchers
delete
Delete users and clients on Users and Clients screen.
Delete a client and associated user in API.
Delete button disabled (if update is permitted)
Button menu hidden (if delete is not permitted)
403 Forbidden error via http://host/api/researchers

In the LIMS user interface, the term 'contact' has been replaced with 'client.' However, the API still uses the permission Contact.

All users with ClarityLogin permission can view and edit their own user details—except for assigning/removing roles.

Default roles with these permissions: Administrator

Action

Allows

Result of denied permission
read
View clients on Users and Clients screen
View client details in API
403 Forbidden error via http://host/api/researchers
create
Create clients on Users and Clients screen.
Create clients in API.

Contact:update permission is required to assign permissions to clients.
New Client button hidden
View client details (read-only)
403 Forbidden error via http://host/api/researchers
update
Update client details on Users and Clients screen.
Update client details in API.
Assign role to/remove role from client.
403 Forbidden error via http://host/api/researchers

This permission does not affect the display of clients in Project and Samples and Sample Accessioning screens.
delete
Delete clients on Users and Clients screen.
Delete clients in API.

Clients with associated user details cannot be deleted.
Delete button disabled (if update is permitted)
Button menu hidden (if delete is not permitted)
403 Forbidden error via http://host/api/researchers

In the LIMS user interface, the term 'contact' has been replaced with 'client.' However, the API still uses the permission Contact.

Users with ClarityLogin permission can view and edit their own client and user details.

Clients can edit their own details—except for assigning/removing roles, without having update permission.

Default roles with these permissions: Administrator

Action

Allows

Result of denied permission
read
View master steps
403 Forbidden error via http://host/api/process
create
Create master steps.
403 Forbidden error via http://host/api/process
update
Modify master steps.
403 Forbidden error via http://host/api/process

In the LIMS user interface, the term 'process' has been replaced with 'master step.' However, the API still uses the permission Process.

Default roles with this permission: Administrator

Action

Allows

Result of denied permission
read
Access the Overview Dashboard
No Dashboards button

Default roles with this permission: Administrator

Action

Allows

Result of denied permission
update
Manage all configuration in the LIMS interface (ClarityLogin permission is also required)
Manage configuration in API (APILogin permission is also required)
403 Forbidden error via any URI that begins with http://host/api/configuration.

Default roles with this permission: Administrator, Researcher, Collaborator

Allows

Result of denied permission
Requeue a sample in sample search.
Requeue a sample in container search.

Sample and Container Search

Requeue button hidden.

Default roles with this permission: Administrator, Researcher, Collaborator

Allows

Result of denied permission
Assign sample to workflow from Projects and Samples screen.

Sample Management

Sample cannot be dragged into workflow widgets.
Workflow selection widget hidden
Workflow lozenge Remove button hidden
Delete workflow button hidden.

Default roles with this permission: Administrator

Allows

Result of denied permission
Remove sample from queue.
Remove sample from workflow.

Sample Management

Remove from this queue option hidden (if Move to next step is permitted)
Options button hidden (if Move to next step is not permitted)

Default roles with this permission: Administrator

Allows

Result of denied permission
Move sample to next step in workflow

Sample Management

Move to the next step option hidden (if Remove from this queue is permitted)
Options button hidden (if Remove from this queue is not permitted)

Default roles with this permission: Administrator

Allows

Result - permission granted
Rework a sample from a previous step.

Sample Management

In Select the next step of the sample drop-down list, Rework from an earlier step option displays.
On Protocol Step Results screen, a button displays to allow the sample to be reworked from an earlier step.

Default roles with this permission: Administrator

Allows

Result - permission granted
Review escalated samples.

Sample Escalation

Enter Review Comment box enabled.

Default roles with this permission: Administrator

Allows

Result of denied permission
Sign an eSignature on step completion.

Record Details

Error message in e-Signature popup

Default roles with this permission: None

Allows

Result - permission granted
See Edit button when viewing a completed step.
Select button to edit completed step details on Record Details screen.

Assign Next Steps.

Edit button displays.

Record Details

After clicking Edit button, Record Details fields are editable, as applicable/permitted.

Modifications are limited to what is available on the Record Details screen for the step.

Details such as sample placement or routing cannot be modified.

Only steps completed after upgrading to LIMS v5.1 can be edited. Steps completed in v5.0 or earlier cannot be edited.

Steps that were executed using the Process API cannot be edited.

For details, see Modify Completed Step Details