Security Roles Reference

2024-03-29

A role is a named set of permissions that defines what a user (or group of users) can do. This topic provides details about site and project/folder scoped roles.

Site Scoped Roles

These roles apply across the entire site. Learn about setting them here.

Site Administrator: The Site Administrator role is the most powerful role in LabKey Server. Site Administrators control user accounts, configure security settings, assign roles to users and groups, create and delete folders, etc. They are automatically granted nearly every permission in every project or folder on the server. Some specialized permissions are not automatically granted to site admins, such as adjudicator permissions and permission to view PHI data. See Privileged Roles.

Application Administrator: This role is used for administrators who should have permissions above Project Administrators but below Site Administrators. It conveys permissions that are similar to Site Administrator, but excludes activities that are "operational" in nature. For example, they can manage the site, but can't change file/pipeline roots or configure the database connections. For details, see Administrator Permissions Matrix.

Impersonating Troubleshooter: This role includes the access granted to the Troubleshooter role, plus the ability to impersonate any site-level role, including Site Administrator. This is a powerful privileged role, designed to give a temporary ability to perform site administration actions without permanently including that user on dropdown lists that include site administrators. The impersonation of site roles ends upon logout. All impersonation events are logged under "User events".

Troubleshooter: Troubleshooters may view administration settings but may not change them. Troubleshooters see an abbreviated admin menu that allows them to access the Admin Console. Most of the diagnostic links on the Admin Console, including the Audit Log, are available to Troubleshooters.

See User and Group Details: Allows selected non-administrators to see email addresses and contact information of other users as well as information about security groups.

See Email Addresses: Allows selected non-administrators to see email addresses.

See Audit Log Events: Only admins and selected non-administrators granted this role may view audit log events and queries.

Email Non-Users: Allows sending email to addresses that are not associated with a LabKey Server user account.

See Absolute File Paths: Allows users to see absolute file paths.

Use SendMessage API: Allows users to use the send message API. This API can be used to author code which sends emails to users (and potentially non-users) of the system.

Platform Developer: Assign this role to grant developer access to trusted individuals who can then write and deploy code outside the LabKey security framework. By default, the Developer group is granted this role on a site-wide basis. Learn more in this topic: Platform Developer Role

Project Creator: Allows users to create new projects via the CreateProject API and optionally also grant themselves the Project Administrator role in that new project. Note that creating new projects in the UI is not granted via this role. Only Site Administrators can create new projects from the project and folder menu.

Project Review Email Recipient: (Premium Feature) Project Administrators who are assigned this role will receive notification emails about projects needing review. Learn more in this topic: Project Locking and Review Workflow

Module Editor: (Premium Feature) This role grants the ability to edit module resources. Learn more in this topic: Module Editing Using the Server UI

Trusted Analyst: (Premium Feature) This role grants the ability to write code that runs on the server in a sandbox as well as the ability to share that code for use by other users under their own userIDs. For set up details, see Developer Roles.

Analyst: (Premium Feature) This role grants the ability to write code that runs on the server, but not the ability to share that code for use by other users.

Launch and use RStudio Server: (Premium Feature) Allows the user to use a configured RStudio Server.

Developer: Developer is not a role, but a site-level group that users can be assigned to. Roles (such as "Platform Developer") can then be granted to that group, typically to allow things like creating executable code on the server, adding R reports, etc. For details see Global Groups.

Project and Folder Scoped Roles

Users and groups can be assigned the following roles at the project or folder level. Learn about setting them here.

Project and Folder Administrator: Similar to site admins, Project and Folder Administrators also have broad permissions, but only within a given project or folder. Within their project or folder scope, these admins create and delete subfolders, add web parts, create and edit sample types and assay designs, configure security settings, and manage other project and study resources.

When a new subfolder is created within a project, existing project admin users and groups will be granted the Folder Administrator role in the new folder. The admin creating the folder can adjust that access as needed. Once a folder is created and permissions configured, any subsequent new project admin users or groups will not automatically be granted folder admin to the existing folder.

Editor: This role lets the user add new information and modify and delete most existing information. For example, an editor can import, modify, and delete data rows; add, modify, and delete wiki pages; post new messages to a message board and edit existing messages, and so on.

Editor without Delete: This role lets the user add new information and modify some existing information, as described above for the Editor role, but not delete information.

  • For example, an "Editor without Delete" can import and modify data rows, but not delete them.
  • There are limited exceptions with this role where "delete" of subcomponents is considered part of the editing this role can perform. For example:
    • As part of editing a Workflow Job (within Sample Manager or Biologics LIMS) an "Editor without Delete" can delete tasks from the job.
    • As part of editing an Electronic Lab Notebook, an "Editor without Delete" may remove attachments from notebooks, provided that they are also an author of that notebook.

Author: This role lets the user view data and add new data, but not edit or delete data. Exceptions are Message board posts and Wiki pages: Authors can edit and delete their own posts and pages. An Author can also share reports with other users.

Reader: This role lets the user read text and data.

Submitter: This role is provided to support users adding new information but not editing existing information. Note that this role does not include read access; "Reader" must be granted separately if appropriate.

  • A user with both Submitter and Reader roles can insert new rows into lists.
  • When used with the issue tracker, a Submitter is able to insert new issue records, but not view or change other records. If the user assigned the Submitter role is not also assigned the Reader role, such an insert of a new issue would need to be performed via the API.
  • When used in a study with editable datasets, a user with both Submitter and Reader roles can insert new rows but not modify existing rows.

Message Board Contributor: This role lets you participate as an "Author" in message board conversations and Object-Level Discussions. You cannot start new discussions, but can post comments on existing discussions. You can also edit or delete your own comments on message boards.

Shared View Editor: This role lets the user create and edit shared views without having broader Editor access. Shared View Editor includes Reader access, and applies to all available queries or datasets.

Electronic Signer: Signers may electronically sign snapshots of data.

Assay Designer: Assay Designers may perform several actions related to creating assay designs.

Storage Editor: This role is required (in addition to "Reader" or higher) to read, add, edit, and delete data related to items in storage, picklists, and jobs. Available for use with Freezer Management in the LabKey Biologics and Sample Manager applications. Learn more in this topic: Storage Roles

Storage Designer: This role is required (in addition to "Reader" or higher) to read, add, edit, and delete data related to storage locations. Available for use with Freezer Management in the LabKey Biologics and Sample Manager applications. Learn more in this topic: Storage Roles

Workflow Editor: This role allows users to add, update, and delete picklists and workflow jobs within Sample Manager or Biologics LIMS. It does not include general "Reader" access, or the ability to add or edit any sample, bioregistry, or assay data.

QC Analyst: (Premium Feature) This role lets the user perform QC-related tasks, such as assigning QC states in datasets and assays. It does not allow the user to manage QC configurations, which is available only to administrators. For set up details, see Assay QC States: Admin Guide.

PHI-related Roles: (Premium Feature) For details see Compliance: Security Roles. Note that these roles are not automatically granted to administrators.
