.. _IAM:

=====================================
IAM (Identity & Access Management)
=====================================

Admin privileges are available to users of the Admin Role only. For a new L7|ESP install, this consists of only the admin@localhost user. To access the IAM app of L7|ESP, log in as admin@localhost (or another user with the Admin Role). As an Admin, you can view the entire system, configure the system, give permission to other users of the system, manage users, and more.

Manage Workgroups and Personnel
===============================

The sections that follow provide instructions for managing lab and personnel access (i.e., Workgroups, Roles, and Users) in L7|ESP through the IAM app.

.. image:: images/manage-workgroup-and-personnel.png

Manage Users
------------

.. _admin-add-user:

Create New User
~~~~~~~~~~~~~~~

1. Click the **IAM** app and then click **Users** from the IAM menu to access the **Users** page.

   .. image:: images/users.png
      :width: 400px

2. Click **+ New User**.

   .. image:: images/add-new-user.png
      :width: 1200px

3. Enter information for the new user:

   - Enter the **Name** of the user.
   - Enter the user's **Email**.
   - Enter a unique **Username**.
   - Set up a default **Password**. Confirm the Password.

     .. note:: Users log in to L7|ESP using their username, not their email.

   - Optional: Enter a **Description** (e.g., Hired on August 19, 2019).
   - Check **Force Password Reset**, which will require the user to create a new password upon logging in.

   .. image:: images/user-builder.png

4. Click **+ Add Roles** to assign the user to one or more Roles. Once assigned, the Role(s) will appear under the Roles & Permissions tab.

5. Click **+ Add Workgroups** to assign the user to one or more Workgroups. Once assigned, the Workgroup(s) will appear under the Workgroups tab.

   .. important:: Before you can assign a Role or Workgroup to a user, the Role or Workgroup must already exist. To create a new Role, refer to :ref:`Create New Role`. To create a new Workgroup, refer to :ref:`Create New Workgroup`.

6. Save the new user.

Edit User
~~~~~~~~~

1. Click the **IAM** app. Click **Users** from the IAM menu to access the **Users** page.

   .. image:: images/users.png
      :width: 400px

2. Click the **Name** of a user.

3. Edit the desired information (e.g., **Name**, **Email**, **Password**, **Description**, **Roles**, **Workgroups**).

4. Save the updated user.

Deactivate User
~~~~~~~~~~~~~~~

1. Click the **IAM** app. Click **Users** from the IAM menu to access the **Users** page.

   .. image:: images/users.png
      :width: 400px

2. Click the **Name** of a user.

3. Click **Deactivate**. (A user can be reactivated by clicking **Reactivate**.)

   .. hint:: Deactivating a user changes that user's Status to "Inactive," which can be observed from the Users page.

Manage Roles
------------

Laboratories often have complex working environments where scientific and technical stakeholders perform different work functions, ultimately working together to produce results. L7|ESP was designed with this in mind and provides a platform to streamline the interactions between various laboratory personnel through **Roles**. Examples of Roles include scientists, lab technicians, bioinformaticians, etc.

You can create and define a **Role** and assign users to that specific Role. Roles make it easy to manage large groups of users because, when you make a change to a Role, the change is automatically applied to all users assigned to that Role.

.. _Create New Role:

Create New Role
~~~~~~~~~~~~~~~

Create a Role to define the actions that user(s) assigned to that Role can perform.

1. Click the **IAM** app. Click **Roles** from the IAM menu to access the **Roles** page.

   .. image:: images/roles.png
      :width: 400px

2. Click **+ New Role**.

   .. image:: images/add-new-role.png

3. Enter information for the new Role:

   - Enter the **Name** of the new Role.
   - Optional: Enter a **Description**.
   - Optional: Enter one or more **Tag(s)**.
   - Optional: Click **+ Add Users** and select one or more user(s) to assign to this Role. Any Role (other than the Admin Role) can have 0 members. Users can be assigned to multiple Roles.
   - Optional: Click the **Permissions** tab and select one or more Permission(s) to assign to the Role. Permissions determine the actions that users assigned to this Role can perform.
   - Optional: Click the **Applications** tab and select one or more Application(s) to assign to the Role. The user will be able to view/access the assigned Application(s).
   - Optional: Select a **Default App**. Upon logging in, a user assigned to this Role will automatically be taken to the selected Default App.

   .. image:: images/role-builder.png

4. Save the new Role.

Edit Role
~~~~~~~~~

1. Click the **IAM** app. Click **Roles** from the IAM menu to access the **Roles** page.

   .. image:: images/roles.png
      :width: 400px

2. Click the **Name** of a Role.

3. Edit the desired information (e.g., **Name**, **Description**, **Tags**, **Users**, **Permissions**). You can also duplicate the Role by clicking **Duplicate**.

   .. hint:: Creating a new Role that is similar to an existing Role is quick and easy with the **Duplicate** button. Click **Duplicate** on an existing Role to copy that Role's permissions and associated information; then, make any updates to the new Role and Save.

4. Save the updated Role.

Deactivate Role
~~~~~~~~~~~~~~~

1. Click the **IAM** app. Click **Roles** from the IAM menu to access the **Roles** page.

   .. image:: images/roles.png
      :width: 400px

2. Click the **Name** of a Role.

3. Click **Deactivate**. (A Role can be reactivated by clicking **Reactivate**.)

Manage Workgroups
-----------------

You can create **Workgroups** and assign specific users to each Workgroup, keeping users and resources organized. A Workgroup restricts what a user can see and restricts the content that the user can perform actions on.

.. _Create New Workgroup:

Create New Workgroup
~~~~~~~~~~~~~~~~~~~~

1. Click the **IAM** app. Click **Workgroups** from the IAM menu to access the **Workgroups** page.

   .. image:: images/work-groups.png
      :width: 400px

2. Click **+ New Workgroup**.

   .. image:: images/add-new-work-group.png

3. Enter information for the new Workgroup:

   - Enter the **Name** of the new Workgroup.
   - Optional: Enter a **Description**.
   - Optional: Enter one or more **Tag(s)**.
   - Optional: Click **+ Add Users** to assign one or more user(s) to the Workgroup.

   .. image:: images/work-group-builder.png

4. Save the new Workgroup.

Edit Workgroup
~~~~~~~~~~~~~~

1. Click the **IAM** app. Click **Workgroups** from the IAM menu to access the **Workgroups** page.

   .. image:: images/work-groups.png
      :width: 400px

2. Click the **Name** of a Workgroup.

3. Edit the desired information (e.g., **Name**, **Description**, **Tags**, **Users**).

4. Save the updated Workgroup.

Deactivate Workgroup
~~~~~~~~~~~~~~~~~~~~

1. Click the **IAM** app. Click **Workgroups** from the IAM menu to access the **Workgroups** page.

   .. image:: images/work-groups.png
      :width: 400px

2. Click the **Name** of a Workgroup.

3. Click **Deactivate**. (A Workgroup can be reactivated by clicking **Reactivate**.)

IAM Permissions
===============

The IAM Permissions tab allows administrators to configure what actions users in a certain Role can take for particular types of ESP objects. ESP uses the following decision flow to determine whether a user has permission to perform a particular operation on a particular resource:

.. image:: images/esp_permissions.png

The available permissions for each object type and their meaning are outlined in the tables below.

Analysis-related permissions
----------------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Pipeline
     - Create
     - Create a pipeline in the Analysis app or via API call.
   * -
     - Update
     - Edit a pipeline in the Analysis app or via API call, including adding and removing tasks and editing other Pipeline-level metadata.
   * -
     - Delete
     - Archive/Unarchive a pipeline in the Analysis app or via API call.
   * -
     - Import
     - Import a pipeline via HUB or API call. Note that ordinarily, granting Import Pipeline permission means an administrator should also grant Import Task and Import Report Definition permissions.
   * -
     - Execute
     - Run a pipeline via the Analysis app or a LIMS pipeline protocol.
   * - Pipeline Instance
     - Create
     - Unused. Pipeline instance creation is controlled by the Pipeline Execute permission.
   * -
     - Update
     - Update a pipeline instance, including pausing, killing, and restarting a pipeline instance.
   * -
     - Delete
     - Archive/Unarchive a pipeline instance.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * - Report
     - Create
     - Create a report, including pipeline-generated reports and operational reports created by UI or API call. (TODO: We should split those two permissions; honestly, Execute Pipeline permission should probably be used to control creating a report from a report template.)
   * -
     - Update
     - Update an operational report via UI or API call, or update a pipeline-generated report via API call, including the report name, tags, description, report groups, and the elements (widgets) used for the report. (TODO: We should probably prevent update of elements of reports associated with a report template.)
   * -
     - Delete
     - Archive/Unarchive an operational or pipeline report.
   * -
     - Import
     - Import an operational Report via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Report Template
     - Create
     - Create a pipeline-associated Report Template in the Analysis app or via API call.
   * -
     - Update
     - Update a pipeline-associated Report Template in the Analysis app or via API call, including changing the Report Template name and the associated widgets.
   * -
     - Delete
     - Archive/Unarchive a pipeline-associated Report Template via API call.
   * -
     - Import
     - Import a Report Template via HUB or API call. Note that importing a pipeline with an associated report template requires permission for both Pipeline Import and Report Template Import.
   * -
     - Execute
     - Unused at this time.
   * - Task
     - Create
     - Create a Task in the Analysis app or via API call.
   * -
     - Update
     - Update a Task in the Analysis app or via API call, including changing the Task name, description, tags, associated task files, and the task script.
   * -
     - Delete
     - Archive/Unarchive a Task via API call or in the UI.
   * -
     - Import
     - Import a Task via HUB or API call. Note that importing a pipeline with associated tasks requires Import permission for both Pipeline and Task.
   * -
     - Execute
     - Unused at this time.
   * - Task Instance
     - Create
     - Unused at this time. Task Instances are created at the same time as Pipeline Instances and are controlled by the Execute Pipeline permission.
   * -
     - Update
     - Update a Task Instance, including associating a task-generated file with the task instance and associating status messages with a task instance. Ordinarily, a Role with "Execute Pipeline" permission should also have the Update Task Instance permission.
   * -
     - Delete
     - Archive/Unarchive a Task Instance via API call.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.

L7|Master-related permissions
-----------------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Container Type
     - Create
     - Create a Container Type in the L7|Master app or via API call.
   * -
     - Update
     - Update a Container Type in the L7|Master app or via API call, including changing the Container Type name, description, tags, storage parameters, dimensions, or custom fields.
   * -
     - Delete
     - Archive/Unarchive a Container Type via API call or in the UI.
   * -
     - Import
     - Import a Container Type via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Customer
     - Create
     - Create a Customer in the L7|Master app or via API call.
   * -
     - Update
     - Update a Customer in the L7|Master app or via API call, including changing the Customer name, description, tags, billing address, and shipping address.
   * -
     - Delete
     - Archive/Unarchive a Customer via API call or in the UI.
   * -
     - Import
     - Import a Customer via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Param Group
     - Create
     - Create a Param Group in the L7|Master app or via API call.
   * -
     - Update
     - Update a Param Group in the L7|Master app or via API call, including changing the Param Group name, description, tags, and parameter settings.
   * -
     - Delete
     - Archive/Unarchive a Param Group via API call or in the UI.
   * -
     - Import
     - Import a Param Group via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Protocol
     - Create
     - Create a Protocol in the L7|Master app or via API call.
   * -
     - Update
     - Update a Protocol in the L7|Master app or via API call, including changing the Protocol name, description, tags, instructions, custom fields, protocol actions, and flex view.
   * -
     - Delete
     - Archive/Unarchive a Protocol via API call or in the UI.
   * -
     - Import
     - Import a Protocol via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * -
     - Code authoring
     - Controls whether the user can edit the ``initialContext`` and use the ``Generic renderer`` widget.
   * - Sample Type
     - Create
     - Create an Entity Type in the L7|Master app or via API call.
   * -
     - Update
     - Update an Entity Type in the L7|Master app or via API call, including changing the Entity Type name, description, tags, custom fields, and Detail View Template.
   * -
     - Delete
     - Archive/Unarchive an Entity Type via API call or in the UI.
   * -
     - Import
     - Import an Entity Type via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Workflow
     - Create
     - Create a Workflow in the L7|Master app or via API call.
   * -
     - Update
     - Update a Workflow in the L7|Master app or via API call, including changing the Workflow name, description, tags, associated protocols, and data links.
   * -
     - Delete
     - Archive/Unarchive a Workflow via API call or in the UI.
   * -
     - Import
     - Import a Workflow via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Workflow Chain
     - Create
     - Create a Workflow Chain in the L7|Master app or via API call.
   * -
     - Update
     - Update a Workflow Chain in the L7|Master app or via API call, including changing the Workflow Chain name, description, tags, nodes, and transitions.
   * -
     - Delete
     - Archive/Unarchive a Workflow Chain via API call or in the UI.
   * -
     - Import
     - Import a Workflow Chain via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Workflow Chain Plan
     - Create
     - Create a Workflow Chain Plan in the Projects app or via API call.
   * -
     - Update
     - Update a Workflow Chain Plan in the Projects app or via API call, including changing the Workflow Chain Plan name, description, tags, billing address, and shipping address.
   * -
     - Delete
     - Archive/Unarchive a Workflow Chain Plan via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * - Workflowable Resource Class
     - Create
     - Create an Entity Class in the L7|Master app or via API call.
   * -
     - Update
     - Update an Entity Class in the L7|Master app or via API call, including changing the Entity Class name, description, tags, billing address, and shipping address.
   * -
     - Delete
     - Archive/Unarchive an Entity Class via API call or in the UI.
   * -
     - Import
     - Import an Entity Class via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Execution Plan
     - Create
     - TODO
   * -
     - Update
     - TODO
   * -
     - Delete
     - TODO
   * -
     - Import
     - TODO
   * -
     - Execute
     - TODO
   * - Execution Plan Definition
     - Create
     - TODO
   * -
     - Update
     - TODO
   * -
     - Delete
     - TODO
   * -
     - Import
     - TODO
   * -
     - Execute
     - TODO

IAM-related permissions
-----------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Read Permission
     - Create
     - Associate an object with a Workgroup via API call to the ``/api/labs/associateresources`` endpoint.
   * -
     - Update
     - Unused at this time.
   * -
     - Delete
     - Unused at this time.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * - Role
     - Create
     - Create a Role in the IAM app or via API call.
   * -
     - Update
     - Update a Role in the IAM app or via API call, including changing the Role name, description, tags, permissions, application permissions, and associated users.
   * -
     - Delete
     - Deactivate/Reactivate a Role via API call or in the UI.
   * -
     - Import
     - Import a Role via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - User
     - Create
     - Create a User in the IAM app or via API call.
   * -
     - Update
     - Update a User in the IAM app or via API call, including changing the User's name, username, password, force password reset, account valid hours, description, tags, associated Roles and Workgroups, and session management.
   * -
     - Delete
     - Deactivate/Reactivate a User via API call or in the UI.
   * -
     - Import
     - Import a User via API call.
   * -
     - Execute
     - Unused at this time.
   * - Workgroup
     - Create
     - Create a Workgroup in the IAM app or via API call.
   * -
     - Update
     - Update a Workgroup in the IAM app or via API call, including changing the Workgroup name, description, tags, and associated users.
   * -
     - Delete
     - Deactivate/Reactivate a Workgroup via API call or in the UI.
   * -
     - Import
     - Import a Workgroup via HUB or API call.
   * -
     - Execute
     - Unused at this time.

Ingest-related permissions
--------------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Ingest Definition
     - Create
     - Create an Ingest Definition in the Ingest app or via API call. An Ingest Definition is the configuration that controls how to interpret a particular ingested file.
   * -
     - Update
     - Update an Ingest Definition in the Ingest app or via API call, including changing the Ingest Definition name, description, tags, preprocessor, postprocessor, and field mappings.
   * -
     - Delete
     - Archive/Unarchive an Ingest Definition via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * - Ingest Instance
     - Create
     - Create an Ingest Instance in the Ingest app or via API call. An Ingest Instance is the association between a particular file to ingest, the Ingest Definition to use when parsing the file, and the ingested results (entities and data).
   * -
     - Update
     - Update an Ingest Instance in the Ingest app or via API call, including changing the Ingest Instance name, description, tags, and associated Ingest Definition.
   * -
     - Delete
     - Archive/Unarchive an Ingest Instance via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Submit an Ingest Instance for processing.

Inventory and Billing-related permissions
-----------------------------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Address
     - Create
     - Unused at this time.
   * -
     - Update
     - Unused at this time.
   * -
     - Delete
     - Unused at this time.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * - Container
     - Create
     - Create a Container in the Locations app, the LIMS app, or via API call.
   * -
     - Update
     - Update a Container in the Locations app or via API call, including changing the Container name, description, tags, barcode, custom field data, and contained items.
   * -
     - Delete
     - Archive/Unarchive a Container via API call or in the UI.
   * -
     - Import
     - Import a Container via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Item
     - Create
     - Create an Item in the Inventory app or via API call.
   * -
     - Update
     - Update an Item in the Inventory app or via API call, including changing the Item name, description, tags, barcode, vendor, lot number, serial ID, status, and expiration date, and making quantity adjustments. This permission is also necessary to use the inventory-use column type in LIMS.
   * -
     - Delete
     - Archive/Unarchive an Item via API call or in the UI.
   * -
     - Import
     - Import an Item via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Item Type
     - Create
     - Create an Item Type in the L7|Master app or via API call.
   * -
     - Update
     - Update an Item Type in the L7|Master app or via API call, including changing the Item Type name, description, tags, custom fields, units, vendors, ID naming scheme, reorder threshold, and reorder amount.
   * -
     - Delete
     - Archive/Unarchive an Item Type via API call or in the UI.
   * -
     - Import
     - Import an Item Type via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Service
     - Create
     - Create a Service (a billing charge record) via API call.
   * -
     - Update
     - Update a Service via API call, including changing the Service name, description, tags, and barcode. Changing the price of a Service post-creation is not supported.
   * -
     - Delete
     - Archive/Unarchive a Service via API call.
   * -
     - Import
     - Import a Service via API call.
   * -
     - Execute
     - Unused at this time.
   * - Service Type
     - Create
     - Create a Service Type in the L7|Master app or via API call.
   * -
     - Update
     - Update a Service Type in the L7|Master app or via API call, including changing the Service Type name, description, tags, and pricing, and adding/removing/editing customer-specific pricing.
   * -
     - Delete
     - Archive/Unarchive a Service Type via API call or in the UI.
   * -
     - Import
     - Import a Service Type via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Vendor
     - Create
     - Create a Vendor in the L7|Master app or via API call.
   * -
     - Update
     - Update a Vendor in the L7|Master app or via API call, including changing the Vendor name, description, tags, billing address, and shipping address.
   * -
     - Delete
     - Archive/Unarchive a Vendor via API call or in the UI.
   * -
     - Import
     - Import a Vendor via HUB or API call.
   * -
     - Execute
     - Unused at this time.

LIMS-related permissions
------------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Experiment
     - Create
     - Create an Experiment in the Projects app or via API call.
   * -
     - Update
     - Update an Experiment in the Projects app or via API call, including changing the Experiment name, description, tags, and included entities.
   * -
     - Delete
     - Archive/Unarchive an Experiment via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * - Project
     - Create
     - Create a Project in the Projects app or via API call.
   * -
     - Update
     - Update a Project in the Projects app or via API call, including changing the Project name, description, and tags.
   * -
     - Delete
     - Archive/Unarchive a Project via API call or in the UI.
   * -
     - Import
     - Import a Project via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Sample
     - Create
     - Create an Entity in the Projects app, the Entities app, any Entity class-specific app, or via API call.
   * -
     - Update
     - Update an Entity in the Entities app, any Entity class-specific app, or via API call, including changing the Entity name, description, tags, barcode, and custom field data.
   * -
     - Delete
     - Archive/Unarchive an Entity via API call or in the UI.
   * -
     - Import
     - Import an Entity via HUB or API call.
   * -
     - Execute
     - Unused at this time.
   * - Sample Sheet
     - Create
     - Create a SampleSheet in the LIMS app or via API call.
   * -
     - Update
     - Update a SampleSheet in the LIMS app or via API call, including changing the SampleSheet name, description, tags, included samples, and sample sheet data values.
   * -
     - Delete
     - Archive/Unarchive a SampleSheet via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.
   * -
     - Force update
     - Edit data of completed LIMS records.
   * -
     - Force unlock
     - Remove a SampleSheet lock acquired by a different user.
   * - Workflow Chain Instance
     - Create
     - Create a WorkflowChainInstance (an Experiment using a Workflow Chain) in the Projects app or via API call.
   * -
     - Update
     - Update a WorkflowChainInstance in the UI or via API call, specifically transitioning experiment samples to the next node(s) in the Workflow Chain.
   * -
     - Delete
     - Archive/Unarchive a WorkflowChainInstance via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Execute
     - Unused at this time.

L7|Hub
------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Bundle
     - Create
     -
   * -
     - Update
     -
   * -
     - Delete
     - Unused at this time.
   * -
     - Import
     -
   * - Collection
     - Create
     - Create a Collection in the HUB app or via API call.
   * -
     - Update
     - Update a Collection in the HUB app or via API call, including changing the Collection name, description, tags, and included content.
   * -
     - Delete
     - Archive/Unarchive a Collection via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * - Collection Definition
     - Create
     -
   * -
     - Update
     - Unused at this time.
   * -
     - Delete
     - Unused at this time.
   * -
     - Import
     - Unused at this time.
   * - Supply
     - Create
     -
   * -
     - Update
     - Unused at this time.
   * -
     - Delete
     -
   * -
     - Import
     - Unused at this time.

Configuration
-------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Configuration
     - Create
     - Create a Configuration in the Configuration app or via API call. Also used when importing a Configuration via HUB or API call.
   * -
     - Update
     - Update a Configuration in the Configuration app or via API call, including changing the Configuration name, configuration values, and secret values.
   * -
     - Delete
     - Archive/Unarchive a Configuration via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * - Internalization
     - Create
     - Unused at this time.
   * -
     - Update
     - Unused at this time.
   * -
     - Delete
     - Unused at this time.
   * -
     - Import
     - Import an Internationalization bundle via the Translations app or API call.

Manufacturing Execution System
------------------------------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Manufacturing Execution System
     - Quality Review
     - Perform Quality Review: mark as reviewed, request changes, fail batches, and enter the Quality Review Signature.
   * -
     - Operations Review
     - Perform Operations Review: mark as reviewed, request changes, and enter the Operations Review Signature.
   * -
     - Data Entry
     - Update, enter data, acknowledge label reconciliation, and make changes to data when requested by Quality Review.
   * -
     - Batch creation and Print Labels
     -

Notebooks
---------

.. list-table::
   :widths: 25 25 50
   :header-rows: 1

   * - Object Type
     - Permission
     - Description
   * - Notebook
     - Create
     - Create a Notebook in the Notebooks app or via API call.
   * -
     - Update
     - Update a Notebook in the Notebooks app or via API call, including changing the Notebook name, description, and tags.
   * -
     - Delete
     - Archive/Unarchive a Notebook via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Code Authoring
     -
   * - Notebook Entry
     - Create
     - Create a NotebookEntry in the Notebooks app or via API call.
   * -
     - Update
     - Update a NotebookEntry in the Notebooks app or via API call, including changing the NotebookEntry name, description, tags, and entry information (widgets with configuration).
   * -
     - Delete
     - Archive/Unarchive a NotebookEntry via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Code Authoring
     - Controls whether the user can use the Generic renderer widget.
   * - Notebook Entry Template
     - Create
     - Create a NotebookEntryTemplate in the Notebooks app or via API call.
   * -
     - Update
     - Update a NotebookEntryTemplate in the Notebooks app or via API call, including changing the NotebookEntryTemplate name, description, tags, and entry information (widgets with configuration).
   * -
     - Delete
     - Archive/Unarchive a NotebookEntryTemplate via API call or in the UI.
   * -
     - Import
     - Unused at this time.
   * -
     - Code Authoring
     - Controls whether the user can use the Generic renderer widget.
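The tables above state several dependencies between grants (Import Pipeline should come with Import Task and Import Report Template; Execute Pipeline should come with Update Task Instance) and describe a handful of permissions that bypass a normal control or change who may do what (Force update and Force unlock on Sample Sheets, Update on Roles, Users and Configurations, Code authoring on Protocols, Create on Read Permission). Across many Roles these are easy to lose track of. The following Python script is an added example, not part of the L7|ESP documentation or product, that audits a Role-to-permission map for exactly those two classes of finding. The input format it reads (a dict of Role name to a set of ``Object Type/Permission`` strings) and the sample Roles are assumptions constructed for the example; this page does not show L7|ESP's own export or API format, so the loader must be adapted to whatever your instance produces.

```python
"""Audit a Role -> permission map for the dependency rules and high-impact
grants described in the IAM permission tables.

ASSUMPTION (made for this example, not L7|ESP's own format): the input is a
dict mapping a Role name to the set of "Object Type/Permission" strings the
Role grants. Adapt the loader to whatever your instance actually exports.
"""
from __future__ import annotations

from typing import Dict, List, Set, Tuple

RoleMap = Dict[str, Set[str]]

# Companion grants the tables say ordinarily accompany a permission. A Role
# holding the key without the companions has a grant it cannot fully use, so
# the gap should be closed deliberately (grant the rest, or drop the key).
DEPENDENCIES: Dict[str, Tuple[str, ...]] = {
    "Pipeline/Import": ("Task/Import", "Report Template/Import"),
    "Pipeline/Execute": ("Task Instance/Update",),
}

# Grants the tables describe as overriding a normal control or as able to
# change who may do what. Each one on a non-Admin Role deserves a written
# justification and periodic review.
HIGH_IMPACT: Dict[str, str] = {
    "Sample Sheet/Force update": "edits data of completed LIMS records",
    "Sample Sheet/Force unlock": "removes a SampleSheet lock held by another user",
    "Role/Update": "changes the permissions of every user in a Role",
    "User/Update": "changes usernames, passwords and Role/Workgroup membership",
    "Configuration/Update": "changes configuration and secret values",
    "Protocol/Code authoring": "edits initialContext and uses the Generic renderer",
    "Read Permission/Create": "associates objects with Workgroups via the API",
}


def find_dependency_gaps(roles: RoleMap) -> Dict[str, List[str]]:
    """Return {role: [missing companion permissions]} for Roles that hold a
    permission whose documented companions are absent."""
    gaps: Dict[str, List[str]] = {}
    for role, perms in roles.items():
        missing = sorted(
            need
            for have, needs in DEPENDENCIES.items()
            if have in perms
            for need in needs
            if need not in perms
        )
        if missing:
            gaps[role] = missing
    return gaps


def find_high_impact_grants(roles: RoleMap, exempt: Tuple[str, ...] = ("Admin",)) -> Dict[str, List[str]]:
    """Return {role: [high-impact permissions]} for every non-exempt Role."""
    found: Dict[str, List[str]] = {}
    for role, perms in roles.items():
        if role in exempt:
            continue
        hits = sorted(p for p in perms if p in HIGH_IMPACT)
        if hits:
            found[role] = hits
    return found


def roles_granting(roles: RoleMap, permission: str) -> List[str]:
    """Answer 'who can do X?': the Roles that grant one permission."""
    return sorted(r for r, perms in roles.items() if permission in perms)


def audit(roles: RoleMap) -> List[str]:
    """Produce one finding per line; an empty list means nothing to report."""
    lines: List[str] = []
    for role, missing in find_dependency_gaps(roles).items():
        lines.append(f"{role}: also grant {', '.join(missing)}, or remove the dependent permission")
    for role, hits in find_high_impact_grants(roles).items():
        for p in hits:
            lines.append(f"{role}: high-impact grant {p} ({HIGH_IMPACT[p]}); confirm it is justified")
    return lines


# Constructed sample input: these Roles and grants are invented for the
# example and do not come from any real L7|ESP instance.
SAMPLE_ROLES: RoleMap = {
    "Bioinformatician": {  # has Pipeline/Import but not Report Template/Import
        "Pipeline/Create", "Pipeline/Update", "Pipeline/Import",
        "Pipeline/Execute", "Task/Import", "Task Instance/Update",
    },
    "Scientist": {"Pipeline/Execute", "Sample/Create", "Sample/Update"},
    "Lab Technician": {"Sample/Update", "Sample Sheet/Update", "Sample Sheet/Force unlock"},
    "IAM Operator": {"User/Create", "User/Update", "Role/Update"},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_ROLES):
        print(line)
```

Run it against the sample and it reports the Bioinformatician Role missing Report Template/Import, the Scientist Role missing Task Instance/Update, and the Force unlock, Role/Update and User/Update grants on the two remaining Roles. The Admin Role is exempted from the high-impact check because the page states it is the only Role with admin privileges; every other Role carrying one of those grants is a deliberate exception worth recording.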