4. IAM (Identity & Access Management)¶

Admin privileges are available to users of the Admin Role only. For a new L7|ESP install, this consists of only the admin@localhost user. To access the IAM app of L7|ESP, log in as admin@localhost (or another user with the Admin Role).

As an Admin, you can view the entire system, configure the system, give permission to other users of the system, manage users, and more.

4.1. Manage Workgroups and Personnel¶

The sections to follow provide instructions for how to manage lab and personnel access (i.e., Workgroups, Roles, and Users) in L7|ESP through the IAM app.

../_images/manage-workgroup-and-personnel.png

4.1.1. Manage Users¶

Create New User¶

Click the IAM app and then click Users from the IAM menu to access the Users page.

Click + New User.

Enter information for the new user:

Enter the Name of the user.

Enter the user's Email.

Enter a unique Username.

Set up a default Password. Confirm the Password.

Note

Users login to L7|ESP using their username, not email.

Optional: Enter a Description (e.g., Hired on August 19, 2019). Check Force Password Reset, which will require the user to create a new password upon logging in.

Click + Add Roles to assign the user to one or more Roles. Once assigned, the Role(s) will appear under the Roles & Permissions tab.
Click +Add Workgroups to assign the user to one or more Workgroups. Once assigned, the Workgroup(s) will appear under the Workgroups tab.

Important

Before you can assign a Role or Workgroup to a user, the Role or Workgroup must already exist. To create a new Role, refer to Create New Role. To create a new Workgroup, refer to Create New Workgroup.

Save the new user.

Edit User¶

Click the IAM app. Click Users from the IAM menu to access the Users page.

Click the Name of a user.
Edit the desired information (e.g., Name, Email, Password, Description, Roles, Workgroups).
Save the updated user.

Deactivate User¶

Click the IAM app. Click Users from the IAM menu to access the Users page.

Click the Name of a user.
Click Deactivate. (A user can be reactivated by clicking Reactivate.)

Hint

Deactivating a user changes that user's Status to "Inactive," which can be observed from the Users page.

4.1.2. Manage Roles¶

Laboratories often have complex working environments where scientific and technical stakeholders perform different work functions, ultimately working together to produce results. L7|ESP was designed with this in mind and provides a platform to streamline the interactions between various laboratory personnel through Roles. Examples of Roles include scientists, lab technicians, bioinformaticians, etc.

You can create and define a Role and assign users to that specific Role. Roles make it easy to manage large groups of users because, when you make a change to a Role, the change is automatically applied to all users assigned to that Role.

Create New Role¶

Create a Role to define the actions that user(s) assigned to that Role can perform.

Click the IAM app. Click Roles from the IAM menu to access the Roles page.

Click + New Role.

Enter information for the new Role:

Enter the Name of the new Role.

Optional: Enter a Description.

Optional: Enter one or more Tag(s).

Optional: Click + Add Users and select one or more user(s) to assign to this Role. Any Role (other than the Admin Role) can have 0 members. Users can be assigned to multiple Roles.

Optional: Click the Permissions tab and select one or more Permission(s) to assign to the Role. Permissions determine the actions that the user assigned to this Role can perform.

Optional: Click the Applications tab and select one or more Application(s) to assign to the Role. The user will be able to view/access the assigned Application(s).

Optional: Select a Default App. Upon logging in, a user assigned to this Role will automatically be taken to the selected Default App.

Save the new Role.

Edit Role¶

Click the IAM app. Click Roles from the IAM menu to access the Roles page.

Click the Name of a Role.
Edit the desired information (e.g., Name, Description, Tags, Users, Permissions). You can also duplicate the Role by clicking Duplicate.

Hint

Creating a new Role that is similar to an existing Role is quick and easy with the Duplicate button. Click Duplicate on an existing Role to copy that Role's permissions and associated information; then, make any updates to the new Role and Save.

Save the updated Role.

Deactivate Role¶

Click the IAM app. Click Roles from the IAM menu to access the Roles page.

Click the Name of a Role.
Click Deactivate. (A Role can be reactivated by clicking Reactive.)

4.1.3. Manage Workgroups¶

You can create Workgroups and assign specific users to each Workgroup, keeping users and resources organized.

A Workgroup restricts what a user can see and restricts the content that the user can perform actions on.

Create New Workgroup¶

Click the IAM app. Click Workgroups from the IAM menu to access the Workgroups page.

Click + New Workgroup.

Enter information for the new Workgroup:

Enter the Name of the new Workgroup.

Optional: Enter a Description.

Optional: Enter one or more Tag(s).

Optional: Click + Add Users to assign one or more user(s) to the Workgroup.

Save the new Workgroup.

Edit Workgroup¶

Click the IAM app. Click Workgroups from the IAM menu to access the Workgroups page.

Click the Name of a Workgroup.
Edit the desired information (e.g., Name, Description, Tags, Users).
Save the updated Workgroup.

Deactivate Workgroup¶

Click the IAM app. Click Workgroups from the IAM menu to access the Workgroups page.

Click the Name of a Workgroup.
Click Deactivate. (A Workgroup can be reactivated by clicking Reactive.)

4.2. IAM Permissions¶

The IAM Permissions tab allows administrators to configure what actions users in a certain role can take for particular types of ESP objects. ESP uses the following decision flow to determine if a user has permission to perform a particular operation on a particular resource:

The available permissions for each object type and their meaning is outlined in the table below.

4.2.1. Analysis-related permissions¶

Object Type	Permission	Description
Pipeline	Create	Create a pipeline in the analysis app or via API call
	Update	Edit a pipeline in the analysis app or via API call, including adding and removing tasks and editing other Pipeline-level metadata.
	Delete	Archive/Unarchive a pipeline in the analysis app or via API call
	Import	Import a pipeline via HUB or API call. Note that ordinarily, granting Import Pipeline permission means an administrator should also grant Import Task and Import Report Definition permissions.
	Execute	Run a pipeline via Analysis app or LIMS pipeline protocol.
Pipeline Instance	Create	Unused. Pipeline instance creation is controlled by the Pipeline Execute permission.
	Update	Update a pipeline instance, including pausing, killing, and restarting a pipeline instance.
	Delete	Archive/Unarchive a pipeline instance.
	Import	Unused at this time.
	Execute	Unused at this time.
Report	Create	Create a report, including pipeline-generated reports and operational reports created by UI or API call. (TODO: We should split those two permissions; honestly, execute pipeline permissions should probably be used to control creating a report from a report template...)
	Update	Update an operational report via UI or API call or a update a pipeline-generated report via API call including the report name, tags, description, report groups, and the elements (widgets) used for the report. (TODO: We should probably prevent update of elements of reports associated with a report template...)
	Delete	Archive/Unarchive an operational or pipeline report.
	Import	Import an operational Report via HUB or API Call.
	Execute	Unused at this time.
Report Template	Create	Create a pipeline-associated Report Template in the Analysis app or via API call.
	Update	Update a pipeline-associated Report Template in the Analysis app or via API call, including changing the Report Template name and the associated widgets.
	Delete	Archive/Unarchive a pipeline-associated report template via API call.
	Import	Import a ReportTemplate via HUB or API Call. Note that importing a pipeline with an associated report template requires permission for both Pipeline Import and Report Template Import.
	Execute	Unused at this time.
Task	Create	Create a Task in the Analysis app or via API call.
	Update	Update a Task in the Analysis app or via API call, including changing the Task name, description, tags, associated task files, and the task script.
	Delete	Archive/Unarchive a task via API call or in the UI.
	Import	Import a Task via HUB or API Call. Note that importing a pipeline with associated tasks requires Import permission for both Pipeline and Task.
	Execute	Unused at this time.
Task Instance	Create	Unused at this time. Task Instances are created at the same time as Pipeline Instances and controlled by the Execute Pipeline permission.
	Update	Update a TaskInstance, including associating a task-generated file with the task instance and associating status messages with a task instance. Ordinarily, a role with "Execute Pipeline" permissions should also have the Update Task Instance permission.
	Delete	Archive/Unarchive a task instance via API call.
	Import	Unused at this time.
	Execute	Unused at this time.

4.2.2. L7|Master-related permissions¶

Object Type	Permission	Description
Container Type	Create	Create a Container Type in the L7\|Master app or via API call.
	Update	Update a Container Type in the L7\|Master app or via API call, including changing the Container Type name, description, tags, storage parameters, dimensions, or custom fields
	Delete	Archive/Unarchive a Container Type via API call or in the UI.
	Import	Import a Container Type via HUB or API Call.
	Execute	Unused at this time.
Customer	Create	Create a Customer in the L7\|Master app or via API call.
	Update	Update a Customer in the L7\|Master app or via API call, including changing the Customer name, description, tags, billing address and shipping address.
	Delete	Archive/Unarchive a Customer via API call or in the UI.
	Import	Import a Customer via HUB or API Call.
	Execute	Unused at this time.
Param Group	Create	Create a Param Group in the L7\|Master app or via API call.
	Update	Update a Param Group in the L7\|Master app or via API call, including changing the Param Group name, description, tags, and parameter settings.
	Delete	Archive/Unarchive a Param Group via API call or in the UI.
	Import	Import a Param Group via HUB or API Call.
	Execute	Unused at this time.
Protocol	Create	Create a Protocol in the L7\|Master app or via API call.
	Update	Update a Protocol in the L7\|Master app or via API call, including changing the Protocol name, description, tags, instructions, custom fields, protocol actions, and flex view
	Delete	Archive/Unarchive a Protocol via API call or in the UI.
	Import	Import a Protocol via HUB or API Call.
	Execute	Unused at this time.
	Code authoring	Controls whether the user can edit the `initialContext` and use the `Generic renderer` widget.
Sample Type	Create	Create an Entity Type in the L7\|Master app or via API call
	Update	Update an Entity Type in the L7\|Master app or via API call, including changing the Entity Type name, description, tags, custom fields, and Detail View Template.
	Delete	Archive/Unarchive an Entity Type via API call or in the UI.
	Import	Import an Entity Type via HUB or API Call.
	Execute	Unused at this time.
Workflow	Create	Create a Workflow in the L7\|Master app or via API call.
	Update	Update a Workflow in the L7\|Master app or via API call, including changing the Workflow name, description, tags, associated protocols, and data links.
	Delete	Archive/Unarchive a Workflow via API call or in the UI.
	Import	Import a Workflow via HUB or API Call.
	Execute	Unused at this time.
Workflow Chain	Create	Create a Workflow Chain in the L7\|Master app or via API call.
	Update	Update a Workflow Chain in the L7\|Master app or via API call, including changing the Workflow Chain name, description, tags, nodes, and transitions
	Delete	Archive/Unarchive a Workflow Chain via API call or in the UI.
	Import	Import a Workflow Chain via HUB or API Call.
	Execute	Unused at this time.
Workflow Chain Plan	Create	Create a Workflow Chain Plan in the Projects app or via API call.
	Update	Update a Workflow Chain Plan in the Projects app or via API call, including changing the Workflow Chain Plan name, description, tags, billing address and shipping address.
	Delete	Archive/Unarchive a Workflow Chain Plan via API call or in the UI.
	Import	Unused at this time.
	Execute	Unused at this time.
Workflowable Resource Class	Create	Create an Entity Class in the L7\|Master app or via API call.
	Update	Update an Entity Class in the L7\|Master app or via API call, including changing the Entity Class name, description, tags, billing address and shipping address.
	Delete	Archive/Unarchive an Entity Class via API call or in the UI.
	Import	Import an Entity Class via HUB or API Call.
	Execute	Unused at this time.
Execution Plan	Create	TODO
	Update	TODO
	Delete	TODO
	Import	TODO
	Execute	TODO
Execution Plan Definition	Create	TODO
	Update	TODO
	Delete	TODO
	Import	TODO
	Execute	TODO

4.2.3. IAM-related permissions¶

Object Type	Permission	Description
Read Permission	Create	Associate an object with a workgroup via API call to the `/api/labs/associateresources` endpoint.
	Update	Unused at this time.
	Delete	Unused at this time.
	Import	Unused at this time.
	Execute	Unused at this time.
Role	Create	Create a Role in the IAM app or via API call.
	Update	Update a Role in the IAM app or via API call, including changing the Role name, description, tags, permissions, application permissions, and associated users.
	Delete	Deactivate/Reactivate a Role via API call or in the UI.
	Import	Import a Role via HUB or API Call.
	Execute	Unused at this time.
User	Create	Create a User in the IAM app or via API call.
	Update	Update a User in the IAM app or via API call, including changing the User's name, username, password, force reset password, account valid hours, description, tags, associated roles and workgroups, and session management.
	Delete	Deactivate/Reactivate a User via API call or in the UI.
	Import	Import a User via API Call.
	Execute	Unused at this time.
Workgroup	Create	Create a Workgroup in the IAM app or via API call.
	Update	Update a Workgroup in the IAM app or via API call, including changing the Workgroup name, description, tags, and associated users
	Delete	Deactivate/Reactivate a Workgroup via API call or in the UI.
	Import	Import a Workgroup via HUB or API Call.
	Execute	Unused at this time.

4.2.4. Ingest-related permissions¶

Object Type	Permission	Description
Ingest Definition	Create	Create an Ingest Definition in the Ingest app or via API call. An Ingest Definition is a the configuration that controls how to interpret a particular ingested file.
	Update	Update an Ingest Definition in the Ingest app or via API call, including changing the Ingest Definition name, description, tags, preprocessor, postprocessor, and field mappings.
	Delete	Archive/Unarchive a Ingest Definition via API call or in the UI.
	Import	Unused at this time.
	Execute	Unused at this time.
Ingest Instance	Create	Create an Ingest Instance in the Ingest app or via API call. An ingest instance is the association between a particular file to ingest, the ingest definition to use when parsing the file, and the ingested results (entities and data).
	Update	Update an Ingest Instance in the Ingest app or via API call, including changing the Ingest Instance name, description, tags, and associated ingest definition
	Delete	Archive/Unarchive an Ingest Instance via API call or in the UI.
	Import	Unused at this time.
	Execute	Submit in ingest instance for processing.

4.2.5. Inventory and Billing-related permissions¶

Object Type	Permission	Description
Address	Create	Unused at this time.
	Update	Unused at this time.
	Delete	Unused at this time.
	Import	Unused at this time.
	Execute	Unused at this time.
Container	Create	Create a Container in the Locations app, LIMS app, or via API call.
	Update	Update a Container in the Locations app or via API call, including changing the Container name, description, tags, barcode, custom field data, and contained items.
	Delete	Archive/Unarchive a Container via API call or in the UI.
	Import	Import a Container via HUB or API Call.
	Execute	Unused at this time.
Item	Create	Create an Item in the Inventory app or via API call.
	Update	Update a Item in the Inventory app or via API call, including changing the Item name, description, tags, barcode, vendor, lot number, serial id, status, expiration date, and making quantity adjustments. This permission is also necessary to use the inventory-use column type in LIMS.
	Delete	Archive/Unarchive an Item via API call or in the UI.
	Import	Import an Item via HUB or API Call.
	Execute	Unused at this time.
Item Type	Create	Create an Item Type in the L7\|Master app or via API call.
	Update	Update an Item Type in the L7\|Master app or via API call, including changing the Item Type name, description, tags, custom fields, units, vendors, ID naming scheme, reorder threshold, and reorder amount,
	Delete	Archive/Unarchive an Item Type via API call or in the UI.
	Import	Import an Item Type via HUB or API Call.
	Execute	Unused at this time.
Service	Create	Create a Service (a billing charge record) via API call.
	Update	Update a Service via API call, including changing the Service name, description, tags, and barcode. Changing the price of a service post-creation is not supported.
	Delete	Archive/Unarchive a Service via API call
	Import	Import a Service via API Call.
	Execute	Unused at this time.
Service Type	Create	Create a Service Type in the L7\|Master app or via API call.
	Update	Update a Service Type in the L7\|Master app or via API call, including changing the Service Type name, description, tags, pricing, and adding/removing/editing customer-specific pricing
	Delete	Archive/Unarchive a Service Type via API call or in the UI.
	Import	Import a Service Type via HUB or API Call.
	Execute	Unused at this time.
Vendor	Create	Create a Vendor in the L7\|Master app or via API call.
	Update	Update a Vendor in the L7\|Master app or via API call, including changing the Vendor name, description, tags, billing address and shipping address.
	Delete	Archive/Unarchive a Vendor via API call or in the UI.
	Import	Import a Vendor via HUB or API Call.
	Execute	Unused at this time.

4.2.6. LIMS-related permissions¶

Object Type	Permission	Description
Experiment	Create	Create an Experiment in the Projects app or via API call.
	Update	Update an Experiment in the Projects app or via API call, including changing the Experiment name, description, tags, and included entities.
	Delete	Archive/Unarchive an Experiment via API call or in the UI.
	Import	Unused at this time.
	Execute	Unused at this time.
Project	Create	Create a Project in the Projects app or via API call.
	Update	Update a Project in the Projects app or via API call, including changing the Project name, description, and tags.
	Delete	Archive/Unarchive a Project via API call or in the UI
	Import	Import a Project via HUB or API Call.
	Execute	Unused at this time.
Sample	Create	Create an Entity in the Projects app, the Entities app, any Entity class-specific apps, or via API call.
	Update	Update an Entity in the Entities app, any Entity class app, or via API call, including changing the Entity name, description, tags, barcode, and custom field data.
	Delete	Archive/Unarchive an Entity via API call or in the UI.
	Import	Import an Entity via HUB or API Call.
	Execute	Unused at this time.
Sample Sheet	Create	Create a SampleSheet in the LIMS app or via API call.
	Update	Update a SampleSheet in the LIMS app or via API call, including changing the SampleSheet name, description, tags, included samples, and sample sheet data values.
	Delete	Archive/Unarchive a SampleSheet via API call or in the UI.
	Import	Unused at this time.
	Execute	Unused at this time.
	Force update	Edit data of completed LIMS records.
	Force unlock	Remove a SampleSheet lock acquired by a different user.
Workflow Chain Instance	Create	Create a WorkflowChainInstance (Experiment using a WorkflowChain) in the Projects app or via API call.
	Update	Update a WorkflowChainInstance in the UI or via API call, specifically transitioning experiment samples to the next node(s) in the WorkflowChain,
	Delete	Archive/Unarchive a WorkflowChainInstance via API call or in the UI.
	Import	Unused at this time.
	Execute	Unused at this time.

4.2.7. L7|Hub¶

Object Type	Permission	Description
Bundle	Create
	Update
	Delete	Unused at this time.
	Import
Collection	Create	Create a Collection in the HUB app or via API call.
	Update	Update a Collection in the HUB app or via API call, including changing the collection name, description, tags, and included content.
	Delete	Archive/Unarchive a Collection via API call or in the UI.
	Import	Unused at this time.
Collection Definition	Create
	Update	Unused at this time.
	Delete	Unused at this time.
	Import	Unused at this time.
Supply	Create
	Update	Unused at this time.
	Delete
	Import	Unused at this time.

4.2.8. Configuration¶

Object Type	Permission	Description
Configuration	Create	Create a Configuration in the Configuration app or via API call. Also used when importing a Configuration via HUB or API Call.
	Update	Update a Configuration in the Configuration app or via API call, including changing the Configuration name, configuration values, and secret values.
	Delete	Archive/Unarchive a Configuration via API call or in the UI.
	Import	Unused at this time.
Internalization	Create	Unused at this time.
	Update	Unused at this time.
	Delete	Unused at this time.
	Import	Import an Internationalization bundle via the Translations app or API call.

4.2.9. Manufacturing Execution System¶

Object Type	Permission	Description
Manufacturing Execution System	Quality Review	Perform Quality Review: mark as reviewed, request changes, fail batches, and enter Quality Review Signature.
	Operations Review	Perform Operations Review: mark as reviewed, request changes, and enter Operations Review Signature.
	Data Entry	Update, enter data, acknowledge label reconciliation, and make changes to data when requested by Quality Review.
	Batch creation and Print Labels.

4.2.10. Notebooks¶

Object Type	Permission	Description
Notebook	Create	Create a Notebook in the Notebooks app or via API call.
	Update	Update a Notebook in the Notebooks app or via API call, including changing the Notebook name, description, and tags.
	Delete	Archive/Unarchive a Notebook via API call or in the UI.
	Import	Unused at this time.
	Code Authoring
Notebook Entry	Create	Create a NotebookEntry in the Notebooks app or via API call.
	Update	Update a NotebookEntry in the Notebooks app or via API call, including changing the NotebookEntry name, description, tags, and entry information (widgets with configuration).
	Delete	Archive/Unarchive a NotebookEntry via API call or in the UI.
	Import	Unused at this time.
	Code Authoring	Controls whether the user can use the Generic renderer widget.
Notebook Entry Template	Create	Create a NotebookEntryTemplate in the Notebooks app or via API call.
	Update	Update a NotebookEntryTemplate in the Notebooks app or via API call, including changing the NotebookEntryTemplate name, description, tags. and entry information (widgets with configuration).
	Delete	Archive/Unarchive a NotebookEntryTemplate via API call or in the UI.
	Import	Unused at this time.
	Code Authoring	Controls whether the user can use the Generic renderer widget.