Configured Role-Based Permissions

Manage the permissions of the System Administrator, Facility Administrator, Researcher, and Collaborator user roles to restrict or allow the following actions:

  • Sign in to Clarity LIMS.

  • Sign in to the API.

  • View and interact with certain features of the interface.

  • Perform certain actions in the interface.

  • View and restrict any actions in the interface. [Clarity LIMS v6.1 and above]

Command-line Permissions Tool

Role-based permissions are controlled through the permissions-tool.jar tool, at /opt/gls/clarity/tools/permissions/.

For assistance with running the command-line permissions tool, contact the Illumina Support team.

Functionality includes the following commands:

NOTE: The permissions-tool.jar tool function names and property names are case-sensitive. If you type the incorrect case, your command or property cannot be understood.

There can be a delay (up to 20 minutes) before changes to some API-related permissions take effect.

Supported Commands

listRoles

List all user roles in the system:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> listRoles

describeRole

Show permissions for a specific role:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> describeRole <rolename>

createRole

Create a role:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> createRole <rolename>

showSummary

Show assigned permissions for all roles:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> showSummary

listPermissions

List names and descriptions of all permissions:

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> listPermissions

assignPermission

Assign a permission to a role (the example assigns permission to create controls):

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> assignPermission <rolename> Controls:create

[Clarity LIMS v6.1 and above] Assign a permission to a role (the example assigns read-only permission to a role):

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> assignPermission <rolename> RoleOnly

Refer to Supported Permissions.

removePermission

Remove a permission from a role (the example removes permission to create controls):

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> removePermission <rolename> Controls:create

Refer to Supported Permissions.

Usage

java -jar permissions-tool.jar -a <apiUri> -u <username> -p <password> <command> [<args>]

Options

-a

--apiUri

REST API base URI (ends with "/api/<version>/") Must be completed as: http://<servername>/api/v2/

-p

--password

LIMS password (required)

-u

--username

LIMS sign-in username (required)

Supported Permissions

The sections below list LIMS permissions and actions, and the user roles to which each permission/action is assigned by default.

By default, System Administrators and Facility Administrators have all permissions listed.

The default role with AdministerLabLink permission is Administrator. This permission is added to the existing System Administrator & Facility Administrator roles.

The Collaborator role is based on the existing Collaborator role in LabLink v1.0.

Note: The existing Researcher role does not have the new permission and behaves similarly to the LabLink Collaborator role.

Action

Permission Required

System Administrator and Facility Administrator

Collaborator

Sign in to LabLink

CollaborationsLogin action

Yes

Yes

Manage Project

Projects create, read, update.

Yes

Yes

Manage Sample

Samples create, read, update.

Yes

Yes

Manage User

Users create, read, update.

Yes

No

Manage Configuration

Configuration update

Yes

No

View the Configuration page

AdministerLabLink

Yes

No

View the User Management page

AdministerLabLink

Yes

No

Permission: ClarityLogin

Default roles with this permission: Administrator, Researcher

Allows:
Result of denied permission
  • Sign in to ClarityLIMS

  • Access Lab View and Projects and Samples screen

  • Access Consumables > Reagents configuration tab; view, edit, and delete reagent lots; add lots to existing kits.

  • Access Consumables > Controls configuration tab and view control details

  • Access Consumables > Instruments configuration tab; add, edit, delete, and activate instruments; view instrument types.

Sign In screen

  • Sorry, you do not have permission to sign in to Clarity LIMS.

Permission: APILogin

Allows:
Result of denied permission
  • Access LIMS Rest API

Sign In screen

  • 403 Forbidden error via http://host/api/*

Permission: Project

Action:
Allows:
Result of denied permission
  • create

  • Create project

  • Modify project details

  • Modify project custom fields

Projects and Samples

  • New Project button hidden

  • View project details (read-only)

Note: No permission is needed to upload files to a project

  • Update

  • Modify project details

Projects and Samples

  • Save button disabled (if delete is permitted)

  • Button menu hidden (if delete is not permitted)

  • View project details (read-only)

  • Delete

  • Delete project containing no samples.

  • Delete project containing samples (also requires Sample:delete permission)

Projects and Samples

  • Delete button disabled (if update is permitted)

  • Button menu hidden (if update is not permitted)

Permission: Sample

Action:
Allows:
Result of denied permission
  • create

  • Submit/add samples

  • Upload sample list

  • Download sample list example

  • Modify samples.

Projects and Samples

  • Submit Samples title hidden

  • Download Example Sample List link hidden

  • Upload Sample List button hidden

  • Add Samples button hidden

  • Modify Samples button renamed Download List

  • Modify Samples button hidden (sample list)

Sample Management

  • Sample + button hidden

  • Update

  • Modify samples.

Projects and Samples

  • Modify Samples button renamed Download List

  • Delete

  • Delete a submitted sample on Projects and Samples screen, provided no work has been performed on the sample.

  • Delete a submitted sample in API, provided no work has been performed on the sample.

Projects and Samples

  • Delete button hidden

  • 403 Forbidden error via http://host/api/sample

The Sample:update permission is automatically granted to roles that have the Sample:create permission at the time of migration to Clarity LIMS v5.x. If you have removed create permissions from any default role, the role does not acquire the update permission.

Permission: Controls

Default roles with these permissions: Administrator

Action:
Allows:
Result of denied permission
  • create

  • Create control samples.

Controls

  • New Control button hidden

  • New Control button hidden

  • Update

  • Modify control samples.

  • Archive control samples (requires both update and delete permissions)

Controls

  • Save button disabled (if delete is permitted)

  • Button menu hidden (if delete is not permitted)

  • View control sample details (read-only)

  • Delete

  • Delete control samples.

  • Archive control samples (requires both update and delete permissions)

Controls

  • Delete button disabled (if update is permitted)

  • Button menu hidden (if delete is not permitted)

  • Archived toggle disabled

Users with ClarityLogin permission can access the Consumables > Controls tab and view control sample details (read only).

Permission: ReagentKit

Default roles with these permissions: Administrator

Action:
Allows:
Result of denied permission
  • create

  • Create reagent kits

Reagents

  • New Reagent Kit button hidden

  • View reagent kit details (read-only)

  • Update

  • Modify reagent kits

  • Archive reagent kits (requires both update and delete permissions)

Reagents

  • Save button disabled (if delete is permitted)

  • Button menu hidden (if delete is not permitted)

  • View kit details (read-only - except for Status)

  • Delete

  • Delete reagent kits

  • Archive reagent kits (requires both update and delete permissions)

Reagents

  • Delete button disabled (if update is permitted)

  • Button menu hidden (if delete is not permitted)

  • Archived toggle disabled

Users with ClarityLogin permission can access the Consumables > Reagents tab. They can also view, edit, and delete reagent lots, and add lots to existing kits. No additional ReagentKit permissions are required.

Permission: Role

Default roles with these permissions: Administrator

Action:
Allows:
Result of denied permission
  • read

  • View client (researcher/contact) details, including details such as username and roles in API

  • View users and clients (contacts) on Users and Clients screen

  • 403 Forbidden error via http://host/api/roles

  • create

  • Create user roles.

  • 403 Forbidden error via http://host/api/roles

  • Update

  • Modify existing user roles.

  • Add/remove user role permissions

  • 403 Forbidden error via http://host/api/roles

  • Delete

  • Delete user roles.

  • 403 Forbidden error via http://host/api/roles

APILogin permission is required for role management. All users with ClarityLogin permissions can view and edit their own user details (except for assigning/removing roles).

Permission: Read-Only [Clarity LIMS v6.1 and above]

Default roles with this permission: Not applicable. You can assign this permission to any role.

At least one System Administrator must be available to reconfigure user roles. Therefore, we recommend that you do not assign the Read-Only permission to the default Administrator and API users.

Action:
Allows:
  • read

  • View project and sample details on the Projects & Samples screen

  • View lab activities, in-progress steps, and steps that are ready to be worked on in Lab View

Permission: User

Default roles with these permissions: Administrator

Action:
Allows:
Result of denied permission
  • read

  • View users and clients on Users and Clients screen

  • View client details, including details such as username and roles in API

  • 403 Forbidden error via http://host/api/researchers

  • create

  • Create users and clients on Users and Clients screen (User:update permission is required to assign permissions to the user)

  • Send login instructions and password reset emails on Users and Clients screen (either this action or User:update is required)

  • Create clients in API.

  • Create user credentials and assign roles in API.

Users and Clients

  • New User button hidden

  • View user details (read-only)

  • 403 Forbidden error via http://host/api/researchers

  • Update

  • Update users and clients on Users and Clients screen

  • Send sign in instructions and password reset emails on Users and Clients screen (either this action or User:create is required)

  • Modify client details in API.

  • Assign role to user in API.

  • Remove role from user in API.

  • Save button disabled (if delete is permitted)

  • Button menu hidden (if delete is not permitted)

  • View user/client details (read-only)

  • 403 Forbidden error via http://host/api/researchers

  • Delete

  • Delete users and clients on Users and Clients screen.

  • Delete a client and associated user in API.

  • Delete button disabled (if update is permitted)

  • Button menu hidden (if delete is not permitted)

  • 403 Forbidden error via http://host/api/researchers

In the LIMS user interface, the term 'contact' has been replaced with 'client.' However, the API still uses the permission Contact.

All users with ClarityLogin permission can view and edit their own user details (except for assigning/removing roles).

Permission: Contact

Default roles with these permissions: Administrator

Action:
Allows:
Result of denied permission
  • read

  • View clients on Users and Clients screen

  • View client details in API

  • 403 Forbidden error via http://host/api/researchers

  • create

  • Create clients on Users and Clients screen.

  • Create clients in API.

Contact:update permission is required to assign permissions to clients.

  • New User button hidden

  • View user details (read-only)

  • 403 Forbidden error via http://host/api/researchers

  • Update

  • Update client details on Users and Clients screen.

  • Update client details in API.

  • Assign role to/remove role from client.

  • 403 Forbidden error via http://host/api/researchers

This permission does not affect the display of clients in Project and Samples and Sample Accessioning screens.

  • Delete

  • Delete clients in API

  • Delete clients on Users and Clients screen.

Clients with associated user details cannot be deleted

  • Delete button disabled (if update is permitted)

  • Button menu hidden (if delete is not permitted)

  • 403 Forbidden error via http://host/api/researchers

In the LIMS user interface, the term 'contact' has been replaced with 'client.' However, the API still uses the permission Contact.

Users with ClarityLogin permission can view and edit their own client and user details.

Clients can edit their own details (except for assigning/removing roles) without having update permission.

Permission: Process

Default roles with these permissions: Administrator

Action:
Allows:
Result of denied permission
  • read

  • View master steps

  • 403 Forbidden error via http://host/api/roles

  • create

  • Create master steps.

  • 403 Forbidden error via http://host/api/roles

  • Update

  • Modify master steps.

  • 403 Forbidden error via http://host/api/roles

In the LIMS user interface, the term 'process' has been replaced with 'master step.' However, the API still uses the permission Process.

Permission: OverviewDashboard

Default roles with this permission: Administrator

Action:
Allows:
Result of denied permission
  • read

  • Access the Overview Dashboard

  • No Dashboards button

Permission: Configuration

Default roles with this permission: Administrator

Action:
Allows:
Result of denied permission
  • update

  • Manage all configuration in the LIMS interface (ClarityLogin permission is also required)

  • Manage configuration in API (APILogin permission is also required)

  • 403 Forbidden error via any URI that begins with http://host/api/configuration.

Permission: ReQueueSample

Default roles with this permission: Administrator, Researcher, Collaborator

Allows:
Result of denied permission
  • Requeue a sample in sample search.

  • Requeue a sample in container search.

Sample and Container Search

  • Requeue button hidden.

Permission: SampleWorkflowAssignment

Default roles with this permission: Administrator, Researcher, Collaborator

Allows:
Result of denied permission
  • Assign sample to workflow from Projects and Samples screen.

Sample Management

  • Sample cannot be dragged into workflow widgets.

  • Workflow selection widget hidden

  • Workflow lozenge Remove button hidden

  • Delete workflow button hidden.

Permission: RemoveSampleFromWorkflow

Default roles with this permission: Administrator

Allows:
Result of denied permission
  • Remove sample from queue.

  • Remove sample from workflow.

Sample Management

  • Remove from this queue option hidden (if Move to next step is permitted)

  • Options button hidden (if Move to next step is not permitted)

Permission: MoveToNextStep

Default roles with this permission: Administrator

Allows:
Result of denied permission
  • Move sample to next step in workflow

Sample Management

  • Move to the next step option hidden (if Remove from this queue is permitted)

  • Options button hidden (if Remove from this queue is not permitted)

Permission: SampleRework

Default roles with this permission: Administrator

Allows:
Result - permission granted
  • Rework a sample from a previous step.

Sample Management

  • In Select the next step of the sample drop-down list, Rework from an earlier step option displays.

  • On Protocol Step Results screen, a button displays to allow the sample to be reworked from an earlier step.

Permission: ReviewEscalatedSamples

Default roles with this permission: Administrator

Allows:
Result - permission granted
  • Review escalated samples.

Sample Escalation

  • Enter Review Comment box enabled.

Permission: ESignatureSigning

Default roles with this permission: Administrator

Allows:
Result of denied permission
  • Sign an eSignature on step completion.

Record Details

  • Error message in e-Signature popup

Permission: CanEditCompletedSteps (LIMS v5.1 and Later)

Default roles with this permission: None

Allows:
Result - permission granted
  • Edit button when viewing a completed step.

  • Select button to edit completed step details on Record Details screen.

Assign Next Steps.

  • Edit button displays.

Record Details

  • After clicking Edit button, Record Details fields are editable, as applicable/permitted.

Modifications are limited to what is available on the Record Details screen for the step.

Details such as sample placement or routing cannot be modified.

Only steps completed after upgrading to LIMS v5.1 can be edited. Steps completed in v5.0 or earlier cannot be edited.

Steps that were executed using the Process API cannot be edited.

For details, see Modify Completed Step Details .

Last updated