# Configured Role-Based Permissions Manage the permissions of the System Administrator, Facility Administrator, Researcher, and Collaborator user roles to restrict or allow the following actions: * Sign in to Clarity LIMS. * Sign in to the API. * View and interact with certain features of the interface. * Perform certain actions in the interface. * View and restrict any actions in the interface. \[Clarity LIMS v6.1 and above] **NOTE**: You can use System Settings to configure role-based permission in Clarity LIMS v6.3. For details, see [#roles-and-permissions-management](https://help.connected.illumina.com/clarity-lims/clarity-lims-v6.3-and-lablink-v2.5/administration/system-settings#roles-and-permissions-management "mention"). ### Command-line Permissions Tool Role-based permissions are controlled through the permissions-tool.jar tool, at /opt/gls/clarity/tools/permissions/. For assistance with running the command-line permissions tool, contact the Illumina Support team. Functionality includes the following commands: * [#listroles](#listroles "mention")—List all roles in the system. * [#describerole](#describerole "mention")—List names and descriptions of all permissions in the system. * [#createrole](#createrole "mention")—Create a role. * [#showsummary](#showsummary "mention")—List permissions assigned to each role in the system. * [#listpermissions](#listpermissions "mention")—List permissions assigned to a specific role. * [#assignpermission](#assignpermission "mention")—Assign a permission to a role. * [#removepermission](#removepermission "mention")—Remove a permission from a role. **NOTE**: The permissions-tool.jar tool function names and property names are case-sensitive. If you type the incorrect case, your command or property cannot be understood. There can be a delay (up to 20 minutes) before changes to some API-related permissions take effect. ### Supported Commands #### **listRoles** List all user roles in the system: ``` java -jar permissions-tool.jar -a -u -p listRoles ``` #### **describeRole** Show permissions for a specific role: ``` java -jar permissions-tool.jar -a -u -p describeRole ``` #### **createRole** Create a role: {% code fullWidth="false" %} ``` java -jar permissions-tool.jar -a -u -p createRole ``` {% endcode %} #### **showSummary** Show assigned permissions for all roles: ``` java -jar permissions-tool.jar -a -u -p showSummary ``` #### **listPermissions** List names and descriptions of all permissions: ``` java -jar permissions-tool.jar -a -u -p listPermissions ``` #### **assignPermission** Assign a permission to a role (the example assigns permission to create controls): ``` java -jar permissions-tool.jar -a -u -p assignPermission Controls:create ``` \[Clarity LIMS v6.1 and above] Assign a permission to a role (the example assigns read-only permission to a role): ``` java -jar permissions-tool.jar -a -u -p assignPermission RoleOnly ``` Refer to [#supported-permissions](#supported-permissions "mention"). #### **removePermission** Remove a permission from a role (the example removes permission to create controls): ``` java -jar permissions-tool.jar -a -u -p removePermission Controls:create ``` Refer to [#supported-permissions](#supported-permissions "mention"). #### Usage ``` java -jar permissions-tool.jar -a -u -p [] ``` #### **Options**
-a--apiUriREST API base URI (ends with "/api/<version>/") Must be completed as: http://<servername>/api/v2/
-p--passwordLIMS password (required)
-u--usernameLIMS sign-in username (required)
### Supported Permissions The sections below list LIMS permissions and actions, and the user roles to which each permission/action is assigned by default. By default, System Administrators and Facility Administrators have all permissions listed. #### **Permission: AdministerLabLink** The default role with AdministerLabLink permission is Administrator. This permission is added to the existing System Administrator & Facility Administrator roles. The Collaborator role is based on the existing Collaborator role in LabLink v1.0. Note: The existing Researcher role does not have the new permission and behaves similarly to the LabLink Collaborator role. | Action | Permission Required | System Administrator and Facility Administrator | Collaborator | | ----------------------------- | ------------------------------ | :---------------------------------------------: | :----------: | | Sign in to LabLink | CollaborationsLogin action | Yes | Yes | | Manage Project | Projects create, read, update. | Yes | Yes | | Manage Sample | Samples create, read, update. | Yes | Yes | | Manage User | Users create, read, update. | Yes | No | | Manage Configuration | Configuration update | Yes | No | | View the Configuration page | AdministerLabLink | Yes | No | | View the User Management page | AdministerLabLink | Yes | No | #### **Permission: ClarityLogin** Default roles with this permission: Administrator, Researcher
Allows:Result of denied permission
  • Sign in to ClarityLIMS
  • Access Lab View and Projects and Samples screen
  • Access Consumables > Reagents configuration tab; view, edit, and delete reagent lots; add lots to existing kits.
  • Access Consumables > Controls configuration tab and view control details
  • Access Consumables > Instruments configuration tab; add, edit, delete, and activate instruments; view instrument types.

Sign In screen

  • Sorry, you do not have permission to sign in to Clarity LIMS.
#### **Permission: APILogin**
Allows:Result of denied permission
  • Access LIMS Rest API

Sign In screen

  • 403 Forbidden error via http://host/api/*
#### **Permission: Project**
Action:Allows:Result of denied permission
  • create
  • Create project
  • Modify project details
  • Modify project custom fields

Projects and Samples

  • New Project button hidden
  • View project details (read-only)

Note: No permission is needed to upload files to a project

  • Update
  • Modify project details

Projects and Samples

  • Save button disabled (if delete is permitted)
  • Button menu hidden (if delete is not permitted)
  • View project details (read-only)
  • Delete
  • Delete project containing no samples.
  • Delete project containing samples (also requires Sample:delete permission)

Projects and Samples

  • Delete button disabled (if update is permitted)
  • Button menu hidden (if update is not permitted)
#### **Permission: Sample**
Action:Allows:Result of denied permission
  • create
  • Submit/add samples
  • Upload sample list
  • Download sample list example
  • Modify samples.

Projects and Samples

  • Submit Samples title hidden
  • Download Example Sample List link hidden
  • Upload Sample List button hidden
  • Add Samples button hidden
  • Modify Samples button renamed Download List
  • Modify Samples button hidden (sample list)

Sample Management

  • Sample + button hidden
  • Update
  • Modify samples.

Projects and Samples

  • Modify Samples button renamed Download List
  • Delete
  • Delete a submitted sample on Projects and Samples screen, provided no work has been performed on the sample.
  • Delete a submitted sample in API, provided no work has been performed on the sample.

Projects and Samples

  • Delete button hidden
  • 403 Forbidden error via http://host/api/sample
{% hint style="info" %} The Sample:update permission is automatically granted to roles that have the Sample:create permission at the time of migration to Clarity LIMS v5.x. If you have removed create permissions from any default role, the role does not acquire the update permission. {% endhint %} #### **Permission: Controls** Default roles with these permissions: Administrator
Action:Allows:Result of denied permission
  • create
  • Create control samples.

Controls

  • New Control button hidden
  • New Control button hidden
  • Update
  • Modify control samples.
  • Archive control samples (requires both update and delete permissions)

Controls

  • Save button disabled (if delete is permitted)
  • Button menu hidden (if delete is not permitted)
  • View control sample details (read-only)
  • Delete
  • Delete control samples.
  • Archive control samples (requires both update and delete permissions)

Controls

  • Delete button disabled (if update is permitted)
  • Button menu hidden (if delete is not permitted)
  • Archived toggle disabled
{% hint style="info" %} Users with ClarityLogin permission can access the Consumables > Controls tab and view control sample details (read only). {% endhint %} #### **Permission: ReagentKit** Default roles with these permissions: Administrator
Action:Allows:Result of denied permission
  • create
  • Create reagent kits

Reagents

  • New Reagent Kit button hidden
  • View reagent kit details (read-only)
  • Update
  • Modify reagent kits
  • Archive reagent kits (requires both update and delete permissions)

Reagents

  • Save button disabled (if delete is permitted)
  • Button menu hidden (if delete is not permitted)
  • View kit details (read-only - except for Status)
  • Delete
  • Delete reagent kits
  • Archive reagent kits (requires both update and delete permissions)

Reagents

  • Delete button disabled (if update is permitted)
  • Button menu hidden (if delete is not permitted)
  • Archived toggle disabled
{% hint style="info" %} Users with ClarityLogin permission can access the Consumables > Reagents tab. They can also view, edit, and delete reagent lots, and add lots to existing kits. No additional ReagentKit permissions are required. {% endhint %} #### **Permission: Role** Default roles with these permissions: Administrator
Action:Allows:Result of denied permission
  • read
  • View client (researcher/contact) details, including details such as username and roles in API
  • View users and clients (contacts) on Users and Clients screen
  • 403 Forbidden error via http://host/api/roles
  • create
  • Create user roles.
  • 403 Forbidden error via http://host/api/roles
  • Update
  • Modify existing user roles.
  • Add/remove user role permissions
  • 403 Forbidden error via http://host/api/roles
  • Delete
  • Delete user roles.
  • 403 Forbidden error via http://host/api/roles
{% hint style="info" %} APILogin permission is required for role management. All users with ClarityLogin permissions can view and edit their own user details (except for assigning/removing roles). {% endhint %} #### **Permission: Read-Only** \[Clarity LIMS v6.1 and above] Default roles with this permission: Not applicable. You can assign this permission to any role. {% hint style="info" %} At least one System Administrator must be available to reconfigure user roles. Therefore, we recommend that you do not assign the Read-Only permission to the default Administrator and API users. {% endhint %}
Action:Allows:
  • read
  • View project and sample details on the Projects & Samples screen
  • View lab activities, in-progress steps, and steps that are ready to be worked on in Lab View
#### **Permission: User** Default roles with these permissions: Administrator
Action:Allows:Result of denied permission
  • read
  • View users and clients on Users and Clients screen
  • View client details, including details such as username and roles in API
  • 403 Forbidden error via http://host/api/researchers
  • create
  • Create users and clients on Users and Clients screen (User:update permission is required to assign permissions to the user)
  • Send login instructions and password reset emails on Users and Clients screen (either this action or User:update is required)
  • Create clients in API.
  • Create user credentials and assign roles in API.

Users and Clients

  • New User button hidden
  • View user details (read-only)
  • 403 Forbidden error via http://host/api/researchers
  • Update
  • Update users and clients on Users and Clients screen
  • Send sign in instructions and password reset emails on Users and Clients screen (either this action or User:create is required)
  • Modify client details in API.
  • Assign role to user in API.
  • Remove role from user in API.
  • Save button disabled (if delete is permitted)
  • Button menu hidden (if delete is not permitted)
  • View user/client details (read-only)
  • 403 Forbidden error via http://host/api/researchers
  • Delete
  • Delete users and clients on Users and Clients screen.
  • Delete a client and associated user in API.
  • Delete button disabled (if update is permitted)
  • Button menu hidden (if delete is not permitted)
  • 403 Forbidden error via http://host/api/researchers
In the LIMS user interface, the term 'contact' has been replaced with 'client.' However, the API still uses the permission Contact. All users with ClarityLogin permission can view and edit their own user details (except for assigning/removing roles). #### **Permission: Contact** Default roles with these permissions: Administrator
Action:Allows:Result of denied permission
  • read
  • View clients on Users and Clients screen
  • View client details in API
  • 403 Forbidden error via http://host/api/researchers
  • create
  • Create clients on Users and Clients screen.
  • Create clients in API.

Contact:update permission is required to assign permissions to clients.

  • New User button hidden
  • View user details (read-only)
  • 403 Forbidden error via http://host/api/researchers
  • Update
  • Update client details on Users and Clients screen.
  • Update client details in API.
  • Assign role to/remove role from client.
  • 403 Forbidden error via http://host/api/researchers

This permission does not affect the display of clients in Project and Samples and Sample Accessioning screens.

  • Delete
  • Delete clients in API
  • Delete clients on Users and Clients screen.

Clients with associated user details cannot be deleted

  • Delete button disabled (if update is permitted)
  • Button menu hidden (if delete is not permitted)
  • 403 Forbidden error via http://host/api/researchers
In the LIMS user interface, the term 'contact' has been replaced with 'client.' However, the API still uses the permission Contact. Users with ClarityLogin permission can view and edit their own client and user details. Clients can edit their own details (except for assigning/removing roles) without having update permission. #### **Permission: Process** Default roles with these permissions: Administrator
Action:Allows:Result of denied permission
  • read
  • View master steps
  • 403 Forbidden error via http://host/api/roles
  • create
  • Create master steps.
  • 403 Forbidden error via http://host/api/roles
  • Update
  • Modify master steps.
  • 403 Forbidden error via http://host/api/roles
In the LIMS user interface, the term 'process' has been replaced with 'master step.' However, the API still uses the permission Process. #### **Permission: OverviewDashboard** Default roles with this permission: Administrator
Action:Allows:Result of denied permission
  • read
  • Access the Overview Dashboard
  • No Dashboards button
#### **Permission: Configuration** Default roles with this permission: Administrator
Action:Allows:Result of denied permission
  • update
  • Manage all configuration in the LIMS interface (ClarityLogin permission is also required)
  • Manage configuration in API (APILogin permission is also required)
  • 403 Forbidden error via any URI that begins with http://host/api/configuration.
#### **Permission: ReQueueSample** Default roles with this permission: Administrator, Researcher, Collaborator
Allows:Result of denied permission
  • Requeue a sample in sample search.
  • Requeue a sample in container search.

Sample and Container Search

  • Requeue button hidden.
#### **Permission: SampleWorkflowAssignment** Default roles with this permission: Administrator, Researcher, Collaborator
Allows:Result of denied permission
  • Assign sample to workflow from Projects and Samples screen.

Sample Management

  • Sample cannot be dragged into workflow widgets.
  • Workflow selection widget hidden
  • Workflow lozenge Remove button hidden
  • Delete workflow button hidden.
#### **Permission: RemoveSampleFromWorkflow** Default roles with this permission: Administrator
Allows:Result of denied permission
  • Remove sample from queue.
  • Remove sample from workflow.

Sample Management

  • Remove from this queue option hidden (if Move to next step is permitted)
  • Options button hidden (if Move to next step is not permitted)
#### **Permission: MoveToNextStep** Default roles with this permission: Administrator
Allows:Result of denied permission
  • Move sample to next step in workflow

Sample Management

  • Move to the next step option hidden (if Remove from this queue is permitted)
  • Options button hidden (if Remove from this queue is not permitted)
#### **Permission: SampleRework** Default roles with this permission: Administrator
Allows:Result - permission granted
  • Rework a sample from a previous step.

Sample Management

  • In Select the next step of the sample drop-down list, Rework from an earlier step option displays.
  • On Protocol Step Results screen, a button displays to allow the sample to be reworked from an earlier step.
#### **Permission: ReviewEscalatedSamples** Default roles with this permission: Administrator
Allows:Result - permission granted
  • Review escalated samples.

Sample Escalation

  • Enter Review Comment box enabled.
#### **Permission: ESignatureSigning** Default roles with this permission: Administrator
Allows:Result of denied permission
  • Sign an eSignature on step completion.

Record Details

  • Error message in e-Signature popup
#### **Permission: CanEditCompletedSteps (LIMS v5.1 and Later)** Default roles with this permission: None
Allows:Result - permission granted
  • Edit button when viewing a completed step.
  • Select button to edit completed step details on Record Details screen.

Assign Next Steps.

  • Edit button displays.

Record Details

  • After clicking Edit button, Record Details fields are editable, as applicable/permitted.
Modifications are limited to what is available on the Record Details screen for the step. Details such as sample placement or routing cannot be modified. Only steps completed after upgrading to LIMS v5.1 can be edited. Steps completed in v5.0 or earlier cannot be edited. Steps that were executed using the Process API cannot be edited. For details, see [modifying-completed-step-details](https://help.connected.illumina.com/clarity-lims/clarity-lims-v6.3-and-lablink-v2.5/clarity-lims-v6.3-reference-guide/lab-view/modifying-completed-step-details "mention").