# Identity and Access Management
CellEngine uses role-based access for sharing folders and experiments.
The standard roles available to all users are as follows:
| Role | Description |
|---|---|
| Limited read-only | Can view experiment, but not save a copy or download files. Can view folder. |
| Read-only | Can view and save a copy of experiment and download files. If a user wants to modify the experiment, they will have to save their own copy first. |
| Basic read/write | Can modify experiment or folder, but not delete it or share it. This is the suggested role to provide to other users if you want them to have read/write access. |
| Full read/write | Can modify, delete and share experiment or folder. This is the default role assigned to you when you create a new experiment or folder. |
(See Standard Role Definitions for more details.)
Domain administrators can also create custom roles comprised of approximately 50 different granular permissions. For example, you could create a custom role that only allows modifying gates and combine it with another role that allows viewing the experiment in order to separate access and ability to perform tasks. Custom roles are usable by any user in the domain that has permission to change permissions.
Roles can be assigned to folders and experiments. Permissions are inherited, so if a user has “Basic read/write” on a folder, they will be able to view and modify all experiments and sub-folders in that folder.
## In Depth: Permissions and Roles
Key Points
- Operations in CellEngine require specific permissions.
- Permissions are combined into roles that can be assigned to users on folders and experiments.
- CellEngine provides four standard roles, and domain administrators can create additional roles.
- Permissions inherit dynamically from folders.
Operations in CellEngine require users to have specific permissions for each
experiment or folder. For example, a user must have the fcsfile.upload permission
for each experiment to which they are allowed to upload an FCS file. There are
about 50 different permissions currently.
Permissions are combined into roles. CellEngine provides four standard roles, shown in the tables above and below. Domain administrators can create additional, custom roles.
Permissions and roles can be assigned to experiments or folders. Experiments
inherit permissions from folders in which they reside. For example, if a user
has the experiment.read permission assigned to a folder, they will be able to
view all experiments in that folder. A user’s effective set of permissions is
the union of the permissions granted on the experiment and on all of its containing folders. For example,
if a user has fcsfile.delete on the experiment and fcsfile.upload on the
folder containing the experiment, they can perform both of those operations on
the experiment. This inheritance is dynamic, meaning that if you have an
existing experiment in a folder and grant a user a new role on the folder, the
user effectively gains that role on the experiment also. Likewise, if you later
remove that role from the folder, the user will effectively lose that role on
the experiment.
When a user creates an experiment or folder, they are automatically granted the new role for experiments or new role for folders set for their account, respectively. For users not in a domain, that role is Full Read/Write. For users in a domain, domain administrators can select a different role in the user's profile page. Being the primary researcher or creator of an experiment does not itself confer any permissions. Because the Full Read/Write role allows changing permissions, users with that role can grant other users access to their experiments and folders, as well as change or remove their own access.
Warning
CellEngine uses the “fcsfile.download” and “attachment.download”
permissions to control if a user can download FCS files and attachments,
respectively. Note, however, that a user can still download files when they
have the “experiment.clone” permission and do one of the following:
- Save a copy of the experiment.
- Export populations (potentially including the Ungated population) to a new experiment.
- Run an algorithmic analysis such as UMAP.
Ensure that custom roles are created with this caveat considered.
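The following is an added example, not CellEngine code and not its API: a small in-memory model of the rules described in this section (permission aggregation up the folder chain, dynamic grant and revoke, the "all listed permissions required" rule, and the clone caveat from the warning above). The role sets are a constructed excerpt of the standard roles limited to the permissions the example touches; the grant store, resource names, users and custom roles are all made up for illustration.

```python
"""Toy model of CellEngine-style roles with dynamic folder inheritance.

Added example, not CellEngine code: it uses no CellEngine API and assumes an
in-memory grant store and a parent chain experiment -> folder -> ... -> None.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed excerpt of the four standard roles, limited to the permissions
# this example exercises (the full definitions are in the table on the page).
LIMITED_RO = {"experiment.read", "folder.read"}
READ_ONLY = LIMITED_RO | {"experiment.clone", "fcsfile.download", "attachment.download"}
BASIC_RW = READ_ONLY | {"experiment.update", "fcsfile.upload", "fcsfile.delete",
                        "gate.update", "folder.createExperiment"}
FULL_RW = BASIC_RW | {"experiment.delete", "experiment.move",
                      "experiment.changePermissionInternal",
                      "experiment.changePermissionExternal"}
STANDARD_ROLES = {"Limited read-only": LIMITED_RO, "Read-only": READ_ONLY,
                  "Basic read/write": BASIC_RW, "Full read/write": FULL_RW}


@dataclass(frozen=True)
class Resource:
    """An experiment or folder; parent is None for a top-level folder."""
    id: str
    parent: Optional["Resource"] = None


class AccessModel:
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = {name: set(perms) for name, perms in roles.items()}
        # (user, resource id) -> role names. Grants are read on every check, so
        # there is no cached effective-permission set that could go stale after
        # a grant or revoke on a folder: that is what "dynamic inheritance" means here.
        self.grants: Dict[Tuple[str, str], Set[str]] = {}

    def define_role(self, name: str, perms: Set[str]) -> None:
        self.roles[name] = set(perms)  # a "custom role" in the page's terms

    def grant(self, user: str, resource: Resource, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.grants.setdefault((user, resource.id), set()).add(role)

    def revoke(self, user: str, resource: Resource, role: str) -> None:
        self.grants.get((user, resource.id), set()).discard(role)

    def effective_permissions(self, user: str, resource: Resource) -> Set[str]:
        """Union of the user's roles on the resource and on every containing folder."""
        perms: Set[str] = set()
        node: Optional[Resource] = resource
        while node is not None:
            for role in self.grants.get((user, node.id), ()):
                perms |= self.roles[role]
            node = node.parent
        return perms

    def can(self, user: str, resource: Resource, *required: str) -> bool:
        """All listed permissions must be held (the task table's default rule)."""
        return set(required) <= self.effective_permissions(user, resource)

    def can_save_copy(self, user: str, experiment: Resource,
                      dest_folder: Optional[Resource]) -> bool:
        """'Save a copy': read + clone on the source, plus folder.createExperiment
        on the new parent folder, if any (footnote 5 of the task table)."""
        if not self.can(user, experiment, "experiment.read", "experiment.clone"):
            return False
        return dest_folder is None or self.can(user, dest_folder, "folder.createExperiment")

    def can_obtain_fcs_data(self, user: str, experiment: Resource) -> bool:
        """FCS contents are reachable by direct download or by the clone path
        the Warning describes (save a copy, export populations, run an algorithm)."""
        perms = self.effective_permissions(user, experiment)
        return "fcsfile.download" in perms or "experiment.clone" in perms

    def roles_bypassing_download_control(self) -> list:
        """Custom-role audit: roles that withhold fcsfile.download yet grant
        experiment.clone, so the download restriction is not actually enforced."""
        return sorted(name for name, perms in self.roles.items()
                      if "experiment.clone" in perms and "fcsfile.download" not in perms)


def demo() -> dict:
    """Walk through the scenarios described in the text with constructed data."""
    m = AccessModel(STANDARD_ROLES)
    lab = Resource("lab")                    # top-level folder (constructed)
    proj = Resource("projA", parent=lab)     # sub-folder
    exp = Resource("exp1", parent=proj)      # experiment inside projA
    m.define_role("gate-editor", {"gate.update"})
    m.define_role("copy-only", {"experiment.read", "experiment.clone"})
    m.grant("alice", lab, "Basic read/write")
    m.grant("bob", exp, "Limited read-only")
    m.grant("bob", proj, "gate-editor")
    m.grant("carol", exp, "copy-only")
    out = {
        "alice_can_upload": m.can("alice", exp, "fcsfile.upload"),   # inherited from lab
        "alice_can_save_copy": m.can_save_copy("alice", exp, proj),
        "bob_can_edit_gates": m.can("bob", exp, "gate.update"),      # experiment + folder grants
        "bob_can_obtain_data": m.can_obtain_fcs_data("bob", exp),
        "carol_direct_download": m.can("carol", exp, "fcsfile.download"),
        "carol_can_obtain_data": m.can_obtain_fcs_data("carol", exp),  # via clone
        "flagged_roles": m.roles_bypassing_download_control(),
    }
    m.revoke("bob", proj, "gate-editor")     # dynamic: takes effect on the next check
    out["bob_edits_after_revoke"] = m.can("bob", exp, "gate.update")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit helper is the part worth keeping when reviewing custom roles: a role that grants experiment.clone without fcsfile.download looks restrictive in the role editor but, as the warning notes, still lets the user obtain the files through a copy, an export or an algorithm run.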
## Standard Role Definitions

| Permission | Limited read-only | Read-only | Basic read/write | Full read/write |
|---|---|---|---|---|
| audittrail.comment | | | ✔ | ✔ |
| attachment.delete | | | ✔ | ✔ |
| attachment.download | | ✔ | ✔ | ✔ |
| attachment.update | | | ✔ | ✔ |
| attachment.upload | | | ✔ | ✔ |
| compensation.create | | | ✔ | ✔ |
| compensation.delete | | | ✔ | ✔ |
| compensation.update | | | ✔ | ✔ |
| experiment.changePermissionExternal | | | | ✔ |
| experiment.changePermissionInternal | | | | ✔ |
| experiment.changePrimaryResearcher | | | | ✔ |
| experiment.clone | | ✔ | ✔ | ✔ |
| experiment.delete | | | | ✔ |
| experiment.move | | | | ✔ |
| experiment.read | ✔ | ✔ | ✔ | ✔ |
| experiment.saveRevision | | | ✔ | ✔ |
| experiment.signRevision | | | ✔ | ✔ |
| experiment.update | | | ✔ | ✔ |
| fcsfile.delete | | | ✔ | ✔ |
| fcsfile.download | | ✔ | ✔ | ✔ |
| fcsfile.lockGates | | | ✔ | ✔ |
| fcsfile.unlockGates | | | ✔ | ✔ |
| fcsfile.update | | | ✔ | ✔ |
| fcsfile.upload | | | ✔ | ✔ |
| folder.changePermissionExternal | | | | ✔ |
| folder.changePermissionInternal | | | | ✔ |
| folder.create | | | ✔ | ✔ |
| folder.createExperiment | | | ✔ | ✔ |
| folder.createFolder | | | ✔ | ✔ |
| folder.delete | | | | ✔ |
| folder.move | | | | ✔ |
| folder.read | ✔ | ✔ | ✔ | ✔ |
| folder.removeExperiment | | | | ✔ |
| folder.removeFolder | | | | ✔ |
| folder.update | | | ✔ | ✔ |
| gate.create | | | ✔ | ✔ |
| gate.delete | | | ✔ | ✔ |
| gate.lock | | | ✔ | ✔ |
| gate.unlock | | | ✔ | ✔ |
| gate.update | | | ✔ | ✔ |
| illustration.create | | | ✔ | ✔ |
| illustration.delete | | | ✔ | ✔ |
| illustration.update | | | ✔ | ✔ |
| population.create | | | ✔ | ✔ |
| population.delete | | | ✔ | ✔ |
| population.update | | | ✔ | ✔ |
| scaleset.update | | | ✔ | ✔ |
## Requirements for Common Tasks
The table below lists which permissions are required for common actions available in the CellEngine Web interface. For permissions required by individual API methods, refer to the API reference.
When multiple permissions are shown in the right-hand column, all of those permissions are required unless otherwise indicated.
Note: experiment.read is effectively required for all actions within
experiments in order to use the Web interface. Nonetheless, that permission is
listed for specific actions where it’s required by the underlying API.
| Task | Permissions |
|---|---|
| **Algorithms** | |
| Run algorithm (e.g., UMAP, SOM) | experiment.read, experiment.clone, fcsfile.download, folder.createExperiment⁴ |
| **Attachments** | |
| Delete attachment | attachment.delete |
| Download attachment | experiment.read, attachment.download |
| Rename attachment | attachment.update |
| Upload attachment | attachment.upload |
| **Compensations** | |
| Create compensation matrix | compensation.create |
| Delete compensation matrix | compensation.delete |
| Import compensation from file | compensation.update or compensation.create |
| Update compensation matrix | compensation.update |
| **Experiments** | |
| Change annotation column order and wrapping | experiment.read, experiment.update |
| Change annotation sort order | experiment.read, experiment.update |
| Change annotation validators | experiment.read, experiment.update |
| Change comments, tags and custom fields | experiment.read, experiment.update |
| Change experiment-wide compensation | experiment.read, experiment.update |
| Change permission: Grant permission to user in same domain | experiment.read, experiment.changePermissionInternal |
| Change permission: Grant permission to user outside of domain | experiment.read, experiment.changePermissionExternal |
| Change permission: Revoke other user’s permission | experiment.read, experiment.changePermissionInternal or experiment.changePermissionExternal |
| Change permission: Revoke your own permission | experiment.read |
| Change primary researcher | experiment.read, experiment.update, experiment.changePrimaryResearcher |
| Comment on audit trail | audittrail.comment |
| Compare experiments or revisions | experiment.read |
| Create a revision | experiment.read, experiment.saveRevision |
| Download audit trail | experiment.read |
| Download GatingML | experiment.read |
| Download JSON | experiment.read |
| Import compensations | experiment.read¹, compensation.create |
| Import Diva workspace | population.create, gate.create, illustration.create, scaleset.update |
| Import illustrations | experiment.read¹, illustration.create |
| Import populations | experiment.read¹, population.create, gate.create |
| Import scales | experiment.read¹, scaleset.update |
| List and view experiments | experiment.read |
| Move experiment to folder | experiment.read, experiment.move, folder.createExperiment⁵, folder.removeExperiment⁶ |
| Move experiment to trash (soft-delete) | experiment.read, experiment.update, experiment.delete |
| Remove experiment from trash (un-delete) | experiment.read, experiment.update |
| Rename experiment | experiment.read, experiment.update |
| Save a copy of experiment | experiment.read, experiment.clone, folder.createExperiment⁵ |
| Set retention policy | experiment.read, experiment.update |
| Sign a revision | experiment.read, experiment.signRevision |
| **FCS Files** | |
| Add and change FCS file annotations | fcsfile.update |
| Change “control” status | fcsfile.update |
| Change file’s per-file compensation | fcsfile.update |
| Concatenate FCS files | fcsfile.upload, fcsfile.delete² |
| Delete FCS file | fcsfile.delete |
| Delete FCS file annotations | fcsfile.update, experiment.update |
| Download annotations | experiment.read |
| Download FCS file³ | experiment.read, fcsfile.download |
| Import FCS file | experiment.read¹, experiment.clone¹, fcsfile.upload |
| Lock gates for FCS file | fcsfile.update, fcsfile.lockGates |
| Rename FCS file | fcsfile.update |
| Rename FCS file panel | fcsfile.update |
| Rename FCS file reagent | fcsfile.update |
| Unlock gates for FCS file | fcsfile.update, fcsfile.unlockGates |
| Upload FCS file | fcsfile.upload |
| **Folders** | |
| Change permission: Grant permission to user in same domain | folder.changePermissionInternal |
| Change permission: Grant permission to user outside of domain | folder.changePermissionExternal |
| Change permission: Revoke other user’s permission | folder.changePermissionInternal or folder.changePermissionExternal |
| Change permission: Revoke your own permission | folder.read |
| Create folder | folder.create⁴ |
| List and view folders | folder.read |
| Move folder | folder.update, folder.move, folder.createFolder⁵, folder.removeFolder⁶, experiment.move⁷ |
| Move folder to trash (soft-delete) | folder.delete, experiment.delete⁷ |
| Remove folder from trash (un-delete) | folder.update, experiment.update⁷ |
| Rename folder | folder.update |
| **Gates and Populations** | |
| Add or remove polygon point | gate.update |
| Apply tailoring | gate.update |
| Convert rectangle to polygon | gate.update |
| Copy/paste gate geometry | gate.update |
| Copy/paste populations | experiment.read, gate.create, population.create |
| Copy/paste populations, linked | population.create |
| Create “not”, “and” and “or” populations | population.create |
| Create combo populations | population.create |
| Create gate/population | gate.create, population.create |
| Delete gate/population | gate.delete, population.delete |
| Download populations | see “Download FCS file” |
| Enable/disable quadrant skewing | gate.update |
| Export populations to new experiment | experiment.read, experiment.clone, fcsfile.download, folder.createExperiment⁴ |
| Lock gate | gate.update, gate.lock |
| Modify gate | gate.update |
| Rename gate/population | gate.update, population.update |
| Reset all gates/populations | gate.delete, population.delete |
| Reset gate to global gate | gate.delete |
| Tailor a gate to a file | gate.create |
| Turn off tailoring | gate.update |
| Turn on tailoring | gate.delete |
| Unlock gate | gate.update, gate.unlock |
| **Illustrations** | |
| Create illustration | illustration.create |
| Delete illustration | illustration.delete |
| Download a PDF or PNG of illustration | experiment.read |
| Modify illustration | illustration.update |
| Save a copy of an illustration | experiment.read, illustration.create |
| **Scales** | |
| Modify scales | scaleset.update |
| **Statistics** | |
| Download | experiment.read |

¹ Required on source experiment.
² Required if automatically deleting source files after concatenating.
³ Includes downloading the original file or gated populations, in any format (FCS, TSV, CSV).
⁴ Required on parent folder, if any.
⁵ Required on new parent folder, if any.
⁶ Required on old parent folder, if any.
⁷ Required on all experiments in/below folder.