Access Control

    Users

    The administrator who has USER_ADMINISTRATION role can access this page and all the operations that belongs to users:

    • list and search users

    • create, edit and delete users

    • synchronize remote users and groups

    • resolve user conflicts

      images/download/attachments/1806845/users_new.png
      Users page

    The list of users from the local DB and from external authentication sources is displayed on the main page. New users (only local) can be added, existing local user details can be found and modified here. Filtering of the list of all type of users is possible based on username or e-mail address.

    In the Source column the source of the given user’s authentication is visible: it can be a locally created user or a remote one: LDAP, Active Directory or SAML. By default the local authentication is used, but AD/LDAP authentication can be configured on the Authentication Providers page.

    In Active column the status of the given user (active/inactive) is visible. Please find more information about deactivate/activate a user here: Deactivate/Activate a user.

    Groups

    To access the Groups page, the Administrator user should have the same USER_ADMINISTRATION role as in case of the Users page. Groups include sets of roles (each group one set of roles). Roles are sets of actions — actions like registration, amendment etc. — which those users to whom a given role have been granted are allowed to execute.

    On this page Administrator users can:

    • List and search groups by name or role

    • Create, edit and delete groups

    • Associate roles and users to a group

    • Synchronize groups with remote authentication providers

      images/download/attachments/1806845/groups_Sync.png
      Groups page

    The Source column indicated the origin of the group, that can beLocal (DB), LDAP, Active Directory or SAML

    Projects

    Using Projects you can control who can access the compounds that belong to a certain project.

    Projects are usually defined in order to apply project based access to the Registration system. By default, this functionality is turned off, and accordingly, the project field can be used to store data, but no data filtering or data access will be controlled based on the user and the project info. In order to have a project based access in your system you need to turn on this functionality. More about Project based access can be found here.

    On this page you can:

    • manage the list of projects and assign users to different projects (for full control you need to have ROLE_ACL_READ_PROJECTDETAILS, ROLE_ACL_MODIFY_PROJECTDETAILS and ROLE_ACL_MODIFY_PROJECTS roles)

    • change project related settings (MODIFY_PARAMETERS role is necessary to be able to modify these settings)

      images/download/attachments/1806845/image2018-5-4_10-4-44.png
      Projects page

    When creating a project, users can be associated with it. User(s) can have different permission(s) within projects. Currently five types of permissions are available:

    • Read / write all submissions (1)

    • Read all , write own submissions (2)

    • Read all submissions (3)

    • Read / write own submissions (4)

    • Read own submissions (5)

    Authentication Providers

    You can configure Compound Registration to use an external service to authenticate users. At the moment Compound Registration supports LDAP, Active Directory and SAML.

    Currently only LDAP and Active Directory configuration is exposed on the Administration UI ( Administration > Access Control > Authentication Providers ). To configure SAML please visit this page.

    images/download/attachments/1806845/auth_prov.png
    Active Directory configurations