Access Control

Overview

This menu controls user access to the Registration system. Only privileged users (e.g. system administrators) can access this menu. Users belong to group(s). Predefined groups can be used, or new ones can be created by adding or removing different roles. When projects are created, user(s) with permission(s) should be added to them.
The Access control menu has three tabs, Users, Groups and Projects, where users, groups and projects can be added, removed or updated.

The main difference between role-based and project-based access is that functions (e.g. register, upload, delete, amend, search etc.) are controlled by role, while access to a compound (being able to register within a certain project and to view the compound on the Browse or Search pages) is handled by project-based access.

If project based security is turned on and project-user permissions are set for a certain project, only those preparations and compounds that have project info are controlled. Therefore a user (who e.g. belongs to the Registrar group) will have access to all compounds that have no project info, but will have no access to compounds that have project info (unless the user was specified as a user for that specific project in the Access Control Projects list).

A user who belongs to the Registrar_No_Amendment group (can register, but cannot modify the compound) and has write access within the given project will not be able to modify the compound; the message "function Amendment is not permitted with your existing roles" is displayed instead.

In conclusion, the role-based access sets an upper limit on the user's permissions. Enabling the project-based access can reduce the user's permissions, but cannot increase them.

Role based access of functionalities

Groups, whether they come from the predefined list or were newly created, can have different roles. Examples of roles: autoregister; view, list, modify submissions in the staging area; ability to register from the staging area; ability to read the amendment page, to amend etc.

E.g. a user who belongs to the Read only group, by default, will have the role to list and view submissions in the staging area, assign and unassign submissions in staging, read the amendment page, search for salts and solvates, view the audit, search for structures, export search results and self administration. The user who belongs to the Read only group will not be able to modify already registered compounds. For a more detailed role description check the Groups section.

Project based access of data

Project based access can be configured. By default it is disabled. While it is disabled, the project field can be used to store data, but no data filtering or access control is applied based on the user and the project info.

Project based access can be enabled in the application's Administration menu, Configuration tab, SecurityConfig. Once enabled, access to the registered compounds can be controlled based on the project info and the relation between user and project.

User(s) can have different permission(s) within projects. Currently four types of permissions are available: write, write own, read and read own. The write permission includes the write own permission (which contains read own) and the read permission. Therefore a user who has write permission within a project automatically has all the permissions, so there is no need to set the other permissions too. A user who has the read or the write own permission automatically has the read own permission as well.

If project based access control is set, registration, amendment and search actions are performed per project, taking the user's permission(s) into account. E.g. project A16 is created with two users as members: reg1 with write permission and chemist4 with read own permission. Logged in as chemist4, the user cannot register lots within project A16. User reg1 is allowed to register within project A16: a lot with reg1 as submitter and another lot with chemist4 as submitter are registered under the same PCN. Then, for chemist4, only one lot of the tree should be visible on the Details and Search pages, although two lots were registered. For chemist4 (who belongs to the "Registrar no restriction change" group), amending the owned lot on the Details page should not be possible, since chemist4 has only read own permission. For reg1 (who belongs to the "Registrar" group), it is possible to amend both lots, since the user has all the roles (register, amend etc.) and also has the permission (write) to do so within the project.
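
The two-layer check described above, modelled as an added example for reviewing a planned configuration; it is not the Registration system's own code. The function labels ("search", "amend"), the mapping from actions to project permissions, the user noamend1 and the helper names allowed and visible_lots are assumptions made for the illustration.

```python
# Toy model: an action is allowed only if the role layer AND the project layer permit it.

# Permission implications as stated on the page.
IMPLIES = {
    "write": {"write", "write_own", "read", "read_own"},
    "write_own": {"write_own", "read_own"},
    "read": {"read", "read_own"},
    "read_own": {"read_own"},
}
# Assumed mapping: (permission needed for own lots, permission needed for others' lots).
NEEDED = {"search": ("read_own", "read"), "amend": ("write_own", "write")}

def allowed(user, action, lot, roles, projects, project_security=True):
    """Return True only if both layers permit `action` on `lot` for `user`."""
    # Layer 1: role-based access is the upper limit.
    if action not in roles.get(user, set()):
        return False
    # Layer 2 applies only when enabled and when the lot carries project info.
    project = lot.get("project")
    if not project_security or project is None:
        return True
    granted = set()
    for perm in projects.get(project, {}).get(user, ()):
        granted |= IMPLIES[perm]  # expand write -> write_own, read, read_own, etc.
    own, other = NEEDED[action]
    return (own if lot["submitter"] == user else other) in granted

# Constructed data mirroring the A16 example on this page.
ROLES = {
    "reg1": {"search", "amend"},      # Registrar
    "chemist4": {"search", "amend"},  # Registrar - No Restriction Change
    "noamend1": {"search"},           # Registrar - No Amendment (hypothetical user)
}
PROJECTS = {"A16": {"reg1": ["write"], "chemist4": ["read_own"], "noamend1": ["write"]}}
LOT_REG1 = {"submitter": "reg1", "project": "A16"}
LOT_CHEM4 = {"submitter": "chemist4", "project": "A16"}
LOT_NO_PROJECT = {"submitter": "reg1", "project": None}

def visible_lots(user):
    """Lots of the A16 tree that `user` can see on the Search/Details pages."""
    return [lot for lot in (LOT_REG1, LOT_CHEM4)
            if allowed(user, "search", lot, ROLES, PROJECTS)]
```

A user listed in no project is denied on every lot that carries project info, while lots without project info fall through to the role check alone.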

Users

List of the Existing Users

The Users tab contains a list of the existing users. The list of users is displayed along with the groups they belong to. The associated roles are also listed. E.g. the "admin" user is part of a group called "super" and has all the available roles. The different roles for each group are listed below. You can filter the Users list by selecting a group or a role in the Filter drop-down list.

Add a new user

It is also possible to add new users by clicking on the [Add new user] button. In this case you need to provide a username and password and select at least one group the new user should belong to, then click first on the Add user to group button and then on the [Create user] button.

Groups

A set of predefined groups is available immediately after the deployment, and new groups can also be defined. The default groups with the default roles are:

Autoregister Only

This group has the role to perform autoregistration and self administration.

Import-Export

This group has the role to perform bulkload, to register with a specific ID, allocate specific PCNs, to search structures and export the search results, to export the regsys DB content to a downstream DB and self administration.

Read Only

This group has the role to list and view submissions in the staging area, assign and unassign his own submissions in staging, read the amendment page with the audit, search for structures and salts/solvates, view the audit, export search results and self administration.

Registrar

This group has the role to autoregister, list, view and modify submissions in staging, register from the staging, bulk register (register all) from the staging, assign and unassign submissions in staging, read the amendment page, amending a structure, lot, version and parent level amendment, view the audit, manual version correction, amending the molecular weight, delete and undelete IDs, rename and swap LnbRef, move lot, amend restriction level, update the layout of the structure, bulk restriction change, search for structures and salts/solvates, export search results, modify the dictionaries, modify the switchers and self administration.

OVERRIDE_SWITCHERS

Registrar - No Amendment

This group has the role to autoregister, list, view and modify submissions in staging, register from the staging, bulk register (register all) from the staging, assign and unassign submissions in staging, read the amendment page, view the audit, manual version correction, search for structures and salts/solvates, export search results and self administration.

Registrar - No Restriction Change

This group has the role to autoregister, list, view and modify submissions in staging, register from the staging, bulk register (register all) from the staging, assign and unassign submissions in staging, read the amendment page, amending a structure, lot, version and parent level amendment, manual version correction, amending the molecular weight, delete and undelete IDs, rename and swap LnbRef, move lot, update the layout of the structure, view the audit, search for structures and salts/solvates, export search results and self administration.

Registry Administrator

This group has the role to list, view and delete submissions from the staging, assign and unassign submissions in staging, add salts and solvates to the DB, view the audit, bulkload, bulk restriction change, clear the DB, modify the dictionaries, export the regsys DB content to a downstream DB and self administration.

Super

This group has all the available roles.

User administrator

This group has the user and self administration roles and is able to modify the dictionary roles; furthermore, it has the ability to set the project based access control (to read projects, if it has permission, and to modify projects with the user permissions).

Projects

Projects can be specified either during autoregistration or when registering the submission from the staging area. Projects can also be created from the Administration page, Access control menu, Projects tab. Here, while creating the project, the users who can have access to it (with different permissions) can be added. The user's permissions are: read, write, read_own and write_own. For more details about the permissions please consult the Project based access of data section.
Projects can be filtered and searched, or all projects can be displayed.