Users and Permissions

How users and groups of users are organized in LABDRIVE

When you first have access to a LABDRIVE platform, you begin with a single sign-in identity that has complete access to all services and resources in the account. This identity is called the Administrator and is accessed by signing in with the email address and password that you provided. This user is capable of creating other user or group accounts as needed.

User accounts

A user account represents the person or service who uses the account to interact with LABDRIVE. A primary use for user accounts is to give people the ability to sign in to the LABDRIVE Management Interface for interactive tasks and to make programmatic requests using the API.

A user in LABDRIVE consists of a name, a password to sign in (or an identifier of an external identity provider, if using Federated Identity) and

• Several access keys and credentials to access the different LABDRIVE services (such as the API, the S3 protocol server, etc).

• Platform permissions: Permissions to perform certain actions or to access certain platform elements

• Content permissions: Permissions to see or change data containers and archival nodes in the Archival structure.

When you create a user, you grant it permissions by making it a member of a group that has appropriate permission policies attached (recommended), or by directly attaching policies to the user.

Groups

A LABDRIVE user group is a collection of LABDRIVE users.

You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users. For example, you could have a group called Researchers and give that group the types of permissions that researchers typically need.

Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and should have similar privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove them from the old groups and add them to the appropriate new groups.

Permissions

Two types of permissions exist:

• Permissions governing the access to the content (content permissions): Used, for example, to limit what data containers or content a user or group of users are allowed to see.

• Permissions governing the actions in the platform (action permissions): That include, for example, if a user is able to configure the lifecycle settings, storage configuration, etc.

Permissions can be assigned to users or groups. Assigning them to groups usually makes the management easier, and is the recommended way.

Managing users and groups

Using the Management Interface

1. Sign in to the LABDRIVE Management Interface

2. Select Configuration (1) and then Users or Groups (2), depending on what you need to do.

For groups

In Groups, you can add new groups selecting Add Group in the menu and introducing the group name and description.

When the group has been created, you can edit it and then modify the Platform Permissions for the group by selecting Permissions.

Creating a user account

In Users, you can add new users selecting Add user and then, indicating the following details:

In the Auth Type, you can select Password when you do not want to use an external Identity provider or Identifier, if you want to use a 3rd party Identity Provider to manage the user log-in. See how this is obtained in Users and Permissions - Using a 3rd party Identity provider.

Deleting a user account

In Users, you can select Edit User and set Active to No.

Users cannot be deleted in LABDRIVE, to preserve platform logs and events (that are linked to the activity of a given user account), but they can be disabled and archived.

Archival node or container permissions (content permissions)

Once a group or user exists, you can go to the Configuration and then to Archival Structure:

For the node you want to adjust permissions, select Edit node and go to the Permissions section:

More information about permission in the Archive organization section.

Using the API (Groups)

Creating groups

1. Sign in to the LABDRIVE Management Interface

2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:

3. Use this method:

curl --request POST \
 	--url "$your_platform_url/api/group" \
 	--header "Content-Type: application/json" \
 	--header "authorization: Bearer $your_platform_api_key" \
 	--data '{
 		"name": "New group name",
 		"description": "New group description"
 	}'

Get existing groups

1. Sign in to the LABDRIVE Management Interface

2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:

3. Use this method:

	curl --request GET \
      --url "$your_platform_url/api/groups" \
      --header "authorization: Bearer $your_platform_api_key"

Assigning content permissions (archival node or container) to a group

See the Archive organization section

Assigning action permissions to a group

1. Sign in to the LABDRIVE Management Interface

2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:

3. Use this method:

@TO DO LIBNOVA ticket https://trello.com/c/fFj5PZsK/197

/container/{id}/permission/{permission}/{type}/{type_id}

You can get a list of all available permission-keys you can include in the previous call using the following method:

curl --request GET \
    --url "$your_platform_url/api/permissions" \
    --header "Content-Type: application/json" \
    --header "authorization: Bearer $your_platform_api_key"

Using the API (Users)

Creating users

1. Sign in to the LABDRIVE Management Interface

2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:

3. Use this method:

	curl --request POST \
 	--url "$your_platform_url/api/user/internal" \
 	--header "Content-Type: application/json" \
 	--header "authorization: Bearer $your_platform_api_key" \
 	--data '{
 		"name": "New user",
 		"email": "example@email.com",
 		"password": "password",
 		"groups": [1, 2],
 		"keywords": ["user"],
 		"identifier": "Identifier"
 	}'

All content permissions and action permissions available for user groups that are showcased in the previous section, are also available to users.

Using a 3rd party SAML Identity Provider

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications (Service Providers, abbreviated SP) within a federation or distributed network.

Identity providers offer user authentication as a service. LABDRIVE outsource the user authentication step to a trusted identity provider, consuming its federated identity services.

This way, users do not need to provide their credentials to log-in into the platform.

Authorizing the LABDRIVE Service Provider

In order to start using SAML authentication, both your Identity Provider and our Service provider must be able to communicate with each other. There are two ways that this can be achieved:

If your organization is federated

If your organization is already part of a SAML federation such as InCommon, eduGAIN, UK Federation among others, the configuration required to authorize the LIBNOVA Service Provider is minimal. Your IdP should release at least the eduPersonTargetedID attribute, and optionally any other attribute that might be used to configure automated account creation (affiliation, groups, etc). Please use our Service Provider's entityID (https://access.libnova.com/shibboleth) for attribute release.

If your organization is not federated

In the case that your organization is NOT part of any federation, please contact LIBNOVA Support to initiate a metadata exchange process.

Please use our metadata file and provide your organization will have to provide us with your Identity Provider's metadata when ready. Attributes described in the previous section should also be released by your IdP.

If the Identity Provider you are using is Microsoft Azure, please follow the Configuring Azure SAML-based authentication guide.

Identity workflows

LABDRIVE offers extreme flexibility on how accounts are created and user identities are managed. There are several platform settings that impact how the user identities are managed, and how the authentication process gets managed:

• List of authorized IdPs for automated user account creation

• Regular expression for automated permissions assignment

• Allow insecure accounts creation, to allow the user to provide its own email and name if the IdP is not providing them.

When a log-in request is received by the platform, LABDRIVE will check if the identity for the user that is provided by the IdP matches any of the identities assigned to the LABDRIVE users.

• If the identity matches, the user is logged-in in the account.

• If there is not a matching identity,

  • If the issuing IdP is in the list of authorized IdPs for automated user account creation, LABDRIVE analyzes the request looking for the user email and name.

    • If the IdP is releasing the email and user attributes to the LABDRIVE platform, two options are offered to the user:

      • "Create a new LABDRIVE account": To create a new account with the received email and name already filled-in, with no possibility of changing them.

      • "Associate this identity to an existing LABDRIVE account": In which the user is presented its IdP identity identifier, along with instructions on how to add it to its existing account. The user will then log-in with its existing account, go to its user settings, and add/paste the provided identifier in the Identifiers field. Next time the user tries to log-in using the identity, he/she will be logged in.

    • If the IdP is not releasing the email and user name, LABDRIVE will check for the Allow insecure accounts creation setting.

      • If it is enabled, two options are offered to the user:

        • "Create a new LABDRIVE account": LABDRIVE asks the user for its email and name and

          • If the email is not already associated to an existing account, LABDRIVE creates the account based on them.

          • If the email is already associated, we redirect the user to the association instructions (below).

        • "Associate this identity to an existing LABDRIVE account": In which the user is presented its IdP identity identifier, along with instructions on how to add it to its existing account. The user will then log-in with its existing account, go to its user settings, and add/paste the provided identifier in the Identifiers field. Next time the user tries to log-in using the identity, he/she will be logged in.

      • If the Allow insecure accounts creation is not enabled, the user is presented with its identity identifier and a message to provide it to a LABDRIVE administrator, in order for the account to be created. No automated account is created.

  • If the issuing IdP is NOT in the list of authorized IdPs for automated user account creation, the user is presented a message indicating that its IdP is not within the allowed IdPs, and accounts can't be created. The IdP identifier and the user identifier are presented to the user so they can be sent to the administrator in the case he/she wants to configure them.

Automated account creation

When your users try to log-in for the first time, if the Identity Provider id has been included in the authorized IdP list, an account for the user will be created.

To include an IdP in the authorized IdPs' list:

1. Go to Configuration and then to Federated Authentication:

2. Add the id of the authorized IdP to the list.

Automated permissions

When the accounts are automatically created for users, they do not belong to any LABDRIVE group by default. If you want to make them part of a group, you can use the Automated Permissions Configuration to create a rule that will be applied every time an account is created:

1. Go to Configuration and then to Federated Authentication:

2. Go to the Automated account configuration section.

3. Select Add

4. Indicate a meaningful name for the rule that you are creating, indicate the group to which the users will belong and then the SAML attribute and the regular expression you want. If the value for the attribute matches the regular expression, LABDRIVE will make the user a member of the group.

For instance, lets say you want for any user with the attribute "affiliation" set to researchers@acme.com to be part of the group "System Administrators". You would add a new rule and define:

• Name: Make researchers@acme.com part of Sysadmin group

• Group: Select "System Administrators"

• Select Add, and then,

  • In the Attribute, set "affiliation"

  • In the Regex field, set "^researchers@acme\.com$"

Select OK and Create.

How to log-in using an IdP

In case you want to use an external Identity Provider:

1.Select the Your Identity Provider link in the log-in page of LABDRIVE :

2. A list of Identity Providers will be presented. Select yours:

3. Select Continue.

How to log-in with more than one identity to the same LABDRIVE account

Users can link a single LABDRIVE account to more than one of the federated identities available. This way, when the user is using more than one email account for more than one organization, the user can log-in with any of them to the same LABDRIVE account.

To do this, a user with permissions to manage user accounts in LABDRIVE needs also to introduce the identifier in the user authentication section.

To do it, a user with permission to manage user accounts in LABDRIVE needs to introduce the identifier in the user authentication section.

The identifier must be the eduPersonTargetedID attribute. The eduPersonTargetedID is used in lieu of the eduPersonPrincipalName to guarantee uniqueness across all possible Identity Providers: