Users and Permissions
How users and groups of users are organized in LABDRIVE
When you first have access to a LABDRIVE platform, you begin with a single sign-in identity that has complete access to all services and resources in the account. This identity is called the Administrator and is accessed by signing in with the email address and password that you provided. This user is capable of creating other user or group accounts as needed.
We strongly recommend that you do not use the Administrator user for your everyday tasks, and keep it only for the higher-level activities.
User accounts
A user account represents the person or service who uses the account to interact with LABDRIVE. A primary use for user accounts is to give people the ability to sign in to the LABDRIVE Management Interface for interactive tasks and to make programmatic requests using the API.
A user in LABDRIVE consists of a name, a password to sign in (or an identifier of an external identity provider, if using Federated Identity) and
Several access keys and credentials to access the different LABDRIVE services (such as the API, the S3 protocol server, etc).
Platform permissions: Permissions to perform certain actions or to access certain platform elements
Content permissions: Permissions to see or change data containers and archival nodes in the Archival structure.
When you create a user, you grant it permissions by making it a member of a group that has appropriate permission policies attached (recommended), or by directly attaching policies to the user.
Groups
A LABDRIVE user group is a collection of LABDRIVE users.
You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users. For example, you could have a group called Researchers and give that group the types of permissions that researchers typically need.
Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and should have similar privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove them from the old groups and add them to the appropriate new groups.
Permissions
Two types of permissions exist:
Permissions governing the access to the content (content permissions): Used, for example, to limit what data containers or content a user or group of users are allowed to see.
Permissions governing the actions in the platform (action permissions): That include, for example, if a user is able to configure the lifecycle settings, storage configuration, etc.
Permissions can be assigned to users or groups. Assigning them to groups usually makes the management easier, and is the recommended way.
Managing users and groups
Using the Management Interface
1. Sign in to the LABDRIVE Management Interface
2. Select Configuration (1) and then Users or Groups (2), depending on what you need to do.
For groups
In Groups, you can add new groups selecting Add Group in the menu and introducing the group name and description.
When the group has been created, you can edit it and then modify the Platform Permissions for the group by selecting Permissions.
Creating a user account
In Users, you can add new users selecting Add user and then, indicating the following details:
In the Auth Type, you can select Password when you do not want to use an external Identity provider or Identifier, if you want to use a 3rd party Identity Provider to manage the user log-in. See how this is obtained in Users and Permissions - Using a 3rd party Identity provider.
Note that you can add more than one identifier for a single user. This is making LABDRIVE to use the same account, no matter what IdP the user is using to log-in.
Deleting a user account
In Users, you can select Edit User and set Active to No.
Users cannot be deleted in LABDRIVE, to preserve platform logs and events (that are linked to the activity of a given user account), but they can be disabled and archived.
Archival node or container permissions (content permissions)
Once a group or user exists, you can go to the Configuration and then to Archival Structure:
For the node you want to adjust permissions, select Edit node and go to the Permissions section:
More information about permission in the Archive organization section.
Using the API (Groups)
API examples here are shown just for illustrative purposes. Check the LABDRIVE API documentation for additional information and all available methods.
Creating groups
1. Sign in to the LABDRIVE Management Interface
2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:
3. Use this method:
Get existing groups
1. Sign in to the LABDRIVE Management Interface
2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:
3. Use this method:
Assigning content permissions (archival node or container) to a group
See the Archive organization section
Assigning action permissions to a group
1. Sign in to the LABDRIVE Management Interface
2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:
3. Use this method:
Type: Use "User" or "Group" to assign the permission to a user or to a group.
id: The user or group id to assign the permission to.
Permissions: Include the permission keys here. See below for a list of permission keys.
You can get a list of all available permission-keys you can include in the previous call using the following method:
Using the API (Users)
API examples here are just illustrative. Check the LABDRIVE API documentation for additional information and all available methods.
Creating users
1. Sign in to the LABDRIVE Management Interface
2. Obtain your LABDRIVE API key by selecting your name and then Access Methods:
3. Use this method:
All content permissions and action permissions available for user groups that are showcased in the previous section, are also available to users.
Using a 3rd party SAML Identity Provider
An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications (Service Providers, abbreviated SP) within a federation or distributed network.
Identity providers offer user authentication as a service. LABDRIVE outsource the user authentication step to a trusted identity provider, consuming its federated identity services.
This way, users do not need to provide their credentials to log-in into the platform.
Authorizing the LABDRIVE Service Provider
In order to start using SAML authentication, both your Identity Provider and our Service provider must be able to communicate with each other. There are two ways that this can be achieved:
If your organization is federated
If your organization is already part of a SAML federation such as InCommon, eduGAIN, UK Federation among others, the configuration required to authorize the LIBNOVA Service Provider is minimal. Your IdP should release at least the eduPersonTargetedID attribute, and optionally any other attribute that might be used to configure automated account creation (affiliation, groups, etc). Please use our Service Provider's entityID (https://access.libnova.com/shibboleth
) for attribute release.
If your organization is not federated
In the case that your organization is NOT part of any federation, please contact LIBNOVA Support to initiate a metadata exchange process.
Please use our metadata file and provide your organization will have to provide us with your Identity Provider's metadata when ready. Attributes described in the previous section should also be released by your IdP.
If the Identity Provider you are using is Microsoft Azure, please follow the Configuring Azure SAML-based authentication guide.
Identity workflows
LABDRIVE offers extreme flexibility on how accounts are created and user identities are managed. There are several platform settings that impact how the user identities are managed, and how the authentication process gets managed:
List of authorized IdPs for automated user account creation
Regular expression for automated permissions assignment
Allow insecure accounts creation, to allow the user to provide its own email and name if the IdP is not providing them.
When a log-in request is received by the platform, LABDRIVE will check if the identity for the user that is provided by the IdP matches any of the identities assigned to the LABDRIVE users.
If the identity matches, the user is logged-in in the account.
If there is not a matching identity,
If the issuing IdP is in the list of authorized IdPs for automated user account creation, LABDRIVE analyzes the request looking for the user email and name.
If the IdP is releasing the email and user attributes to the LABDRIVE platform, two options are offered to the user:
"Create a new LABDRIVE account": To create a new account with the received email and name already filled-in, with no possibility of changing them.
"Associate this identity to an existing LABDRIVE account": In which the user is presented its IdP identity identifier, along with instructions on how to add it to its existing account. The user will then log-in with its existing account, go to its user settings, and add/paste the provided identifier in the Identifiers field. Next time the user tries to log-in using the identity, he/she will be logged in.
If the IdP is not releasing the email and user name, LABDRIVE will check for the Allow insecure accounts creation setting.
If it is enabled, two options are offered to the user:
"Create a new LABDRIVE account": LABDRIVE asks the user for its email and name and
If the email is not already associated to an existing account, LABDRIVE creates the account based on them.
If the email is already associated, we redirect the user to the association instructions (below).
"Associate this identity to an existing LABDRIVE account": In which the user is presented its IdP identity identifier, along with instructions on how to add it to its existing account. The user will then log-in with its existing account, go to its user settings, and add/paste the provided identifier in the Identifiers field. Next time the user tries to log-in using the identity, he/she will be logged in.
If the Allow insecure accounts creation is not enabled, the user is presented with its identity identifier and a message to provide it to a LABDRIVE administrator, in order for the account to be created. No automated account is created.
If the issuing IdP is NOT in the list of authorized IdPs for automated user account creation, the user is presented a message indicating that its IdP is not within the allowed IdPs, and accounts can't be created. The IdP identifier and the user identifier are presented to the user so they can be sent to the administrator in the case he/she wants to configure them.
Please note that if the Allow insecure accounts creation setting is enabled, the user can provide a fake name and email to the platform, and the account will be created without verifying them, potentially making impersonation attacks possible.
Automated account creation
When your users try to log-in for the first time, if the Identity Provider id has been included in the authorized IdP list, an account for the user will be created.
To include an IdP in the authorized IdPs' list:
1. Go to Configuration and then to Federated Authentication:
2. Add the id of the authorized IdP to the list.
If you do not know your IdP's id, ask one user to try to log-in using it and then review the Log section in this page. The id of the failed log-in attempt is retained there.
If you want to receive a notification every time a new account is automatically created, go to your notification settings (in the account name menu and then My Profile) and enable the Automatic account create notification.
Automated permissions
When the accounts are automatically created for users, they do not belong to any LABDRIVE group by default. If you want to make them part of a group, you can use the Automated Permissions Configuration to create a rule that will be applied every time an account is created:
1. Go to Configuration and then to Federated Authentication:
2. Go to the Automated account configuration section.
3. Select Add
4. Indicate a meaningful name for the rule that you are creating, indicate the group to which the users will belong and then the SAML attribute and the regular expression you want. If the value for the attribute matches the regular expression, LABDRIVE will make the user a member of the group.
For instance, lets say you want for any user with the attribute "affiliation" set to researchers@acme.com to be part of the group "System Administrators". You would add a new rule and define:
Name: Make researchers@acme.com part of Sysadmin group
Group: Select "System Administrators"
Select Add, and then,
In the Attribute, set "affiliation"
In the Regex field, set "^researchers@acme\.com$"
Select OK and Create.
Much like any programming language, a regular expression is a succinct language in its own right. For instance, in the Regex syntax, a non-escaped dot means "any" character. If misused, this may allow users to access content they should not be able to access. When creating your regex expression, make sure to test that it works for the cases it should work and that it does not work for the cases it should not.
The IdPs do not always release all available attributes to the Service Providers (LABDRIVE). The attribute you are looking for may not be part of what the IdP is providing. If this is the case, ask your IdP administrator to release the attributes you need.
When a user logs-in, full details of the IdP's released attributes is saved in the log. This may be useful for you to know the attributes that it is releasing to LABDRIVE.
How to log-in using an IdP
In case you want to use an external Identity Provider:
1.Select the Your Identity Provider link in the log-in page of LABDRIVE :
2. A list of Identity Providers will be presented. Select yours:
3. Select Continue.
If you do not have a LABDRIVE account and your IdP has been authorized, an account will be created for you.
How to log-in with more than one identity to the same LABDRIVE account
Users can link a single LABDRIVE account to more than one of the federated identities available. This way, when the user is using more than one email account for more than one organization, the user can log-in with any of them to the same LABDRIVE account.
To do this, a user with permissions to manage user accounts in LABDRIVE needs also to introduce the identifier in the user authentication section.
If the user has already created two accounts in LABDRIVE with two different identities, move all existing content from one account to the other, remove the eduPersonTargetedID from the one to erase and add it as an additional identifier to the LABDRIVE account that you want for the user to use. Then, disable the previous account.
To do it, a user with permission to manage user accounts in LABDRIVE needs to introduce the identifier in the user authentication section.
The identifier must be the eduPersonTargetedID attribute. The eduPersonTargetedID is used in lieu of the eduPersonPrincipalName to guarantee uniqueness across all possible Identity Providers:
One Identity Provider/user identifier cannot be used for more than one LABDRIVE account, but one LABDRIVE user can use multiple user identifiers.
Last updated