Update user roles list to matrix table #538

Merged: 24 commits, Apr 25, 2025

Commits (24):
1e79341 Update roles list to matrix table (justinegeffen, Apr 4, 2025)
03266a0 Update platform_versioned_docs/version-25.1/orgs-and-teams/roles.mdx (justinegeffen, Apr 7, 2025)
9706fe5 Apply suggestions from code review (justinegeffen, Apr 7, 2025)
aa6e8d9 Update platform_versioned_docs/version-25.1/orgs-and-teams/roles.mdx (justinegeffen, Apr 7, 2025)
cf7ec03 Merge branch 'master' into justinegeffen-user-roles (justinegeffen, Apr 7, 2025)
9778553 Update platform_versioned_docs/version-25.1/orgs-and-teams/roles.mdx (justinegeffen, Apr 25, 2025)
3057a8a Apply suggestions from code review (justinegeffen, Apr 25, 2025)
eb4b705 Update platform_versioned_docs/version-25.1/orgs-and-teams/roles.mdx (justinegeffen, Apr 25, 2025)
bb25d30 Update roles.mdx (justinegeffen, Apr 25, 2025)
729648f Rename platform_versioned_docs/version-25.1/orgs-and-teams/roles.mdx … (justinegeffen, Apr 25, 2025)
aeb02f1 Merge branch 'master' into justinegeffen-user-roles (justinegeffen, Apr 25, 2025)
373fefd Update roles.mdx (justinegeffen, Apr 25, 2025)
ebf0185 Merge branch 'master' into justinegeffen-user-roles (justinegeffen, Apr 25, 2025)
b8addad Update platform-enterprise_versioned_docs/version-25.1/orgs-and-teams… (justinegeffen, Apr 25, 2025)
038b9ce Update platform_versioned_docs/platform-cloud/version-25.1/orgs-and-t… (justinegeffen, Apr 25, 2025)
83c8064 Update roles.mdx (justinegeffen, Apr 25, 2025)
af1edcb Update roles.mdx (justinegeffen, Apr 25, 2025)
7c3fa88 Update roles.mdx (justinegeffen, Apr 25, 2025)
30bd4bf Update roles.mdx (justinegeffen, Apr 25, 2025)
0ad9519 Update roles.mdx (justinegeffen, Apr 25, 2025)
f69edfd Update roles.mdx (justinegeffen, Apr 25, 2025)
4414ce0 Update roles.mdx (justinegeffen, Apr 25, 2025)
7e26756 Update roles.mdx (justinegeffen, Apr 25, 2025)
7a51cb5 Update roles.mdx (justinegeffen, Apr 25, 2025)
53 changes: 46 additions & 7 deletions platform-cloud/docs/orgs-and-teams/roles.mdx
@@ -18,12 +18,51 @@ You can group **members** and **collaborators** into **teams** and apply a role

### Workspace participant roles

- **Owner**: The participant has full permissions for all resources within the workspace, including the workspace settings.
- **Admin**: The participant has full permissions for resources associated with the workspace and access to all the actions associated with all roles, including all data-related roles. They can create, modify, and delete pipelines, compute environments, actions, credentials, and secrets. They can also add/remove users in the workspace and edit the workspace settings. A participant with this role cannot delete a workspace.
- **Maintain**: The participant can launch pipelines and modify pipeline executions (e.g., change the pipeline launch compute environment, parameters, pre/post-run scripts, Nextflow config), create new pipeline configurations in the Launchpad, and add secrets. They can upload, download, and preview data in Data Explorer, hide/unhide buckets, manage buckets, and manage the metadata associated with buckets.They can also add, update, and delete a Studio session. This includes starting, stopping, and changing the configuration. A participant with this role cannot modify compute environment settings and credentials, but can manage workspace labels and resource labels.
- **Launch**: The participant can launch pipelines and modify the pipeline input/output parameters in the Launchpad. This includes starting, stopping, and changing the configuration. They cannot modify the launch configuration or other resources. They can list, search and view the status, configuration, and details of Studio sessions and connect to a running session.
- **Connect**: The participant can list, search, and view the status, configuration, and details of Studio sessions. They cannot add, update (start/stop/change config) or delete Studio sessions. They can also connect to a running sessions and interact with the contents, and access team resources in read-only mode. They cannot launch or maintain pipelines. A participant with this role also cannot manage any data in Data Explorer — uploading, downloading, or previewing data, hiding/unhiding, managing buckets, or managing the metadata associated with buckets.
- **View**: The participant can only access team resources in read-only mode. This includes the ability to list, search, and view the status, configuration, and details of mounted data in Data Explorer and Studio sessions.
| Permission / Role | Owner | Admin | Maintain | Launch | Connect | View |
|--------------------------------------------|-------|-------|----------|--------|---------|------|
| **Organization: Settings:** Add, edit, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Workspaces:** Add, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Workspaces:** Edit, change visibility | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Members:** Add, delete, change role | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Teams:** Add, edit, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Teams: Members:** Add, remove | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Teams: Workspaces:** Add, remove, change role | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Collaborators:** Add, edit, delete | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Managed identities:** Add, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Managed identities:** Edit | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Managed identities: Users:** Manage credentials | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Settings: Studios:** Edit session lifespan | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Settings: Labels & Resource Labels:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Compute environments:** Add, rename, make primary, duplicate, delete | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Actions:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Credentials:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Secrets:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Participants:** Add, remove, change role | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines:** Launch | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** View | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| **Workspace: Pipelines:** Define input/output parameters | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** Modify execution configurations | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines:** Add, edit, duplicate, delete | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** Modify resource labels | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines:** Create, modify, delete | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines: Run:** Apply labels, relaunch, save as new pipeline | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines: Run:** Resume, delete, star (favourite) | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** Modify resource labels | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Datasets:** Add, edit | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Datasets:** Delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Upload, download, preview data | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Attach, edit, remove buckets | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Hide/unhide buckets | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Edit bucket metadata | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Add, edit, delete a studio | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** List/search/view studios | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| **Workspace: Studios:** Connect to a running session | ✔ | ✔ | ✔ | ✔ | ✔ | ✖ |
| **Workspace: Studios:** Add, edit, delete studio | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Edit studio resource labels | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Start, stop studio session | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Add as new (duplicate studio) | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios: Checkpoints:** Edit studio checkpoint name | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace:** View (read-only) resources | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |

### Role inheritance

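Review bot: the matrix in this hunk has rows that repeat or contradict each other and should be reconciled before merge. `**Workspace: Pipelines:** Modify resource labels` is listed twice with identical marks, and `**Workspace: Studios:** Add, edit, delete a studio` and `**Workspace: Studios:** Add, edit, delete studio` are the same permission twice; drop one copy of each. `**Workspace: Pipelines:** Add, edit, duplicate, delete` gives Launch a ✔ while `**Workspace: Pipelines:** Create, modify, delete` gives Maintain a ✖, so as written a Launch participant can delete pipelines that a Maintain participant cannot; the removed bullets said Maintain can create pipeline configurations and Launch cannot modify other resources, so at least one of those two rows is wrong, and for a permission matrix that readers will use to pick the least-privileged role this needs to be settled rather than left ambiguous. Also, the table sits under `### Workspace participant roles` but its first eleven rows are organization-level permissions (settings, members, teams, managed identities); either split those under their own heading or rename the section so the Owner column is not read as "workspace owner".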
@@ -35,4 +74,4 @@ Example:
- If the participant role is Admin and the team role is Launch, the user will have Admin rights.
- If the participant role is Launch and the team role is Launch, the user will have Launch rights.

As a best practice, use teams as the primary vehicle for assigning rights within a workspace and only add named participants when one-off privilege escalations are deemed necessary.
As a best practice, use teams as the primary vehicle for assigning rights within a workspace and only add named participants when one-off privilege escalations are deemed necessary.
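Review bot: the only visible change in this hunk is the final best-practice sentence shown removed and re-added verbatim, so this is presumably a trailing-newline or whitespace fix; confirm the file now ends with a newline so the same no-op diff does not reappear on the next edit. While here, the sentence about "one-off privilege escalations" would benefit from one caveat that follows from the inheritance rule above it: because the higher of the participant and team roles wins, a named participant assignment can only raise what the team grants, never lower it, so assigning someone View as a named participant does not restrict a more permissive team role.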
@@ -18,12 +18,51 @@ You can group **members** and **collaborators** into **teams** and apply a role

### Workspace participant roles

- **Owner**: The participant has full permissions for all resources within the workspace, including the workspace settings.
- **Admin**: The participant has full permissions for resources associated with the workspace and access to all the actions associated with all roles, including all data-related roles. They can create, modify, and delete pipelines, compute environments, actions, credentials, and secrets. They can also add/remove users in the workspace and edit the workspace settings. A participant with this role cannot delete a workspace.
- **Maintain**: The participant can launch pipelines and modify pipeline executions (e.g., change the pipeline launch compute environment, parameters, pre/post-run scripts, Nextflow config), create new pipeline configurations in the Launchpad, and add secrets. They can upload, download, and preview data in Data Explorer, hide/unhide buckets, manage buckets, and manage the metadata associated with buckets.They can also add, update, and delete a Studio session. This includes starting, stopping, and changing the configuration. A participant with this role cannot modify compute environment settings and credentials, but can manage workspace labels and resource labels.
- **Launch**: The participant can launch pipelines and modify the pipeline input/output parameters in the Launchpad. This includes starting, stopping, and changing the configuration. They cannot modify the launch configuration or other resources. They can list, search and view the status, configuration, and details of Studio sessions and connect to a running session.
- **Connect**: The participant can list, search, and view the status, configuration, and details of Studio sessions. They cannot add, update (start/stop/change config) or delete Studio sessions. They can also connect to a running sessions and interact with the contents, and access team resources in read-only mode. They cannot launch or maintain pipelines. A participant with this role also cannot manage any data in Data Explorer — uploading, downloading, or previewing data, hiding/unhiding, managing buckets, or managing the metadata associated with buckets.
- **View**: The participant can only access team resources in read-only mode. This includes the ability to list, search, and view the status, configuration, and details of mounted data in Data Explorer and Studio sessions.
| Permission / Role | Owner | Admin | Maintain | Launch | Connect | View |
|--------------------------------------------|-------|-------|----------|--------|---------|------|
| **Organization: Settings:** Add, edit, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Workspaces:** Add, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Workspaces:** Edit, change visibility | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Members:** Add, delete, change role | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Teams:** Add, edit, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Teams: Members:** Add, remove | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Teams: Workspaces:** Add, remove, change role | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Collaborators:** Add, edit, delete | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Managed identities:** Add, delete | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Managed identities:** Edit | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Organization: Managed identities: Users:** Manage credentials | ✔ | ✖ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Settings: Studios:** Edit session lifespan | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Settings: Labels & Resource Labels:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Compute environments:** Add, rename, make primary, duplicate, delete | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Actions:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Credentials:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Secrets:** Add, edit, delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Participants:** Add, remove, change role | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines:** Launch | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** View | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| **Workspace: Pipelines:** Define input/output parameters | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** Modify execution configurations | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines:** Add, edit, duplicate, delete | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** Modify resource labels | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines:** Create, modify, delete | ✔ | ✔ | ✖ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines: Run:** Apply labels, relaunch, save as new pipeline | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Pipelines: Run:** Resume, delete, star (favourite) | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Pipelines:** Modify resource labels | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Datasets:** Add, edit | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| **Workspace: Datasets:** Delete | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Upload, download, preview data | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Attach, edit, remove buckets | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Hide/unhide buckets | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Data Explorer:** Edit bucket metadata | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Add, edit, delete a studio | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** List/search/view studios | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| **Workspace: Studios:** Connect to a running session | ✔ | ✔ | ✔ | ✔ | ✔ | ✖ |
| **Workspace: Studios:** Add, edit, delete studio | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Edit studio resource labels | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Start, stop studio session | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios:** Add as new (duplicate studio) | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace: Studios: Checkpoints:** Edit studio checkpoint name | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
| **Workspace:** View (read-only) resources | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |

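Review bot: this hunk repeats the first file's table line for line, including the duplicated `Modify resource labels` row, the `Add, edit, delete a studio` / `Add, edit, delete studio` pair, and the Launch ✔ / Maintain ✖ mismatch between the `Add, edit, duplicate, delete` and `Create, modify, delete` pipeline rows; whatever correction lands in the first copy needs to land here too, otherwise the two versions of the page drift apart.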
### Role inheritance

@@ -35,4 +74,4 @@ Example:
- If the participant role is Admin and the team role is Launch, the user will have Admin rights.
- If the participant role is Launch and the team role is Launch, the user will have Launch rights.

As a best practice, use teams as the primary vehicle for assigning rights within a workspace and only add named participants when one-off privilege escalations are deemed necessary.
As a best practice, use teams as the primary vehicle for assigning rights within a workspace and only add named participants when one-off privilege escalations are deemed necessary.
@@ -0,0 +1,77 @@
---
title: "User roles"
description: "Understand the various roles in Seqera Platform."
date: "10 Jun 2024"
tags: [roles, user-roles]
---

Organization owners can assign role-based access levels to individual **participants** and **teams** in an organization workspace.

:::tip
You can group **members** and **collaborators** into **teams** and apply a role to that team. Members and collaborators inherit the access role of the team.
:::

### Organization user roles

- **Owner**: After an organization is created, the user who created the organization is the default owner of that organization. Aditional users can be assigned as organization owners. Owners have full read/write access to modify members, teams, collaborators, and settings within an organization.
- **Member**: A member is a user who is internal to the organization. Members have an organization role and can operate in one or more organization workspaces. In each workspace, members have a participant role that defines the permissions granted to them within that workspace.

### Workspace participant roles

| Permission / Role | Owner | Admin | Maintain | Launch | Connect | View |
|--------------------------------------------|-------|-------|----------|--------|---------|------|
| **Organization: Settings:** Add, edit, delete |||||||
| **Organization: Workspaces:** Add, delete |||||||
| **Organization: Workspaces:** Edit, change visibility |||||||
| **Organization: Members:** Add, delete, change role |||||||
| **Organization: Teams:** Add, edit, delete |||||||
| **Organization: Teams: Members:** Add, remove |||||||
| **Organization: Teams: Workspaces:** Add, remove, change role |||||||
| **Organization: Collaborators:** Add, edit, delete |||||||
| **Organization: Managed identities:** Add, delete |||||||
| **Organization: Managed identities:** Edit |||||||
| **Organization: Managed identities: Users:** Manage credentials |||||||
| **Workspace: Settings: Studios:** Edit session lifespan |||||||
| **Workspace: Settings: Labels & Resource Labels:** Add, edit, delete |||||||
| **Workspace: Compute environments:** Add, rename, make primary, duplicate, delete |||||||
| **Workspace: Actions:** Add, edit, delete |||||||
| **Workspace: Credentials:** Add, edit, delete |||||||
| **Workspace: Secrets:** Add, edit, delete |||||||
| **Workspace: Participants:** Add, remove, change role |||||||
| **Workspace: Pipelines:** Launch |||||||
| **Workspace: Pipelines:** View |||||||
| **Workspace: Pipelines:** Define input/output parameters |||||||
| **Workspace: Pipelines:** Modify execution configurations |||||||
| **Workspace: Pipelines:** Add, edit, duplicate, delete |||||||
| **Workspace: Pipelines:** Modify resource labels |||||||
| **Workspace: Pipelines:** Create, modify, delete |||||||
| **Workspace: Pipelines: Run:** Apply labels, relaunch, save as new pipeline |||||||
| **Workspace: Pipelines: Run:** Resume, delete, star (favourite) |||||||
| **Workspace: Pipelines:** Modify resource labels |||||||
| **Workspace: Datasets:** Add, edit |||||||
| **Workspace: Datasets:** Delete |||||||
| **Workspace: Data Explorer:** Upload, download, preview data |||||||
| **Workspace: Data Explorer:** Attach, edit, remove buckets |||||||
| **Workspace: Data Explorer:** Hide/unhide buckets |||||||
| **Workspace: Data Explorer:** Edit bucket metadata |||||||
| **Workspace: Studios:** Add, edit, delete a studio |||||||
| **Workspace: Studios:** List/search/view studios |||||||
| **Workspace: Studios:** Connect to a running session |||||||
| **Workspace: Studios:** Add, edit, delete studio |||||||
| **Workspace: Studios:** Edit studio resource labels |||||||
| **Workspace: Studios:** Start, stop studio session |||||||
| **Workspace: Studios:** Add as new (duplicate studio) |||||||
| **Workspace: Studios: Checkpoints:** Edit studio checkpoint name |||||||
| **Workspace:** View (read-only) resources |||||||

### Role inheritance

If a user is concurrently assigned to a workspace as both a named **participant** and member of a **team**, Seqera assigns the higher of the two privilege sets.

Example:

- If the participant role is Launch and the team role is Admin, the user will have Admin rights.
- If the participant role is Admin and the team role is Launch, the user will have Admin rights.
- If the participant role is Launch and the team role is Launch, the user will have Launch rights.

As a best practice, use teams as the primary vehicle for assigning rights within a workspace and only add named participants when one-off privilege escalations are deemed necessary.
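Review bot: every row of the matrix in this new file has empty cells (`|||||||`), so the page as added here shows no ✔/✖ marks at all; the marks from the other two copies of the table must be carried across before this merges, and the same duplicate rows (`Modify resource labels` twice, `Add, edit, delete a studio` / `Add, edit, delete studio`) should be collapsed at the same time. Typo in the Owner bullet under `### Organization user roles`: `Aditional` should be `Additional`. The front matter `date: "10 Jun 2024"` is well before this PR; if that field is meant to reflect when the page was last changed, update it.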