Role-based access control (RBAC)

SeqsLab role-based access control (SeqsLab RBAC) allows administrators to enforce fine-grained access to datasets, tools, and jobs. Registered users may have limited read and/or write access permissions depending on their assigned roles, ensuring the secure storage and processing of potentially sensitive genomic and biomedical datasets.

SeqsLab RBAC organizes roles into three categories:

• Administrative roles manage platform and organization operations — adding users, assigning roles, and configuring settings. They do not include data, tool, or job permissions.

• Fine-grained roles control access to a specific aspect of the platform (data, tools, or jobs) and serve as the building blocks for custom permission sets.

• Coarse-grained roles bundle multiple fine-grained roles for a complete workflow scenario, and may include additional workflow-specific logic such as state-based permissions.

Overview

What is RBAC?

Role-Based Access Control (RBAC) is a security framework that restricts system access based on a user’s role within an organization. Instead of assigning permissions directly to individual users, SeqsLab groups permissions into roles that align with specific job functions.

Why RBAC?

• Security: Ensures users only access resources necessary for their job function

• Compliance: Meets regulatory requirements (HIPAA, GDPR, CLIA/CAP) for genomic and clinical data

• Simplicity: Easier to manage permissions for groups of users rather than individuals

• Auditability: Clear tracking of who can access what resources and when

• Scalability: Easy to onboard new users by assigning appropriate roles

Key Features

SeqsLab RBAC implements several critical security principles:

1. Least Privilege: Users receive only the minimum permissions needed for their tasks

2. Organization Isolation: All data is strictly isolated by organization — users cannot access resources from other organizations

3. Ownership Tracking: Resources track who created them for fine-grained access control

4. Composable Roles: Roles can inherit from other roles to build complex permission structures

5. Service Integration: Consistent RBAC across all SeqsLab services (DRS, TRS, WES, Healthcare)

Architecture

Core Components

The SeqsLab RBAC system consists of three main components:

1. Users: Individual accounts associated with an organization

2. Roles: Named collections of permissions (e.g., “Data Hub Writer”, “Job Executor”)

3. Permissions: Specific actions on resources (e.g., “view DRS object”, “execute workflow”)

User → Assigned Roles → Permissions → Access to Resources

Permission Model

Each resource in SeqsLab defines permissions for standard CRUD operations:

• add: Create new instances

• view: Read a single instance

• list: Query/list multiple instances

• change: Update an existing instance

• delete: Remove an instance

Some services define additional custom permissions:

• writeDs/readDs: Dataset content operations (DRS)

• versions/files: Tool version management (TRS)

• requests: Run request management (WES)

Permission Evaluation Flow

When a user attempts an action, SeqsLab evaluates permissions in this order:

1. Authentication — reject with 401 Unauthorized if not authenticated

2. Role check — reject with 403 Forbidden if the required role is not assigned

3. Organization check — reject with 404 Not Found if the resource belongs to a different organization

4. Ownership check — reject with 403 Forbidden if the operation requires ownership and the user is not the owner

5. Custom checks — reject with 403 Forbidden if any additional conditions are not met (e.g., biosample state)

Role Composition

Roles can inherit permissions from other roles. A user with JobExecutor automatically has all permissions from LabelWriter, DataHubWriter, and ToolUser.

Note

Roles are additive. A user with multiple roles has the combined permissions of all assigned roles.

Administrative Roles

Administrative roles manage platform operations and user access. They are intentionally scoped to administrative tasks only and do not include permissions for data, tools, or jobs.

Important

Administrative roles do not include data hub, dataset, tool, or job permissions. Administrators who also need to work with data or run workflows must be assigned additional fine-grained or coarse-grained roles.

Role	Scope	Permissions
Global Administrator	Platform-wide	Create and configure organizations, manage platform settings and runtime options, override organization isolation for maintenance
Organization Administrator	Single organization	Manage users, assign roles, configure organization settings, manage labels, view audit logs. Inherits User Administrator and Label Administrator.
User Administrator	Organization users	Create and deactivate user accounts, assign roles to users, view user activity and access logs

Note

Global Administrator is reserved for platform operators and system maintainers only.

Fine-Grained Roles

Fine-grained roles provide targeted permissions for a single aspect of the platform. They are the building blocks for custom permission sets and can be combined freely to match specific job requirements.

Data roles

Data roles control access to genomic data objects (via the Data Repository Service) and dataset files. Data hub roles manage object metadata; dataset roles manage file content. Both are required to upload data.

Role	Access Level	Permissions
Data Hub Viewer	Read-only	View DRS object metadata, list objects
Data Hub Writer	Read-write	Create and manage own DRS objects
Data Hub Administrator	Admin	Manage all DRS objects in organization
Dataset Viewer	Read-only	Download dataset files
Dataset Writer	Read-write	Upload dataset files
Dataset Administrator	Admin	Manage all datasets in organization
Data Administrator	Full admin	Complete control over data hub and datasets. Inherits Data Hub Administrator and Dataset Administrator.

Note

To upload data, users need both Data Hub Writer (to register the DRS object) and Dataset Writer (to upload file content).

Tool roles

Tool roles control access to workflow tools, containers, and versions via the Tool Registry Service.

Role	Access Level	Permissions
Tool Registry Viewer	Read-only	Browse available tools, view tool details
Tool Registry Writer	Read-write	Register new tools, manage own tools
Tool Registry Administrator	Admin	Manage all tools in organization
Tool User	Read-only	View and download tools for workflow execution
Tool Supporter	Read-write	Manage tool files and resources
Tool Version Developer	Read-write	Create and manage tool versions
Tool Administrator	Full admin	Complete tool management. Inherits Tool Registry Administrator, Tool Version Developer, and Tool Supporter.

Job roles

Job roles control workflow execution and monitoring via the Workflow Execution Service.

Role	Access Level	Permissions
Job Viewer	Read-only	View workflow runs, logs, and status
Job Executor	Read-write	Submit and manage own workflow runs. Inherits Data Hub Writer, Tool User, and Label Writer.
Job Administrator	Admin	Manage all workflow runs in organization

Important

Job Executor inherits Data Hub Writer and Tool User to facilitate workflow execution, but users still need Dataset Writer to upload input files.

Label roles

Label roles control resource organization and tagging.

Role	Access Level	Permissions
Label Writer	Read-write	Create and edit labels for organizing resources
Label Administrator	Admin	Manage all labels in organization

Coarse-Grained Roles

Coarse-grained roles bundle multiple fine-grained roles into a single assignment designed for a complete workflow scenario. They may also include workflow-specific permission logic not available in any individual fine-grained role.

The healthcare reporting roles are the primary example of coarse-grained roles in SeqsLab. Each role covers the full set of permissions needed for a specific stage of the genetic test sample lifecycle, including state-based access controls that enforce proper clinical workflow gates.

Role	Workflow Stage	Inherits From	Purpose
Reporter Data Entry Operator	PENDING	(none)	Enter patient and sample data
Medical Technologist	PENDING, ANALYSIS, REVIEW	Data Administrator	Manage wet-lab operations, data uploads, and variant curation
Bioinformatics Scientist	ANALYSIS, REVIEW	Data Hub Writer, Dataset Viewer, Dataset Writer, Job Executor, Tool User	Execute analysis pipelines and create genomic interpretations
Laboratory Supervisor	REVIEW, REPORT	Dataset Viewer, Data Hub Viewer	Approve reviews and create clinical reports
Medical Director	REPORT, CLOSED	Dataset Viewer, Data Hub Viewer	Sign out or reject final clinical reports

Unlike fine-grained roles, healthcare coarse-grained roles also enforce state-based permissions — what a role can do depends on the sample’s current lifecycle state. For example, Laboratory Supervisor can only update a biosample when it is in REVIEW state.

See also

See Healthcare RBAC for a complete description of each healthcare role’s permissions, state conditions, and typical workflow.

How Permissions Work

Organization Isolation

Every user and resource belongs to an organization. Users can only access resources within their own organization. Cross-organization access is never permitted, and resources from other organizations appear as not found (404).

Important

Organization isolation is enforced at every layer of the system and cannot be bypassed except by Global Administrator.

Ownership-Based Access

Writer roles (e.g., Data Hub Writer, Tool Registry Writer) can modify only their own resources. Administrator roles can modify all resources in the organization. Ownership is determined by the user who created the resource.

For example, a user with Data Hub Writer who creates genome_sample_1.vcf can modify and delete it, while another Data Hub Writer cannot. A Data Hub Administrator can modify both users’ files.

State-Based Permissions

Coarse-grained healthcare roles enforce state-based permissions tied to the sample lifecycle. Permissions are conditional on the biosample’s current state.

Role	Can update biosample when state is	Can delete biosample when state is
Reporter Data Entry Operator	PENDING	PENDING
Medical Technologist	Any state	Not permitted
Bioinformatics Scientist	PENDING or ANALYSIS	Not permitted
Laboratory Supervisor	REVIEW	CLOSED
Medical Director	REPORT	Not permitted

Common Workflows

Research Analysis

A research scientist analyzing genomic variants typically uses a combination of fine-grained roles:

• Data Hub Writer and Dataset Writer to upload reference genomes and sample data

• Tool Registry Writer and Tool Version Developer to register analysis pipelines

• Job Executor to submit workflow runs (includes Tool User and Data Hub Writer)

• Dataset Viewer to download result files

Clinical Laboratory

A clinical laboratory processing genetic tests assigns one coarse-grained role per staff member based on job function. The sample lifecycle maps directly to role responsibilities:

Stage	Role	Action
PENDING	Reporter Data Entry Operator	Register patient record and biosample
PENDING → ANALYSIS	Medical Technologist	Upload sequencing files, transition sample to ANALYSIS
ANALYSIS → REVIEW	Bioinformatics Scientist	Execute variant calling pipeline, create interpretations
REVIEW	Medical Technologist	Curate variants, select panels, add clinical comments
REVIEW → REPORT	Laboratory Supervisor	Approve review, create PhenopacketReport
REPORT → CLOSED	Medical Director	Review and sign out the final report

Clinical workflows use coarse-grained roles because they require multiple fine-grained permissions, workflow state enforcement, and regulatory compliance (CLIA/CAP).

Platform Administration

An organization administrator onboarding new staff uses administrative roles:

• User Administrator creates accounts and assigns roles

• Organization Administrator configures organization settings and reviews audit logs

Administrative roles do not include data or job permissions. If an administrator also needs to work with data, assign additional fine-grained roles such as Data Administrator.

Role Assignment

How to Assign Roles

1. Log in with User Administrator or higher privileges

2. Navigate to User Management

3. Select the user to modify

4. Locate the Roles configuration

5. Select the appropriate roles based on the user’s job function

6. Save changes and notify the user — they may need to sign out and back in

Tip

Assign administrative roles separately from data/tool/job roles. An organization manager who also needs data access should receive both Organization Administrator and the appropriate fine-grained data roles.

Example: Research Organization

Job Title	Assigned Roles	Notes
Lab Director	Organization Administrator, Data Administrator, Job Administrator	Manages team and has full data and job access
Bioinformatician	Data Hub Writer, Dataset Writer, Job Executor	Uploads data and runs analyses
Research Scientist	Data Hub Viewer, Dataset Viewer, Job Viewer	Read-only access to data and workflows
Pipeline Developer	Tool Registry Writer, Tool Version Developer, Job Executor	Develops and tests pipelines
IT Manager	User Administrator	Manages user accounts only; no data or job access

Example: Clinical Laboratory

Job Title	Assigned Roles	Notes
Laboratory Director	Medical Director, Organization Administrator	Signs reports and manages organization
Intake Coordinator	Reporter Data Entry Operator	Enters patient and sample data
Lab Technician	Medical Technologist	Manages wet-lab operations and data uploads
Lab Supervisor	Laboratory Supervisor, User Administrator	QC approval and user management
Bioinformatics Scientist	Bioinformatics Scientist	Runs pipelines and creates interpretations

Best Practices

For Administrators

1. Apply Least Privilege: Assign the minimum roles necessary for each user’s job function

2. Separate Administrative and Operational Roles: Do not conflate user management with data access

3. Use Coarse-Grained Roles for Clinical Staff: A single healthcare role covers all required permissions

4. Regular Audits: Review user roles quarterly and remove unnecessary permissions

5. Document Exceptions: If granting elevated privileges, document the business justification

6. Onboarding and Offboarding: Create standard role sets for common job functions; revoke access promptly when users leave

For Users

1. Request Appropriate Roles: Understand your job function and request matching roles from your administrator

2. Report Access Issues: If you encounter permission errors, contact your User Administrator

3. Never Share Credentials: Each user must have their own account for audit purposes

4. Respect Data Boundaries: Do not attempt to access resources outside your organization

5. Follow Workflows: For healthcare, respect biosample state transitions

Troubleshooting

403 Forbidden on an Action

Possible causes:

• Missing required role

• Resource belongs to another user (ownership check failed)

• Biosample is not in the required state (healthcare workflows)

• Organization mismatch

Resolution: Check your assigned roles with your administrator, verify resource ownership, and confirm the biosample state if applicable.

404 Not Found on a Resource You Know Exists

Possible causes:

• Resource belongs to a different organization

• Missing view or list permission

• Resource has been deleted

Resolution: Verify the organization matches your account and request the appropriate viewer role.

Can View but Cannot Edit

Possible causes:

• Assigned viewer role but not a writer or administrator role

• Resource is owned by another user

• Biosample is not in the required state for your role

Resolution: Request a writer or administrator role, or for healthcare resources, wait for the biosample to transition to the appropriate state.

Getting Help

Contact your User Administrator to review or modify your assigned roles. For platform-level issues, contact your Organization Administrator or submit a support request to support@seqslab.net including your username, organization, the action attempted, and the error message received.

Further Reading

• Healthcare RBAC — State-based permissions for clinical laboratory workflows

• Roles — Complete role reference

• GA4GH Standards

• HL7 FHIR