Protocol-based Permissions

Laboratories may want to limit which steps researchers can start. At the time of writing, BaseSpace Clarity LIMS does not natively support protocol-based permissions. However, an EPP at the beginning of the step can check whether the technician/researcher starting the step has been approved to start it, and halt the step if they do not have permission. There are several ways this can be done, but special consideration must be given to how these permissions are administered.

Solution

To allow an administrator to maintain permissions easily, we will assign users to groups in a config file, and our EPP will consume this information. One parameter of the EPP is the list of groups that are permitted to run the step. When the script is triggered at the start of the step, it looks for the name of the technician starting the step in the config file and determines whether the technician:

  • Is included in the config file, and

  • Has been assigned to a group that is permitted to run the step.

It is important to remember that an EPP fails when its script exits with a negative number, and the user will not be able to move forward in the step. We take advantage of this EPP feature: if the technician/researcher is part of a permitted group, the step starts as expected. If they are not part of a permitted group, entry into the step is halted and an error box appears showing the last message the script printed.

# Groups permitted to run this step, as passed with -g
step_approved = [y.strip() for y in args["groups"].split(",")]

try:
   # Is the technician's name a key in the dictionary created from the config file?
   # If so, find the groups the technician has been assigned in the config.
   config_groups = [x.strip() for x in configDict[first, last].split(",")]
except KeyError:
   # Catch only KeyError: a bare except would also swallow the SystemExit
   # raised by exit(-1) and replace the message shown to the user.
   print("This technician's name has not been included in the config file")
   exit(-1)

if not set(config_groups) & set(step_approved):
   # Fail the script, stop the user from moving forward, and have the
   # last print statement appear in the message box.
   print("Nice try %s %s, but you have not been approved to run this step" % (first, last))
   exit(-1)

Parameters

The EPP command is configured to pass the following parameters:

  • -u: The username of the current user (Required)

  • -p: The password of the current user (Required)

  • -s: The URI of the step that launches the script - the {stepURI:v2:http} token (Required)

  • -g: The names of the permitted groups. The permitted groups should be separated by commas and passed as one string (enclosed in double quotes)

An example of the full syntax to invoke the script is as follows:

python /opt/gls/clarity/customextensions/Group_Permissions.py -u {username} -p {password} -s {stepURI:v2} -g "GroupD, GroupE" 

User Interaction

  • The config file can reside in any directory that the EPP script will have access to.

  • The config file used in this example has tab-delimited columns of Last Name, First Name, and Groups. The permitted groups need to be separated by commas (see the attached example config file). The script can be easily modified if a different format is desired for the config file.

  • The EPP should be "automatically initiated" at "the beginning of the step"

If the user is not allowed to move forward, a message box will appear and the step is aborted.
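The config parsing and group check described above, written as stand-alone functions that deny on anything unexpected. This is an added example, not the attached Group_Permissions.py: the function names and the sample config rows are constructed, and the (first, last) key order follows the snippet shown earlier.

```python
# Added example: fail-closed group check against a tab-delimited config.
# load_groups/check_permission and SAMPLE_CONFIG are constructed names/data.

def load_groups(config_text):
    """Map (first, last) -> set of groups from 'Last<TAB>First<TAB>Groups' rows."""
    groups = {}
    for line in config_text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # malformed row: ignore it, so that user stays denied
        last, first, raw = (f.strip() for f in fields)
        if not first or not last:
            continue
        names = {g.strip() for g in raw.split(",") if g.strip()}
        groups.setdefault((first, last), set()).update(names)
    return groups


def check_permission(config_text, first, last, permitted):
    """Return (allowed, message). Every unexpected condition is a denial."""
    step_groups = {g.strip() for g in permitted.split(",") if g.strip()}
    if not step_groups:
        return False, "No permitted groups were passed to the script"
    user_groups = load_groups(config_text).get((first.strip(), last.strip()))
    if user_groups is None:
        return False, "This technician's name has not been included in the config file"
    matched = user_groups & step_groups
    if not matched:
        return False, "%s %s has not been approved to run this step" % (first, last)
    return True, "%s %s approved via %s" % (first, last, ", ".join(sorted(matched)))


# Constructed sample config: Last Name, First Name, Groups (tab delimited).
SAMPLE_CONFIG = (
    "Smith\tAlice\tGroupA, GroupD\n"
    "Jones\tBob\tGroupB\n"
    "\n"
    "Lee\tCarol\n"  # malformed: groups column missing
)

if __name__ == "__main__":
    # In the EPP, a denial would be followed by exiting with a negative number.
    for first, last in [("Alice", "Smith"), ("Bob", "Jones"), ("Carol", "Lee")]:
        print(check_permission(SAMPLE_CONFIG, first, last, "GroupD, GroupE"))
```

Names are matched exactly, so the spelling and case in the config file must agree with the name the script looks up for the current user.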

Assumptions and Notes

  • You are running a version of Python that is supported by Clarity LIMS, as documented in the Clarity LIMS Technical Requirements.

  • Both of the attached files are placed on the Clarity LIMS server, in the /opt/gls/clarity/customextensions folder.

  • The example code is provided for illustrative purposes only. It does not contain sufficient exception handling for use 'as is' in a production environment.

Attachments

Group_Permissions.py:

config.txt:
