Roles & Permissions
Flask Track uses a role-based access control system to ensure laboratory data, workflows, compliance records, and operational actions are only accessible to authorized users.
Roles determine:
- What users can view
- What actions users can perform
- Which administrative features are available
- Whether users can modify operational or compliance data
Permissions are enforced at both the user interface and server level.
Access Control Philosophy
Laboratory systems require strong operational controls.
Flask Track roles are designed to:
- Protect scientific and compliance data
- Prevent accidental operational changes
- Support regulated environments
- Separate administrative and execution responsibilities
- Match real-world laboratory responsibilities
- Maintain auditability and accountability
Every user belongs to an organization and is assigned a role within that organization.
Role Hierarchy
Flask Track currently supports the following organizational roles:
| Role | Primary Purpose |
|---|---|
| Owner | Full organizational control |
| Admin | Administrative management |
| Scientist | Scientific and workflow authoring |
| Technician | Operational execution |
| Viewer | Read-only access |
| No Access | No organizational permissions |
Higher-level roles inherit the capabilities of lower-level roles unless otherwise restricted.
Owner
Owners have unrestricted access to the organization and all organizational resources.
This role is typically reserved for:
- Founders
- Principal investigators
- Laboratory directors
- Senior platform administrators
Owner Capabilities
Owners can:
- View all organizational data
- Create, edit, archive, and delete records
- Manage users and permissions
- Configure organizational settings
- Manage compliance systems
- Access audit and reporting systems
- Upload and remove files
- Configure workflows and protocols
- Manage integrations and API access
- Configure automation systems
- Access billing or subscription functionality
- Override administrative restrictions where permitted
Owners effectively control the entire organizational environment.
Typical Owner Responsibilities
- Organizational administration
- Compliance oversight
- Security management
- Workflow governance
- Regulatory review
- Operational supervision
Admin
Admins have broad administrative access but do not possess ownership-level authority.
This role is commonly assigned to:
- Laboratory managers
- Operations leads
- Senior coordinators
- Compliance administrators
Admin Capabilities
Admins can:
- View all organizational data
- Create and modify records
- Archive or remove operational records
- Manage users and invitations
- Configure workflows and protocols
- Upload and manage files
- Review compliance records
- Manage operational execution
- Access reporting systems
- Configure many administrative settings
Admins cannot perform restricted ownership-level operations.
Typical Admin Responsibilities
- Managing laboratory users
- Coordinating execution workflows
- Reviewing operational data
- Maintaining protocols and workflows
- Supporting compliance activities
Scientist
Scientists are responsible for designing, managing, and analyzing scientific workflows and laboratory processes.
This role is intended for:
- Scientists
- Researchers
- Protocol authors
- Experimental leads
- Process developers
Scientist Capabilities
Scientists can:
- View organizational data
- Create new scientific records
- Edit existing operational records
- Author protocols and workflows
- Manage scientific metadata
- Upload files and experimental evidence
- Record laboratory observations
- Generate reports
- Execute and review workflows
Scientists typically cannot:
- Delete protected records
- Manage organizational users
- Modify organization-level administrative settings
- Perform ownership-level actions
Typical Scientist Responsibilities
- Experimental design
- Workflow development
- Protocol maintenance
- Data analysis
- Execution oversight
- Scientific reporting
Technician
Technicians are responsible for operational execution and day-to-day laboratory work.
This role is intended for:
- Laboratory technicians
- Operators
- Manufacturing staff
- Execution personnel
Technician Capabilities
Technicians can:
- View operational data
- Execute assigned workflows
- Complete protocol steps
- Record observations
- Attach operational evidence
- Upload execution-related files
- Update execution status
- Submit structured laboratory forms
Technicians typically cannot:
- Create protocols or workflows
- Delete records
- Manage users
- Modify organizational settings
- Access restricted administrative features
Typical Technician Responsibilities
- Executing laboratory work
- Recording operational data
- Capturing compliance evidence
- Completing assigned steps
- Maintaining execution traceability
Viewer
Viewers have read-only access to organizational data.
This role is useful for:
- Auditors
- External collaborators
- Executives
- Quality assurance personnel
- Regulatory reviewers
Viewer Capabilities
Viewers can:
- View records and dashboards
- Access reports
- Review compliance records
- Read audit logs
- View attached files
Viewers cannot:
- Create records
- Edit records
- Delete records
- Upload files
- Execute workflows
- Modify organizational data
No Access
Users without an assigned role or organizational membership have no access to organizational resources.
They cannot:
- View data
- Access workflows
- Execute operations
- Access reports
- Perform administrative actions
Permission Categories
Permissions are generally grouped into several operational categories.
Data Access
Controls whether users may:
- View organizational data
- Access sensitive records
- Read compliance information
- Access audit history
Record Management
Controls whether users may:
- Create records
- Modify records
- Archive records
- Delete records
Examples include:
- Samples
- Batches
- Protocols
- Workflows
- Compliance records
- Inventory entities
Execution Permissions
Controls operational workflow capabilities such as:
- Completing protocol steps
- Recording events
- Uploading evidence
- Updating execution status
- Submitting structured forms
Compliance Permissions
Controls access to compliance-related functionality including:
- Incident recording
- Compliance approvals
- Authorization workflows
- Audit systems
- Regulatory records
Administrative Permissions
Controls organization-wide management capabilities including:
- User management
- Role assignment
- Organization settings
- Automation configuration
- API access management
- Integration configuration
Hidden Actions & Interface Behavior
Flask Track automatically adjusts the interface based on user permissions.
Users will only see actions they are authorized to perform.
Examples:
- Edit buttons are hidden when editing is not allowed
- Delete actions are hidden for restricted users
- Upload forms only appear for users with upload permissions
- Administrative controls are hidden from non-admin users
This helps:
- Reduce interface complexity
- Prevent accidental actions
- Improve operational clarity
- Reinforce security boundaries
Server-Side Security Enforcement
Permissions are enforced at the server level in addition to the user interface.
Even if a user manually attempts to access a restricted operation:
- The request will be denied
- No unauthorized changes will occur
- Restricted data will remain inaccessible
- Security rules will still apply
This ensures organizational protection even in cases of malformed requests or unauthorized access attempts.
Auditability & Accountability
Many sensitive operations are logged automatically.
Audit records may include:
- User identity
- Timestamp
- Modified entities
- Before and after values
- Operational context
This supports:
- Regulatory compliance
- Operational accountability
- Security investigations
- Change traceability
Principle of Least Privilege
Organizations should assign the minimum level of access necessary for each user.
Recommended practices include:
- Limiting Owner roles
- Using Viewer roles for external reviewers
- Restricting administrative permissions
- Separating operational and compliance responsibilities
- Periodically reviewing user access
Strong permission management improves both security and compliance readiness.
Requesting Additional Access
If a user requires additional capabilities:
- Contact an Admin or Owner
- Explain the operational need
- Request the minimum required access level
Roles may be updated at any time by authorized administrators.
Future Expansion
Flask Track permissions are designed to support future expansion into more granular access control models, including:
- Entity-level permissions
- Compliance-specific roles
- Facility or site restrictions
- Workflow-scoped permissions
- API token scopes
- Integration-specific access controls
Organizations with advanced operational requirements may adopt more specialized access models over time.
Last updated: roles and permissions reflect the current organizational access model of Flask Track.