Skip to main content

Overview

bLIS uses a flexible role-based access control (RBAC) system. Each user can have multiple allowed roles and access to specific organizations. This allows fine-grained control over what users can see and do.

User Management

Creating Users

New users are typically created through your SSO provider or manually by administrators. Each user requires:
  • Email: Unique identifier and login credential
  • Organization: Primary organization the user belongs to
  • Default Role: The role assigned when the user logs in
  • Allowed Roles: All roles the user can switch between
  • Allowed Organizations: Organizations the user can access

User Fields

FieldDescription
EmailUnique email address (case-insensitive)
UsernameOptional display name
Default RoleRole assigned at login (e.g., lab_tech)
Allowed RolesJSON array of roles user can access
Allowed OrgsJSON array of organization IDs user can view
Is ActiveWhether the user can log in
Is System UserWhether this is an automated/service account
Email VerifiedWhether email has been confirmed
Last LoginTimestamp of most recent login

Common Roles

bLIS supports customizable roles, but common roles include:
  • lab_tech: Laboratory technician - can enter and validate results
  • lab_admin: Laboratory administrator - can manage test specs and users
  • pathologist: Can validate and finalize results
  • billing: Access to invoicing and financial data
  • read_only: View-only access for auditing or reporting
Users can have multiple roles. For example, a senior technician might have both lab_tech and lab_admin roles, allowing them to perform daily work and administrative tasks.

Role Switching

Users with multiple allowed roles can switch between them without logging out. The current role determines:
  • Which accessions and data are visible
  • Which actions can be performed (creating, editing, validating)
  • Which menu items and features are available
  • Which organizations can be accessed

User Overrides

Temporary access can be granted using user overrides. This is useful for:
  • Granting temporary elevated permissions
  • Allowing access to additional organizations during coverage
  • Testing role-based permissions
Overrides can specify:
  • Role: Override the user’s default role
  • Organization: Change the user’s organization context
  • Allowed Orgs: Temporarily expand organization access
User overrides are designed for temporary access. For permanent changes, update the user’s base settings instead.

Organization Access

Users can be granted access to multiple organizations through the Allowed Orgs field. This is essential for:
  • Reference laboratories that process samples from multiple clients
  • Supervisors who oversee multiple locations
  • Billing staff who need cross-organization visibility
When a user has access to multiple organizations, they can filter and view data from any allowed organization.

System Users

System users (isSystemUser: true) are special accounts for:
  • Automated processes and integrations
  • Instrument connections and data uploads
  • Scheduled tasks and batch operations
System users:
  • Don’t require email verification
  • Can be assigned to automated actions
  • Should be carefully secured with strong credentials

Managing Active Status

The Is Active flag controls whether a user can log in:
  • Active (true): User can log in normally
  • Inactive (false): User is blocked from logging in
Use inactive status to:
  • Temporarily suspend a user account
  • Preserve user data and history while preventing access
  • Disable former employees without deleting records
Deactivating users preserves their action history and audit trail, which is important for compliance and troubleshooting.

Best Practices

Security

  • Regularly review user access and remove unnecessary permissions
  • Use role-based access rather than individual permissions
  • Disable accounts promptly when users leave
  • Monitor system user credentials carefully

Organization

  • Use consistent role names across your organization
  • Document what each role can and cannot do
  • Regularly audit user roles and organization access
  • Use the principle of least privilege

Maintenance

  • Review inactive users periodically
  • Clean up old user overrides
  • Monitor last login dates to identify unused accounts
  • Keep allowed organizations up to date as users change responsibilities

Troubleshooting

User Can’t Access Certain Accessions

  • Check if user’s Allowed Orgs includes the accession’s organization
  • Verify user’s current role has appropriate permissions
  • Check if a user override is limiting access

User Can’t Perform Specific Actions

  • Confirm user’s current role (not just allowed roles)
  • Check if user has switched to a lower-privilege role
  • Verify the action isn’t restricted to specific roles

Login Issues

  • Confirm Is Active is set to true
  • Check if email is verified (if required)
  • Verify SSO provider configuration
  • Review authentication logs for errors