Benchling has multiple roles that apply at the tenant level. The permissions granted by these roles apply to all objects of the relevant types in the tenant and can be layered on top of each other and permissions granted at other scopes like projects or template collections.
We recommend that you give users the least permissive role required to complete their tasks, such as granting a user the User Admin role instead of Tenant Admin when they have to manage user lifecycle tasks.
Available roles:
- Tenant Admin - broad tenant access including user management and tenant settings
- User Admin - user lifecycle management, including creating user accounts and adding users to organizations and teams
- App Admin* - app management, including creating new apps and updating existing ones
Access granted by each role
This table indicates what access each role grants to a user. Note that these permissions stack onto other permissions the user might have from projects, registries, and other objects in Benchling, so even if an action is not granted by a tenant scoped role, the user still might be able to have that access from another role such as a team admin or by being directly added to a project or other object in Benchling.
| Access | Tenant Admin | User Admin | App Admin* | Organization Admin** |
| Manage tenant settings, including things like IP allowlists and audit configuration | ✅ | ⛔ | ⛔ | ⛔ |
| Manage application access for organizations, teams, and users | ✅ | ⛔ | ⛔ | ⛔ |
| Assign tenant scoped roles | ✅ | ⛔ | ⛔ | ⛔ |
| Create users | ✅ | ✅ | ⛔ | ⛔ |
| Update/suspend existing users | ✅ | ✅ | ⛔ | ⛔ |
| Manage organization and team membership and roles (even groups they’re not members/admins of)*** | ✅ | ✅ | ⛔ | Only for the organizations and teams they are admins of |
| Create apps | ✅ | ⛔ | ✅ | ⛔ |
| Manage existing apps | ✅ | ⛔ | ✅ | ⛔ |
| Manage projects, schemas, or registries | ⛔ | ⛔ | ⛔ | Only for the projects, schemas, or registries where the organization is an owner or admin |
* App Admin is currently in Beta. If you’d like to try it out in your tenant, please reach out to your account team or Benchling Support.
** Organization Admin is scoped only to one organization and thus is not technically “tenant scoped” but many customers only have a single organization so we’re including it here for convenience.
*** This allows users with this access to add themselves to an organization or team, even as an admin of the group. Once added, the user is a regular member or admin of that group, including access to data granted to the group. Also, some customers have a setting enabled to automatically give the Tenant Admin role to anyone who is given Organization Admin access, which normally only another Tenant Admin can do but under these circumstances could be done by anyone with the access to manage organization membership and roles.
How to manage tenant scoped roles
Managing tenant scoped roles can only be done by Tenant Admins in the Tenant admin console.
- Open the user menu in the bottom left corner and click the “Tenant admin console” option at the top.
- Navigate to the USERS tab. The “Roles” column on the table shows which roles have been assigned to a user - if a user doesn’t have any tenant scoped roles the column will be blank for them.
- In the menu for each user is the option to “Manage roles” which will bring up a dialog where you can manage which roles are assigned to the user. Any current tenant scoped roles will be already checked when the dialog is opened. Changes to the assigned roles for the user will take effect immediately once saved.