Schema permissions and access policies are designed to align with higher-level Registry and Project permissions, not override them; but they play an important role in deciding the access a user has to information within individual schemas.
Note: At this time, schema access policies only apply to Entity, Entry, Run and Result schemas.
Registry schema permissions behavior
Registry permissions determine who can view and edit registered entities, configurations, and settings. Schema permissions determine if users can interact with entity objects or modify a specific schema.
If there are overlapping permissions or access policies assigned to users, teams, and/or organizations, Benchling allows the most permissive access policy to that user or user group.
For example, if a team needs access to the Registry and permissions to create new entities for a specific schema, then their Registry access level would be Write and their schema level access policy would be Create.
Project-based Registry schema permissions
Registry schemas can derive permissions from the Registry or Projects assigned in Registry Settings. Permissions default to Registry-based permissions, but entities might use Project-based permissions in specific scenarios.
To determine if a schema has Registry-based or Project-based permissions, view the schema in the Schema Access Policy.
To make schema permissions Project-based, tenant admins can contact Benchling Support for reconfiguration.
Run and Result schema permissions behavior
By default, organization admins have full access to all Run and Result schemas. To enable team admins and team members to create (but not update) Run and Results schemas, select the option under Schema Permissions on the Team Settings page. You can update schema definitions in Feature Settings.
Schema access policy descriptions
Access policies determine the actions a user can take with individual permission types. For example, you might set an access policy allowing a user with Read permissions to edit existing schema descriptions.
There are two types of access policies:
General access policies determine actions a user can take across the tenant. You can customize general access policies in Registry Settings.
Schema access policies determine how users interact with schema definitions and their objects. At this time, schema access policies can’t be modified.
The table below explains each schema action type and what it controls.
Default schema access policies
You can grant the following permissions to users, teams, and organizations:
The table below displays the default actions users can perform at the schema level with these permissions. To configure schema permissions, visit Managing schema permissions.
*Schema objects might additionally depend on higher-level registry or project permissions.
The None policy may be assigned to members of an organization or team. The organization owner can’t be assigned None permissions or be removed as a collaborator. To remove authorization from an organization or team admin, remove the organization or team from the schema permissions. To remove an individual’s authorization, remove them from the schema permissions entirely.
If a user is not added as a collaborator on a schema and their higher-level permissions allow, they can view schema objects, but they cannot use the schema for structured options, like registration tables or searches.
In the example below, a user with entity permissions but no permissions to the Donor schema can view the entity page, but can’t search for the Donor schema in the drop-down menu.
Custom default schema permissions
Organization admins can configure default schema permissions to add schema collaborators. These default permissions automatically apply to all newly created schemas in an organization and can be set for Entity, Results, and Run schemas.
Configure default schema permissions
Click your avatar in the bottom-left corner of your tenant.
In Feature Settings, select Access Policies.
In the left-side menu, click Schema Access Policies, then click the Settings tab.
Select the organization from the Organization drop-down menu, then select the schema type from the list that displays below it.
Search for users, teams, or organizations under Default Options, and click Add.
In the Schema Access Policy column, select the default access policy for each collaborator.
Can you set all schema policies in bulk?
No, it is not currently possible to bulk assign schema policies. Each schema must be updated manually.
What are the default policies when creating a new schema?
Each schema can have either Read, Create or Admin access policy applied.
Can you set schema policies from the API?
No, currently you can only set schema policies in Registry Settings.
Can you remove schema access for all users?
No, at least one admin must be assigned schema access. The same is true for Registry Settings.