Configure and administer tenant and data access

Raven

Configuring tenant and data access in Benchling ensures that the right users and teams can access the appropriate tools, projects, and data structures based on their roles. Admins can manage this access through tenant-wide, organization-wide, team-level, and project-level permissions. By layering different scopes of permissions, companies can implement the principle of least privilege and maintain centralized control over data integrity and data governance, especially in hybrid GxP/non-GxP environments. This article walks through each component of tenant and access configuration and provides instructions for how admins can perform each task.

 

Tenant-scoped roles overview

Benchling supports several roles that apply across the entire tenant, including Tenant Admin, User Admin, and App Admin. These tenant-scoped roles grant administrative access at a broad level, often across all objects of a specific type. These permissions can be layered with access granted from organizations, projects, and registries.

Tenant Admins can configure tenant-scoped roles. Benchling recommends that you always assign users the least permissive role required to do their job. For example, grant the User Admin role instead of Tenant Admin when users only need to manage accounts and membership.

 

Available tenant-scoped roles

This table indicates what access each role grants to a user. Even if an action is not granted by a tenant-scoped role, the user still might have access from another role such as team administrator or by direct addition to a project or other object in Benchling.

Access Tenant Admin User Admin App Admin Organization Admin*
Manage tenant settings (e.g. IP allowlists, audit configuration)
Manage application access for organizations, teams, and users
Assign tenant-scoped roles
Create users
Update/suspend users
Manage organization/team membership and roles** Only for organizations/teams they administer
Create apps
Manage apps
Manage projects, schemas, registries Only within owned/admin organizations

*Organization Admin is scoped to a single organization, not the tenant, but is listed here for context.

**Users with this access can add themselves to an organization or team, even as an admin of the group. Once added, the user is a regular member or admin of that group, including access to data granted to the group. Also, some customers have a setting enabled that automatically gives the Tenant Admin role to anyone who is given Organization Admin access. Granting Tenant Admin normally requires another Tenant Admin, but with this setting enabled, anyone with access to manage organization membership and roles can grant Tenant Admin access.

 

Tenant admin console overview

Many of the actions that tenant admins take to manage users, organizations, teams, and global settings across their tenant are taken in the Tenant Admin Console (TAC). It is a centralized interface for managing users and permissions. 

Inside the Tenant Admin Console, you’ll find tools and pages that support:

  • User management – Search, edit, suspend, or create user accounts; filter users by access or affiliation
  • Application access control – Assign or revoke access to Benchling applications at the org, team, or individual level
  • Membership management – Add or remove users from teams and organizations
  • Organization and team visibility – View all organizations and teams in your tenant along with their admins
  • Tenant settings – Access controls and administrative configuration for managing tenant-level roles like Tenant Admins

 

Access the tenant admin console

To access the suite of tools within the TAC: 

  1. Click your Avatar on the Navigation bar
  2. From the menu, click Tenant Admin Console

You will be taken to the Tenant Admin Console homepage, which shows a dashboard that lists the organizations, teams, users, apps, and settings in your tenant. 

You can take different actions in the tenant by navigating through these tabs. 

 

Manage users in the tenant admin console

Tenant admins can view and manage all users across the tenant, regardless of which organizations or teams those users belong to. The Users tab in the TAC lets you create users, find and manage individual accounts, track access levels, and take administrative actions. A user search bar and checkboxes for selecting multiple users support these actions.

The sections below walk you through the actions you can take to create and manage users.

 

Create new users

Before users can contribute to projects or access data, they must be added to the tenant and assigned to the appropriate organization and team by the tenant admin. This can be done individually, as described below, or in bulk. 

If your organization uses SAML single sign-on, your tenant may be configured to enable users to create a user account when they first access Benchling through SAML SSO. This configuration enables you to control user access using a Benchling Active Directory group. 

To check whether user signups are enabled on your tenant:

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Settings tab
  3. Select Configurations from the left menu
  4. Scroll down to the Security section, then check whether Signups is listed as Enabled or Disabled
  5. To change this setting, contact Benchling Support

If your organization is not configured to allow user signups, then user accounts must be provisioned by a user with Tenant Admin or User Admin permissions.

To provision users to your Benchling tenant:

  1. Go to the Users tab of the tenant admin console
  2. Click Create Users
  3. Use the textboxes to add the user’s name, email, and username
  4. Use the + icon to add additional users
  5. If you would like to associate the user with an organization, optionally use the organizations dropdown to designate which organization they should join and use the role dropdown to assign them admin permissions if needed
  6. If you would like to associate the user with a team, optionally use the teams dropdown to designate which team they should join and use the role dropdown to assign them admin permissions if needed
  7. Once you have created all the users and associated them with any organizations and teams, click Create 

To bulk create users, click Upload spreadsheet where you can copy over user information in CSV format to go through the creation flow. 

Note: If you use SSO to log in, make sure usernames and emails match those in the SSO system.

 

Add or remove users from an organization or team

If you didn’t associate a user with an organization or a team when creating the account, or if their work has changed and they need to access a different part of the tenant, you can take this action in the Users tab of the TAC. 

  1. Select users using the checkboxes at the left
  2. Click the Organization or Team icons at the upper right of the dashboard
  3. From the menu select the Add or Remove option based on the action you want to take
  4. Use the dropdown in the modal that opens to select the team or organization and click Save

 

Manage tenant-scoped roles

To add or remove tenant-scoped roles for a user: 

  1. Find the user whose role you want to change
  2. Click the menu in their row and choose Manage roles
  3. In the pop-up window, check or uncheck the appropriate roles
  4. Click Save 

Changes take effect immediately.

 

Edit name or email

  1. Use the search bar to locate the user
  2. Click the pencil icon next to their name
  3. Edit the Name, Handle, or Email fields
  4. Click Save

 

Suspend or un-suspend the user

Suspending users is important for managing active access, especially when team members leave or change roles. Rather than deleting accounts, you can deactivate (or suspend) users while preserving their ownership and activity history. Suspended users cannot log in or access data, but their content remains accessible to collaborators.

To suspend a user while keeping their data associations:

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Users tab
  3. Search for the user(s) you want to suspend
  4. To suspend an individual user, click the icon in the user row, then select Suspend user. Alternatively, to suspend users in bulk, click the checkbox next to each user’s name that appears when you hover over the row, then click the icon in the page header, then select Suspend users
  5. To unsuspend users, follow the same steps, then select Unsuspend user(s)

To un-suspend an individual user: 

  1. Use the search bar to locate the user; you may want to use the Account status dropdown to show only suspended users
  2. Click the icon in their row
  3. Select Unsuspend user

To suspend or un-suspend multiple users:

  1. Select multiple users using the checkboxes
  2. Click the icon in the top-right toolbar
  3. Choose Suspend or Unsuspend

 

Filter user list

Using filters can help you answer important administrative questions quickly and streamline bulk management tasks. For example, you might filter by Organization to view all users in a particular org, or by Account Status to find suspended users that need review. Filtering by Application Access helps ensure users have the correct toolsets enabled.

You can filter users by:

  • Organization
  • Team
  • Application Access
  • Account Status (active or suspended)

Selecting multiple applications shows users with access to any of the selected apps.

 

Understand user access and permissions

If you want a complete picture of what projects and Registries a user has access to, you’ll want to click into the user’s profile. In that dashboard, you can see the basic settings (name, username, and email) as well as a list of what they have access to. 

To view a user’s details: 

  1. Use the search bar to locate the user
  2. Click the icon in their row
  3. Select View user details
  4. Click into the Access tab to view information about the projects and Registries they have access to 

Within the Access tab, you can also get more information about a user’s permissions and edit project or Registry settings. 

To view a user’s permissions within a project or Registry: 

  1. Find the project or Registry you want more information about in the Access tab
  2. Click on the icon in the relevant row
  3. Click View effective permissions from the menu
  4. Scroll through the summary of the actions that the user can perform in the project or Registry 

 

Manage application access

Application access management allows tenant admins to control which Benchling applications users can access across the tenant. This includes enabling or restricting access to core apps like Registry, Inventory, Molecular Biology, and Results. Admins can make these changes at the individual user level, or apply them in bulk at the team or organization level.

This is useful for aligning access with licensing, job roles, team responsibilities, and compliance requirements. For example, a scientist on the Molecular Biology team may need access to Molecular Biology and Registry, but not to Inventory or Results. Likewise, disabling access for users in a team that no longer uses a module can help optimize license use and reduce clutter.

Benchling also enforces dependencies between applications—some apps require access to others (e.g., Inventory requires Registry access).

Access levels

  • Full Access – full application functionality
  • No Access – no application access

Application access does not override project- or registry-level permissions.

 

Change application access for an individual user

  1. Click the Users tab
  2. Click the icon in the user's row and select Manage application access from the menu
  3. Use the dropdowns to adjust application access
  4. Click Save

Note: Notebook access is always Full and managed via project permissions.

 

Change application access for a team or organization

  1. Go to the Teams or Organizations tab
  2. Click the icon for the group
  3. Select Manage application access
  4. Adjust and Save

Changes apply to all current and future members.

 

Understand application dependencies

Some apps (e.g., Inventory, Results) require Registry. Benchling warns you if a dependency is missing.

Access precedence

  • The last change takes priority
  • Org > Team > User settings are cumulative
  • Always apply user-level overrides last

Source of Truth

The Users tab displays each user’s effective access.

 

Manage application provisioning in the settings tab

The Settings tab of the TAC allows you to add additional users as tenant admins, control certain configurations for data management and security, manage permission controls, opt in to AI features, and provision applications.

You can take different actions by navigating through the menu at the left. The sections below will walk you through some of the actions you can take in each part of the menu. 

 

Add or remove tenant admins

In the general settings tab, you can add or remove tenant admins. 

To add a tenant admin: 

  1. Type the user’s name into the bottom of the textbox that lists the current tenant admins
  2. Click the user’s name when it comes up on the search and they will be added to the list of tenant admins
  3. To save changes, click Save in the blue bar at the top 

To remove a tenant admin, click the x next to the user's name, then click Save in the blue bar at the top. 

 

Data management configurations

The Configurations tab allows you to adjust formatting of data management. You can adjust or customize: 

  • Date/time format for audit exports
  • Audit log columns
  • Bulk export settings
  • Benchling sharelink settings
  • Authentication session length
  • Idle session timeout
  • External view of Google or Microsoft attachments in the Notebook 

 

Configure data modification business rules  

The Data Modifications menu lets you decide whether a data modification rationale is required on your tenant and, if it is, whether the requirement is tenant-wide or limited to specific projects, so that data integrity controls align with GxP or non-GxP workflows.

If you choose to enable the data modification rationale setting for the tenant or for specific projects, you will be asked to configure the Reasons for Change field in order to save your changes. Data Modifications apply to:

  • Archiving/unarchiving objects or projects
  • Moving objects to different projects
  • Updating a Text Box from a Notebook Template
  • Updating structured tables (Results, Inventory, Registration, Plate Creation, Box Creation, Mixture Prep)
  • Merging entities from a Registration table (Merge duplicate entities into the Registry)
  • Updating project collaborators or metadata
  • Sharing projects when creating/joining organizations
  • Updating fixed plates or storables
  • Updating registry items, collaborators, settings, tags, or container name templates
  • Performing bulk spreadsheet actions (e.g., update bioentities, inventory items, registry entities, mixture ingredients, containers, plates, boxes, locations)

Note: Data modifications do not apply to API-based changes.

Tenant Admins can configure data modifications; if enabling data modifications for specific projects, Organization Admin permission is also required to view all projects. To configure data modifications:

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Settings tab, then select Data Modifications
  3. Select a Data Modification rationale setting:
    • Disabled – No data mod rationale is required (suitable for non-GxP tenants)
    • Enabled for Tenant – Applies rationale capture to all projects (ideal for GxP tenants)
    • Enabled for Specific Projects – Apply controls only to selected projects; the same reason codes and comment settings apply across all selected projects (useful when some GxP projects require data modifications, while some non-GxP research projects do not)
  4. Add rationale codes:
    • Click the + icon
    • Type the reason
    • Press Enter or click the checkmark to save
      Note: Special characters aren’t supported in rationale codes
  5. If you want to require users to add a comment when changing data, click the checkbox to enable
  6. When setting project-specific data modifications, configure project movement settings to allow or prevent objects moving between data modification-enabled projects and data modification-disabled projects. If the Allow checkboxes are unchecked, users will see an error banner when attempting to move items between projects and the move will be prevented
  7. Click Save at the top of the screen
  8. Refresh your browser to see the new settings

 

Enable folder-level permissions 

In the Permission Controls menu, you can enable folder permissions. To learn more about different permissions structures, see the linked article.

 

Configure your IP allowlist 

In the IP Allowlists menu, you can manage which IP addresses are allowed to access Benchling. To learn more about managing IP allowlists, see the linked article.

 

Opt-in to AI features 

Benchling AI features that have been released broadly or in beta, and that you can explore in your tenant, are provisioned through the AI Settings menu. In this menu, you can enable various features for select users or for all users in the tenant.

To learn more about each of the applications available, visit the Benchling Intelligence section of the help center.  

 

Manage application provisioning 

Capability management allows you to manage provisioning of certain applications through the Application Provisioning menu. Application provisioning is also linked to opting into certain beta programs like Insights Labs. To learn more about Insights Labs, see the linked article.  

 

Export user statistics 

Tenant Admins can export key user data to support internal reporting, license audits, or usage reviews.

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Users tab
  3. Apply filters as desired
  4. Click Export filtered users

This generates a CSV file containing user-specific details, such as:

  • Verified email status
  • Organizations
  • Teams
  • Roles
  • Applications
  • Suspended status
  • Joined on date
  • Last seen date
  • API key created date
  • Number of active warehouse credentials
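
A review pass over the CSV from Export filtered users, shown as an added example (not Benchling code): it lists active Tenant Admins, users who could grant Tenant Admin through the Organization Admin auto-assign setting described in the tenant-scoped roles footnote, stale active accounts, users with no organization, and unverified emails. The header names, the cell separator, the date format and the role set in MEMBERSHIP_MANAGER_ROLES are assumptions, since the page names the exported details but not their exact layout.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the CSV from "Export filtered users". The header names,
# the ";" separator inside cells and the date format are assumptions; compare
# them with a real export before relying on this.
SAMPLE_EXPORT = """\
Email,Verified email,Organizations,Teams,Roles,Applications,Suspended,Joined on,Last seen,API key created,Active warehouse credentials
ada@example.com,true,Research,Assay Dev,Tenant Admin,Registry;Inventory,false,2022-01-10,2025-05-30,2024-11-02,1
bo@example.com,true,Research,,User Admin,Registry,false,2023-03-01,2025-05-28,,0
cy@example.com,true,Research,QC,,Registry,false,2021-06-15,2024-09-01,,0
di@example.com,false,,,,,false,2025-04-01,,,0
el@example.com,true,Research,QC,,Registry,true,2020-02-02,2023-12-12,,0
"""

# Assumption: roles that carry "Manage organization/team membership and roles".
MEMBERSHIP_MANAGER_ROLES = frozenset({"User Admin"})


def _values(row, column):
    """Split a multi-value cell into a list of trimmed, non-empty values."""
    return [v.strip() for v in (row.get(column) or "").split(";") if v.strip()]


def _day(text):
    """Parse YYYY-MM-DD, returning None for an empty cell."""
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None


def review_users(csv_text, today, stale_after_days=90,
                 org_admin_grants_tenant_admin=False,
                 membership_roles=MEMBERSHIP_MANAGER_ROLES):
    """Return review findings for active (non-suspended) users in the export."""
    findings = {
        "tenant_admins": [],           # broadest role; confirm each is needed
        "can_grant_tenant_admin": [],  # indirect path via the auto-assign setting
        "stale_active": [],            # candidates for suspension
        "no_organization": [],         # cannot see data until assigned
        "unverified_email": [],
    }
    cutoff = today - timedelta(days=stale_after_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["Email"].strip()
        if row["Suspended"].strip().lower() == "true":
            continue  # suspended users cannot log in, so they are out of scope
        roles = set(_values(row, "Roles"))
        if "Tenant Admin" in roles:
            findings["tenant_admins"].append(email)
        elif org_admin_grants_tenant_admin and roles & membership_roles:
            findings["can_grant_tenant_admin"].append(email)
        # Fall back to the join date for accounts that have never been seen.
        last_activity = _day(row["Last seen"]) or _day(row["Joined on"])
        if last_activity is not None and last_activity < cutoff:
            findings["stale_active"].append(email)
        if not _values(row, "Organizations"):
            findings["no_organization"].append(email)
        if row["Verified email"].strip().lower() != "true":
            findings["unverified_email"].append(email)
    return findings


if __name__ == "__main__":
    report = review_users(SAMPLE_EXPORT, today=date(2025, 6, 1),
                          org_admin_grants_tenant_admin=True)
    for check, users in report.items():
        print(f"{check}: {', '.join(users) or '-'}")
```

Set org_admin_grants_tenant_admin to match the tenant's actual setting; with it off, the can_grant_tenant_admin list stays empty.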

 

Configure audit logs

Audit logs are documents containing the histories of objects, like entries, entities, schemas, tables, insights, etc., and include all the information necessary to understand how the object has changed over time. Audit logs are only available on Enterprise or Industry plans. Most audit log columns are not configurable to ensure compliance; however, some columns can be customized to help with organization and readability. To customize your audit logs:

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Settings tab, then select Configurations
  3. Customize fields using their respective drop-down menus in the Data Management section. You can select custom date and/or time formats for audit exports and choose which audit log columns to export. Required columns can’t be deselected

Available audit log columns are as follows.

| Audit log column | Required | Column description |
|---|---|---|
| Timestamp (UTC)* | Yes | Datetime of an update in either ISO 8601 format and UTC timezone, or the user's timezone |
| Name | No | First and last name of the user that made the update |
| User | Yes | Username for the account that made the update. This could be a person or service account |
| Transaction ID | No | ID that groups related updates initiated by the same action |
| Event Description | Yes | Overview of the update, including the audited object type |
| Action | Yes | The object property that was updated |
| Old Value | Yes | If an update is made, the previous value is stored. If a deletion occurs, the removed value is stored |
| New Value | Yes | If an update is made, the new value is stored. If a creation occurs, the added value is stored |
| Item | Yes | Name of the updated object |
| Item Developer ID | No | Object API ID |
| Item ID | No | Benchling ID. For example, Registry ID, Experiment ID or barcode |
| Item Type | No | Type of object |
| Electronically signed | Yes | |
| Parent Item 1, Parent Item 2, Parent Item 3 | No | Related objects that help identify where the update happened. Note: An updated object can have up to three parents, but often has fewer or none. For example, a Result table row has the following parents: Parent Item 1 is the Result table where the row is found; Parent Item 2 is the entry where the result table (and relevant row) is found |
| Parent Item 1 Developer ID, Parent Item 2 Developer ID, Parent Item 3 Developer ID | No | API ID for corresponding parent |
| Parent Item 1 Type, Parent Item 2 Type, Parent Item 3 Type | No | Object type of corresponding parent |
| Reason code | Yes | |
| Comment | Yes | |
| Delegate User | No | Benchling team member acting as Benchling Support on the tenant |

 

Export and download audit logs

In addition to exporting audit logs at the individual object level, audit logs can be exported for organizations, teams, users, and apps at the tenant admin level. To export audit logs:

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Organizations, Teams, Users, or Apps tab
  3. Click the icon in the desired row and click Export audit log
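
A way to triage an exported audit log, shown as an added example (not Benchling code): it groups rows by Transaction ID, orders the resulting actions by time, and picks out those performed through a Delegate User and those with no Reason code. Column names come from the audit log column list on this page; the sample rows, the transaction ID format, ISO 8601 timestamps, and the idea that a change recorded without rationale exports an empty Reason code cell are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an exported audit log. Values, the transaction ID
# format and the timestamp format are made up for this sketch.
SAMPLE_AUDIT = """\
Timestamp (UTC),User,Transaction ID,Event Description,Action,Old Value,New Value,Item,Reason code,Comment,Delegate User
2025-05-03T14:40:10Z,svc-loader,tx-102,Entity updated,Concentration,10,12,SAMPLE-7,,,
2025-05-02T09:15:00Z,ada,tx-101,Entity updated,Name,PLASMID-1,PLASMID-001,PLASMID-001,Correction,Fixed typo,
2025-05-02T09:15:01Z,ada,tx-101,Entity updated,Tags,,qc,PLASMID-001,Correction,Fixed typo,
2025-05-04T08:00:05Z,bo,tx-103,Project updated,Collaborators,,QC team,Project A,Access change,,support-agent
"""


def _ts(text):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is rewritten as +00:00."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def group_transactions(csv_text):
    """Collapse audit rows into one record per Transaction ID, oldest first."""
    grouped = {}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        # Transaction ID is an optional column; without it each row stands alone.
        tx_id = (row.get("Transaction ID") or "").strip() or f"row-{n}"
        when = _ts(row["Timestamp (UTC)"])
        tx = grouped.setdefault(tx_id, {
            "id": tx_id, "start": when, "users": set(), "items": set(),
            "changes": [], "delegates": set(), "missing_reason": False,
        })
        tx["start"] = min(tx["start"], when)
        tx["users"].add(row["User"].strip())
        tx["items"].add(row["Item"].strip())
        tx["changes"].append((row["Action"], row["Old Value"], row["New Value"]))
        # Delegate User is also optional in the export.
        delegate = (row.get("Delegate User") or "").strip()
        if delegate:
            tx["delegates"].add(delegate)
        if not row["Reason code"].strip():
            tx["missing_reason"] = True
    return sorted(grouped.values(), key=lambda tx: tx["start"])


def review(transactions):
    """Pick out the transactions a reviewer should look at first."""
    return {
        "delegate_activity": [t["id"] for t in transactions if t["delegates"]],
        "no_reason_code": [t["id"] for t in transactions if t["missing_reason"]],
    }


if __name__ == "__main__":
    txs = group_transactions(SAMPLE_AUDIT)
    for tx in txs:
        print(tx["start"].isoformat(), tx["id"], sorted(tx["users"]),
              f"{len(tx['changes'])} change(s)")
    print(review(txs))
```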

 

Activity log overview

Users with Organization Administrator permissions can view and search all read and write activity across the organization. Filter by user and time period to monitor engagement and usage trends.

 

Access the activity log

To view and search organization activity:

  1. In the bottom-left corner, click your avatar icon, then select your organization from the menu
  2. Click View Activity to open the Activity Log in a new page
  3. Filter and search the activity log

 

Organizations and teams overview

Benchling provides two levels for organizing users: organizations and teams. Most companies will have one organization and create multiple teams within that organization to reflect different groups or functions, which can be used for managing access policies at scale.

 

Create a new Organization

Tenant Admins can create new organizations in Benchling when onboarding a new group or setting up a new business unit. Through this process, you can share specific projects and assign initial members or teams:

  1. In the bottom-left corner, click your avatar icon, then click Create or join organization
  2. Click Create an organization
  3. Fill out the following fields:
    • Give your organization a name
    • Give your organization a handle (a unique identifier, with no spaces, that other users can search for)
    • If desired, upload a file to use as the organization avatar
  4. If desired, invite members or teams to join the organization. Invited users receive an email prompting them to join, or they can be added manually after creation via the Members tab in the Organization Settings
  5. Click Next: Share Projects
  6. If desired, choose projects to share with the organization. You can set permissions using the Permissions dropdown options.
  7. Click Share and Complete Setup

Alternatively, you can create an organization from the Organizations tab in the Tenant Admin Console by clicking Create organization. If you choose this method, you can set up the organization name and handle and add members/projects after the organization has been created.

 

Manage members from the organization page

Organization and tenant admins can manage members directly from the Organization Page. 

This is important for maintaining accurate team structures, aligning access with org-specific responsibilities, and ensuring users are correctly assigned to the projects, data, and permissions relevant to their role. It also helps decentralize user management so that Org Admins can manage their groups independently without relying on Tenant Admins for every change.

 

Add a member

Adding a member to an organization is different from creating a new user. Creating a user means provisioning a brand new account in the Benchling tenant, often for someone who has not yet logged in. Adding a member to an organization, however, means assigning an existing user (who already has an account) to a specific org, giving them access to projects and data governed by that organization.

This distinction is important for maintaining proper access control. For example, you may need to onboard a new hire (create a user) and assign them to the appropriate org. Or, you may want to move an existing user to a new org due to a role change or project transfer — without needing to recreate their account.

  1. Click your avatar icon, select your organization
  2. On the Members tab, type the user’s email
  3. Press Add. The user will receive a registration email

 

Edit Roles or Remove Members

You can also change between Member and Admin roles, or remove users as needed.

 

Leave an Organization

If you’ve been added to the wrong organization or no longer need access, you can remove yourself. Leaving an organization means you will no longer be able to create or view its projects, unless you are the project owner or the project is shared with you individually.

Before leaving, ensure that another organization member has admin access to any projects you own that need to remain accessible.

  1. In the bottom-left corner, click your avatar icon, then select the organization you want to leave
  2. In the Members tab, hover over your name
  3. Click the trash can icon that appears labeled “Leave Organization”
  4. Click OK to confirm

You can alternatively leave an organization from your account settings: On the Organizations page, click Leave next to the organization name, then click Confirm leaving to complete the process.

 

Create Teams

Teams simplify user management by enabling permission assignment at a group level. Tenant Admins and User Admins can create teams from the Tenant Admin Console:

  1. In the bottom-left corner, click your avatar icon, then click Tenant Admin Console
  2. Click the Settings tab, then select Data Modifications
  3. Click the Teams tab
  4. Click Create team
  5. To add members to the team, click on the Members tab in the Team Settings, search for the user you want to add in the search box at the top right, then click Add Member
  6. Set the member’s role as either Admin or Member:
    • Admin – Can manage team settings and often receives elevated access when the team is assigned as a collaborator
    • Member – Standard access; receives the team's default project permissions
      Note: We recommend assigning Admins to team leads and program managers, and Members to everyone else

If you have Organization Administrator permissions, navigate to the Teams tab of your Organization and click Create team to create a team.

 

Project, folder, and registry permissions overview

Benchling’s permissions system controls who can take what actions on which data. This is governed by a few key concepts:

  • Collaborators: Users, teams, organizations or apps
  • Access Policies: Defined sets of actions a collaborator can take on an item
  • Projects: Collections of data; almost all items in Benchling are associated with a project, either by being associated with the project directly, or by living in a folder hierarchy under the project

See Permissions overview for an overview of types of permission, how they interact, and how to configure them.

 

Frequently asked questions

Q: Are data modifications configurable at the folder or subfolder level?

A: No. Data modifications are only configurable at the tenant or project level.

Q: Who can access the Tenant Admin Console?

A: Only users with the Tenant Admin role.

Q: Can I create users without assigning them to an organization or team?

A: Users must belong to an organization in order to access data. Team assignment is optional. If left unassigned, users won’t be able to see any data in the space.

Q: What happens when I suspend a user?

A: They are logged out and lose access. Their data is preserved.

Q: Can I suspend multiple users at once?

A: Yes. Use checkboxes and the bulk action menu.

Q: How does application access hierarchy work?

A: The most recent change takes precedence. Apply user overrides last.

Q: Where can I confirm a user’s application access?

A: The Users tab reflects their effective access from all levels.

Q: What access do new users have by default?

A: Full access to Notebook. Other apps must be assigned.

Q: Can I edit a user’s handle or email after creation?

A: Yes. Use the pencil icon in the Users tab.

Q: Will users receive an email when I create their account?

A: Yes, if you check the box to send activation emails.

Q: I don’t see an application in the access list. What should I do?

A: Contact Benchling Support to verify the application is enabled.
