Permissions and Security

User Accounts

Each user can generate one or more sets of credentials for the warehouse. Each set of credentials has its own username and password. Once a user connects using credentials, they are authenticated as themselves inside the warehouse.

Users have read access only. They cannot perform insert, update, or delete operations.

📘

Protecting Your Warehouse Credentials

We recommend you keep your warehouse username and password in your favorite password manager. We don't recommend you hard-code the password into scripts, but this may be within your threat model in some cases, and that's OK!

If somehow you leak your Warehouse password, don't worry: you can revoke and issue a new password via your Profile settings screen in Benchling.

Project-based Permissions

A user in Benchling can have read access (or higher) to projects. All data in the warehouse is tied to a project. When querying against the warehouse, a user can see all rows belonging to projects that they have read access to.

Entities (sequences, proteins, custom entities) are either in a project or in the registry. If in the registry, the original project location before registering is used.

Batches are considered to be in the same project (and have the same permissions) as the entity they're attached to.

Assay requests, assay runs, and assay results are uploaded to a project at creation time. Users must have read access to the project to access the attached assay objects.

Implementation Overview

Permissions are implemented using row level security in the Postgres database. A list of user credentials and the projects each user has access to is periodically synced.

In Postgres, when querying user-accessible tables, the underlying technology is used to filter out rows belonging to projects that the user does not have access to. For the user, this is transparent - rows that they don't have access to are simply omitted from queries.

Limitations

Below is data that all users can access, due to limitations in the underlying technology:

  • All users will be able to see all table names and table schemas. These cannot be hidden.
  • Users may be able to see the queries that other users are running in certain circumstances.

❗️

Security Notice: SSL / TLS and PostgreSQL

Your Warehouse uses PostgreSQL. Consider this as another limitation to be aware of: Many PostgreSQL clients do not by default properly encrypt connections to the database.

It is very important to configure all of your Warehouse and PostgreSQL clients correctly. Please see our comprehensive configuration guide on how to do this!