Manage organizations & users

Information regarding roles, permissions, and user and organization management

Purpose: This document covers organizations, user roles and permissions, and user and organization management in Verily Workbench.



Introduction

Flexible and structured management of users is a core requirement for enterprise software platforms. Organizational administrators should have visibility into the status of their population of managed users. IT and security administrators should be able to set organization-wide defaults and policy requirements, and well-defined organizational roles should support self-service actions where possible to ensure scalability.

To support these needs, Verily Workbench maintains a top-level Organization concept, representing a set of users linked by their employer or primary institutional identity. Each user, workspace, and data collection belongs to exactly one organization, creating a clear boundary of ownership, management, and control.

Most Workbench customers will identify an organization admin from within their team to manage the organization and user lifecycle, enable self-service onboarding and offboarding of researchers, and direct control over policy and billing details. In some cases (and depending on the license agreement) a Workbench customer may delegate this responsibility to the Workbench Support team instead. For more information about admin and user roles, see Organization roles and permissions.

Most of the operations described below may be done via both the Workbench web UI, or the Workbench CLI. In a few cases, it is necessary to use the CLI.

Key concepts

Organization

An organization in Workbench represents the top level of tenancy within the enterprise platform. Every workspace, data collection, and user can trace back to a single owning organization, providing a logical unit of separation, administration, and ownership.

Conceptually, a Workbench organization is somewhat similar to a Google Cloud organization (where Google Cloud projects are all housed under a single Google Cloud organization) or to an Active Directory domain (where Active Directory users are housed under a single domain). Of course, there are differences in how exactly this concept is applied to the Workbench system.

Each organization contains the following:

  • Metadata and configuration (e.g., name, description).
  • Users and roles.
  • Resources (e.g., workspaces and data collections).
  • A group containing all members of the organization. Can be used for sharing resources with the whole organization.

User lifecycle

The lifecycle of a Workbench user involves the following states:

  • Invited: The user has been invited to join Workbench and (if required by license) acknowledge the terms of service.
  • Active: The user is in good standing and may access Workbench features subject to their parent organization’s configuration.
  • Disabled: The user has been disabled by an organization or Workbench administrator. The user may be re-enabled with all prior permissions kept intact.
  • Archived: The user has been permanently removed from all access to Workbench. All permissions and group memberships have been removed.

Every Workbench user must be a member of exactly one organization. It is typically an organization admin who invites new users to the system (see Invite a new user to your organization). Administrators may also transition a user to a temporary Disabled state (if they expect to regain access in the near future), or a more permanent Archived state (if they are no longer an employee or have left the sponsoring organization).

Managing organizations

Organization roles and permissions

The set of roles and permissions at the organization level is as follows:

Role Description Permissions
Workbench support A Workbench-wide role. Generally assumed by the Workbench Support and Operations teams.
  • Create a new organization
  • Configure organization admins (plus permissions inherited from rows below)
Organization admin An individual with delegated responsibility to manage organization-level configuration and user lifecycles.
  • Invite new users
  • Update organization configuration and defaults
  • Disable and archive users (plus permissions inherited from rows below)
Organization user An end user of Workbench who is a member of an organization.
  • View organization details
Pod Manager A pod manager can create pods in addition to everything an organization user can do. When a pod is created, this user is granted Pod Admin on the pod.
  • Create pod

Request a new organization

New organizations are created by the Workbench support role. Generally a new organization will be created as part of the onboarding process of a new Workbench customer.

In some scenarios, it may make sense to create a new organization to represent a new group of users who will access Workbench under an existing license agreement (i.e., collaborators from a new institution or customer organization). In this case, please contact Workbench Support to request a new organization. Include at least the following information:

Name: Example Organization
Short name: example-org
Administrator emails: admin.1@example.com, admin.2@example.com

Verify details of the new organization

In the Workbench web UI, you can view the organizations to which you have access.

select Organizations from the left nav
To view and manage your organizations, select Organizations from the left nav.

The Organizations page includes the organization that you belong to (also listed in Your profile), as well as any other organizations for which you have administrative permissions.

The Organization page highlighting the pulldown menu next to the organization name
From the Organizations page, select the org you want to view.

You should be able to select the new organization from the pulldown menu, and verify that you are an Admin for that org.

To verify the details of the new organization (and to confirm that you’ve been granted administrative permissions), use the wb org describe and wb org user list commands from the command-line interface (CLI):

$ wb org describe --org=example-org

ID: example-org
Name: Example Organization
ToS Required: true
Description: (unset)

$ wb org user list --org=example-org

EMAIL                           STATE       TOS STATUS           ROLES
admin.1@example.com             ENABLED     TOS_OK               ADMIN

Grant the organization admin role

The individual(s) entrusted to administer a given organization may change over time. An admin can grant admin privileges to another org member with the wb org role grant CLI command or via the Workbench web UI.

In the Permissions tab for an organization for which you have admin access, you can manage the roles for other users, or allow them to create pods.

Click on the 'three-dot' menu for an org member to manage their role.
Click on the 'three-dot' menu for an org member to manage their role.
Manage a user role
You can set a user as 'Admin' or allow them to create pods.

To grant the admin role to a user who's not part of the organization, use the Assign roles button.

add an admin from another org
You can assign the admin role to users from other orgs.

$ wb org role grant --org=example-org --email=admin.2@example.com --role=ADMIN
Granted ADMIN role to admin.2@example.com in example-org.

Set organization-level defaults

Organization administrators may update metadata related to the organization and set defaults which will apply to certain aspects of Workbench usage by members of the organization. This may be done via the Edit button at the top right of the Organizations page, or by using the wb org update CLI command:

wb org update --org=example-org --new-description="Researchers working under Example Corp to access the Foo Bar dataset in Workbench"

Managing users

Invite a new user to your organization

An organization admin is responsible for inviting new users to Workbench. You can do this via the CLI, or the Workbench web UI.

To invite a new user to an organization, click on the Add users button from the organization's page.

From the Organizations page, you can invite new users to an org you administer.
From the Organizations page, you can invite new users to an org you administer.

An organization admin can invite a user with the wb org user invite command:

wb org user invite --org=example-org --email=user.1@example.com

After a user has been invited, the rest of the flow is typically as follows:

  1. (Optional, but necessary to allow the user to create new workspaces): the organization admin grants the user access to billing resources within the organization. This is done by adding the user to a pod. See Set up billing with pods for more detail.

  2. The organization admin notifies the user that they’ve been invited and to visit https://workbench.verily.com/ to acknowledge the terms of service and gain access to Workbench.

  3. The invited user logs in, acknowledges the terms of service, and continues to Workbench.

Acknowledge the terms of service

Depending on licensing terms, when a new user first logs in to Workbench, they may be asked to first acknowledge the standard terms of service:

After clicking Accept and continue, the user is redirected to the Workbench homepage and may access workspaces and data collections shared with them.

Screenshot showing Verily Terms of Service acknowledgment dialog.
The Workbench terms of service dialog window.

View users in your organization

An organization admin may get an overview of all users within the organization via the Members tab of the Organizations page in the UI, or with the wb org user list command:

$ wb org user list --org=example-org

EMAIL                        STATE            TOS STATUS      ROLES
admin.1@example.com          ACTIVE           TOS_OK          ADMIN
user.1@example.com           ARCHIVED         TOS_OK          USER

Disable or archive a user

If a user should no longer have access to Verily Workbench, an organization admin may temporarily disable or permanently remove a user’s access.

Disabling ("Deactivating") a user in Workbench will cause their login access to Workbench to be revoked, without permanently removing that user’s presence in workspace and organization ACLs and permission sets. This allows the operation to be completed quickly and to be easily reversible, e.g., if an employee is on temporary leave.

In the Members list for an organization, click on the 'three-dot' menu for a user, and select Deactivate.

Deactivating (disabling) a user
Deactivating (disabling) a user.

Disable a user with the wb org user disable command:

$ wb org user disable --email=user.1@example.com --org=example-org

User user.1@example.com disabled in the organization example-org.

Re-enabling a user

Once disabled, a user can be re-enabled via the Workbench UI by re-inviting them, and via the CLI using the wb org user enable command.

Archiving a disabled user

A user may also be more permanently removed from Workbench via the CLI, with the wb org user archive command.

$ wb org user archive --org=example-org --email=user.1@example.com
Email: user.1@example.com
State: DISABLED
ToS Status: TOS_OK
Org Roles: USER
Archiving users cannot be undone. Are you sure you want to archive this user? (y/N) y
User user.1@example.com has been archived in the organization example-org.

Last Modified: 13 January 2025