icon-administration.png
Administering XNAT

Monitoring XNAT


Advanced Topics

[Edit Nav]

Managing User Accounts

Introduction

All access to any XNAT site is restricted to valid users of the site. User accounts determine the data and pages which are accessible to visitors of the site.

Unless you enable optional logins, all visitors of your site will need to login using a valid user account. Users can register themselves on your site, or the site administrator can create user accounts. Depending on your configuration, these user accounts may need to be enabled before the accounts are functional. These user accounts can be given permission to access the data by associating users with projects. Furthermore, users can be given administrative access to data and pages in the administration section.

NOTE: If your site is configure to enable optional logins, then visitors of your site will be automatically logged in as the guest account. The permissions assigned to the guest account will determine which data and pages un-authenticated users will have access to.

Registration

In a standard XNAT installation, user accounts must be created by either the user themselves or by the site administrator. Users will be given the option of registering for an account when they first visit the site.
xnat_user_register.png
The User Registration form collects the necessary data for the creation of an account including First & Last Name, Email, and Username. Once a user has registered for an account, their new account will need to be enabled (optional). Upon account enabling, users will be emailed a Welcome email which will notify the registered email address of the account creation.

Site administrators can directly create user accounts without requiring users to submit the registration form. Creating user accounts directly can be a convenient way for site administrators to pre-register users, particularly when they are going to setup project access for those accounts.

Enabling Accounts

By default, user accounts in XNAT are disabled. This prevents unwanted users from being able to access your XNAT installation without your permission. User accounts are not functional while disabled. You can configure XNAT to automatically enable user accounts on the Administration -> Default Settings. Otherwise, a site administrator will need to manual enable new user accounts via the Administration -> Users -> {USER} -> Enable User link. When new users are registered (and need enabling) an email will be sent to the site administrator to trigger this process.

Optional Login

On most XNAT installations, user accounts are fundamental and should not be optional. They are not only used for permissions, but also to build a meaningful audit trail of what users accessed and when. In certain situations, the requirement to login to access the site is unnecessary. For example, on servers that are focused on sharing public data user logins can be made optional to make the sharing process more convenient and less restrictive. The requirement to login can be disabled on the Administration -> Default Settings form. If logins are optional, then visitors to the site will be automatically logged into the site as the guest account. They will be able to access and download any data which is accessible to the guest account (public projects).

Permissions

User accounts are used to govern which data a visitor of the site has access to. The permissions that a user account has are generally governed by which projects that account has been assigned to. Users can be assigned to projects according to certain pre-defined roles: Owners, Members, and Collaborators. [Related: XNAT Security Structure: Ownership]

In addition to the permissions users acquire based on project membership, user accounts also inherit permissions which are given to the guest user account. The guest account has access to all data from public projects, and project level only access to protected projects.

Administrators

To a large extent, XNAT manages itself. However some actions require manual intervention by a site administrator. XNAT allows user accounts to be labeled as two different types of administrators; site and data administrators.
xnat_user_configure.png

Site Administrators (Site Manager)

Site administrators have access to the Administration section of the website. They have permission to configure any data which belongs to the administration schema (xdat), including user acounts, user groups, data-types, etc. Site administrators do NOT automatically have access to any data other then that core admin data.

Data Administrators

Data administrators have access to ALL of the data within an XNAT installation. If they have Read Only access, then they can read (and download) all projects, subjects and experiments. Read, Edit & Delete access will give users full permissions on all data in the database. These roles should not be given out casually and should probably be limited to one or two site administrators.

Enhanced Authentication Options

In a standard XNAT installation, all user accounts are registered and authenticated based on the contents of XNAT's PostgreSQL database. In some situations, external authentication servers can be used to authenticate and create user accounts. XNAT comes with support for using an LDAP (or Active Directory) server to authenticate and create user accounts. The XNAT team is working on additional authentication mechanisms and the authentication system is easily customizable to allow for unique authentication implementations. [Related: Enhanced Authentication Options]