Getting Started: Users & Access

Introduction

This tutorial walks you through setting up user management and access control in Flywheel from scratch. By the end of this tutorial, you will have created users, assigned roles, and configured authentication.

What You Will Learn

• How to create your first user
• Understanding site, group, and project roles
• Assigning users to groups and projects
• Configuring authentication methods
• Creating API keys for programmatic access

Prerequisites

• Site Admin role in Flywheel
• At least one group and project created (learn how)

Step 1: Understand the Role Hierarchy

Before creating users, understand Flywheel's three-level permission system:

1. Site Role - Platform-wide access (Admin, Developer, User)
2. Group Role - Group-level permissions (Admin, read-write, read-only)
3. Project Role - Project-specific control (Admin, read-write, read-only, or custom)

Users must have a role at all three levels. The most restrictive role applies.

For complete details, see Roles and Permissions Concepts.

Step 2: Create Your First User

Let's create a user who will be a researcher on your project.

1. Navigate to Users in the left navigation panel
2. Click Create New User

3. Enter the user information:

   • First and last name: The user's full name
   • Email address: Must match their authentication method email
   • Site Role: Choose User for researchers

4. Click Save

The user now exists but cannot access any data yet. We'll assign permissions in the next step.

For detailed instructions, see How to Create a User.

Step 3: Assign Group and Project Access

Now grant the user access to a specific group and project:

1. On the user detail page, click the Permissions tab
2. Under Group Permissions, click Add Group Permission
3. Select your group and assign the read-write role
4. Under Project Permissions, click Add Project Permission
5. Select your project and assign the read-write role
6. Click Save

The user can now access data in this project.

Step 4: Configure Authentication

Choose an authentication method for your users:

Option A: ORCID Authentication

Best for researchers with ORCID accounts:

1. Instruct users to configure their ORCID account
2. Users must make their primary email public in ORCID settings

See detailed steps: Configure ORCID Authentication

Option B: Institutional Authentication (CILogon)

Best for users at academic institutions:

1. Determine your institution's ePPN format
2. Create users with ePPN as email address
3. Users sign in via CILogon using institutional credentials

See detailed steps: Add Institutional Collaborators

Step 5: Create an API Key (Optional)

If the user needs programmatic access:

1. Navigate to the user's detail page
2. Click Create API Key
3. Set an expiration date (recommended)
4. Copy the API key and securely share it with the user

The user can now use this key with the Flywheel CLI or SDK.

See detailed steps: Create API Keys

What You Have Learned

You now know how to:

• Create users with appropriate site roles
• Assign group and project permissions
• Configure authentication methods
• Create API keys for programmatic access

Next Steps

Now that you understand the basics of user management:

• Create custom project roles for fine-grained access control
• Monitor user activity with access logs
• Manage site mode to control user registration