Security and Accounts

Before proceeding, make sure that you understand the institutional structure of Specify and have the proper permissions to make changes.

Please read Introducing the new Role-Based Access System in Specify 7 before configuring your institution’s policies and user accounts.

To access the Security and Accounts panel, you must first navigate to the User Tools menu. You access this menu by clicking on your username in the navigation menu.

User name selected in navigation menu

Now click on :fingerprint_: Security and Accounts.

If your account has permission, you will now see this panel on the left:

User Roles

User Roles are a set of permission policies that apply to every user assigned that role. These roles are managed under each collection. A user assigned a role in one collection is not automatically assigned the same role in another.

New Collection User Roles

Add Role allows you to add a new role from an existing role or create an entirely new one by clicking on New.

Import allows you to import a .json file of a user role(s).

If the name of the imported role or roles matches existing ones, it will prompt you to update your existing roles. If the name of the imported role is new you can add it to your role library.

JSON importer

Export allows you to export a .json of your user roles.

In this instance, I am viewing the Full Access role that was created in my database.

Name Description Example
Name Name of the role Full Access, Collection Admin, Student, Guest
Description Brief text field to give usage or additional information associated with the name This is our role for student data entry personnel

Under the User Accounts separator, you will see the following Add button:


Clicking this will automatically open the Specify User query builder.

From here, you can configure a query and find exactly the user account you would like to add to the role:

Once I have selected every agent I would like to assign the role to, I can click Select to continue.


rmartin now belongs to the Full Access role in my selected collection. This can be done either from the User Role page or from the user account page.

Role Permission Policies (Policy Builder)

Using the Policy Builder (seen below) admin users can build the role’s policies. Some policies that apply only at the institution-level are not present at the collection-level.

In this example, the role Limited Access has the following two permissions:

Policy Builder

Querybuilder → All → Execute, Export, and Record Set creation permissions
TableAll Tables → Read, Create, and Update permissions. No ability to delete entries in all tables.

The Policy Builder can be visualized as either as a grid or in-line rows. You can switch the view by clicking on the Switch button.

Switch Policy Builder view

You can delete policies by clicking on the Delete button on the left of each policy.

Clicking the Add button opens the new policy interface:

Policy adder


The All option allows you to assign blanket permissions to every table and function in Specify. This is generally not recommended, but it can allow you to quickly create a user with Read only permission.


The Table option allows you to choose a specific table to grant Read, Create, Update, or Delete permissions to the role.


The Tool option grants permission to the many Specify tools. This includes the Schema Config, Query Builder, Record Sets, App Resources, Pick Lists, and Sp Audit Log querying.

Tool option


The System option grants access to collections.

System option


The Report option grants the ability to execute reports.


The Export option grants the ability to execute a DwCA export.


The Permissions option allows users within the role to Read, Update, Create, Delete, or Copy From Library within the components of the Security and Accounts panel.

Permissions option


The Tree option grants the ability to Merge, Move, Synonymize, Desynonymize, or Repair all or a subset of selected trees.

Tree option


The Querybuilder option grants the ability to Execute, Export, or Create a Record Set using the Query Builder.

Querybuilder option


The Workbench option grants the ability to Create, Update, Delete, Upload, Unupload, Validate, and Tranfer using the WorkBench.

Workbench option


The Preferences option grants the user permissions to edit protected preferences.

Warning: User preferences apply to current user only. No special permissions are required to edit most user preferences.
However, some user preferences are protected as enabling them can cause data loss or database corruption if you are not careful. Users can only enable such options if they have been given “Preferences → User → Edit Protected” policy
Examples of protected options are “Allow dismissing error messages”, and “No restrictions mode” in the WorkBench and Query Builder.

Preferences option

Remove deletes the user role. If the role has been assigned users, you will see a warning. The users will not be deleted but they will lose the assigned role.

Close closes the current view. If you have made changes, this will become a red Cancel button.

Export allows you to export the role. This is downloaded as a .json file and can be imported in any collection or database under the user roles.

Save commits the changes to the database.

Important: To save a user role, you must ensure that every added policy has at least one checkbox activated. If you would like for the user to have no permissions in that table or function, make sure that no other policy grants that ability.

The Specify 7 permission system is additive. All users are implicitly denied all access. You can explicitly give some access. You can not explicitly deny access. Instead, to remove some access, either unassign the user from the policy that gave them that access (would affect this user only), or remove the policy from the role definition (would affect all users with that role).

Please check this box if you want to proceed warning

User Permissions

Under every user is the set of User Permissions. This includes the username, password, collection access, agent, user roles, custom policies, and Specify 6 permissions.

Account Setup Options

Name is the username that the user will use when logging in to Specify.

Change Password opens the set password dialog.

image generates a sign-up link for a new user using single sign on (SSO) if it is configured.


This will only be visible for administrators.

Checking Institution Admin gives absolute permission to everything in all collections. This should only be granted to trusted, admin level users.

You can also configure Institution-wide policies. This uses the same Policy Builder as the collection-level policy and User Role forms use. These policies will apply to all assigned collections.

Some policies are available on the institutional level only. Below is the list of institution-level permissions (these can only be applied to individual users, not inside of roles):

Relationship Ability Description
Admin > User > Password Update Ability to change passwords
Admin > User > Agents Update Ability to reassign user account agent
Admin > User > Sp6 > Is Admin Update Ability to make a user an admin
Admin > User > Sp6 > Collection Access Read Grant Sp6 collection access
Admin > User > Sp6 > Collection Access Update Grant Sp6 collection update access
Admin > User > Invite Link Create Allow user to create an invite link
Admin > User > Oic Providers Read Allow user to read OpenID providers
Export > Feed Force Update Force an update of the RSS feed
Permissions > Library > Roles Read Allow a user to read user roles
Permissions > Library > Roles Create Allow a user to create a user role
Permissions > Library > Roles Update Allow a user to update a user role
Permissions > Library > Roles Delete Allow a user to delete a user role


Under this separator, you have several elements. First, you have the pick list with all collections in the database:

Collection Pick List

Choosing a collection, making changes, then switching that collection does not lead to a loss of changes made in the first collection. The changes are there if you switch back to the previous collection, and can be saved permanently by pressing the Save button. Just because it is not visible does not mean it has been lost.

Under this, you will see the Enable Collection Access checkbox. This indicates whether the user has access to that collection or not.

The Agent query combobox allows you to select an agent in the database that corresponds to the user account.

Agent combobox

Assigned User Roles

You can check one or more user roles to assign to that user under the currently selected collection. The :pencil2: icon allows you to modify these roles.

Assigned user roles

Custom Collection-level Policies

For every user, you can specify individual policies that apply only to the current collection. This is not intended to be used in place of roles. These permissions are additive, only working to grant new permissions, not take away.

See Policy Builder for more information on how to build a policy.

User’s Permission Profile (read-only)

You can click on this heading to expand the User’s Permission Profile. This is a read-only visualization of the user’s current permissions. At the top are all of the system tables and at the bottom you will see a collapsed Advanced Tables section. The Permission Profile is an outcome of combining all the policies from the roles the user is part of and the roles that are directly assigned to the user at the institutional and collection level. You can click on any checkbox to see exactly where the user obtained the permission.

Either to the right or below this visualization is the total system permission visual:

Specify 6 Permissions

Make Admin allows you to make the selected user an admin in Specify 6. Once the user has been made an admin, you can click Remove Admin to take this permission away.

Set Collections allows you to select which collections the user has access to in Specify 6.

Set user collection access

The User Group pick list allows you to choose the group from Specify 6 that your user falls into. The permissions for these groups are set in Specify 6’s security center.

User Groups in Specify 6


Selecting your institution’s name from the panel on the left displays the institution name, all roles contained within, as well as user accounts defined in the institution.

Institution Library of Role Templates

This contains the list of role templates available at the Institution level. These can be created, exported, and importing under collections to be used across the database. These roles cannot be assigned to users directly, but are rather meant to be used as a template when creating roles on the collection level.

Role Library

User Accounts Defined in this Institution

This lists every user in the institution.

User Accounts

Each admin user will have their role shown to the right of their name.

abentley (Specify 7 Admin) (Specify 6 Admin)

This indicates that abentley is an admin in both Specify 7 and 6.


This contains the list of roles available at the collection level. These can be created, exported for use in other collections, and roles can be imported under this collection.

Collection User Roles

User Accounts Assigned to this Collection

User Accounts assigned to this collection

Each user has their role in brackets to the right of their name.

abentley (Collection Admin)

This indicates abentley has the Collection Admin role assigned to that user.

rmartin (Full Access)

This indicates rmartin has the Full Access role assigned to that user.