Secure Configuration Guide

TABLE OF CONTENTS


Overview

This guide explains how to configure Laser AI administrative and privileged access securely. It is intended for organization-level Owners and Administrators who manage users, organization settings, project permissions, projects, folders, templates, vocabularies, highlights, references, and related organization assets.

Laser AI uses a two-level permission model:

  • Organization-level roles control access to organization-wide users, settings, assets, projects, folders, and shared resources.

  • Project-level roles control access to project setup, project data, screening and extraction tasks, references, exports, logs, and team management.

For secure operation, assign each user the lowest role that supports their responsibilities, review privileged access regularly, and remove or downgrade access when it is no longer required.


Administrative Account Categories

For the purpose of this Secure Configuration Guide, Laser AI distinguishes between top-level administrative accounts and privileged accounts.

Account category

Laser AI role

Description

Top-level administrative account

Owner

The Owner role is the highest administrative role in Laser AI. Owners can manage organization-wide administrative settings and Owner account lifecycle actions.

Privileged account

Administrator

Administrators can manage users, organization assets, projects, and folders. Administrators have broad administrative access but cannot manage Owner-only settings.

Privileged account

Data Manager

Data Managers can manage organization-level templates, vocabularies, highlight sets, and library references.

Privileged account

Library Manager

Library Managers can manage organization library references and attachments and can access projects as Librarians or Visitors, depending on the applicable permission.

Privileged account

Project Manager

Project Managers have full control within an assigned project, including project setup, task flow, team management, and project data access.

Standard account

Member

Members have the narrowest organization-level access and can only access projects and resources assigned to them.


Security-Sensitive Settings by Role

The following table summarizes the security-sensitive settings and actions that each administrative or privileged role can change, based on the Laser AI permission model.

Role

Security-sensitive settings or actions the role can change

Security implication

Owner

Create and remove Owner accounts; promote Members to Owner; demote Owners to Member; manage project role definitions; manage RIS file mapping settings; manage default project settings.

Owner accounts control the highest-impact organization settings and the lifecycle of other Owner accounts. Assign this role only to users who need top-level administrative control.

Administrator

Create and remove organization Members; change organization member roles; edit member details; create projects; join any project as Manager; manage organization-level templates, highlight sets, vocabularies, and library references.

Administrators have broad access to users, projects, and organization assets. They can expand their project access by joining projects as Managers.

Data Manager

Manage screening instruction templates; manage extraction form templates; manage global highlight sets; manage vocabularies; manage organization library references and attachments.

Data Managers can change shared organization assets used across projects. Incorrect changes may affect review workflows, extraction forms, vocabularies, highlights, and library materials.

Library Manager

Manage organization library references and upload organization library attachments; access projects as Visitor where permitted.

Library Managers can affect organization-level reference and attachment materials and may have visibility into project outputs depending on assigned access.

Project Manager

Configure project setup, task flow, instructions or forms; manage project team members; access project data; distribute or manage tasks, depending on project permissions.

Project Managers control project-level access and workflow. Assign this role only to users who need full control over a project.

Member

Edit own user details; create personal highlight sets; view permitted global highlight sets.

Members have limited organization-level access and should be the default role for ordinary users.


Use the following configuration as the recommended secure baseline for organization access.

Setting

Recommended secure configuration

Security impact

Organization Owner access

Assign only to users who must manage organization-wide settings and Owner accounts.

Owner access controls the highest-impact configuration areas and should be tightly limited.

Administrator access

Assign only to users who must manage users, organization assets, all projects, or folders.

Administrators can manage broad organization resources and add themselves to projects.

Data Manager access

Assign only to users responsible for organization vocabularies, templates, and project outputs.

Data Managers can access project outputs across the organization.

Library Manager access

Assign only to users responsible for PDF and library reference management.

Library Managers can access projects as Librarians and manage library-related materials.

Member access

Use as the default role for ordinary users.

Members have the narrowest organization-level access and only see assigned projects.

Project role assignment

Assign the lowest project role needed for the user’s work.

Project roles control access to project setup, tasks, data, exports, logs, and team management.

Inactive accounts

Use the available inactive-account label where applicable. Accounts inactive for more than 3 months are automatically disabled when this option is configured.

Reduces the risk of unused accounts retaining access.


Recommended practice

Assign the lowest role that supports the user’s responsibilities. Treat Owner, Administrator, Data Manager, Library Manager, and Project Manager access as privileged access and review these assignments regularly. Owner access should be limited to users who need top-level control over organization-wide administrative settings.


Securely Accessing Administrative Accounts

When creating an account, an Owner or Administrator enters the user’s organization role, email address, first name, and last name. The user receives an email with a link to the platform and account setup information.

The account creation link is valid for 7 days. If the link expires, the account must be removed and created again, or the Laser AI team must reset the password.

Password reset emails are sent on request. The reset link expires within 5 minutes. If the recipient did not request the reset, they should ignore the message.

Recommended practices:

  1. Create named user accounts for each person who needs access.

  2. Assign Owner and Administrator roles only to users with a clear administrative responsibility.

  3. Confirm that the email address is correct before creating the account.

  4. Encourage users to complete account setup promptly because the setup link expires after 7 days.

  5. Use password reset only when needed and rely on the 5-minute reset link expiry to limit exposure.

  6. Review administrative accounts regularly and remove or downgrade access when responsibilities change.

Configuring Organization-Level Access

Only Owners and Administrators can create, edit, or delete user accounts in the organization. Only Owners can create or delete other Owner accounts.

To create a user:

  1. Open the Users dashboard from the main side navigation.

  2. Select Create User.

  3. Enter the required details:

    • organization role;

    • email address;

    • first name;

    • last name.

  4. Add optional user details if needed, including the inactive-account label where applicable.

  5. Select Create.

To modify or remove a user:

  1. Open the Users dashboard.

  2. Select the user.

  3. Review the user’s account details, organization role, and assigned projects.

  4. Select Edit account to update details or change the user’s organization role.

  5. Select Delete account to remove the user from the organization.

Security considerations:

  • Use Member for users who only need access to assigned projects.

  • Use Administrator only when the user must manage users, assets, all projects, or folders.

  • Use Owner only when the user must manage organization settings or other Owner accounts.

  • Review each user’s project assignments before deleting or downgrading the account.

Configuring Project-Level Access

Project teams are managed from the Team section on the Project dashboard or the Team icon on the sidebar.

Laser AI supports the following project roles:

  • Manager: Has access to all features and data in the project. Managers set up task flow, create instructions or forms, and add members to the project team.

  • Senior Researcher: Performs screening and extraction activities, can edit instruction details, view all references, and export results. Senior Researchers cannot access history logs and cannot manage team members.

  • Researcher: Has access to assigned tasks, general progress information, and project details.

  • Librarian: Manages project references, attachments, and bibliographic data. Librarians cannot receive screening or extraction tasks.

  • Visitor: Can view project progress and results but cannot edit anything. Visitors cannot receive screening or extraction tasks.

By default, organization Members are assigned the Researcher role when added to a project. Other organization roles are assigned as Managers by default. A user’s project role can be changed in the team section.

Recommended secure configuration:

  • Assign Manager only to users who need full project control.

  • Assign Senior Researcher only when the user needs broader review, instruction, reference, or export access.

  • Assign Researcher for users who only need to complete assigned screening or extraction tasks.

  • Assign Librarian for users who manage references, PDFs, attachments, and bibliographic data.

  • Assign Visitor for read-only access to project progress and results.

  • Review default Manager assignments after adding organization-level privileged users to a project.

Removing or Replacing Project Users

Project team members can be removed or replaced from the Team member dashboard.

Available actions include:

  • Remove user from project: The user is removed from the project. Their references return to review tasks and must be redistributed from the relevant Stage Dashboard.

  • Replace user with a new team member: All tasks assigned to the replaced user are automatically reassigned to the new team member.

If a Researcher has draft work when they are removed or replaced, Laser AI asks whether to mark the tasks as completed or discard the user’s work and return the tasks to distribution.

Security considerations:

  • Remove users from projects when they no longer need access.

  • Replace users when work continuity is required and tasks should move directly to another user.

  • Confirm that removed or replaced users appear correctly in the Team progress panel.

Managing Project Role Permissions

Project role permissions can be modified by the Owner in the project Settings tab. This allows the organization to adapt project roles to its internal workflow.

Security considerations:

  • Keep project role changes narrow and role-based.

  • Avoid granting broad permissions to roles used by many users.

  • Review role definitions after changing project permissions.

  • Treat permissions related to exports, logs, team management, task distribution, conflict resolution, reference management, and project setup as privileged.

Operating Administrative Accounts Securely

Administrators should regularly review:

  • all Owners and Administrators;

  • users with Data Manager or Library Manager roles;

  • users assigned as project Managers;

  • inactive users;

Recommended review events include:

  • user joins or leaves the organization;

  • user changes job responsibilities;

  • project starts or closes;

  • project role permissions are changed;

  • organization settings are changed;

  • administrative access is granted or removed.


Administrative Access Review Procedure

Organization Owners and Administrators should review administrative and privileged access on a regular basis to confirm that each user still has the lowest role required for their responsibilities.

At minimum, access should be reviewed:



Review event

Recommended action

A new user is added to the organization

Confirm that the user receives the lowest appropriate organization role and project role.

A user changes responsibilities

Review the user’s organization role and project roles. Downgrade or remove access that is no longer required.

A user leaves the organization

Remove the user from active projects, reassign project responsibilities where needed, and delete or deactivate the account.

A project starts

Review project team assignments and confirm that only users who need full project control are assigned as Project Managers.

A project closes

Remove project access that is no longer needed and review any remaining privileged project roles.

Project role permissions are changed

Review project role assignments and confirm that the updated permissions still follow least-privilege principles.

Administrative access is granted or removed

Confirm that the change was intentional, documented, and approved by an appropriate Owner or Administrator.





Recommended Review Frequency

Access type

Recommended review frequency

Reviewer

Owner accounts

At least quarterly and whenever an Owner is added or removed

Existing Owner

Administrator accounts

At least quarterly and whenever administrative responsibilities change

Owner or Administrator

Data Manager and Library Manager accounts

At least quarterly or when organization assets, vocabularies, templates, or library responsibilities change

Owner or Administrator

Project Manager roles

At project start, during major project changes, and at project close

Project Manager, Owner, or Administrator

Inactive users

At least quarterly, or more frequently if required by the organization’s internal policy

Owner or Administrator


Access Review Criteria

During each review, confirm the following:

  • Each Owner still requires top-level administrative access.

  • Each Administrator still requires broad user, project, folder, or organization asset management access.

  • Each Data Manager still requires access to organization templates, vocabularies, highlight sets, documents, or library references.

  • Each Project Manager still requires full control of the assigned project.

  • Users who only need to complete assigned review work are assigned the Researcher role at the project level.

  • Users who only need read-only access are assigned the Visitor role at the project level.

  • Inactive users are removed, downgraded, or labeled inactive according to the organization’s account management process.

  • Users who no longer need access are removed from projects or deleted from the organization.

  • Any role changes continue to follow the principle of least privilege.

Documentation of Access Reviews

Organizations should document administrative access reviews according to their internal compliance process. The review record should include:

  • review date;

  • reviewer name or role;

  • roles reviewed;

  • users whose access was changed;

  • reason for each access change;

  • any follow-up actions needed.




Decommissioning Administrative Accounts

When an Owner, Administrator, or other privileged user no longer requires access:

  1. Review the user’s organization role.

  2. Review the projects assigned to the user and their role in each project.

  3. Reassign project responsibilities before removal where needed.

  4. Replace the user in active projects if their assigned tasks should transfer to another user.

  5. Remove the user from projects where access is no longer needed.

  6. Downgrade the organization role or delete the user account.

  7. For Owner accounts, ensure the change is performed by an Owner, because only Owners can create or delete other Owner accounts.

Security considerations:

  • Do not leave unused Owner or Administrator accounts active.

  • Use account deletion or role downgrade when privileged access is no longer required.

  • Use project replacement when tasks must continue under a new team member.

  • Use project removal when the user should no longer have project access and tasks should return to distribution.

Secure Configuration Review Checklist

Use this checklist to review secure configuration periodically.

  • Owner accounts are limited to users who need organization-wide control.

  • Administrator accounts are limited to users who need broad user, asset, project, or folder management permissions.

  • Data Manager and Library Manager accounts are assigned only to users with matching responsibilities.

  • Ordinary users are assigned the Member role at the organization level.

  • Project Managers are limited to users who need full project control.

  • Project roles are reviewed after users are added because some organization roles are assigned Manager access by default.

  • Inactive-account handling is configured where applicable.

  • Removed or replaced project users are reviewed in the Team progress panel.

  • Draft work is handled intentionally when users are removed or replaced.

  • Project role permissions are reviewed after any customization.

  • Export, log, team management, and project setup permissions are treated as privileged.

Availability and use

This Secure Configuration Guide is publicly available in the Laser AI Knowledge Base at:
 https://help.laser.ai/support/home

Organization Owners, Administrators, and other users responsible for secure configuration should use this guide when initially configuring Laser AI, reviewing administrative and privileged access, changing organization or project-level permissions, and decommissioning administrative accounts.

Customers using Laser AI as part of a FedRAMP authorization package should refer to this guide as the product’s Secure Configuration Guide for administrative and privileged access configuration.







Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article