
TABLE OF CONTENTS
- Overview
- Security-Sensitive Settings by Role
- Recommended Secure Defaults
- Securely Accessing Administrative Accounts
- Configuring Organization-Level Access
- Configuring Project-Level Access
- Removing or Replacing Project Users
- Managing Project Role Permissions
- Operating Administrative Accounts Securely
- Decommissioning Administrative Accounts
- Secure Configuration Review Checklist
- Availability and use
Overview
This guide explains how to configure Laser AI administrative and privileged access securely. It is intended for organization-level Owners and Administrators who manage users, organization settings, project permissions, projects, folders, templates, vocabularies, highlights, references, and related organization assets.
Laser AI uses a two-level permission model:
Organization-level roles control access to organization-wide users, settings, assets, projects, folders, and shared resources.
Project-level roles control access to project setup, project data, screening and extraction tasks, references, exports, logs, and team management.
For secure operation, assign each user the lowest role that supports their responsibilities, review privileged access regularly, and remove or downgrade access when it is no longer required.
Administrative Account Categories
For the purpose of this Secure Configuration Guide, Laser AI distinguishes between top-level administrative accounts and privileged accounts.
Security-Sensitive Settings by Role
The following table summarizes the security-sensitive settings and actions that each administrative or privileged role can change, based on the Laser AI permission model.
Recommended Secure Defaults
Use the following configuration as the recommended secure baseline for organization access.
Recommended practice
Assign the lowest role that supports the user’s responsibilities. Treat Owner, Administrator, Data Manager, Library Manager, and Project Manager access as privileged access and review these assignments regularly. Owner access should be limited to users who need top-level control over organization-wide administrative settings.
Securely Accessing Administrative Accounts
When creating an account, an Owner or Administrator enters the user’s organization role, email address, first name, and last name. The user receives an email with a link to the platform and account setup information.
The account creation link is valid for 7 days. If the link expires, the account must be removed and created again, or the Laser AI team must reset the password.
Password reset emails are sent on request. The reset link expires within 5 minutes. If the recipient did not request the reset, they should ignore the message.
Recommended practices:
Create named user accounts for each person who needs access.
Assign Owner and Administrator roles only to users with a clear administrative responsibility.
Confirm that the email address is correct before creating the account.
Encourage users to complete account setup promptly because the setup link expires after 7 days.
Use password reset only when needed and rely on the 5-minute reset link expiry to limit exposure.
Review administrative accounts regularly and remove or downgrade access when responsibilities change.
Configuring Organization-Level Access
Only Owners and Administrators can create, edit, or delete user accounts in the organization. Only Owners can create or delete other Owner accounts.
To create a user:
Open the Users dashboard from the main side navigation.
Select Create User.
Enter the required details:
organization role;
email address;
first name;
last name.
Add optional user details if needed, including the inactive-account label where applicable.
Select Create.
To modify or remove a user:
Open the Users dashboard.
Select the user.
Review the user’s account details, organization role, and assigned projects.
Select Edit account to update details or change the user’s organization role.
Select Delete account to remove the user from the organization.
Security considerations:
Use Member for users who only need access to assigned projects.
Use Administrator only when the user must manage users, assets, all projects, or folders.
Use Owner only when the user must manage organization settings or other Owner accounts.
Review each user’s project assignments before deleting or downgrading the account.
Configuring Project-Level Access
Project teams are managed from the Team section on the Project dashboard or the Team icon on the sidebar.
Laser AI supports the following project roles:
Manager: Has access to all features and data in the project. Managers set up task flow, create instructions or forms, and add members to the project team.
Senior Researcher: Performs screening and extraction activities, can edit instruction details, view all references, and export results. Senior Researchers cannot access history logs and cannot manage team members.
Researcher: Has access to assigned tasks, general progress information, and project details.
Librarian: Manages project references, attachments, and bibliographic data. Librarians cannot receive screening or extraction tasks.
Visitor: Can view project progress and results but cannot edit anything. Visitors cannot receive screening or extraction tasks.
By default, organization Members are assigned the Researcher role when added to a project. Other organization roles are assigned as Managers by default. A user’s project role can be changed in the team section.
Recommended secure configuration:
Assign Manager only to users who need full project control.
Assign Senior Researcher only when the user needs broader review, instruction, reference, or export access.
Assign Researcher for users who only need to complete assigned screening or extraction tasks.
Assign Librarian for users who manage references, PDFs, attachments, and bibliographic data.
Assign Visitor for read-only access to project progress and results.
Review default Manager assignments after adding organization-level privileged users to a project.
Removing or Replacing Project Users
Project team members can be removed or replaced from the Team member dashboard.
Available actions include:
Remove user from project: The user is removed from the project. Their references return to review tasks and must be redistributed from the relevant Stage Dashboard.
Replace user with a new team member: All tasks assigned to the replaced user are automatically reassigned to the new team member.
If a Researcher has draft work when they are removed or replaced, Laser AI asks whether to mark the tasks as completed or discard the user’s work and return the tasks to distribution.
Security considerations:
Remove users from projects when they no longer need access.
Replace users when work continuity is required and tasks should move directly to another user.
Confirm that removed or replaced users appear correctly in the Team progress panel.
Managing Project Role Permissions
Project role permissions can be modified by the Owner in the project Settings tab. This allows the organization to adapt project roles to its internal workflow.
Security considerations:
Keep project role changes narrow and role-based.
Avoid granting broad permissions to roles used by many users.
Review role definitions after changing project permissions.
Treat permissions related to exports, logs, team management, task distribution, conflict resolution, reference management, and project setup as privileged.
Operating Administrative Accounts Securely
Administrators should regularly review:
all Owners and Administrators;
users with Data Manager or Library Manager roles;
users assigned as project Managers;
inactive users;
Recommended review events include:
user joins or leaves the organization;
user changes job responsibilities;
project starts or closes;
project role permissions are changed;
organization settings are changed;
administrative access is granted or removed.
Administrative Access Review Procedure
Organization Owners and Administrators should review administrative and privileged access on a regular basis to confirm that each user still has the lowest role required for their responsibilities.
At minimum, access should be reviewed:
Recommended Review Frequency
Access Review Criteria
During each review, confirm the following:
Each Owner still requires top-level administrative access.
Each Administrator still requires broad user, project, folder, or organization asset management access.
Each Data Manager still requires access to organization templates, vocabularies, highlight sets, documents, or library references.
Each Project Manager still requires full control of the assigned project.
Users who only need to complete assigned review work are assigned the Researcher role at the project level.
Users who only need read-only access are assigned the Visitor role at the project level.
Inactive users are removed, downgraded, or labeled inactive according to the organization’s account management process.
Users who no longer need access are removed from projects or deleted from the organization.
Any role changes continue to follow the principle of least privilege.
Documentation of Access Reviews
Organizations should document administrative access reviews according to their internal compliance process. The review record should include:
review date;
reviewer name or role;
roles reviewed;
users whose access was changed;
reason for each access change;
any follow-up actions needed.
Decommissioning Administrative Accounts
When an Owner, Administrator, or other privileged user no longer requires access:
Review the user’s organization role.
Review the projects assigned to the user and their role in each project.
Reassign project responsibilities before removal where needed.
Replace the user in active projects if their assigned tasks should transfer to another user.
Remove the user from projects where access is no longer needed.
Downgrade the organization role or delete the user account.
For Owner accounts, ensure the change is performed by an Owner, because only Owners can create or delete other Owner accounts.
Security considerations:
Do not leave unused Owner or Administrator accounts active.
Use account deletion or role downgrade when privileged access is no longer required.
Use project replacement when tasks must continue under a new team member.
Use project removal when the user should no longer have project access and tasks should return to distribution.
Secure Configuration Review Checklist
Use this checklist to review secure configuration periodically.
Owner accounts are limited to users who need organization-wide control.
Administrator accounts are limited to users who need broad user, asset, project, or folder management permissions.
Data Manager and Library Manager accounts are assigned only to users with matching responsibilities.
Ordinary users are assigned the Member role at the organization level.
Project Managers are limited to users who need full project control.
Project roles are reviewed after users are added because some organization roles are assigned Manager access by default.
Inactive-account handling is configured where applicable.
Removed or replaced project users are reviewed in the Team progress panel.
Draft work is handled intentionally when users are removed or replaced.
Project role permissions are reviewed after any customization.
Export, log, team management, and project setup permissions are treated as privileged.
Availability and use
This Secure Configuration Guide is publicly available in the Laser AI Knowledge Base at:
https://help.laser.ai/support/home
Organization Owners, Administrators, and other users responsible for secure configuration should use this guide when initially configuring Laser AI, reviewing administrative and privileged access, changing organization or project-level permissions, and decommissioning administrative accounts.
Customers using Laser AI as part of a FedRAMP authorization package should refer to this guide as the product’s Secure Configuration Guide for administrative and privileged access configuration.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article