# TRE Roles and Permissions {% hint style="info" %} Apollo and Trusted Research Environments licenses are required to use Trusted Research Environments on the DNAnexus Platform. [Contact DNAnexus Sales](mailto:sales@dnanexus.com) for more information. {% endhint %} To maintain strict governance and compliance, administration and usage within a DNAnexus Trusted Research Environment (TRE) are divided across distinct user roles. This separation of duties ensures that data providers maintain control over their assets while providing data users, such as researchers, with a clear, structured path to access data. These roles fall into two categories: **Data Providers** (those who configure the TRE and manage access) and **Data Users** (those who discover, request, and analyze the data). ## Platform Roles and Capabilities The following table outlines the key personas and their specific permissions within the TRE framework. | Persona | Category | Core Responsibilities and Permissions | | ------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Org Admin** | Data Provider | Grants TRE management privileges to specific members within the organization. Delegates the initial setup authority by assigning the *Research Environment Management* permission. | | **TRE Admin** | Data Provider | Creates and modifies the TRE configuration. Transitions the TRE state (for example, from Draft to Active). Configures the data inventory and Data Showcase. Defines the access request review pipeline and sets global project policies. Assigns Authorized Users and Reviewers. | | **Reviewer** | Data Provider | Must be an Authorized User selected by the TRE Admin. Evaluates submitted data access requests via **Data Resources** > **Request Center** > **My Reviews**. Registers "Approve" or "Reject" decisions and can provide a justification message. | | **Authorized User** | Data User | Allowed by the TRE Admin to view the TRE in **Data Resources** > **Resource Center**. Can explore data distributions and participant counts using the view-only Cohort Browser in the Data Showcase. | | **Request Owner** | Data User | An Authorized User who initiates a data access request. Selects specific data cohorts and fields for their research. Manages project collaborators within the access request. Becomes the owner of the resulting secure project once data is dispensed. Can track access request status in **Data Resources** > **Request Center** > **My Requests**. Projects created from the approved request are subject to [default restrictions](/user/trusted-research-environments/creating-projects.md#default-project-restrictions) that apply to all TRE projects. | | **Collaborator** | Data User | A DNAnexus Platform user invited by the request owner to collaborate. Works within the approved, access-controlled project workspace. Cannot modify the data request. Cannot invite additional members. Only the request owner can manage project membership. Works under the same [default restrictions](/user/trusted-research-environments/creating-projects.md#default-project-restrictions) that apply to all TRE projects. | {% hint style="info" %} Each TRE also includes a platform-managed TRE robot user for internal TRE operations such as dispensal workflows. This identity is not an assignable user role. TRE admins should manage related behavior through TRE settings rather than direct manual permission changes. {% endhint %} ## Role Interactions Throughout the Data Lifecycle The data access lifecycle requires seamless handoffs between these personas. ### 1. Setup and Publication The **Org Admin** selects a **TRE Admin**, who then builds the data inventory, sets the security policies, and publishes the TRE to the **Active** state. ### 2. Discovery and Access Request An **Authorized User** browses available research environments in **Data Resources** > **Resource Center**. After finding a relevant dataset, they become a **Request Owner** by creating a data access request, selecting the specific cohort and fields, and submitting the request. ### 3. Review and Decision The system routes the access request to the assigned **Reviewers** in **Data Resources** > **Request Center**. The reviewers evaluate the request against the TRE governance rules and approve or reject it. ### 4. Analysis and Collaboration On approval, the system dispenses the read-only data into a secure workspace. The **Request Owner** and their invited **Collaborators** then conduct their research within the boundaries of the TRE policies. To get started, researchers can [discover research environments and explore data](/user/trusted-research-environments/discovering-tres.md). Reviewers can go directly to [reviewing access requests](/user/trusted-research-environments/reviewing-access-requests.md). TRE Admins setting up a new environment should start with [Managing Trusted Research Environments](/admin/trusted-research-environments.md). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.dnanexus.com/user/trusted-research-environments/roles-and-permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.