Versions Compared

Old Version 3

changes.mady.by.user Alex Quail

Saved on

compared with

New Version 4

changes.mady.by.user Steffan Stringer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

Summary

User accounts are required to access ClinSpark. To authorize access to certain studies and features, a user is assigned one to many Sites, Studies, and Roles.

...

The Administration > Users component provides capabilities for locating, exporting and managing users within an organization.

...

Roles & Studies

  • Newly created users will have no roles assigned. A user must be assigned at least one role to be able to log into ClinSpark.

  • Users can be restricted to 0 or more studies and sites. By default, users can interact with any study and site in the system unless defined otherwise on their account.

  • User management features comply with CFR 21 Part 11 guidelines:

    • Sessions timeout at configurable interval

    • Passwords and accounts can be configured for expiration

    • Failed logins are logged, user can be locked out after configurable number of failures and alerts are sent when failures threshold is reached

    • Lockout duration is configurable

    • Passwords are not stored in the database, but rather a salted hash is stored

Password Policy

ClinSpark allows organizations to configure certain password policies. These are configured with Administration > General Settings and are enforced across all user accounts:

  • Password Minimum Length

  • Password Expire Days (number of days until user forced to change password)

  • Alphanumeric passwords (passwords must contain digits and letters)

  • Special character passwords (must contain one or more: !#"$%&'()*+,-./:;<=>?@[]^_`{|}~)

  • Prevent re-use of previous account passwords (configurable system setting)

Password reuse

The system allows organizations to optionally enforce a strict password re-use policy through a controlled system setting. This setting helps follow a security best practice to mitigate vulnerabilities that are caused by password reuse. If this setting is not used, the default behavior is that users may not re-use their immediate past password. However, they may re-use use older passwords.

...

For security purposes, this system setting is not enforced when an administrative user resets the password of another user account, through the Administration > Users component. This is to ensure that administrative users are not informed of or exposed to any prior passwords that may have been in use with a user account.

Password Managers

Password managers offer greater security and convenience for the use of passwords to access online services. Strong security is achieved principally through the capability of most password manager applications to generate unique, long, complex, easily changed passwords for all online accounts and the secure encrypted storage of those passwords.

...

Users should discuss the use of password managers with their system administrators to understand if organization IS/IT policies are governing their use.

Password Reset Workflows

Password reset workflows are intended to be ‘self serve’ for users. When accounts are configured with an e-mail address, the password reset workflow is most commonly supported through that process.

...

The ‘Password Expiration Date’ field serves as an option for Admins to update after a password has been established (outside of reset workflow). Most commonly it’s used if an Admin wants to extend the current active password period for a given user, or remove it entirely.

Two Factor Authentication (2FA)

ClinSpark supports the ability to enable two factor authentication (2FA) for active users. This is an optional setting for all user accounts. Site administrators that have the ability to manage user accounts in the Administration > Users component can establish this setting new or existing accounts.

...

The 2FA e-mail template can be modified on request by Foundry Health ‘superadmin’ users.

Locked accounts

When users fail to authenticate into ClinSpark after a number of attempts, their account is flagged as ‘Locked’. This locking mechanism is in place to protect ClinSpark environments from malicious authentication activities. When an account is locked, e-mail alerts are sent to defined recipients as configured in Administration > General Settings > Communications, so that appropriate actions can be taken to investigate and resolve any locked accounts.

...

Self-service password reset helps ensure that legitimate users have a quick and secure way to get back into their ClinSpark account without having to wait for the lockout period to end or get in touch with a system administrator.

Audit events

Many actions related to user account management and access are audited. The following outlines all audit events.

  • When saving a new user, ClinSpark logs a Save audit type

  • When a user information update initiated by an administrator or user occurs, ClinSpark logs an Update audit type

  • When an administrator unlocks a given user, ClinSpark logs an Unlock audit type

  • When a user successfully authenticates, ClinSpark logs a Login audit type

  • When a user selects ‘log out’ feature from user menu, ClinSpark logs a Logout audit type

  • When a user fails to authenticate with correct password, this will produce a Login fail audit type

  • When a user changes their password or administrator changes user password, ClinSpark logs a Password Reset audit type

  • When a user attempts an action that they are not authorized for (accessing a URL a user’s role does not support), ClinSpark logs an Unauthorized User Action audit type

  • When adding a study to a user in order to restrict the user, ClinSpark logs an Add Study audit type; notes section will contain study name

  • When removing a study from a user in order to remove the user’s study restriction, ClinSpark logs a Remove Study audit type; notes section will contain study name

  • When adding a role to a given user, ClinSpark logs an Add Role audit type. The ‘notes’ section will contain the role description.

  • When removing a role from a given user, ClinSpark logs a Remove Role audit type. The ‘notes’ section will contain the role description.

  • When adding a study specific role, ClinSpark logs a Add Study Role audit type. The ‘notes’ will indicate which study and role was impacted.

  • When removing a study specific role, ClinSpark logs a Remove Study Role audit type. The ‘notes’ will indicate which study and role was impacted.

  • When adding a site, ClinSpark logs an Add Site audit type. The ‘notes’ section will contain the site name.

  • When removing a site, ClinSpark logs a Remove Site audit type. The ‘notes’ section will contain the site name.

  • When applying an eSignature, ClinSpark logs an eSignature audit type. The ‘notes’ section will contain the area where the eSignature was applied.

  • When an eSignature attempt fails, ClinSpark logs an eSignature Fail audit type. The ‘notes’ section will contain details aboutthe failure.

...

Audit types

A list of all the Audit types are in the drop down and are generated through various Audit Events.

...

Print User Barcode

Each user account is associated with a unique ClinSpark barcode. Application user barcodes can be printed from within the Action menu on user account administration screen.

...