| Table of Contents | ||||
|---|---|---|---|---|
|
Summary
Every ClinSpark instance contains a unique user account type called ‘Superadmin’, which is reserved for and used exclusively by Foundry Health IQVIA team members. This account type exists as a mechanism to help Foundry Health IQVIA configure, manage, and support ClinSpark instances based on ongoing customer needs.
Superadmin accounts inherit all available Role Actions and all configured Roles in a given environment, and, can access every area of ClinSpark. Additionally, these accounts are given access to specific features which are intended only for Foundry HealthIQVIA. This is due to the implications these features/configurations have across an instance. An incorrectly configured system setting or lab interface (for example) could have undesired impact to trial conduct and system stability.
...
Superadmin users have access to the Administration > Support component, which allows the Foundry Health IQVIA team access to a specific set of dashboard components that allow for review of instance usage overview for billing purposes, and, access built for support and billing purposes. This area is most frequently accessed to review internal server log statements.
...
This menu item is only visible to Superadmin users.
Any system configurations with ‘support’ type classification appear in the this Support area.
...
Sites
Superadmin users are able to create ‘site’ entities, for For customers who operate ClinSpark under an early-phase model where volunteer database and recruitment features are enabled, Superadmin users are able to create ‘site’ entities. This is due to the implication sites have for use across several instance configurations, and, the licensing/pricing fees related to multi-site use.
For customers who use ClinSpark under later-phase multi-site configurations, where ‘Volunteers’ features are disabled (also referred to as “headless mode”), non Superadmin users have the ability to create sites.
Additionally, for For a given site, certain configuration settings are exclusive to Superadmin users which include the following:
...
The Advanced System Setup area allows Foundry Health IQVIA to enable/disable full system features for customer use. This is an important configuration task that takes place when environments are put in place for customers.
...
Within Barcodes only Superadmin can modify the visible settings. This is due to the implications these padding, delimterdelimiter, and prefix settings have across a variety of ClinSpark features that leverage barcodes, as well as site lab interface workflows. Typically these settings are established for customers during onboarding phases.
...
For Volunteer Questions, only Superadmin users can modify question Answer Patterns.
...
Study > Data
Up until version 23.3, only Superadmin users have access to a support feature in Study > Data, for each form/timepoint. This ‘Move’ action item is available in order to perform audited actions in the user interface in order to resolve certain service requests to modify site, subject, and study event details on study forms.
...
Starting in version 23.3, this feature is not exclusive to Superadmin users, and is available to customers to use. It is protected by a role action called ‘Study Data Move Form Data’. More details about that role action are available on this article: https://foundryhealth.atlassian.net/wiki/spaces/DOCS/pages/3709239305/Role+Actions#Study-Data-Move-Form-Data
...
Devices > Configure
For most customers, nearly all of the device integration capabilities for a given ClinSpark instance are established and maintained by Superadmin users. Additionally, when a given device is ‘archived’ from system use, it’s not visible to non-Superadmin users.
...
Add new device integrations, and archive existing
Modify device type, Manufacturer, ‘Direct’ setting, Monitoring Type, and Model
Add new device parameters, and archive existing
Modify device parameters including ‘Enrollment’ setting, Monitoring Source, Captured Date Time, and Data Type
Add and modify device settings
Common Questions
...
& Answers
Over time we Many customers have received questions from customers about these types of Superadmin accounts, their use, and governance. The following section hopes to address some of the common questions we receive.
Who can create & manage Superadmin accounts?
Only a Superadmin type account can create or manage other Superadmin accounts in the user interface. Since Foundry Health IQVIA staff are the only users who are given Superadmin accounts, these actions are carried out by a member of the Foundry Health IQVIA team.
Customers are unable to create Superadmin accounts.
| View file | ||
|---|---|---|
|
When are Superadmin accounts created and/or deactivated?
Foundry Health team engineers and support
...
When are Superadmin accounts created?
Superadmin accounts are created one of two ways:
Via automated script when environments are first created
Using the ClinSpark user interface
When a brand new ClinSpark environment is created, there are processes that ‘bootstrap’ the environment with a very basic set of configurations in order to make it accessible by IQVIA staff prior to the handover of the environment to customers. This bootstrapping process creates a small set of Superadmin accounts for engineering and support team members, who can access and review the environment prior to customer handover.
After the bootstrapped accounts are created, the ClinSpark user interface must be used to add or modify Superadmin accounts. IQVIA staff are granted Superadmin accounts in applicable customer environments to support onboarding, training, and support efforts. Foundry Health IQVIA team members are only given access to customer ClinSpark environments once they have received the proper level of training necessary to perform actions applicable to their role.
When are Superadmin accounts deactivated?
If someone with a Superadmin account leaves the Foundry Health IQVIA team, or no longer requires access to an environment, their access is revoked within the time interval specified in SOPs, and their account set to an archived status.
Are there periodic reviews of Superadmin accounts in customer environments?
On a quarterly basis, IQVIA conducts a review of all superadmin accounts across customer PROD MAIN/TEST environments. An internal JIRA ticket is raised to initiate the process, and all actions taken during the review period are tracked on the JIRA ticket. A member of the support team reviews an export of superadmin users across all customer PROD instances and takes action accordingly. Review tasks are:
Ensure that any recent superadmin leavers of the organization are removed from customer environments
Ensure that all existing SA users have MFA enabled in all PROD MAIN instances
Ensure that all SA users are using an approved IQVIA domain for their email address
Ensure that superadmin account details appropriately identify the account owner via username and email address.
Can a standard account be promoted to Superadmin?
Yes, but only by a Foundry Health Standard accounts can be ‘promoted’ to Superadmin. However, this can only be done by a IQVIA team member who is also a Superadmin.
By the same process, a Superadmin account can also be downgraded ‘downgraded’ to a standard account. This can only be done by another Superadmin.
...
Superadmin accounts must meet the same complexity password requirements as all other standard ClinSpark user accounts. These are customerenvironment-specified authentication requirements are based on the configurations established by customers via the Administration > General Settings component.
Superadmin accounts are not impacted by customer SSO configurations, and for now, do not use SSO Identity Providers to log into ClinSpark instances. Foundry Health IQVIA team members log into ClinSpark instances with username/password credentials via standard login screen workflows. Superadmin accounts in ClinSpark production environments with release 1.5 or higher have 2FA have two-factor authentication (2FA) enabled.
How can
...
customers see Superadmin accounts in
...
their environment?
In current releases, Superadmin accounts are not visible to standard users when viewing the Administration > Users component. Additionally, Superadmin accounts are also suppressed from the user export in this component, if a non-Superadmin creates the report. If a Superadmin creates the export, all accounts are visible.
...
Upon request, Foundry Health IQVIA may be able to provide other ‘exports’ or means ways to see Superadmin accounts in a given environment. Customers who wish to discuss this should open a service desk ticket. Future enhancements in later releases are likely to improve the visibility of Superadmin accounts to certain user types.
...
Superadmin accounts are like standard user accounts, in that these accounts have audit trails and all actions taken are audited and visible in applicable audit trails. Nothing exempts a Superadmin from having their actions audited in ClinSpark.
If necessary to review Superadmin actions outside of user interface controls, it may be possible for Foundry Health IQVIA to assist customers to build a query to access a read-replica database to report on actions a given Superadmin user has taken. Questions or interest in this topic should be raised via the service desk.