Summary
User accounts are required to access ClinSpark. To authorize access to certain studies and features, a user account is typically assigned one to many Sites, Studies, and Roles.
When creating a new user, the organization’s authentication rules set in Administration > General Settings are inherited by default. Password Can Expire and Session Timeout Minutes can be overridden at the per-user level.
Users can be assigned multiple roles and authorization is an aggregate of all the roles. Once assigned, the user will be authorized to perform any function within those roles.
Users can be restricted to one or more studies and/or sites, which facilitates controlled access to users internal or external to the customer organization.
The Administration > Users component provides capabilities for locating, exporting and managing users within an organization.
...
Roles & Studies
Newly created users will have no roles assigned. A user must be assigned at least one role to be able to log into ClinSpark.
Users can be restricted to zero or more studies and sites. By default, users can interact with any study and site in the system unless their account configuration, or specific access controls in place on a given study, define otherwise. Information about managing user access for sites and studies can be viewed in this article: Restricting User Access
User management features are designed to meet 21 CFR Part 11 guidelines:
Sessions timeout at configurable interval (see also User Session Timeout Features)
Passwords and accounts can be configured for expiration
Failed logins are logged and login attempts are tracked; a user can be locked out after a configurable number of failures, and alerts are sent when the failure threshold is reached
Lockout duration is configurable
Passwords are not stored in plain text in the database; a salted hash is stored instead
Password Policy
ClinSpark allows organizations to configure certain password policies. These are configured with Administration > General Settings and are enforced across all user accounts:
Password Minimum Length
Password Expire Days (number of days until user forced to change password)
Alphanumeric passwords (passwords must contain digits and letters)
Special character passwords (must contain one or more of: !#"$%&'()*+,-./:;<=>?@[]^_`{|}~)
Prevent re-use of previous account passwords (configurable system setting)
Password reuse
The system allows organizations to optionally enforce a strict password re-use policy through a controlled system setting. This setting supports the security best practice of mitigating the risks created by password reuse. If the setting is not used, the default behavior is that users may not re-use their immediate past password; they may, however, re-use older passwords.
If the setting value is 1 or greater, ClinSpark checks a proposed password against that many of the account's most recent prior passwords and rejects it if it matches any of them.
This setting is enforced in workflows where a user resets their own password; either through their user profile, self-service password reset workflows, or a forced password reset during authentication (login) workflows.
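The password policy settings and the reuse rule described above can be combined into a single validation step. The following is an added example written for this article, not ClinSpark's own code: the class and function names, the use of PBKDF2-HMAC-SHA256 as the salted hash, and the iteration count are assumptions; the special character set is the one listed in the Password Policy section. The reuse check runs against stored salted hashes rather than plaintext history, in line with the note above that plaintext passwords are never stored.

```python
"""Password policy validation modelled on the settings described in this article.

Added, stand-alone illustration; not ClinSpark code. The names below and the
PBKDF2 parameters are assumptions made for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Special characters listed in the article's Password Policy section.
SPECIAL_CHARS = set("!#\"$%&'()*+,-./:;<=>?@[]^_`{|}~")

# A stored credential is (salt, digest); the plaintext is never kept.
StoredHash = Tuple[bytes, bytes]


@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    require_alphanumeric: bool = True   # must contain both letters and digits
    require_special: bool = True        # must contain a character from SPECIAL_CHARS
    prevent_reuse: int = 0              # 0: only the immediate past password is blocked


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme); returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches(password: str, stored: StoredHash) -> bool:
    """Constant-time comparison of a candidate against a stored salted hash."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_complexity(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the list of policy rules the password violates (empty if it passes)."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    if policy.require_alphanumeric and not (has_digit and has_alpha):
        problems.append("must contain both letters and digits")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        problems.append("must contain a special character")
    return problems


def check_reuse(policy: PasswordPolicy, new_password: str, history: List[StoredHash]) -> bool:
    """True if new_password is blocked by the reuse rule.

    history holds the account's prior password hashes, most recent first.
    With prevent_reuse == 0 only the immediate past password is checked;
    with prevent_reuse == N the N most recent passwords are checked.
    """
    window = history[:1] if policy.prevent_reuse < 1 else history[: policy.prevent_reuse]
    return any(matches(new_password, stored) for stored in window)


def validate_new_password(policy: PasswordPolicy, new_password: str,
                          history: List[StoredHash]) -> List[str]:
    """Complexity rules plus the reuse rule, as one list of violations."""
    problems = check_complexity(policy, new_password)
    if check_reuse(policy, new_password, history):
        problems.append("reuses a recent password")
    return problems


if __name__ == "__main__":
    # Constructed sample history, most recent first.
    history = [hash_password(p) for p in ("Spring!2024", "Winter!2023", "Autumn!2022")]
    strict = PasswordPolicy(prevent_reuse=3)
    print(validate_new_password(strict, "Autumn!2022", history))   # blocked by reuse
    print(validate_new_password(strict, "Summer2025", history))    # missing special char
    print(validate_new_password(strict, "Summer!2025", history))   # passes
```

Because the reuse check must re-derive a hash for each entry in the window, a large `prevent_reuse` value multiplies the cost of a password change by that factor; that is the expected trade-off of checking history without storing plaintext.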
...
Users should discuss the use of password managers with their system administrators to understand if organization IS/IT policies are governing their use.
Password Reset Workflows
Password reset workflows are intended to be ‘self serve’ for users. When accounts are configured with an e-mail address, the password reset workflow is most commonly supported through that process.
However, there may be times when an administrative user needs to manually reset a password for a given user. To accomplish this, within the ‘Update User’ workflow, the two password fields must be supplied with a temporary password.
...
The ‘Password Expiration Date’ field serves as an option for Admins to update after a password has been established (outside of reset workflow). Most commonly it’s used if an Admin wants to extend the current active password period for a given user, or remove it entirely.
Two Factor Authentication (2FA)
ClinSpark supports the ability to enable two factor authentication (2FA) for active users. This is an optional setting for all user accounts. Site administrators that have the ability to manage user accounts in the Administration > Users component can establish this setting for new or existing accounts.
...
E-mail based 2FA workflows that contain authentication codes are only valid for a limited period of time, which is specified in the e-mail received.
The 2FA e-mail template is controlled by a system configuration and can be modified on request, via the service desk, by Foundry Health / IQVIA ‘superadmin’ users.
Disabling SSO
When a ClinSpark instance is configured to use SSO, an option becomes available to disable SSO authentication enforcement on a per-account basis. Typically, we see customers using SSO to enforce authentication for most of their internal staff users, and setting up ClinSpark accounts for external users (such as sponsors or monitors) that do not enforce SSO authentication.
To learn more about SSO setup and configuration, visit this article: Single Sign-on (SSO)
Within the account management screen, users can determine if SSO has been ‘disabled’ on an account.
When SSO is disabled for a given user account, the user will be allowed to authenticate into ClinSpark using their application username and password.
If SSO is not disabled for the account, ClinSpark will not allow that user to authenticate with an application username and password.
Locked accounts
When users fail to authenticate into ClinSpark after a number of attempts, their account is flagged as ‘Locked’. This locking mechanism is in place to protect ClinSpark environments from malicious authentication activities. When an account is locked, e-mail alerts are sent to defined recipients as configured in Administration > General Settings > Communications, so that appropriate actions can be taken to investigate and resolve any locked accounts.
...
Self-service password reset helps ensure that legitimate users have a quick and secure way to get back into their ClinSpark account without having to wait for the lockout period to end or get in touch with a system administrator.
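The lockout behaviour described above (failures tracked per account, a configurable failure threshold, an alert when it is reached, a configurable lockout duration, and an administrator unlock) can be modelled as a small state machine. The following is an added example written for this article, not ClinSpark code: the class names, the injected clock (`now` in epoch seconds), the alert callback and the specific threshold and duration values are assumptions; the audit type names recorded are those listed in the Audit events section.

```python
"""Account lockout bookkeeping modelled on the behaviour described in this article.

Added illustration, not ClinSpark code. The thresholds, the injected clock and
the alert callback are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failures before the account is flagged Locked
    lockout_minutes: int = 30    # configurable lockout duration


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


class LockoutTracker:
    """Tracks login failures per user and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy, alert: Callable[[str], None]) -> None:
        self.policy = policy
        self.alert = alert                 # called once when the threshold is reached
        self.accounts: Dict[str, AccountState] = {}
        # (username, audit type), using the audit type names from this article.
        self.audit: List[Tuple[str, str]] = []

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """Report lock status, clearing an expired lockout as a side effect."""
        st = self._state(user)
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until = None
            st.failures = 0
        return st.locked_until is not None

    def record_failure(self, user: str, now: float) -> bool:
        """Log a failed login; return True if this failure locked the account."""
        st = self._state(user)
        self.audit.append((user, "Login fail"))
        if self.is_locked(user, now):
            return False                  # already locked; nothing more to do
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_minutes * 60
            self.alert(user)              # e-mail alert to configured recipients
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is refused while the account is locked."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures = 0    # a successful login resets the counter
        self.audit.append((user, "Login"))
        return True

    def admin_unlock(self, user: str) -> None:
        """Administrator unlock, logged as an Unlock audit type."""
        st = self._state(user)
        st.locked_until = None
        st.failures = 0
        self.audit.append((user, "Unlock"))


if __name__ == "__main__":
    alerts: List[str] = []
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, lockout_minutes=15), alerts.append)
    # Constructed sequence of events for one user, times in seconds.
    for t in (0, 10, 20):
        tracker.record_failure("jdoe", t)
    print("locked:", tracker.is_locked("jdoe", 30), "alerts:", alerts)
    print("login with correct password while locked:", tracker.record_success("jdoe", 60))
    print("after lockout expires:", tracker.record_success("jdoe", 20 + 15 * 60))
```

Note that a correct password is rejected for the whole lockout window; this is why the self-service password reset path matters, since it gives a legitimate user a way back in that does not depend on waiting for the window to expire.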
Audit events
Many actions related to user account management and access are audited. The following outlines all audit events.
When saving a new user, ClinSpark logs a Save audit type
When a user information update initiated by an administrator or user occurs, ClinSpark logs an Update audit type
When an administrator unlocks a given user, ClinSpark logs an Unlock audit type
When a user successfully authenticates, ClinSpark logs a Login audit type
When a user selects ‘log out’ feature from user menu, ClinSpark logs a Logout audit type
When a user fails to authenticate because the supplied password is incorrect, ClinSpark logs a Login fail audit type
When a user changes their password or administrator changes user password, ClinSpark logs a Password Reset audit type
When a user attempts an action that they are not authorized for (accessing a URL a user’s role does not support), ClinSpark logs an Unauthorized User Action audit type
When adding a study to a user in order to restrict the user, ClinSpark logs an Add Study audit type; notes section will contain study name
When removing a study from a user in order to remove the user’s study restriction, ClinSpark logs a Remove Study audit type; notes section will contain study name
When adding a role to a given user, ClinSpark logs an Add Role audit type. The ‘notes’ section will contain the role description.
When removing a role from a given user, ClinSpark logs a Remove Role audit type. The ‘notes’ section will contain the role description.
When adding a study specific role, ClinSpark logs an Add Study Role audit type. The ‘notes’ will indicate which study and role was impacted.
When removing a study specific role, ClinSpark logs a Remove Study Role audit type. The ‘notes’ will indicate which study and role was impacted.
When adding a site, ClinSpark logs an Add Site audit type. The ‘notes’ section will contain the site name.
When removing a site, ClinSpark logs a Remove Site audit type. The ‘notes’ section will contain the site name.
When applying an eSignature, ClinSpark logs an eSignature audit type. The ‘notes’ section will contain the area where the eSignature was applied.
When an eSignature attempt fails, ClinSpark logs an eSignature Fail audit type. The ‘notes’ section will contain details about the failure.
...
Audit types
A list of all the Audit types is available in the drop-down; they are generated through the various Audit Events described above.
...
Print User Barcode
Each user account is associated with a unique ClinSpark barcode. Application user barcodes can be printed from the Action menu on the user account administration screen.
...