Table of Contents | ||||
---|---|---|---|---|
|
Summary
Every ClinSpark instance contains a unique user account type called ‘Superadmin’, which is reserved for and used exclusively by Foundry Health IQVIA team members. This account type exists as a mechanism to help Foundry Health IQVIA configure, manage, and support ClinSpark instances based on ongoing customer needs.
Superadmin accounts inherit all available Role Actions and all configured Roles in a given environment, and, can access every area of ClinSpark. Additionally, these accounts are given access to specific features which are intended only for Foundry HealthIQVIA. This is due to the implications these features/configurations have across an instance. An incorrectly configured system setting or lab interface (for example) could have undesired impact to trial conduct and system stability.
...
Superadmin users have access to the Administration > Support component, which allows the Foundry Health IQVIA team access to a specific set of dashboard components built for support and billing purposes. This area is most frequently accessed to review internal server log statements.
...
The Advanced System Setup area allows Foundry Health IQVIA to enable/disable full system features for customer use. This is an important configuration task that takes place when environments are put in place for customers.
...
For Volunteer Questions, only Superadmin users can modify question Answer Patterns.
...
Study > Data
Up until version 23.3, only Superadmin users have access to a support feature in Study > Data, for each form/timepoint. This ‘Move’ action item is available in order to perform audited actions in the user interface in order to resolve certain service requests to modify site, subject, and study event details on study forms.
...
Starting in version 23.3, this feature is not exclusive to Superadmin users, and is available to customers to use. It is protected by a role action called ‘Study Data Move Form Data’. More details about that role action are available on this article: https://foundryhealth.atlassian.net/wiki/spaces/DOCS/pages/3709239305/Role+Actions#Study-Data-Move-Form-Data
...
Devices > Configure
For most customers, nearly all of the device integration capabilities for a given ClinSpark instance are established and maintained by Superadmin users. Additionally, when a given device is ‘archived’ from system use, it’s not visible to non-Superadmin users.
...
Only a Superadmin type account can create or manage other Superadmin accounts in the user interface. Since Foundry Health IQVIA staff are the only users who are given Superadmin accounts, these actions are carried out by a member of the Foundry Health IQVIA team.
Customers are unable to create Superadmin accounts.
...
When a brand new ClinSpark environment is created, there are processes that ‘bootstrap’ the environment with a very basic set of configurations in order to make it accessible by Foundry Health IQVIA staff prior to the handover of the environment to customers. This bootstrapping process creates a small set of Superadmin accounts for engineering and support team members, who can access and review the environment prior to customer handover.
After the bootstrapped accounts are created, the ClinSpark user interface must be used to add or modify Superadmin accounts. Foundry Health IQVIA staff are granted Superadmin accounts in applicable customer environments to support onboarding, training, and support efforts. Foundry Health IQVIA team members are only given access to customer ClinSpark environments once they have received the proper level of training necessary to perform actions applicable to their role.
...
If someone with a Superadmin account leaves the Foundry Health IQVIA team, or no longer requires access to an environment, their access is revoked within the time interval specified in SOPs, and their account set to an archived status.
Are there periodic reviews of Superadmin accounts in customer environments?
On a quarterly basis, IQVIA conducts a review of all superadmin accounts across customer PROD MAIN/TEST environments. An internal JIRA ticket is raised to initiate the process, and all actions taken during the review period are tracked on the JIRA ticket. A member of the support team reviews an export of superadmin users across all customer PROD instances and takes action accordingly. Review tasks are:
Ensure that any recent superadmin leavers of the organization are removed from customer environments
Ensure that all existing SA users have MFA enabled in all PROD MAIN instances
Ensure that all SA users are using an approved IQVIA domain for their email address
Ensure that superadmin account details appropriately identify the account owner via username and email address.
Can a standard account be promoted to Superadmin?
Standard accounts can be ‘promoted’ to Superadmin. However, this can only be done by a Foundry Health IQVIA team member who is also a Superadmin.
...
Superadmin accounts are not impacted by customer SSO configurations, and for now, do not use SSO Identity Providers to log into ClinSpark instances. Foundry Health IQVIA team members log into ClinSpark instances with username/password credentials via standard login screen workflows. Superadmin accounts in ClinSpark production environments have two-factor authentication (2FA) enabled.
How can customers see Superadmin accounts in their environment?
In current releasereleases, Superadmin accounts are not visible to standard users when viewing the Administration > Users component. Additionally, Superadmin accounts are also suppressed from the user export in this component, if a non-Superadmin creates the report. If a Superadmin creates the export, all accounts are visible.
...
Upon request, Foundry Health IQVIA may be able to provide other ‘exports’ or ways to see Superadmin accounts in a given environment. Customers who wish to discuss this should open a service desk ticket. Future enhancements in later releases are likely to improve the visibility of Superadmin accounts to certain user types.
...
If necessary to review Superadmin actions outside of user interface controls, it may be possible for Foundry Health IQVIA to assist customers to build a query to access a read-replica database to report on actions a given Superadmin user has taken. Questions or interest in this topic should be raised via the service desk.