...
User accounts are required to access ClinSpark. To authorize access to certain studies and features, a user account is typically assigned one to many Sites, Studies, and Roles.
When creating a new user, the organization’s authentication rules set in Administration > General Settings are inherited by default. Password Can Expire and Session Timeout Minutes can be overridden at the per-user level.
Users can be assigned multiple roles and authorization is an aggregate of all the roles. Once assigned, the user will be authorized to perform any function within those roles.
Users can be restricted to one or more studies and/or sites, which facilitates controlled access to users internal or external to the customer organization.
The Administration > Users component provides capabilities for locating, exporting and managing users within an organization.
...
Newly created users will have no roles assigned. A user must be assigned at least one role to be able to log into ClinSpark.
Users can be restricted to 0 or more studies and sites. By default, users can interact with any study and site in the system unless defined otherwise by their account configuration or by specific access controls in place on a given study. Information about managing user access for sites and studies can be viewed in this article: Restricting User Access
User management features are designed to meet CFR 21 Part 11 guidelines:
Sessions timeout at configurable interval (see also User Session Timeout Features)
Passwords and accounts can be configured for expiration
Failed logins are logged, login attempts are tracked; user can be locked out after configurable number of failures and alerts are sent when failures threshold is reached
Lockout duration is configurable
Passwords ‘in plain text’ are not stored in the database, but rather a salted hash is stored
...
Password Minimum Length
Password Expire Days (number of days until user forced to change password)
Alphanumeric passwords (passwords must contain digits and letters)
Special character passwords (must contain one or more: !#"$%&'()*+,-./:;<=>?@[]^_`{|}~)
Prevent re-use of previous account passwords (configurable system setting)
...
If the setting value is 1 or greater, ClinSpark will check prior account passwords against this configuration and prevent reuse of a password that falls within the defined value.
This setting is enforced in workflows where a user resets their own password; either through their user profile, self-service password reset workflows, or a forced password reset during authentication (login) workflows.
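The following is an added example, not ClinSpark code, showing how the password rules above and a reuse check can work when only salted hashes are stored. The function names, PBKDF2-HMAC-SHA256, the iteration count, the default minimum length, and reading the reuse setting as "the N most recent prior passwords" are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Special characters accepted by the policy, copied from the list above.
SPECIALS = set("!#\"$%&'()*+,-./:;<=>?@[]^_`{|}~")

def hash_password(password, salt=None):
    """Return (salt, digest). PBKDF2-HMAC-SHA256 is this example's assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def policy_errors(password, history, min_length=8, alphanumeric=True,
                  special=True, reuse_depth=0):
    """Check a candidate password; history is [(salt, digest), ...], oldest first."""
    errors = []
    if len(password) < min_length:
        errors.append("too short")
    if alphanumeric and not (any(c.isdigit() for c in password)
                             and any(c.isalpha() for c in password)):
        errors.append("needs letters and digits")
    if special and not any(c in SPECIALS for c in password):
        errors.append("needs special character")
    # Each stored hash has its own salt, so the candidate must be re-hashed
    # with every stored salt; comparing against one fresh hash never matches.
    if reuse_depth >= 1:
        for salt, digest in history[-reuse_depth:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                errors.append("reused")
                break
    return errors

# Constructed sample history, oldest first (not real credentials).
HISTORY = [hash_password(p) for p in ("Spring#2023", "Summer#2024", "Autumn#2025")]

if __name__ == "__main__":
    for candidate in ("Summer#2024", "Spring#2023", "abc12345"):
        print(candidate, policy_errors(candidate, HISTORY, reuse_depth=2))
```

A reuse depth of 0 skips the history check entirely, which matches the "1 or greater" condition described above.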
...
The 2FA e-mail template is controlled by a system configuration and can be modified on request through the service desk by IQVIA superadmin users.
Disabling SSO
When a ClinSpark instance is configured to use SSO, there are options that become available that can disable SSO authentication enforcement. This is a per-account configuration. Typically, we see customers using SSO to enforce authentication for most of their internal staff users, and setting up ClinSpark accounts for external users (such as sponsors or monitors) that do not enforce SSO authentication.
To learn more about SSO setup and configuration, visit this article: Single Sign-on (SSO)
Within the account management screen, users can determine if SSO has been ‘disabled’ on an account.
When SSO is disabled for a given user account, the user will be allowed to authenticate into ClinSpark using their application username and password.
If SSO is not disabled, however, ClinSpark will not allow that user to authenticate.
Locked accounts
...