© 2024 IQVIA - All Rights Reserved
Superadmin Accounts
- 1 Summary
- 2 Administration Components
- 2.1 Support
- 2.2 Sites
- 2.3 General Settings
- 2.3.1 Advanced System Setup
- 2.3.2 Organization Basics
- 2.3.3 Barcodes
- 2.3.4 Communications
- 2.3.5 Volunteer Settings
- 2.4 System Settings
- 3 Volunteers > Configure
- 4 Study > Data
- 5 Devices > Configure
- 6 Common Questions & Answers
- 6.1 Who can create & manage Superadmin accounts?
- 6.2 When are Superadmin accounts created?
- 6.3 When are Superadmin accounts deactivated?
- 6.4 Are there periodic reviews of Superadmin accounts in customer environments?
- 6.5 Can a standard account be promoted to Superadmin?
- 6.6 How are Superadmin accounts secured? Do they use SSO?
- 6.7 How can customers see Superadmin accounts in their environment?
- 6.8 Is there a way to see what actions a Superadmin has taken?
Summary
Every ClinSpark instance contains a unique user account type called ‘Superadmin’, which is reserved for and used exclusively by IQVIA team members. This account type exists as a mechanism to help IQVIA configure, manage, and support ClinSpark instances based on ongoing customer needs.
Superadmin accounts inherit all available Role Actions and all configured Roles in a given environment, and can access every area of ClinSpark. Additionally, these accounts are given access to specific features that are intended only for IQVIA, because of the implications these features and configurations have across an instance. An incorrectly configured system setting or lab interface (for example) could have an undesired impact on trial conduct and system stability.
This article outlines some of the key areas Superadmin users have access to.
Administration Components
Support
Superadmin users have access to the Administration > Support component, which allows the IQVIA team access to a specific set of dashboard components built for support and billing purposes. This area is most frequently accessed to review internal server log statements.
This menu item is only visible to Superadmin users.
Any system configurations with ‘support’ type classification appear in this Support area.
Sites
For customers who operate ClinSpark under an early-phase model where volunteer database and recruitment features are enabled, only Superadmin users are able to create ‘site’ entities. This is due to the implications sites have across several instance configurations, and the licensing/pricing fees related to multi-site use.
For customers who use ClinSpark under later-phase multi-site configurations, where ‘Volunteers’ features are disabled (also referred to as “headless mode”), non-Superadmin users have the ability to create sites.
For a given site, the following configuration settings are exclusive to Superadmin users:
- Defining Mobile App Display Name/URL
- Verified Clinical Trials (VCT) transform script definition
- Ability to add new lab interfaces
- For a given lab interface, the ability to modify:
  - Order Requisition Template
  - Order Transform Script
  - Result Transform Script
  - Mock Result Transform Script
  - Order Confirmation Transform Script
General Settings
There are several settings in the Administration > General Settings component that are only visible to Superadmin users.
Advanced System Setup
The Advanced System Setup area allows IQVIA to enable/disable full system features for customer use. This is an important configuration task that takes place when environments are put in place for customers.
A detailed overview of this area of ClinSpark and system-wide configurations can be reviewed in this article: General Settings > Advanced System Setup | Summary
Organization Basics
Within the Organization Basics area, only Superadmin users are allowed to establish and modify the ‘Org URL’, which is a setting used by many of the features across ClinSpark.
Barcodes
Within Barcodes, only Superadmin can modify the visible settings. This is due to the implications these padding, delimiter, and prefix settings have across a variety of ClinSpark features that leverage barcodes, as well as site lab interface workflows. Typically these settings are established for customers during onboarding phases.
For Label Merge Tags, only Superadmin can add new Merge Tags and modify a given tag transform script.
Communications
The Communications area contains features supporting SendGrid and password reset.
Within Recruitment Email, the ‘Set Webhooks’ action item, which sets specific webhooks via the SendGrid API, is reserved for Superadmin. Additionally, only Superadmin can establish the Google Recaptcha Keys, which are used for both SendGrid and password reset functions.
The Correspondence Template Merge Tags are accessible to qualified ClinSpark users with access to the General Settings component. However, only Superadmin have the ability to add new Merge Tags into a given environment and modify their Transform Script.
Volunteer Settings
The Volunteer Settings area contains several configurations which are exclusive to Superadmin.
- Ability to establish the system Volunteer Monitoring URL. This is typically the URL established for SparkPlug configurations and features supporting ‘Monitoring’ style devices and workflows. When this URL is not defined, certain ‘Monitoring’ device configurations and workflows available within CRF Design, Data Collection, and Volunteer components are disabled. More details about this are located in this help article.
- Ability to archive ‘Volunteer Data Collection Connectivity’ settings, which includes Concomitant Medications (Screening), Demographics, Medical History, and Substance Use. These influence certain user interface options in the Volunteer component (and a given volunteer profile), and the Volunteer Connectivity forms available for study use.
- For each Interface Parameter, only Superadmin users can modify the following:
  - Data Type
  - Code List Name
  - Code List Options
- Only Superadmin users can add, modify, and view Volunteer Races.
System Settings
Certain features exposed in the Administration > System Settings component are reserved for Superadmin users, specifically access to configuration fields that govern view and data logic for reports, dashboard components, and volunteer search functions.
Standard ClinSpark Administrators (non-Superadmin) do have access to some parts of the configurations, such as the ability to define Role/Role Action/Study restrictions, visibility into script MD5 checksums (hashes), and audit trails.
A detailed overview of each setting exclusive to Superadmin:
- General:
  - Ability to view and download ‘scripts’ & ‘settings values’
  - Ability to change report names
  - Ability to view synchronization statuses
  - Ability to add new system settings
  - Ability to manage Org images (background images visible on login screen)
  - Note: a regular ClinSpark Administrator can access the audit trail on all visible settings
- Dashboard components; only Superadmin can access:
  - View Script
  - Data Script
  - Data Script Template
  - Type
  - Configuration Import (action)
- Global settings; only Superadmin can:
  - Add new or Edit existing settings
  - Set ‘visibility’ flag (hide/show from non-Superadmin)
  - Note: The “RecruitmentApiHandler” system setting in ClinSpark can only be configured / updated by Superadmin
- Reports; only Superadmin can access:
  - View Script
  - Data Script
  - Data Script Template
  - Icon
  - Configuration Import (action)
- Volunteer Search Functions: only Superadmin can add or edit
Volunteers > Configure
Within the Volunteers > Configure area, there are certain configurations exclusive to Superadmin users.
For Correspondence Templates, only Superadmin users can modify the HTML Header Text.
For Recruitment Questions, only Superadmin users can modify the Question Code.
For Volunteer Questions, only Superadmin users can modify question Answer Patterns.
Study > Data
Up until version 23.3, only Superadmin users have access to a support feature in Study > Data, for each form/timepoint. This ‘Move’ action item is available in order to perform audited actions to resolve certain service requests to modify site, subject, and study event details on study forms.
Starting in version 23.3, this feature is not exclusive to Superadmin users, and is available for customers to use. It is protected by a role action called ‘Study Data Move Form Data’. More details about that role action are available in this article: Role Actions | Study Data Move Form Data
Devices > Configure
For most customers, nearly all of the device integration capabilities for a given ClinSpark instance are established and maintained by Superadmin users. Additionally, when a given device is ‘archived’ from system use, it’s not visible to non-Superadmin users.
For a given Device Integration profile, Superadmin users have the ability to do the following:
- Add new device integrations, and archive existing
- Modify device type, Manufacturer, ‘Direct’ setting, Monitoring Type, and Model
- Add new device parameters, and archive existing
- Modify device parameters including ‘Enrollment’ setting, Monitoring Source, Captured Date Time, and Data Type
- Add and modify device settings
Common Questions & Answers
Many customers have questions about Superadmin accounts, their use, and governance. The following section hopes to address some of the common questions we receive.
Who can create & manage Superadmin accounts?
Only a Superadmin type account can create or manage other Superadmin accounts in the user interface. Since IQVIA staff are the only users who are given Superadmin accounts, these actions are carried out by a member of the IQVIA team.
Customers are unable to create Superadmin accounts.
When are Superadmin accounts created?
Superadmin accounts are created in one of two ways:
- Via automated script when environments are first created
- Using the ClinSpark user interface
When a brand new ClinSpark environment is created, there are processes that ‘bootstrap’ the environment with a very basic set of configurations in order to make it accessible by IQVIA staff prior to the handover of the environment to customers. This bootstrapping process creates a small set of Superadmin accounts for engineering and support team members, who can access and review the environment prior to customer handover.
After the bootstrapped accounts are created, the ClinSpark user interface must be used to add or modify Superadmin accounts. IQVIA staff are granted Superadmin accounts in applicable customer environments to support onboarding, training, and support efforts. IQVIA team members are only given access to customer ClinSpark environments once they have received the proper level of training necessary to perform actions applicable to their role.
When are Superadmin accounts deactivated?
If someone with a Superadmin account leaves the IQVIA team, or no longer requires access to an environment, their access is revoked within the time interval specified in SOPs, and their account is set to an archived status.
Are there periodic reviews of Superadmin accounts in customer environments?
On a quarterly basis, IQVIA conducts a review of all Superadmin accounts across customer PROD MAIN/TEST environments. An internal JIRA ticket is raised to initiate the process, and all actions taken during the review period are tracked on the JIRA ticket. A member of the support team reviews an export of Superadmin users across all customer PROD instances and takes action accordingly. Review tasks are:
- Ensure that any recent Superadmin leavers of the organization are removed from customer environments
- Ensure that all existing SA users have MFA enabled in all PROD MAIN instances
- Ensure that all SA users are using an approved IQVIA domain for their email address
- Ensure that Superadmin account details appropriately identify the account owner via username and email address
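The four review tasks above can be expressed as checks over a user export. The following is an added example, not IQVIA's or ClinSpark's own tooling: the CSV column names, the `iqvia.example` placeholder domain, the leaver list, and the generic-name heuristic for the "identifies the owner" task are all assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Column names are assumptions, not ClinSpark's format.
SAMPLE_EXPORT = """\
instance,environment,username,email,mfa_enabled,status
acme,PROD MAIN,asmith,asmith@iqvia.example,true,active
acme,PROD MAIN,bjones,bjones@iqvia.example,false,active
acme,PROD TEST,bjones,bjones@iqvia.example,false,active
beta,PROD MAIN,cwu,cwu@mail.example,true,active
beta,PROD MAIN,dlee,dlee@iqvia.example,true,active
beta,PROD TEST,dlee,dlee@iqvia.example,true,archived
gamma,PROD MAIN,support,support@iqvia.example,true,active
"""
APPROVED_DOMAINS = {"iqvia.example"}  # placeholder for the approved domain list
LEAVERS = {"dlee@iqvia.example"}      # constructed leaver list
GENERIC_NAMES = {"admin", "support", "test", "superadmin"}  # assumed heuristic


def review_superadmins(export_text, approved_domains, leavers):
    """Return (instance, environment, username, issue) per failed review task."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() == "archived":
            continue  # archived accounts are already deactivated
        email = row["email"].strip().lower()
        username = row["username"].strip().lower()
        env = row["environment"].strip().upper()
        issues = []
        if email in leavers:
            issues.append("leaver_still_active")
        # The MFA review task on the page is scoped to PROD MAIN instances.
        if env == "PROD MAIN" and row["mfa_enabled"].strip().lower() != "true":
            issues.append("mfa_disabled")
        # An address without "@" yields the whole string and fails this check.
        if email.rpartition("@")[2] not in approved_domains:
            issues.append("unapproved_domain")
        # Shared or generic names do not identify an individual account owner.
        if username in GENERIC_NAMES or email.partition("@")[0] in GENERIC_NAMES:
            issues.append("owner_not_identifiable")
        findings.extend((row["instance"], env, username, i) for i in issues)
    return findings


if __name__ == "__main__":
    for finding in review_superadmins(SAMPLE_EXPORT, APPROVED_DOMAINS, LEAVERS):
        print(*finding, sep="\t")
```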
Can a standard account be promoted to Superadmin?
Standard accounts can be ‘promoted’ to Superadmin. However, this can only be done by an IQVIA team member who is also a Superadmin.
By the same process, a Superadmin account can also be ‘downgraded’ to a standard account. This can only be done by another Superadmin.
How are Superadmin accounts secured? Do they use SSO?
Superadmin accounts must meet the same password complexity requirements as all other ClinSpark user accounts. These environment-specified authentication requirements are based on the configurations established by customers via the Administration > General Settings component.
Superadmin accounts are not impacted by customer SSO configurations, and for now, do not use SSO Identity Providers to log into ClinSpark instances. IQVIA team members log into ClinSpark instances with username/password credentials via standard login screen workflows. Superadmin accounts in ClinSpark production environments have two-factor authentication (2FA) enabled.
How can customers see Superadmin accounts in their environment?
In current releases, Superadmin accounts are not visible to standard users when viewing the Administration > Users component. Superadmin accounts are also suppressed from the user export in this component if a non-Superadmin creates the report. If a Superadmin creates the export, all accounts are visible.
Upon request, IQVIA may be able to provide other ‘exports’ or ways to see Superadmin accounts in a given environment. Customers who wish to discuss this should open a service desk ticket. Future enhancements in later releases are likely to improve the visibility of Superadmin accounts to certain user types.
Is there a way to see what actions a Superadmin has taken?
Superadmin accounts are like standard user accounts, in that these accounts have audit trails and all actions taken are audited and visible in applicable audit trails. Nothing exempts a Superadmin from having their actions audited in ClinSpark.
If it is necessary to review Superadmin actions outside of user interface controls, it may be possible for IQVIA to assist customers in building a query against a read-replica database to report on actions a given Superadmin user has taken. Questions or interest in this topic should be raised via the service desk.
Exported and Printed Copies Are Uncontrolled