IMedConsent Security

From iMedConsent_Docs
Jump to: navigation, search

This section explains the security roles in iMedConsent, what access each provides and how to administer them.

NOTE: The iMedConsent system relies on the local facility system (Windows authentication, Domain authentication) security settings and electronic medical record system authentication (Access/Verify codes for the VA’s CPRS, for example) to make it “secure.” The iMedConsent “security roles” are nothing more than a way to limit users’ access to the various functionality in the program itself.

All iMedConsent security role administration is handled through the ACLEditor (Access Control List Editor) application that was installed on the iMedConsent server at the time of implementation. Typically the folder into which this application is copied during installation is locked down to only allow system administrators or application administrators access to the program itself.

The default location for the ACLEditor is the following folder: \\[iMedConsentServer]\iMed##\Admin\ACLEditor.exe

To run the ACLEditor, simply navigate to the folder on your network and double-click the ACLEditor.EXE file.

The following will be displayed:
ACLeditor.jpg

  • Note that the folder in which the ACLEditor.EXE resides should be secured against unauthorized use of this potentially sensitive application.


Users


To administer the iMedConsent security, only “add” various groups to the appropriate users.
The iMedConsent System recognizes the following groups:

• Users

• Authors

• Adminstrators

• Server Operators

The following table outlines the different actions to which each group has access:

Useractions3.jpg
Useractions2.jpg

The iMedConsent system is installed with all users being a member of all security groups (to ease implementation and installation). The first thing to do is “lock down” the application so that generic users are only a member of the USERS group. To do so, perform the following steps:

1. If not already started, start ACLEditor. The following will be displayed:

ACLeditor.jpg


2. Click on the Users tab. The asterisk (*) represents all users not specifically listed here.

Number1.jpg

3. If a user is not specifically listed here by name or machine name, then that user will be a member of those security groups listed for this pseudo-user. Double click the asterisk. The following will be displayed:

Number3m.jpg


4. As shown, the generic user (represented by the asterisk) is a member of all four security groups. This means that anyone not specifically listed in this list will be able to do anything with the system! This needs to be lock down. Click the Administrators group item in the list and click on the Remove button. The following will be displayed:

Number4jpg.jpg

5. Repeat this with the Authors and Server Operators items in the Member Of list. The following will be displayed:

Number5m.jpg

6. Clicking on OK now, the changes will NOT take effect. First click on the Apply button before doing so. Click on the Apply button now. That will disable the Apply button.

7. Click on the OK button. The following will be displayed:

Number1.jpg

8. Double-check the security group settings for the generic user by double-clicking on the asterisk. The generic user is now associated only with the Users security group.

Adding a user to the administrators group is nearly as simple:

1. Start ACLEditor if it is not already started. Click on the Users tab. The following will be displayed:

Number1.jpg

2. Click on the Add button. The following will be displayed:

Number3.jpg

3. Into the Name text box, type the user name for someone on the network whom is to be made an administrator of the iMedConsent system. For example, adding a new user, newuser:

Number3.jpg

4. Click on the User option in the Name Type list.

5. Click on the Create button. This will clear the Name and Name Type selected. This allows multiple users to be added. Click on the Close button. The following will be displayed:

Number5.jpg

6. Double-click on the user just created newuser. The following will be displayed:

Number6.jpg

7. Notice that the Member Of list is empty. That’s because this user has not been added to any security groups.

8. Users can be in any of the groups mentioned above and the groups ARE NOT cumulative. A user added only to the Administrators group can NOT process a document. A user added only to the Server Operators group cannot administer or author documents or even use the system.

9. Click on the Add button. The following will be displayed:

Number9.jpg

10. Double-click the Administrators group name. The following will be displayed:

Number11.jpg

11. The user added is now a member of the Administrators group. Repeat this process with the Users, Authors, and Server Operators groups. Afterwards the new "super user” can perform any task in the iMedConsent system.

Users vs. Computers in the User Setup Screen

Setting up users cab be done by specifying either network usernames or network computer names. Administrative users can specify that for a given user, regardless of where she uses iMedConsent and also that a given machine, regardless of who is using the machine (exceptions apply – see below) will have only the rights given to that machine.

If a user with permissions set uses a machine with permissions set, the user’s permissions rule.

Best Practices

The following is a suggested setup, noting each facility has specific needs..
.
Bestpractices.jpg