Network Administrators
Network Administrators are responsible for the overall access control configuration of a network. As such, they are power users with the ability to view and manage any network entity or activity at any time.
Only trained staff from the HPHCI DPM act as Network Administrators. Our development team (formally Lincoln Peak Partners) is responsible for the development of the PopMedNet software and the hosting of the networks managed by the HPHCI DPM. All staff have passed background checks as a condition of employment with their respective organizations.
Access Control Management
The PopMedNet software uses a system of granular access controls to manage user permissions within a network implementation. These access controls allow for customized network configurations to meet individual network governance requirements.
Access controls may be applied network-wide or to specific entities such as Organizations, DataMarts, and Projects. The PopMedNet team exclusively manages all access controls for every entity in each network. No access control management is delegated to any other users. This ensures uniformity of permissions across entities, security groups, and users.
Requests to change access controls at the network-wide or entity level must be sent to the PopMedNet Team. The PopMedNet Team will review all requests to ensure that they are technically feasible and appropriate with regard to network governance. If the requested change would result in a violation of network governance, it may be rejected or escalated for review by the governing body of the network.
User Authentication
The PopMedNet software requires that all user accounts are approved or created only by authorized users. The PopMedNet Team exclusively approves and creates users in each network. No user approval or creation permissions are delegated to any other users.
All new users must be authenticated before their accounts are approved or created. If an unauthorized user registers for an account on any network, they will not be approved until they have been verified as an authorized user by a network coordinating center (such as SOC) and/or an authorized user from their organization, depending on network governance requirements. Individual networks may also have additional requirements for user authorization, such as ensuring that appropriate signed forms are on record for the user. If the PopMedNet Team is unable to authenticate the user, his or her registration will be rejected.
After verifying that a user is authorized to participate in the network, the PopMedNet Team checks his or her registration to ensure that the appropriate corporate email address and other information are present. The PopMedNet Team then assigns the user to his or her specified organization and assigns security groups as appropriate. Security groups specify the permissions that apply to the user. See below for more information.
Designated Roles
The PopMedNet software uses Security Groups to determine the permissions that apply to each user. Security Groups are a combination of a role (e.g. Investigator, DataMart Administrator) and the network entity (Organization or Project) that the user has permission to act upon or within.
Security Groups and the permissions that apply to them are determined by the access control configuration of a network. The PopMedNet Team defines a standard set of roles that may be applied to entities within a network.
Role* | Description |
---|---|
Network (System) Administrator | Create, view and edit entities (Organizations, DataMarts, Projects, Users); assign/edit permissions; edit notifications. Only members of network operating centers based at HPHCI have this role. Networks: Sentinel, PCORnet, HDC |
DataMart Administrator | Review and respond to requests via the DataMart Client. Depending on network governance, DataMart Administrators may also manage the metadata for their DataMart(s) and/or submit requests to their own DataMart(s). Networks: Sentinel, PCORnet, HDC |
Investigator | May submit requests and review/export aggregated (not site-specific) results within a Project. Networks: PCORnet |
Enhanced Investigator | May submit requests and review/export disaggregated (site-specific) results within a Project. Networks: Sentinel, PCORnet, HDC |
Observer | View and audit network or Project activity, excluding request results. Networks: Sentinel, PCORnet, HDC |
Enhanced Observer | View and audit network or Project activity, including request results. Networks: Sentinel, PCORnet, HDC |
Organization Administrator | Manage the metadata for their Organization and DataMart(s). Monitor their DataMart(s) activity. Networks: Sentinel, PCORnet, HDC |
Request Reviewer | Review requests before they are released to any DataMart(s). Networks: Sentinel, PCORnet |
Response Reviewer | Review responses for a specified DataMart or group of DataMarts before they are released to the Investigator. Depending on network governance, Response Reviewers may also have the option to group responses from multiple DataMarts into aggregate result sets before release. Networks: Sentinel, PCORnet |
Not all roles may be used in each network.