Upcoming changes to user management
Learn how user management will be changing in the future and the benefits these changes will bring.
We will be making changes to user management in CDMS. In this Knowledge Base article, we'd like to explain why these changes are being made, how they might affect your study, and, most importantly, what benefits they bring to study management. Please note that all users will have the same access and permissions after this change.
Prior to rollout of the new permissions capabilities: User-level permissions
Castor CDMS's user and permission management is currently based on individually set permissions ('rights') per site. Furthermore, roles can be used to blind certain parts of the CRF for groups of users and to create a permissions template. If you're managing a user's permissions, you can use these 'templates' to assign an initial set of permissions. This is useful for setting up a study, but it can be challenging to manage permissions as a study advances:
1) Because roles simply allow you to construct a template of permissions, they can be altered on a per-user basis after the role is assigned.
2) Because roles are merely permission templates, changing the permissions assigned to an existing role will not change the permissions for the users who have been assigned this role.
Next: Moving to role-level permissions
In the 2023.4.1.0 release, we will no longer support setting rights at the user level; instead, we will only enable setting permissions at the role level to increase efficiency and security. This means that roles will be the only mechanism to assign permissions, and assigning and overriding permissions at the user level will not be possible anymore.
Migrating current permissions to role-based permissions
We will migrate the current permissions assigned to users in your study to roles automatically. Where a user's permissions deviate from the role currently assigned to them, a new role may be created. If no permission deviations occur for a specific role, the current role will remain assigned. A generated role takes the name of the existing role followed by a list of the permissions actually assigned, between brackets; in the example below: “Admin (edited: Add, View, Edit, Email, Rand.)”.
A description will be added to the generated role, stating that the role is generated based on deviation of permissions of an existing role (e.g., Generated based on the 'Admin' role). The generated role will be added to the role blinding settings for study structure elements that were blinded for the original role. Users will be given the same created role if they share the same permission deviations.
Example
- Site 1 follows the permission template for the Admin role as defined above.
- This leaves the user with Add, View, Edit, Email, View randomization, Sign, Lock, Verify, Query, Archive, and Export permissions.
- The existing role (Admin) will stay assigned to the user for Site 1.
The user has deviations in the assigned permissions for the Admin role for Site 1 and Site 2.
- For Site 2, an additional permission is assigned (marked 🟢) and 7 other permissions have been unassigned (marked 🔴).
- This leaves the user with Add, View, Edit, Email, and Randomization permissions.
- A new role will be created, named Admin (edited: Add, View, Edit, Email, Rand.). This role will be assigned to the user for Site 2.
- For Site 3, 10 permissions have been unassigned (marked 🔴).
- This leaves the user with only the Export permission.
- A new role will be created, named Admin (edited: Export). This role will be assigned to the user for Site 3.
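The migration rule described above, reproduced as an added Python sketch so you can predict which roles will be generated before checking the preview. This is not Castor's own code: the function and field names, the label order, and the sample users are assumptions, and only the "Rand." abbreviation is taken from the page.

```python
# Added illustration of the migration rule; not Castor's own code.
ADMIN = ["Add", "View", "Edit", "Email", "View randomization", "Sign",
         "Lock", "Verify", "Query", "Archive", "Export"]
# Assumed display order and short labels; only "Rand." appears on the page.
ORDER = ["Add", "View", "Edit", "Email", "Randomization"] + ADMIN[4:]
SHORT = {"Randomization": "Rand."}

def migrate(templates, assignments):
    """Map (user, site, role, permissions) rows to role-only assignments.

    Returns (new_assignments, generated_roles). Rows whose permissions match
    the role template keep the role; identical deviations share one new role.
    """
    generated = {}  # (base role, permission set) -> generated role record
    result = []
    for user, site, role, perms in assignments:
        perms, template = frozenset(perms), frozenset(templates[role])
        if perms == template:
            result.append((user, site, role))
            continue
        key = (role, perms)
        if key not in generated:
            rank = lambda p: (ORDER.index(p) if p in ORDER else len(ORDER), p)
            labels = [SHORT.get(p, p) for p in sorted(perms, key=rank)]
            generated[key] = {
                "name": f"{role} (edited: {', '.join(labels)})",
                "description": f"Generated based on the '{role}' role",
                "blinded_like": role,  # inherits the original role's blinding
                "added": sorted(perms - template),
                "removed": sorted(template - perms),
            }
        result.append((user, site, generated[key]["name"]))
    return result, list(generated.values())

# Constructed sample mirroring the three sites in the example above.
SAMPLE = [
    ("user_a", "Site 1", "Admin", ADMIN),
    ("user_a", "Site 2", "Admin", ["Add", "View", "Edit", "Email", "Randomization"]),
    ("user_b", "Site 2", "Admin", ["Add", "View", "Edit", "Email", "Randomization"]),
    ("user_a", "Site 3", "Admin", ["Export"]),
]

if __name__ == "__main__":
    new_assignments, roles = migrate({"Admin": ADMIN}, SAMPLE)
    for row in new_assignments:
        print(row)
    for r in roles:
        print(r["name"], "| added:", r["added"], "| removed:", len(r["removed"]))
```

The "added" list is the part worth reviewing first: a generated role with a non-empty "added" list grants something the original role template did not.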
Preview of changes in roles and role assignments
On the Users page, you may already preview the roles that will be generated. You can preview the impact on your study by clicking the ‘Preview’ button in the banner displayed at the bottom of the screen.
Clicking the button will open a page that lists two tables:
- Current and new roles;
- Current and new role assignments.
Since the page is generated automatically, it will always reflect any modifications made to the current permissions, role assignments, and role deviations.
We kindly request that you review the permissions of your study's users, remove inactive users from your study, and ensure that the roles that will be assigned reflect the expected permissions.
The Current and new roles tables show the current roles and associated permissions (in blue) and roles that will be generated since they deviate from the original role (in yellow). In addition, the number of assignments (role assigned to a specific user for a specific site) will be shown.
The Current and new role assignments table offers a list of users assigned to each site, together with their current and new roles. As mentioned before, if there were no permission deviations from the current role, the role will stay assigned (in white). If there were deviations, a new role will be generated and assigned (in yellow).
Changes to inviting users and assigning roles
Assigning roles via the User interface
Instead of assigning single permissions or utilizing a role as a permission template to define permissions, you are now prompted to select a role per site. We've added the ability to assign roles when adding new users, as well as assign roles in bulk (assigning roles to several users at the same time).
Assigning roles via the API
The API has also been modified to reflect the changes. As part of the transition to role-based permissions, the study-user endpoints no longer accept or return user-level permissions (in the institute_permissions array). In each of the endpoints, the API now accepts and returns role assignments per site (in the role_assignments array). Furthermore, the role parameter has been renamed to role_name and any parameters following old terminology have been updated (e.g., institute_id has been updated to site_id).
[Table comparing 2023.3.0.0 and 2023.4.1.0; contents not available]
Glimpse at other improvements to user management
By changing the way users and permissions are managed, we are able to bring more improvements to the Users page. From the 2023.4.10 release on, the Users page will have a modern look and feel and will be split into ‘Users’ and ‘Roles & permissions’ subpages. The Users subpage now allows you to filter on specific roles, sites, management permissions, and 2-factor authentication status. The Roles & permissions subpage provides you with an overview of current roles and associated permissions.
More information about the upcoming changes will be communicated through the Product Email and Release Notes made available a few weeks before the 2023.4.1.0 release.