Access Rights and Administration

Electronic data management software has to provide a user management system on different levels. Whereas authentication is typically performed via user ID and password, access rights are defined via membership of users in departments, teams, and roles. The following structure shows a potential organization  

A role is a group of access rights that either defines access to individual modules (e.g., user management system, template creation module) or to individual task-related functions (e.g., IT administrator, reviewer, approver) of the software. 

In the simplest model, a document or file is created in a department that defines the users and their access rights according to the static organization of an institution or company. In contrast, a team represents a usually temporary new constellation of users. This is helpful for the typical study or project organization, where several scientists from different departments work for a limited time on a collaborative task. Teams can cover multiple laboratories or users, each of which may have rights in the team other than what they have in their default department. 

A record, file, or document created within a team derives the access rights from the team s definition rather than from the department. The important difference to file-based storage is that now the record inherits the access rights rather than the software environment. 

If electronic records derive their rights and restrictions from the corresponding department or team, in which they have been created, a possible scenario is a user might work at the same time on two records, one of which underlies GxP rules and requires an electronic signature and one of which does not. 

---