Who is accessing key documents in your trial master file? What changes were made, and by whom and when? How do you keep unauthorized parties from seeing certain documents?
Regulators, investors and other parties will ask these questions. Every clinical trial team needs to know the answers — and they need to be able to provide evidence of the answers on demand, too.
Role-based access controls (RBAC) offer a way to answer these questions. Here’s why every eTMF needs RBAC options.
How Role-Based Access Works
Role-based access control, or RBAC, assigns every software user a role. Each role has permission to access certain documents, applications or other tools on the software platform. When a user logs in, their assigned role controls what they can see and do.
Despite the name, role-based access control affects more than merely access. RBAC “can refine the way a user interacts with data,” writes Maile McCarthy at infrastructure access platform strongDM. For example, a role may include the ability to view a certain document but not to change it. Or a role may allow a user to edit certain documents.
Although role-based access control has existed in some form since the 1970s, it wasn’t until 1992 that the process began to standardize controls and expectations. A standard for RBAC control was issued by the American National Standards Institute in 2004.
Today, all role-based access controls must meet three minimum requirements:
- Role assignment: Every user must be assigned a role.
- Role authorization: A user’s active role must be authorized. Users cannot simply assign themselves roles and automatically gain all the permissions associated with that role.
- Permission authorization: Permissions are connected to roles. A user can exercise a permission (such as opening a document) only if the user has a role that includes that permission.
Many commonly-used software platforms and applications include role-based access controls. Users of Windows, for example, may have found they cannot install a program without being assigned the role of administrator. Similarly, Google Drive users who share files with others can choose whether another user can merely view a document or may also edit it.
Putting Role-Based Access To Work in Your eTMF
Role-based access provides an important layer of protection for documents stored in an eTMF. According to the Verizon 2021 Data Breach Investigations Report, 61 percent of data breaches start with a hacker leveraging someone else’s credentials to access information.
With role-based access, the information a user can access is connected to the role they are assigned — and the same goes for a hacker who steals that user’s login credentials. When roles follow the “principle of least privilege” (POLP), giving each user only the minimum access they need, even a compromised credential may not provide access to an entire system, writes Andra Andrioaie at Heimdal Security.
Yet role-based access controls don’t merely thwart data breaches. They also help your team work more efficiently. Robust RBAC can even create automatic logs of key actions and tasks, helping your team meet regulatory demands.
Requiring every team member to request permission for each action they take in the eTMF can quickly lead to chaos, especially when clinical trial team members don’t work in the same location or even the same time zone. When permissions are automatically defined by roles, “RBAC allows everyone to work autonomously,” writes Marie Prokopets, co-founder of real-time access control system Nira. RBAC also makes it easier to add new users to the system, because roles are predefined.
Role-based access controls also help clinical trial teams meet ALCOA-C expectations:
- Attributable: RBAC can help track who accessed, documented or edited information.
- Legible: RBAC eliminates the need for handwritten access tracking.
- Contemporaneous: RBAC tools can log access, editing and other actions a user takes in real time.
- Original: RBAC logs are created as events happen, giving administrators access to the first record of user behavior tracked within the eTMF.
- Accurate: Because user permissions are linked to roles, administrators can be certain a user is where they are authorized to be and doing what they are authorized to do, with clear information about those activities.
- Complete: Administrators can control roles, permissions and which information is logged.
Every eTMF needs robust RBAC capabilities. When role-based access controls work well, document quality needs are met and crucial information remains protected.