T2.2: User Management

Overview

The default HealthShare security domain provides internal user management for deployments that do not integrate with an external identity provider. User accounts, passwords, and profile information are managed directly within HealthShare. Even deployments using external authentication typically use the default domain for system administrators and service accounts.

Creating Users in the Default Domain

Navigate to HealthShare > Security > Users, click "Create New User", and enter the required fields: Username (unique, cannot change after creation), Full Name (displayed in Clinical Viewer and audit logs), and Password (hashed and stored locally). Select the default internal security domain, assign initial roles, set the default facility, and configure optional properties (email, phone, department).

User Account Properties

Each account includes: Username, Full Name, Password, Security Domain, Roles, Default Facility, Status (Active/Inactive), Email, Phone, and Login Permissions (Management Portal, Terminal, Web Application access).

Password Policies

Configured at the domain level: minimum length (typically 8-12 characters), complexity requirements (uppercase, lowercase, digits, special characters), password expiration (e.g., every 90 days), password history (prevent reuse of last N passwords), account lockout after failed attempts, and lockout duration (automatic unlock or administrator intervention).

User Activation and Deactivation

Deactivation disables an account without deleting it — the user cannot log in but their audit history is preserved. Reactivation re-enables the account with existing credentials. Best practice: deactivate rather than delete departing users to maintain audit integrity.

Bulk User Management

For larger deployments:

• Import users from CSV files using HealthShare import utilities
• Use ObjectScript APIs (HS.Local.User class) for programmatic provisioning
• Script automated user creation for migration from other systems
• Schedule batch provisioning jobs for regular onboarding cycles
• Always test bulk operations in a non-production environment first
• Verify role assignments and facility mappings after bulk import

---

LDAP Integration Architecture

When a user enters enterprise credentials: HealthShare connects to the configured LDAP server, performs an LDAP bind with the user's credentials, queries the directory for user attributes (groups, department), maps attributes to HealthShare roles and properties, and auto-provisions the account if the user does not yet exist locally.

Active Directory Configuration

Navigate to System Administration > Security > System Security > LDAP Configuration. Configure:

• LDAP Server: AD server hostname or IP (use LDAPS port 636 for encryption)
• Base DN: Search base (e.g., DC=hospital,DC=org)
• Bind DN: Service account for querying AD (e.g., CN=HSService,OU=ServiceAccounts,DC=hospital,DC=org)
• Bind Password: Service account password
• Search Filter: User lookup pattern (e.g., (&(objectClass=user)(sAMAccountName=%u)))
• Use TLS/SSL: Enable LDAPS for encrypted directory communication

Attribute Mapping

Map AD attributes to HealthShare properties:

• sAMAccountName → Username
• displayName → Full Name
• mail → Email
• memberOf → Roles (via group-to-role mapping)
• department → Department/Facility (optional)

Group-to-Role Mapping

Define mapping rules from AD groups to HealthShare roles. Example: CN=Physicians,OU=ClinicalGroups,DC=hospital,DC=org maps to %HS_Clinician. Multiple AD groups can map to a single role. A user's effective roles are the union of all mapped roles. Group membership is re-evaluated at each login, so AD changes take effect at next login.

Custom Domain and Auto-Provisioning

Create a new domain at HealthShare > Security > Security Domains with type "LDAP", link it to the LDAP configuration, set default roles, and enable auto-provisioning. When enabled, users who authenticate via LDAP but lack a HealthShare account are created automatically with attributes from the directory and roles from the group mapping. No administrator intervention is required.

---

Built-In Roles

%HS_Administrator: Full access to system configuration, user management, federation settings, productions, consent policies, and facility settings. Assign only to system administrators.

%HS_Clinician: Access to patient records in the Clinical Viewer, MPI search, and clinical data viewing (subject to consent policies). Standard role for physicians and clinicians.

%HS_Nurse: Similar to %HS_Clinician but may restrict access to certain sensitive data categories. Aligns with nursing scope of practice.

%HS_Viewer: Read-only access to clinical data. Cannot modify records or configurations. Suitable for users who need to view but not interact with patient information.

%HS_ClinicalAdmin: Administrative access to clinical configuration (consent policies, CITs, delivery policies) without system-level administration. For clinical informatics staff.

%HS_Coordinator: Access to care coordination features — care team assignments and care plans. Used by care coordinators and case managers.

Role Hierarchy and Inheritance

Roles can include other roles as members. When a parent role includes a child role, users with the parent inherit all permissions of the child. Example: a custom "ChiefPhysician" role might include %HS_Clinician plus additional administrative permissions. The effective permissions for a user are the union of all directly and indirectly assigned roles.

Custom Roles

Navigate to System Administration > Security > Roles, click "Create New Role", define the name, description, and included resources/privileges, optionally include other roles for hierarchy, and assign to users who need the defined access level.

---

Assigning Roles

Navigate to HealthShare > Security > Users, select the user, go to the Roles tab, add or remove roles, and save. Changes take effect at the user's next login, not immediately for active sessions.

Bulk Role Assignment Methods

Domain Default Roles: All users in a domain automatically receive the configured default roles. LDAP Group-to-Role Mapping: AD group membership determines HealthShare roles; changes to AD groups update roles at next login. Programmatic Assignment: ObjectScript APIs enable scripted role assignment for migration or batch provisioning.

Reviewing Effective Permissions

Check directly assigned roles, roles inherited through hierarchy, domain default roles, and LDAP-mapped roles. The Management Portal's "Effective Permissions" view shows the combined result. Compare effective permissions against job requirements.

Role Membership Auditing

Best practices for ongoing role governance:

• Conduct periodic access reviews (quarterly or semi-annually)
• Verify users still need their assigned roles based on current job function
• Remove roles for users who change positions or leave the organization
• Monitor for dormant accounts (users who have not logged in for extended periods)
• Use HealthShare audit reports to identify users with excessive privileges
• All role assignment changes are recorded in the security audit log with details of who made the change, what roles were added or removed, and when the change occurred
• Retain audit logs according to organizational and regulatory retention requirements

---

Assigning Users to Facilities

Navigate to HealthShare > Security > Users, select the user, go to Facility Assignments, add facilities from the facility registry, designate one as the default (primary) facility, and save.

Default Facility

The default facility determines: the initial Clinical Viewer context, which facility's patients appear first in search results, the facility context for consent policy evaluation, and the facility context for audit logging.

Multi-Facility Users

Assign the user to all relevant facilities. The user can switch between facility contexts in the Clinical Viewer. Data access at each facility is subject to applicable consent policies. Audit logs track which facility context the user was operating in.

Facility-Based Access Control

Facility assignments interact with consent policies (facility-level restrictions based on user affiliation), role-based access (roles may have facility-scoped permissions), and data segregation (users may only see data from assigned facilities depending on configuration).

Edge Gateway Relationship

Each facility is associated with one or more Edge Gateways that store local patient data. User facility assignments determine the routing context for data queries and clinical data retrieval.

Managing at Scale

Use LDAP attribute mapping to auto-assign facilities based on AD attributes (e.g., office location). Review assignments when clinicians transfer between locations. Deactivate facility assignments for users who no longer work at a facility.

---

Push Notification Configuration

Navigate to HealthShare > Configuration > Delivery Policies. Enable push notification delivery, configure the delivery mechanism (HealthShare inbox, email, HL7 message, or custom), set priority levels, configure notification templates, and define routing rules.

Notifications can be triggered by: new lab results, discharge summaries, medication changes, ADT events (admission/discharge/transfer), radiology reports, pathology results, or custom clinical events.

Push Subscription Types

• Patient-based: Notifications for all clinical events related to a specific patient
• Event-based: Notifications for specific event types regardless of patient
• Facility-based: Notifications for events at a specific facility
• Combined: Patient + event type combinations (e.g., lab results for Patient X)

Clinicians manage subscriptions through the Clinical Viewer. Administrators can manage on behalf of clinicians. Subscriptions can be time-limited or automatically created based on care team membership.

Message Repository

Stores notifications when clinicians are offline. Configure at HealthShare > Configuration > Message Repository Settings. Set retention period (e.g., 30-90 days), storage limits per user, archival policies, and cleanup jobs. Messages support status tracking: unread, read, acknowledged, archived.

Delivery Filter Management

Create filters based on event type, data source, patient attributes, and clinician role. Set filter actions: deliver, suppress, delay, or escalate. Common patterns include: deliver critical lab results immediately, suppress routine vital signs for outpatients, delay non-urgent notifications overnight, and escalate unacknowledged urgent alerts.

Clinician Enrollment

1. Assign the clinician appropriate HealthShare roles (e.g., %HS_Clinician) 2. Configure delivery preferences (notification channel, frequency, quiet hours) 3. Set facility assignments (determines which facility events are subscribable) 4. Create initial subscriptions based on patient panel or care team assignments 5. Verify delivery with a test notification

Enroll new clinicians during onboarding. Deactivate subscriptions (do not delete) for departing clinicians. Update subscriptions when clinicians change facilities.

---