Q: In a previous issue of EduQuest-ions & Answers, you discussed how some users prefer hard copy backups. That triggered questions in my mind about managing user rights in software used for CAPA, complaint handling, managing quality data (such as in SAP systems), and other quality-related processes. Specifically:
1. Do we need records to document changes of user in/user out for quality-related software?
2. If we do need such records, what kind of information should be documented? Is an audit trail within the software sufficient, or should we have records — on paper or e-records — with electronic signatures?
3. Would it be sufficient to create a report after a specified time (for example, once a month or once a quarter) where all users of the system are documented along with their permissions, and define it as a record?
A: The overall answer is “yes”. For each of your quality-related systems, your company should document which user roles/responsibilities have what rights. Each electronic system should have a system administrator responsible for creating, editing, maintaining and removing access rights to that system. You should follow a formal process that documents user rights at a particular time. And it should be the responsibility of a supervisor or manager to give the system administrator information regarding who should have what rights.
[pullquote align=”right” cite=”” link=”” color=”” class=”” size=””]It’s good practice to periodically review the rights and permissions of the users in each system, and then document that review.[/pullquote]
Many systems have an audit trail of the system administrator’s activities, and that record can be used to track changes. It’s also good practice to periodically review the rights and permissions of the users in each system, and then document that review.
Some companies do such reviews monthly; others just quarterly or annually. It’s up to you and your company to determine the appropriate interval. In the review, be sure to document what was reviewed; who did the review and when; and what were the final results.
One more word of advice: it’s considered best practice to assign individuals to specific groups, then provide rights to those groups — rather than giving each individual his or her own set of rights.
Answered by Janis Olson , EduQuest VP of Regulatory and Quality Services (22 years as an FDA investigator and director of information resources) and instructor of EduQuest’s Quality Risk Management for FDA/ISO/ICH Compliance training class.