Analyst Software. Laboratory Director s Guide to Security and Regulatory Compliance. Part Number: A June 2003

Transcription

1 Analyst Software Laboratory Director s Guide to Security and Regulatory Compliance Part Number: A June 2003

2 This document is provided to customers who have purchased MDS Sciex equipment to use in the operation of such MDS Sciex equipment. This document is copyright protected and any reproduction of this document or any part of this document is strictly prohibited, except as MDS Sciex may authorize in writing. Equipment that may be described in this document is protected under one or more patents filed in the United States, Canada, and other countries. Additional patents are pending. Software that may be described in this document is furnished under a license agreement. It is against the law to copy, modify, or distribute the software on any medium, except as specifically allowed in the license agreement. Furthermore, the license agreement may prohibit the software from being disassembled, reverse engineered, or decompiled for any purpose. Portions of this document may make reference to other manufacturers products, which may contain parts that are patented and may contain parts whose names are registered as trademarks and/or function as trademarks. Any such usage is intended only to designate those manufacturers products as supplied by Applied Biosystems/ MDS Sciex for incorporation into its equipment and does not imply any right and/or license to use or permit others to use such product names as trademarks. All products and company names mentioned herein may be the trademarks of their respective owners. Applied Biosystems/MDS Sciex makes no warranties or representations as to the fitness of this equipment for any particular purpose and assumes no responsibility or contingent liability, including indirect or consequential damages, for any use to which the purchaser may put the equipment described herein, or for any adverse circumstances arising therefrom. Applied Biosystems/MDS Sciex is a joint venture between Applera Corporation and MDS Sciex, the instrument technology division of MDS Inc. ANALYST is a registered trademark owned by Applera Corporation or its subsidiaries in the United States and certain other countries. ISO 9001 REGISTERED COMPANY For Research Use Only. Not for use in diagnostic procedures. Equipment built by MDS Sciex, a division of MDS Inc., at 71 Four Valley Dr., Concord, Ontario, Canada L4K 4V8. MDS Sciex and Applied Biosystems are ISO 9001 registered Edition MDS Sciex, a division of MDS Inc., and Applera Corporation, Joint Owners. All rights reserved. Printed in Canada.

3 Contents Foreword v Audience v Guide Organization v Related Documentation vii Technical Support vii Chapter 1. Security and Regulatory Compliance Security Requirements Analyst and Windows Security: Working Together Audit Trails within Analyst and Windows Analyst and 21 CFR Part Chapter 2. Windows and Analyst Security Configuration Security and Installation Process Overview Chapter 3. Windows Security Steps for Configuring Windows Security Definition of Users and Groups Users and Groups Active Directory Support Windows File System System Auditing Event Viewer File and Folder Permissions Alerts Chapter 4. Analyst Installation Release Notes System Requirements iii

4 Installing Analyst Regulated Environment Options Software Component Verification Understanding Analyst Files Folder Structure Flat Files Network Acquisition Chapter 5. Analyst Security Configuration Steps for Configuring Analyst Security Configuring Security Mode Acquisition Process Screen Lock and Auto Logout Configuring People and Roles Accessing the Analyst Software Configuring Project Security Setting Access Rights for Projects and Files Configuring Remote Sample Queue Monitoring Printing Your Security Configurations Chapter 6. Audit Trails Audit Trail Manager Instrument Audit Trail Project Audit Trail Changing the Audit Trail Settings Quantitation Audit Trail Changing the Results Tables Settings Archiving Electronic Mail Notification Enabling or Disabling Data File Checksum Searching Audit Trail Records Exploring Processing History Chapter 7. Data System Conversion Translating MassChrom Data Files to Analyst Format The Instrument File Generator The Experiment File Converter Index iv

5 Foreword This guide explains the security features of the Analyst software and how these features work with Windows security. It also describes how to install and configure Analyst stations. For a list of platforms supported and detailed installation instructions, please refer to the release notes included on your software installation CD. Audience The information contained in this guide is intended for two primary audiences: The Laboratory Administrator, who is concerned with the daily operation and use of the Analyst software and attached instrumentation from a functional perspective. The System Administrator, who is concerned with system security and system and data integrity. Guide Organization This guide is organized in the chronological order in which tasks should be performed to install, configure, and administer the Analyst software. Chapter 1 Security and Regulatory Compliance This section provides an overview of the Analyst software security features. v

6 Foreword Chapter 2 Windows and Analyst Security Configuration Process Overview This section describes how the Analyst software access control and auditing components work in conjunction with Windows access control and auditing components. Chapter 3 Windows Security Configuration This section describes how to configure Windows security prior to installing the Analyst software. System configuration is usually performed by network administrators or people with network and local administration rights. Chapter 4 Installing the Analyst Software This section explains how to install the Analyst software. The Analyst software comes with an installation CD to guide you step-by-step through the installation process. Chapter 5 Analyst Security Configuration This section describes procedures on how to configure Analyst security. Windows Users and Groups are available to the Analyst security Configuration so that you can control access to the Analyst software. Chapter 6 Setting up the Audit Trail This section explains the various types of audit trails available in the Analyst software and how they are used. Chapter 7 Data Systems Conversions This section explains how to migrate data from the Applied Biosystems/MDS Sciex Macintosh MassChrom software to the Analyst software. vi

7 Related Documentation Analyst Laboratory Director s Guide The Analyst software comes with comprehensive online Help to assist you in the daily operation of the software. In addition, before installing the software, you should read the release notes contained on the software installation CD. The following documentation is also available for reference: Analyst Operator s Manual Analyst Online CD Manuals Technical Support If you encounter problems configuring or using the Analyst software, consult the following documentation for assistance before contacting support:! Analyst online Help! Release notes If you have a technical question or request for assistance please contact Applied Biosystems/MDS Sciex support:! Toll Free (North America only): ! Web: vii

8 Foreword viii

9 1 Security and Regulatory Compliance This section provides an overview of the Analyst software security features. The Applied Biosystems/MDS Sciex Analyst software provides the laboratory director with the following: Customizable administration to meet the needs of both research and regulatory requirements. Security and auditing tools which adhere to 21 CFR Part 11 guidelines for the use of electronic record keeping. Flexible and effective management of access to critical instrument functions. Controlled and audited access to your vital data and reports. Easy security management linking to Windows security. Security Requirements Security requirements range from relatively open environments, such as research or academic laboratories, to the most stringently regulated, such as forensic laboratories. Laboratory monitoring agencies such as the Food and Drug Administration (FDA) and the Environmental Protection Agency (EPA) require adherence to Good Laboratory Practices (GLP). The Analyst software supports regulated laboratory environments and assists you in 9

10 Security and Regulatory Compliance achieving GLP compliance. In particular, the Analyst software auditing and access control components are designed to help you meet the recommendations of the Code of Federal Regulations (CFR), Title 21, Chapter I, Part 11, Electronic Records; Electronic Signatures Final Rule, for file and process security, validation, and data tracking. This introduction will help you understand how the Analyst software incorporates several layers of security to allow the laboratory director complete control over access to the instruments and data, and the flexibility to ensure compliance at any level. Analyst and Windows Security: Working Together The Analyst software and the Windows New Technology File System (NTFS) both have security features designed to control system and data access. Understanding how these features work together is critical to implementing the desired level of security for data acquisition and processing. Windows is typically used in a network environment, thus the ability to control access to systems and data is critical. Windows security provides the first level of protection by requiring users to log on to the network by means of a unique user identity and password. This ensures that only those who are recognized by the Windows Local or Network security settings can have access to your systems. For more information, see Windows Security on page 19. The Analyst software has three progressively secure system access modes: Single User Mode Integrated Mode Mixed Mode Single User Mode: This mode treats the current user that is logged onto Windows as an Analyst Administrator with full access to all Analyst 10

11 Analyst Laboratory Director s Guide software functionality. Anyone who can successfully log on to Windows on the computer will have Analyst Administrator privileges. Note: In Single User Mode, the People and Roles tabs are not available. For more information, see Configuring Security Mode on page 34. Integrated Mode: This mode allows the current user who is logged onto Windows to have access to the Analyst software, providing that the Windows user is also someone who should have and is allowed access to the Analyst software. Mixed Mode: This mode allows the user who is logged onto the Analyst software to be different (or the same) as the current user who is logged onto Windows. The user logged on to the Analyst software can be assigned to a specified role in the same way as in Integrated Mode. The difference is that the user logged on to the Analyst software may be different from the user logged on to Windows. This provides the possibility of having a group login for Windows with a known password, while requiring the Analyst software user to log on to the Analyst program using a unique user name, password, and if required, domain. If you select Mixed Mode, the Screen Lock/Auto Logout feature is available for use. Each security mode adds functionality to the previous mode, and all modes provide the administrator with the ability to configure access to project information (methods, data, and reports). The Analyst project security configuration is tied to the Windows NTFS, therefore there is no need to set the NTFS object permissions externally. The Analyst software functionality is a subset of the functionality available in Windows, but it allows you to manage project security directly with the Analyst software. For more information, see Analyst Security Configuration on page 33. The Analyst software also provides completely configurable Analyst Roles that are distinguished from the User Groups associated with Windows. Through the use of Roles, the laboratory director can easily control access to the instrument, on a function-by-function basis. For more information, see Configuring People and Roles on page

12 Security and Regulatory Compliance Audit Trails within Analyst and Windows The auditing features within the Analyst software compliment the built-in Windows auditing components. Together, they are key in the creation and management of electronic records. The Analyst software provides a system of audit trails specifically geared towards addressing the requirements of electronic record keeping. Separate audit trails record changes to instrument parameters, maintenance, project information (methods, data, batches, and data acquisition), and results table and report generation. Electronic signatures may be applied to critical tuning, acquisition, processing, and review activities. For more information, see Audit Trails on page 57. The Audit Trail Manager (ATM) module within the Analyst software allows easy configuration and review of audit trail information. The Audit Trail Manager allows record sorting, printing, searching, and processing review. The ATM may be configured to provide notification of attempted unauthorized use of the system. For more information, see Audit Trail Manager on page 58. Windows maintains three audit trails, known as event logs, which capture a range of security, system, and application related events. In most cases, the auditing is designed to capture exceptional events, such as a logon failure. The administrator may configure this system to capture a wide range of events, such as access to specific files or Windows administrative activities. For more information, see System Auditing on page 22. The Analyst software uses the Application Event log to capture information about the operation of the software. This log may be used as a troubleshooting aid since instrument, device, and software interactions are recorded in detail here. Windows also provides the Event Viewer tool to access the event log information. The Analyst Security Structure diagram provides an overview of the levels of security that the Administrator can configure when installing the Analyst software. 12

13 Analyst Laboratory Director s Guide Analyst security interaction Analyst and 21 CFR Part 11 Electronic record keeping is generally understood to be an activity that can significantly reduce the burden associated with traditional paper records. The Analyst software provides a secure user environment, which conforms to the 21 CFR Part 11 requirements for the creation of electronic records, with the implementation of: Mixed Mode and Integrated Mode Security linked to Windows security. Controlled Access to Functionality through customizable roles. Controlled Access to Project Data on a role-by-role or group basis. Audit Trails for instrument operation, maintenance, data acquisition, data review, and report generation. 13

14 Security and Regulatory Compliance Electronic Signatures utilizing a combination of user ID and password. Within 21 CFR Part 11 there are requirements for the control of electronic records that extend beyond the domain of the Analyst software. These requirements include the distribution and control of records in a closed or open system. As a tool for producing electronic records, the Analyst software forms a part of an overall strategy of compliance, and provides a simple, yet powerful suite of tools to ensure that records created conform to the 21 CFR Part 11 standards for electronic records in a secure GLP environment. 14

15 2 Windows and Analyst Security Configuration This section describes how the Analyst access control and auditing components work in conjunction with Windows access control and auditing components. Since the Analyst software works with the security, application, and system event auditing components of the Windows Administrative Tools, you must configure Windows security appropriately. After installing the Analyst software you can set Analyst security and authorizations for your system. Security and Installation Process Overview The following shows the workflow process for configuring the Analyst security features. 15

16 Windows and Analyst Security Configuration Security and installation process 16

17 Analyst Laboratory Director s Guide You can configure security at the following levels: Access to Windows. Access to the Analyst software. Selective access to the Analyst software functionality. Access to specific projects. Access to instrument station status. The Security Configuration table indicates the options for setting the various levels of security. Security Configuration Windows Security Install Analyst CFR Mid-Range Non GLP Format Drives to NTFS Yes Yes Optional Configure Users/Groups Yes Yes Optional Enable Windows Auditing, and File and Directory Auditing Yes Optional Optional Set File Permissions Yes Optional Optional Install Analyst Yes Yes Yes Select CFR Options Yes Optional No Event Viewer (Inspect Install) Analyst Security Select Security Mode Add/Configure Analyst Roles and People Configure Audit Trail Manager, Instrument, Project and Quantitation Audit Trails Yes Yes Yes Integrated or Mixed Any Single User Yes Yes Optional Yes Optional No 17

18 Windows and Analyst Security Configuration Security Configuration (Continued) CFR Mid-Range Non GLP Configure Notification Yes Optional No Common Tasks Activate Checksum Yes Optional No Add New Projects and Sub-Projects Configure Project Audit Trail for new Projects and Sub-Projects Yes Yes Yes Yes Optional No Transfer Existing Data Yes Yes Yes Maintenance: Maintenance Log for Instrument Yes Yes Yes Security, Data, Project Maintenance Yes Yes Yes 18

19 3 Windows Security This section describes how to configure Windows security prior to installing the Analyst software. System configuration is usually performed by network administrators or people with network and local administration rights. Steps for Configuring Windows Security In order to use the Analyst software to manage security, the Analyst Administrator must have the right to change permissions for the project folder and all the subfolders. If the root directory is on a local computer, then the Analyst Administrator could be part of the local administrators group. Only the Analyst user who manages security must be in the local administrators group. In order for the Analyst software to work well, users should be part of the Windows local user group. If certain users need to be able to stop the Analyst Service, this specific right can be set up without giving the user all the local administrator rights and thereby compromising local security. If you plan to use network acquisition, the network administrator must set up Windows security so that the Analyst Administrator has the right to change permissions for the required folders. It is not recommended that local users on acquisition computers be added to a network project security folder. 19

20 Windows Security For the workflow process for configuring Windows security, see the following figure, Workflow process for configuring Windows security. Workflow process for configuring Windows security Definition of Users and Groups User: Any user who may log on to Windows. Groups: Method of defining or classifying user rights by group identity on a Windows system. Administrators Group: A group of users with administrative rights on the network domain(s). Local Administrators Group: A group of users with administrative rights on the local computer. Global Group: A group of users who exist throughout a domain. 20

21 Analyst Laboratory Director s Guide Analyst People: A Windows user or group of users who has been granted rights to access and use Analyst software components. Analyst Role: Method of defining or classifying Analyst users rights by group identity for operating Analyst components and accessing Analyst files. Active Directory: The Active Directory system allows you to allocate and find resources on the network. For more information on Analyst users, see Configuring People and Roles on page 40. Users and Groups The Analyst software uses the user names and passwords recorded in the primary domain controller security database or Active Directory. Passwords are managed using the tools provided with Windows. Before you configure your security requirements, you must do the following: Remove all unnecessary Users and User Groups such as replicator, power user, backup operator from both local and network. Establish User Groups with the purpose of holding nonadministrative, Analyst People, and configuring system permission. Create suitable procedures and account policies for Users in Group Policy. See your Windows documentation for more information on the following: Users and Groups and Active Directory Users. Password and Account Lockout Policies for User Accounts. User Rights Policy. When working in an Active Directory environment, the Active Directory group policy settings affect the workstation security. Please discuss group policies with your Active Directory administrator as part of a comprehensive Analyst software deployment. 21

22 Windows Security Active Directory Support Active Directory can work in two environments, mixed and native. The Analyst security configuration window and Analyst security database allows user accounts to be specified in user principal name (UPN) format, and administrators can add new people in the Add Person/Role dialog box in UPN format. Mixed Environment: The network is comprised of both Windows 2000 and Windows NT servers and clients. Native Environment: The network is comprised of Windows 2000 servers and clients. If the Analyst software starts in the mixed environment, the logon window contains the user name, password, and domain fields. If you are using a Windows NT account, you should provide all three parameters. If you are using a Windows 2000 account, you can enter your user name in UPN format, and the domain field is ignored. If the Analyst software starts in the native environment, the domain field is not displayed, and the Analyst software accepts your user name in UPN format only. The Analyst Status window will also display your user name in UPN format. Windows File System The Analyst software requires that files and directories be located on a hard-disk partition formatted as the Windows New Technology File System (NTFS), which can control and audit access to Analyst files. The FAT file system cannot control or audit access to folders or files and is therefore not suitable for a secure environment. System Auditing Enabling system auditing can inform you of events that pose security risks and can detect security breaches. For example, auditing failed log ons to Windows can indicate attempted log ons using random passwords. Auditing successful log ons can be used to help detect actual log ons using stolen passwords. Auditing successful and failed file writes and other processes can be used to help check for viruses. You 22

23 Analyst Laboratory Director s Guide might want to audit successful and failed access to sensitive files, directories, and printers. It is recommended that you only audit abnormal occurrences such as failed log on attempts, attempts to access sensitive data, and changes to security settings. It is suggested that you customize the event logs as follows: Set appropriate event log size. Set automatic overwrite of old events. It is also recommended that you set Windows computer security settings. Additionally, you might want to implement a process of review and archival. For more information regarding security settings and audit policies, refer to your Windows documentation. Event Viewer You can launch the Event Viewer through the Analyst software or through Windows Administrative Tools. The Event Viewer records the audited events in the Security Log, System Log, or Application Log. Refer to your Windows documentation for information about viewing the details of audited events in the Event Log dialog box. File and Folder Permissions In order to manage security on a network drive, the Analyst Administrator must have the right to change permissions for the Analyst Data folder and all the subfolders. As this folder is on the network, the Analyst Administrator, by default, may not have access. Access must be set up by the network administrator. Before selecting the events or actions that will be audited, set the permissions (or detailed permissions) for the files and folders. The permissions for folders can be applied to subfolders and/or files in the folder. Once file and folder permissions have been set, you can define the events that will be written to the Security log. Note: You must consider the access needs of users to the drive and folder on each computer. You must configure sharing and associated permissions. For more information about file sharing, refer to the operating system documentation. For information on the Analyst software files and folder permissions, see Configuring Project Security on page

24 Windows Security Alerts In the event of a system or user problem, a network message can be sent to a designated person, such as the System Administrator, on the same or another computer. For more information about creating an alert object, refer to the operating system documentation. 24

25 4 Analyst Installation This section explains how to install the Analyst software. The Analyst software comes with a software installation CD to guide you step-by-step through the installation process. Before installing the software, you should understand the difference between a processing workstation and an acquisition workstation, and then complete the appropriate installation procedure. For more information, please refer to the release notes included on your software installation CD. Note: To install the Analyst software, you must have local administrator privileges for the workstation on which you are installing the software. Release Notes Release notes are shipped with the Analyst software, and should be read before installation. The release notes contain information related to: Minimum hardware requirements Supported devices Minimum software requirements Issues or notes Note: The release notes can also be found on the software CD and can be read with WordPad or Adobe Acrobat Reader. 25

26 Analyst Installation System Requirements For minimum installation requirements, please refer to the release notes included on your software installation CD. Installing Analyst An acquisition workstation is used for controlling instrumentation and acquiring data. If you are setting up an acquisition workstation, you must first install the software for the National Instruments GPIB Interface Card and, if necessary, upgrade the mass spectrometer firmware as part of the installation process. General Sequence for data processing and acquisition workstations Item Comments Processing Station Instrument Station Instructions Install GPIB and Drivers. Must install. No Yes Release Notes Install Serial Card and Drivers. Probably need to install. No Optional Release Notes Install ADC and Drivers. Install MDAC. Install Analyst/ Verify Installation. Verify/ Upgrade mass spectrometer firmware. May need to install. Must install if not previously installed. No Optional Release Notes Yes Yes Must install. Yes Yes Release Notes. See also Software Component Verification on page 27. Must complete if mass spectrometer firmware is not current. No Yes Release Notes 26

27 Analyst Laboratory Director s Guide Regulated Environment Options By default, all audit trail settings are set to off. After installation, the Analyst Administrator can change the selection in the Security Configuration module or in the Audit Trail Manager component. Software Component Verification After you install the Analyst software, a Software Component Verification procedure automatically checks that all the necessary software components were successfully installed and generates an installation report. This report is in the form of an event log item from Analyst Installer in the Event Viewer Application log. Verify that the installation was successful immediately after completion. There is an event log for the checksum inspection of the core installed files. For more information about checksum, see Enabling or Disabling Data File Checksum on page 66. To verify Software Component Verification results 1. Click Start, point to Settings, and then click Control Panel. 2. Double-click Administrative Tools, and then double-click Event Viewer. 3. In the Tree tab, click Application Log. 4. Click Analyst Installer event. In the Event Detail message scroll down to Total files verified. Errors should read zero. Understanding Analyst Files When you install the Analyst software, the software creates a default directory structure to provide a consistent and logical means of accessing project files. In addition, as you create new projects, the Analyst software sets up a project directory structure automatically. The installation includes the following projects: API Instrument: The API Instrument project contains critical instrument information and should not be used for routine data acquisition. 27

28 Analyst Installation Default: The Default project contains the default instrument configuration information used in configuring new folders. Example: The Example project contains information that can be used for building methods and creating batches. It also contains example data files that can be used to explore Analyst. Folder Structure The project hierarchy below shows the typical contents of the different subdirectories. For more information on folder structure, refer to the online Help or the Analyst Operator s Manual. 28

29 Analyst Laboratory Director s Guide Sample folder structure Flat Files Whether you acquire data locally or through network acquisition, if you have large data files or if you perform high throughput quantitative analysis, it is recommended that flat files are used. 29

30 Analyst Installation Flat means these files are ordinary sequential files where data is stored byte after byte and not organized in special structures as in compound documents. Flat files are more stable and less likely to become corrupted. Since the structure is simpler, reading and writing data is more efficient, and provides problem-free transfer of large amounts of data over the network. Data in compound documents are more difficult to transmit over the network because of their structural limitations. If the flat file format is selected for a.wiff file scan, data from every scan will be stored in separate flat files. For example, the scans of the first sample from Test.wiff will be stored in a file called Test.wiff.1.Scan, the scans from the second sample will be stored in a file called Test.wiff.2.Scan and so on for each sample. Network Acquisition Network acquisition allows you to acquire data from several instruments into network-based project folders/.wiff files that can be processed on remote workstations. This process is network-failure tolerant, thus ensuring no data is lost. At the start of network acquisition, the Analyst software creates a temporary subfolder with the same name as the network project folder in the Wiff_Cache_Backup folder. Data is acquired in a local temporary file. A network file is created using an asynchronous process that takes place in the background. Depending on network performance and file size, the remote file is updated in near real-time. Locally, the Analyst queue displays the acquisition into the local cache. If a local user opens a file during data acquisition, it is the cache file that is opened. The status of the remote file during acquisition is hidden from the local user. Users from other workstations are able to open network files and view updates during acquisition. After data acquisition is completed, the Analyst software ensures that the network files were written correctly, and then deletes the temporary files. When the Analyst software starts up, it checks the contents of the Wiff_Cache_Backup folder. If temporary files are present, it means that a previous network acquisition was interrupted and the Analyst software will finish writing the network file. 30

31 Analyst Laboratory Director s Guide To configure network acquisition, you must perform the following steps: 1. Set up acquisition security in Security Configuration. By default, the acquisition account is set to Client. For more information on selecting an acquisition account, see Acquisition Process on page If required, set up flat files for network acquisition. 3. Create a root directory. 4. Set the root directory. 5. Set up your projects in the root directory. To set up flat files (optional) 1. In Configure mode, from the Tools menu, point to Settings, and then select Queue Options. The Queue Options dialog box appears. 31

32 Analyst Installation 2. Select Use flat files for scan data if you want to use a split file format for acquisition. 3. Click OK. To create a root directory Note: To perform this procedure, you should have the requisite access rights. 1. On the Tools menu, point to Projects, and then select Create Root Directory. 2. Browse to the location where the root directory is to be created. 3. In the New text box, name the directory. 4. Click OK. To set the root directory 1. On the Tools menu, point to Projects, and then select Set Root Directory. 2. Browse to the location where the root directory is to be created. 3. In the Browse for Folder dialog box, browse to your created root directory. 4. Click OK. Once the root directory has been set, you can set up your projects. 32

33 5 Analyst Security Configuration This section describes procedures on how to configure Analyst security. Windows Users and Groups are available to the Analyst security Configuration so that you can control access to the Analyst software. You can configure security at the following levels: Selective access to the Analyst software functionality. Access to specific projects, folders, and files. Access to computers. Steps for Configuring Analyst Security Note: Any changes to the Analyst security configuration take effect after the Analyst software has been restarted. The following diagram illustrates the general workflow process for configuring the Analyst software: 33

34 Analyst Security Configuration Configuring Analyst security Configuring Security Mode The Analyst security component allows you to choose a security mode, set up security for the acquisition process, and set up system lockout and auto logout. The security modes are as follows: Single User Mode Integrated Mode Mixed Mode For more information about security modes, see Analyst and Windows Security: Working Together on page

35 Analyst Laboratory Director s Guide To select the security mode 1. On the Navigation bar, under Configure, double-click Security Configuration. The Security Configuration dialog box appears. 2. In the Security Configuration dialog box, click Advanced. 3. Click the Security tab. 35

36 Analyst Security Configuration 4. Click a Security Mode: Single User Mode, Mixed Mode, or Integrated Mode. Note: Any changes to Analyst security configuration take effect after the Analyst software has been restarted. 5. Click Apply, and then click OK. 6. Restart the Analyst software. Acquisition Process You can setup security for the acquisition process. Client and Special Acquisition Administrator accounts are network accounts that are used for reading and or writing data into project folders during normal acquisition, but not during tuning. It is the network administrator s responsibility to provide access rights for network accounts. Client Account: Uses the same account that you use to log on to the Analyst software. In integrated mode, the user who has logged on to Windows is also logged on to the Analyst software. In mixed mode, the Windows user and the Analyst software user may be different. 36

37 Analyst Laboratory Director s Guide Special Acquisition Administrator Account: Used in a regulated environment. The operator must provide a user name, domain, and password for this account. Once the network administrator sets up this account, it can be used by the Analyst software to read or write data regardless of who the current the Analyst software user is. This means that although the current user may not have rights to modify data in project folder, data acquisition can still take place. Account information is stored in the registry in encrypted form. To select an acquisition account mode 1. On the Navigation bar, under Configure, double-click Security Configuration. The Security Configuration dialog box appears. 2. In the Security Configuration dialog box, click Advanced. 3. Click the Security tab. 4. Click an Acquisition Account option: Client Account or Special Acquisition Administration Account. If you select Special Acquisition Administration Account, the Set Acquisition Account dialog box will open. If you are using Active Directory in the Native environment, the domain field is not visible and you can enter your username in user principal name (UPN) format. 5. If you selected Special Acquisition Administration Account, type the User name, Password, and if necessary, Domain. 6. Click OK. 37

38 Analyst Security Configuration 7. Click Apply, and then click OK. Screen Lock and Auto Logout For security purposes, you can set the computer screen to lock after a defined period of inactivity. You can also set an auto logout time where the Analyst client will close after a defined period of inactivity. Screen lock and auto logout are available in Mixed Mode only. When the screen locks, the Unlock Analyst dialog box indicating that the system has been locked, as well as the currently logged on user name and domain, will appear. If the auto logout option is also set, the time remaining before the Analyst software closes is also displayed. Only the currently logged on user, the Administrator, or the Supervisor can either unlock the Analyst software or close the Analyst software. If the screen is not unlocked, after a defined period, the Analyst client will close and all unsaved data will be lost. To set up screen lock and auto logout Note: Screen lock and auto logout are only available in Mixed Mode. 1. On the Navigation bar, under Configure, double-click Security Configuration. The Security Configuration dialog box appears. 2. In the Security Configuration dialog box, click Advanced. 3. Click the Security tab. 38

39 Analyst Laboratory Director s Guide 4. Select Screen Lock. The Auto Logout and Wait fields are enabled. 5. In the Screen Lock Wait field, type the amount of minutes to elapse before the screen locks. 6. If required, select Auto Logout, and in the Wait field, type the amount of minutes to elapse before the Analyst client closes. Once the Screen Lock time has elapsed, the Unlock Analyst dialog box appears. 39

40 Analyst Security Configuration You have a 10-second grace period to move the mouse or press a key to clear the Unlock Analyst dialog box. Only the current user, Administrator, or Supervisor can either unlock the screen or log out the user. The Unlock Analyst dialog box also indicates the time left before you are logged out. Important! If you are automatically logged out, the Analyst client closes and all unsaved methods, batches, or quantitation results will be lost. 7. To unlock the screen, type your password, and then click UNLOCK. 8. To log out the user, type your user name if necessary, and password, and then click LOGOUT. Configuring People and Roles The Analyst software limits access to people authorized to log on to the workstation and to the Analyst software, using the same user name and password for both. The Analyst software does not allow multiple logons by a single user. Note: The People and Role tabs are not available in Single User Mode. An Analyst Administrator can configure an Analyst Person or People from among the Users and Groups that can log on to the Windows 40

41 Analyst Laboratory Director s Guide workstation. Only an Analyst Person or People can be assigned to an Analyst Role or Roles. Only Analyst Roles can access Analyst components. The Analyst software comes with six predefined roles, which cannot be deleted but their rights can be modified, and that reflect typical users of the Analyst software. You can also choose to define your own Roles and configure system access depending on your own specific requirements. Access to the Analyst software is controlled by Role, not by People, although you can create roles that consist of only a single person. A summary of the default Role privileges appears in the following table. Analyst Roles Role Typical Tasks Access Administrator Analyst System administration. Security configuration. Oversees instrument operation. Analyzes data for use by end user. All Analyst functionality Acquisition Method Analyst Application Audit Trail Manager Compound Optimization Explore Hardware Configuration Quantitation Report Template Editor Sample Queue Tune View Status 41

42 Analyst Security Configuration Analyst Roles Role Typical Tasks Access Operator End User QA Reviewer Supervisor Oversees daily use of the system, including maintenance, sample organization, data gathering, and processing. Provides samples. Receives processed results. Integrates results with input and output from other applications. Review data Review audit trails Review quantitation results Unlock Analyst or log out user. Acquisition Method Analyst Application Audit Trail Manager Batch Compound Optimization Explore ExpressView Hardware Configuration Report Template Editor Sample Queue Tune View Status Acquisition Method Analyst Application Audit Trail Manager Compound Optimization Explore ExpressView Report Template Editor View Status Analyst Application Audit Trail Manager Quantitation Report Template Editor View Status Unlock/Logout Application Accessing the Analyst Software Before you can assign a person or people to a specific role, you must first add the person to the Analyst software. To either add a person or 42

43 Analyst Laboratory Director s Guide people and assign them to Analyst Roles, or remove a person or people, you must be logged on as an Analyst Administrator. Note: If you have one person assigned to a single role, and that role is to be deleted, you will be asked if you want to delete the person as well as the role. You must also add Windows Users and/or Groups to the Analyst security database before you configure Analyst People and Role access to the Analyst software. Note: Any changes to Analyst security configuration take effect after the Analyst software has been restarted. To add People to Analyst 1. On the Navigation bar, under Configure, double-click Security Configuration. The Security Configuration dialog box appears. 2. In the Security Configuration dialog box, click the People tab. 3. Click New Person. 4. Using the system dialog box, add a user or group. 43

44 Analyst Security Configuration 5. Click Apply, and then click OK. 6. Proceed to To assign People to Roles To assign People to Roles 1. On the Navigation bar, under Configure, double-click Security Configuration. 2. In the Security Configuration dialog box, click the People tab. 3. In the left window, select the Person. 4. In the Available Roles window, select the required Role, and then click Add. 5. Click Apply, and then click OK. To create a user-defined Role 1. On the Navigation bar, under Configure, double-click Security Configuration. The Security Configuration dialog box appears. 2. In the Security Configuration dialog box, click Advanced. 3. Click the Roles tab. 44

45 Analyst Laboratory Director s Guide 4. Click New Role. The New Role dialog box appears. 5. Type the Role Name and Description, and then click OK. By default, a user-defined Role will have full access rights to the Analyst software. In the Access to Analyst window, a green check mark denotes system access is enabled; a red X denotes system access is disabled. 6. Click Apply, and then click OK. 7. Proceed to To set access rights for a user-defined Role. 45

46 Analyst Security Configuration To set access rights for a user-defined Role 1. On the Navigation bar, under Configure, double-click Security Configuration. 2. In the Security Configuration dialog box, click Advanced. 3. Click the Roles tab. 4. In the Roles window, select the Role to be configured. 5. In the Access to Analyst window, select the access requirement, and then click the Enable/Disable toggle button. Double-click components in the Access Rights list to enable or disable access as appropriate. To configure access at a functional level, expand the components, and then double-click the functionality to enable or disable it. 6. Click Apply, and then click OK. To delete a user-defined Role 1. On the Navigation bar, under Configure, double-click Security Configuration. 2. In the Security Configuration dialog box, click Advanced. 3. Click the Roles tab. 4. In the Roles window, select the Role to be deleted, and then click Delete. If you have a person who is assigned to a single role, and that role is to deleted, you will be asked if you want to delete the person as well as the role. 5. Click Yes to confirm or No to close the dialog box. 6. Click Apply, and then click OK. To remove People from Roles 1. On the Navigation bar, under Configure, double-click Security Configuration. 2. In the Security Configuration dialog box, click the People tab. 3. In the left-hand window, select the Person. 4. In the Role(s) Selected window, select the required Role, and then click Remove 46

47 Analyst Laboratory Director s Guide 5. Click Apply, and then click OK. To delete People 1. On the Navigation bar, under Configure, double-click Security Configuration. 2. In the Security Configuration dialog box, click the People tab. 3. In the left window, select the Person/People to be deleted, and then click Delete. 4. Click Yes to confirm or No to close the dialog box. 5. Click Apply, and then click OK. Configuring Project Security You can configure access to projects and project files by People or Roles. The Analyst software organizes all Analyst files into project folders under the Analyst Data folder (except the compound database and the library search database, which is stored in the Analyst Data folder). The API Instrument folder contains information about the instrument and related instrument configurations. All other files generated while using the Analyst software will be saved in folders within the active project folder, which can be one of the project folders provided with the Analyst software or, typically, a project folder created by an operator. For more information on creating projects, refer to the online Help. Common Analyst file types and folders are listed in the following table. The API Instrument folder has all the subdirectories, except Processing Methods and Results. Asterisked (*) subdirectories exist only in the API instrument folder. All other subfolders exist within each project folder. They may be in the project level folder or within each sub-project. Analyst User Files Extension File Type Sub-folder Name.aasf Acquisition script Acquisition Scripts.aasf Acquisition script (supplied Example) Example Scripts 47

48 Analyst Security Configuration Analyst User Files (Continued) Extension File Type Sub-folder Name.ata Audit trail archives Project Information.atd Instrument audit trail data Instrument audit trail settings Project audit trail data Project audit trail settings.dab Acquisition batch files Batch Project Information.dam Acquisition method Acquisition Methods.dat Acquisition batch template Batch\Templates.dab Batch Batch.dll Dynamic link library Processing Scripts.eph Explore processing history Processing Methods data.hwpf Hardware profile Configuration*.ins.mdb.pdf Instrument data calibration information MS Access database Exported data Instrument Data*.psf Parameter settings Parameter Settings*.qmf Quantitation method Quantitation Methods.rdb Result table. Holds Results Quantitation audit trail data..rpt Report template Templates Templates\Method Templates\Report Templates\Workspace.rtf.rtf.sdb Rich text format Log records from automated collection Quantitation audit trail settings Log Project Information 48