OpenLab Software - Remove User

We are using OpenLab CDS version 3.5.  In preparing to go-live, we have several technician accounts and test accounts that need to be disabled.  For all my other systems, we have the ability to "disable" accounts.  In OpenLab Control Panel, the only option is to remove.  Does remove permanently delete the account or does it go to a background repository to be referenced?

If permanently deleting, this is not ideal for most Pharma companies.  We typically NEVER delete accounts and keep them disabled.  Two reasons:  first, keep a record of who that account was assigned (e.g. full name) and second, prevent a duplicate ID from being used in the future.

Any help is appreciated.  

Parents
  • Hello,

    If the accounts are internally created in the software you can leave the accounts in the system and just remove all roles from the account. The account could still be used to login but would have no ability to do anything. If you are using domain authentication simply lock the accounts on the domain. Note the activity logs, audit trails and other resources that record user actions do not reference the account entries but rather embed the information so do not need the accounts to remain in the system.  

    Marty Adams 

  • Thanks Marty.  That's what I thought (no real way to disable accounts on Agilent software).  I know our AD will have the account disabled and I'll remove groups.  It's simply messy and most GMP relevant software systems have the ability to disable accounts to show the distinction from active accounts and prove they cannot be inadvertently used. 

    My thought is to add a group/role that has no rights or has deny-all rights and have them listed there.  The group could be named "Deactivated Accounts".  Does anyone know if this approach works out?

    Regards,


    Chris

  • Chris,

    If the account is disabled on the domain that is all that is really needed. The user account will no longer have any access to OLSS. You can add a group as specified in your reply, but that will not really help as the permissions are only allow based and are additive when a users has multiple roles of the same type. It would be more important the inactive users are removed from other roles than add to one with no permissions. If you simply want a group to track deactivated users it would be fine.

    Marty Adams

  • I understand, but what is missed in your scenario is if that AD account gets re-enabled.  Let's say the person comes back in another role or capacity that no longer requires an OpenLab login.  They could login, but with the groups removed, not much can be done.  BUT, could they view?  Would that login appear in the audit trail.  etc.  Having the additional disable of the account on the openlab side would be helpful.  It's how almost all other systems handle it.  It is important to distinctly show the account is disabled in each system rather than "hoping" it was done elsewhere. 

    Either way, I've got options and can explain to auditors (if they ask).  It is simply not as clean as all my other systems.  

    Regards,


    Chris

Reply
  • I understand, but what is missed in your scenario is if that AD account gets re-enabled.  Let's say the person comes back in another role or capacity that no longer requires an OpenLab login.  They could login, but with the groups removed, not much can be done.  BUT, could they view?  Would that login appear in the audit trail.  etc.  Having the additional disable of the account on the openlab side would be helpful.  It's how almost all other systems handle it.  It is important to distinctly show the account is disabled in each system rather than "hoping" it was done elsewhere. 

    Either way, I've got options and can explain to auditors (if they ask).  It is simply not as clean as all my other systems.  

    Regards,


    Chris

Children
Was this helpful?