Policy - User Account Management

Overview

This document is being written to address customer IT security/ risk management processes.

Input from customer Thermo Fisher requires this document to address the following topics:

• New User Account Request Process

• New User Account Approval Process

• Who approves roles for users

• Creation/ onboarding process for accounts

• Periodic review of user access rights and remove any unnecessary ones

• Notification process for when Customer users (or 3rd party contractors) are terminated and access needs to be revoked

• User removal process

• Process for assigning/ changing roles and responsibilities to users in the system/ application

Input from ChatGPT: prompt “What are the key components of a user account policy for a startup software-as-a-service?”

1. User account creation and verification procedures

2. Password policy (e.g. length, complexity requirements)

3. User data protection and privacy policy

4. User account suspension and termination criteria

5. User account permissions and roles

6. Session management and inactivity timeout

7. Two-factor authentication (2FA)

8. Data backup and recovery policy

9. Incident response and reporting procedures

10. Compliance with relevant regulations (e.g. GDPR, HIPAA).

Account Types

There are 4 types of NimbleStory accounts:

• NimbleStory Customer Accounts

  • These are our primary user account types and are used to login and interact with NimbleStory in a web browser.

  • These accounts can be granted access to the Organization as a whole using our Organizational Level roles

  • Provisioning/ Deprovisioning: These accounts can be provisioned in a few different ways depending on an Organizations needs/ license levels, see Customer Account Provisioning Methods for details

  • Rights/ Permissions: These accounts can be assigned rights and permissions to Organizations and Projects via Role Based Access controls by higher-level Customer and Administration accounts.

• NimbleStory Administration Accounts

  • These are CMS-level accounts granted only to a small group of NimbleStory support staff for the purposes of configuring and maintaining the system for customers.

  • Provisioning: These accounts are provisioned manually during training/ onboarding of support staff.

  • Rights/ Permissions: These accounts can be assigned rights and permissions to Organizations and Projects via Role Based Access controls by higher-level administration accounts.

  • Deprovisioning: These accounts are deprovisioned manually during offboarding of support staff.

• NimbleStory Service Accounts

  • These are special accounts used for operations like guest access to shared content.

  • Provisioning: These accounts are provisioned manually by System Accounts as needed.

  • Rights/ Permissions: These accounts can be assigned rights and permissions to Organizations and Projects via configuration controls by System Accounts as needed.

  • Deprovisioning: These accounts are deprovisioned manually by System Accounts as needed.

• NimbleStory System Accounts

  • These are host-level accounts granted only to system administrators operating the NimbleStory platform itself.

  • Provisioning: These accounts are provisioned manually during training/ onboarding of administration staff.

  • Rights/ Permissions: These accounts do not interact with content directly, but support the underlying database and file systems that the system utilizes.

  • Deprovisioning: These accounts are deprovisioned manually during offboarding of administration staff.

Customer Account Permissions Model

NimbleStory permissions are based on Organizations and Projects

Organization Level Roles include:

• Organization Administrator

  • full control to edit the Organization settings/ theme/ options.

  • full control to create/ edit/ remove Projects

  • full control to invite/ edit/ remove Users (other Customer Accounts in this Org)

  • full control to view/ filter/ export Organizational Usage Reporting

• Organization Project Manager

  • full control to create/ edit/ remove Projects

  • full control to invite/ edit/ remove Users (other Customer Accounts in this Org)

• Organization User Manager

  • full control to create/ edit/ remove Organization Users (other Customer Accounts in this Org)

Project Level Roles include:

• Project Administrator

  • full control to edit the Project settings/ theme/ options.

  • full control to create/ edit/ remove User Access to the Project

  • full control to view/ filter/ export Project Usage Reporting

  • full control to create/ edit/ share/ remove Project Content

• Project Curator

  • full control to create/ edit/ share/ remove Project Content

• Project User Invite

  • full control to invite/ edit/ remove Users (other Customer Accounts in this Org)

• Project Plan Status

  • full control to update Project Plans

Customer Account Provisioning Methods

NimbleStory supports multiple methods of customer account provisioning that can be configured for Organizations independently.

Use of some of these methods (like Enterprise Single-Sign-On), may require higher-level license agreements and can be discussed with your account rep.

• User Invitation by an existing Customer Account (preferred)

  • Handled via the main NimbleStory User Interface

  • Users with invite privileges to a Project can simply click the Invite User button to invite additional users to the Project

  • This will spawn a dialog that prompts the inviting user to add the new users Email, Name, and other pertinent info for invitation

  • On submission, the invite process will create a user account and generate an email notification to the new user with a onetime login link for access

  • User Invite privileges can be set Organization-wide or on specific Projects

• User Invitation by Support Desk request (deprecated)

  • [This process is being deprecated in favor of self-invitation, but is still supported for those Organizations that have not yet added User Invite permissions to their projects)

  • Users may submit a request for additional accounts via our support desk

  • This will spawn a verification process by which the support desk agent needs to verify the request itself AND the submitter’s identity/ right to request new users for the target project.

  • Once verified, a NimbleStory System Administrator will create the new account and generate an email notification to the new user with a onetime login link for access

• Single-Sign-On Auto Provisioning (by configuration/ license level)

  • [This process depends on an Organizations license level and requires specific one-time configurations to enable]

  • During an Organization’s Single-Sign-On Configuration, we will make the determination if there is a desire to auto-create users to the Organization.

  • If configured to auto-create users, any user logging in successfully with Single-Sign-On for the current organization, would be created immediately if they did not already exist in NimbleStory.

  • In this scenario, the Organizational Customer Point of Contact would determine what projects were made available to these new users by default.

• Bulk Import (by contract)

  • Manual process initiated by NimbleStory System Administrators

    • Typically done as part of New Organization Onboarding to generate the initial set of accounts

    • A bulk load file is generated (user email, first and last names, company name, phone, other fields as needed)

    • The bulk load file is validated / corrected to fit the data model of the import process

    • The import file is loaded into the system by a NimbleStory Administrator and processed

    • Accounts are created and stored

    • (optionally) End users are notified that their account has been provisioned