REDCap Account: When a person is set up with an SMPH REDCap account, they are given access to the overall SMPH REDCap system. They can create their own projects or their account can be added to projects.
Project Users: Each REDCap project has users. These are the specific users with REDCap accounts that can access the project. In order for someone to be a added as a user to a project, they first need an SMPH REDCap account. When a user account is added to a project, the user must be assigned a role or given a set of custom permissions. The role or permissions given to a user account is determined at the project-level settings, and determines a user's access to data and ability to make changes in that specific project. For a detailed review of the user rights settings that can be granted or restricted, please see: REDCap: User Rights Definitions
User Roles: Each project can have pre-defined user roles. Then individual users can be assigned to a role. This is helpful, for instance, if a project will have a number of data entry staff who only need access to certain parts of the project, or a statistician who may need to export data but not enter data. By setting up a pre-defined user role, it streamlines the process for adding new users to a project. Please see: REDCap: Recommended User Roles for recommended access based on a role.
User Rights Management: User rights management is the responsibility of the project owner (the person who creates the project) and/or the users they add to the project with User Rights access. User roles and individual user access rights should be set appropriately and reviewed periodically.
Summary of Best Practices for User Rights Management in REDCap:
ONLY provide needed access rights: Only provide user rights that a person actually needs. DO NOT just check all possible options in the User Rights section in REDCap. This is especially important for the high level roles of "Project Design & Setup" and "User Rights". Additionally, DO NOT select "REDCap Mobile App" rights if you are not using the Mobile App as this complicates changes to your project.
Set expiration dates for users: If you are adding a user to a project who you know will need access to the project for a limited amount of time, set an expiration date for their access at the time you add them to the project.
Review your User Access Dashboard periodically: The User Access Dashboard will show all of the users for all of the projects that you manage User Rights before. Review it at least every six months to ensure that all users have the appropriate level of access to the projects they are on.
Create and utilize User Roles in your project: A User Role has a pre-defined level of access. For instance, you might create a user role for Data Entry, that allows a user to enter data but not change project settings or delete records.
Consolidate sensitive information in one instrument: If there are users who should not see identifiable information in the project, the best solution is to keep all of the sensitive information on one instrument and restrict read access to it.
Make use of Data Access Groups (DAGs) (for multi-site projects): Data Access Groups allow users to be assigned to a group (for instance, a study site) and then only have access to records from that particular DAG. Please see: REDCap: Data Access Groups (DAGS) for more information.
Have a process for when study team members leave their role: If you have a study team member who is departing, make sure their access to your REDCap project is expired. It is also important to ensure that their account is not tied to any project settings (for instance, API tokens or automated survey invitations) that will need to be transferred over to another study team member.
Please note that in order to have an SMPH REDCap account created, all users must complete HIPAA training. This is UW-Madison SMPH Institutional Policy, because REDCap is a system that contains PHI.
For users that will be accessing a research project, you must complete Human Subjects Protection training (through any accredited institution) in order to be granted access to SMPH REDCap.
A valid UW email address, or a project sponsor with a valid UW email address.
New User Training: When you submit a request for a new account, you will need to complete a brief interactive training module which covers the basics of REDCap.
Once your account is granted, you will need to log in once in order to complete the account set-up. Once you have logged in for the first time, your account will be available to be added to a REDCap project.
REDCap Account Creation Step by Step:
1. Submit account request
2. Complete REDCap Interactive Training
3. Complete current UW-Madison HIPAA training and Human Subjects Protection training (if indicated)
4. Wait to receive your account activation email
5. Log in to your account for the first time
Add a New User to Your REDCap Project
Please be aware, in order to add a new user to your project, they must:
Already have been granted an SMPH REDCap account.
The user must have logged in at least once.
Please note: We are not able to provide group accounts for SMPH REDCap. Because we are required to confirm that all users have completed HIPAA and/or HSP training, we cannot allow accounts to be set up for groups of individuals (e.g. a "XYZ Lab" general account that multiple people will use.)
Adding a New User to Your Project
To access the User Rights module, you can navigate to it from the "Project Setup" tab or from the left-hand menu in your project.
To add a new user, you will start typing their name or REDCap log-in into the field next to "Add with Custom Rights" or "Assign to Role" buttons. IMPORTANT! You must select a user who already has a REDCap account. You will know that they already have a REDCap account because when you start typing their information in, they will show up in a drop-down. If they do not show up, then they will need to be set up with an SMPH REDCap account before they can be added to your project.
Do not free-type a name or email address into these fields. If their name doesn't show up automatically, they do not have a REDCap account! Free-typing a name or email address into this field will not create access to your project. A user must first be set up with an SMPH REDCap account, which will cause their name to be available to add from the Add User fields. If you try to add users this way, they will not get access and you will need to remove these entries before your project is moved to Production.
When you add a new user, you will need to either select what rights they have (for definitions of all the user rights settings, please see: REDCap: User Rights Definitions) or assign them a User Role that you have pre-defined.
Adding User Roles to Your REDCap Project
To create a new User Role, navigate to the User Rights module. Enter the name of the role you'd like to create and hit the "Create Role" button:
This will bring up a pop-up with the permissions you can grant or restrict for the role. For a detailed review of the user rights settings that can be granted or restricted, please see: REDCap: User Rights Definitions. Please see REDCap: Recommended User Roles for recommendations on which rights to give various user roles in your project.
Automatic Account Suspension
Users that have not logged into REDCap or used the API in the past 180 days will automatically have their account suspended by the REDCap system. Users will not be able to access any projects once an account is suspended. Users will be notified via email of their suspension and will need to contact the REDCap support team to unsuspend their account. The REDCap support team will confirm the user has taken the REDCap training, has current UW-Madison HIPAA training and, if applicable, current Human Subjects Protection training before unsuspending the account. Once unsuspended, users will have the same access they previously had to projects.
Remove a User from Your REDCap Project (Delete or Set an Expiration Date)
To remove a user from your REDCap project, you can either set an expiration date OR you can remove the user entirely.
Setting an Expiration Date An expiration date should be set when a user has left your project for a new position or role within your department as of a specific date. If the user should immediately lose access to the project and data, you can set an expiration date in the past and then save your changes. You can also update an expiration date if a user will continue with your project longer than initially planned. There are two options for adding or editing an expiration date. Both options begin with navigating to the User Rights Module and finding the user's name in your list of staff.
Option 1: Next to the username, click on the word 'never' (or the date if you've already entered an expiration date) in the Expiration column (picture A). In the "Change user expiration" field that appears, add or update a date and then Save (picture B).
Option 2: Click on the user's name and select the button "Edit User Privileges". (If they are assigned to a User Role, you will need to first un-assign them from the User Role before you can set an expiration date.) At the top of the "Edit existing user" page, enter an expiration date and then save your changes.
Removing a User Removing a user should only be done if the user was added mistakenly or was added with a "non-account" (e.g. email address, misspelled username, etc.). Click on the user's name and select the button "Edit User Privileges". Then select the 'Remove User' button at the bottom of the screen and confirm your changes.
Modifying User Rights in Bulk
User rights can be managed by downloading/uploading a CSV file of all users or roles. Use this feature if you have multiple projects that should have the same user setup.
The User Access Dashboard
The User Access Dashboard should be reviewed at least every six months. The User Rights Dashboard will give you an overview of the users for each project where you have User Rights access. To see your User Access Dashboard, navigate to the REDCap Home Page when you are logged in and click the link at the top of the page:
