(a) Access controls are integral to computerised systems used in clinical trials to limit system access to authorised users and to ensure attributability to an individual. The security measures should be selected in such a way that they achieve the intended security.
(b) Procedures should be in place to ensure that user access permissions are appropriately assigned based on a user’s duties and functions, blinding arrangements and the organisation to which users belong. Access permissions should be revoked when they are no longer needed. A process should be in place to ensure that user access and assigned roles and permissions are periodically reviewed, where relevant.
(c) Authorised users and access permissions should be clearly documented, maintained and retained. These records should include any updates to a user’s roles, access permissions and time of access permission being granted (e.g., time stamp).