User Rights and Permissions
3.11 User Rights and Permissions
Reading 1
3 / 7
3.11 User Rights and Permissions
User rights are central to both confidentiality and study workflow. Not every team member needs the same level of access. A common mistake in research databases is granting broad permissions for convenience. This may seem efficient initially, but it increases the risk of accidental changes, unauthorized access, inappropriate exports, and difficulty demonstrating compliance during audits.
The principle of least privilege states that users should receive only the access needed to perform their responsibilities. A data entry clerk may need to create records and edit specific instruments but should not be able to modify project design or export full datasets. A study coordinator may need to run reports and review completeness. A monitor may need read-only access. A statistician may need export access but not permission to edit records. A data manager may need broader access to configure the project, manage queries, and support users.
REDCap allows detailed permission settings, including project design rights, data entry rights by instrument, data export rights, report access, user rights management, logging, file repository access, data import tool access, and record deletion permissions. Record deletion should be restricted carefully because deletion can compromise traceability. Export rights should be especially controlled when datasets contain identifiers.
User rights should be assigned through roles rather than individually whenever possible. Role-based configuration is easier to maintain and audit. If ten data clerks require the same permissions, a "Data Entry Clerk" role can be created and assigned to all of them. If responsibilities change, the role can be updated systematically. Roles should be documented in the data management plan.
Training should occur before production access is granted. Users should understand not only how to enter data, but also why individual accounts must not be shared, how to protect passwords, how to handle source documents, how to respond to validation warnings, and how to report access problems. User access should also be reviewed periodically, especially when staff leave the study or change roles.
**Table 3.10: Example REDCap User Role Matrix**
| Role | Typical permissions | Restrictions |
|---|---|---|
| Data Entry Clerk | Create records, edit assigned instruments | No design rights, no full export, no user rights management |
| Study Coordinator | Edit records, run site reports, review completeness | Limited export, no project design changes |
| Monitor | View records and reports, review audit logs if approved | No data editing unless specified |
| Statistician | Export de-identified or approved datasets | No record editing, no user management |
| Data Manager | Manage design, reports, users, exports, quality checks | Activities governed by data management plan |
| Principal Investigator | View dashboards and approved reports | Editing and export rights depend on study policy |