Authentication and Authorization

Antigen Plus provides a multi-layered approach to authentication and authorization, ensuring that only authorized users can access the system and that each user has appropriate permissions based on their role. This section describes the authentication methods, user account management, role-based access control, and security policies available in Antigen Plus.

Authentication Overview

Antigen Plus authenticates and authorizes users within the application itself, providing two different methods for user authentication:

  1. Windows Active Directory Authentication - Users are identified by their Windows login
  2. Username and Password Authentication - Users login with credentials maintained within Antigen Plus

These methods can be used exclusively or in combination, providing flexibility for different organizational security requirements.

Authentication Methods

Windows Active Directory Authentication

Windows Active Directory authentication is the default and most commonly used method. In this mode:

  • Users are identified automatically by their Windows login
  • No additional authorization is required at application startup
  • New accounts can be created automatically when enabled
  • This method simplifies user management by leveraging existing Windows credentials

Automatic Account Creation:

If Automatically create accounts from Windows logins is checked in the Maintain Accounts window, new Antigen Plus accounts will be created automatically whenever a new Windows user launches the software.

Per-User Control:

Windows Active Directory authorization can be enabled or disabled for individual users using the Login automatically from Windows account checkbox in the Account Settings window.

Username and Password Authentication

If Windows Active Directory authorization fails, is disabled, or the user logs out of the software, the user will be presented with a username/password dialog box to login.

Important Security Considerations:

  • Passwords are maintained within Antigen Plus itself
  • Application passwords are distinct from Windows account passwords
  • Each user can change their own password
  • Administrators can override user passwords if needed

Requiring Explicit Login:

If your site wants to require a separate username/password login each time Antigen Plus is launched, this can be accomplished by:

  1. Unchecking the Automatically create accounts from Windows logins box in the Maintain Accounts window
  2. Unchecking the Login automatically from Windows account box or deleting the user’s Windows account from the Account Settings window

User Account Management

User accounts in Antigen Plus are managed through the User Menu, which provides comprehensive account management capabilities. Only administrators have access to all account management features.

Account Management Functions

Change Password:

  • Any user can change their own password at any time
  • Password changes can be overridden by an administrator

Account Settings:

  • Users can change their name and password
  • Administrators can assign administration rights
  • Administrators can enable or disable accounts
  • New users cannot log in until added by an administrator or automatically created via Windows authentication

Switch User:

  • Logs the current user out and prompts for new credentials
  • Allows database selection at login
  • Current work is preserved and reappears when the original user logs back in

Maintain Accounts (Administrator Only):

  • Create, modify, and manage user accounts
  • Configure Windows Active Directory integration
  • Set user roles and privileges
  • Enable or disable user accounts
  • View all users and their access levels

Account Lifecycle Management

Creating Accounts:

  • Administrators can manually create accounts using Add in the Maintain Accounts window
  • Accounts can be automatically created from Windows logins when enabled
  • Each account must be assigned a role (privilege level)

Disabling Accounts:

  • Users who have saved work in the database cannot be deleted
  • To remove such users, disable their accounts by unchecking Enabled in Account Settings
  • Disabled users remain visible on saved work-ups for audit purposes
  • Users who have not saved any work can be deleted completely

Password Management:

  • Users without Windows authentication must be assigned a password
  • Password requirements can be configured via Security Settings
  • Administrators can reset user passwords as needed

For detailed information about account management procedures, see the User Menu in the User Guide and Authenticating Users documentation.

Role-Based Access Control

Antigen Plus implements a four-tier role-based access control (RBAC) system that provides appropriate levels of access based on job responsibilities. This follows the principle of least privilege, ensuring users have only the permissions necessary to perform their duties.

The Four Privilege Levels

1. Administrator

Administrators have full system access and management capabilities:

System Management:

  • Maintain user accounts and access privileges
  • Configure system-wide options and settings
  • Set custom exclusion criteria
  • Customize default results columns
  • Configure specimen number requirements

Data Management:

  • Save panels
  • Review panels tested by themselves or other technologists
  • Remove reviews
  • Add suppliers
  • Edit cells
  • Edit all patient information (full PHI access)

Configuration Access:

  • Modify system options (General, Search, Printing)
  • Configure analyzer connections
  • Set security policies and timeout parameters
  • Manage backup and restore operations

2. Full Access

Full access users have comprehensive operational capabilities without system administration rights:

Operational Capabilities:

  • Save panels
  • Review panels tested by other technologists
  • Add suppliers
  • Edit cells

Data Access:

  • Cannot edit patient information
  • Can add phenotypes to existing patients
  • Can view patient information as needed for testing

Limitations:

  • Cannot modify system-wide settings
  • Cannot manage user accounts
  • Cannot change security policies

3. Save Panels

This is the standard privilege level for laboratory technologists:

Capabilities:

  • Search for appropriate cells
  • Select cells for panels
  • Enter test results
  • Save panels and worksheets

Typical Use Case:

  • Day-to-day testing operations
  • Routine antibody identification work
  • Standard laboratory workflow

4. Read Only

The most restrictive access level, suitable for training or review purposes:

Capabilities:

  • Search for cells
  • Select cells for panels
  • Enter test results (for practice or demonstration)

Limitations:

  • Cannot save any work
  • All entered data is lost when the application closes or work is cleared

Typical Use Case:

  • Training new staff
  • Demonstration and education
  • Auditors or observers who need to see the system

Security Principle

The four-tier RBAC system implements defense in depth by ensuring:

  • Users have only necessary privileges for their role
  • Sensitive operations (user management, system configuration) are restricted to administrators
  • Patient information can only be fully edited by administrators
  • Audit trails are maintained for all saved work
  • Clear separation of duties between roles

Password Policies and Security Settings

Antigen Plus provides configurable security settings that allow administrators to enforce password policies and session security appropriate for their environment.

Password Configuration Options

Administrators can configure password requirements through the Security Settings window (available in the User Menu). The following password policies can be enforced:

Password Requirements:

Organizations can configure requirements for:

  • Minimum password length
  • Password complexity rules
  • Password expiration
  • Prevention of password reuse

Best Practice Recommendations:

  1. Strong Passwords: Require minimum 8-character passwords with complexity requirements
  2. Regular Changes: Consider password expiration policies for high-security environments
  3. Unique Passwords: Ensure Antigen Plus passwords are distinct from other system passwords
  4. No Sharing: Enforce policies against password sharing between users

Security Timeout Settings

Automatic Application Exit:

The Security Settings window allows configuration of automatic timeout:

  • Check Exit the Application after [X] minutes of inactivity
  • Set the desired time parameter (in minutes)
  • When triggered, the application shuts down automatically
  • Work in progress is preserved and reappears when the user logs back in

Security Benefits:

  • Prevents unauthorized access to unattended workstations
  • Ensures PHI is not left visible on unattended screens
  • Complies with HIPAA and organizational security policies
  • Works with both Windows authentication and manual password modes

Implementation Considerations:

  • Set timeout values appropriate for your workflow
  • Shorter timeouts increase security but may impact productivity
  • Typical values range from 5-30 minutes depending on environment
  • Consider shorter timeouts in shared workstation environments

Session Management

Unlike web-based applications, Antigen Plus is a native Windows application and does not use browser-based sessions. However, it implements similar security controls:

User Session Control:

  • Switch User function allows users to change without closing the application
  • Current work is preserved per user
  • Each user session is independent
  • Audit logs track all user sessions and activities

Automatic Logout:

  • Configurable inactivity timeout automatically exits the application
  • User must re-authenticate to continue work
  • Preserves work in progress for the logged-out user
  • Prevents unauthorized access to unattended systems

Work Preservation:

  • Unsaved work remains associated with the user who created it
  • When a user logs back in, their work in progress is restored
  • This applies to Search, Selected Cells, and Results Worksheets
  • Multiple users can work independently on the same workstation

User Activity Logging and Audit Trail

Antigen Plus maintains comprehensive audit logs for security monitoring and compliance purposes.

User Activity Log

What Is Logged:

  • All user login and logout events
  • All activity involving patient information (PHI)
  • Timestamp and user identification for all logged events

Accessing the Log:

  • Available through View User Activity Log in the User Menu
  • Only administrators can access the activity log
  • Log can be exported in CSV format for external analysis
  • Useful for security audits, compliance reporting, and incident investigation

Security and Compliance Benefits:

  • HIPAA compliance - tracks all access to PHI
  • Accountability - associates all actions with specific users
  • Incident response - provides forensic data for security investigations
  • Audit support - demonstrates access controls are functioning

Saved Work Audit Trail

Panel and Worksheet Tracking:

  • Every saved panel records the user who created it
  • Timestamps for panel creation and modification
  • Patient information edits are logged with:
    • User who made the change
    • Date and time of edit
    • Reason for the edit (required field)

Data Retention:

  • Saved panels are retained for a minimum of 10 years
  • Panels cannot be deleted until they are at least 10 years old
  • This ensures long-term availability for patient history and audits
  • Supports regulatory requirements for laboratory record retention

Security Best Practices for Authentication and Authorization

  1. Principle of Least Privilege:

    • Assign the minimum role necessary for each user’s job function
    • Use Read Only access for training and demonstration
    • Limit Administrator privileges to authorized IT and management staff

  2. Access Review:

    • Regularly review user accounts and privileges
    • Disable accounts for departed employees immediately
    • Audit administrator access quarterly
    • Remove unnecessary accounts

  3. Password Management:

    • Enforce strong password policies through Security Settings
    • Never share passwords between users
    • Change default passwords immediately
    • Consider password expiration for high-security environments

  4. Session Security:

    • Enable automatic timeout in shared workstation environments
    • Set timeout values appropriate for your security requirements
    • Train users to use Switch User rather than leaving workstations unlocked
    • Consider shorter timeouts (5-10 minutes) in high-traffic areas

  5. Monitoring and Auditing:

    • Regularly review the User Activity Log
    • Investigate suspicious login patterns
    • Export logs periodically for long-term retention
    • Include log review in security incident response procedures

  6. Windows Integration:

    • Use Windows Active Directory authentication when possible
    • Leverage existing Windows password policies
    • Ensure Windows accounts are properly secured
    • Coordinate Antigen Plus access with Windows account lifecycle

Authentication Security Checklist

Use this checklist to ensure proper authentication security:

  • Authentication method selected (Windows AD vs. manual passwords)
  • Windows AD automatic account creation enabled/disabled as appropriate
  • Administrator accounts identified and configured
  • All users assigned appropriate privilege levels
  • Password policies configured in Security Settings
  • Automatic timeout enabled and set appropriately
  • User Activity Log reviewed regularly
  • Process established for onboarding new users
  • Process established for disabling departed user accounts
  • Training provided on Switch User functionality
  • Password sharing prohibited in organizational policy

Integration with Database Security

Authentication and authorization in Antigen Plus works in conjunction with database security:

Database-Level Access:

During first use and upgrades, Antigen Plus needs db_owner access to the database in order to install the database schema. Once the database schema has been initialized, use of the software requires db_datareader and db_datawriter access.

For cloud databases, database access is handled automatically. For on-premises database installations, database access is the resposibility of the customer.

  • Database access is controlled separately via SQL Server permissions
  • When initializing or upgrading an on-premises databases, make sure that the user launching Antigen Plus has db_owner access to the Antigen Plus database.
  • Everyday users should have db_datareader and db_datawriter access to the Antigen Plus database.
  • Consider using Active Directory groups for SQL Server authentication
  • See Deployment Security for database security details

Application-Level Access:

  • Once database access is granted, Antigen Plus handles user authentication
  • Application roles (Administrator, Full Access, etc.) control what users can do
  • This provides defense in depth - both database and application security layers

Coordination:

  • Ensure database access and application access are managed together
  • Removing a user requires actions at both the database and application level
  • Consider using the same Active Directory groups for both layers

For complete information on user account management procedures, see: