Users, Roles & Security

Candid has a very granular and customizable, role-based permissions system.

All system actions and behavior are controlled by a user’s assigned System Role in tandem with their assigned Analysis Team Role. These two levels of security govern all behavior in the system.

System Role: governs your actions across the system.
Analysis Team Membership Role: governs what you can do and see on a given analysis.
Review Period Membership allows a user to participate in a TFL Review.

System Roles

Every user in Candid is assigned a System Role that contols what they are allowed to see and do in the system. Examples of actions in this category include managing settings and starting new Analyses.

Default System Role	Description
Administrator	Users who oversee the application. They support, maintain, train, and can perform all actions in the system.
Statistician	Users who write the Statistical Analysis Plans (SAPs) and act as the project manager for analyses.
Programming Manager	Users who manage Programmers and programming assignments.
Programmer	Users who implement the SAPs and write SAS code to produce TFLs.
User	System users who are not members of Biometrics and do not review TFLs. Users in this role can be an Observer or a Reviewer in a TFL Review Period.
Anonymous	Users who are not logged into the system.

Analysis Team Membership Roles

Analysis Team Roles govern your actions on an Analyses when you are on the team. Example of actions in this category are managing the Analysis team and scheduling review periods.

Default Analysis Team Role	Description
Statistician Owner	Statistician primarily responsible for the SAP and overseeing the schedule of an Analysis.
Programmer Owner	Primary programmer responsible for producing TFLs for an Analysis. Typically oversees the programming team assigned to the Analysis.
Programmer	Default role for any Programmer assigned to an Analysis team.
Observer	A user who is not a Biostats Team Member (e.g. Programmer or Statistician). Observers can access the Completed TFL Index.

Note

Open the Permissions page under Candid's Help menu to see all the Permissions in your environment.

Review Period Membership

Access to Review Periods is done on each Review Period's Administration page.

Summary of Candid's behavior when editing the Review Team:

Any user in the system can be added to a review team.
Adding a user to a review team will automatically add them as an Observer on the analysis team (if the user is not already on the team).
Review Period team is automatically added to the next Review Period during its setup.

View User Accounts

From the main menu click Help to expand the list.
Click the User List link.

Note

This user list shows only those that are in the current organizationl context (shown in the upper left corner of the page under the user's name and role).

Authentication

Candid supports three authentication modes: Windows Authentication, Forms Authentication and Single Sign-on (SSO). For self-hosted environments with Active Directory, we recommend using Windows Authentication mode. For cloud hosting, we recommend using Forms Authentication mode or Okta single sign-on authentication.

Windows Authentication Mode

Candid can be configured to use Windows Authentication when installed inside a company’s network. Users are automatically authenticated when they access Candid and never have to provide a username and password.

Forms Authenticaion Mode

Candid can also be configured to manage user accounts and passwords in Stand Alone mode. When operating in this mode, Candid will manage the accounts and passwords for reach user. Users will be required to enter their username and password when accessing Candid.

Single Sign-On (SSO)

Candid has built-in support for Okta and Azure Single Sign-on.

Open browser and navigate to the Candid home page. A login screen will be displayed.
Enter your username and password to login to Candid.

Updating your password if you are already logged in

Log in to Candid.
Click your name at the top left of the page to open the Profile page.
On the left-hand side, click the Password link.
Complete the form:
Current password
New password
Confirm new password – must match the password you entered into New password
Click the button to complete the process.

Changing your password if you forgot or are accessing Candid for the first time

From the Candid login page, click the Forgot your Password link.
Enter the email address that was used to configure your Candid user account and click the button.
Check your inbox for an email from candid@zeroarc.com (check junk mail if you do not see it, or confirm with your Candid Administrator that your Email Confirmed property is checked for your Candid account).
Click the link in the email you received (in the body of the email click the ‘here’ hyperlink in "Please reset your Candid password by clicking here").
A form will open for you to enter a new password; complete the form and click .
The succesfull password reset page will open, click the click here to log in link.
You will be back at the login page; enter your email address and the new password you just set.

Password Complexity Requirements

When setting your password, the system will display your organization's chosen password complexity requirements for Candid. The default password requirements are to have at least 12 characters and contain at least 2 unique characters.

Azure and Okta Single Sign-on is Supported

For organizations that use Azure or Okta we can configure Candid such that your users can access the application via a chiclet on your Okta application dashboards or other related internal dashboards.

Ask us about this feature for more information.

Troubleshooting Single Sign-on Configurations

Email Address in Candid must match exactly the address used in your company's SSO account.
Recommend user name to match email address before the @ symbol
Email Confirmed property on user's Candid account must be checked Yes as confirmed.