VCU REDCap Project Access Policy

REDCap Security Update - User Expiration Dates In Projects

Summary: Access to individual REDCap projects will require at least annual action by project owners.

This REDCap security requirement requires an expiration date be established for all REDCap users within each project. Expiration dates cannot extend beyond 1 year (365 days) into the future. The expiration date is managed within the User Rights area in each REDCap project and can be modified by those REDCap users who have “User Rights” privileges.

Reason for the Change: The expiration date of one year aligns with the VCU Password Authentication and Access Standard requirement that passwords must be changed every 365 days at a minimum, abides by information security guidelines, and adheres to the principle of least privilege.

Important Note: To help address this new security requirement while minimizing administrative burden, expiration dates for all users will be addressed initially by the VCU REDCap team, in an automated fashion, by following the rules listed below:
  1. REDCap users who have no expiration date (null) will have an expiration date set to 365 days from the “current date”. The “Current date” is the date the automated updating of expiration dates occurs.
  2. Users who have an expiration date extending beyond the 365 day limit (e.g. an expiration date set for 1/1/2030) will have an expiration date set to 365 days from the “current date”.
  3. Users who have an expiration date that has lapsed (expired) will see no change to the expiration date and that user will not have access to that REDCap project.
  4. Users who have an expiration date 365 days or less from the “current date” will see no change in expiration date.
Project Owner Responsibilities
A project owner is defined as any individual who has User Rights permissions within a given REDCap project. It is recommended that project owners follow these guidelines to ensure appropriate access and permissions are set for all users.
  1. Review all permissions for all users within your REDCap project(s) and ensure appropriate permissions are set.
  2. Update expired users by either deleting the user from the project or assigning an appropriate expiration date.
  3. When updating expiration dates, please note that only dates between 7 and 365 days from “today” will be available for selection. This is intended functionality.
  4. All project owners will be emailed alerts periodically to inform them of REDCap users who have expiration dates coming due. Alerts at 30 days, 7 days, and 1 day prior to expiration will be sent.
  5. If an expiration date lapses prior to updating for a particular user, that user will be locked out of the project until the expiration date is updated appropriately.
  6. If a project owner is locked out they may contact for assistance.
Frequently Asked Questions
Q: How do I set a REDCap user's expiration date?
A: Instructions below:
  1. Go to the "User Rights" page on the left-menu
  2. Set the Expiration date by clicking the Expiration date in the Expiration Date column
  3. Alternatively, left-click the user's eID username, edit privileges, and set an expiration date.
Q: How do I change my REDCap email notifications inbox when a project user's access is expiring in 30 days, 7 days, and 1 day?
A: The REDCap Access notifier will notify your Primary Email Address which can be found in your "My Profile" page at ... rofile.php or the top-right menu option "My Profile" in the REDCap home screen. Edit your "Primary email" and Save Basic Info.

Q: How do I turn off the REDCap email notifications when a project user's access is expiring in 30 days, 7 days, and 1 day?
A: At the moment there is no option to turn off access expiration email notifications.