Users Roles

In a medical device quality system, who can view, edit, approve, and sign records is a regulated decision, not just an IT setting. FDA 21 CFR Part 11 expects access limited to authorised individuals and an audit trail that attributes every action to a real person. ISO 13485:2016 Clause 6.2 ties responsibilities to defined competence. Electronic records under both frameworks only hold up when the system can show exactly who did what, and when.

A defensible access model usually rests on a few principles:

  • Give every user a personal account and never a shared login, so each action stays attributable for Part 11 audit trails
  • Assign access by role rather than per person, mapping each role to the responsibilities it genuinely needs
  • Apply least privilege: grant the minimum rights a role requires, and widen them only when there is a reason
  • Separate duties, so the person who authors a document is not the only one who approves it
  • Scope access to the project or area where someone actually works, instead of granting system-wide rights by default
  • Control onboarding and offboarding, so a departing user is deactivated and their open tasks, approvals, and roles are reassigned rather than orphaned
  • Review access on a schedule to catch role creep before an auditor does

Handled this way, access control protects record integrity and leaves a clean, attributable history of every quality action.

The whitepaper below shows how qmsWrapper manages users, roles, and permissions for medical device teams.
