Business Rules

The System Setup module Business Rules feature is used to configure global and program-level system rules for specific types of data entry, and for use of the system as a whole.  Rules set using this feature are as follows:


Required Permissions

Use of the Business Rules feature requires placement in the "Executive Officer" or "System Administrator" user groups - OR - ONE of the following permissions:

  • Display Executive Administration Buttons
  • Permissions Data Entry
  • Permissions Data Entry for All Staff and Layers

- AND -

  • Program Chart Access (required to configure program-level business rules such as e-signature and note/contact editing rules)
  • Business Rules Data Entry (required to open or configure agency-level business rules such as the application timeout value and two-factor authentication)

In addition, if you are working in a divisional database, you must be configured as "Continuum Staff" in the Human Resources module Staff Information feature (using the Payroll Group "Agency" selection list) in order to access and configure global business rules.

Permissions are assigned using the Permissions Maintenance feature.  If you do not have access to that feature and need a permission listed here, please contact your supervisor or your local Help Desk for assistance.


Setting Business Rules

Client Transfers Rules

For agencies using the optional Transfers functionality, transfers can, by default, be dated within the last 14 days or between today's date and the client's admission date if fewer than 14 days ago.  Users with the "Backdated Client Transfers Data Entry" permission can backdate a transfer within the last 45 days by default (or to the admission date, if earlier).  This backdating window can be extended using the Client Transfers Rules feature for the program the client is leaving.  To do so, complete the following steps from the AWARDS Home screen:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.

  2. Click Business Rules.  The Business Rules Menu page is displayed.

  3. Click the Program drop-down arrow and select the program for which the client transfers rules are to be set.

  4. Click Client Transfers Rules. The Client Transfers Rules page is displayed.



 

Included at the top of this page is read-only "Rule Entered By" information reflecting the last user to make a change to the transfer backdating window.

  5. In the Backdate Permit Max field, make changes to the current backdating window as needed.  The default value is 45 days.

  6. Click CONTINUE. The client transfers backdating rules are saved, the rule entered by information is updated, and a read-only report version of the page is displayed.

To make additional changes to the client transfers rules at this time, click DATA ENTRY to return to the Client Transfers Rules page.

The process of setting backdated client transfers rules is now complete.

External Email Functionality Rules

The External Email Functionality rules in AWARDS enable administrators to limit external email communications from AWARDS to specific types of email addresses - work, personal, or either.

 

IMPORTANT! These settings apply to users with employee logins only.  They are not relevant for consumer logins.   Employee email addresses are entered and updated from within the Staff Information, Password & Security, and Notifications features.  These business rules do not limit which types of email addresses can be recorded, but will limit which ones are allowable for various purposes, and will impact which addresses are required during data entry.

To set or make changes to the external email functionality rules for your AWARDS database, complete the following steps from the AWARDS Home screen:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.

  2. Click Business Rules.  The Business Rules Menu page is displayed.

  3. In the "Global Settings for All Programs" portion of the page click External Email Functionality.  The External Email Functionality page is displayed.

  4. Configure or make changes to the rules on this page as follows:

  • Allowable Email Address for Forgot Username or Password - Controls what type of email address can be used when automatic email messages are generated using the Forgot username or Password links on the AWARDS Login page.

  • Allowable Email Address for External Notifications - Controls what type of email address can be used when external notification versions of internal audit messages are automatically generated by AWARDS based on the user's Notifications settings.

Available selections are "Work," "Personal," and "Either."  The default value is "Either."

  5. When all changes are complete, click UPDATE to save.  A read-only confirmation page is displayed with the current rules and updated "entered by" information.

    To make additional changes to the rules at this time, click External Email Functionality to return to data entry mode.

    At this time read-only rules information is also updated within the Password & Security and Notifications features so users are aware of the allowable email addresses when they adjust their settings for those items.  Email field requirements within those features are also adjusted for employee logins accordingly; for example, if you limit notifications to staff "Work" email addresses, each staff member who updates his/her notifications settings will be required to enter a work email address.

The process of setting external email functionality rules is now complete.

Global Electronic Signature Rules

To specify whether programs using electronic signatures in AWARDS (for progress notes, service plans, or standalone FormBuilder forms) can take advantage of the advanced signature input options available to them (signature pads or touch-screen devices), complete the following steps from the AWARDS Home screen:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.

  2. Click Business Rules.  The Business Rules Menu page is displayed.

  3. In the "Global Settings for All Programs" portion of the page, click Electronic Signatures Rules.  The Electronic Signature Rules - Global Settings page is displayed.

  4. From this page, check off one or both of the advanced signing method options; checked options are enabled, unchecked are disabled.

    IMPORTANT!  The signature pad component of the Electronic Signatures functionality is only compatible with Topaz Model T-S460-HSB SigLite 1x5 HSB.  As of 2015, however, we no longer support use of this signature pad hardware, and instead direct agencies to use touch-screen devices.

  • Signature Pad: Topaz 1x5 USB - To allow for signature collection using a Topaz signature pad, check off this checkbox.  When this option is checked, confirm that the correct signature pad plug-in option is also selected:

IMPORTANT!  Whenever you switch plug-in selections in AWARDS using the options detailed here, your users must uninstall the previous plug-in from their computers and install the correct software for the new plug-in.  Those configuration steps happen outside of AWARDS, and you should switch your AWARDS plug-in option once they are complete.

  • SigWeb Plug-In (default) - The latest plug-in from Topaz (available here).  Currently recommended for agencies using Internet Explorer (no longer supported for use with AWARDS) or Chrome.  This plug-in will allow compatibility for Topaz signature pads once support for the current NPAPI plug-in is dropped in the upcoming version of Firefox and Chrome.

IMPORTANT!  Once you have downloaded and installed this plug-in on each user's computer, please visit Topaz's demo site to ensure that it's working on those machines.  If not, please contact Topaz for support before selecting the SigWeb Plug-In option here.

  • NPAPI Plug-In - This was previously the default plug-in (available here) and was used in almost all cases.  It allowed for cross-browser compatibility when using the Topaz signature pad; however, it is being phased out for browsers other than Internet Explorer (which is no longer supported for use with AWARDS), and may prevent you from effectively using signature pads with AWARDS.  When possible, use of the SigWeb Plug-in is recommended instead.
  • ActiveX Plug-In - This is a legacy option that limits use of Topaz signature pads to Internet Explorer (which is no longer supported for use with AWARDS).  It should only be used with configurations that do not work with the default NPAPI plug-in, or the most recent plug-in from Topaz (SigWeb).  If you suspect that you may need to use this option, please contact the Foothold Help Desk for confirmation.

 

  • Touch - By default, signature collection is allowed using touch-screen devices.  Using this feature signatures can be captured using a finger or stylus on touch-screen devices such as tablets, using a touchpad, or even using a mouse on devices that are not directly touch-capable.  To disable this feature, uncheck this checkbox.

Electronic signatures functionality is available for use regardless of whether either of these advanced options has been selected. In all cases, signature images may be manually uploaded and can then be used to sign records with use of a PIN.

  5. The Allow signer to remove date and time stamp checkbox on this page is selected by default.  When checked, each user has the option to de-select the default Date and/or Time stamp options during the signing process in order to prevent the signing date and/or time from being included as part of his/her electronic signature.  When unchecked, users do not have the option to control whether the date/time stamp is a part of their e-signatures; instead, a date and time stamp is automatically applied each time a record of any kind is e-signed by any user in any program.  Check or uncheck this option as appropriate.

  6. Click CONTINUE.  The global electronic signature rules are saved and displayed on a read-only confirmation page.

The process of setting global rules for electronic signatures is now complete.

Individual Program Electronic Signature Rules

When using e-signing for progress notes, groupings, service plans, and/or discharge records, each program's individual level electronic signature rules must be configured to specify whether each type of record can be signed, by whom they can be signed, and within what timeframes.  To configure the electronic signature rules for individual programs when using e-signing for these types of records complete the following steps from the AWARDS Home screen:

This process need only be completed when using e-signing for progress notes, group notes, discharge records, and/or service plans.  The process of setting up standalone FormBuilder forms so that they can be e-signed takes place within the form configuration process discussed here, and the settings below do not apply.  Likewise, these steps do not apply to e-signatures for PlanBuilder Plans and Reviews, which are set up using the PlanBuilder configuration process.

IMPORTANT!  As of February 2019, progress note e-signature configuration maintenance has been replaced by the E-Signatures Configurations feature.  E-signature configuration for progress notes should only be maintained using this legacy Business Rules feature until you have switched over to the new configuration process.

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.
  2. Click Business Rules.  The Business Rules Menu page is displayed.
  3. At the top of the page, click the Program drop-down arrow and select the program for which you would like to configure electronic signatures rules.
  4. Click Electronic Signatures Rules (from the "Program" portion of the page).  The Electronic Signatures Rules data entry page is displayed.

This page is broken into four tabs - one for rules regarding electronically signing progress notes (displayed by default), the others regarding electronically signing service plans, group notes and discharge records, respectively.  (Click each tab to view and work with its respective signing rules.)  You have the option of configuring the rules for any combination of the four.  You can also choose not to set any signing rules for a program if that program does not require the Electronic Signatures functionality.

  5. On the Progress Notes tab, begin by clicking the Signing available to checkbox next to each type of individual who should be allowed to electronically sign notes in the selected program.

    Skip ahead to step 7 if you will not be configuring the program to use electronic signatures for progress notes.

Available signing type options are:

  • Client's Primary Worker - When checked, the primary service coordinator of a client in the selected program (as of the date on which the progress note was written) can electronically sign progress notes for that client in the program.

    Primary worker (service coordinator) information is maintained using the Services module Service Coordinators feature.
  • Note Writer - When checked, users who have written progress notes in the selected program can electronically sign those notes.
  • Note Writer's Work Supervisor - When checked, work supervisors can electronically sign progress notes written by their supervisees in the selected program.

    Work supervisor information is maintained using the Human Resources module Staff Information feature.
  • Program Director and Deputy Program Directors - When checked, the program director and deputies of the selected program can electronically sign the progress notes written in that program.

    Program director/deputy assignments are maintained using the System Setup module, Agency Program Information, Configure Administration feature.
  • Client - When checked, the client for whom a progress note was written in the selected program can electronically sign the note.

    If this is the only progress note "signing available to" option set, clients will only have the ability to sign progress notes if they have AWARDS logins. In order for clients without logins to e-sign, at least one staff member role must also be set up for electronic signatures so that there is a staff person to assist clients with the signing process. 
  6. Next, for each type of signer selected on the "Progress Notes" tab, enter a value in the corresponding Signing Window field, if needed.  The signing window is the number of days within which progress notes can be electronically signed, based on their note dates.  Once a note's date is no longer within the signing window specified here, it cannot be electronically signed by the type of signer for which the window was set.
  7. Click the Service Plans tab, and then click the Signing available to checkbox next to each type of individual who should be allowed to electronically sign plans in the selected program.

    Skip ahead to step 10 if you will not be configuring the program to use electronic signatures for service plans.
     

    Available signing type options are:
  • Client's Primary Worker - When checked, the primary service coordinator of the client as of a plan's done date can electronically sign that plan.

    Primary worker (service coordinator) information is maintained using the Services module Service Coordinators feature.
  • Service Plan Reviewer - When checked, the employee who has been set as the reviewer of a plan in the selected program can electronically sign that plan.

    Reviewer assignments are set using the Update Schedule feature located on the Service Plans index.
  • Service Plan Reviewer's Work Supervisor - When checked, work supervisors can electronically sign a plan in the selected program if one of their supervisees is set as the reviewer of that plan.

    Work supervisor information is maintained using the Human Resources module Staff Information feature.
  • Program Director and Deputy Program Directors - When checked, the program director and deputies of the selected program can electronically sign the plans written in that program.

    Program director/deputy assignments are maintained using the System Setup module, Agency Program Information, Configure Administration feature.
  • Client - When checked, the client for whom a service plan was written in the selected program can electronically sign the plan.

If this is the only progress note "signing available to" option set, clients will only have the ability to sign service plans if they have AWARDS logins. In order for clients without logins to e-sign, at least one staff member role must also be set up for electronic signatures so that there is a staff person to assist clients with the signing process.

  8. Next, for each type of signer selected on the "Service Plans" tab, enter a value in the corresponding Signing Window field, as needed.  The signing window is the number of days within which service plans can be electronically signed, based on their done dates.  Once a service plan's done date is no longer within the signing window specified here, it cannot be electronically signed by the type of signer for which the window was set.

If no value is entered in the Signing Window field for a selected signer type, there is no limitation on the number of days within which discharge records must be signed by that type of signer.

  9. By default, service plans must have been marked as done and a done date must have been entered for them in order for them to be electronically signed by any staff member or client.  To override this default so that permitted users can e-sign plans that are not yet specified as being done, click the Allow Signatures on Plans not yet marked Done checkbox.

    If a user or client e-signs a plan before it is marked as done, the plan itself and all previous plans will be locked, but users with the ability to update the plan schedule will be able to access the schedule in data entry mode, mark it "Done," and enter a Done Date.  Once the updated schedule is saved, those fields will be locked from future editing.

    IMPORTANT!  When this option is selected, any plan signing windows set in step 6 are no longer applicable for plans not yet marked as done, as those windows count the number of days that service plans can be e-signed based on the plan done dates.  In such cases, any user of a role that has permission to sign can sign the plan regardless of date.
  10. Click the Group Notes tab, and then click the Signing available to checkbox next to each type of individual who should be allowed to electronically sign group notes in the selected program.

    Skip ahead to step 12 if you will not be configuring the program to use electronic signatures for group notes.

    Available signing type options are:
  • Note Writer - When checked, users who have written group notes in the selected program can electronically sign those notes.
  • Note Writer's Work Supervisor - When checked, work supervisors can electronically sign group notes written by their supervisees in the selected program.

    Work supervisor information is maintained using the Human Resources module Staff Information feature.
  • Program Director and Deputy Program Directors - When checked, the program director and deputies of the selected program can electronically sign the group notes written in that program.

    Program director/deputy assignments are maintained using the System Setup module, Agency Program Information, Configure Administration feature.
  • Co-Leader - When checked, the co-leader(s) specified for a group during group note data entry can electronically sign the note for that group.

    This option is only available for programs configured to collect co-leader information for group notes.

  11. Next, for each type of signer selected on the "Group Notes" tab, enter a value in the corresponding Signing Window field, as needed.  The signing window is the number of days within which group notes can be electronically signed, based on their note dates.  Once a note's date is no longer within the signing window specified here, it cannot be electronically signed by the type of signer for which the window was set.
  12. Click the Discharge tab, and then click the Signing available to checkbox next to each type of individual who should be allowed to electronically sign discharge records in the selected program.

Skip ahead to step 14 if you will not be configuring the program to use electronic signatures for discharge.

Available options are:

  • Discharge Processed By - When checked, the individual who processes the discharge of a client in the selected program (using the Discharge module's Process Discharge feature) can electronically sign the discharge record for that client in the program.
  • Discharge Processed By's Work Supervisor - When checked, the work supervisor of the individual who processed a discharge in this program (as of the date on which the discharge is processed) can electronically sign that discharge record.

    Work supervisor information is maintained using the Human Resources module Staff Information feature.
  • Primary Worker - When checked, the primary service coordinator of a client in the selected program (as of the date on which the discharge was processed) can electronically sign the discharge record for that client in the program.

    Primary worker (service coordinator) information is maintained using the Services module Service Coordinators feature.
  • Primary Worker's Work Supervisor - When checked, the primary worker's work supervisor (as of the date on which discharge is processed) can electronically sign discharge records processed for clients on their supervisee's workloads in the selected program.

    Work supervisor information is maintained using the Human Resources module Staff Information feature.
  • Program Director and Deputy Program Directors - When checked, the program director and deputies of the selected program at the time of discharge can electronically sign the discharge records for that program.

    Program director/deputy assignments are maintained using the System Setup module, Agency Program Information, Configure Administration feature.
  • Client - When checked, the client for whom a discharge was processed in the selected program can electronically sign the discharge record.

IMPORTANT!  In order for clients to e-sign, at least one staff member role must also be set up for discharge electronic signatures so that there is a staff person to assist clients with the signing process.

  13. Next, for each type of signer selected on the "Discharge" tab, enter a value in the corresponding Signing Window field, as needed.  The signing window is the number of days within which discharges can be electronically signed, based on their discharge dates.  Once a discharge record's date is no longer within the signing window specified here, it cannot be electronically signed by the type of signer for which the window was set.

If no value is entered in the Signing Window field for a selected signer type, there is no limitation on the number of days within which discharge records must be signed by that type of signer.

  14. Click CONTINUE.  The electronic signature rules are saved and displayed on a read-only confirmation page.

Each time electronic signature rules are saved for a program, the rules tabs for that program are updated to reflect who entered the current rules and when. This information appears in both data entry and report modes.

  15. Repeat the above steps until the electronic signature rules are set for all programs that will be using the e-sign functionality.

The process of setting individual program rules for electronic signatures is now complete.

 

Service Records Editing Rules

The System Setup module's Service Records Editing Rules feature is used to set note and contact writing and editing, group activities, and reception desk attendance rules for each program, including default editing windows, backdating windows, and locking rules.

To set the service records editing and sign off rules for a specific program, complete the following steps from the AWARDS Home screen:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.

  2. Click Business Rules.  The Business Rules Menu page is displayed.

  3. Click the Program drop-down arrow and select the program for which the service records rules are to be set.

    To set the rules for multiple programs at once, select one of the "All" program groups as needed, instead of an individual program.

  4. Click Service Records Editing Rules.  The Service Records Editing Rules page is displayed.



    If a program group was selected in step 3, each program in that group is listed separately on this page.  Complete the steps that follow to adjust the business rules for each individual program as needed.

  5. In the Standard Window field, type the number of days during which a note, contact, activity record, or attendance can be entered or edited.  (For example, if the standard window is set to ten days, users can enter and edit notes/contacts dated with today's date or dates in the past ten days, or enter group activities or reception desk program attendance entries going back ten days.)

  6. In the Backdate Permit Max field, type the number of days during which a note, contact, activity record, or attendance can be entered or edited if the user has a backdated data entry permission.

  7. Click one of the Additional Editing Rules (for Progress Notes Only) radio buttons to indicate whether notes should ever be closed and locked from further editing, and if so, when.  Available options are:

    IMPORTANT!  These rules are distinct from electronic signatures which result in a note being locked from further edits at the time it is signed by a specific staff person.  For information on setting electronic signature rules, click here.  For information on signing notes electronically, click here.

  • No Automatic Locking - When selected, progress notes are never locked automatically.  They are only locked when a staff member manually selects the "Lock progress note" option during the progress notes data entry process, or when the note is electronically signed.

    This feature is a global optional enhancement that is turned on by default.  If you would like it to be turned off so that it is no longer available on the note and contact editing rules page, please contact the Help Desk for assistance.
  • Lock Progress Note Immediately - When selected, progress notes are locked immediately after they are written and saved, and they can no longer be edited after that time.

    This rule applies to progress notes and contacts log entries that contain notes, regardless of the location from which those notes are entered (the Employment module Progress Notes feature or the Services - Individual module's Progress Notes or Contacts Log features).
  8. Click the Strike Through drop-down arrow and select "Yes" or "No" to indicate whether strike through is allowed on locked progress notes.  When this option is set to "Yes," a "Strike Through Original Note Text" option is available for amendment purposes when writing a progress note with the same writer, consumer, date, time, note type, and service type of an existing progress note.

    This rule applies to progress notes only, but it does NOT apply to electronically signed progress notes.

  9. Click APPLY RULES.  The service record editing/writing rules are saved and a read-only report version of the rules is displayed on the Service Records Editing Rules Applied As Shown page, along with updated "Rule Entered By" information.

    To make additional changes to the editing/writing rules at this time, click DATA ENTRY to return to the Service Records Editing Rules page.

The process of setting service records editing/writing rules is now complete.



Password Policy Rules

The Password Policy Rules feature in the AWARDS System Setup module's Business Rules component enables management to set agency-wide password rules for logins within their database.  These rules include password expiration settings, requirements for password changes after having a password reset, password composition requirements, and lockout rules. 

To enter or update agency password rules, complete the following steps from the AWARDS Home screen:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.
  2. Click Business Rules.  The Business Rules Menu page is displayed.
  3. Under "Global Settings for All Programs" click Password Policy Rules.  The Password Policy Rules page is displayed.



  4. Configure the fields and options on this page as needed:
  • Require password change on first login - Click this drop-down and select "Do Not" or "Do" to indicate whether a user should be prompted to update his or her password after they successfully log in for the first time (the first time the password is ever used).  The default selection is "Do."

    This does not apply to existing users that log in for the first time after password policy rules are set.
  • Require password change following admin password reset - Click this drop-down and select "Do Not" or "Do" to indicate whether a user should be prompted to update his or her password after it has been reset by a system admin or supervisor.  The default selection is "Do."
  • Require both upper and lower case letters - Click this drop-down and select "Do Not" or "Do" to indicate whether passwords in the database should be required to contain both upper and lower case letters.  The default is "Do."

    When this option is changed from "Do Not" to "Do," existing passwords are grandfathered in and users will not be prompted to update passwords to meet this requirement until they expire or are reset via other methods.

    By default, AWARDS passwords must be between 12 and 64 characters long and contain both letters and numbers.  They are case sensitive and may contain special characters; however, they may not contain the user's login ID or the agency name (in a multi-agency database).

    Special characters include: ! @ # $ % ^ & * ( ) _ + = | < > ? : ;
  • Require special character - Click this drop-down and select "Do Not" or "Do" to indicate whether passwords in the database should be required to contain a special character.  The default is "Do."  Allowed special characters include ! @ # $ % ^ & * ( ) _ + = | < > ? : ;
  • User must change password at least every ___ days - In this field, enter the number of days after which a user's password should expire.  Users will be prompted to change their password upon logging in once the set timeframe is reached, before accessing other AWARDS screens.  The default value is 180.  A value of 0 (indicating that passwords will not expire) is not allowed.
  • Warn user for ___ days before password expires - If a value is set in the option above, in this field enter the number of days before a user's password expires.  They will receive a warning letting them know their password is about to expire.  The warning appears after a user logs in and states, "Your password will expire in __ days.  Change your password soon."  The default value is 5.
  • User may change password at most ___ times per day - In this field, enter the maximum number of times per day a user should be allowed to update his or her password.  The default value is 3.  A value of 0 (which would allow unlimited password changes each day) is not allowed.

    Administrative password resets (those completed by an AWARDS administrator or supervisor) are not counted toward the daily password change total.
  • New password must be different than previous ___ passwords - If a user's new password should not be the same as a previously used password, click this drop-down and select 1, 2, 3, or 4 to indicate how many of the previous passwords should be unique.  The default value is 3.  A value of 0 (which would allow for immediate reuse of the previous password) is not allowed.
  • Lockout user after ___ failed attempts for ___ minutes - By default, AWARDS locks out a user after 10 failed attempts for 10 minutes.  Use these fields to adjust either the number of failed attempts before a user is locked out and/or the number of minutes they are locked out.

    Administrative password resets (those completed by an AWARDS administrator or supervisor) reset the lockout clock.
  1. Click UPDATE.  The Password Policy Rules confirmation page is displayed.

The process of entering password rules is now complete.
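The default password rules described in this section, written out as a pre-check (an added example, not AWARDS code). The function name, the salted PBKDF2 history store and the case-insensitive containment test are assumptions made for illustration.

```python
import hashlib
import hmac

# Special characters listed on this page.
SPECIAL = set("!@#$%^&*()_+=|<>?:;")


def _digest(password: str, salt: bytes) -> bytes:
    # Slow salted hash, so the stored history never holds plaintext (assumed design).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password, login_id, agency_name=None, *,
                   require_special=True, history=(), history_depth=3):
    """Return a list of rule violations; an empty list means the password passes.

    history is a newest-first sequence of (salt, digest) pairs.
    """
    problems = []
    if not 12 <= len(password) <= 64:
        problems.append("length must be 12-64 characters")
    if not any(c.isalpha() for c in password):
        problems.append("must contain a letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a number")
    if require_special and not any(c in SPECIAL for c in password):
        problems.append("must contain a special character")
    lowered = password.lower()
    # Assumption: containment is tested case-insensitively; the page only says
    # the password may not contain the login ID or the agency name.
    if login_id and login_id.lower() in lowered:
        problems.append("must not contain the login ID")
    if agency_name and agency_name.lower() in lowered:
        problems.append("must not contain the agency name")
    # Compare against the most recent history_depth passwords only.
    for salt, old in list(history)[:history_depth]:
        if hmac.compare_digest(_digest(password, salt), old):
            problems.append("matches one of the previous passwords")
            break
    return problems


# Constructed sample data (not a real account).
_SALT = b"constructed-salt"
SAMPLE_HISTORY = [(_SALT, _digest("Winter2023!river", _SALT))]
```
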

 

Application Timeout Value

As part of its security functionality, the AWARDS system will "time out" a user after a set period of inactivity, causing him or her to "re-authenticate" (sign on to the application again).  The Set the Timeout Value feature is used to set or change the amount of time the system is inactive before it times out the user.

After the user is timed out, he or she is asked to login again when next clicking a button in AWARDS.  Once re-authentication is complete, the user is returned to the previous page with his or her data still intact.

To set the application timeout value, complete the following steps from the AWARDS Home screen:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.
  2. Click Business Rules.  The Business Rules Menu page is displayed.
  3. Click Set the Timeout Value.  The Inactivity Time Out Setting page is displayed.



  1. In the Time Out Value field, enter the timeout value in minutes.  The time out value entered here applies to all programs within the agency or continuum.
  2. Click SAVE.  The timeout value is saved and the updated Inactivity Time Out Setting page is displayed.

The process of setting the application timeout value is now complete.

 

Two-Factor Authentication Rules

The AWARDS Two-Factor Authentication Rules feature, configured within the database's Business Rules, adds another layer of security to complex passwords and good user behavior by creating a token on a personal iOS or Android mobile device that must be used to log in.  If, with two-factor authentication enabled in your AWARDS database, a password was compromised and an attacker attempted to log in, they would be unable to generate the required code without access to the associated mobile device.

A token is an authenticator in the form of a mobile device, where the user's interaction proves that the user physically possesses the device.  The token is used in addition to a password.  It acts like an electronic key to access confidential data.

IMPORTANT! Consumers are responsible for securing their own protected health information. Two-factor authentication only applies to STAFF logins. CONSUMER logins are exempt in order to ensure that consumers are able to access their data without requiring a mobile device for authentication purposes.

Getting Started with Two-Factor Authentication

To make enabling two-factor authentication as seamless as possible, system administrators have the ability to enable the feature ahead of enforcing it, thus ensuring users have an opportunity to configure it before potentially being locked out of AWARDS.  Further, in getting started with two-factor authentication, we recommend system administrators utilize the following workflow, allowing 1 to 2 weeks for the full process to be completed.

IMPORTANT! Steps 1 and 2 can be completed in whatever order you prefer; however, they should be completed as close to simultaneously as possible.

  • STEP 1:  Set "roll out" and "go live" dates and communicate the upcoming change with your users - We recommend an initial period of 1 to 2 weeks for users to get set up with and enroll in two-factor authentication.  Choose the date on which you'll begin the roll out period, and then use the recommended timeframe to determine your go live date.  Once you have both dates chosen, communicate that and the details of the change to all staff users with AWARDS logins.  (Consumer logins are not impacted by two-factor authentication.)

Click here for a sample announcement you can customize and send to your users. 

  • STEP 2:  On the roll out date turn on two-factor authentication in AWARDS, but don't yet "enforce" it - This is the kick-off to your two-factor enrollment/grace period.  Complete the configuration process, detailed under Configuring Two-Factor Authentication in AWARDS, below.  During this process, be sure to set the two-factor setting to "On - Not Enforced."  When you're done, two-factor enrollment will be enabled, letting users begin to get set up; however, users who do not do the setup immediately will not be locked out of AWARDS.
  • STEP 3:  Confirm user enrollment ahead of the go live date and follow up if needed - Just before the go live date we recommend checking in to see how many of your users have completed the enrollment process.  To do so, run the Employee ReportBuilder including a minimum of "Name" and "Two-factor Configured" data variables.  (The two-factor data variable is located in the "User Login Information" portion of the ReportBuilder's options page.)  Use the ReportBuilder's filter, display, and summary options to get a detailed picture of enrollment efforts to date.  If you find that not everyone is ready for go live, some targeted follow up communication and/or reminders may be needed.
  • STEP 4:  Flip the switch / begin enforcement on your go live date - Update your two-factor authentication settings in AWARDS using the process detailed under Configuring Two-Factor Authentication, below.  During this process, be sure to change the two-factor setting to "On - Enforced."  From this point forward existing users will no longer be able to login to AWARDS without using two-factor and will be prompted to re-authenticate upon first login, and new users will be prompted to enroll upon first login.

That's it, you're now good to go with two-factor authentication! Congratulations on taking this important step toward further securing your AWARDS database against unauthorized access!

Looking for frequently asked questions about two-factor authentication? Click here.

Configuring Two-Factor Authentication in AWARDS

To configure two-factor authentication, whether turning it on or changing settings, complete the following steps from the AWARDS Home page:

  1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.
  2. Click Business Rules.  The Business Rules Menu page is displayed.
  3. Under "Global Settings for All Programs" click Two-factor Authentication Rules.  The Two-factor Authentication Rules page is displayed.

Included at the top of this page is read-only "Two-factor Configured By" information reflecting the last user to make a change to the two-factor authentication settings.

 



  1. Configure the fields and options on this page as follows:
  • Two-factor Authentication - Click this drop-down arrow and make a selection to indicate whether two-factor authentication is enabled in your AWARDS database.  Available selections are:

    IMPORTANT!  During the initial implementation period for two-factor authentication, detailed using the Getting Started workflow steps listed above, be sure to select "On - Not Enforced."  Upon completion of the startup grace period, change this selection to "On - Enforced."
    • Off - Not Enforced - The default value.  When selected, two-factor user enrollment is NOT enabled and the two-factor authentication feature is NOT enforced.  Database access is dependent ONLY on the password.

    • On - Not Enforced - To be used during the initial two-factor authentication configuration / getting started period.  When selected, two-factor enrollment is enabled, letting users configure two-factor authentication; however, users who have not yet done the setup will not be locked out of AWARDS.

      As noted in the suggested Getting Started workflow steps listed above, we recommend using the "On - Not Enforced" option for a period of one to two weeks to give users a grace period to enroll in two-factor authentication.  After that time the setting should be changed to "On - Enforced."

    • On - Enforced - The highest level of security for your database.  When selected, two-factor authentication is turned on AND enforced.  New and existing users are presented with the user setup option once, and then moving forward upon AWARDS password reset.

  • Authentication Type - Click this drop-down arrow and make a selection to indicate which two-factor authentication type is enabled in your AWARDS database. Available selections are:

    • Authenticator App - This requires your users to use Google Authenticator. This is the default selection until changed.

    • Email - This can be set as the default for your agency. Users must have their work email address entered in order for this option to be set up for them.

  • Remember Device for ___ days - In this field, type a value between 1 and 90 to set a period for which the device used to access AWARDS will be remembered.  Users who have successfully enrolled in two-factor authentication will have to re-enter authentication upon expiration of this period.  The maximum allowed value is 90 days.

  1. Click UPDATE to apply your changes.  A read-only confirmation page of the newly applied two-factor authentication rules is displayed.

    To make additional changes to the two-factor authentication rules at this time, click Return to Data Entry to re-open the page in data entry mode.

 

The process of configuring two-factor authentication is now complete.

 


Frequently Asked Questions

Business Rule Basics

  • Is there a report on which I can see all business rule settings?

No, at present business rule settings can only be reviewed from within the data entry interface and/or the corresponding confirmation pages.

  • Who can access global business rule settings in a divisional database?

Because global business rules impact every program in every agency in the database, their configuration in divisional databases is limited to individuals specified as "Continuum Staff" in the Human Resources module Staff Information feature (using the Payroll Group "Agency" selection list).

 

Two-Factor Authentication

  • Are any users excluded from two-factor authentication?

Yes, two-factor authentication only applies to STAFF logins.  CONSUMER logins are exempt in order to ensure that consumers are able to access their data without requiring a mobile device for authentication purposes.  Consumers are responsible for securing their own protected health information.

  • How are authentication devices remembered?

Devices are remembered when a user accesses AWARDS from the same browser and device.  If a user is using the same device and a different browser, or the same browser in private or incognito mode, re-authentication is required.

  • What happens if a user can't enroll in two-factor right away during the agency's roll out period?

Each time a user logs in to AWARDS on or after the roll out date set by your agency for two-factor authentication, he/she will be shown an enrollment pop-up until the enrollment process has been completed.  When the user sees this pop-up he/she can either choose to go ahead with the process, or temporarily bypass it and continue into AWARDS.  The Bypass & Proceed to AWARDS option will be available for a grace period of your agency's choosing (typically one to two weeks).  At the end of that period your agency will want to change the setting to "Enforced," in which case users will be forced to complete the enrollment process or they will not be able to login to AWARDS.

  • Why is a user being asked to authenticate again?

Authentication is required when ANY of the following are true:

  • The user has reached the number of days allowed by your agency for “remembering” the device (a maximum of 90)
  • The user has reset his/her password in AWARDS under Password & Security
  • The user's password has been reset by a supervisor or AWARDS administrator using Password Reset
  • The user cleared his/her browser's cookies
  • The user is using a different device/browser combination or using his/her browser in private/incognito mode
  • Your agency's two-factor go live date has been reached (requiring users to re-authenticate upon first login afterward)

  • What happens if a user gets a new authentication device?

In order to change the device being used for two-factor authentication a user must change his/her AWARDS password under Password & Security - OR - have an authorized staff member reset the password using Password Reset.  Once the password has been reset the user will be asked to authenticate from the new device upon logging into AWARDS.

Resetting a password using the Forgot Password feature on the AWARDS login page does NOT reset two-factor authentication setup.
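The re-authentication triggers listed above can be modelled with a signed "remembered device" cookie. The sketch below is an added example, not AWARDS code: the cookie layout, the server key, the `password_version` counter (assumed to be bumped by a Password & Security change or an administrative Password Reset) and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # placeholder; a real key is random and secret
REMEMBER_DAYS = 30                    # the page allows a value from 1 to 90
DAY = 86400


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_device_cookie(user: str, password_version: int, now: int) -> str:
    """Create the cookie stored in the browser after a successful second factor."""
    payload = json.dumps({"u": user, "pv": password_version, "iat": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def needs_second_factor(cookie, user, password_version, now, go_live=None):
    """Return why re-authentication is required, or None if the device is remembered."""
    if not cookie:
        return "no cookie (different browser, private mode, or cookies cleared)"
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return "malformed cookie"
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return "bad signature"
    data = json.loads(payload)
    if data["u"] != user:
        return "cookie issued to another user"
    if data["pv"] != password_version:
        return "password was changed or reset"
    if now - data["iat"] > REMEMBER_DAYS * DAY:
        return "remember-device period expired"
    if go_live is not None and data["iat"] < go_live <= now:
        return "first login after go-live date"
    return None
```

Because the cookie lives in one browser profile, a different browser or a private window presents no cookie at all, which matches the behaviour described in the FAQ.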



Other Helpful Resources

Videos & Training Demonstrations



 

Related Documents

 

FootholdConnect Event Recordings

A quick look at commonly used hardware solutions for agencies implementing (or upgrading) electronic signatures functionality.  (November 2018)

 
