18. Authentication
clearPath controls access through three layers:
Users — the individual accounts that log in.
Roles — the permission sets that say what a user can do.
Auditor Groups — optional groupings that let you report on observations by the team of auditors that recorded them.
Plus a security add-on that applies across all three:
Two-Factor Authentication — a second sign-in challenge for users you want to protect more strongly.
18.1. Password Requirements
Every user account is protected by a password that must meet your account’s password policy. The policy is made up of a minimum length and a set of character-class rules. The defaults are:
Minimum length: 8 characters.
At least one uppercase letter (A–Z).
At least one lowercase letter (a–z).
At least one number (0–9).
At least one symbol (for example !, @, #, $, %).
Administrators can tighten these rules for their account. Raising the policy does not invalidate existing passwords; users are held to the new rules the next time they change their password.
18.1.1. Password Strength Meter
As a password is typed, clearPath scores it and shows a strength indicator using one of five bands:
Very Weak
Weak
Good
Strong
Very Strong
The score combines the password’s length, the mix of character types
used, and the absence of obvious weak patterns such as long runs of
repeated characters or simple sequences. A password that only just
clears the minimum requirements may still score low — aim for
Good or higher.
Tips for a strong password:
Use a passphrase of three or more unrelated words instead of a single word with substitutions.
Mix uppercase, lowercase, numbers, and symbols.
Avoid names, dates, and words that appear in your profile.
Do not reuse a password from another service.
Passwords are never stored in a form anyone can read. For details on how they are protected, and for the full set of security features (two-factor authentication, failed-login auto-blocking, the blocked IPs list, and the threat map), see Security.
18.2. Users
To open the Users list, go to Account | Users | User Accounts.
Each row is one user account with the columns you would expect (name, username, email, role, status, last sign-in).
18.2.2. User Editor
Click a user (or pick Edit from the row menu) to open the
editor. Information is grouped into tabs.
18.2.2.1. General
Basic profile information — name, title, email address, role, facility and unit assignment.
18.2.2.2. Login
Sign-in settings — username, password reset, and the Two-Factor
Authentication toggle (see Two-Factor Authentication).
18.2.2.3. Certification
Records the user’s certification as an auditor: the certification date, expiry, and any renewal notes. Reports and the Hand Hygiene Sessions list read this information when reporting on certified vs. non-certified observations.
18.2.2.4. Kiosk
Configures the user as a kiosk-only account that can show the dashboard on a shared screen but cannot otherwise change data.
18.2.2.5. Dates
Account start and end dates, used together with the role’s
Auto Expire setting to automatically disable users whose
term has ended.
18.3. Roles
clearPath controls what a user can do through Roles. Every user is assigned exactly one role; the role’s permissions and unit assignments decide the pages, actions, and units the user can reach.
Typical out-of-the-box roles:
HH Administrator — full access to hand-hygiene configuration, reporting, and auditing.
HH Observer — can record audits but cannot change configuration.
You can define as many additional roles as you need.
To open the Roles list, go to Account | Users | Roles.
18.3.1. Row Action Menu
Click the three-dot icon at the end of any row:
Edit — opens the Role Editor.
Delete — permanently removes the role after a confirmation prompt. A role with users still assigned to it cannot be deleted until those users are reassigned.
18.3.2. Role Editor
The role editor is organized into six tabs.
18.3.2.1. General
Active Role — toggle the whole role on or off. Disabling a role prevents every user in it from signing in. Useful for seasonal contractor accounts.
Role Type — Standard (recommended for auditor-only accounts) or Administrator. Administrator roles can reach configuration pages that Standard roles cannot.
Auto Expire Accounts — automatically disables users in this role once the expiry date on their profile passes.
Allow Logins — if disabled, nobody in this role can sign in. Used to lock out a role without disabling each user individually.
Allow Audit Backdating — lets users in this role enter a previous date when starting an audit in cp2go.
Warning
Set auditor-only roles to Standard. Standard roles are
restricted to the features an auditor actually uses and cannot
change configuration.
18.3.2.2. Display / Notifications / Hand Hygiene
Per-role visual preferences, notification preferences, and hand hygiene workflow options. These apply to every user in the role unless overridden in the user’s individual profile.
18.3.2.3. Permissions
The permission matrix lists every feature in clearPath. Tick each feature the role should have access to; leave the rest unchecked. Permissions are additive — if the matrix does not grant access, the role cannot reach that feature.
18.3.2.4. Unit Assignments
Limit a role to specific units. Tick each unit the role is allowed to audit; leave the rest unchecked. A role with no units ticked can audit in every unit (the default); a role with at least one unit ticked is restricted to the ticked set.
Click Submit to save any changes across the tabs, or
Cancel to discard them.
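The General and Unit Assignments rules above interact in ways that are easy to misread, in particular that an empty unit list means every unit. The following is an added example, not clearPath code: the dictionaries, field names, unit names, and dates are constructed for illustration and do not represent a clearPath export format.

```python
from datetime import date

ALL_UNITS = {"ICU", "ER", "Med-Surg"}  # constructed unit names

# Constructed role records; the keys are hypothetical labels for the editor settings.
WARD_AUDITOR = {"name": "Ward Auditor", "type": "Administrator", "auditor_only": True,
                "active": True, "allow_logins": True, "auto_expire": True, "units": []}
ICU_AUDITOR = {"name": "ICU Auditor", "type": "Standard", "auditor_only": True,
               "active": True, "allow_logins": True, "auto_expire": True, "units": ["ICU"]}
USER = {"username": "jdoe", "end_date": date(2024, 6, 30)}  # constructed profile


def effective_units(role):
    """No units ticked means every unit; otherwise only the ticked set."""
    ticked = set(role["units"])
    return set(ALL_UNITS) if not ticked else ticked & ALL_UNITS


def can_sign_in(user, role, today):
    """Apply Active Role, Allow Logins, then Auto Expire Accounts."""
    if not role["active"] or not role["allow_logins"]:
        return False
    end = user.get("end_date")
    # Auto Expire only bites once the profile's end date has passed.
    if role["auto_expire"] and end is not None and end < today:
        return False
    return True


def review(role):
    """Return settings an administrator should double-check for this role."""
    findings = []
    if role["auditor_only"] and role["type"] != "Standard":
        findings.append("auditor-only role is not Standard")
    if not role["units"]:
        findings.append("no units ticked: role can audit in every unit")
    return findings


if __name__ == "__main__":
    for role in (WARD_AUDITOR, ICU_AUDITOR):
        print(role["name"], sorted(effective_units(role)), review(role))
    print(can_sign_in(USER, ICU_AUDITOR, date(2024, 7, 1)))
```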
18.4. Auditor Groups
Auditor Groups let administrators bundle auditors together so their observations can be reported or charted as a single dataset — for example Infection Prevention and Control auditors vs. Hand Hygiene Champions.
To open the list, go to Account | Users | Users Group.
18.4.1. Creating a Group
Click Add a User Category from the action menu, then:
Name the group and give it a description.
Toggle Active on.
Tick Include in Dashboard if you want observations from this group to appear on the dashboard.
Save.
Users are added to the group from their individual User Editor.
18.4.2. Default Group
One group can be marked as the default. Any new user who isn’t
explicitly assigned to another group is assigned to the default.
clearPath creates and maintains a Default User Category if none
exists.
18.4.3. Deleting a Group
Disable the group first (untick Active) — the trash icon is
only available on disabled groups. Deleting moves every assigned
auditor back into Uncategorized.
18.4.4. How Groups Are Used
Reports — any report definition that scopes by user category.
Dashboard — the Compliance by Group widget reads from this list.
Filtering — the audit-session list filters by auditor group.
18.5. Two-Factor Authentication
clearPath supports time-based one-time-password (TOTP) two-factor authentication (2FA) for user accounts. When 2FA is enabled for a user, sign-in requires the account password plus a six-digit code generated by an authenticator app on the user’s phone (for example Google Authenticator, Microsoft Authenticator, Authy, or 1Password).
18.5.1. Enabling 2FA for a User
Administrators turn 2FA on or off from the User
Editor Login tab. With 2FA enabled:
On the user’s next sign-in, clearPath shows a setup screen with a QR code.
The user scans the QR code with an authenticator app, which then generates a fresh six-digit code every 30 seconds.
The user enters the current code to confirm the pairing and finish sign-in.
18.5.2. Signing In with 2FA
After entering your username and password you are taken to the 2FA prompt. Enter the current six-digit code from your authenticator app. If the code matches, sign-in completes and you are taken to the dashboard.
18.5.3. Lost Device / Reset
If a user loses access to their authenticator (for example when replacing a phone), an administrator can disable 2FA from the user’s editor. The next time the user signs in they are prompted to pair a new authenticator.
18.6. LDAP / Active Directory
LDAP and Active Directory sign-in is available with clearPath Ultimate edition for on-premise deployments. Contact support@clearpathhealthsolutions.com for configuration help.