Creating Users
There are several ways to set up users in Tendo, depending on the type of user that is being enabled. This is a general guide to doing so that may involve using not just the Tools app, but also the Admin app.
IN THIS ARTICLE
Creating Users in the Admin app
The simplest method to create a user is to use the Admin app. You must have an administrator role to create users. To get this role assignment, healthcare organization employees can contact their IT admin, who will work with Tendo Customer Engagement to set up their role. Tendo employees can contact Tendo Support to set up this role.
Step 1 - Navigate in Admin to Users on the left side navigation bar.
Step 2 - At the top of the Users list, click the Add button to launch the flow to add a new user. This flow will create the User and Person Records, grant access permissions by associating a Role with the User record, link the internal domain to the User record, and set up the Identity Account and Auth0 account that links the Identity Account to the User record.
An Add User modal will appear. Type in the user’s email. When you click Next, the system will check for a person record in the system with that email.
If a record doesn’t exist, a person information page will appear in the modal so you can add the first and last name of the user. This will be used to create the person record.
If a record does exist, the system will use the person record, and this step will be skipped.
If the person record already has a User associated with it, an error will display that says that the person already has a user.
Click Next. Select a role for the User. Click Add. This creates and links the user and person records, assigns the role, and sets the domain. An identity account is established with Auth0 login credentials, and the user can now log in to Tendo and use apps and sections of apps that they have permissions for.
Internal Users
These typically are employees of a healthcare system and other providers who have been given access to organization’s internal systems such as their Electronic Health Record (EHR). These users are granted access to Tendo apps for specific functions that the users need in order to do their work.
These users will have access to all of this data:
- User Record - Collects all of the Identity and Access Control data for a user.
- Person Record - Personally identifiable information for the user.
- Internal Domain - The Internal Domain (
atrium.apps) defines the possible points of entry for the user, including internal applications and resource access for the tenant. - Identity Account - Defines user information for login and verification.
- Role Assignment Records - Associates the sets of permissions (Roles) the user has been granted.
For example, Angus Dunn is a provider at Grove Canyon Healthcare who uses Tendo to view his patients' records, and to discuss their care with his team. These are the records of data that are needed for him to have access.
- User Record associates the Domain of access, permissions or roles, and person that this user is. Some important fields include:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| Domain | Reference | A reference to the domain record defining the access point. This is the Internal Domain record for the tenant. | Points to atrium.apps Domain record |
| Person | Reference | A reference to the person record for this user. The personally identifiable data is in the person record. | Points to the Angus’s Person record with:
|
| Role Assignments | Virtual | This virtual reference allows for direct access to the Role Assignment Records. The role assignment records are maintained in the Role Assignment object which can be directly uploaded. | |
| Status | Value Set | Either Active and Inactive. Only Active users can access the system. | Active |
- Person Record contains personally identifiable information. Some important fields include:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| Given Name | Text | The first name of the person | Angus |
| Family Name | Text | The last name of the person | Dunn |
| The person’s email. | adunn@nghc.com | ||
| Patient | Reference | This field is used for patient users only. | |
| Provider | Reference | If the internal user is a provider, this will be set to their Provider record. | References Angus’s provider record |
| Users | Virtual | A virtual reference maintained by the system to facilitate quick access to the user records associated to this patient. Virtual fields are not available in Data Loader. |
- Role Assignments define the sets of permissions a user has been granted. This record connects a role to the User. A user can have one or multiple roles. The full set of the user’s permissions is the superset of all roles that have been assigned. Some important fields are:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| User | Reference | Reference to the user record that the assignment is for. | Reference to Angus’s User record |
| Role | Reference | Reference to the role record that the assignment is for. Roles are sets of permissions. | Reference to the assigned role record |
| Status | Value Set | Either Active or Inactive. Only Active role assignments will be used at runtime. | Active |
- Identity Account represents a global identity used to authenticate the user during login. An identity account contains a reference to the tenant User record so that at runtime, the system knows what user in which tenant is logging in. Identity account also contains a link to the Auth0 account where login credentials are maintained. The identity account is set up through one of the Tendo user setup processes and is not directly viewable in the system.
In the example above, Angus has an identity account record that references his user record and his Auth0 account where his username (adunn@gchc.com) and password are kept. When Angus logs into Tendo, the system will verify his login credentials with Auth0. If the login is successful, the system will use the User record associated with the Identity account to securely give Angus access to the tenant through the associated Tenant Internal Domain. Associated Roles provide him the permissions he needs to access portions of the system so he can do his work.
Setting Up Providers
Providers and other internal users are often users in other internal systems such as EHRs. Often, provider data is loaded to Tendo in a batch to streamline setup.
The Person and Provider object records are usually loaded through a one-time initial load using data loader in Tendo > Tools > Data > Loader. Over time, these records are updated and maintained by Customer Engagement through an integration with the EHR.
The Person records need emails in order to complete setup, and so that users can use them for the username for login credentials.
New Tenant Setup and the Tendo Owner
When a new tenant is created for a customer, a user known as the Tenant Owner is automatically added to the tenant. The Tenant Owner has the broadest access privileges of any user, including full access to all data and permissions across the platform. To set up the tenant, the Tenant Owner typically first sets up other users, System Administrators, to help configure the system and set up other users.
The customer provides Tendo with the name and email of the designated person within their organization who will serve as the Tenant Owner. This information is essential for configuring the environment.
The Tenant Owner can’t be changed by other users. If it needs to be changed, the customer must contact Tendo to request the change.
The Tenant Owner is a special role that gives a user unlimited access within the system. Because of the broad access it provides, care should be taken as to who can use it and how it is used. This role is assigned to multiple users in addition to their current roles, but with restrictions on how it is used.
A user with this role can choose to use the role, which elevates their permissions while using it. The UI will clearly mark when they are using this role, so that they are aware that they are acting with elevated permissions.
As a Tenant Owner, you can click on your avatar at the bottom left of a page, and click Switch To Tenant Owner when you want elevated permissions, or Switch From Tenant Owner when you want to turn them off.
Only a Tenant Owner can assign the role to another user or remove the role from another user. They can’t remove it from their own user, to ensure that there is always at least one active Tenant Owner in the system.
A user with a Tenant Owner role can’t be deactivated, so another Tenant Owner needs to remove the Tenant Owner role from the user before that user can be deactivated.
Tenant Owners are listed in the identity database so that they are discoverable. This is important for Support, which may need to contact tenant owners within a customer environment.
Setting Up Administrators
There can be many different types of administrators in the system. Some have targeted, narrow access to a certain feature set, while others have broad access. System Administrator is a role that is entrusted with extensive access capabilities, including the ability to create custom roles and manage users.
Once a new environment is established, the Tenant Owner typically appoints one or more system administrators to assist in configuring the environment and managing other users. Any user who has been given full Manage User permissions can set up any other user or change their permissions. Only trusted users should be granted Manage User and/or Manage Roles permissions as they are critical security access rights.
External Users
Patients get access to Tendo by signing up for the Patient Care Journey App through the Patient Care Domain.
When fully set up, the user has all the following data:
- User Record - Collects all the Identity and Access Control data for a user
- Person Record - Personally identifiable information for the user
- Patient Record - Defines the patient and associates all their medical records
- Patient Care Domain - Linked in the user record, this domain (
care.tendo.com) defines their possible points of entry (Patient Care Journey app) and scope of resource access. This record is seeded and maintained by Tendo. - Identity Account - Defines user information for login and verification
- Role Assignment Records - Associates the sets of permissions (Roles) that the user has been granted.
Here is an example of a patient, Jerry Cardenas, who uses the Patient Care Journey app to manage his care. These records of data are needed for him to access Tendo’s system.
- User Record associates the Domain of access, the permissions or roles, and person that this user has. Some important fields include:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| Domain | Reference | A reference to the domain record defining the access point. For patient users, this is the Patient Care Domain. | Points to care.tendo.com Domain record |
| Person | Reference | A reference to the person record for this user. The personally identifiable data will be in the Person record. Any Patient records associated with this Person record will be accessible to the user through this reference. | Points to Jerry’s Person record which has his given and last names, email, birthdate, and other personal information. |
| Role Assignments | Virtual | This virtual reference allows for direct access to the Role Assignment Records. The role assignment records are maintained in the Role Assignment object which can be directly uploaded. | |
| Status | Value Set | Either Active or In Active. Only Active users can access the system. | Active |
- Person Record contains the personally identifiable information as well as providing the bridge to the patient records. Some important fields include:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| Given Name | Text | The first name of the person | Jerry |
| Family Name | Text | The last name of the person | Cardenas |
| The email of the person used as the username of the user for login, and to find the correct person record when setting up a patient user. | jcardenas@email.com | ||
| Patient | Virtual | A virtual reference maintained by the system to facilitate quick access to the user records associated with this patient. Virtual fields are not available in the Loader. The Person field on the Patient object is the reference field that forms the relationship. | |
| Users | Virtual | A virtual reference maintained by the system to facilitate quick access to the user records associated with this patient. Virtual fields are not available in Data Loader. The Patient field on the User object is the reference field that forms the relationship. |
- Patient Record defines a patient, collecting all their medical records. Some important fields include:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| Person | Reference | Reference to the Person record for this patient. Through this reference, the Patient is linked to the Person which is linked to the User which sets up access for a user to their patient records. | Reference to Jerry’s Person record |
- Role Assignments define the sets of permissions a user has been granted. For patient users, the Patient role will be assigned. This assignment is maintained as a Role Assignment record connecting the Patient Role to the User. The Patient role and its permissions are defined and maintained by Tendo. Some important fields are:
Field |
Field Type |
Description |
Data Example |
|---|---|---|---|
| User | Reference | Reference to the user record that the assignment is for. | Reference to Jerry’s User record |
| Role | Reference | Reference to the role record that the assignment is for. Roles are sets of permissions. | Reference to the Patient role record |
| Status | Value Set | Either Active or Inactive. Only Active role assignments will be used at runtime. | Active |
Identity Account represents a global identity used to authentication the user. Identity Accounts are primarily used to authenticate users during login, and contain a reference to the tenant User record so that at runtime the system knows what user in which tenant is logging in. An Identity Acount also contains a link to the Auth0 account where login credentials are maintained. The identity account is set up through one of the Tendo user setup processes, and is not directly viewable in the system.
In our example above, Jerry will have an identity account record that references his user record and references his Auth0 account where his username (jcardenas@email.com) and password are kept.
Setting Up Existing Patients
The setup for existing patient users involves two steps:
Step 1 - Load the Patient and Person Records
EHR systems are the primary source of patient medical data. The Person and Patient object records are usually loaded through a one-time initial load using the data loader in the Data section of Tools. Over time, records are maintained, updated, and added through an integration with the EHR.
The person record needs the user’s email to complete setup. This will be used to locate the person record when setup is done through Self Registration or to contact the user when setup is done through Patient Invites and registration. The email also is used for the username for login.
Step 2 - Patient User Setup Processes
Once person and patient records are loaded, they can be set up as users through one of the setup processes.
Self Registration
Self Registration allows a user to set up their own user record and log in through a link in the Patient Care Journey app. The self-registration feature allows patients to self -register through the login page. When self-registering, the patient needs to know their health system and matching data in the health system’s EHR that is used to verify their identity.
This is the self-registration flow:
- Sign Up Link - On the login screen of the Patient Care Journey app, the patient can click the Sign Up link to start the self-registration process.
Select their health system - The patient is asked to find their health system by inputting its name in the search field.
- Submit Email Address - The patient is directed to submit their email. It must be the email that they have on file with the healthcare system’s EHR. The email they input will be used to find the Person and Patient records that verify that they are a patient and can self-register. They then click Sign Up.
- Email Verification - After verification that a person record exists with the email address, an email will be sent to the user. It contains a link with a token that is used to verify that the user has access to the email that they submitted. They must click the Call to Action button on the email to continue.
- Verify Identity - At this point, the app has verified that the token is valid with the Identity System, allowing the patient to proceed. They are redirected to the Patient Care Journey app to complete the registration process. They are asked to input some information to verify some data on file with the EHR. Their input must match the EHR records, including:
- First and Last Name
- Date of Birth
- Mobile Number
- Registration Complete - Once they click continue, they have completed the self-registration process, and are a Tendo user.
Enabling Self-Registration for a New Tenant User
To set up self-registration for a tenant on the healthcare organization side, the system must be added to the list of health systems. This can currently be done only by engineering, but Customer Engagement must submit a request to the engineering team.
Invite Registration
Invite Registration allows an administrator to directly invite users into Tendo’s system. Features such as Outreach use Invite Registration as part of outreach messaging campaigns to offer patients access to Tendo. Invites are useful when an administrator is inviting groups of patients to use Tendo.
Guest Users
Guest user access is a useful way to give patients temporary access to the Patient Care Journey app without requiring them to sign up for it. Generating a guest user session requires that the person already exist in Tendo.
Guest users are generally used to provide a targeted segment of patients who are in a customer’s EHR with access to the Patient Care Journey so that they can schedule an appointment, such as an annual wellness visit or a check up for an at-risk diagnosis.
Lists of a targeted segment of patients typically are provided by customer healthcare organizations for a campaign. Customer Engagement loads the list of patients in a csv format into Tendo via Loader, and this list is used to create a segment for an Outreach messaging campaign. As part of the campaign, the patients receive a message or messages encouraging them to schedule an appointment and providing them a link to the app, where they can schedule.