Managing User Roles in CMDP
CMDP uses a central directory-based approach for managing user access, whereas SDWIS Prime uses application-level security access management. This means that all of the features and functions used to manage user roles in SDWIS Prime reside within the system itself. In the case of CMDP, the features, functions and user access control data reside in an external application and database – USEPA’s Advanced Shared Services Portal. Like SDWIS Prime, CMDP follows a two-dimensional security model based on where you work and what you do in the data submission process.
Where You Work – Organization Type
SCS recognizes two kinds of organizations – states and submitters. In the case of CMDP, the states represent the drinking water primacy agencies and the submitters are the state laboratories, private laboratories, and public water systems (PWS) submitting data to their respective primacy agencies.
What You Do
The second dimension of user access control is the role the user plays in the data submission and CMDP user management processes, with respect to the organization type to which they belong.
State Organization Type User Roles
User roles for a state organization type are:
- State CMDP Administrator
- State Compliance Officer
The roles are listed in order from most to least level of access. A State CMDP Administrator has access to all available CMDP resources for their primacy agency, including resources available to the State Compliance Officer role. A user having only the State Compliance Officer role cannot act as a State CMDP Administrator. Note that these roles exist for every primacy agency.
Submitter Organization Type User Roles
As noted above, submitter organizations are PWS, private laboratories, and state laboratories reporting data to the primacy agencies (states). There are four basic tasks in CMDP; each task has a corresponding user role:
- Preparing data submissions (preparers)
- Reviewing data submissions (reviewers)
- Certifying data submissions (certifiers)
- Managing user access requests (administrators)
User roles by CMDP submitter organizations are:
The table above lists the roles from most to least privileged. For example, a user having the State Lab Administrator role for a laboratory can access all CMDP resources available to all of the user roles for that laboratory. Conversely, a user with the State Lab Preparer role is limited to using CMDP resources available to that role only.
State CMDP Administrator and State Compliance Officer User Registration
The CMDP support team, working with the EPA's Central Data Exchange (CDX) contractor, is responsible for issuing an invitation through the Advanced Shared Services Portal to the user in the drinking water primacy agency that will serve as the State CMDP Administrator. The process does not allow the user to request access as a State CMDP administrator from the SCS web portal without this invitation (this is called “closed registration”).
The first step is to contact the CMDP support team to set up your primacy agency in the EPA's Advanced Shared Services portal. You will do this twice: once for the CMDP training/test environment and once for the production environment. To set up access to the production environment, your organization must first complete the process to become CROMERR certified, as described in this article, before the CMDP support team can set up your primacy agency in the CMDP production environment.
The state CMDP administrator follows a closed registration process to issue an invitation through the SCS web portal to the users that will serve as state compliance officers and backup CMDP administrators.
Registering PWS, State Lab and Private Lab Administrators
After your primacy agency has established its presence in the CMDP training/test or production environments, users can log into the Advanced Shared Services web portal and request access to CMDP as a PWS, state or private lab administrator without first receiving an invitation (this is the “open registration” process). As part of the registration process, you will be asked to approve their request for access to CMDP for your program.
User Registration for the Preparer, Reviewer, and Certifier Role
Users requesting access to CMDP as preparers, reviewers, and certifiers follow the open registration process described in the previous section. Unlike the administrator role, which requires approval from the state CMDP administrator, the state laboratory, PWS, or private laboratory administrator “sponsors” the user by reviewing and approving/disapproving their request in the EPA Advanced Service Portal. In this manner, registering these users is delegated down to the laboratory or PWS administrator. Note that as state laboratories are not subject to CROMERR, some steps are eliminated from the registration process for these users.
Users Associated with Multi-state Laboratories
There are many larger commercial laboratories providing services to water systems located in different states. Because of the way CROMERR works and CMDP is configured, multi-state laboratories must establish a separate relationship in CMDP with every primacy agency for electronic reporting purposes. At a summary level, this means:
- Users have the option of using the same credentials for all primacy agencies their laboratory is reporting to, or separate credentials for each. Presumably, users would prefer to manage one set of credentials, as is USEPA's preference.
- Users have to repeat the registration process for each primacy agency. For a multi-state laboratory submitting data to five drinking water programs, users will go through the registration process five times – once for each primacy agency.
- Naming conventions for multi-state laboratories may differ between primacy agencies. Therefore, there may be some variation in a laboratory name from one primacy agency to the next.
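The registration rules from the sections above, expressed as a single approval check. This is an added example, not code from CMDP or the Advanced Shared Services Portal; the role keys, field names and the per-agency `Actor` record are assumptions made for illustration.

```python
# Added illustration of the registration rules in this article; role keys,
# field names and the sample agencies/labs below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

SUPPORT = "cmdp_support_team"
STATE_ADMIN = "state_cmdp_administrator"
COMPLIANCE = "state_compliance_officer"
ORG_ADMIN = "submitter_administrator"   # PWS, state lab or private lab administrator
WORKERS = {"preparer", "reviewer", "certifier"}

@dataclass(frozen=True)
class Actor:
    """One role held in one primacy agency (assumption: one record per agency)."""
    role: str
    agency: Optional[str] = None   # None for the CMDP support team
    org: Optional[str] = None      # submitter organization, if any

@dataclass(frozen=True)
class Request:
    role: str
    agency: str
    org: Optional[str] = None
    invited_by: Optional[Actor] = None   # set only in closed registration

def decide(req: Request, approver: Optional[Actor] = None) -> str:
    """Apply the closed/open registration rules to one access request."""
    if req.role in (STATE_ADMIN, COMPLIANCE):
        inv = req.invited_by
        if inv is None:
            return "denied: closed registration, invitation required"
        # Support team invites the State CMDP Administrator; that administrator
        # invites compliance officers and backup administrators for its agency.
        by_support = inv.role == SUPPORT and req.role == STATE_ADMIN
        by_state_admin = inv.role == STATE_ADMIN and inv.agency == req.agency
        return "granted" if by_support or by_state_admin else "denied: inviter not authorized"
    if req.role != ORG_ADMIN and req.role not in WORKERS:
        return "denied: unknown role"
    if approver is None:
        return "pending: awaiting approval"
    if approver.agency != req.agency:
        # Multi-state labs register separately with every primacy agency.
        return "denied: approver belongs to another primacy agency"
    if req.role == ORG_ADMIN:
        ok = approver.role == STATE_ADMIN
    else:   # preparer, reviewer, certifier are sponsored by their own administrator
        ok = approver.role == ORG_ADMIN and approver.org == req.org
    return "granted" if ok else "denied: approver not authorized"
```

A lab administrator approved under one primacy agency cannot sponsor a preparer's request filed under another, which is why multi-state laboratory users repeat registration per agency.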
User Role Access by CMDP Functional Area
The job aid attached to this article lists the CMDP user roles by functional area.