To comply with regulatory standards for clinical researchers working with sensitive data, Terra offers a feature that logs a user out after 15 minutes of idle time. This article outlines the steps to enable this feature and what you can expect from the timeout.
How to enable the timeout
Clinical groups can enable the timeout feature by following the steps below.
Step 1: Create a group in Terra (or choose an existing group)
You will need to create or choose a group that contains the Terra users you want to be automatically signed out after 15 minutes of inactivity. For the example below, a clinical lab creates a managed group called "my-15-minute-signout-group". To learn about managed groups in Terra, see our article Managing access to shared data and tools with groups.
1.1. In Terra, click the three lines menu at the top-left. Click on your name and choose the Groups option.
1.2. Click on "Create a New Group" at the top left of the Groups page
1.3. Give your group a name (only letters, numbers, underscores, and dashes allowed)
1.4. Select the "Create Group" button
Notes about groups
By default, you will be the Admin of any group you create.
We highly recommend adding at least one other Admin so the group still has someone who can manage permissions if you leave your position.
Step 2: Have Terra Support set up security logout
2.1. Contact firstname.lastname@example.org with the group name and inform them that you need the 15-minute timeout enabled for your group. In this example, the group would be "my-15-minute-signout-group".
2.2. You'll receive a reply from Terra Support when your group has been added to the timeout access list and the 15-minute timeout is enabled for all group members.
You can add any additional Terra users to the group within the "Main menu" --> "Profile" --> "Groups" page.
What to expect during a security logout
Terra keeps track of idle time for recognized clinical users. Much like a bank (and for similar security reasons), the system will automatically log you out after 15 minutes of idle time. This limits how long sensitive information remains visible on the screen for someone else to see. Read on for details of this feature.
1. One or two minutes before the 15-minute idle period is up, you'll get a warning screen asking if you want to extend the session.
2. If you choose to extend your session, you will be brought back to the screen you were originally viewing.
3. If you don't extend, you’ll be logged out and data will no longer be visible on the screen.
4. A dialog box will inform you that your session has expired.
Security timeout when working in multiple tabs or windows
If you have multiple tabs or multiple windows open, the one that is most recently active drives the timer.
If you close your tab at any time, the timer will continue and you will be logged out after a total of 15 minutes. For example, if you close a tab after it was idle for ten minutes, you'll get logged out after five additional minutes.
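The timer behavior described above, modeled as an added example (this is not Terra's code): every tab shares one last-activity timestamp, so the most recently active tab drives the timer and closing a tab changes nothing. The class and function names, the shared Map store, and the 2-minute warning threshold are assumptions made for illustration.

```javascript
// Added illustration; not Terra's source code.
const MIN = 60 * 1000;
const IDLE_LIMIT_MS = 15 * MIN; // idle limit stated in the article
const WARN_BEFORE_MS = 2 * MIN; // assumption: the article says "one or two minutes"

// `store` stands in for state shared by every tab in one browser profile
// (localStorage would be one choice); a Map keeps the example runnable in Node.
class IdleSession {
  constructor(store, loginTime) {
    this.store = store;
    this.store.set('lastActivity', loginTime);
    this.store.set('expired', false);
    this.openTabs = new Set();
  }

  openTab(tabId) { this.openTabs.add(tabId); }

  // Closing a tab leaves the shared timestamp untouched, so the countdown continues.
  closeTab(tabId) { this.openTabs.delete(tabId); }

  // Activity in any open tab, or choosing "extend" on the warning, moves the
  // shared timestamp forward. Returns false once expired: a new login is required.
  recordActivity(tabId, now) {
    if (!this.openTabs.has(tabId) || this.state(now) === 'expired') return false;
    this.store.set('lastActivity', Math.max(this.store.get('lastActivity'), now));
    return true;
  }

  // 'active' -> 'warning' -> 'expired', measured from the most recent activity.
  state(now) {
    if (this.store.get('expired')) return 'expired';
    const idle = now - this.store.get('lastActivity');
    if (idle >= IDLE_LIMIT_MS) {
      this.store.set('expired', true); // latch: later activity cannot revive it
      return 'expired';
    }
    return idle >= IDLE_LIMIT_MS - WARN_BEFORE_MS ? 'warning' : 'active';
  }
}

// Constructed scenario from the article: a tab idle for ten minutes is closed.
function closedTabScenario() {
  const s = new IdleSession(new Map(), 0);
  s.openTab('a');
  s.closeTab('a'); // closed at minute 10; nothing resets the timer
  return [10, 14, 15].map((m) => s.state(m * MIN));
}
```

Keeping the timestamp in shared state rather than in each tab is what makes the logout hold when a tab is closed or a second window is opened.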
How timeout works if you have multiple Google accounts
Note that you will be logged out of all Google accounts you are signed in to in the browser, and you will have to log back in to all of them. To avoid being logged out of other Google accounts, we recommend using one of the following options:
- Using a private browsing session (incognito mode) when logging into a clinical account in Terra.
- Using separate browser profiles for Google accounts. You can read about how to set up browser profiles in Google Chrome in this article Use Chrome with multiple profiles. Firefox and other web browsers offer similar functionality.
NIST security requirements
This functionality covers NIST AC-11 and AC-12 requirements (session lock and session timeout).