In the Self-Service Portal (SSP) application five roles are pre-defined with their own sets of permissions. An individual can be assigned to more than one role (e.g. DP Manager and Certificate Manager).

User Manager (manager)

The User Manager provides access to all organizations using the HD4DP 2.0 installation within their network (where applicable). This role can create new organizations (groups) and add members to organizations. They can also define the roles of these members.

⚠️ There should be at least 1 user manager per HD4DP 2.0 installation. The initial User Manager is appointed internally and shared credentials with by the healthdata.be services.

⚠️ This role may not manage certificates for installations, unless they are also defined as a Certificate Editor.

⚠️ The User Manager defines and creates organizations within the SSP and assigns DP Managers to them.

DP Manager (dp_manager)

This role allows for adding new members to the organizations of which they are the DP Manager. The DP Manager is defined by the User Manager in the process of adding a member to an organization.

⚠️ A member could be a DP Manager of one organization, but a regular member of another organization.

⚠️ Unless a DP Manager is also defined as a Certificate Editor, they are not allowed to manage certificates for installations.

Certificate Manager (certificate_editor)

This role allows a member to manage the p12 certificates for an organization. The Certificate Manager is defined by the User Manager or DP Manager in the process of adding a member to a group.

CSV Upload Manager

This role allows a member to export data from HD4DP2.0. This is currently only available for BCFR but in the future this will be available for more registrations. This will be accessible to a limited number of members as all the data within the DP will be available to be downloaded.

NIPPIN Manager

This role allows a member to validate if the mycarenet message is delivered at the NIC without any issues. This will be accessible to a limited number of members as they are assigned tohave access to all the data of the specific registries

How to log in

Go to https://<hd4dp_url>/ssp on your local server. The following screen appears:

User Manager login

For the first login the User Manager needs to use the username and the temporary password that was posted to him by the healthdata.be Service Desk as described here.

Consult the process here to change the temporary password.

Other roles login including DP Manager / Certificate Editor/...

For the first login, both the other roles, including DP Manager, Certificate Editor and others, need to use the username and the temporary password posted by the User Manager / DP Manager. Consult the process here to change the temporary password.

After clicking on the Log in button, you will be directed to the HD4DP2 Self-Service Portal page. You will notice that the portal already has been auto populated with available organizations. In a few steps you can further add the required organizations, members and roles to get your portal working.

If there is no User Manager known or created within the Organization concerned, the person appointed for this function within the organization needs to file a ticket with the Support service of healthdata.be at Jira Service Management (JSM) portal. This allows for an e-mail to be sent with username and initial password.

Appoint the User Manager

The initial User Manager for an organization with HD4DP installed needs to be created upfront in coordination with the healthdata.be service desk. It is then the task of the User Manager to create the required organizations (Groups) and members, and to define the member roles.

Create organizations for the installation

In order to create Organizations, go to the "Groups" tab, select "List" and then click on "Add groups".

In the Add Data Provider screen, the Title and Org Nihdi fields are required. The Revision log message field is optional.

Click on the Create Data Provider button to create the organization. Once all organizations are created, the User Manager can add members to them.

On this page we describe how User Managers and DP Managers add members and their role(s) for the relevant Organization(s).

In order to have an overview of all Organizations (Groups), click on Manage, then on the "Groups" tab ans select "List".

Select an Organization in the list to which members need to be added. The following screen appears:

Go to the Members tab and click on the Add Member button to add a new or existing member to the organization. Adding an existing member means that the member is known to the Self-Service Portal (e.g. member of another Organization), but not added to the list of the current organization.

The next screen shows a simple form in which the member's email address needs to be entered.

Two scenarios are possible:

• If the member already exists, you’ll be shown a form with roles, but without a password field. Check the role you want this member to perform within the organization.

• If the member does not exist yet, you’ll also have to provide an inital password for this member.
  
  Select the role of the new member in the Add member screen and copy the initial password that is displayed in the relevant field. Share this password with the user in order for them to be able to login to the SSP.

Check the box with the role you want this member to perform within the organization.

After the creation of the new member, the User Manager or DP Manager will then be redirected to the members overview and can add another member easily.

On this page we describe how to remove a member from their Organization.

In order to have an overview of all Organizations (Groups), click on Manage, then on the "Groups" tab and select "List".

Select an Organization in the list from which you want to remove members.

Go to the Members tab to discover the list of members for this Organization.

Go to the line of the member you want to remove and click on the down-arrow of the Edit member selection button at the relevant line. The toggle options appear.

Select Remove member. The following window pops up.

Confirm the action by clicking on Delete.

By removing the member from their Organization, they lose access to it. However, they are still able to log in to the Self-Service Portal (SSP), and can even be retrieved from the portal for adding to another organization, as they still exist.

If you want to completely remove this member from the portal, you need to cancel their account.

Roles are administered to members when they are added to an Organization. You will find the documentation here. In order to edit member roles, you follow the procedure described below.

In order to have an overview of all Organizations (Groups), click on Manage, then on the "Groups" tab.

Select an Organization in the list of which you want to edit members. The following screen appears:

Go to the Members tab to discover the list of members of this Organization.

Go to the line of the member you want to edit and click on Edit member. In the following screen you can edit the role of the member by checking the relevant box(es).

Click on Save.

On this page we describe how members of an Organization need to change their temporary password upon first login to the SSP.

The member receives a temporary password along with the request to log into the portal and immediately change the password. This step is a security measure, since the temporary password has been sent by the User Manager or the DP Manager within the organization network.

So, after opening https://<hd4dp_url>/ssp on the local server the said credentials can be used to log in.

In the following Welcome screen new members need to change their temporary password into a new one and confirm it.

Click on the Save and Login button to return to the main HD4DP2 Self-Service Portal screen.

On this page we describe how members of an Organization can change their own current password.

Click on Manage, then on Groups and select "List". Now, select your Organization in the Name column:

Select the Members tab in the Organization members screen and subsequently select your own e-mail address in the User column.

In the "Edit" tab, complete the form below with your new password. Repeat the new password to confirm it. The second password field only appears, when you start to type the new password. Select the adapted roles, if needed, and save.

Click on the Save button to perform the change.

Objective: A member whom has been given the role of Certificate Editor can add a new p12 certificate to an organization.

Only a member with the role of Certificate Editor can have an overview of the certificates in their home page (pictured below). Click on Groups, then on the Certificates tab to have an overview of the organizations and their certificates.

Click on the Certificates button in the Actions column to view the history of the certificate(s) of the relevant organization.

To add a new certificate to the Organization you only need to click on the Add Certificate button.

In the Add certificate screen you need to upload the p12 certificate file and the relevant password. Upon clicking the Add to [name organization] button, the certificate will be uploaded and validated.

Check if there are two keys inside and that the password matches. Previous versions will automatically become unpublished.

View the log of one certificate upload

The processing of the p12 file will occasionally send status updates. These can be tracked on the certificates overview, this view will always show the latest status update. When you click the status it will show the log of all previous log messages

On this page we describe how the CSV files export functionality works in the Self-Service Portal application. This is currently only available for BCFR but in the future this will be available for other registrations.

The functionality to export data from HD4DP2 requires the assignment of a CSV Upload Manager. The assignment of a CSV Upload Manager is described here.

Select your organization

Subsequently, select the Registry (Project), the DCD and its Version of the data you want to export.

Click on 'Export to CSV'.

On this page we describe how the NIPPIN reports can be exported in the Self-Service Portal application.

The functionality to export data requires the assignment of a member with the role of a "NIPPIN Manager". The assignment of a NIPPIN Manager is described here

Once you are logged in, you can select the healthcare organization on the home page.

Subsequently you can either export the submitted data by clicking the “CSV export” button or review the NIPPIN reports by clicking the “NIPPIN” button”.

A list of the registries for which a request of report can be selected. This list is composed of registries for which a reimbursement is foreseen. An overview of the list is described here.

By clicking on one of these registries, a list of records for which a CSV file was generated will appear. This list contains the validated MyCarenet messages as generated every night.

A specific period of the reported NIPPIN files can be requested by selecting the appropriate start and end date.

The Start and End date are based on the implant date.

Finally the request is initiated by clicking the “export Result” button.

The requested files will be available in the download folder.

Results

results	Info
valid	A valid status means the payload looks okay and the nippin_status is SENT or TO_SEND.
invalid	An invalid status means the payload is wrong and the nippin_status is INVALID or ARCHIVED. The issue needs to be investigated by healthdata.be. Please create a ticket in our support portal.
not_found	No nippin message was created for the localdwh message. The issue needs to be investigated by healthdata.be. Please create a ticket in our support portal.
not_sent	This status is used when a payload is not able to be delivered to MyCareNet. The communication problem needs to be resolved and the messages need to be resend to MyCareNet. Please create a ticket in our support portal.

Below is an example of the requested file.

To suggest improvement about the healthdata.be platform, you first need to log in to the HD Service and Support portal: Jira Service Management (JSM) portal.

More info concerning how to request an account is available here.

The healthdata.be service (Sciensano) processes each incident report according to a Standard Operating Procedure (SOP). A public version of this SOP "HD Incident Management Process" is also available on this portal docs.healthdata.be.

To submit an incident related to registries and applications in production and facilitated or managed by Sciensano's healthdata.be service, you must first log into the HD Service and Support portal: Jira Service Management (JSM) portal.

More info concerning how to request an account is available here.

After the login step, you will arrive at the main page of the portal

To create a ticket click on "Create a Support ticket"' on the main page.

You will see the page below. Once you have filled in all the mandatory fields, click on "Send".

WHAT IS THE PROBLEM?

Sciensano blocks e-mails from organizations if the configuration of their e-mail and/or DNS services allow potential abuse by spammers/attackers. More specifically, if the configuration enables other senders to impersonate your organization by allowing them to mimic your organization’s e-mail “Header From”.

In other words, they can send phishing and spam mails that cannot be distinguished from genuine mails from your organization.

If you’re responsible for managing your ICT infrastructure, keep reading. If not, pass this message on to your ICT department or to the ICT service that’s managing your ICT infrastructure.

HOW TO SOLVE IT?

You’ll have to verify that your configuration complies with “Sender Alignment” security requirements.
More specifically, your mail services and DNS will have to be configured according to ICT standards.

These configurations are common, well-documented and supported by hosting companies. Some useful links:

• https://dmarcian.com/alignment/
• https://mxtoolbox.com/dmarc/spf/spf-alignment
• https://o365info.com/how-does-sender-verification-work-how-we-identify-spoof-mail-the-fiveheros-spf-dkim-dmarc-exchange-and-exchange-online-protection-part-9-of-9/

We’ve noticed that this issue frequently occurs in organizations which moved their ICT infrastructure to cloud services such as Microsoft (O365), Amazon, Google, and MS Azure without properly configuring the ICT infrastructure which is not managed by these providers.

The configurations and recommendations need to be implemented on the customer’s ICT infrastructure, either internally or externally. DNS and Mail services are the main ICT platforms for these actions.

THE USE OF DIFFERENT DOMAINS IN THE MAIL SENDING PROCESS

E-mails contain an “Envelope From” and a “Header From”. Both need to match to avoid that the mail is blocked.

Some examples:

1. A public service is using its new domain name in the “Header From” and its old domain name in the “Envelope From”.

• Envelope From = noreply@publicservice.fgov.be
• Header From = noreply@publicservice.belgium.be

➔ These e-mails will be blocked.

Remark: Because it’s a noreply address, the sender will not even be aware of us rejecting the e-mail …

2. An organization is using a cloud service (Freshservice) for its helpdesk tool and the “Envelope From” has not been customised.

• EnvelopeFrom = bounces+us.3.52773-helpdesk=organisation.be@emailus.freshservice.com
• Header From = helpdesk@organisation.be

➔ These e-mails will be blocked.

3. A company uses a cloud service (Amazon SES) to send the delivery notification and the “Envelope From” has not been customized.

• Envelope From = 01020188573f374-96de6437-9134-45f4-8aa6-3e9ac18d5848-000000@euwest-1.amazonses.com
• Header From = noreply@company.be

➔ These e-mails will be blocked.