The following article outlines recommended user accounts best practices for XVWeb.
🔐 1. Use Single Sign-On (SSO) or Individual User Logins When Available
- If compatible, enable SSO integrations to streamline access and improve security.
- Configuring Google SSO
-
Configuring AD FS SSO
- We do not currently support direct integration with Entra ID, but here's some documentation from Microsoft explaining how you can leverage a physical AD FS Server to allow an indirect integration of Entra ID with XVWeb.
Microsoft Entra Connect and federation - Microsoft Entra ID | Microsoft Learn
- We do not currently support direct integration with Entra ID, but here's some documentation from Microsoft explaining how you can leverage a physical AD FS Server to allow an indirect integration of Entra ID with XVWeb.
- If not compatible, some Practice Management Software provide the ability to save separate user credentials for XVWeb in the user settings in the Practice Management Software. If SSO is not an option, this a solid alternative option.
👤 2. Non-SSO Sites/Shared Office-level Accounts (Denticon best-practice)
- Denticon Users: Denticon only allows one user account to be configured for automatic login in Denticon. As such, below outlines the best practice for integrating Denticon with XVWeb today.
-
Use shared accounts on a per-location basis when SSO is not available.
- Individual user accounts are preferred for accountability and auditability, but in practice, they are only feasible where SSO (Single Sign-On) is supported. IT departments typically do not manage individual XVWeb accounts manually, so shared accounts per location are necessary to ensure operational continuity—especially for bridge functionality and password resets.
- Give each location a user account with a unique username, email address, and password.
- Give the user account the least privileges that are necessary.
- This is to reduce impact when passwords expire, or an account unlock is needed.
- Use clear, location-based naming conventions for shared accounts to simplify management and auditing.
🛡️ 3. Limit Admin Access
Grant administrative privileges in XVWeb only to users who absolutely need them. Typically, this includes at least two administrators per organization:
- A clinical decision-maker
- An IT decision-maker who can also support password resets
- You may also choose to grant admin rights to your IT support team to assist with user account management, password resets, account unlocks, location management, and technical troubleshooting.
- For customers with 10 or fewer locations, assigning one admin per location—such as the Practice Manager—may be appropriate, especially in environments without centralized IT support. However, as the number of locations increases, it becomes more difficult to coordinate changes and avoid conflicts when multiple admins are managing XVWeb independently.
Admin accounts should never be shared.
Each admin must have their own individual user account to ensure accountability and auditability.
- Regularly review all user accounts with admin roles and adjust access as needed to maintain security and minimize risk.
🔁 4. Practice Good Password Hygiene
- Do not reuse passwords from other systems.
- Change passwords at regular, defined intervals.
- XVWeb Administrators can modify these settings uniquely for their XVWeb URL.
- XVWeb Administrators can modify these settings uniquely for their XVWeb URL.
- Educate users on how to create strong, secure passwords.
🧾 5. Document and Manage Account Ownership
- Document and establish which internal team or user is responsible for adding/deleting/managing XVWeb User accounts.
- Avoid single points of failure where possible! If you have a small team, have at least one backup XVWeb administrator.
- Clearly document who owns each user account, especially shared or external user accounts.
- Remove or disable accounts immediately when no longer needed.
🧹 6. Maintain Clean Account Records
- Use simple, consistent naming conventions for accounts.
- Review all user accounts on a regular basis to ensure accuracy and relevance.
📚 7. Educate and Train Users
- Provide training on account security best practices.
- Encourage users to report suspicious activity or access issues promptly.
✅ Quick Checklist
- [ ] SSO enabled (if available)
- [ ] No shared accounts
- [ ] Admin access limited
- [ ] Passwords unique and rotated
- [ ] Ownership documented
- [ ] Unused accounts removed
- [ ] Naming conventions followed
- [ ] Regular reviews conducted
- [ ] Users trained on security