We just had an update to RE 7.91.36. One of the updates is that the workstation will automatically log out after 15 minutes of inactivity. I have had several people ask me if we can choose whether or not to allow this to happen. I have looked through Administration and Configuration and could not find any kind of option for this. Is this something we can control or not? Thank you for your help.
Hi Susie,
I discovered the same thing. Unfortunately, BB told me that it is out of our control. Sorry. I find it most annoying, too. I don't work on Raiser's Edge exclusively, I have many other job functions. So it is very frustrating to have to log in again.
See info below:
Thanks so much for the quick response. I thought that was the case. Maybe they will include this as an option in future versions... we can only hope! Thanks again!
There's a long discussion on Blackbus about this issue. Of interest to me is that the timed lockout has more to do with PCI compliance and does NOT free up a user license. We have more users than licenses so this is beyond frustrating.
We have this same issue in our Patient Database. I believe it has to do with Privacy Laws and security in some places and HIPAA in the Healthcare Industry. The only issue I could see with this is if you are running reports, an export or other process and it doesn't register as 'activity' and times out during that function. I haven't heard that to be true at this point though.
I can't believe this, we have a computer that only does scanning in Raiser's Edge at our front desk. At times it will sit idle till next person logs in. This will be a big issue with this machine if we can remove the lock feature after 15 minutes.
I can certainly understand your frustration with the automatic inactivity lock out feature. We implemented this feature to comply with PCI DSS rule 8.5.15, which states "If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal." You can view this rule and the rest of the PCI compliance rules at https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf
Even if the user is locked out due to inactivity, any current processes (Reports, Mailings, Exports, etc.) will continue to run, and a user license will still be used. This period of inactivity does not completely log a user out of The Raiser's Edge; it will only lock a user out of Raiser's Edge, similar to the way you can lock a workstation when you are away from it.
I can certainly appreciate Blackbaud doing its best to offer these types of safeguards to allow organizations to be compliant with all PCI DSS rules. I do believe, though, that this feature should be optional for the organization to choose whether to activate it or not.
We are a health organization and already have an automatic computer lock in place to safeguard all information. If we leave our desk, we are already required to lock our workstation (or it will automatically lock after 5 mins of inactivity). Now, when we return to our desk, we will not only have to sign back into our network, but also RE. This seems excessive.
Also, we do not keep ANY credit card information in RE. The PCI DSS rule, if I'm not mistaken, only applies to safeguard credit card information. If any organization, like ours, does not maintain that type of information, this feature would, again, be more troublesome than helpful.
I may consider not upgrading RE until Blackbaud offers the option to turn this "safeguard" off.
Count me and my staff among those who find this feature extremely frustrating. We do not use RE to process or store credit card info. We have no plans for doing so in the future. So why does our software have to be compliant with these standards?!?! Shouldn't the folks at Blackbaud have given us a choice of whether or not we wanted this?
I agree. We do not store information about credit cards either. I have users who do not like the system already and are using this as more ammunition against using it. Very frustrating.
At this point I should just keep my mouth shut but here goes ....
We don't keep credit card info in RE and we've removed SSNs; however, we do have addresses, birthdates, phone numbers and other info that should be kept secure (anyone want their personal giving history as general knowledge; or as I put it to the complainers here, non-giving history). While BB has put this in place to allow us all to be PCI compliant, it also keeps ALL of our data more secure. My school has implemented a "15 minute of inactivity and the pc locks" policy and it's installed on everyone's pc. It can be a pain (and trust me, I understand about sign in pcs) but we all need to do a better job of keeping data confidential. I know we all say no one can get past the front door to get to a pc that is unlocked but is that really true? And yes, if someone heads off to a meeting, doesn't log out of RE and is tying up a license for hours, it's a royal pain. So, you send them a nasty email. Even if they are the VP. They can also be disconnected by the back end. Someone in your organization should be able to do that, probably IT or with that level of access. It needs to be done through the server.
And with that said, I wasn't sure I liked the idea of this feature (we haven't installed it yet, next week). But I've learned to live with it and feel a bit better about the security of the data.
Just my 2 cents (and I don't work for nor ever have nor have anyone related to me working for BB)
laura
Thanks for speaking up Laura. I was debating throwing in "my 2 cents" also.
Given, the extra lock-out at times will be / is frustrating. I agree.
But...
I, as a prospective constituent in an organization's database, am surprised at the level of frustration many are 'sharing.' Do I want my personal bio data, giving history, notes, etc left up indefinitely on someone's workstation screen or accessible because they forgot to log out? No, even if it's not my credit card info.
I agree with Laura in that we all need to do a better job keeping data confidential. To me, it's our moral and ethical responsibility to our donors/constituents.
Also, Blackbaud is not the only fund development software dealing with this requirement.
Hey Everybody,
I know this thread's been quiet for a while, but I wanted to let you know that based on your feedback, the inactivity timeout is now optional for non-Supervisor users in The Raiser's Edge 7.91.5056, which was released November 18.
A Supervisor user is a user who logs in as Supervisor, logs in as a user with Supervisor rights, or who belongs to a user group that has rights to Security. These users will still be automatically logged out of The Raiser's Edge after 15 minutes of inactivity in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
To enable or disable this feature for non-Supervisor users:
This information is also in Knowledgebase solution BB700189, and you can also check out Laurel Kenerson's blog post on the subject.