Not every case should be open to every staff member. High-profile deaths, active litigation, law enforcement investigations, and cases involving public figures all carry elevated risk if accessed by the wrong person at the wrong time. Zeph's access-request workflow gives supervisors and administrators the control they need — without leaving staff stranded with a cryptic "access denied" message.
The Problem with Binary Access
Traditional role-based access control is binary: either a user has permission to view a case type, or they don't. That works well for routine records but breaks down for sensitive or time-limited scenarios. An investigator covering a vacancy shouldn't have to call a supervisor to unlock a file manually. A compliance officer shouldn't have to grant permanent elevated privileges just to review a single document.
What's needed is a process — a formal, auditable way for staff to request temporary access and for supervisors to grant or deny it on a case-by-case basis.
How the Zeph Access-Request Workflow Works
When a staff member encounters a case they don't have permission to view — either because it's marked sensitive or it's under a legal hold — Zeph displays a clear, actionable banner instead of a generic error. The banner shows:
- The reason access is restricted
- The current status of any pending request
- A form to submit a new request with a business justification
The moment a request is submitted, Zeph notifies every supervisor and administrator in the same office — including Medical Examiner supervisors, Compliance Officers, and Toxicology Supervisors — via in-app notification and (if configured) email. The notification includes the requester's name, the case number, and their stated reason.
Supervisor Review in the Approvals Tab
Supervisors and administrators see pending access requests directly in the case's Approvals tab. Each request shows:
- Who requested access and when
- The business justification provided
- Buttons to Approve or Deny with a free-text reviewer note
Once a decision is made, the requester receives an immediate notification. If approved, their access is granted for a configurable window (default: 48 hours) after which it lapses automatically. Every request, approval, and denial is written to the case audit log with a timestamp, the reviewer's identity, and their notes.
What This Covers
The access-request workflow applies to any case protected by Zeph's
cases:view_protected permission scope, which includes:
- Sensitive cases — flagged by an administrator or automatically by case type
- Legal-hold cases — cases locked pending litigation or public-records review
- High-profile cases — marked at intake or escalated post-creation
Cases not in a protected scope are unaffected — staff with the appropriate role see them normally. The workflow adds zero friction to routine work.
Why This Matters for HIPAA and CJIS
Both HIPAA's Minimum Necessary standard and CJIS Security Policy Section 5.6 require that access to protected records be limited to those with a demonstrated need. An informal "just ask your supervisor" process is difficult to defend in an audit because it leaves no paper trail. Zeph's workflow produces a structured, timestamped record of every access request and every decision — exactly what auditors and legal counsel need.
The audit trail entries capture: requester, case, timestamp, stated justification, reviewer, reviewer notes, and outcome. They are written to the same tamper-evident audit log that all other case events use, and they are included in any audit export.
Customization Points
Administrators can tune several aspects of the workflow without code changes:
- Reviewer roles: By default, Admins, Compliance Officers, and ME/Toxicology Supervisors are notified. The notification target list can be extended via the Permissions admin tab.
- Grant duration: Approved access defaults to a 48-hour window. Office policy can adjust this down to hours or up to days.
- Email alerts: Supervisor notification emails can be toggled per-user in their notification preferences, the same as every other notification type.
Part of a Broader RBAC Story
The access-request workflow sits on top of Zeph's existing zero-trust RBAC layer — seven built-in roles, custom permission groups, field-level visibility control, and section-level tab configuration. It's one piece of a system designed so that the right people see the right information at the right time, and that every access decision is documented.
If your office is evaluating case management software and sensitive-case governance is a priority, we'd be glad to walk through the full security model in a demo.