The e-records stored as XML documents in the database are a repository of critical information that can be queried for reasons ranging from internal users viewing information to regulatory authorities inspecting process records.
The information contained in these e-records can be confidential and critical to the nature of the business. Therefore, access to these e-records must be restricted so that any unauthorized entry is prevented.
Access to e-records must be based on the contents of the e-records. For example, you can restrict access to all e-records having any reference to a particular formula ingredient.
The technical requirements fulfilled by the security model are:
You cannot delete an e-record once it is created.
The view access is contingent on the content of the e-record and the event for which the e-record was created.
Before a security rule can be created using a particular XML element, the element must be identified as a secure element: the XML element must be indexed, and its usage must be defined as a secure element.
Refer to Setting Up Indexed XML Elements in the “Implementing Oracle E-records” chapter.
Once the secure elements are created, you can create security rules.
There are two modes of operation that a user can configure at the site level. These modes are determined by the profile option EDR: Security High, set at the Site level. This value can be set to Yes or No and has a default value of No.
Warning: Do not change this setting once security configuration is complete.
When EDR: Security High is set to No, access to e-records is granted by default and users or responsibilities can be restricted as required. This is the default mode.
When EDR: Security High is set to Yes, access to e-records is restricted by default and users or responsibilities are granted access to specific values.
Refer to Enabling Profile Options in the “Implementing Oracle E-records” chapter.
A security rule creates a restriction or grant statement such as:
Allow user James (user id: JASDE) to access e-records for event Formula Approval having value Yeast for Formula Ingredient
In this example, Formula Ingredient is the secure element for the event Formula Approval. Access to the value Yeast is granted to user id JASDE. Similarly, access to a particular user can also be restricted for a specific value.
Using these security rules, access to the e-records for specific events is restricted based on the contents of the e-records; specifically the value of the secure elements identified at the time of secure element creation.
The comprehensive set of security rules supported by the security model lets you provide content based security as follows:
Grant a user access to an e-record based on its content.
Grant a responsibility access to an e-record based on its content.
Restrict a user's access to an e-record based on its content.
Restrict a responsibility's access to an e-record based on its content.
Grant a responsibility, but restrict a particular user within the responsibility, access to an e-record based on its content.
Restrict a responsibility, but grant a user within the responsibility, access to an e-record based on its content.
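The grant and restrict combinations above, together with the site-level mode and the rule's Start Date and End Date, can be modeled as a small evaluator. This is an added example, not Oracle's implementation. Assumptions: a user-level rule overrides a responsibility-level rule, a restriction beats a grant at the same level, a rule stops applying on its End Date, and the responsibility QA Reviewer and the dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Rule:
    element: str                          # secure element, e.g. "Formula Ingredient"
    event: str                            # event name, e.g. "Formula Approval"
    value: str                            # secure value, e.g. "Yeast"
    access: str                           # "GRANT" or "RESTRICT"
    start: date                           # date the rule becomes active
    end: Optional[date] = None            # None leaves the rule active indefinitely
    user: Optional[str] = None
    responsibility: Optional[str] = None

    def applies(self, event, elements, on):
        """True if the rule is active on `on` and its value occurs in the e-record."""
        active = self.start <= on and (self.end is None or on < self.end)
        return (active and self.event == event
                and self.value in elements.get(self.element, ()))

def can_view(rules, security_high, user, responsibility, event, elements, on):
    """Decide view access to one e-record under this example's assumptions."""
    hits = [r for r in rules if r.applies(event, elements, on)]
    user_level = [r for r in hits if r.user == user]
    resp_level = [r for r in hits
                  if r.user is None and r.responsibility == responsibility]
    # Assumption: user-level rules are consulted before responsibility-level rules.
    for level in (user_level, resp_level):
        if level:
            # Assumption: within one level, any restriction beats a grant.
            return all(r.access == "GRANT" for r in level)
    # No rule matched: EDR: Security High sets the default (No = grant, Yes = restrict).
    return not security_high

# Constructed sample data: grant user JASDE, restrict the QA Reviewer responsibility.
RULES = [
    Rule("Formula Ingredient", "Formula Approval", "Yeast", "GRANT",
         date(2024, 1, 1), user="JASDE"),
    Rule("Formula Ingredient", "Formula Approval", "Yeast", "RESTRICT",
         date(2024, 1, 1), date(2024, 6, 30), responsibility="QA Reviewer"),
]
# Secure element values indexed from one constructed Formula Approval e-record.
RECORD = {"Formula Ingredient": {"Yeast", "Flour"}}
```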
Navigate to the Security Rules window.
Click Create Security Rule. The Create Security Rule window displays.
Enter the information for the security rule:
Secure Element displays the name of the secure XML elements. Required.
Event Name displays the name of the event.
Secure Value displays the value of the secure element. In addition, you can use special characters when creating the secure value. Required.
User displays the user associated with that secure element.
Responsibility displays the responsibility associated with that secure element.
Access displays whether the element can be accessed or is restricted by default. Required.
Start Date displays the date the security becomes active. Required.
End Date displays the date security is no longer active. This can be NULL, leaving security active indefinitely.
Click Apply. A confirmation displays that the Security Rule is successfully created.
Run the E-records Security Policy Administration program.
Refer to Running the E-records Security Policy Administration Program for details.
The e-record security rules are used to restrict or grant access to e-records based on their content. You can search, view, create, delete, and update security rules.
The search criteria are not case sensitive and handle trailing wildcards. For example, searching for abc returns all matches for abc% and ABC%.
Navigate to the Security Rules window.
Enter search criteria, which can include one or many of the following:
Secure Element displays any indexed XML event that has been set up with a secure usage.
Event Name displays all active events.
User displays all system users.
Responsibility displays any responsibilities set up in the system.
Click Go. The search results display. You can sort the information by clicking on any heading that is active. The following information displays for each record:
Secure Element displays the name of the secure XML elements.
Event Name displays the name of the event.
Secure Value displays the value of the secure element.
User displays the user associated with that secure element.
Responsibility displays the responsibility associated with that secure element.
Access displays whether the element can be accessed or is restricted by default.
Details lets you drill down into the details of that record.
Update lets you update the record.
Delete lets you delete the record.
You can view the security rule details. You cannot change any information about the security rule from this window.
Navigate to the Security Rules window.
View the detail information.
Click Back to return to the previous window.
Security rules can be updated from this window. After security rules are changed, you must run the Security Policy Administration program for these changes to take effect.
Click Update from the Security Rules window. The Update Security Rules window displays.
Update the desired information. You cannot update Secure Element, Event Name, Secure Value, User, and Responsibility. You can update the following:
Access displays whether the element can be accessed or is restricted by default. Required.
Start Date displays the date the security becomes active. Required.
End Date displays the date security is no longer active. This can be null, leaving security active indefinitely.
Click Apply.
Run the E-records Security Policy Administration program. Refer to Running the E-records Security Policy Administration Program for details.
You can delete all security rules from this window.
Click Delete from the Security Rule window. The message Are you sure you want to delete this Security Rule? displays.
Click Yes to delete the rule, and No to cancel the delete.
Run the E-records Security Policy Administration program.
Refer to Running the E-records Security Policy Administration Program for details.
You must run this program to enable security on the Evidence Store.
Navigate to the Submit Request window.
Enter E-records Security Policy Administration in the Name field. The Parameters dialog box displays. The Action field is set to either Add or Drop.
Click OK. The Submit Request window displays.
Complete the fields on the Submit Request window and click Submit.
View or print the report.