Skip Headers
Oracle® Clinical Development Analytics User and Administrator Guide
Release 2.0.0.3 for Standard Configuration

Part Number E22699-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

6 Implementing Security

This chapter contains the following topics:

About Security in Oracle Clinical Development Analytics

Oracle Clinical Development Analytics (OCDA) spans several applications: Oracle Clinical and Oracle's Siebel Clinical are the data sources, and Informatica ETL Execution Plans and transform Oracle Clinical and Siebel Clinical data structures into the star schemas required by Oracle Business Intelligence Enterprise Edition (OBIEE), which reads from the star schemas and provides the user interface where end users can view and analyze data through dashboards and reports.

OCDA security includes:

Figure 6-1 Study and Study Site Security Implementation

Description of Figure 6-1 follows
Description of "Figure 6-1 Study and Study Site Security Implementation"

Example

This document describes how to set up security for the following basic types of users as an example.

  • OCDA End Users are people who can view Oracle Clinical and Siebel Clinical data in OCDA through dashboards and reports. The specific dashboards and reports they can view is determined by the user groups they belong to.

  • OCDA Programmers are people who are authorized to create their own reports in the Answers component of OBIEE/OCDA, which does not require any programming skills. You can distinguish between people who can simply create ad hoc reports and those who can save the reports they create to a dashboard so that other people can use them.

  • INFA Programmers are people who can modify the functionality of OCDA by modifying the predefined ETL Programs that OCDA uses to transform transactional source data in Infa repository for use in OCDA. They may also create new ETL Programs to support custom dashboards and reports in OCDA.

  • OCDA Schedulers are people who schedule OCDA jobs, including the data loading job and the user data access jobs. They need privileges similar to INFA Programmers.

  • DAC/INFA Administrators are people who set up DAC, including Informatica Setups, and grant privileges to other users.

Setting Up User Authentication

DAC handles creation and maintenance of users for ETL administration of OCDA. OBIEE handles reports related user authentication for OCDA .

Creating User Accounts in DAC

You can create user accounts in the following ways:

  • Create users in DAC. For more information, refer to the Oracle® Business Intelligence Data Warehouse Administration Console Guide.

  • If you have an Oracle LDAP Directory, migrate users to Oracle Applications. For more information, refer to My Oracle Support (ID 1508321.1).

Setting Up User Authorization in OBIEE

When a user logs in, OBIEE verifies that they have valid credentials and populates the OBIEE Group session variable with a list of the user groups the user belongs to.

Authorization at the OBIEE level determines which parts of OCDA's OBIEE user interface, users can access. The tasks required to set up user authorization are:

Using Predefined User Groups in OBIEE and Creating New Ones

All OCDA End Users—people who view Oracle Clinical and Siebel Clinical data in OBIEE—must be associated with one or more OBIEE user groups. The OBIEE groups determine privileges allowed to users and allow access to the shipped OCDA dashboards and reports. To associate users with an OBIEE user group, you assign their OBIEE account to an OBIEE user group.

OCDA provides a set of predefined OBIEE user groups. You can create additional groups as needed.

Note:

To perform administrative tasks in OBIEE, you must be a member of OBIEE's predefined Administrator group.
Predefined OBIEE User Groups

OCDA includes predefined OBIEE user groups (called groups in OBIEE) to allow OCDA end users access to predefined dashboards. Each dashboard allows access to a predefined set of reports. For more information about predefined reports, refer to Appendix A, Dashboards and Reports.

The predefined user groups allow dashboard access as follows:

  • OCDA-StudyManager: CO - Document Management, CO - Site and Recruitment Overview, CO - Study and Region Overview, and CO - Subject Retention

  • OCDA-CRA: CRA EDC , CO - Document Management, CO - Site Recruitment Overview, CO - Study and Region Overview, and CO - Subject Retention

  • OCDA-DataEntryManager: CO - Document Management, CO - Site Recruitment Overview, CO - Study and Region Overview, and CO - Subject Retention

  • OCDA-DataManager: DM EDC, DM Paper, CO - Document Management, CO - Site Recruitment Overview, CO - Study and Region Overview, and CO - Subject Retention

  • OCDA-ProjectManager: CO - Document Management, CO - Site Recruitment Overview, CO - Study and Region Overview, and CO - Subject Retention

  • OCDA-Site: CO - Document Management, CO - Site Recruitment Overview, CO - Study and Region Overview, and CO - Subject Retention

The last two user groups are predefined, but if you want to use them you must associate the groups with dashboards.

For more information, refer to Assigning OBIEE User Groups to Dashboards and Reports.

Note:

OCDA ships with both the Presentation catalog and Repository groups for each predefined user group.
Creating User Groups in OBIEE

You can create additional user groups in OBIEE as needed; for example:

  • If you create new dashboards or reports, you may need new user groups to manage access to them.

  • To create new dashboards and reports you must allow some users—OCDA Programmers in the example—access to the OBIEE Answers component, for which they need to be in a user group with access to Answers.

For each new user group you need, you must create identically named user groups in three places:

  • Create a new group in the Presentation catalog: Log in to OBIEE, click Settings > Administration > Manage Presentation Catalog Groups and Users. For more information, refer to the Oracle Business Intelligence Presentation Services Administration Guide.

  • Create a new group in the OBIEE Repository. If you wish, you can use the group to provide increased security at the RPD level. For more information, refer to the Oracle Business Intelligence Server Administration Guide.

Note:

The OBIEE Presentation catalog and Repository user groups must all have exactly the same name.
Assigning OBIEE User Groups to Dashboards and Reports

To use a group to allow users access to particular dashboards or reports, you must assign the new group to one or more dashboards or reports.

Log in to OBIEE, click Settings > Administration > Manage Interactive Dashboards. For more information, refer to the Oracle Business Intelligence Presentation Services Administration Guide.

Example To support the example user types, create these user groups:

  • OCDA End User Groups: These correspond to the predefined OBIEE user groups or other OBIEE user groups you create to allow access to dashboards and reports.

  • OCDA Programmer Group: This group is for people who have access to the Answers component of OBIEE.

  • DAC/INFA Administrator Group: You do not need this group unless you want to allow INFA Programmers to modify some ETL Programs but not others.

Setting Up Study and Study Site Data Access for Users

This section contains the following topics:

You can set two variables to either allow all users access to data from all studies and study sites or you can require each user to have explicit access to particular studies and study sites. For more information, refer to Setting the Systemwide Access Variables.

In OCDA:

This means that if you set the variables to require explicit access:

Note:

If a user has access to multiple, but not all, sites in a study, the totals displayed in OCDA reports reflect the totals for the sites to which the user has access, not the totals for all sites in the study. For more information, refer to Study-Site Access Example.

Setting the Systemwide Access Variables

The following static repository variables determine whether explicit access to study or study site data is required for all users:

  • Enable_Study_Access_Sec: If set to Y, all users must have explicit access granted to study-level data for a particular study in order to see that data. If set to N, all users can see study-level data for all studies.

  • Enable_Study_Site_Access_Sec: If set to Y, all users must have explicit access to a particular study site in order to see site-level data for that study site. If set to N, all users can see site-level data for all study sites.

    The default value for both variables is N.

    Note:

    If you set these variables to Y you must populate a set of tables with user access data. For more information, refer to Importing Study and Study Site Data Access Privileges.

    Oracle recommends that you set both variables to the same value.

To change the value for either variable:

  1. Stop the BI Server and the BI Presentation Server Services.

  2. Using the OBIEE Administrator tool, edit the Repository:

    1. On the Manage Menu, choose Variables.

    2. In the Variable Manager dialog, choose Repository, then Variables, then Static.

    3. Open the properties of the variable, either by double-clicking it or through the context menu.

    4. Edit the value of Default Initializer for the variable: Y enables access control; N disables access control.

    5. Exit the Static Repository Variable dialog.

    6. Exit the Variable Manager.

    7. Save the modified Repository.

  3. Start the BI Server and BI Presentation Server Services.

Data Access Tables

OCDA uses three database tables to control users' access to rows of data in the star schema fact tables that pertain to particular studies and study sites. The data access tables are:

  • W_HS_APPLICATION_USER_D contains a list of the user accounts that can have data access granted to particular studies and study sites. It must be populated from an external source. OCDA includes a sample ETL Program for this purpose. For more information, refer to Importing Study and Study Site Data Access Privileges.

  • W_HS_STUDY_ACCESS_SEC controls which users can see study-level data on which studies.

  • W_HS_STUDY_SITE_ACCESS_SEC controls which users can see study site-level data on which study sites.

Importing Study and Study Site Data Access Privileges

The data access tables must be populated with data. OCDA includes a set of template ETL programs for this purpose. The programs are called template programs because you will need to adjust them according to your particular configuration, if you are enabling access control. If you are not enabling access control, the template programs can be used as they are. The following list enumerates the degrees to which you may want to modify the template programs:

  • If you set the systemwide access variables to N, run the template ETL programs as is to populate the tables with a dummy user. All users have access to all study-level and study site-level data for all studies and sites.

  • If you set the systemwide access variables to Y, modify the ETL programs as necessary to import user access information from Oracle Clinical and Siebel Clinical. If there are people who should be able to use OCDA but do not currently have either Oracle Clinical or Siebel Clinical user accounts with privileges for specific studies or sites set, you must up create user accounts with the desired privileges in one of the source transactional systems.

  • If you set the systemwide access variables to Y, modify the ETL programs as necessary to import user access information from some other source.

About Oracle Clinical Template Programs

The template ETL programs for Oracle Clinical are:

  • SDE_OC_Application_User_D

  • SDE_OC_Study_Access_Sec

  • SDE_OC_Study_Site_Access_Sec

The Oracle Clinical table OPA.OPA_LEVEL_PRIVS stores study and study site data access information for Oracle Clinical and Oracle Clinical Remote Data Capture (RDC) Onsite users. The Oracle Clinical or RDC administrator sets these privileges in the Maintain Access to Studies and Maintain Access to Sites windows in either Oracle Clinical or the RDC Administration application.

The template OC ETL programs read data from this table and populate the data access tables in the OCDA warehouse .

OCDA uses this data to allow users access to study and study site data in OBIEE. In Oracle Clinical and RDC the concept of study and study site data access is different from OCDA's, and you can specify a variety of privileges on studies and study sites, which is not required in OCDA where all data access is view-only. The template OCDA ETL programs interpret the Oracle Clinical/RDC data as follows:

  • If a user has been granted any privileges on a study site in OPA_LEVEL_PRIVS, the programs give the user study site-level access to that study site in OCDA.

  • If a user has been given any privileges on a study in OPA_LEVEL_PRIVS, the programs give the user:

    • Study-level access to that study in OCDA

    • Study site-level access to all the study sites in that study

The template ETL programs also remove the Oracle Clinical OPS$ prefix from each user name. You will likely need to alter this translation of Oracle Clinical user name to OCDA user name. For more information, refer to Modifying the Data Access Programs.

About Siebel Clinical Security ETL Programs

The secuirty ETL programs for Siebel Clinical are:

  • SDE_SC_Application_User_D

  • SDE_SC_Study_Access_Sec

  • SDE_SC_Study_Site_Access_Sec

  • SDE_SC_Party_Parent

  • OCDA_SC_PARTY_HIERARCHY

  • SDE_SC_Study_Hierarchy

  • SDE_SC_Study_Site_Hierarchy

These programs read from the standard tables describing Siebel Clinical users and protocols, and the access that users have to studies. Review the programs, and adjust them to correspond to any changes you have made from the standard Siebel Clinical model.

The other security ETL programs are:

  • SIL_Application_User_D

  • SIL_Study_Access_Sec

  • SIL_Study_Site_Access_Sec

Modifying the Data Access Programs

You may need to modify the data access ETL programs for the following reasons:

User Name Conversion Modification You may need to edit the SDE programs to adapt the user name conversion to your input Oracle Clinical or Siebel Clinical user names and your output OCDA user names. Be careful; if the following conditions are not met, names will not match up and access control will fail.

  • The conversion performed in the all the SDE programs must be identical

  • The resultant user name must be the same as the user name used for OCDA purposes. SDE ETL programs that execute the ETL to populate the data access tables have a parameter for entering the email portion of the standard user name format.

Interpretation Logic Modification You may prefer to interpret the Oracle Clinical or Siebel Clinical privileges differently in OCDA.

Source Modification You may want to import data access information from another source.

For instructions on modifying ETL programs, refer to Customizing an ETL Execution Plan.

Running the Template Data Access Control ETL Programs

You should run your versions of these programs:

  • when you first set up OCDA

  • when new users need access

  • when new studies are added

  • when new sites are added to studies

  • when the systemwide access variable settings are modified

You must run the programs in the order in which they are listed in Importing Study and Study Site Data Access Privileges. For more information, refer to Scheduling an ETL Execution Plan.

Study-Site Access Example

In Study 012345, users U2 and U3 have study-site access defined in the OCDA data access table W_STUDY_ACCESS_STUDY_SITE_SEC as follows (note that user U1 is not in the table at all):

APPLICATION_USER_WID STUDY_WID STUDY_SITE_WID
U2 A A1
U2 A A2
U3 B B1
U3 B B2

The distribution of discrepancies by study site, as stored in the discrepancies aggregate table in the warehouse, is:

Study Study Site Number Of Discrepancies
A A1 20
A A2 15
B B1 30
B B2 10
B B3 20

A query on this data has been created and saved as a report:

Figure 6-2 OCDA User Interface

Description of Figure 6-2 follows
Description of "Figure 6-2 OCDA User Interface"

Users U1, U2, and U3 can run the report. When user U1 runs the report, nothing can be seen. U1 has no access to any study site data.

When user U2 runs the report, U2 sees the following:

Study Number of Discrepancies
A 35

And U2 drills down within Study A, the following can be seen:

Study Site Number of Discrepancies
A A1 20
A A2 15
Total   35

When user U3 runs the report, U3 sees the following:

Study Number of Discrepancies
B 40

That is, U3 sees the sum of the values for the sites U3 is entitled to see, not the sum for the study. For user U3, it is as if site B3 does not exist. Drilling down shows the same effect:

Study Site Number of Discrepancies
B B1 30
B B2 10
Total   40

Note:

A given document can pertain to study-site, a region, or a study. Ideally, there would be separate security controls for each level. However, in OCDA Release 2.0.0.3, we are applying the same security to all documents. As every region and study-site belongs to a study, we control documents at the study level.