Securing PSUB
In this section:
- OCPSUB Proxy Database Account
- File Security for Most PSUB Jobs
- File Security for PSUB Jobs with Input Files
- Windows Only
Parent topic: Managing Batch Jobs
OCPSUB Proxy Database Account
Users who need to submit PSUB jobs must have access to the login database using a proxy user, the ocpsub database account, to run PSUB jobs. The ocpsub account's credentials are stored in the Oracle Wallet created during the Oracle Clinical Database Server installation; the Oracle Clinical Database Installer prompted for the Wallet's location.
You must change the password for ocpsub before it expires; see Changing the Password for the OCPSUB or RXC_DISC_REP Account and Setting Password Requirements for User Accounts.
Parent topic: Securing PSUB
File Security for Most PSUB Jobs
You must create a directory to temporarily store PSUB log and output files and enter its path as the long value of the PSUB_LOGS_DIR value in the OCL_STATE local reference codelist. The first time a user runs a PSUB job in Oracle Clinical Release 5.0 or later, the system automatically creates a subdirectory under this directory for the user and places the generated log and output files there before writing them to a database table where they are stored permanently. When the user views or prints the files, the system displays or prints them directly from the database. Users have access only to files for jobs they submitted.
Although users have their own subdirectories, only the opapps account has access to the directories; the system checks the user account name against the user-specific directory name at runtime to grant access to the files. The system checks only the portion of the username that does not include OPS$ (if the username includes OPS$) because the OPS$ prefix is no longer required.
Parent topic: Securing PSUB
File Security for PSUB Jobs with Input Files
Each type of batch job that uses input files requires that you set up a directory to contain these files; see Creating Directories for Input and Output Files of Certain Job Types. For these you have the option to manually create user-specific subdirectories or to have users share access to a single directory. Unless you have very few PSUB users and they all have the same data access privileges, you should create individual subdirectories to ensure that users can see only files for jobs they submitted.
If the OCL_STATE reference codelist setting USERDIRS is set to Y, indicating that you have user-specific subdirectories, PSUB looks for the input or generates the output file in any directory at or below JOBTYPE_ROOT/user, where user must match the database account ID—minus the OPS$ string, if any—of the Oracle Clinical user who submitted the job.
Parent topic: Securing PSUB
Windows Only
The Windows server that runs the PSUB service must belong to the same domain as the Windows server that runs the Oracle database.
This Oracle database security feature prevents unauthorized users from logging in over a network connection. For information on database security, see the Oracle® Database Security Guide 11g Release 2 (11.2).
Parent topic: Securing PSUB