5 User management

DMW's security system is based on the Oracle Life Sciences Data Hub (LSH) security system.

See also: How security works.

The following user management tasks are performed in Oracle LSH.

Create and set up user accounts

If Oracle DMW is installed at your company, follow these instructions. If it is hosted at Oracle, follow instructions at https://docs.oracle.com/health-sciences/ohs-iams/admin-guide/toc.htm#IAMSA102.

Create user accounts

  1. Log in to Oracle LSH.
  2. Select User Management from the main menu on the left or from the Navigator drop-down.
  3. Click Users.
  4. In the Register drop-down, select External Organization Contact and click Go.
  5. Enter values in the following fields:
    • Email. The user's email address.

    • Name Fields

    • Organization. Enter or search for the Organization to which the user belongs.

      Note:

      You must set up the list of allowed values as a post-installation step for Oracle Applications, as described in the Oracle® E-Business Suite System Administrator's Guide - Security.

      See http://download.oracle.com/docs/cd/B53825_08/current/acrobat/121sasg.pdf.

    • Phone Number

    • Account Information--Password. If you select Generate Automatically, the system generates and emails the password to the user's email account.

      If you select Enter Manually, you must type and confirm the password and inform the user what it is. The user must reset the password in either case.

      Note:

      You can set the minimum length and other requirements for passwords; see Set login-related and other profile values.

  6. Click Submit.
  7. Click OK.

Assign application roles to users

If Oracle DMW is installed at your company, follow these instructions. If it is hosted at Oracle, follow instructions at https://docs.oracle.com/health-sciences/ohs-iams/admin-guide/toc.htm#IAMSA104.

For an explanation of application roles, see:

  1. Log in to Oracle LSH.
  2. Select User Management from the main menu on the left or from the Navigator drop-down.
  3. Click Users.
  4. In the User Maintenance screen, search for the user to whom you want to assign roles.
  5. Click the user's Update icon. The Update User screen appears.
  6. In the Roles subtab, click Assign Roles. The Search and Select screen appears.
  7. Search for all Oracle LSH predefined roles by selecting Search By Role, entering LSH%, and clicking Go. The system displays all the predefined Oracle LSH application roles in the lower part of the screen.
  8. Select each role you want to assign.
  9. Click Select. The system adds the roles to the user and the Update User screen appears.
  10. Enter a justification for assigning each role to the user.
  11. Click Apply.

Create database accounts

Study configurators need a database account to create and modify studies and study components. People viewing DMW data through a visualization tool also need database accounts.

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Database Account.

    Or, if Oracle LSH is already open, go to the Administration tab and select the Database Account subtab.

  3. Click Create.
  4. Enter values in the following fields:
    • User Name. Click the Search icon and enter search criteria for the Oracle LSH user for whom you are creating a database account.

    • Database Account Name. Enter a username for the database account. The text you enter is stored in uppercase.

    • Password. Enter a password of 8 characters or more for the Definer to use with the database account.

    • Confirm Password. Reenter the password.

      Note:

      For security reasons, the user should reset the password in his or her Preferences screen.

  5. Click Apply. The system returns you to the Database Account screen.

Use or create object security roles

A role consists of a name, description, and a set of operations allowed on object subtypes. Users in a user group that have access to a particular object will be able to perform the operations on the types of objects specified by the role(s) they have in the user group.

Use predefined object roles

Predefined object roles cover most non-administrator users for the lifecycle stage(s) they will be working in:

  • DMW_STUDY_DEVELOPER (Development lifecycle stage) Only this role allows the creation of clinical data models, transformations, and validation checks. These are study configuration tasks.

  • DMW_STUDY_QC (Quality Control lifecycle stage) This role is intended for people who will do formal testing of clinical data models, transformations, and validation checks in a study.

  • DMW_STUDY_PROD (Production lifecycle stage) This role is intended for users who need to view and act on production data. (Users needing only View access should have the DMW_STUDY_INST_ACCESS role.)

Note:

These roles are sample roles provided for illustrative purposes only and are not intended to be used for production needs.

The DMW_STUDY_DEVELOPER, QC, and PROD roles allow the following privileges in the corresponding lifecycle stage:

  • Loading data.

  • Reviewing nonblinded and unblinded data and creating and managing discrepancies.

  • Half the privileges required to view currently blinded data (blind break) or to unblind data. Application roles are required for the other half.

  • Modifying clinical data models, transformations, validation checks, and custom listings.

For a list of all operations included in these roles, see Predefined object security roles.

Create object security roles

  1. Log in to Oracle LSH.

  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Roles.

    Or, if Oracle LSH is already open, go to the Security tab and select the Roles subtab.

  3. Click Create.

  4. Enter values in the following fields:

    • Role Name. Enter a unique name for the role to be displayed in the Oracle LSH user interface.

    • Code Value. Enter a unique code for the role to be used internally by Oracle LSH.

    • Description. Enter a description of the role to help group administrators decide if they want to assign the role to a particular user in their user group.

  5. Click Apply. The Manage Roles screen appears. You can query for the role by name to check that it was created successfully.

  6. Set it to Active so that it is available for use:

    1. In the Manage Roles screen, query for the role. The role appears.

    2. Click the icon in the Update column. The Update Role screen appears.

    3. Select Is Active and click Apply. You can assign subtype operations only to Active roles.

Next: Assign roles to operations

Assign roles to operations

Users assigned to a role within a user group will be able to perform the operations you assign to the role.

To assign roles to operations, go to the Subtype subtab of the Security tab and do the following:

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Subtypes.

    Or, if Oracle LSH is already open, go to the Security tab and select the Subtypes subtab.

  3. From the View Subtype By drop-down, select Operation.
  4. Expand the node (+) of the object type. All the subtypes appear.
  5. Expand the node (+) of the object subtype. All the subtype's operations appear.
  6. Click the icon in the Manage column of the operation to which you want to assign or remove a role. The Add Role(s) to Operation screen appears.
  7. Double-click on a role in the Available Roles column to move it into the Selected Roles column to assign it to the operation. Or move it from Selected Roles to Available Roles to remove the assignment.

    Note:

    • Select multiple roles using Shift+Click or Control+Click and move them by clicking the arrows.
    • To promote an input clinical data model to QC or Production, a user must have a role with the "Modify Val Status to QC" or "Modify Val Status to PROD" operation on load sets as well as on data models.
  8. Click Apply. The system assigns the role(s) to the operation on the subtype and the Manage Subtype screen appears.

Create and develop user groups

A user has access to an object only if he or she belongs to a user group that is assigned to the object, either explicitly or through inheritance.

Plan your user groups based on which objects they will be assigned to and whether the assignment will be for Metadata, Development, QC, or Production.

This section contains the following topics:

Create user groups

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select User Groups.

    Or, if Oracle LSH is already open, go to the Security tab and select the User Groups subtab.

  3. Click Create.
  4. Enter values in the following fields:
    • Group Name

    • Description

    • Is Active. If selected, a study configurator can assign the user group to an object.

  5. Click Apply.

Add users to user groups

The roles you add to a user group are available for the Group Administrator to assign to users within the group.

  1. Log in to Oracle LSH as the system administrator.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select User Groups.

    Or, if Oracle LSH is already open, go to the Security tab and select the User Groups subtab.

  3. Enter the name of the user group for which you want to add roles in the user group box.

    Or, to see all user groups, enter %.

  4. Click Go.
  5. Click the required user group.
  6. Click Add and Remove Role.
  7. Double-click on a role in the Available Roles column to move it into the Selected Roles column.

    You can also select multiple Roles by using Shift+Click or Control+Click and use the arrows to move one, a few, or all at once to the column in the shuttle.

    You can change the order of the Roles using the Up and Down arrows on the right.

  8. Click Apply.

Assign a group administrator

The Group Administrator is responsible for adding users to and removing users from a particular user group, and for changing users' role assignments within the group.

You must have the LSH Security Admin or LSH Function Security Admin role to assign the LSH Group Admin role to a user.

To assign a Group Administrator to a user group:

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select User Groups.

    Or, if Oracle LSH is already open, go to the Security tab and select the User Groups subtab.

  3. Enter the name of the user group for which you want to add roles in the user group box.

    Or, to see all user groups, enter %.

  4. Click Go.
  5. Click Expand All.
  6. Click the Add User icon corresponding to the LSH Group Administrator role. The Search and Select Users to Add to Role screen appears.
  7. Search for and select the users who need to be LSH Group Administrators for this User Group.
  8. Click Select. The system assigns the LSH Group Administrator role to the selected users and the Group screen appears.

    Note:

    Group Administrators must have the Group Admin application role assigned. See Assign application roles to users.

Add users and assign roles

The group administrator adds users to a group, at the same time assigning the user to one or more roles within the group.

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select User Groups.

    Or, if Oracle LSH is already open, go to the Security tab and select the User Groups subtab.

  3. In the user group box, type the name of the user group to which you want to assign users.

    If you are not sure of the name, you can use % as a wildcard.

  4. Click Search. The system displays all the groups you administer that match the search criteria.
  5. Click the required user group. The Group screen appears.
  6. Click the plus (+) icon to see the roles assigned to the user group.
  7. Find the role you want to assign to the user you are adding, and click its Add User icon.
  8. Type the user name, first name, and/or last name of the user.

    If you are not sure of the name, you can use % as a wildcard.

  9. Click Search. All the users matching the search criteria appear.
  10. Select one or more users you want to assign to the role.
  11. Click Select. The system assigns the selected user(s) to this role within this user group and returns to the User Group screen.
  12. Repeat until you have added all the users and given each user all the roles he or she needs within the group.
  13. When you finish, see Clear the Oracle Applications cache.

Clear the Oracle Applications cache

Every time you change user assignments to a user group, clear the Oracle Applications cache so that users logging into Oracle LSH see only the appropriate options. (If you do not clear the cache, users may see options they should not have, but they cannot actually perform them.)

  1. Log in as an Oracle LSH user with the Functional Administrator responsibility. See Assign application roles to users for instructions on granting this responsibility.

    The Security tab's Grants screen appears.

    Note:

    You can also log in as the sysadmin user if you do not want to assign the Functional Administrator responsibility solely for the purpose of clearing the cache.

  2. Click the Core Services tab from the Grants screen. The Lookup Types screen appears.
  3. Click Caching Framework from the list of secondary tabs. The Overview screen opens.
  4. Click Global Configuration from the left panel. The Global Cache Configuration screen opens.
  5. Click Clear All Cache. A warning appears.

    Click Yes.

Copy user groups with or without users

You can create copies of a user group in two ways. Either you can duplicate only the user group definition with its supported roles or you can duplicate the definition with its supported roles and also the users assigned to it and their role assignments. When you duplicate a user group, the system appends 'Copy of' to the name of the user group.

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select User Groups.

    Or, if Oracle LSH is already open, go to the Security tab and select the User Groups subtab.

  3. In the User Group box, enter a search string: the name of the user group you want to duplicate, or text with the wildcard %. Or leave the box blank to retrieve all user groups.
  4. Click Go. All the user groups matching the search criteria appear.
  5. Click the Select checkbox corresponding to the required user group.
  6. Click Duplicate with Roles or Duplicate with Roles, Users.

Assign user groups to custom programs and study groupings

You can assign user groups to:

  • Custom programs and functions. If you assign a user group to the DMW_UTILS domain, its users have access to all custom programs and functions. If you assign a user group to an application area in the DMW_UTILS domain, its users have access to all programs and functions in that application area.

    This is the only way to grant access to custom programs and functions. Programmers writing the programs and functions and study configurators using them in transformations and validation checks need access.

  • Study groupings. If you assign a user group to a study grouping domain, users in the group have access to all studies and library objects, in all lifecycle stages, within the grouping. Study configurators can explicitly remove user groups from studies, objects, and lifecycle stages, and assign other user groups.

  1. Navigate to the study grouping or application area:

    1. Log in to Oracle LSH.

    2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Applications.

      Or, if Oracle LSH is already open, go to the Applications tab.

    3. Click the Search icon (a magnifying glass) next to the Select Domain field.

    4. Select Search By Domain Name, enter either:

      - DMW_DOMAIN for study groupings.

      - DMW_UTILS for custom programs and functions.

      Click Go.

    5. Click the Quick Select icon (a down arrow) for the domain.

    6. Click the domain or application area you want.

  2. From the Actions drop-down, select Apply Security and click Go.

  3. Click Assign User Group.

  4. To see all user groups, enter % and click Search.

    Or, enter part of a user group name and click Search.

  5. Select one or more user groups to assign and click Apply.

Assign user groups to adapters for technology privileges

To do certain tasks in DMW that involve an integrated application or technology, users must be in a user group assigned to an adapter or adapter family (adapters grouped by application/technology).

Users with the DMW_STUDY_DEVELOPER, QC, and PROD predefined object security roles need to be in a user group assigned to adapters.

  1. Log in to Oracle LSH.
  2. Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Adapter Security.

    Or, if Oracle LSH is already open, go to the Security tab and select the Adapter Security subtab.

  3. Click the Apply Security icon (a padlock) for the adapter family or individual adapter to which you want to assign a user group. To see individual adapters, expand the node of the adapter family. See the List of adapters.

    Tip:

    If you assign a user group to a family adapter, it grants access to all the adapters within the family adapter.

  4. Click Assign Group.
  5. To see all user groups, enter %.

    To find a particular user group, enter part of its name.

  6. Click Search.
  7. Select each user group you want to assign to the adapter or adapter family, and click Apply.

List of adapters

DMW uses the following adapters. Other adapters appear in the Oracle LSH UI, but they are used only in LSH.

  • The InForm Family Adapter includes:

    • InForm Data is required for users to set up an InForm clinical data model, including loading data from InForm and scheduling data loading.

    • InForm Metadata is required for users to set up an InForm clinical data model, including loading InForm metadata.

  • Oracle Export is required for users to create, modify, or install a clinical data model that is set up for exporting data in an Oracle Export file. It is also required to run the job to create the Oracle Export file.

  • The Oracle Family Adapter is not required.

    • Oracle Tables and Views is not supported in this release.

    • PLSQL This adapter is used internally. Users do not need access to it.

  • SAS Export is required for users to create, modify, or install a clinical data model that is set up for exporting data in a SAS file. It is also required to run the job to create the SAS file.

  • The SAS Family Adapter includes:

    • SAS is required for users who upload SAS files to create table metadata in clinical data models.

    • SAS Program is required to upload SAS programs or to run a transformation or validation check that uses a SAS custom program.

  • Text Export is required for users to create, modify, or install a clinical data model that is set up for exporting data in a text file. It is also required to run the job to create the text file.

  • The Text Family Adapter/Text is required for users who create an input file clinical data model of type Text.

  • The Visualization Adapter/Generic Visualization is required to view data using a visualization tool.

How security works

Studies, clinical data models, transformations, and validation checks are all objects. Users are allowed to perform an operation on an object when they:

  • Belong to a user group that is assigned to the object either explicitly or by inheritance. For information on inheritance, see Object ownership.

  • Are assigned to a role within that user group that allows the operation on the object.

  • Have an application role that allows access to the required part of the user interface.

To either view blinded data or to unblind data, a user needs both an object privilege and an application role.
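The conditions above combine as a conjunction, which is useful when working out why a user cannot perform an operation. The following Python model is an added example, not Oracle code or part of the product; all object, group, role, and operation names are constructed, and inheritance is assumed to follow containment (a group assigned to a containing object applies to the objects inside it).

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    subtype: str
    parent: "Obj | None" = None
    groups: set = field(default_factory=set)  # user groups assigned explicitly

    def effective_groups(self):
        # Assumption: a group assigned to a containing object is inherited
        # by everything inside it.
        node, found = self, set()
        while node is not None:
            found |= node.groups
            node = node.parent
        return found

# All names and values below are constructed for illustration.
ROLE_OPS = {  # object security role -> (subtype, operation) pairs it allows
    "EX_CONFIGURATOR": {("data_model", "modify"), ("data_model", "view_blinded")},
    "EX_REVIEWER": {("data_model", "view")},
}
MEMBERSHIP = {  # (user group, user) -> roles held within that group
    ("GRP_ONCOLOGY", "alice"): {"EX_CONFIGURATOR"},
    ("GRP_ONCOLOGY", "bob"): {"EX_REVIEWER"},
    ("GRP_CARDIO", "carol"): {"EX_CONFIGURATOR"},
}
APP_ROLES = {  # user -> application roles
    "alice": {"EX_APP_CONFIG"},
    "bob": {"EX_APP_CONFIG", "EX_APP_BLIND"},
    "carol": {"EX_APP_CONFIG", "EX_APP_BLIND"},
}
UI_REQUIRES = {  # operation -> application role needed to reach it in the UI
    "modify": "EX_APP_CONFIG",
    "view": "EX_APP_CONFIG",
    "view_blinded": "EX_APP_BLIND",
}

def missing_conditions(user, operation, obj):
    """Return the unmet conditions; an empty list means the operation is allowed."""
    missing = []
    # Condition 1: the user is in a group assigned to the object (or inherited).
    groups = {g for g in obj.effective_groups() if (g, user) in MEMBERSHIP}
    if not groups:
        missing.append("user group assigned to object")
    # Condition 2: a role held within one of those groups allows the operation.
    roles = set().union(*(MEMBERSHIP[(g, user)] for g in groups))
    if not any((obj.subtype, operation) in ROLE_OPS[r] for r in roles):
        missing.append("object role allowing operation")
    # Condition 3: an application role grants access to that part of the UI.
    if UI_REQUIRES[operation] not in APP_ROLES.get(user, set()):
        missing.append("application role")
    return missing

# Constructed hierarchy: the group is assigned only at the study grouping.
grouping = Obj("Oncology grouping", "domain", groups={"GRP_ONCOLOGY"})
study = Obj("Study 001", "study", parent=grouping)
model = Obj("Input model", "data_model", parent=study)
```

In this model, `alice` holds the object half of the blinded-data privilege but not the application role, and `bob` holds the application role but not the object half, so `missing_conditions` reports a different gap for each.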