5 User management
DMW's security system is based on the Oracle Life Sciences Data Hub (LSH) security system.
See also: How security works.
The following tasks are done there.
Create and set up user accounts
If Oracle DMW is installed at your company, follow these instructions. If it is hosted at Oracle, follow instructions at https://docs.oracle.com/health-sciences/ohs-iams/admin-guide/toc.htm#IAMSA102.
Assign application roles to users
If Oracle DMW is installed at your company, follow these instructions. If it is hosted at Oracle, follow instructions at https://docs.oracle.com/health-sciences/ohs-iams/admin-guide/toc.htm#IAMSA104.
For an explanation of application roles, see:
- Log in to Oracle LSH.
- Select User Management from the main menu on the left or from the Navigator drop-down.
- Click Users.
- In the User Maintenance screen, search for the user to whom you want to assign roles.
- Click the user's Update icon. The Update User screen appears.
- In the Roles subtab, click Assign Roles. The Search and Select screen appears.
- Search for all Oracle LSH predefined roles by selecting Search By Role, entering LSH%, and clicking Go. The system displays all the predefined Oracle LSH application roles in the lower part of the screen.
- Select each role you want to assign.
- Click Select. The system adds the roles to the user and the Update User screen appears.
- Enter a justification for assigning each role to the user.
- Click Apply.
Create database accounts
Study configurators need a database account to create and modify studies and study components. People viewing DMW data through a visualization tool also need database accounts.
Use or create object security roles
A role consists of a name, description, and a set of operations allowed on object subtypes. Users in a user group that have access to a particular object will be able to perform the operations on the types of objects specified by the role(s) they have in the user group.
Use predefined object roles
Predefined object roles cover most non-administrator users for the lifecycle stage(s) they will be working in:
- DMW_STUDY_DEVELOPER (Development lifecycle stage). Only this role allows the creation of clinical data models, transformations, and validation checks. These are study configuration tasks.
- DMW_STUDY_QC (Quality Control lifecycle stage). This role is intended for people who will do formal testing of clinical data models, transformations, and validation checks in a study.
- DMW_STUDY_PROD (Production lifecycle stage). This role is intended for users who need to view and act on production data. (Users needing only View access should have the DMW_STUDY_INST_ACCESS role.)
Note:
These roles are sample roles provided for illustrative purposes only and are not intended to be used for production needs.
The DMW_STUDY_DEVELOPER, QC, and PROD roles allow the following privileges in the corresponding lifecycle stage:
- Loading data.
- Reviewing nonblinded and unblinded data and creating and managing discrepancies.
- Half the privileges required to view currently blinded data (blind break) or to unblind data. Application roles are required for the other half.
- Modifying clinical data models, transformations, validation checks, and custom listings.
For a list of all operations included in these roles, see Predefined object security roles.
Create object security roles
- Log in to Oracle LSH.
- Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Roles.
  Or, if Oracle LSH is already open, go to the Security tab and select the Roles subtab.
- Click Create.
- Enter values in the following fields:
  - Role Name. Enter a unique name for the role to be displayed in the Oracle LSH user interface.
  - Code Value. Enter a unique code for the role to be used internally by Oracle LSH.
  - Description. Enter a description of the role to help group administrators decide if they want to assign the role to a particular user in their user group.
- Click Apply. The Manage Roles screen appears. You can query for the role by name to check that it was created successfully.
- Set it to Active so that it is available for use:
  - In the Manage Roles screen, query for the role. The role appears.
  - Click the icon in the Update column. The Update Role screen appears.
  - Select Is Active and click Apply. You can assign subtype operations only to Active roles.
Assign roles to operations
Users assigned to a role within a user group will be able to perform the operations you assign to the role.
To assign roles to operations, go to the Subtype subtab of the Security tab and do the following:
Create and develop user groups
A user has access to an object only if he or she belongs to a user group that is assigned to the object, either explicitly or through inheritance.
Plan your user groups based on which objects they will be assigned to and whether the assignment will be for Metadata, Development, QC, or Production.
This section contains the following topics:
- Create user groups
- Add users to user groups
- Assign a group administrator
- Add users and assign roles
- Clear the Oracle Applications cache
- Copy user groups with or without users
Add users to user groups
The roles you add to a user group are available for the Group Administrator to assign to users within the group.
Next: Assign a group administrator.
Assign a group administrator
The Group Administrator is responsible for adding users to and removing users from a particular user group, and for changing users' role assignments within the group.
You must have the LSH Security Admin or LSH Function Security Admin role to assign the LSH Group Admin role to a user.
To assign a Group Administrator to a user group:
Add users and assign roles
The group administrator adds users to a group, at the same time assigning the user to one or more roles within the group.
Clear the Oracle Applications cache
Every time you change user assignments to a user group, clear the Oracle Applications cache so that users logging into Oracle LSH see only the appropriate options. (If you do not clear the cache, users may see the wrong options, but they cannot actually perform them.)
Copy user groups with or without users
You can create copies of a user group in two ways. Either you can duplicate only the user group definition with its supported roles or you can duplicate the definition with its supported roles and also the users assigned to it and their role assignments. When you duplicate a user group, the system appends 'Copy of' to the name of the user group.
Assign user groups to custom programs and study groupings
You can assign user groups to:
- Custom programs and functions. If you assign a user group to the DMW_UTILS domain, its users have access to all custom programs and functions. If you assign a user group to an application area in the DMW_UTILS domain, its users have access to all programs and functions in that application area.
  This is the only way to grant access to custom programs and functions. Programmers writing the programs and functions and study configurators using them in transformations and validation checks need access.
- Study groupings. If you assign a user group to a study grouping domain, users in the group have access to all studies and library objects, in all lifecycle stages, within the grouping. Study configurators can explicitly remove user groups from studies, objects, and lifecycle stages, and assign other user groups.

- Navigate to the study grouping or application area:
  - Log in to Oracle LSH.
  - Expand the Life Sciences Data Hub node in the main menu on the left or from the Navigator drop-down. Select Applications.
    Or, if Oracle LSH is already open, go to the Applications tab.
  - Click the Search icon next to the Select Domain field.
  - Select Search By Domain Name, enter either:
    - DMW_DOMAIN for study groupings.
    - DMW_UTILS for custom programs and functions.
    Click Go.
  - Click the Quick Select icon for the domain.
  - Click the domain or application area you want.
- From the Actions drop-down, select Apply Security and click Go.
- Click Assign User Group.
- To see all user groups, enter % and click Search. Or, enter part of a user group name and click Search.
- Select one or more user groups to assign and click Apply.
Assign user groups to adapters for technology privileges
To do certain tasks in DMW that involve an integrated application or technology, users must be in a user group assigned to an adapter or adapter family (adapters grouped by application/technology).
Users with the DMW_STUDY_DEVELOPER, QC, and PROD predefined object security roles need to be in a user group assigned to adapters.
List of adapters
DMW uses the following adapters. Other adapters appear in the Oracle LSH UI, but they are used only in LSH.
- The InForm Family Adapter includes:
  - InForm Data is required for users to set up an InForm clinical data model, including loading data from InForm and scheduling data loading.
  - InForm Metadata is required for users to set up an InForm clinical data model, including loading InForm metadata.
- Oracle Export is required for users to create, modify, or install a clinical data model that is set up for exporting data in an Oracle Export file. It is also required to run the job to create the Oracle Export file.
- The Oracle Family Adapter is not required.
  - Oracle Tables and Views is not supported in this release.
  - PLSQL. This adapter is used internally. Users do not need access to it.
- SAS Export is required for users to create, modify, or install a clinical data model that is set up for exporting data in a SAS file. It is also required to run the job to create the SAS file.
- The SAS Family Adapter includes:
  - SAS is required for users who upload SAS files to create table metadata in clinical data models.
  - SAS Program is required to upload SAS programs or to run a transformation or validation check that uses a SAS custom program.
- Text Export is required for users to create, modify, or install a clinical data model that is set up for exporting data in a text file. It is also required to run the job to create the text file.
- The Text Family Adapter/Text is required for users who create an input file clinical data model of type Text.
- The Visualization Adapter/Generic Visualization is required to view data using a visualization tool.
How security works
Studies, clinical data models, transformations, and validation checks are all objects. Users are allowed to perform an operation on an object when they:
- Belong to a user group that is assigned to the object either explicitly or by inheritance. For information on inheritance, see Object ownership.
- Are assigned to a role within that user group that allows the operation on the object.
- Have an application role that allows access to the required part of the user interface.
To either view blinded data or to unblind data, both an object privilege and an application role are required.
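The access decision described above, modelled as an added example for reasoning about role and group assignments; it is not Oracle code and does not call any Oracle LSH or DMW API. The operation names, UI areas, application role names (APP_REVIEW, APP_BLIND_BREAK), the VIEW_ONLY role, and the operation sets given to the predefined roles are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed data: operation sets, UI areas and APP_*/VIEW_ONLY names are
# hypothetical simplifications, not the real operation lists of these roles.
OBJECT_ROLE_OPS = {
    "DMW_STUDY_DEVELOPER": {"modify_model", "load_data", "blind_break"},
    "DMW_STUDY_PROD": {"load_data", "review_data", "blind_break"},
    "VIEW_ONLY": {"review_data"},
}
APP_ROLE_AREAS = {"APP_REVIEW": {"listings"}, "APP_BLIND_BREAK": {"listings", "blind_break"}}

@dataclass
class Obj:
    name: str
    parent: "Obj | None" = None
    groups: set = field(default_factory=set)  # explicitly assigned user groups

    def effective_groups(self):
        """User groups assigned explicitly or inherited from ancestors."""
        node, found = self, set()
        while node is not None:
            found |= node.groups
            node = node.parent
        return found

@dataclass
class User:
    name: str
    group_roles: dict = field(default_factory=dict)  # user group -> object roles held in it
    app_roles: set = field(default_factory=set)

def check_access(user, obj, operation, ui_area, blinded=False):
    """Return (allowed, reason) for the three conditions plus the blinding rule."""
    shared = obj.effective_groups() & set(user.group_roles)
    if not shared:
        return False, "no user group assigned to object"
    ops = set()  # only roles held inside a group assigned to this object count
    for group in shared:
        for role in user.group_roles[group]:
            ops |= OBJECT_ROLE_OPS.get(role, set())
    if operation not in ops:
        return False, "no role in group allows operation"
    areas = set().union(*(APP_ROLE_AREAS.get(r, set()) for r in user.app_roles))
    if ui_area not in areas:
        return False, "no application role for UI area"
    if blinded and not ("blind_break" in ops and "blind_break" in areas):
        return False, "blinded data needs object privilege and application role"
    return True, "allowed"
```

In this model a role held in one user group grants nothing on an object assigned only to another group, and neither half of the blind-break privilege is sufficient alone.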