9 Setting Up the Security System

Note:

For more details on designing a security system, setting up security for adapters, managing privileges for generic visualization business areas, registering locations, and managing user groups, see Oracle Life Sciences Data Hub Implementation Guide and Oracle Life Sciences Data Hub User's Guide.

About Security in the Oracle Life Sciences Data Hub

Before using the Oracle Life Sciences Data Hub, you must set up Oracle LSH security.

You can continue to add to and modify security components as necessary over time. The basic tasks for setting up security are:

  • Create a user account for each user and assign one or more application roles to each user account. Application roles allow access to part or the whole of the Oracle LSH user interface or grant blinding privileges. See Setting Up User Accounts.
  • Assign specialized administrative roles to a few users. Each of these administrators must then perform a specific task: set up the classification system, create Domains to contain and organize objects, grant blind break and unblind privileges, or add users to user groups. See Setting Up Specialized Administrators.
  • Set up a security system for defined objects and outputs. See "Designing a Security System" in the Oracle Life Sciences Data Hub Implementation Guide for information on how to design a security system for the contents of the Life Sciences Data Hub: defined objects, outputs, and through them, data. Instructions are included in this chapter for creating the necessary subtypes, user groups, and object roles, and assigning roles to subtypes and user groups. See Setting Up Object Security.

Figure 9-1 shows how these tasks relate to each other.

Required Roles

To perform most of the tasks described in this chapter, you must be assigned either the LSH Security Administrator role or one of its component roles: LSH Function Security Administrator (for assigning administrative or other application roles to users) or LSH Data Security Administrator (for setting up object security).

Information on assigning these roles is included in the "Create System Administrator and Security Administrator Users" section in the chapter on installing Oracle Life Sciences Data Hub in the Oracle Life Sciences Data Hub Installation Guide.

Creating user accounts is done through a standard Oracle Applications UMX user interface, and you need the UMX sysadmin role to create user accounts.

Figure 9-1 Flowchart of Security Administrator Tasks

About Security in Oracle Health Sciences Data Management Workbench

Oracle Health Sciences Data Management Workbench (Oracle DMW) is installed on top of Oracle LSH and uses its security system, which is itself based in part on the Oracle Applications (Oracle E-Business Suite) security system.

For introductory information, see the chapter on administration in the Oracle Health Sciences Data Management Warehouse User's Guide.

To set up Oracle DMW security:

  • Assign specialized administrative roles to a few users to create Domains to contain and organize studies, grant blind break and unblind privileges, and add users to user groups. See Setting Up Specialized Administrators.
  • Create user accounts for all users, including application roles for all users; see Creating User Accounts and Assigning Application Roles.
  • Create user groups; see Creating and Maintaining User Groups.
  • Assign object security roles to user groups. You can use shipped roles created for use with Oracle DMW or modify them as required.

    See the appendix "Predefined Roles" in the Oracle Health Sciences Data Management Warehouse User's Guide for more information.

  • Assign users to object security roles within user groups; see Adding Supported Roles to User Groups.
  • Assign user groups to objects in Oracle DMW; see the Oracle Health Sciences Data Management Warehouse User's Guide.

Setting Up User Accounts

About Users

Every person who uses Oracle Life Sciences Data Hub or Oracle Health Sciences Data Management Workbench must have a user account. A user account includes:

  • The user's name and other information; see Creating User Accounts.
  • One or more application roles. These predefined roles determine which parts of the Oracle LSH or Oracle DMW user interface a user can see and manipulate. See Assigning Application Roles.

You use the Oracle Applications UMX interface for creating user accounts and assigning application roles.

To reach the User Management screens, log in to Oracle LSH as sysadmin and then select the User Management responsibility. For further information see "Create System Administrator and Security Administrator Users" in the chapter on installing Oracle LSH in the Oracle Life Sciences Data Hub Installation Guide.

Creating User Accounts

System Administrators and Security Administrators can create user accounts in the system.

To register a user:

  1. Log in as the system administrator.
  2. Select User Management from the Navigator drop-down or from the Home page, then click Users. The Oracle User Management User Maintenance screen appears.
  3. In the Register drop-down, select External Organization Contact and click Go.
  4. Enter values in the following fields:
    • Email. The user's email address. Oracle Life Sciences Data Hub uses this address for corresponding with the user to reset passwords and send notifications.

    • Name Fields. Enter the name of the user in the fields. The First Name and the Last Name are mandatory. Prefix, Middle Name and Suffix are optional.

    • Organization. Enter or search for the Organization to which the user belongs.

      Note:

      You must set up the list of allowed values as a post-installation step for Oracle Applications. See the Oracle® E-Business Suite System Administrator's Guide - Security at http://download.oracle.com/docs/cd/B53825_08/current/acrobat/121sasg.pdf.

    • Phone Number. The telephone contact details of the user.

    • Account Information--Password. If you select Generate Automatically, the system generates and emails the password to the email account you specified for the user.

      If you select Enter Manually, you must type and confirm the password and inform the user what it is. The user will have to reset the password in either case.

      Note:

      You can set the minimum length and other requirements for passwords; see Setting Profile Values.

  5. Click Submit. The Confirmation screen appears.
  6. Click OK. The system creates the user and returns to the User Management screen.

Maintaining User Accounts

In the User Maintenance screen, search for the user you want to update and click the corresponding Update icon.

After you make the relevant changes, click Apply to save them or click Cancel to discard the changes.

Name Fields

Type the name of the user in the fields.

The First Name and the Last Name are mandatory. Prefix, Middle Name and Suffix are optional.

Email Address

The user's email address.

Oracle Life Sciences Data Hub uses this address for corresponding with the user.

Active From

The date the user account becomes active.

Active To

The date the user account becomes inactive and the user can no longer use Oracle Life Sciences Data Hub.

Leave this field blank to keep the user account active indefinitely. Enter an end time when the user leaves the company.

Roles

You can assign Oracle LSH and Oracle DMW application roles.

For more information, see Assigning Application Roles.

Contact Information

You can only view the user's contact information.

Assigning Application Roles

To ensure security, assign roles based on the minimum privileges needed for users to complete their tasks.

To assign an application role to a user:

  1. In the User Maintenance screen, search for the user to whom you want to assign Roles.
  2. Click the Update icon corresponding to the User. The Update User screen appears.
  3. In the Roles subtab, click Assign Roles. The Search and Select screen appears.
  4. Search for all Oracle Life Sciences Data Hub predefined roles by selecting Search By Role, entering LSH%, and clicking Go. The system displays all the predefined Oracle LSH application roles in the lower part of the screen.

    For an explanation of application-type application roles required for using Oracle LSH, see Oracle Life Sciences Data Hub Application Roles and Oracle Health Sciences Data Management Workbench Application Roles. For an explanation of administrative-type application roles, see Setting Up Specialized Administrators.

  5. Select each role you want to assign by selecting its check box.
  6. Click Select. The system adds the roles to the user and the Update User screen appears.
  7. You must enter a justification for assigning each role to the user.
  8. Click Apply. The system assigns the roles to the user and returns to the User Maintenance screen.

See the following topics for details on the application roles:

Oracle Life Sciences Data Hub Application Roles

Users need one or more of the predefined application roles to perform their work in Oracle LSH. The predefined nonadministrative Oracle LSH application roles follow. For descriptions of the administrative roles, see Setting Up Specialized Administrators.

LSH Application User

The role on which all other application roles are based.

LSH Consumer

Users assigned the LSH Consumer role have access to the Home and Reports tabs in the user interface. Assign this role to users who need to retrieve information from Oracle LSH and/or run Oracle LSH applications to load and transform data. Oracle LSH object security determines which operations these users are allowed to perform on particular applications and reports.

LSH Definer

Users assigned the LSH Definer role have access to the same tabs as the LSH Consumer, plus the Applications tab. Assign this role to users who must build, test, or validate Oracle LSH applications. Oracle LSH object security determines which operations these users are allowed to perform on particular defined objects and outputs.

LSH Data Blind Break User

Only the LSH Data Blind Administrator can assign this role to users. This role does not provide access to any tabs in the user interface. Users assigned to this role typically also have the LSH Consumer role.

Users with this application role can do the following, if they have normal object security access and the blinding-related object security privilege noted:

  • Run a job on Tables with a Blinding Status of Blinded that displays the real data, not the dummy data (also requires an object security role with the Blind Break operation on Table instances)

  • View the output(s) generated by a job run on real, blinded data (also requires an object security role with the Blind Break operation on outputs)

LSH Data Unblind User

Only the LSH Data Blind Administrator can assign this role to users. This role does not provide access to any tabs in the user interface. Users assigned to this role typically also have the LSH Consumer role.

Users with this application role can do the following, if they have normal object security access and the blinding-related object security privilege noted:

  • Permanently unblind data in Table instances (also requires an object security role with the Unblind operation on Table instances)

  • Change the status of an output from Blinded to Unblinded (also requires an object security role with the Unblind operation on outputs)

Note:

The LSH Data Unblind User application role is not required in conjunction with the Read Unblind operation on either Table instances or outputs. Users can have an object security role that includes the Read Unblind operation on Table instances (to run a job on unblinded Table instances) and/or outputs (to view the results of such a job) without having the LSH Data Unblind User application role as well.

XMLP Roles

You can assign the BI Publisher roles (XML Publisher is the old name for Oracle BI Publisher) to Oracle LSH Definers to enable them to create or use Oracle LSH BI Publisher Programs. See "Assigning Application Roles in Oracle Life Sciences Data Hub" for more information.

Note:

These predefined roles and composite roles should be sufficient for your needs. However, it is possible to create custom composite roles. See the Oracle® E-Business Suite System Administrator's Guide - Security at http://download.oracle.com/docs/cd/B53825_08/current/acrobat/121sasg.pdf.

Oracle Health Sciences Data Management Workbench Application Roles

Each user must have at least one of the following application roles to access the Oracle DMW user interface.

DMW_STUDY_MANAGER

This role is intended for users who run data loads, transformations, and validation checks. It provides access to the Home, Study Configuration, Listings, and Discrepancies pages.

Users with this role can create, modify, and remove studies in the Home page.

DMW_STUDY_CONFIG

This role is intended for users who set up studies by defining models, transformations, and validation checks. It provides access to the Home, Study Configuration, Listings, and Discrepancies pages.

Users with this role can create, modify, and remove studies in the Home page.

Note:

There is no functional difference between the application roles DMW_STUDY_MANAGER and DMW_STUDY_CONFIG.

DMW_STUDY_CONSUMER

This role is intended for users who need to review data and raise discrepancies. It provides access to the Home, Listings, and Discrepancies pages.

DMW_LIB_ADMIN

This role is intended for users who create and modify library models and code lists. It provides access only to the Library page.

DMW_SYS_ADMIN

This role is intended for users who do administrative tasks including setting up data sources and defining objects used across studies, such as categories, flags, and tags. It provides access only to the Administration tab.

Note:

In addition, some Oracle DMW users should have blinding-related privileges in order to view blinded data and/or unblind data. This requires both a blinding-related application role (LSH Data Blind Break User or LSH Data Unblind User) and blinding-related object security privileges through a role in a user group assigned to the object, plus normal object security access to the object. For more information about blinding data in Oracle LSH, see the Oracle Life Sciences Data Hub Implementation Guide and the Oracle Life Sciences Data Hub Application Developer's Guide.

Setting Up Specialized Administrators

As part of setting up Oracle Life Sciences Data Hub, the Security Administrator needs to assign the following administrative application roles to users.

Each of these administrators has special privileges and responsibilities as follows:

LSH Adapter Security Admin

The LSH Adapter Security Admin role is required to see the Adapter Security subtab of the Security tab and to assign user groups to Adapter Domains and Adapter Areas.

See Setting Up Adapters to External Systems for further information.

LSH Classification Admin

The Classification Administrator creates and maintains classification hierarchies and terms.

See Setting Up the Classification System for more information.

LSH Data Blind Admin

The Data Blind Administrator is responsible for assigning the Blind and Unblind application roles to users.

See "LSH Data Blind Admin" in the Oracle Life Sciences Data Hub Implementation Guide for more information.

LSH Data Security Admin

The Data Security Administrator sets up security for defined objects.

LSH Checkin Admin

The Checkin Administrator can check in objects checked out by any user, provided he or she also has the Modify object security privileges for the object.

This is required if the user who has checked out the object becomes unavailable for some reason. Note that a Checkin Administrator can install Report Sets and Work Areas that contain objects checked out by other users.

LSH Function Security Admin

The Function Security Administrator assigns functional roles to users.

LSH Groups Admin

Users with this role can be designated the Group Administrator of a user group.

This role allows them to see the Groups Administration subtab under the Security tab, which is required for assigning users to user groups. See Creating User Groups for more information.

LSH Security Admin

The Security Administrator role includes both the LSH Function Security Admin role's functions and the LSH Data Security Admin role's functions.

Instructions for setting up the first user with this role are included in the "Create System Administrator and Security Administrator Users" section in the chapter on installing Oracle Life Sciences Data Hub in the Oracle Life Sciences Data Hub Installation Guide.

LSH Security Bootstrap Admin

This Administrator is responsible for creating Domains and assigning user groups to the Domains.

See instructions for creating Domains in "Applications User Interface" of the Oracle Life Sciences Data Hub Application Developer's Guide.

LSH System Admin

The LSH System Administrator can run the post-installation job and define service locations and services.

Instructions for setting up the first user with this role are included in the "Create System Administrator and Security Administrator Users" section in the chapter on installing Oracle Life Sciences Data Hub in the Oracle Life Sciences Data Hub Installation Guide.

LSH Super User

The LSH Super User has access to all user interface tabs in LSH: Home, Applications, Reports, Classification, Security, and Administration, as well as the Oracle Applications user and role screens.

The Super User role does not include the Bootstrap role or the blinding-related roles.

To create an Administrator:

  1. Log in as the Security Administrator.
  2. Create a user account. See Creating User Accounts.
  3. Assign one of the administrative application roles (listed above) to the user. See Assigning Application Roles.

XMLP Admin

The XMLP Admin has administrative privileges in Oracle BI Publisher.

Assign this role to an Oracle Life Sciences Data Hub Administrator who needs to perform administrative tasks (manage/delete reports and folders) in Oracle BI Publisher.

Setting Up Object Security

Your company must design a security system that meets its particular needs. For information, recommendations, and examples of security system design, see the Oracle Life Sciences Data Hub Implementation Guide.

Each time a user tries to perform an operation on a defined object, the system runs a check that compares the security privileges of the user with the security requirements of the object.

A user can operate on an object only if both these conditions are met:

  • The user belongs to an active user group that is assigned to that object, either explicitly or through inheritance.
  • The user has a role in that user group that permits the operation on the object's subtype.

The Oracle Life Sciences Data Hub Implementation Guide has information on designing an appropriate set of object subtypes, roles, and user groups to meet your company's needs.

Creating and Maintaining Object Subtypes

Oracle Life Sciences Data Hub includes a set of predefined object types, such as Tables, Programs, Report Sets, and Variables. Each of these object types has a predefined set of all possible operations that can be performed on objects of that type.

To allow you greater flexibility as you set up your security system, Oracle LSH bases object security on subtypes rather than the predefined object types. You can define different subtypes—for example, Clinical and Financial—for one or more object types and define different classification and security requirements for each subtype of the same object type. Object subtypes have the same predefined set of operations as their object type. Oracle LSH ships with one default subtype for each object type. If you do not wish to add the flexibility (and complexity) of subtypes to your design, you can use the predefined subtype only.

Defining additional subtypes is optional.

When a Definer creates an object, he or she must select an object subtype on which to base the object. The object has the classification and security requirements defined for the selected subtype.

When the Definer creates an object, the system checks the subtype of the parent object and, if a subtype with the same name is defined for the new object, uses that subtype for the new object. If the new object does not have a subtype with the same name, the system uses the predefined Default subtype. The Definer can change it as necessary.

For further information, see the Oracle Life Sciences Data Hub Implementation Guide. For information on using subtypes in classification, see Assigning Levels to Object Subtypes.

Creating Object Subtypes

To create a new object subtype, go to the Subtype subtab of the Security tab and do the following:

  1. In the Manage Subtype screen, choose either Operation or Role from the View Subtypes drop-down list.
    • Choose Role if you have created a new role and want to add multiple operations to it at the same time. This is the more common situation.

    • Choose Operation if you want to add multiple roles to a single operation on the subtype at the same time.

  2. Click the node (+) icon in the Manage column of the object type for which you want to add a Subtype. The Create Subtype screen appears.
  3. Enter a name for the Subtype (required, maximum 60 characters). You do not need to include the name of the Object Type in the Subtype name.
  4. Click Apply. The system creates the Subtype and the Manage Subtype screen reappears. The new Subtype is automatically created as:
    • Not Active; not available for use in object definition.
    • Not the Default; when a Definer creates an object of this type, this Subtype is not the default Subtype of the new object. See Default Subtype Behavior below for further information.

    To change either the Active or Default setting, click the pencil icon in the Update column.

Default Subtype Behavior

The subtype you set as the default here is not necessarily the one that all new objects of this type default to. Instead, when a user creates a new object, the system reads the subtype of the object's parent, and if the new object has a subtype with the same name as the parent's, the system creates the new object with the same subtype as its parent. If not, the system uses the default subtype.

For example, if a user creates a new Program instance in a Work Area, and the Work Area's subtype is Clinical, the system checks whether there is a Program instance subtype called Clinical. If there is, the system creates the new Program instance with a subtype of Clinical. If Program instances do not have a subtype called Clinical, the system creates the new Program instance with the subtype defined as the default for Program instances.

The user can change the subtype manually.
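The resolution rule above, plus a check for where it silently falls back to the default subtype (and therefore to that subtype's role assignments), as an added Python example that is not Oracle code. The catalog contents, the function names, and the choice of which object types sit under a Work Area are constructed for illustration; the catalog is assumed to list only Active subtypes.

```python
# Constructed catalog: object type -> its subtypes and the one flagged Is Default.
CATALOG = {
    "Work Area": {"subtypes": {"Default", "Clinical", "Financial"},
                  "default": "Default"},
    "Program instance": {"subtypes": {"Default", "Clinical"},
                         "default": "Default"},
    "Table instance": {"subtypes": {"Default", "Clinical", "Financial"},
                       "default": "Financial"},
    "Report Set": {"subtypes": {"Default"},
                   "default": "Default"},
}


def resolve_subtype(parent_subtype, child_type, catalog):
    """Subtype a new object of child_type starts with, given its parent's subtype."""
    entry = catalog[child_type]
    if parent_subtype in entry["subtypes"]:
        return parent_subtype        # a same-named subtype exists: follow the parent
    return entry["default"]          # otherwise use the type's default subtype


def fallback_report(container_type, child_types, catalog):
    """For each subtype of the container, list the child types that cannot follow it,
    together with the default subtype they start with instead."""
    report = {}
    for subtype in sorted(catalog[container_type]["subtypes"]):
        misses = [(child, catalog[child]["default"])
                  for child in child_types
                  if resolve_subtype(subtype, child, catalog) != subtype]
        if misses:
            report[subtype] = misses
    return report


if __name__ == "__main__":
    children = ["Program instance", "Table instance", "Report Set"]
    # The flagged default for Table instances is Financial, yet a Table instance
    # created under a Clinical Work Area starts as Clinical.
    print(resolve_subtype("Clinical", "Table instance", CATALOG))
    for subtype, misses in fallback_report("Work Area", children, CATALOG).items():
        for child, default in misses:
            print(f"Work Area '{subtype}': new {child} starts as '{default}'")
```

Each line of the report is a place where an object created under a restricted container starts with the default subtype's security requirements unless the Definer changes the subtype manually.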

Modifying Object Subtypes

To modify a Subtype, click the corresponding Update icon in the Manage Subtype screen.

You can modify the following Subtype characteristics:

  • Name
  • Is Active. If selected, this Subtype is available for use during definition of objects of this Object Subtype.
  • Is Default. If selected, this is the default Subtype for objects of this Object Subtype.

Creating and Maintaining Object Security Roles

A role consists of a name, description, and a set of operations allowed on object subtypes. Users in a user group that have access to a particular object will be able to perform the operations on the types of objects specified by the role(s) they have in the user group.

Predefined roles intended for use with Oracle Health Sciences Data Management Warehouse (Oracle DMW) are shipped with Oracle Life Sciences Data Hub. These roles appear in the Oracle LSH Manage Roles page. Although they were created for use with Oracle DMW, you can also use these roles in Oracle LSH user groups either as they are or with any modifications you choose. Additional privileges are required to perform Oracle LSH tasks on objects that do not exist in Oracle DMW.

You can also define your own roles for either Oracle LSH or Oracle DMW. See the Oracle Life Sciences Data Hub Implementation Guide for information on designing a set of roles.

Creating Object Security Roles

To create a Role:

  1. In the Security tab, click Roles. The Manage Roles screen appears.
  2. Click Create. The Create Role screen appears.
  3. Enter values in the following fields:
    • Role Name. Enter a unique name for the role to be displayed in the Oracle Life Sciences Data Hub user interface.
    • Code Value. Enter a unique code for the role to be used internally by Oracle LSH.
    • Description. Enter a description of the role to help group administrators decide if they want to assign the role to a particular user in their user group.
  4. Click Apply. The Manage Roles screen appears. You can query for the role by name to check that it was created successfully.
  5. Set it to Active so that it is available for use.
    1. In the Manage Roles screen, query for the role. The role appears.
    2. Click the icon in the Update column. The Update Role screen appears.
    3. Select Is Active and click Apply. You can assign subtype operations only to Active roles.
  6. Assign operations on object subtypes to the role. Users assigned to the role within a user group will be able to perform the operations you specify on the object subtypes you specify. See Assigning Subtype Operations to Roles and Modifying Assignments for instructions.

Modifying Object Security Roles

In the Manage Roles screen, click the corresponding Update icon to modify a particular Role.

After you make the relevant changes, click Apply to save them or click Cancel to discard the changes.

You can modify the following characteristics:

  • Role Name. You can change the name of the role that appears in the Oracle Life Sciences Data Hub user interface.
  • Description. You can change the description that appears in the Oracle LSH user interface.
  • Is Active. If selected, you can assign the role to operations on object subtypes and a user group administrator can assign the role to a user in his or her user group.

Assigning Subtype Operations to Roles and Modifying Assignments

Subtype operations are predefined. They are the same as the predefined operations on their object type. You must assign at least one role to each operation; if no roles are assigned to the operation, no one will be able to perform the operation on objects of that subtype.

Users who are assigned to a particular role can perform operations on the subtype that are assigned to the same role, if the user is assigned to the role in the context of an active user group assigned to the object.

See the Oracle Life Sciences Data Hub Implementation Guide for information on how Oracle Life Sciences Data Hub security uses Roles and Operations.
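The access rule stated under Setting Up Object Security and repeated above, the rule that an operation with no role assigned cannot be performed by anyone, and the extra application role that the Blind Break and Unblind operations require, written as a small Python model. This is an added example, not Oracle code: the class and function names, the combined `Table/Clinical` subtype key, the operation list, and the sample users, groups and roles are constructed, and inheritance is assumed to mean that a group assigned to any containing object applies.

```python
from dataclasses import dataclass, field
from typing import Optional

# Blinding operations also need an application role (per the role descriptions
# in this chapter); Read Unblind deliberately has no entry.
BLINDING_APP_ROLE = {
    "Blind Break": "LSH Data Blind Break User",
    "Unblind": "LSH Data Unblind User",
}


@dataclass
class UserGroup:
    name: str
    active: bool = True
    members: dict = field(default_factory=dict)  # user -> role names held in this group


@dataclass
class SecuredObject:
    name: str
    subtype: str                                 # hypothetical "Type/Subtype" key
    parent: Optional["SecuredObject"] = None
    groups: list = field(default_factory=list)   # explicitly assigned user groups


def effective_groups(obj):
    """Groups assigned to the object explicitly or inherited from its containers.

    Assumption: every group assigned to an ancestor applies to the object.
    """
    found, node = {}, obj
    while node is not None:
        for group in node.groups:
            found.setdefault(group.name, group)
        node = node.parent
    return list(found.values())


def check_access(user, operation, obj, role_permits, app_roles=()):
    """Return (allowed, reason) for one user, operation and object."""
    needed = BLINDING_APP_ROLE.get(operation)
    if needed and needed not in app_roles:
        return False, f"application role '{needed}' not held"
    for group in effective_groups(obj):
        if not group.active:                     # condition 1: the group must be active
            continue
        for role in sorted(group.members.get(user, ())):
            # condition 2: a role held in that group permits the operation on the subtype
            if (obj.subtype, operation) in role_permits.get(role, set()):
                return True, f"{group.name}/{role}"
    return False, "no active assigned group gives the user a role with this operation"


def unassigned_operations(subtype, operations, role_permits):
    """Operations on a subtype that no role carries, so nobody can perform them."""
    granted = {op for permits in role_permits.values()
               for st, op in permits if st == subtype}
    return sorted(set(operations) - granted)


# ---- constructed sample data ----
OPERATIONS = ["View", "Modify", "Blind Break", "Read Unblind", "Unblind"]
ROLE_PERMITS = {
    "Programmer": {("Table/Clinical", "View"), ("Table/Clinical", "Modify")},
    "Reviewer": {("Table/Clinical", "View")},
    "Unblinded Statistician": {("Table/Clinical", "View"),
                               ("Table/Clinical", "Blind Break"),
                               ("Table/Clinical", "Read Unblind")},
}
STUDY01 = UserGroup("Study01", members={
    "alice": {"Programmer", "Unblinded Statistician"},
    "bob": {"Reviewer"},
})
RETIRED = UserGroup("Study01-old", active=False, members={"carol": {"Programmer"}})
AREA = SecuredObject("Study01 Application Area", "Application Area/Default",
                     groups=[STUDY01, RETIRED])
TABLE = SecuredObject("DM", "Table/Clinical", parent=AREA)  # inherits the area's groups

if __name__ == "__main__":
    blind_break = {"LSH Data Blind Break User"}
    cases = [("alice", "Modify", ()), ("bob", "Modify", ()), ("carol", "Modify", ()),
             ("alice", "Blind Break", ()), ("alice", "Blind Break", blind_break),
             ("alice", "Read Unblind", ())]
    for user, op, app in cases:
        print(user, op, sorted(app), check_access(user, op, TABLE, ROLE_PERMITS, app))
    print("no role assigned:",
          unassigned_operations("Table/Clinical", OPERATIONS, ROLE_PERMITS))
```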

In the Subtypes subtab in the Administration tab, you can see the relationship of roles to object operations in two ways. Make your choice in the View Subtype By drop-down list:

  • Choose Operation to add a new role to operations or to add multiple roles to a single operation on a subtype at the same time.
  • Choose Role if you have already assigned the role to operations and want to view or modify the role's assignments.

Assigning Roles to Operations

To assign roles to operations, go to the Subtype subtab of the Security tab and do the following:

  1. Select Operation from the View Subtype By drop-down list.
  2. Expand the node (+) of the object type. All the subtypes appear.
  3. Expand the node (+) of the object subtype. All the subtype's operations appear.
  4. Click the icon in the Manage column of the operation to which you want to assign or remove a role. The Add Role(s) to Operation screen appears.
  5. Double-click on a role in the Available Roles column to move it into the Selected Roles column and assign it to the operation. Or move it from Selected Roles to Available Roles to remove the assignment.

    You can also select multiple roles by using Shift+Click or Control+Click and use the arrows to move one, a few, or all at once to the column in the shuttle.

    You can change the order of the operations using the Up and Down arrows on the right. The display order has no functional effect.

  6. Click Apply. The system assigns the role(s) to the operation on the subtype and the Manage Subtype screen appears.

Modifying Operation Assignments to Roles

To modify assignments, go to the Subtype subtab of the Security tab and do the following:

  1. Select Role from the View Subtype By drop-down list.
  2. Expand the node (+) of the object type. All the subtypes appear.
  3. Expand the node (+) of the object subtype. All the roles currently assigned to any operation on the subtype appear.
  4. Click the icon in the Manage column of the role whose assignments you want to modify. The Add Operation for Role screen appears.
  5. Double-click on an operation in the Available Operations column to move it into the Selected Roles column and assign it to the role.

    You can also select multiple operations by using Shift+Click or Control+Click and use the arrows to move one, a few, or all at once to the column in the shuttle.

    You can change the order of the operations using the Up and Down arrows on the right. The display order has no functional effect.

  6. Click Apply. The system adds the operations to the role for the subtype and the Manage Subtype screen appears.

Notes on Particular Object Types

Some object types require some explanation:

  • Execution Setups. To delete or modify an Execution Setup, a user must also have Modify privileges on the object instance that owns the Execution Setup. Therefore, any role that you assign to the Remove or Modify operation on Execution Setups should also be assigned to the Modify operation on the type of executable object whose Execution Setup it can remove or modify.
  • Adapter Domains and Adapter Areas. These include all the same operations that Domains and Application Areas have. However, only view operations on some objects are required; see Creating Roles with the Required Operations for Adapters.

Creating and Maintaining User Groups

User groups control the access of users to objects and outputs (and through them, to data). A user has access to an object only if he or she belongs to a user group that is assigned to the object, either explicitly or through inheritance. For more details on user groups, see the Oracle Life Sciences Data Hub Implementation Guide.

A user group definition consists of a name, description, and a set of object security roles supported by the group (available for assignment to users within the group). Each group must also have an assigned Group Administrator.

You may require the same or very similar user groups, with the same or different users, assigned to different objects. For example, you might have a Study01 user group assigned to your Study01 Application Area. Study02, which has its own Application Area, might require a user group with exactly the same set of roles as Study01. Oracle Life Sciences Data Hub allows you to copy a user group either with or without users. You can then modify the name or roles assigned as necessary. The Group Administrator can add and remove users and/or change their roles within the copied group.

The Group Administrator tasks (adding roles to a group, and assigning users to a group and to roles within the group) are described in the Oracle Life Sciences Data Hub User's Guide.

Creating User Groups

To create a new user group:

  1. In the Security tab, click User Groups. The Manage User Groups screen appears.
  2. Click Create. The Create User Group screen appears.
  3. Enter values in the following fields:
    • Group Name
    • Description
    • Is Active. If selected, you can assign the user group to an object subtype.
  4. Click Apply. The Manage User Group screen appears.

You must assign at least one role to a user group. See Step 5 of Adding Supported Roles to User Groups.

Adding Supported Roles to User Groups

The roles you add to a user group become available for the Group Administrator to assign to users within that user group.

To add roles to a user group:

  1. In the Security tab, click User Groups. The Manage User Groups screen appears.
  2. Type the name of the user group for which you want to add roles in the user group box.
  3. Click Search. All the user groups matching the search criteria appear.
  4. Click the required user group. The Group screen appears.
  5. Click Add and Remove Role. The Add a Default Role to Group screen appears.
  6. Double-click on a role in the Available Roles column to move it into the Selected Roles column.

    You can also select multiple roles by using Shift+Click or Control+Click, and then use the arrows in the shuttle to move one, a few, or all of them at once to the Selected Roles column.

    You can change the order of the Roles using the Up and Down arrows on the right.

  7. Click Apply. The system assigns all the roles displayed in the Selected Roles column to this user group and returns to the Group screen.

Note:

You must assign a Group Administrator to every user group. See Assigning a Group Administrator to the User Group.

Assigning a Group Administrator to the User Group

The Group Administrator is responsible for adding users to and removing users from a particular user group, and for changing users' role assignments within the group.

You must have the LSH Security Admin or LSH Function Security Admin role to assign the LSH Group Admin role to a user.

To assign a Group Administrator to a user group:

  1. Select the Life Sciences Data Hub responsibility in the navigator and click the User Groups subtab. The Manage User Groups screen appears.
  2. Search for and select the required group.
  3. Click Expand All. All the supported roles appear.
  4. Click the Add User icon corresponding to the LSH Group Administrator role. The Search and Select Users to Add to Role screen appears.
  5. Search for and select the users who need to be LSH Group Administrators for this User Group.
  6. Click Select. The system assigns the LSH Group Administrator role to the selected users and the Group screen appears.

    Note:

    Group Administrators must have the Group Admin application role assigned. See Assigning Application Roles.

Duplicating User Groups

You can create copies of a user group in two ways: duplicate only the user group definition with its supported roles, or duplicate the definition with its supported roles together with the users assigned to it and their role assignments.

When you duplicate a user group, the system appends 'Copy of' to the name of the user group. For example, if you duplicate a user group named Study01 User Group, the system names the new user group Copy of Study01 User Group.

Duplicate Definition with Roles Only

To duplicate only the user group definition with its roles:

  1. In the Security tab, click User Groups. The Manage User Groups screen appears.
  2. In the User Group box, enter a search string (the name of the user group you want to duplicate, or text with the wildcard %), or leave the box blank to retrieve all user groups.
  3. Click Go. All the user groups matching the search criteria appear.
  4. Click the Select check box corresponding to the required user group.
  5. Click Duplicate with Roles. The system creates a copy of the user group and the Manage User Groups screen appears.
Modifying User Groups

How to modify user groups

In the Manage User Groups screen, click the corresponding Update icon to modify a particular User Group. After you make the relevant changes, click Apply to save them or click Cancel to discard the changes.

You can modify the following characteristics:

  • Group Name
  • Description
  • Is Active. If selected, you can assign the User Group to an Object Subtype.

You can also add and remove Roles from the User Group; see Adding Supported Roles to User Groups.

Granting Security Access to APIs

In order to run any of the public APIs for Oracle Life Sciences Data Hub from outside Oracle LSH, a user must have the Execute privilege granted on the API package cdr_pub_api_initialization.

To grant this privilege to a user, do the following:

  1. Log in to SQL*Plus on the Oracle LSH database.
  2. Enter:

    Grant execute on cdr_pub_api_initialization to user_name;
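
To check who holds this privilege after granting it, the following queries are an added example and are not part of the Oracle documentation. They assume an account that can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES and DBA_USERS data dictionary views; the package name is the only value taken from this page.

```sql
-- Added example (not Oracle's): review who can execute the package named above.
-- Assumes SELECT access to the DBA_* data dictionary views.

-- 1. Direct grants. PUBLIC or GRANTABLE = 'YES' deserve a second look,
--    because either one spreads the privilege beyond the named account.
SELECT p.owner,
       p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'PUBLIC'
         WHEN r.role IS NOT NULL   THEN 'ROLE'
         ELSE 'USER'
       END         AS grantee_type,
       p.grantor,
       p.grantable AS with_grant_option
FROM   dba_tab_privs p
       LEFT JOIN dba_roles r ON r.role = p.grantee
WHERE  p.table_name = 'CDR_PUB_API_INITIALIZATION'
AND    p.privilege  = 'EXECUTE'
ORDER  BY p.owner, p.grantee;

-- 2. Database accounts that inherit the privilege through a role,
--    following nested role grants down to the users that hold them.
SELECT DISTINCT u.username, u.account_status, h.via_role
FROM  (SELECT rp.grantee,
              CONNECT_BY_ROOT rp.granted_role AS via_role
       FROM   dba_role_privs rp
       START  WITH rp.granted_role IN
              (SELECT grantee
               FROM   dba_tab_privs
               WHERE  table_name = 'CDR_PUB_API_INITIALIZATION'
               AND    privilege  = 'EXECUTE')
       CONNECT BY PRIOR rp.grantee = rp.granted_role) h
       JOIN dba_users u ON u.username = h.grantee
ORDER  BY u.username, h.via_role;
```

Accounts that no longer need to call the public APIs from outside Oracle LSH can have the privilege withdrawn with the matching REVOKE EXECUTE statement.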