Database and User Accounts

You can use normal Oracle Life Sciences Data Hub security by assigning Oracle LSH user accounts to user groups and assigning user groups to Business Area instances, but if your users do not need Oracle LSH user accounts for other purposes, you can use simplified security requirements that apply only to Generic Visualization Business Area instances.

Users must log in using an Oracle LSH database account. Database accounts can have the following privileges directly assigned, either by the Business Area Definer with Manage BA DB privileges on the Business Area instance or by an Administrator:

  • Read Data allows the user to see nonblinded and dummy data. All database accounts to be used to access a Generic Visualization Business Area instance should have this privilege.
  • Read Unblind allows the user to see unblinded data.

Users who should be able to read data that was never blinded, dummy data in blinded Table instances and, optionally, data that has been unblinded, can log in using a database account that has the required privilege(s) directly assigned. They do not need an Oracle LSH user account.

Users who should be able to view currently blinded data must have their own Oracle LSH database account and a linked Oracle LSH user account with the privileges normally required for blind breaks, including:

  • LSH Data Blind Break User application role
  • Blind Break privileges on every Table instance whose Blinding Status is Blinded and that is mapped to one of the Business Area instance's Table Descriptors
  • Assignment of the user account to a user group that is assigned to the Business Area instance

Logging in requires an Oracle LSH database account. When a user logs in, the Initialization API checks for a linked Oracle LSH user account. If there is one, the API uses that account's privileges to determine what data the user can view. If there is no linked Oracle LSH user account, the user has access only to the data to which the database account has access.

To assign privileges to database accounts in the Business Area instance user interface itself, the Definer selects Manage DB Privileges from the Actions drop-down. The security administrator can do the same for any Business Area instance in the Security user interface, BA DB Privilege Access tab. All the database accounts defined in the Oracle LSH instance are available for assignment.

See the Oracle Life Sciences Data Hub System Administrator's Guide for information on creating Oracle LSH user and database accounts and the Oracle Life Sciences Data Hub Implementation Guide for an explanation of Oracle LSH security.