Security System

The security system controls access to everything in Oracle LSH: defined objects, data, outputs, and the user interface itself.

In the library analogy above, we see that you can allow access to different rooms or sections to different user groups. However, the actions a particular user can take in the room or section depend on his or her role within the group. Someone with the role of Librarian, for example, might be able to add new books to the collection and remove books that become outdated. Other people might be allowed to check books out, while others might be allowed only to look at books.

In Oracle LSH, you can assign user groups to containers in the organizational structure: Domains, Application Areas, and Work Areas. By default, objects inherit the user group assignments of their container. For example, a Work Area inherits the user group assignments of the Application Area. However, you can revoke the inheritance at any level and assign additional groups at any level.

The privileges a particular user in the group has on a particular object in a container depend on the role(s) assigned to the user within the group. For example, you might create a Programmer role with Create and Modify privileges for all object types in Application Areas and Work Areas, and View privileges on all object types in Domains. Any user assigned the Programmer role in a user group assigned to Domain X has all those privileges within that Domain.
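The resolution described in the two paragraphs above can be sketched as a small model. This is an added example, not Oracle LSH code or its API: the class, function, and sample names are hypothetical, and treating revocation as a per-group setting at each level is an assumption.

```python
# Illustrative model only: names below are assumptions, not Oracle LSH APIs.
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    kind: str                                   # "Domain", "Application Area" or "Work Area"
    parent: "Container | None" = None
    groups: set = field(default_factory=set)    # groups assigned directly at this level
    revoked: set = field(default_factory=set)   # inherited groups revoked at this level

def effective_groups(c):
    """Groups in force on a container: inherited minus revoked, plus direct assignments."""
    inherited = effective_groups(c.parent) if c.parent else set()
    return (inherited - c.revoked) | c.groups

# Role -> set of (operation, container kind) privileges, covering all object types.
ROLES = {
    "Programmer": {("Create", "Application Area"), ("Modify", "Application Area"),
                   ("Create", "Work Area"), ("Modify", "Work Area"),
                   ("View", "Domain")},
}

def can(user_roles, operation, container):
    """user_roles maps group name -> set of role names the user holds in that group."""
    for group in effective_groups(container):
        for role in user_roles.get(group, ()):
            if (operation, container.kind) in ROLES.get(role, ()):
                return True
    return False

# Constructed sample hierarchy: group Dev is assigned at the Domain level,
# Work Area 2 revokes the inherited Dev assignment and adds QA instead.
domain_x = Container("Domain X", "Domain", groups={"Dev"})
app_a = Container("App Area A", "Application Area", parent=domain_x)
wa_1 = Container("Work Area 1", "Work Area", parent=app_a)
wa_2 = Container("Work Area 2", "Work Area", parent=app_a,
                 revoked={"Dev"}, groups={"QA"})
alice = {"Dev": {"Programmer"}}                 # Programmer role within group Dev

if __name__ == "__main__":
    for op, c in [("View", domain_x), ("Modify", domain_x),
                  ("Modify", wa_1), ("Modify", wa_2)]:
        print(f"{op:6} on {c.name:12}: {can(alice, op, c)}")
```

When reviewing a design, the case to check is the last one: a revocation at a lower level removes every privilege the user held there through the inherited group, regardless of role.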

In addition, Oracle LSH includes predefined application roles that give access to portions of the user interface. Every user must have at least one application role in order to use Oracle LSH. For example, everyone who needs to view reports on data in Oracle LSH must be able to see the Reports tab in the user interface, which requires the Consumer application role.

Security concepts and design issues are covered in Designing a Security System.