2 Oracle Clinical Menu-Based Security


You control which users have access to which menu items in the Oracle Clinical Navigator (see Figure 2-1) by assigning database roles to users.

Oracle Clinical includes a set of predefined database roles that allow access to a predefined set of Oracle Clinical menu items, including second- and third-level menu items (see Figure 2-2). You can enforce security by assigning users only the database roles they need to do their work, preventing them from seeing other parts of the system and taking actions they are not authorized to take.

For information about predefined database roles, see "Creating an Administrator User Account", "About the Add User Script", and "Granting Additional Database Roles to User Accounts".

If necessary, you can modify the menu items associated with the predefined database roles or create entirely new database roles.

Figure 2-1 Oracle Clinical Navigator with Top-Level Menu Items Displayed


Although each company distributes Oracle Clinical tasks differently among its personnel, following is a guideline for which users need which menu items:

  • Administrators need some or all of the Admin menu.

  • Study designers need some of the Admin menu and the Plan, Design, and Definition menus. They may also need Glib (Global Library), or you may have people who use only the Global Library.

  • Data Managers need the Conduct, Data Entry, and Labs menus. They may also need some or all of the Definition menu.

  • Data entry operators need the Data Entry menu.

  • Programmers who write validation and derivation Procedures and data extract macros need parts of the Definition menu.

For information about the tasks in each menu, see the following Oracle Clinical user documentation:

  • The Oracle Clinical Administrator's Guide has information on the Admin menu.

  • Oracle Clinical Creating a Study has information on the Plan, Design, Global Library, Definition, and Labs menus.

  • Oracle Clinical Conducting a Study has information on the Conduct, Data Entry, and Labs menus.

In many cases, there are two menu items for the same form, each associated with different database roles. In this way you control users' privileges through menu access. Menu items based on the same form may differ as follows:

  • Query and Read-Write Versions: One menu item allows read-only privileges and the other allows write privileges as well. If a user has access only to the Query version of the form, he or she can view the data there but cannot make any changes.

  • Provisional and Active Definitions. Definitional objects can have a status of Provisional or Active. Some menu items allow the user read and write access only to Provisional objects, while a different version of the same form allows access to Active objects, which may be currently in production use, as well.

  • Test and Production Patient Data. One menu item allows read and write access to test data and the other allows read and write access to production data.

Figure 2-2 Oracle Clinical Navigator with the Definition DCIs Menu Displayed


2.1 Predefined Database Roles

To see a complete list of the predefined database roles and the menu items to which they allow access, run the Menu Roles report in the Developer's Toolkit.

To run the Menu Roles report, navigate to DTK, then Menu Roles. To see the Developer's Toolkit (DTK menu item) you must have the DTK_ADMIN database role. See "Granting Additional Database Roles to User Accounts".

If you create custom roles for your Oracle Clinical database and set up menu security for these roles, you can run the Menu Roles report to confirm that you have set up these roles correctly. The Menu Roles report describes, for both default and custom roles, the menu items to which each role gives a user access. This report applies to the current database only.

Note:

If the Menu Roles report does not show a custom role you have defined, you may not have defined a record for that role in the OPA_MENU_ROLES codelist. See "Adding a Custom Role to OPA_MENU_ROLES".

2.2 Creating and Modifying Database Roles

To modify menu security, you must access the Developer's Toolkit (DTK) menu in the Oracle Pharmaceutical Applications Navigator window. Entries on the DTK menu are accessible only to those database accounts granted the DTK_ADMIN role. The DBA should grant this role to those accounts with the responsibility for maintaining Oracle Clinical roles. This section assumes that your account has the DTK_ADMIN role.


2.2.1 Viewing Menu-Role Associations


To view the activities covered by a particular database role, from the Navigator, expand Developer's Toolkit and select Maintain Menu Modules. In the form, press the Query by Role button for a list of values. Choosing a role causes a display of all activities associated with that role. A complete list of database roles and their relation to menu items can be generated by running the Menu Roles report from the Developer's Toolkit.

2.2.1.1 Organization of the Menu Module Tree

This section describes the internal structure of the Navigator's menus, and the roles and role associations provided by Oracle Clinical.

2.2.1.1.1 Internal Menu Module Structure

All activities accessible through the Navigator are organized in a tree, with the root "OPA". Descending from OPA, a node exists for each installed application. For your installation, there will, at a minimum, be nodes for OCL (for Oracle Clinical activities), OPA (for menus and activities generic to all products of Oracle Health Sciences, formerly known as Oracle Pharmaceutical Applications), and DTK (for the Developer's Toolkit). In turn, each node is the parent of other menu nodes, and ultimately of leaf nodes, which correspond to executable modules.

Figure 2-3 Maintain Menu Modules Window


Many executable modules can perform more than one task, so to completely define an activity, there is also a task name and a query-only flag. For instance, the same form module, RXCRCMAI, performs both query and maintenance of local, installation, and system reference codelists. Consequently, there are six leaf nodes for this module — one for each combination.

The concatenation of nodes, starting at OPA, ending at the leaf node, and including the task and the query mode, is the internal analog of the Navigator menu path to the activity. For instance, the menu path OC, then Data Entry, then Initial Log-In and Entry corresponds to the series of nodes OPA:OCL:OCL_DATA_ENTRY:RXCDEMLI, plus the task name INITIAL LOG-IN AND FIRST-PASS ENTRY, and a clear ("no") query-only flag.

2.2.1.1.2 Role Association Structure

The access an application user has to each node in the menu-module tree is determined by the database role. Each node of the menu tree has associated with it one or more database roles that are allowed access to that node. A user that is not associated with the appropriate role cannot view its corresponding menu or module. The following examples illustrate how the role associated with a user account affects the access the user is given to different menus:

  • To view the OCL application menu, a user's Oracle account must be granted the OCL_ACCESS role. This is typically an automatic grant when an Oracle Clinical account is created, along with CONNECT, RESOURCE, RXCLIN_READ, RXCLIN_MOD, and RXC_ANY.

  • When Oracle-defined menu-role associations have not been modified, to see the Data Entry menu option of OCL your account must have one of these roles: RXC_DE; RXC_DE2; RXC_DMGR; RXC_SUPER; or RXC_SUPER_NOGL.

  • The Initial Log-In and Entry activity requires the same roles, according to the module-role association created in the database by Oracle. Therefore, to run Initial Log-In and Data Entry, your account needs at least two roles: OCL_ACCESS, and one of: RXC_DE, RXC_DE2, RXC_DMGR, RXC_SUPER, RXC_SUPER_NOGL.
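The role checks in the examples above can be modelled as a walk down the node path, where every node on the way must admit at least one of the account's roles. The code below is an added illustration, not Oracle code: node names and role lists come from this section, while treating the OPA root as open to every account and writing the Developer's Toolkit node as OPA:DTK are assumptions.

```python
# Added example: toy model of menu-module role associations.
# Each node maps to the roles of which any ONE grants access to that node.
DE_ROLES = frozenset({"RXC_DE", "RXC_DE2", "RXC_DMGR", "RXC_SUPER", "RXC_SUPER_NOGL"})

NODE_ROLES = {
    "OPA": None,                                  # assumption: root is unrestricted
    "OPA:OCL": frozenset({"OCL_ACCESS"}),
    "OPA:OCL:OCL_DATA_ENTRY": DE_ROLES,
    "OPA:OCL:OCL_DATA_ENTRY:RXCDEMLI": DE_ROLES,  # Initial Log-In and Entry module
    "OPA:DTK": frozenset({"DTK_ADMIN"}),          # assumption: path of the DTK node
}

def path_nodes(path):
    """Return the node itself preceded by all of its ancestors, root first."""
    parts = path.split(":")
    return [":".join(parts[:i]) for i in range(1, len(parts) + 1)]

def blocked_at(path, granted):
    """First node on the path that the granted roles cannot open, or None."""
    granted = set(granted)
    for node in path_nodes(path):
        allowed = NODE_ROLES[node]
        if allowed is not None and not (allowed & granted):
            return node
    return None

def reachable(granted):
    """All modelled nodes the account can reach with its granted roles."""
    return sorted(n for n in NODE_ROLES if blocked_at(n, granted) is None)

def excess(granted, needed_paths):
    """Reachable nodes that none of the account's required activities need."""
    needed = {n for p in needed_paths for n in path_nodes(p)}
    return [n for n in reachable(granted) if n not in needed]

if __name__ == "__main__":
    leaf = "OPA:OCL:OCL_DATA_ENTRY:RXCDEMLI"
    for roles in ({"RXC_DE"}, {"OCL_ACCESS"}, {"OCL_ACCESS", "RXC_DE"}):
        print(sorted(roles), "->", blocked_at(leaf, roles) or "access granted")
    # A data entry operator who was also handed DTK_ADMIN (constructed case)
    print("excess:", excess({"OCL_ACCESS", "RXC_DE", "DTK_ADMIN"}, [leaf]))
```

The `excess` result is the least-privilege signal: any node listed there is reachable through a role the user's job does not require.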

Figure 2-4 Menu Entries for Module Window


2.2.1.2 Navigating the Menu Modules

To view or modify the roles permitted access to the Oracle Clinical menus and activities, navigate to DTK, then Maintain Menu Modules. A Maintain Menu Modules window opens, as shown in Figure 2-4, "Menu Entries for Module Window", with one entry per top-level menu node in the OPA Navigator menu. The record with a blue mark to its left has focus. Change focus by clicking once anywhere on the record of the node you want to examine.

To drill down into the menu nodes from the currently selected node, click Menu Entries, or double-click anywhere in the node's record. Doing this from the Maintain Menu Modules window brings up a new window with a title bar naming the parent node and with records describing the child nodes of that parent. You can continue to drill down within this window until you reach a leaf. If the record that has focus is a module, you have reached a leaf of the tree and the Menu Entries button is disabled.

Figure 2-5 Security for Task Dialog Box

2.2.2 Modifying Menu-Role Associations

At any node of the menu-module tree, you can see or modify the database roles associated with the node by pressing the Roles button. This button brings up a Security for task dialog box where the roles enabling access to this node are listed and can be modified. Figure 2-5, "Security for Task Dialog Box" illustrates this process for Initial Log-In and Entry.

You can also query the nodes accessible via a role through the Query by Role button, available in the Maintain Menu Modules and Menu Entries for Module windows. If you click this button, you are prompted for a role (a list of values is available). When you enter a role, all menu-module tree nodes accessible via that role are displayed. The Query Top Menus button returns you to a list of the application menu nodes.

2.2.3 Creating Custom Database Roles

This section describes how to create a new database role. This may be required if the database roles that are supplied as part of installation do not fit or cannot be modified to fit your business model.

After you create a new database role, grant it access to menu items (see "Modifying Menu-Role Associations") and add it to a reference codelist (see "Adding a Custom Role to OPA_MENU_ROLES").

Menu and module access role names must start with the three-letter designator of the application to which they will apply and must not exceed 11 characters total. The following table lists the valid prefixes for the available applications.

Table 2-1 Prefixes for Role Name, by Application

Prefix        Application
DTK           Developer's Toolkit
OCL or RXC    Oracle Clinical
OPA           Oracle Pharmaceutical Applications
TMS           Thesaurus Management System

Examples of valid role names are OCL_CRA, RXCBROWSER, and DTK_HELP. The Oracle Clinical Remote Data Capture module has no special prefix; its role names are preceded by RXC.

To create a new database role, you must create the role in the database and explicitly grant all the database privileges required for users with the role to do the tasks you intend, including privileges on the related Oracle Clinical tables.

Log in to SQL*Plus as SYSTEM and enter the following:

create role role_name;
grant privilege on table to role_name;

For information on Oracle Clinical tables, see the Oracle Clinical Stable Interface Technical Reference Manual.

2.2.3.1 Creating Custom Roles for Restricting DCI Access

You may want to create additional database roles to use in restricting access to DCIs. There is only one predefined role for investigators: RXC_INV. To hide one investigator's observations from another's, you need more than one investigator role, for example Neurologist (RXC_NEUR) and Oncologist (RXC_ONC). You can create these two roles, create CRFs that are specific to each of those types of observations, and allow one investigator role access to the DCI corresponding to one CRF and the other investigator role access to the other.

Note the following additional tasks required:

2.2.4 Associating Roles with Menus

Once a new database role has been created and is accessible, select the Maintain Menu Modules option of the DTK menu to identify those menus and activities to which the role gives a user access.

Navigate to each node in the menu-module tree (see "Modifying Menu-Role Associations") to which this role should give access, then click the Roles button. This brings up a dialog box where the roles that enable access to the node are listed. Add the new role to the list.

2.2.5 Adding a Custom Role to OPA_MENU_ROLES

Custom roles do not appear in the Menu Roles report until you add them to the OPA_MENU_ROLES installation reference codelist.

To add a custom role to this codelist:

  1. Choose DTK, then Maintain all Codelists.

  2. Query for the OPA_MENU_ROLES codelist.

  3. Insert a new record, and define the short value and long value of the codelist. The long value must match the full name of the new database role exactly, and the short name must be three characters or fewer, and unique in that database. The system uses the short name of the role when it generates the Menu Roles report.
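The naming rules from "Creating Custom Database Roles" and the codelist rules in the steps above can be checked together before a custom role is rolled out. The following is an added example, not part of Oracle Clinical: the function name, the finding codes, and the sample roles and codelist rows are constructed for illustration (RXC_NEUR and RXC_ONC are the example names used earlier in this chapter).

```python
# Added example: pre-flight check for custom roles and their
# OPA_MENU_ROLES codelist records. All sample data is constructed.
VALID_PREFIXES = ("DTK", "OCL", "RXC", "OPA", "TMS")  # Table 2-1
MAX_ROLE_LEN = 11   # role name limit given in this chapter
MAX_SHORT_LEN = 3   # codelist short value limit given in this chapter

def audit_custom_roles(roles, codelist_rows):
    """roles: custom database role names.
    codelist_rows: (short_value, long_value) records from OPA_MENU_ROLES.
    Returns a list of (subject, finding_code) tuples."""
    findings = []
    long_values = [long_v for _, long_v in codelist_rows]
    for role in roles:
        if not role.startswith(VALID_PREFIXES):
            findings.append((role, "bad-prefix"))
        if len(role) > MAX_ROLE_LEN:
            findings.append((role, "name-too-long"))
        if role not in long_values:
            # A near match (case or stray whitespace) is still a miss:
            # the long value must equal the role name exactly.
            near = any(v.strip().upper() == role.upper() for v in long_values)
            findings.append((role, "long-value-mismatch" if near else "not-in-codelist"))
    first_owner = {}
    for short_v, long_v in codelist_rows:
        if len(short_v) > MAX_SHORT_LEN:
            findings.append((long_v, "short-value-too-long"))
        if short_v in first_owner:
            findings.append((long_v, "short-value-duplicate"))
        first_owner.setdefault(short_v, long_v)
    return findings

# Constructed sample input
SAMPLE_ROLES = ["RXC_NEUR", "RXC_ONC", "INV_CARDIO", "RXC_RADIOLOGY"]
SAMPLE_CODELIST = [("NEU", "RXC_NEUR"), ("NEU", "rxc_onc "), ("CARD", "INV_CARDIO")]

if __name__ == "__main__":
    for subject, code in audit_custom_roles(SAMPLE_ROLES, SAMPLE_CODELIST):
        print(f"{subject!r}: {code}")
```

A role flagged `not-in-codelist` or `long-value-mismatch` is one the Menu Roles report will not show, so its menu access cannot be reviewed through that report until the codelist record is corrected.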

2.2.6 Granting a Custom Role Access to a Custom Module

Use these instructions if you are assigning a custom role to a custom module; see "Adding Menu Items to Oracle Clinical". This procedure allows you to grant the role access to the module as well as to the individual menu items.

  1. Open the appropriate menu module file in Oracle Developer Forms Builder.

  2. Connect to the database as RXC.

  3. In the Object Navigator, highlight the RXCUSER module (not the menu).

  4. In the Menu Security property, add the new role. Use the same name as in the database.

  5. Assign your new role to the appropriate menu items as described elsewhere in this section.

  6. Save, compile, and distribute the resulting .mmx file.

Note:

To assign a new role to a standard Oracle Clinical module, see "Modifying Menu-Role Associations".

2.3 Adding Menu Items to Oracle Clinical

You can add your own menu items (Developer modules) to the Admin menu, thus extending the functionality of Oracle Clinical. You can preserve changes across releases of Oracle Clinical. See the Oracle Clinical Installation Guide for instructions.

Replace the files rxcuser.mmb and rxcuser.fmb with your own menu and form, which will be what is brought up by choosing Admin.