User Management Guidelines: Use of Generic Accounts and Passwords
(Doc ID 2322072.1)
Last updated on JUNE 01, 2019
Applies to:Oracle Health Sciences InForm
Oracle Health Sciences User Management Tool
Information in this document applies to any platform.
In an effort to standardize and help secure the approach to Trial User Management, we issued (during March 2016) the following policies and guidelines for your information and observance. As a refresher we are re-issuing the guidance.
Use of Generic Accounts and Passwords
As a reminder, Oracle HSGBU no longer creates or supports the use of generic accounts / user names and/or passwords within InForm studies. (A “generic” account / user name is one that is not associated with a unique individual or is one that is shared or known to more than one user.) All user accounts for UAT or Live studies hosted by Oracle will therefore need to be associated to a specific named user and have a unique password for each named user.
For UAT testing, we have created an automated process which creates test users to support business needs and conform to Oracle security requirements. The accounts created use the following form: “firstinitiallastname_environment_role” (e.g., JSmith_uat_cra, JSmith_uat_crc, JSmith_uat_pi). This process takes the form of a General Action Request ticket that you can submit through the Extranet *. A CSV file containing the list of users should be placed in an sFTP location and the path to the file should be referenced in the ticket created. This document will be processed in an automated fashion and account details will be communicated via email directly to the users from this automated process. Each individual receiving user accounts will receive a temporary password via email that must be changed when logging into the system for the first time with each account. This process will also automatically disable generic system accounts. Additional information on the process can be obtained by clicking the Request Documents button on the Extranet**. Live InForm studies must also exclude the use of generic accounts or shared passwords.
(Note: For TRN (training) studies, a simplified process allows for shared account access at the study level which requires a unique, study specific, customer defined password. For Single Sign On (SSO) studies, the user management for your UAT trial is performed within UMT.)
Creation of users through MedML files (Non-SSO trials only)
Although the use of the User Management Tool (UMT) for account management is highly advised, it is still possible to create users through the use of MedML files for non-SSO trials. NOTE: all new InForm 6.1 trials should use SSO. The policies above still apply, however, and such user accounts will need to be associated with specific named users and may not be generic in nature. These users must have valid email addresses and unique, strong passwords.
Customers using this method must make appropriate updates to their tools and processes to generate the MedML files in accordance with the guidelines stated above. NOTE: it is also required that under no circumstance should customer generated MedML contain account information for any Oracle users for any purposes whatsoever.
General User Management Guidelines
Oracle strongly discourages the use of any account that has “system creator”, “system level” or “super user” rights or privileges. The use of these types of accounts can be used to by-pass the separation of duties functionality (e.g. User Manager, User Activator, CDC, CRC) that has been intentionally created to conform to good clinical practices or specific regulations.
We would also like to remind you that if your study uses the User Management Tool (UMT), all user creation and modification should be performed within that tool to preserve a history and audit trail of any changes.
Finally, if you are a customer that manages your own users, trials, etc and there are Oracle users present in these studies for software support purposes, we ask that you do not perform any modification to their rights, roles or privileges without consulting your Oracle Project Manager or Service Delivery Manger.
*In the future when HSGBU Support Cloud becomes the method of submitting tickets, a ticket should be submitted in HSGBU Support Cloud under the category ‘User Account Setup/Change/Terminate’.
** In the future when HSGBU Support Cloud becomes the method of submitting tickets, refer to the Documents & Request Forms section in HSGBU Support Cloud
Please read and abide by the above policy and guidelines.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document