Oracle Workflow Administrator's Guide
Part Number B10283-02
The ability to control user access to Web and application content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Workflow.
For additional information about security, refer to the following documents:
This section describes the Oracle Workflow security model.
Oracle Workflow uses a password-based security model to protect Web and application content.
For purposes of accessing Oracle Workflow Web pages, Oracle Workflow defines two classes of users: Workflow administrators and Workflow users.
In addition to being associated with the role specified in the Workflow Administrator global preference, administrators who manage Oracle Workflow must have the Oracle Application Server administrator role to access the Workflow Manager component within Oracle Enterprise Manager for standalone Oracle Workflow, or have the Oracle Applications System Administrator responsibility to access the Workflow Manager component within Oracle Applications Manager for Oracle Applications.
Also, administrators and developers who need to run Oracle Workflow scripts and programs or save workflow item type definitions to the database must have the password for the Oracle Workflow schema in the database.
Oracle Workflow provides security to protect the following resources.
Users are prompted for a username and password in order to access Oracle Workflow Web pages and Oracle Enterprise Manager or Oracle Applications Manager. In Oracle Applications, users must additionally be assigned a responsibility that includes Oracle Workflow Web pages before they can access these pages.
Users must provide the Oracle Workflow database schema username and password to run administrative scripts and programs and to access workflow definitions in the database through Oracle Workflow Builder.
For information about authorization and validation of e-mail notification responses, see: E-mail Notification Security.
Oracle Workflow leverages Oracle HTTP Server authentication to control access to Oracle Workflow Web pages. In standalone Oracle Workflow, a PL/SQL Database Access Descriptor (DAD) is created for the Oracle Workflow Web pages during installation. You can use either the HTTP or HTTPS protocol. HTTPS, which is HTTP over Secure Sockets Layer (SSL), is recommended because it protects the credentials and page content exchanged with the Web server. For instructions on configuring SSL with Oracle HTTP Server, refer to the Oracle HTTP Server Administrator's Guide.
For information about use of Oracle HTTP Server by Oracle Applications, see: Administering Oracle HTTP Server, Oracle Applications System Administrator's Guide.
For standalone Oracle Workflow, you can choose one of two predefined directory service implementations during installation.
In Oracle Applications, an Oracle Workflow directory service based on users and roles from the unified Oracle Applications environment is automatically implemented for you during installation. For information about setting up Oracle Applications to use Oracle Internet Directory and single sign-on, see: Implementing Single Sign-on for Oracle Applications 11i with Login Server Authentication Using Oracle Internet Directory, Oracle Applications System Administrator's Guide.
This section describes configuration considerations in Oracle HTTP Server for standalone Oracle Workflow. For Oracle Applications, see:
Oracle9i Application Server and Oracle Applications, Oracle Applications System Administrator's Guide.
If you choose to implement OID and single sign-on integration in the Workflow Configuration Assistant, the DAD created for Oracle Workflow in Oracle HTTP Server is automatically protected in the mod_osso configuration file during installation. For more information, see the installation documentation for your installation of Oracle Workflow.
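The two protections described above for the Workflow DAD, an SSL requirement on the DAD location in Oracle HTTP Server and a mod_osso protection entry for the same location, can be illustrated together in one configuration fragment. This is an added example, not output generated by the Workflow Configuration Assistant and not taken from this guide: the DAD path /pls/wf is an assumed placeholder for the DAD created by your installation, and the placement of the directives is an assumption to verify against the Oracle HTTP Server documentation for your release.

```apache
# Added example; "/pls/wf" is an assumed placeholder for the Workflow DAD path.

# httpd.conf (or the SSL configuration file it includes):
# reject plain-HTTP requests for the Workflow pages, so usernames,
# passwords and notification content are only sent over SSL.
<Location /pls/wf>
    SSLRequireSSL
</Location>

# mod_osso.conf: require an Oracle Application Server single sign-on
# session for the same location, so access is tied to the OID-backed
# directory service rather than to a database login prompt.
<Location /pls/wf>
    require valid-user
    AuthType Basic
</Location>
```

After changing either file, restart Oracle HTTP Server and confirm that an http:// request to the DAD path is refused while an https:// request redirects to the single sign-on login page before the Workflow page is served.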
You can configure the following options in Oracle Workflow to take advantage of the security features you want.
You can set the following global workflow preferences related to security.
See: Setting Global User Preferences.
For information about configuring e-mail notification security options, see: E-mail Notification Security.
During installation of standalone Oracle Workflow, the Workflow Configuration Assistant lets you enter LDAP preferences in order to integrate with Oracle Internet Directory (OID). If you do choose to integrate with OID, the Workflow Configuration Assistant automatically installs the appropriate version of the Workflow PL/SQL security package, called WFA_SEC, and a directory service implementation based on OID.
OID integration also enables Oracle Workflow to participate in Oracle Application Server single sign-on.
If you choose to integrate with OID, you must perform the following steps:
See: Integrating an Oracle Workflow Directory Service with Oracle Internet Directory and Synchronizing Workflow Directory Services with Oracle Internet Directory.
If you do not enter LDAP preferences in the Workflow Configuration Assistant during installation, then a directory service implementation based on Oracle Database users and roles is automatically installed, along with the appropriate version of the Workflow PL/SQL security package, called WFA_SEC.
In this case, you should modify the default directory service views to add e-mail addresses for the database users if you want them to be able to receive e-mail notifications. See: Integrating an Oracle Workflow Directory Service with Oracle Database Users.
Note: You can also implement a custom version of the WFA_SEC security package if you want to implement your own application-specific security. However, only the predefined versions of the WFA_SEC security package provided by Oracle Workflow are supported by Oracle. See: Oracle Workflow Support Policy, Oracle Workflow Developer's Guide.
If you are using the version of Oracle Workflow embedded in Oracle Applications, directory service views for users and roles from the unified Oracle Applications environment are automatically implemented for you during installation. In Oracle Applications, Oracle Workflow uses a directory service model in which denormalized information is maintained in the Workflow local tables for performance. The local Workflow directory service tables store user and role information originating from various other Oracle Applications modules, as well as ad hoc users and roles, so that the Workflow directory service views can access this information efficiently. Because the local tables are a copy, you must keep them synchronized with the user and role information stored in application tables by the source modules; otherwise the directory service may grant access or deliver notifications based on stale user or role data. See: Setting Up a Directory Service for Oracle Workflow Embedded in Oracle Applications.
Also, in Oracle Applications, you can optionally give users access to the Worklist, Advanced Worklist, and Personal Worklist Web pages from any responsibility you choose. To make a Worklist available from a particular responsibility, you must add the appropriate function to the menu associated with that responsibility. Then you can assign that responsibility to your users. See: Adding Worklist Functions to User Responsibilities.