This chapter describes the architecture and configuration of security for Oracle Workflow.
This chapter covers the following topics:
The ability to control user access to Web and application content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Workflow.
For additional information about security, refer to the following documents:
The Overview of Oracle E-Business Suite Security, Oracle E-Business Suite System Administrator's Guide - Security provides information about Oracle E-Business Suite security.
The Oracle Database Security Overview provides information about Oracle Database security.
The Oracle Application Server Security Guide provides an overview of Oracle Application Server security and its core functionality.
The Oracle Identity Management Concepts and Deployment Planning Guide provides guidance for administrators of the Oracle security infrastructure.
This section describes the Oracle Workflow security model.
Oracle Workflow uses a password-based security model to protect Web and application content. Oracle Workflow is part of the Oracle E-Business Suite security model in which users' privileges and access to functionality are based on responsibilities.
For purposes of accessing Oracle Workflow Web pages, Oracle Workflow defines two classes of users: Workflow administrators and Workflow users.
Access to Oracle Workflow administrator features is controlled both by responsibilities, which determine what pages a user can access, and by the workflow administrator role defined in the Workflow Configuration page, which determines what administrative operations a user can perform. To perform administrative operations, users must both have a responsibility that includes Oracle Workflow administrator Web pages and be associated with the workflow administrator role. If users have an appropriate responsibility but are not associated with the workflow administrator role, then they can only view the administrator Web pages. Users must also have an appropriate responsibility to access the Oracle Workflow self-service user Web pages. In some cases users who are associated with the workflow administrator role can perform additional administrative operations in the self-service Web pages as well.
Workflow administrators - Oracle E-Business Suite users who have an Oracle Workflow administrator responsibility and are associated with the workflow administrator role, can:
Access the Oracle Workflow Administrator Home page.
Set global workflow preferences and their own individual user preferences.
View and respond to any user's notifications through the Worklist pages.
Define rules to handle notifications automatically in a user's absence.
View and update any user's processes in the administrator Status Monitor.
View Workflow item type definitions and launch test processes.
Manage business events and event subscriptions.
Define worklist flexfields rules and perform rule simulations. Access to worklist flexfields rules functionality requires only an Oracle Workflow administrator responsibility.
Workflow users - Oracle E-Business Suite users who have an Oracle Workflow user responsibility, can:
Access the Oracle Workflow Self-service Home page.
Set their own individual user preferences.
View and respond to their own notifications through the Worklist pages.
Define rules to handle their own notifications automatically in their absence.
View and respond to notifications for other users who have granted access to their worklists.
View their own processes in the self-service Status Monitor. Users who are associated with the workflow administrator role can also reassign notifications or cancel workflows in the self-service Status Monitor.
Additionally, administrators who manage Oracle Workflow must have the Oracle E-Business Suite System Administrator responsibility to access Oracle Applications Manager, or must have an Oracle Workflow administrator responsibility that includes direct access to the Workflow Manager component within Oracle Applications Manager.
Also, administrators and developers who need to run Oracle Workflow scripts and programs or save workflow item type definitions to the database must have the password for the Oracle Workflow schema in the database.
Oracle Workflow also allows users to be assigned specialized workflow monitoring privileges with restricted access to workflow data. Such users act as specialized workflow administrators only within the Status Monitor, and can only view workflows and perform administrative actions as specified in their grants. See: Assigning Specialized Workflow Monitoring Privileges.
Oracle Workflow provides security to protect the following resources.
Oracle Workflow Web pages - Oracle E-Business Suite users must log into Oracle E-Business Suite before they can access Oracle Workflow Web pages.
Workflow Manager - An Oracle E-Business Suite system administrator must log into Oracle Applications Manager in order to access the Workflow Manager component.
Oracle Workflow Builder - No login is required to run the Oracle Workflow Builder development tool on a client PC. However, in order to view or save item type definitions in the database using Oracle Workflow Builder, a developer must provide the Oracle Workflow schema name and password.
Administrative scripts and programs - An administrator must provide the Oracle Workflow schema name and password in order to run Oracle Workflow administrative scripts, the Workflow Definitions Loader, or the Workflow XML Loader. Additionally, an Oracle E-Business Suite system administrator must log into Oracle E-Business Suite or Oracle Applications Manager before running Oracle Workflow concurrent programs.
E-mail notifications - Oracle Workflow supports sending e-mail notifications to users and processing e-mail responses to update workflow processes. Ultimately, the security of e-mail notifications and responses depends on the security of your e-mail application. Oracle Workflow also provides several features to validate e-mail responses and protect application content from unauthorized updates. For more information, see: E-mail Notification Security.
Notifications - Oracle Workflow supports electronic signatures for users' responses to notifications. You can optionally require notification responses to be authenticated by either a password-based signature or a certificate-based signature. See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.
Users are prompted for a username and password in order to access Oracle Workflow Web pages and Oracle Applications Manager. Users must additionally be assigned a responsibility that includes Oracle Workflow Web pages before they can access these pages.
Users must provide the Oracle Workflow database schema username and password to run administrative scripts and programs and to access workflow definitions in the database through Oracle Workflow Builder.
For information about authorization and validation of e-mail notification responses, see: E-mail Notification Security.
For information about use of Oracle HTTP Server by Oracle E-Business Suite, see: Administering Oracle HTTP Server, Oracle E-Business Suite System Administrator's Guide - Configuration.
An Oracle Workflow directory service based on users and roles from the unified Oracle E-Business Suite environment is automatically implemented for you during installation. For information about setting up Oracle E-Business Suite to use Oracle Internet Directory and single sign-on, see: Oracle Single Sign-On Integration, Oracle E-Business Suite System Administrator's Guide - Security.
You can configure several options in Oracle Workflow to take advantage of the security features you want.
You can set the following global workflow preferences related to security.
Workflow administrator, which defines the role that has administrator privileges in accessing Oracle Workflow Web pages.
LDAP preferences, if you are integrating with Oracle Internet Directory. LDAP preferences include LDAP host, LDAP port, LDAP password, LDAP changelog base directory, and LDAP user base directory. LDAP password values are masked as asterisks in the display and are stored in encrypted form.
See: Setting Global User Preferences.
For information about configuring e-mail notification security options, see: E-mail Notification Security.
Directory service views for users and roles from the unified Oracle E-Business Suite environment are automatically implemented for you during installation. Oracle Workflow uses a directory service model in which denormalized information is maintained in the Workflow local tables for performance gain. The local Workflow directory service tables store user and role information originating from various other Oracle E-Business Suite modules, as well as ad hoc users and roles, so that the Workflow directory service views can access this information with good performance. You should maintain synchronization between the user and role information stored in application tables by the source modules and the information stored in the Workflow local tables. See: Setting Up a Directory Service for Oracle Workflow.
Also, you can optionally give users access to the Advanced Worklist, Personal Worklist, and Notification Search Web pages from any responsibility you choose. To make a page available from a particular responsibility, you must add the appropriate function to the menu associated with that responsibility. Then you can assign that responsibility to your users. See: Adding Worklist Functions to User Responsibilities.
Similarly, you can give users access to the Workflow Monitor Test Application from a responsibility that you choose. To make the Workflow Monitor Test Application available from a particular responsibility, you must add its menu to a top-level menu for that responsibility. Then you can assign that responsibility to your users. See: Testing Status Monitor Access.
You can use a special message attribute with the internal name #WF_SIG_POLICY to require that a user's response to a notification be authenticated by an electronic signature. Otherwise, the response will not be considered valid.
If you define a notification to require a password-based signature, users must confirm their response by entering their Oracle E-Business Suite user name and password.
If you define a notification to require a certficate-based signature, users must sign their response with a valid X.509 certificate issued by a certificate authority.
See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.
Additionally, a user can grant access to his or her worklist to another user. That user can then act as a proxy to handle notifications on the owner's behalf. The worklist access feature lets one user allow another user to handle his or her notifications without giving the second user access to any other privileges or responsibilities that the first user has in Oracle E-Business Suite. However, note that a user who has access to another user's worklist can view all the details of that user's notifications and take most actions that the owner can take on the notifications. Ensure that your users take all necessary security considerations into account when they choose to grant worklist access to another user. See: Worklist Access, Oracle Workflow User's Guide.