Sun Identity Manager 8.1 Resources Reference

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use one of the following drivers to communicate with the Oracle adapter:

Since the Oracle Application stored procedures require unencrypted passwords to be passed to some of the stored procedures used for provisioning, you should implement encrypted communications between Identity Manager and the Oracle application resource.

Read the Oracle publication Oracle Advanced Security Administrator's Guide and your JDBC driver's documentation to confirm the level of encryption support that your specific version of the Oracle RDBMS and driver provides.

Oracle EBS Permissions

Oracle E-Business Suite requires access to the following tables and stored procedures.


Note –

The administrator must be able to run the select command for all tables. In addition, the administrator must be able to update the apps.fnd_user table.


Tables

apps.ak_attributes
apps.ak_attributes_tl
apps.ak_web_user_sec_attr_values
apps.fnd_application
apps.fnd_application_tl
apps.fnd_application_vl
apps.fnd_profile
apps.fnd_responsibility
apps.fnd_responsibility_vl
apps.fnd_security_groups
apps.fnd_security_groups_tl
apps.fnd_security_groups_vl
apps.fnd_user
apps.fnd_user_resp_groups
apps.icx_parameters

Stored Procedures

apps.app_exception.raise_exception
apps.fnd_global.apps_initialize
apps.fnd_global.user_id
apps.fnd_message.get
apps.fnd_message.get_token
apps.fnd_message.set_name
apps.fnd_message.set_token
apps.fnd_profile.get
apps.fnd_user_pkg.AddResp
apps.fnd_user_pkg.CreateUser
apps.fnd_user_pkg.DisableUser
apps.fnd_user_pkg.DelResp
apps.fnd_user_pkg.UpdateUser
apps.fnd_user_pkg.user_synch
apps.fnd_user_pkg.validatelogin
apps.fnd_user_resp_groups_api.assignment_exists
apps.fnd_user_resp_groups_api.insert_assignment
apps.fnd_user_resp_groups_api.update_assignment
apps.fnd_web_sec.change_password
apps.fnd_web_soc.create_user
apps.fnd_web_sec.validation_login
apps.icx_user_sec_attr_pub.create_user_sec_attr
apps.icx_user_sec_attr_pub.delete_user_sec_attr


Note –

The adapter might access additional tables and stored procedures. Refer to the Oracle E-business Suite documentation for additional information.


Oracle states that the Oracle EBS system, including the fnd_user_pkg stored procedures, was designed to administer Oracle EBS as the APPS user. Oracle does NOT recommend creating an alternate administrative user. However, if you need to manage Oracle EBS with a user other than APPS, contact Oracle for guidance.

The alternate administrative user must be granted the same access as the APPS user has to all Oracle data, including tables, views, and stored procedures.

The alternate user also needs synonyms so that it can reach the tables the APPS user has access to. If a different user is used and the appropriate grants and synonyms have not been created for it, the following error might be encountered:

Error: ORA-00942: table or view does not exist

Add the appropriate grants and synonyms to correct the error. A sample SQL*Plus script is located in the following directory:

$WSHOME/sample/other/CreateLHERPAdminUser.oracle.

You can modify this script as necessary and use it to create an alternative Oracle EBS Admin user. Usage instructions are documented in the comments at the beginning of the script.
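The grant-plus-synonym pattern that the sample script applies, shown here as an added illustration rather than the contents of CreateLHERPAdminUser.oracle; the alternate user name IDM_ADMIN and the subset of objects are assumptions, and the page requires the real user to receive the same access as APPS to every listed object.

```sql
-- Added illustration (not the CreateLHERPAdminUser.oracle sample script).
-- IDM_ADMIN is a hypothetical alternate Oracle EBS admin user.
-- Run as APPS (or a DBA) in SQL*Plus and extend to every object the
-- tables and stored procedures list above names.

-- Object privileges: SELECT on the tables, UPDATE on apps.fnd_user as the
-- note above requires, EXECUTE on the packages the adapter calls.
GRANT SELECT  ON apps.fnd_user                  TO idm_admin;
GRANT UPDATE  ON apps.fnd_user                  TO idm_admin;
GRANT SELECT  ON apps.fnd_responsibility        TO idm_admin;
GRANT SELECT  ON apps.fnd_user_resp_groups      TO idm_admin;
GRANT EXECUTE ON apps.fnd_global                TO idm_admin;
GRANT EXECUTE ON apps.fnd_user_pkg              TO idm_admin;
GRANT EXECUTE ON apps.fnd_user_resp_groups_api  TO idm_admin;
GRANT EXECUTE ON apps.fnd_web_sec               TO idm_admin;

-- Private synonyms so that unqualified names resolve from IDM_ADMIN's
-- session; a grant without the matching synonym (or vice versa) is the
-- usual cause of ORA-00942 for the alternate user.
CREATE OR REPLACE SYNONYM idm_admin.fnd_user             FOR apps.fnd_user;
CREATE OR REPLACE SYNONYM idm_admin.fnd_responsibility   FOR apps.fnd_responsibility;
CREATE OR REPLACE SYNONYM idm_admin.fnd_user_resp_groups FOR apps.fnd_user_resp_groups;
CREATE OR REPLACE SYNONYM idm_admin.fnd_user_pkg         FOR apps.fnd_user_pkg;

-- Check: list what IDM_ADMIN can now reach. Any object in the list above
-- that is missing here will fail with ORA-00942 at provisioning time.
SELECT table_schema, table_name, privilege
  FROM all_tab_privs
 WHERE grantee = 'IDM_ADMIN'
 ORDER BY table_name, privilege;
```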

For pass-through authentication only, authority is needed to run the following SQL command:

-- Wrapper around the EBS login check: returns 'valid' when the
-- username/password pair is accepted, NULL otherwise.
create or replace function wavesetValidateFunc1 (username IN varchar2,
  password IN varchar2)
RETURN varchar2 IS
  ret_val boolean;
BEGIN
  ret_val := apps.FND_USER_PKG.ValidateLogin(username, password);
  IF ret_val = TRUE THEN
    RETURN 'valid';
  ELSE
    RETURN NULL;
  END IF;
END wavesetValidateFunc1;
/