Oracle E-Business Suite Security Guide

Contents

Title and Copyright Information

Send Us Your Comments

Preface

Authentication and Authorization

Introduction to Authentication and Authorization

Access Control in Oracle E-Business Suite

Oracle User Management

Oracle Application Object Library Security

Access Control with Oracle User Management

Overview

Function Security

Data Security

Role Based Access Control (RBAC)

Delegated Administration

Provisioning Services

Self-Service and Approvals

Access Control With Proxy Users

      The Proxy User Feature

Oracle User Management Setup and Administration

Setup Tasks

      Defining Role Categories

      Creating and Updating Roles

      Security Wizard

      Assigning Permissions to Roles

      Searching For Assigned Roles

      Diagnostics for User-Role Assignment

      Creating Instance Sets and Permission Sets

      Defining Delegated Administration Privileges for Roles

      Defining Data Security Policies

      Defining Role Inheritance Hierarchies

      Creating and Updating Registration Processes

      Configuring the User Name Policy

Delegated Administration Tasks

      Maintaining People and Users

      Creating, Inactivating, and Reactivating User Accounts

      Resetting User Passwords

      Unlocking Locked User Accounts

      Assigning Roles to or Revoking Roles from Users

      Fine Grained Access Control for Role Administration

      Managing System Accounts

      Registering External Organization Contacts

      Registering User Accounts

      Managing Proxy Users

Self Service Features

      Self-Service Registration

      Requesting Additional Application Access

      Login Assistance

Security Reports

      Home Page

      Listing Functions for a User

      Listing Data Security and Business Objects for a User

      Listing Roles and Responsibilities for a User

      Listing Users With a Given Role

      Listing Functions That Can Be Accessed From a Given Role

      Listing Objects for a Given Role

      Listing Users for a Given Function

      Listing Roles and Responsibilities for a Given Object

Oracle Application Object Library Security

Overview of Oracle E-Business Suite Security

      HRMS Security

      Enterprise Command Center Security

Oracle E-Business Suite User Passwords

Guest User Account

User Session Limits

Defining a Responsibility

      Additional Notes About Responsibilities

Defining Request Security

Oracle Applications Manager Security Tests

Overview of Security Groups in Oracle HRMS

      Defining Security Groups

Overview of Function Security

      Terms

      Executable Functions vs. Non-executable Functions

      Functions, Menus, and the Navigate Window

      Menu Entries with a Submenu and Functions

      How Function Security Works

Implementing Function Security

      Defining a New Menu Structure

      Notes About Defining Menus

      Menu Compilation

      Preserving Custom Menus Across Upgrades

Overview of Data Security

      Concepts and Definitions

      Implementation of Data Security

Responsibilities Window

Security Groups Window

Users Window

Form Functions Window

Menus Window

Menu Viewer

Objects

      Find Objects

      Update Object

      Create Object

      Object Detail

      Delete Object

Object Instance Sets

      Manage Object Instance Set

      Create Object Instance Set

      Update Object Instance Set

      Delete Object Instance Set

      Object Instance Set Details

Grants

      Search Grants

      Create Grant

      Define Grant

      Select Object Data Context

      Define Object Parameters and Select Set

      Review and Finish

      Update Grant

      Define a Grant

      View Grant

Functions

      Search

      Create Function

      Update Function

      Duplicate Function

      View Function

      Delete Function

Navigation Menus

      Search for Menus

      Create Navigation Menu

      Update Menu

      Duplicate Menu

      View Menu

      Delete Menu

Permissions

      Create Permission

      Update Permission

      Duplicate Permission

      View Permission

      Delete Permission

Permission Sets

      Create Permission Set

      Update Permission Set

      Duplicate Permission Set

      View Permission Set

      Delete Permission Set

Compile Security Concurrent Program

      Parameter

Function Security Reports

Users of a Responsibility Report

      Report Parameters

      Report Heading

      Column Headings

Active Responsibilities Report

      Report Parameters

      Report Heading

      Column Headings

Active Users Report

      Report Parameters

      Report Heading

      Column Headings

Disable and Enable Inactive FND Users Based on Security User Type

Reports and Sets by Responsibility Report

      Report Parameters

      Report Headings

Oracle Application Object Library REST Security Services

Cookie Domain Scoping

Allowed Resources

Allowed Redirects

Single Sign-On Integration

Overview of Single Sign-On Integration

Introduction to Enterprise User Management

Integration Actions and Options

Enterprise User Management

Deployment Scenario 0: E-Business Suite + SSO and Oracle Directory Services

User Management Options

End-User Experience

Session Timeout Behavior

User Management Options

      Critical Implementation Decisions

Implementation Instructions

Deployment Scenario 1: Multiple Oracle E-Business Suite Instances + Central SSO and Oracle Directory Services Instance

Deployment Scenario 2: New Oracle E-Business Suite Installation + Existing Third-Party Identity Management Solution

End-User Experience

User Management

      Critical Implementation Decisions

Implementation Instructions

Deployment Scenario 3: Existing Oracle E-Business Suite Instance + Existing Third-Party Identity Management Solutions

Critical Implementation Decisions

Implementation Instructions

Deployment Scenario 4: Multiple Oracle E-Business Suite Instances with Unique User Populations

Advanced Features

Single Sign-On Profile Options

Configuring Directory Integration Platform Provisioning Templates

Administering the Provisioning Process

Changing E-Business Suite Database Account Password

Manual Subscription Management With Provsubtool

Migrating Data Between Oracle E-Business Suite and Oracle Directory Services

Enabling and Disabling Users

Synchronizing Oracle HRMS with Oracle Directory Services

Supported Attributes

FND_SSO_UTIL Procedures

References and Resources for Single Sign-On

Glossary of Terms

Secure Configuration

Overview of Secure Configuration

About Oracle E-Business Suite Secure Configuration

System-Wide Advice

Differences Between Oracle E-Business Suite Releases

Oracle TNS Listener Security

About Oracle TNS Listener Security

Hardening

Network

Authorization

Audit

Oracle Database Security

About Oracle Database Security

Hardening

Authentication

Authorization

Oracle Application Tier Security

About Oracle Application Tier Security

Hardening

Authorization

Network

Oracle E-Business Suite Security

About Oracle E-Business Suite Security

Hardening

Network

Authentication

Authorization

Desktop Security

About Desktop Security

Hardening

Operating Environment Security

Overview of Operating Environment Security

Hardening

Network

Authentication

Authorization

Maintenance

Secure Configuration Console

Overview

Using the Secure Configuration Console

Guidelines for Auditing and Logging

Introduction to Guidelines for Auditing and Logging

About Auditing and Logging

Why Audit?

Auditing and Logging Features in Oracle E-Business Suite

Overview of Features

Recent and Current Activity

Historical Activity

Unexpected Events

Oracle E-Business Suite Auditing Scripts

Using Oracle E-Business Suite Application Auditing and Logging Features

Introduction

Unsuccessful Login Attempts

Data Changes Tracked with Who Columns

Sign-On Audit

Enabling Sign-On Audit

Disabling Inactive Sessions

Purging Session Information

Purging Sign-On Audit Data

Sign-On Audit Reports

Session Audit Information

Page Access Tracking

Database Connection Tagging

Debug Logging (Unexpected Logging)

Oracle E-Business Suite Audit Trail

Oracle E-Business Suite Technology Stack Auditing and Logging Features

Introduction

Application Tier Technology Stack

Format of the Listener Log Audit Trail

Database Alert Log

Database Auditing

Optional Oracle Technology Integrations

Enabling Oracle E-Business Suite Audit Trail

Overview

Steps to Enable Audit Trail

Audit Trail Shadow Tables, Triggers, and View

Purging Audit Trail Records

Disabling an Enabled Audit Trail

Restarting an Audit

Tables

Reporting on Audit Data

Implications of Upgrading an Audit Trail

Disabling Audit Trail

Additional Audit Trail Reporting

      Audit Industry Template

      Audit Hierarchy Navigator

      Audit Query Navigator

      Audit Report

Monitor Users Window

Audit Installations Window

Audit Groups Window

Audit Tables Window

Audit Trail Search Pages

Running Web Scanning Tools

Overview

Preparing Your Oracle E-Business Suite System for the Web Scan

Reviewing the Results

Database Schemas Found in Oracle E-Business Suite

Table of Database Schemas in Oracle E-Business Suite

Processes Used by Oracle E-Business Suite

Table of Processes Used by Oracle E-Business Suite

Ports Used by Oracle E-Business Suite

Table of Ports Used by Oracle E-Business Suite

Table of Ports Used by WebLogic Server

Security Checklist

About the Security Checklist

Overview

Oracle TNS Listener Security

Oracle Database Security

Oracle Application Tier Security

Oracle E-Business Suite Security

Desktop Security

Operating Environment Security

Sign-On Audit Concurrent Manager Reports

About Sign-On Audit Concurrent Manager Reports

Sign-On Audit Concurrent Requests Report

Sign-On Audit Forms Report

Sign-On Audit Responsibilities Report

Sign-On Audit Unsuccessful Logins Report

Sign-On Audit Users Report

Additional References

References

Security Features for Earlier Oracle E-Business Suite Releases

Overview

FND: Security Resource Logging Profile Option Values for Earlier Releases

Obsolete Secure Configuration Console Checks

Index