1 Security Infrastructure

This chapter contains the following:

Security Components: How They Fit Together

Oracle Fusion entitlement management secures access to all three tiers at the service-oriented architecture (SOA) layer, which is supported by Oracle Platform Security Services (OPSS). That means that rather than having every application with its own entitlement layer, access is managed as a centralized service shared by all applications.

The figure shows elements of Oracle Fusion Applications security and supporting structures in the Web, application, middle, and data tiers.

Image shows components of Oracle Fusion Applications, Fusion Middleware, and the applications and OIM databases.

Security Components

The following components of an Oracle Fusion Applications deployment participate in security.

Component: Does what?

Oracle HTTP Server (OHS): takes all incoming HTTP requests

Oracle Access Manager (OAM): performs single sign-on (SSO)

Web Gate (OAM component): intercepts requests and checks for user credentials

Web Pass (OAM Web server plug-in): passes information between the Web server and OAM's Identity Server

OAM Policy Manager: supports managing single sign-on (SSO), and URL-based authentication and authorization policies

Oracle Identity Management (OIM): handles user provisioning

Oracle Web Services Manager (OWSM): provides infrastructure for Service Oriented Architecture (SOA) and Web services security

OWSM Agent: enforces SOA and Web services security

OWSM Policy Manager: supports setting up policy configuration for SOA and Web services security

Oracle Platform Security Services (OPSS): provides the framework to manage policies, identity, and audit services across the enterprise

Oracle Virtual Directory (OVD): virtualizes data sources in Lightweight Directory Access Protocol (LDAP) stores

Identity Governance Framework (IGF): manipulates users, groups, and policies in LDAP

Authorization Policy Management (APM): supports managing authorization policies

Enterprise Manager (EM): supports managing deployed components, services, and applications

Oracle Virtual Private Database (VPD): protects personally identifiable information (PII) attributes in the database from unauthorized access by privileged users such as database administrators (DBA)


OAM policies have no relationship with OPSS policies.

Oracle Fusion Applications accesses policies through the services of WebLogic Servers. OPSS populates the Java authorization (JAZN) file with policies for transfer to Lightweight Directory Access Protocol (LDAP) and distribution to applications using WebLogic services.

Security Across Multiple Tiers

The components of the Oracle Fusion Applications security approach span all tiers of a deployment technology stack.

  • Data

  • Middleware

  • Applications

  • Web

Installation typically sets up Oracle Fusion Applications in predefined WebLogic Server (WLS) domains that correspond to product families, such as Financials or Human Capital Management (HCM). A WLS domain is a group of servers working together in the middle tier to serve the Java Platform, Enterprise Edition (Java EE) applications in the applications tier with the data in the database of the data tier.

In the data tier the database manages the data for Oracle Fusion Applications. Data security policies are stored in Oracle Fusion Data Security (FND_GRANTS). Function security policies are stored in the LDAP policy store.

Oracle Internet Directory serves as an LDAP store. If your enterprise is using a different LDAP store, use Oracle Virtual Directory to connect to your LDAP store.

In the middle tier, the WLS contains the business components and user interfaces (ADF Faces) of the Application Development Framework (ADF) instances that run Oracle Fusion Applications. The middle tier also contains other essential components of an Oracle Fusion Applications deployment that are relevant to security.

  • Enterprise Scheduler Services for executing processes

  • Oracle WebCenter for managing tags, Watchlists, and Oracle Fusion Search

  • Service Oriented Architecture for managing Web services

  • Oracle WebCenter Content for managing documents and attachments

  • Oracle Identity Manager (OIM) for user provisioning

  • Oracle Access Manager (OAM) for authentication and authorization

  • Oracle Business Intelligence Foundation Suite for Oracle Applications (OBIFA) and BI Publisher for analytics and reports

All of these components use OPSS to communicate with the applications and Web tiers. OPSS controls abstractions of the pages and widgets that appear in Oracle Fusion applications.

Authorization Policy Management defines entitlements using OPSS. Job roles and users are stored in an LDAP repository such as Oracle Internet Directory, and Oracle Identity Management manages them.

In the applications tier, Enterprise Manager handles the functional setup and features of your deployment.

In the Web tier, Oracle WebCache, the HTTP Server, and load balancers manage client interactions.

Setup and Runtime Components

The following components must be present at setup and runtime.

  • Oracle Database

    • Oracle Text

    • PL/SQL

    • SQL*Loader

    • Oracle Data Integrator (ODI)

  • Oracle Database Enterprise Edition

  • Oracle Identity Management

    • Identity Governance Framework (IGF)

  • WebLogic Server and selected subcomponents

    • Application Development Framework (ADF)

    • ADF Data Visualizations (DVT)

    • Groovy (in ADF business components (ADFbc))

    • Java Architecture for XML Binding (JAXB)

    • Java API for XML Web Services (JAX-WS)

    • Java Transaction API (JTA)

    • Service Component Architecture (SCA)

  • SOA Suite and business process management (BPM) Suite selected components

    • Approval Management System (AMX)

    • Business Process Execution Language (BPEL)

    • Business Rules

    • Oracle Enterprise Scheduler

    • Events Delivery Network (EDN)

    • Oracle Content Server (using Oracle WebCenter Framework) with full Oracle WebCenter Content suite

    • Oracle Human Workflow

    • Oracle Mediator

    • Oracle Web Services Manager (OWSM)

    • Oracle WebCenter Framework

  • Oracle Single Sign-On Server

  • Oracle Virtual Directory

  • Oracle Business Intelligence Foundation Suite for Oracle Applications (OBIFA) selected components

    • BI Publisher, including Marketing Segmentation Server

    • Oracle BI Answers

    • Oracle BI Dashboards

    • Oracle BI Delivers

    • Oracle BI Presentation Server

    • Oracle BI Server

  • Other components

    • Extended Spread Sheet Database (Essbase)

    • Oracle Real-Time Decisions (RTD)

    • Enterprise Crawl and Search Framework (ECSF)

    • Any LDAP server (such as, but not limited to, Oracle Internet Directory (OID)).


OID is the LDAP server that supports provisioning by default, but Oracle Fusion Applications supports third-party servers directly.

Access Components: Explained

Access components safeguard against unauthorized use at all levels of an Oracle Fusion Applications deployment infrastructure.

The user types and provisioning components described below illustrate how access components interact in an Oracle Fusion Applications deployment.


Access components support securing all types of users.

  • Internal users on trusted devices

  • Remotely located users on trusted devices

  • Partners

  • Web site users

The following graphic shows Oracle Fusion Applications running on the Web services of Oracle Fusion Middleware and subjecting internal and external users to authentication and authorization as defined by the security policies and identities stored in a Lightweight Directory Access Protocol (LDAP) store. Access to sensitive data is further protected by safeguards such as Oracle Database Vault and Oracle Virtual Directory.

Figure shows internal and external users relative to a DMZ and the secured enterprise. Through Oracle Identity Management, access undergoes authentication and authorization using the policy and identity stores of the LDAP, which provides access to sensitive applications data through privacy safeguards.


Non-repudiation is handled either through audit trails within Oracle Fusion Applications or through Oracle Web Services Manager (OWSM) support for signatures using Web services security.

Provisioning Components

Provisioning components additionally safeguard against unauthorized access.

The following diagram shows Oracle Fusion Applications provisioning and reconciliation for accounts, roles, and HR and Oracle Fusion Trading Community Model identity. User and account provisioning uses Oracle Virtual Directory. Oracle Internet Directory is an LDAP repository.

Single sign-on triggers authentication in LDAP so a user can be authorized to access Oracle Fusion Applications based on policies and provisioned roles reconciled in Oracle Identity Management.

Security Principles: How They Are Applied

Understanding how Oracle Fusion applies common security principles may be helpful in planning your Oracle Fusion Applications deployment.

Standard Security Principles

Oracle Fusion Applications applies the following standard security principles:

  • Least privilege

  • Containment and no write down

  • Transparency

  • Assured revocation

  • Defense in depth

Adherence to these principles enhances Oracle Applications Cloud security.


Changes and customizations required by your enterprise may reverse the protections provided by these principles.

How Security Principles Are Applied

Oracle Applications Cloud applies these security principles through a specific implementation of features and various supporting tools.

Least Privilege

Oracle Applications Cloud roles carry only required privileges. Application roles define duties that entitle access to only the functions and data necessary for performing the defined tasks of that duty.

Containment and No Write Down

Secured information cannot move from more to less secure stores, such as the unsecured search index, data warehouse, or a test database. Oracle Applications Cloud enforces security policies consistently across tools, access methods, and the entire information life cycle from data at rest and in transit to clones and backups.

Oracle Applications Cloud does not write sensitive information from an environment that applies restrictions to gain access to that sensitive information to one that does not. For example, Oracle Applications Cloud does not write personally identifiable information that is sensitive and private, such as national identifiers or home contact details, from Oracle Fusion Human Capital Management Cloud (Oracle Fusion HCM Cloud) to the Lightweight Directory Access Protocol (LDAP) stores. This policy extends to attachments.


Transparency

Function and data security policies are readable in plain language wherever policies are viewed or managed. Oracle Applications Cloud provides view access to implemented roles and security policies through Oracle Identity Management (OIM) and Authorization Policy Manager (APM), as well as security reference manuals and business analysis consoles.

Assured Revocation

Revoking one security policy revokes all implementations of that policy across all tools in production.

Defense In Depth

Personnel, technology, and operations are secured with multiple layers of defense across the life cycle of the information in motion, while at rest, and when accessed or used. In Oracle Fusion Applications, authentication and password security, encryption, and logging and auditing are mechanisms of redundant defense that enforce protection. A comprehensive defense-in-depth approach to protecting private and sensitive data includes securing sensitive data at rest or stored in database files and their backups, as well as in transit.

Security Processes: How They Are Applied

Processes used to secure Oracle Fusion Applications during implementation and when deployed deliver an integrated security approach.

Security Processes Used By Oracle Fusion Applications

The following processes support security across Oracle Fusion Applications.

  • Authentication

  • Federation

  • Authorization

  • Provisioning and reconciliation

  • Content Management

  • Monitoring and diagnostics

How Security Processes Are Used

Security processes in the Oracle Fusion Applications environment prohibit unauthorized access without requiring settings to be changed manually.


Authentication

Authentication manages who is allowed into a network or application. Once in the network or application, an entitlement of privileges manages what may be done.

Authentication works in tandem with managing identities in Lightweight Directory Access Protocol (LDAP) stores or other user directories to verify that a user is who they say they are. Password security is a primary authentication mechanism. Biometrics could be another. Authentication can be further refined by levels of demilitarized zone (DMZ) or security zones. Authentication is available as an embedded or external process using Java Authentication and Authorization Service (JAAS). For example, JAAS authenticates identities in an LDAP store or through Single Sign On in the Oracle Access Manager of Oracle Identity Management.

A user signs on and establishes an authenticated session to access secured functions, which in turn provides access to data based on entitlement granted to roles that have been provisioned to the user.


Oracle Fusion Applications supports anonymous sessions, weak authentication (remember me), multi-level authentication, and global session identifiers.

The authentication mechanisms used in Oracle Fusion Applications are negotiated by the Secure Sockets Layer (SSL). User sign-in can be deferred to an external authenticator using Single Sign On in the Oracle Access Manager. Authentication successes and failures are recorded in audits.


Federation

Federation enables identities and their relevant roles (entitlement) to be propagated across security domains, within and among multiple organizations.

For example, enterprises implement identity federation within their portals. Acme Inc. and Beta Corp. are business partners. Acme is a national computer parts distributor, and Beta is a computer manufacturer that makes the parts that Acme resells. Beta has several inventory and production applications within its portal, and it wants the employees of Acme to access these applications, so that Acme can operate more efficiently. Using federation, Acme provides identity information that it owns, and Beta authorizes access and serves up applications that it owns. Federation manages the credentials, profiles, and sign-ins of each Acme employee that accesses Beta's applications. If an Acme employee quits or is fired and Beta is not told, that ex-employee is automatically locked out of Beta's systems as soon as the user leaves Acme Inc.


Authorization

Authorization is the permission for an entity to perform some action against some resource. For example, a user's enterprise role membership authorizes access to all Oracle Fusion Applications resources needed to enable the user to fulfill the duties described by that job or abstract role. OPSS controls the authorization processes on functions; Oracle Fusion Data Security, and in some cases application code, controls the authorization processes on data.

Segregation of duties is a type of authorization constraint that defines violations that could result in misuse of information.

Provisioning and Reconciliation

Security related provisioning involves provisioning roles and identities or people.

Human approvals secure a task using both grants and roles. Administrators and implementation consultants apply the RBAC standard in Oracle Fusion Applications to the requirements of their enterprise using provisioning tools.

Accounts are created as identities or people in the Lightweight Directory Access Protocol (LDAP) store. Roles are provisioned by making the identity a member of a group that is the requested role. LDAP records and serves Oracle Fusion Applications security with identities, policies, and credentials.

Oracle Fusion Applications notifies the IT security manager of all account requests, role provisioning requests, and grants to ensure role administration is always documented, authorized and auditable. Accounts are created as identities in the LDAP store.

Oracle Fusion Applications uses the following tools to handle account and role provisioning with the stores, as well as Human Resources (HR) and Oracle Fusion Trading Community Model identity provisioning with the Oracle Fusion Applications schema.

  • Oracle Fusion Human Capital Management (HCM)

  • Oracle Identity Management (OIM)

Provisioning infrastructure and policies include provisioning services, temporary storage of registration data, approval and approval routing, notifications, business logic, and eligibility. Users are provisioned using the LDAP deployed for use by Oracle Fusion Applications.

Granting or revoking object entitlement to a particular user or group of users on an object instance or set of instances extends the base Oracle Fusion Applications security reference implementation without requiring customization of the applications that access the data.

Changes to identity information are reconciled to OIM (LDAP) and thereby reconciled to users. Changes to users are not reconciled to identity information in HR.

Content Management

Oracle Fusion Applications integrates with Oracle WebCenter Content using LDAP, single sign on, and web services to handle attachments. By default an Oracle Fusion Applications deployment grants no access to documents through content management user interfaces. All access is through Oracle Fusion Applications.

Oracle Fusion applications apply security to files in Oracle WebCenter Content by calling a file authorization web service to determine whether the current user has been granted access to a file. When a user tries to access a file, the application determines whether the user is permitted access and grants access for the duration of the session.

Attached documents are only accessible through Oracle Fusion Applications user interfaces, not through content management user interfaces. Attached documents that contain sensitive information are placed in document categories that require authorization when content is accessed from within Oracle Fusion Applications. Function security rules apply to content management. Access to attachments is determined by access to the owning entity, such as a table, purchase order, agreement, or supplier account, but also to the category.

For example, a role that has access to the purchase order, such as a buyer, can view attachments in the category Note to Buyer and can create, update, and delete attachments in the category Note to Receiver. The receiver of the purchase order and receipts entity can view attachments in the category Note to Buyer and Special Handling Instructions.

All workers typically have access sufficient for viewing all other workers in a public directory, but workers should not have access to any attachments for the person. Line managers have access to workers that they manage and have access to documents such as performance review notes or anything they choose to upload, but line managers do not have access to things like tax documents or visa documents. HR specialists have access to all people for whom they are responsible and can see everything that the line manager sees, as well as visa documents, but not tax documents. Payroll specialists have access to all people for whom they are responsible and can view the tax documents. Security of person documents is implemented using Document Type security profiles.
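The rules above combine two decisions: the user must first be able to reach the owning entity (the purchase order or the person record), and then one of the user's roles must hold the requested action on the attachment's category. The following is an added example of that two-step check, not Oracle's file authorization web service or any code from the page; the roles, categories, entity access map and documents are constructed from the purchase-order and person-document examples in the text.

```python
"""Category-based authorization for attachments: access to the owning entity
first, then to the attachment category, for the requested action.
Added example with constructed roles, categories and documents."""

# category -> role -> allowed actions (constructed from the examples in the text)
CATEGORY_GRANTS = {
    "Note to Buyer":                 {"Buyer": {"view"}, "Receiver": {"view"}},
    "Note to Receiver":              {"Buyer": {"view", "create", "update", "delete"}},
    "Special Handling Instructions": {"Receiver": {"view"}},
    "Performance Review Notes":      {"Line Manager": {"view", "create", "update", "delete"},
                                      "HR Specialist": {"view"}},
    "Visa Documents":                {"HR Specialist": {"view"}},
    "Tax Documents":                 {"Payroll Specialist": {"view"}},
}

# owning entity -> roles that may reach the entity at all. This stands in for the
# function/data security decision on the purchase order or person record; a real
# deployment scopes it further (a line manager reaches only the workers they manage).
ENTITY_ACCESS = {
    "purchase_order": {"Buyer", "Receiver"},
    "person":         {"Worker", "Line Manager", "HR Specialist", "Payroll Specialist"},
}


def can_access_attachment(user_roles, entity, category, action):
    """Both checks must pass: access to the owning entity, then a category grant
    for the action held by at least one of the user's roles. A Worker reaches the
    person record (public directory) but holds no category grants, so sees nothing."""
    if not set(user_roles) & ENTITY_ACCESS.get(entity, set()):
        return False
    grants = CATEGORY_GRANTS.get(category, {})
    return any(action in grants.get(role, set()) for role in user_roles)


def visible_attachments(user_roles, entity, attachments):
    """Filter (category, filename) pairs down to those the user may view."""
    return [name for category, name in attachments
            if can_access_attachment(user_roles, entity, category, "view")]


if __name__ == "__main__":
    docs = [("Performance Review Notes", "review.pdf"),
            ("Visa Documents", "visa.pdf"),
            ("Tax Documents", "w2.pdf")]
    for roles in ({"Worker"}, {"Line Manager"}, {"HR Specialist"}, {"Payroll Specialist"}):
        print(sorted(roles), "->", visible_attachments(roles, "person", docs))
```

Because the entity check runs first, a role that holds a category grant but no entity access (a payroll specialist asked for a purchase-order note) is refused before the category table is consulted, which is the order the text describes.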

You associate attachment categories with an entity using the Manage Attachments Categories task.

Monitoring and Diagnostics

Oracle Fusion Applications security works at runtime to prevent and detect embezzlement, such as fraud, and other acts of personal gain at the expense of an enterprise. Tools and tasks that are relevant to detection include analyzing risks carried in segregation of duties violations.

System configuration is relevant to runtime processes. Administrators determine and modify system configuration based on enterprise security requirements and the particulars of their Oracle Fusion Applications deployment using diagnostics.

Security Standards: How They Are Applied

Security standards and tools used to secure Oracle Fusion Applications during implementation and when deployed deliver an integrated security approach.

Security Standards Used By Oracle Fusion Applications

The following standards and tools support security across Oracle Fusion Applications.

  • Role-based access control (RBAC)

  • Lightweight Directory Access Protocol (LDAP)

  • Java Authentication and Authorization Service (JAAS)

These standards are complied with during Oracle Fusion Applications certification.

How Security Standards and Tools Are Used

Security standards and tools in the Oracle Fusion Applications environment prohibit unauthorized access without requiring settings to be changed manually.

Role-Based Access Control

The role-based access control (RBAC) standard is applied to Oracle Fusion Applications function and data security to enforce user access based on the role of the user within the organization rather than just the user's individual identity.

  • Security administration organizes access entitlement by roles to reflect business policies

  • Role hierarchies and constraints express security policies

  • Authorization constraints, such as segregation of duties (SOD), prevent information misuse

The effectiveness of the standard is limited by roles that are too broadly defined with duties and provisioned to users for whom some of those duties may not be appropriate. The Oracle Fusion Applications security reference implementation provides a full range of fine-grained role definitions.
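The RBAC model described here (job roles inheriting duty roles, duty roles carrying privileges, and segregation-of-duties constraints flagging role combinations that could be misused, as the Authorization section also notes) can be made concrete in a few dozen lines. The following is an added example, not code from the page or from the Oracle Fusion Applications reference implementation; the role, duty and privilege names are constructed, and the SoD rules are illustrative pairs rather than Oracle's shipped constraints.

```python
"""Role hierarchy with inherited privileges and segregation-of-duties (SoD)
checks. Added example; role, duty and privilege names are constructed."""

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    privileges: set = field(default_factory=set)   # privileges granted directly
    inherits: set = field(default_factory=set)     # names of roles this role inherits


class RoleModel:
    def __init__(self):
        self.roles = {}
        self.sod_rules = []   # (privilege_a, privilege_b, reason): must not be held together

    def add_role(self, name, privileges=(), inherits=()):
        self.roles[name] = Role(name, set(privileges), set(inherits))

    def add_sod_rule(self, priv_a, priv_b, reason):
        self.sod_rules.append((priv_a, priv_b, reason))

    def effective_privileges(self, role_name):
        """Union of a role's own privileges and everything it inherits (cycle-safe)."""
        seen, stack, privs = set(), [role_name], set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            role = self.roles[name]
            privs |= role.privileges
            stack.extend(role.inherits)
        return privs

    def user_privileges(self, provisioned_roles):
        privs = set()
        for role_name in provisioned_roles:
            privs |= self.effective_privileges(role_name)
        return privs

    def is_authorized(self, provisioned_roles, privilege):
        """Function security decision: the privilege must reach the user via some role."""
        return privilege in self.user_privileges(provisioned_roles)

    def sod_violations(self, provisioned_roles):
        """SoD rules violated by the user's combined role set. Each role may be fine
        on its own; the conflict appears only when roles are combined, which is why
        the check runs over the whole provisioned set rather than per role."""
        privs = self.user_privileges(provisioned_roles)
        return [(a, b, why) for a, b, why in self.sod_rules if a in privs and b in privs]


def build_model():
    """Constructed accounts-payable roles: fine-grained duties, job roles on top."""
    m = RoleModel()
    m.add_role("Supplier Maintenance Duty", {"CREATE_SUPPLIER", "UPDATE_SUPPLIER"})
    m.add_role("Invoice Entry Duty", {"CREATE_INVOICE"})
    m.add_role("Payment Processing Duty", {"PAY_INVOICE"})
    m.add_role("Invoice Inquiry Duty", {"VIEW_INVOICE"})
    m.add_role("Accounts Payable Specialist",
               inherits={"Invoice Entry Duty", "Invoice Inquiry Duty"})
    m.add_role("Accounts Payable Manager",
               inherits={"Payment Processing Duty", "Invoice Inquiry Duty"})
    m.add_role("Supplier Administrator", inherits={"Supplier Maintenance Duty"})
    m.add_sod_rule("CREATE_SUPPLIER", "PAY_INVOICE",
                   "creating a supplier and paying it enables fictitious-vendor fraud")
    m.add_sod_rule("CREATE_INVOICE", "PAY_INVOICE",
                   "entering and paying the same invoice bypasses review")
    return m


if __name__ == "__main__":
    model = build_model()
    user_roles = {"Accounts Payable Specialist", "Accounts Payable Manager"}
    print(sorted(model.user_privileges(user_roles)))
    for a, b, why in model.sod_violations(user_roles):
        print(f"SoD violation: {a} + {b}: {why}")
```

The duties are deliberately narrow, which is what makes the least-privilege and SoD checks meaningful: a duty that bundled invoice entry with payment would be flagged as soon as it was provisioned to anyone, while two narrow duties are flagged only when one user accumulates both.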

Lightweight Directory Access Protocol

LDAP provides an Oracle Fusion Applications deployment with lookup and communications services on the identity and policy stores.

Java Authentication and Authorization Service

Java Authentication and Authorization Service (JAAS) is a standard interface used for integrating with internal and third party sources for authentication and authorization, including LDAP and Single Sign On.

Oracle Platform Security Services (OPSS) provides tools and services for recording, reorganizing, and reviewing features of Oracle Fusion Applications security:

  • Users across Oracle Fusion Applications

  • Enterprise roles that are provisioned to users

  • Application roles that each application provides to fulfill an enterprise role

  • Entitlement that is granted to application roles

  • Access to services, web pages, and individual widgets

Security Products: How They Are Applied

Products used to secure implementations and deployments of Oracle Fusion Applications include function and data access management through vaulting, encryption or masking, and controls.

Security Products Used By Oracle Fusion Applications

The following integrated products support security across Oracle Fusion Applications.

  • Oracle Identity Management (OIM)

  • Oracle Web Services Manager (OWSM)

  • Oracle HTTP Server

Additional products are available for enhanced protections.

  • Oracle Audit Vault

  • Oracle Access Manager

  • Oracle Role Manager

  • Oracle Entitlement Server

  • Oracle Virtual Directory

  • Oracle Transparent Data Encryption (TDE)

  • Oracle Database Vault

How Security Products Are Used

Security products in the Oracle Fusion Applications technology stack prohibit unauthorized access without requiring changes to be made in applications. They are used in the following areas.

  • Business intelligence

  • Policy and identity stores

  • Database protections

  • Optional database vaulting

  • Optional data encryption and masking

  • Controls

Business Intelligence

Monitoring, reporting, and analysis capabilities available through the Oracle Business Intelligence Foundation Suite for Oracle Applications (OBIFA) components of Oracle Fusion Applications support adherence to or compliance with regulations. Reports of roles by product, functional privileges by role, and data security policies by role allow security professionals to modify and adapt their deployment of Oracle Fusion Applications security. Access to BI reports is also under role-based access control.

Policy and Identity Stores

Oracle Fusion Applications policy and identity stores are implemented using the Lightweight Directory Access Protocol (LDAP) store in Oracle Internet Directory to record and serve Oracle Fusion Applications security with repositories of users, roles, identities, policies, credentials, and other security elements.

Enterprise roles are implemented as LDAP Groups.

The policy store includes function security policies. Policies define security rules in XML and can be viewed and managed using Authorization Policy Manager.

Enterprise roles and role hierarchies of the reference implementation are stored in the identity store and available to the users you add to the identity store for your enterprise. The data security policies of the reference implementation are stored in the policy store. Data security policies reference duty roles to assert exactly what a job or abstract role means.

Vaulting and Database Protections

Vaults serve to protect categories of data from improper access.

  • A database vault protects sensitive data from highly privileged users such as database administrators (DBA).

  • An audit vault secures archives of audit data with reports and alerts that notify of access to sensitive information.

  • A virtual privacy boundary on data protects personally identifiable information (PII) attribute values.

For example, Oracle Database Vault (ODV) is certified for use with Oracle Fusion Applications. ODV can be used to secure sensitive data that is not PII. If Oracle Fusion Applications is deployed with ODV, the vault can protect credit card information, which reduces the risk of insider threats with separation of duty, multi-factor authorization and command rules. If Oracle Fusion Applications is deployed without ODV, Oracle Database Encryption APIs secure confidential PII attributes such as credit card and bank account numbers with controls at the column level.

Data Encryption and Masking

Encryption and masking prevent unauthorized access to sensitive data. Oracle Fusion Applications protects sensitive data by using encryption APIs to mask fields in production user interfaces.

Oracle Fusion Applications is certified for use with the following additional products if they are included in a deployment.

  • Oracle Transparent Data Encryption (TDE)

  • Data Masking tools in Oracle Enterprise Manager

Encryption protects data as it is written to the file system against unauthorized access via that file system or on backups and archives. The data can be decrypted by applications when it is retrieved. Transparent Data Encryption enables encrypting data in columns independent of managing encryption keys.

Data masking prevents views of sensitive data. Data masking in Enterprise Manager overwrites sensitive data with randomly generated data in non-production instances such as for development, testing, or diagnostics. This type of masking is irreversible and the sensitive data cannot be reconstituted.
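The distinguishing property of this kind of masking is that it is irreversible: sensitive values are overwritten with random data of the same shape, and nothing retained allows the originals to be recovered. The following is an added example of that property, not the Enterprise Manager data masking tool or any code from the page; the records are constructed. It goes one step beyond the text: within a single masking run the same original value is replaced by the same random value, so a national identifier that keys two tables still joins after masking, but the substitution map exists only in memory for that run and is never written anywhere.

```python
"""Irreversible, format-preserving masking for a non-production copy.
Added example with constructed records; not Oracle's masking tool."""

import re
import secrets
import string


class Masker:
    def __init__(self):
        # original -> replacement, for this run only; never persisted, so there is
        # no way back from the masked copy to the production values
        self._map = {}

    @staticmethod
    def _random_like(value):
        """Replace each digit with a random digit and each letter with a random
        letter of the same case; punctuation and layout ('-' in an identifier,
        ' ' and '+' in a phone number) are kept so format checks still pass."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def mask(self, value):
        if value not in self._map:
            replacement = self._random_like(value)
            # never emit the original by chance (only possible if value has any
            # alphanumerics to randomize at all)
            while replacement == value and any(c.isalnum() for c in value):
                replacement = self._random_like(value)
            self._map[value] = replacement
        return self._map[value]


SENSITIVE_COLUMNS = {"national_id", "home_phone", "bank_account"}


def mask_tables(tables, sensitive=SENSITIVE_COLUMNS):
    """Return masked copies of every table; inputs are left untouched. One Masker
    is shared across tables so a value repeated in two tables masks identically."""
    masker = Masker()
    return {
        name: [{k: (masker.mask(v) if k in sensitive else v) for k, v in row.items()}
               for row in rows]
        for name, rows in tables.items()
    }


def same_format(original, masked):
    """True when masked has the same length, punctuation positions and character classes."""
    def shape(s):
        return re.sub(r"[a-z]", "a", re.sub(r"[A-Z]", "A", re.sub(r"\d", "9", s)))
    return shape(original) == shape(masked)


# constructed sample: a person record and a payroll record keyed by national_id
SAMPLE = {
    "persons": [{"person_id": 10, "name": "J. Example",
                 "national_id": "123-45-6789", "home_phone": "+1 555 0100"}],
    "payroll": [{"person_id": 10, "national_id": "123-45-6789",
                 "bank_account": "GB29NWBK60161331926819"}],
}

if __name__ == "__main__":
    for table, rows in mask_tables(SAMPLE).items():
        print(table, rows)
```

Using `secrets` rather than `random` matters here: a masked copy produced from a seedable generator could be regenerated by anyone who learned the seed, which would quietly turn an irreversible process into a reversible one.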


Controls

Security controls are policies, audits, and assurances. Security controlling products include the following.

  • Oracle Identity Management (OIM) centrally controls user accounts and access privileges

  • Oracle Authorization Policy Manager (APM) manages the security policies that control access based on roles

  • Oracle Virtual Private Database (VPD) applies security policies at row and column levels in the database

Each of these products, except VPD, provides user interfaces for administering security controls. VPD controls are applied by running scripts against the database.
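The row- and column-level controls described for VPD, and the data security policies that reference duty roles (see Policy and Identity Stores above), both reduce to the same evaluation: for each policy that matches the user's role, the table and the requested action, a row predicate decides which rows are visible, and a column list decides which values the role sees in clear. The following is an added example of that evaluation, not Oracle Fusion Data Security, VPD or any code from the page; the table, roles, business-unit context and policies are constructed.

```python
"""Row-level predicates and column masking evaluated per role, in the spirit of
Oracle Fusion Data Security policies and VPD. Added example; the table, roles,
policies and context are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DataSecurityPolicy:
    role: str
    table: str
    actions: frozenset                          # e.g. {"read", "update"}
    predicate: object                           # callable(row, context) -> bool: the instance set
    masked_columns: frozenset = frozenset()     # columns this role never sees in clear


# constructed sample table
SUPPLIER_BANK_ACCOUNTS = [
    {"supplier_id": 1, "business_unit": "US", "account_number": "111122223333", "owner": "Acme"},
    {"supplier_id": 2, "business_unit": "US", "account_number": "444455556666", "owner": "Beta"},
    {"supplier_id": 3, "business_unit": "UK", "account_number": "777788889999", "owner": "Gamma"},
]

POLICIES = [
    # AP specialists read suppliers in their own business units; account numbers masked
    DataSecurityPolicy("AP Specialist", "supplier_bank_accounts", frozenset({"read"}),
                       lambda row, ctx: row["business_unit"] in ctx["business_units"],
                       frozenset({"account_number"})),
    # Payment managers read and update in their business units and see account numbers
    DataSecurityPolicy("Payment Manager", "supplier_bank_accounts", frozenset({"read", "update"}),
                       lambda row, ctx: row["business_unit"] in ctx["business_units"]),
]


def query(table_name, rows, user_roles, action, context):
    """Return the rows the user may perform `action` on. Rows no policy grants are
    simply absent (the way a VPD predicate filters them), not an error. A column is
    returned as None, as a column-masking policy would, unless at least one of the
    policies granting that row lets this user see it in clear."""
    applicable = [p for p in POLICIES
                  if p.table == table_name and p.role in user_roles and action in p.actions]
    result = []
    for row in rows:
        granting = [p for p in applicable if p.predicate(row, context)]
        if not granting:
            continue
        masked = frozenset.intersection(*(p.masked_columns for p in granting))
        result.append({k: (None if k in masked else v) for k, v in row.items()})
    return result


if __name__ == "__main__":
    ctx = {"business_units": {"US"}}
    for roles in ({"AP Specialist"}, {"Payment Manager"}, {"Buyer"}):
        print(sorted(roles), query("supplier_bank_accounts", SUPPLIER_BANK_ACCOUNTS, roles, "read", ctx))
```

The context dictionary stands in for session attributes (here the user's business units) that a VPD policy function would read from the application context; the predicate is evaluated per row so that the same policy serves every user without per-user rules.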

Secured Oracle Fusion Applications Deployments: Points To Consider

Considerations in deploying secure Oracle Fusion applications include the following.

  • Baseline standalone deployment infrastructure

  • Integrations with other applications

  • Extended deployment with secured Web services

  • Secured audits

Oracle Fusion Applications security is designed to control exchanges with third party or non-Fusion deployments.

Standalone Deployment

Oracle Fusion Applications are designed to be deployed as a complete applications platform.

In the absence of integrations with legacy applications or external Web services that allow data to be loaded into Oracle Fusion applications database tables, the design and reference implementation provide standalone security.

Extending a standalone deployment of Oracle Fusion Applications involves adding new entities to the Online Transaction Processing (OLTP) database table or even configuring new attributes through flexfields. Extending Fusion Applications does not include making changes to the behavior of an application unless that change involves adding new data attributes to an existing entity object and adding any new entity objects to an application.

Where Oracle Fusion Applications need to be extended, you may additionally need to install Oracle JDeveloper.

Application Identities

Calling applications use application identities (APPID) to enable the flow of transaction control as it moves across trust boundaries. For example, a user in the Distributed Order Orchestration product may release an order for shipping. The code that runs the Pick Notes is in a different policy store than the code that releases the product for shipment. When the pick note printing program is invoked it is the Oracle Fusion Distributed Order Orchestration Application Development Framework (ADF) that is invoking the program and not the end user.

Oracle Fusion Applications stores application IDs just like individuals, but in a separate branch of the identity store directory.

Before deployment, review the Lightweight Directory Access Protocol (LDAP) identity store to verify the existence of the APPIDs.


Do not change or remove application identities or their permissions.

The following application identities are predefined.

Application Identity Code Application Identity Name

  • Application Toolkit User Messaging Service Application Identity

  • Approval Management Service Application Identity

  • Data Role Template Application Identity

  • Oracle Fusion Search Administrator Application Identity (CRM)

  • Business Intelligence Applications Extract Transform and Load Application Identity

  • Oracle Identity Manager Application Identity

  • Oracle Fusion Search Application Identity

  • Applications Development Framework Application Identity (CRM)

  • Applications Development Framework Business Intelligence Application Identity (CRM)

  • Applications Development Framework SOAP Application Identity (CRM)

  • Applications Diagnostic Framework Application Identity (CRM)

  • Enterprise Search and Crawl Framework Application Identity (CRM)

  • Oracle Enterprise Manager Application Identity (CRM)

  • Email Sending Daemon Application Identity (CRM)

  • Enterprise Scheduler Job Application Identity (CRM)

  • Enterprise Scheduler Reporting Application Identity (CRM)

  • Oracle Data Integrator Application Identity (CRM)

  • Oracle Data Integrator Supervisor Application Identity (CRM)

  • Applications Development Framework Self Service Application Identity (CRM)

  • Oracle Fusion Search Application Identity (CRM)

  • Web Services Application Identity (CRM)

  • Applications Development Framework Application Identity (Financials)

  • Employee National Identifiers Application Identity

  • Employee Matching Application Identity (Financials)

  • Document Management Integration Application Identity (Financials)

  • Web Services Application Identity (Financials)

  • Applications Diagnostic Framework Application Identity (FSCM)

  • Enterprise Search and Crawl Framework Application Identity (FSCM)

  • Oracle Enterprise Manager Application Identity (FSCM)

  • Oracle Fusion Search Application Identity (FSCM)

  • Applications Diagnostic Framework Application Identity (HCM)

  • Enterprise Search and Crawl Framework Application Identity (HCM)

  • Oracle Enterprise Manager Application Identity (HCM)

  • Enterprise Scheduler Job Application Identity (HCM)

  • Batch Loader Enterprise Scheduler Job Application Identity (HCM)

  • Oracle Data Integrator Application Identity (HCM)

  • Oracle Data Integrator Supervisor Application Identity (HCM)

  • Oracle Fusion Search Application Identity (HCM)

  • Web Services Application Identity (HCM)

  • Service Provisioning Markup Language Interface Application Identity (HCM)

  • Web Center Forum Application Identity

  • Oracle WebCenter Crawl Application Identity

  • Web Services Manager Application Identity

  • Applications Development Framework Application Identity (Procurement)

  • Enterprise Scheduler Job Application Identity (Procurement)

  • Web Services Application Identity (Procurement)

  • Applications Development Framework Application Identity (Projects)

  • Enterprise Scheduler Job Application Identity (Projects)

  • Web Services Application Identity (Projects)

  • Applications Development Framework Application Identity (SCM)

  • Enterprise Scheduler Job Application Identity (SCM)

  • Web Services Application Identity (SCM)

  • Enterprise Scheduler Job Application Identity (Setup)

Application Identity Password Reset And Password Policy Management

As a security guideline, reset application identity passwords periodically during scheduled downtimes. For example, when moving application identities from one environment to another as part of moving an identity store, you must reset the passwords so they are unique to an environment. Reset the APPID passwords using the following command.


This command can be run only after the Oracle WebLogic Server installation for the Oracle Fusion Applications domain is set up.

First, run the following command to get the list of all the entries for which the passwords need to be set:

ldapsearch -h ldapHost -p ldapPort -D binddn -w password -b 'cn=appidusers,cn=users,namingcontext' -s sub 'objectclass=orclAppiduser' cn >& reset.txt

Then reset the passwords for the entries listed in that file:

ORACLE_HOME/idmtools/bin/appidtool.sh pwdreset -ldapHost tuvwxy0123.us.example.com -ldapPort 3060 -ldapUser cn=orcladmin -wlsHost tuvwxy0123.us.example.com -wlsPort 7001 -wlsUser weblogic -file reset.txt -userBase cn=users,namingcontext
Variable Refers to the value for:

  • ldapHost: Identity store host

  • ldapPort: Identity store port

  • ldapUser: User name for connecting to the identity store. This user should have the entitlement necessary to reset the APPID passwords.

  • wlsHost: Administration Server on the Oracle Fusion Applications domain

  • wlsPort: Administration Server port on the Oracle Fusion Applications domain

  • file: The file that contains the list of application identities for which the passwords need to be set

  • userBase: The user base under which the application identities exist
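The pre-deployment check above (verify that the APPIDs exist in the identity store) and the list that the ldapsearch step writes to reset.txt can be combined: parse the search output, collect the APPID cn values, and compare them with a baseline so that a missing or unexpected application identity is noticed before pwdreset runs. This is an added example, not Oracle's own tooling; it assumes the search output is standard LDIF (RFC 2849), and the cn values and baseline below are constructed placeholders rather than real APPID codes.

```python
# Added example, not from the Oracle documentation: read the LDIF that the
# ldapsearch step writes to reset.txt and compare the APPID cn values with a
# baseline before appidtool.sh pwdreset is run. Assumes RFC 2849 LDIF output.
import base64

def parse_ldif_cns(ldif_text):
    """Return the cn value of every entry in an LDIF search result."""
    lines = []
    for raw in ldif_text.splitlines():
        # A line starting with one space continues the previous line (LDIF folding).
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    cns = []
    for line in lines:
        if line.startswith("cn:: "):      # base64-encoded attribute value
            cns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("cn: "):
            cns.append(line[4:].strip())
    return cns

def check_appids(ldif_text, expected):
    """Return (missing, unexpected): baseline APPIDs absent from the store,
    and store entries the baseline does not list."""
    found = set(parse_ldif_cns(ldif_text))
    expected = set(expected)
    return sorted(expected - found), sorted(found - expected)

# Constructed sample ldapsearch output; the cn values are placeholders,
# not real Oracle Fusion APPID codes.
SAMPLE_LDIF = """\
dn: cn=APPID_EXAMPLE_ONE,cn=appidusers,cn=users,dc=example,dc=com
cn: APPID_EXAMPLE_ONE

dn: cn=APPID_EXAMPLE_TWO,cn=appidusers,cn=users,dc=example,
 dc=com
cn:: QVBQSURfRVhBTVBMRV9UV08=
"""

# Constructed baseline: the third entry is deliberately absent from the sample.
EXPECTED_APPIDS = ["APPID_EXAMPLE_ONE", "APPID_EXAMPLE_TWO", "APPID_EXAMPLE_THREE"]

if __name__ == "__main__":
    missing, unexpected = check_appids(SAMPLE_LDIF, EXPECTED_APPIDS)
    print("missing APPIDs:", missing)        # ['APPID_EXAMPLE_THREE']
    print("unexpected APPIDs:", unexpected)  # []
```

In a real run, read reset.txt into ldif_text and take the baseline from the identity store of the environment the APPIDs were exported from.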

Integrations With Other Applications

Integrating Oracle Fusion Applications with other applications, including other Oracle Applications product lines, requires decisions in the following areas.

  • Central Lightweight Directory Access Protocol (LDAP) repository

  • Data migration

  • Coordination of Oracle Fusion Applications roles to legacy function security control

For example, coordinate Oracle Fusion Applications roles to responsibilities and menu paths in Oracle eBusiness Suite (EBS) for integration between EBS and Oracle Fusion Applications.


Duty roles are not propagated or synchronized across Oracle Fusion Middleware, where they are considered to be application roles.

When implementing a system-to-system integration with an external system, you may need to identify that system in the identity store in order to grant that system permissions.

Extending Oracle Fusion Applications With a Secured Web Service

If you extend your Oracle Fusion Applications deployment with a Web service that allows external users to load data into database interface tables, consider the following requirements.

  • Implement authentication

  • Implement authorization checks. They are not strictly required, but without them identities can be shared, which removes your ability to audit the access.

  • Create a regular identity for the external user with the appropriate function and data security access.

For example, create a new duty role with the desired data access entitlement, privilege to submit an Oracle Enterprise Scheduler Service job, and permission to access the Web Service.

Tuning and Maintaining Deployments

Tuning and maintaining Oracle Fusion Applications security includes auditing, managing changes, and handling leaks, threats, and inappropriate access.

Tasks that consume web services exposed to Enterprise Manager (EM) require specific duty roles to be provisioned to the users performing those tasks. For example, the user connecting to the web service that EM uses to collect metrics must be provisioned with the FUN_BU_ADMIN_DUTY role.

Avoid provisioning users who are under audit with roles that are entitled to manage audits and audit results. Avoid provisioning users who are under audit with roles that entitle access to protected data the users are otherwise not permitted to access.


Avoid letting the users who configure audits be the same users who performed the activities under audit.

For information about elevating access privileges for a scheduled job, see the Oracle Fusion Applications Developer's Guide for Oracle Enterprise Scheduler.