Tracking User, Authority, and Password Updates
Overview: Order Management System tracks updates to users, user classes, and external payment service settings in the User Audit table, and tracks user password changes in the Password Audit table.
User Audit table: The User Audit table tracks activity that has taken place in creating or changing user records, user classes, and user authority. The table also tracks changes to external payment services. The activities that trigger updates to the User Audit table include:
• Creating, changing, or deleting a user through the User Control screen, available through Advanced Commands
• Creating, changing, or deleting a user in Work with Users (WUSR), including updates to:
- Company authority
- Menu option authority
- Secured features
- Tickler group assignment
• Creating, changing, or deleting a user class in Work with User Classes (WUCL), including updates to:
- Company authority
- Menu option authority
- Secured feature authority
- Vendor authority
• Changes to user or user class authority for order hold reasons (WOHR)
• Changes to user or user class authority for return disposition value codes (WRDV)
• Creating, changing, copying, or deleting a secured feature (WSYS or NSEC)
• Updating a user’s email address (MUEE)
• Updating a user’s default menu (pressing F17 at a menu screen)
• Creating or changing information at the Work with External Service screen (WASV)
Password Audit table: The Password Audit table tracks password changes for users if the IDCS_ENABLED property is not enabled, including the user ID and name of the person who performed the update. The table does not include the actual passwords.
Reporting: Use the Print User Security Audit Reports (PUSA) menu option to generate reports of the activity tracked in the User Audit and Password Audit tables.
Purging the audit tables: The PURGEUA periodic function (Program name = PFR0215) purges User Audit and Password Audit records based on date.
Use the Parameter field for the periodic function to specify the number of days old a User Audit or Password Audit record must be to be eligible for purge. If the Parameter is blank or 0, records must be 365 days old to be eligible for purge.
In this chapter:
• Fields Used by Updated Table (User Audit)
• Print User Security Audit Reports (PUSA)
- User Authority Change Report
The updates to the User Audit table, based on updates to users, user classes, and secured features, are described below. See the Fields Used by Updated Table (User Audit) for a listing of the fields updated in the User Audit table for each updated source table.
Field |
Attributes |
Description |
Common Fields The following fields are populated for all records in the User Audit table. |
||
Numeric, 7 positions (CYY/MM/DD format) |
The date when the change occurred. Always populated. |
|
Numeric, 6 positions (HHMMSS format) |
The time when the change occurred. Always populated. |
|
Alphanumeric, 1 position |
Indicates whether the record reflects: • A = The record after the activity. • B = The record before the activity. Change: A change to an existing record creates both an A and a B audit record. Addition: Creation of a new record creates just an A audit record. Deletion: Deletion of an existing record creates just a B audit record. Always populated. |
|
Alphanumeric, 1 position |
The type of action that took place: • A = add • C = change • D = delete Always populated. Note: Creating a new user results in audit records for the User and Users tables, as well as the User Extended table if you specify an email address. Additional table updates take place as you work with different types of user authorization, such as assigning authority to a company and then setting that company as the user’s default. |
|
Alphanumeric, 25 positions |
The table updated by the activity. See the Fields Used by Updated Table (User Audit) for a listing, including the activities that create each type of audit record and the included fields. All fields populated: All fields that are populated in the updated table are populated in the audit record. For example, a user record includes a default company and a default output queue. If you make any change to the user record, the default company and default output queue are included in the before and after records, even if these settings have not changed. However, the User Authority Change Report includes fields only if they have been updated. Certain activities update multiple tables: For example, deleting a user also deletes the User Extended record, the Auth User Company record, and other dependent records. Always populated. |
|
Alphanumeric, 10 positions |
The ID of the user who performed the activity. Always populated. |
|
Alphanumeric, 30 positions |
The name of the user who performed the activity at the time of the update. From the User record. Always populated. |
|
Alphanumeric, 10 positions |
The record affected by the activity. Possible authority entries: • a user ID when the user is created, changed, or deleted, or when an external payment service is changed • a user class when the user class is created, changed, or deleted • a secured feature code when the company-level secured feature is created, changed, or deleted Always populated. |
|
Alphanumeric, 1 position |
The authority type affected by the activity. Possible types: • U = user ID (this code is also used for external auth service updates) • C = user class • F = secured feature Always populated. |
|
Alphanumeric, 30 positions |
The name of the user, user class, or secured feature related to the activity. Always populated. User name: Populated with a user name by a change related to the user, when the Updated Table is User, Users, User Extended, Auth User Company, Auth User Feature, Auth User Menu Option, User Field Authority, or User Tickler Group. In the case of an External Payment Service update, this is the user who performs the update. From: • the User name set up through the User Control screen available through Advanced Commands if the activity updates the Users table, even if the update took place through the Work with Users option. Fields in the Users table but also accessible through the Work with Users option include: - Advanced commands - All jobs authority - Status - Rank • the Name set up through Work with Users for any other activity related to the user. User class: Populated with the user class name by a change related to the user class, when the Updated Table is User Class, Auth User Class Company, Auth User Class Feature, Auth User Class Option, User Class Field Auth, or User Class Vend Auth. In this case, the Name/description is the same as the User class description. Secured feature: Populated with the secured feature description, when the Updated Table is Secured Feature. In this case, the Name/description is the same as the Secured feature desc. |
|
Alphanumeric, 512 positions |
Lists the settings of any changed fields: • Before record: Lists the affected field settings before the activity • After record: Lists the affected field settings after the activity Example: You changed the default company for a user from 12 to 3: After: Default Company: 3 Before: Default Company: 12 This information is listed on the User Authority Change Report or on the generated spreadsheet file if the information’s length exceeds the available space on the report. |
|
Additional Fields Each remaining field in the User Audit table is populated only if the corresponding source table includes the same field, and it is populated in the source table. For example, only the User table includes the CTI user type field, so this field can be populated in the User Audit table only for an audit record of a User record that has a CTI user type specified. |
||
Numeric, 3 positions |
The Company related to the update. Populated for the following tables by: • User: Changing or deleting a user if a Default company was assigned. Not populated by adding a user, because you first need to assign company authority for a user before setting the default company. • Auth User Company: Changing a user’s company authority, or deleting a user who had company authority. When you delete a user with authority to multiple companies, a separate audit record is created for each authorized company. • Auth User Feature: Adding or changing secured feature authority for a user. • User Class: Adding, deleting, or changing the default company for a user class. • Auth User Class Company: Adding or deleting company authority for a user class. • Auth User Class Feature: Adding, changing, or deleting secured feature authority for a user class. • Auth User Class Vendor Auth: Deleting authority to a vendor for a user class. • Secure Feature: Creating, changing, or deleting a secured feature at the company level. • User Field Authority: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user. • User Class Field Auth: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user class. • External Auth Service: Updating any settings at the Work with External Authorization Service screen. |
|
Alphanumeric, 1 position |
The CTI user setting for the created, changed, or deleted user. Possible settings: • Y = CTI user • N = User does not have fast path authority Populated only for User table updates. |
|
Alphanumeric, 1 position |
The CTI user type setting for the created, changed, or deleted user. Optional field. Possible types: • 1 = Receive inbound only • 2 = Initiate outbound only • 3 = Inbound and outbound Populated only for User table updates. |
|
Alphanumeric, 1 position |
The CTI default screen setting for the created, changed, or deleted user. Optional field. Possible settings: • 1 = Always display CTI screen • 2 = Display CTI screen with call Populated only for User table updates. |
|
Alphanumeric, 4 positions |
The CTI telephone extension setting for the created, changed, or deleted user. Optional field. Populated only for User table updates. |
|
Alphanumeric, 10 positions |
Populated for the following tables by: • User: Creating, updating, or deleting a user with a User class assigned. Optional field. • User Class: Creating, updating, or deleting a user class. • Auth User Class Company: Changing the company authority for a user class, or deleting a user class. • Auth User Class Feature: Deleting or changing the feature authority for a user class. • Auth User Class Option: Changing user class menu option authority, or deleting a user class. • User Class Vendor Auth: Deleting vendor authority for a user class. • User Class Field Auth: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user class. |
|
Alphanumeric, 30 positions |
The Description of the created, changed, or deleted user class. Populated only for User Class table updates. |
|
Alphanumeric, 8 positions |
Possible settings are: • *ALLOW • *EXCLUDE • *DISPLAY (menu option authority only) Populated for the following tables by: • User: Creating, changing, or deleting a user. • User Field Authority: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user. • Auth User Feature: Adding or changing secured feature authority for a user. • Auth User Menu Option: Adding, changing, or deleting menu option authority for a user. • User Class Field Authority: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user class. • Auth User Class Option: Adding, changing, or deleting menu option authority for a user class. • Auth User Class Feature: Adding or changing secured feature authority for a user class. • Secure Feature: Changing the default authority for a secured feature at the company level. |
|
Alphanumeric, 1 position |
The Log use setting for the created, changed, or deleted user. Optional field. Possible settings: • Y = Log use • N or blank = Do not log use Populated only for User table updates. |
|
Alphanumeric, 1 position |
The Security administrator setting for the created, changed, or deleted user. Optional field. Possible settings: • Y = Security administrator • N or blank = Not a security administrator Populated only for User table updates. |
|
Alphanumeric, 1 position |
The Fast path setting for the created, changed, or deleted user. Optional field. Possible settings: • Y = User has fast path authority • N or blank = User does not have fast path authority Populated only for User table updates. |
|
Alphanumeric, 10 positions |
The default Output queue for the created, changed, or deleted user. Optional field. Populated only for User table updates. |
|
Alphanumeric, 10 positions |
The Default menu setting for the created, changed, or deleted user. Optional field. Populated only for User or User Class table updates. |
|
Alphanumeric, 3 positions |
The Language for the created, changed, or deleted user. Optional field. Populated only for User table updates. |
|
Alphanumeric, 50 positions |
The user’s Email address. Populated only for User Extended table updates. |
|
Alphanumeric, 3 positions |
The code identifying the secured feature. Populated for the following tables by: • Auth User Feature: Adding or changing secured feature authority for a user. • Auth User Class Feature: Adding or changing secured feature authority for a user class. • Secured Feature: Adding, changing, or deleting a secured feature at the company level. |
|
Alphanumeric, 40 positions |
The description of the secured feature. Populated only for Secured Feature updates. |
|
Alphanumeric, 10 positions |
The code identifying the tickler group added to or deleted from the user. Populated only for User Tickler Group updates for a user. |
|
Numeric, 7 positions |
The vendor whose authority was changed for the user class. Populated only for User Class/Vendor Auth updates. |
|
Alphanumeric, 10 positions |
Not currently implemented. |
|
Alphanumeric, 2 positions |
The code identifying a: • hold reason code if the User field auth type is HR, or • return disposition value if the User field auth type is RD Populated for the following tables by: • User Field Authority: Creating, changing, or deleting user authority to a hold reason code or a return disposition value. • User Class Field Authority: Creating, changing, or deleting user class authority to a hold reason code or a return disposition value. |
|
Alphanumeric, 2 positions |
The code identifying the type of user field changed. Possible values: • HR = hold reason code • RD = return disposition value Populated for the following tables by: • User Field Authority: Creating, changing, or deleting user authority to a hold reason code or a return disposition value. • User Class Field Authority: Creating, changing, or deleting user class authority to a hold reason code or a return disposition value. |
|
Alphanumeric, 4 positions |
The Fast path identifying a menu option. Populated for the following tables by: • Auth User Menu Option: Adding, changing, or deleting menu option authority for a user. • Auth User Class Option: Adding, changing, or deleting menu option authority for a user class. |
|
Numeric, 5 positions |
Not currently implemented. |
|
Alphanumeric, 1 position |
Indicates if the user is flagged for LDAP authentication. This setting is always set to N since LDAP authentication is not currently implemented. Populated only for User table updates. |
|
Alphanumeric, 10 positions |
The domain to use for LDAP authentication. Populated only for User table updates. Not currently implemented. |
|
Alphanumeric, 50 positions |
The user name that matches the network user ID for network authentication. Used only for LDAP authentication which is not currently implemented. Populated only for User table updates. |
|
Alphanumeric, 2 positions |
The two-position code identifying the user’s locale. Possible locales: • de = German • en = English • es = Spanish • fr = French • it = Italian |
|
Alphanumeric, 3 positions |
The three-position code identifying the date format for the user. Possible date formats: • DMY = DDMMYY format • MDY = MMDDYY format • YMD = YYMMDD format Note: The current date format at the time of the change is included in the Before and After entries for each user change. |
|
Numeric, 1 position |
The user’s authority rank. Set to: • 1 = the user can see and edit all other users through the User Control option (admin-level user authority). If the All jobs flag is selected, the user also has access to other users’ documents and forms at the Document Management and Form Management screens. Note: Assign this authority only to those users whose responsibilities require it. • any value from 2 to 9 = the user can use the User Control screen only to change his or her own password if IDCS is not in use, and has access to the documents and forms of other users (through the My Docs and My Forms options) only if those users share the same rank assignment and the All jobs flag is selected. For example, a user assigned to rank 5 has access to the forms of other users who are also assigned to rank 5. Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands. |
|
Alphanumeric, 1 position |
Set to: • Y = the user has authority to the Advanced Commands option through My Docs, My Forms, or My Jobs • N = the user does not have authority to the Advanced Commands option through My Docs, My Forms, or My Jobs Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands. |
|
Alphanumeric, 10 positions |
Indicates when the password for a user expires when IDCS is not enabled. Valid values are: • *NO = the password does not expire; for security reasons, this setting is not recommended. • expiration date in MM/DD/YYYY format = If the expiration date is on or earlier than the current date, then the next time the user logs in, Order Management System advances directly to the Password Expired screen. The user will need to change the password before it is possible to advance to another screen. Populated only for Users table updates through either the Work with Users option or the User Control screen available through Advanced Commands. |
|
Alphanumeric, 1 position |
Indicates the user’s authority to other users’ submitted jobs: • Y = the user can see and has authority to all other users’ jobs. Note: Assign this authority only to those users whose responsibilities require it. If this flag is selected and the User rank is: - 1: the user has access to all other users’ documents and forms. - 2 through 9: the user has access to the documents and forms of other users of the same rank. • N = the user can see and has authority only to the jobs, documents, and forms associated with the user’s own user ID. Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands. |
|
Alphanumeric, 10 positions |
Indicates if the user has access to Order Management System. Possible settings: • *ENABLED = the user can use Order Management System. • *DISABLED = the user cannot use Order Management System. Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands. |
Fields Used by Updated Table (User Audit)
Fields for all audit records: All records in the User Audit table use the following fields:
• B/A
• Action
Additional fields for different types of audit records: Additional fields used for the different possible updated tables are listed below:
Table |
Fields |
Ways to Update/Sample Report Entries |
Note: Optional fields, such as the Output queue, CTI settings, and User class, may be blank for the audit record. |
Work with Users (WUSR): • Create • Change (Note: The User Audit table is updated only if a change is made) • Delete Press F17 from a menu screen to make the current menu the default Sample entries on the User Authority Change Report: • Before: Menu: HOME2 • After: Menu: HOME |
|
Name/ description from Users table |
Work with Users (WUSR): • Create • Change (Note: The User Audit table is updated only if a change is made) • Delete The User Control screen available through Advanced Commands Sample entries on the User Authority Change Report: • Before: Rank: 9 • After: Rank: 1 |
|
Name/ description from User table |
Work with Users (WUSR): • Create • Change (Note: The User Audit table is updated only if a change is made) • Delete Update Email Address Domain (MUEE) Sample entries on the User Authority Change Report: • Before: Email Address: • After: Email Address: tbrown@example.com |
|
Name/ description from User table |
WUSR: • Company auth (any change) • Delete Sample entry on the User Authority Change Report: After: User: TBROWN Company Authority: 299 |
|
Note: This is the company that was active when you changed the function authority, even if the user does not have authority to the company. Name/ description from User table |
WUSR: • Feature auth (any change) • Delete Sample entry on the User Authority Change Report: After: User: HBROWN Feature: A01 Default Company: 6 Default Authority: *ALLOW, where A01 identifies the secured feature, and the Default Company is the company where the feature authority was set |
|
Name/ description from User table |
WUSR: • Menu option auth (any change) • Delete Sample entry on the User Authority Change Report: After: User: HBROWN Menu Option: DABJ Default Authority: *ALLOW |
|
This is the company that was active when you changed the function authority, even if the user does not have authority to the company. Name/ description from User table |
Work with Order Hold Reasons (WOHR): User release auth (any change) Work with Return Disposition Values (WRDV): User authority (any change) WUSR: Delete Sample entry on the User Authority Change Report: After: User: HBROWN Hold Reason: AT Type: HR Default Authority: *ALLOW |
|
Name/ description from User table |
WUSR: Tickler group (assigning or deleting) Sample entry on the User Authority Change Report: After: User: SSMITH Tickler Group: BASIC |
|
Name/ description of the user class (same as the User class description) Note: Optional fields (the Output queue and Menu) may be blank for the audit record. |
Work with User Classes (WUCL): • Create • Change (Note: The User Audit table is updated only if a change is made) • Delete Sample entries on the User Authority Change Report: • Before: Default Company: 0 • After: Default Company: 6 |
|
Name/ description of the user class |
WUCL: Company auth (adding or removing) Sample entry on the User Authority Change Report: After: User Class: OE Company Authority: 6 |
|
Name/ description of the user class |
WUCL: Feature auth (any change) Sample entry on the User Authority Change Report: After: User Class: CS2 Feature: A05 Default Company: 6 Default Authority: *EXCLUDE, where A05 is the secured feature, and Company 6 is the company where the feature was set |
|
Name/ description of the user class |
WUCL: Menu option auth (any change) Sample entry on the User Authority Change Report: After: User Class: CS2 Menu Option: DABJ Default Authority: *ALLOW |
|
Name/ description of the user who performed the update |
WASV: Enter or change any information at the Work with External Authorization Service Screen The Authentication User and encrypted Authentication Password are included if they were changed. The Auth Service code is always included. Sample entry on the User Authority Change Report: After: Auth Service: EXT Url: https://server.example.oracle.com:8008/CC-REST/cc/Test User: authUser Password: 0VXYaFBhc3N3b3JkMSE= |
|
This is the company that was active when you changed the function authority, even if the user does not have authority to the company. Name/ description of the user class |
Work with Order Hold Reasons (WOHR): User release auth (any change) Work with Return Disposition Values (WRDV): User authority (any change) Sample entry on the User Authority Change Report: After: User Class: CS2 Hold Reason: DH Type: HR Default Authority: *ALLOW |
|
Name/ description of the user class |
WUCL: Vendor auth (*EXCLUDE, deletion only) Sample entry on the User Authority Change Report: Before: User Class: CS2 Company: 6 Vendor: 2 |
|
Name/ description of the secured feature |
Work with System Values/Features (WSYS): Secured features: • Create • Copy • Change (Note: The User Audit table is updated only if a change is made) • Delete Process New Secure Feature Values (NSEC) Sample entries on the User Authority Change Report: • Before: Default Authority: *ALLOW • After: Default Authority: *EXCLUDE |
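One way a reviewer might triage an export of the User Audit table, as an added example (not Oracle's code): it decodes the CYY/MM/DD and HHMMSS values, pairs before (B) and after (A) records, and flags activities that raise a user to rank 1 or set a Default Authority to *ALLOW, noting when the user who performed the change is also the user affected. The row field names, the sample rows, and the reading of C as a century digit (1 = 20xx) are assumptions; the labels come from the sample report entries above.

```python
import re
from collections import namedtuple
from datetime import datetime

# Hypothetical field names for one exported User Audit row (not Oracle's column names).
Row = namedtuple("Row", "date time ba action table by authority atype changes")

# Labels as they appear in the sample report entries on this page.
LABELS = ["Default Authority", "Default Company", "Tickler Group", "Feature", "Rank", "User"]
_LABEL_RE = re.compile(r"\b(%s):\s*" % "|".join(map(re.escape, LABELS)))

def parse_cyymmdd(date, time):
    """Decode CYY/MM/DD + HHMMSS numerics; assumes C=0 is 19xx and C=1 is 20xx."""
    c, rest = divmod(int(date), 1_000_000)
    yy, rest = divmod(rest, 10_000)
    mm, dd = divmod(rest, 100)
    hh, rest = divmod(int(time), 10_000)
    mi, ss = divmod(rest, 100)
    return datetime(1900 + 100 * c + yy, mm, dd, hh, mi, ss)

def parse_settings(text):
    """Split 'User: HBROWN Feature: A01 ...' into {label: value} using known labels."""
    parts = _LABEL_RE.split(text)
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def pair_records(rows):
    """Return (before, after) per activity: change=(B, A), add=(None, A), delete=(B, None)."""
    events = {}
    for r in rows:
        # Two edits to the same record by the same user in one second would share a key.
        key = (r.date, r.time, r.table, r.by, r.authority)
        events.setdefault(key, {})[r.ba] = r
    return [(e.get("B"), e.get("A")) for e in events.values()]

def findings(rows):
    """Flag activities that widen access; deletions (no A record) are skipped."""
    out = []
    for before, after in pair_records(rows):
        if after is None:
            continue
        old = parse_settings(before.changes) if before else {}
        new = parse_settings(after.changes)
        reasons = []
        if new.get("Rank") == "1" and old.get("Rank") != "1":
            reasons.append("rank raised to 1 (admin-level)")
        if new.get("Default Authority") == "*ALLOW" and old.get("Default Authority") != "*ALLOW":
            reasons.append("authority set to *ALLOW")
        if reasons and after.atype == "U" and after.by == after.authority:
            reasons.append("self-granted")
        if reasons:
            out.append((parse_cyymmdd(after.date, after.time), after.by,
                        after.authority, after.table, reasons))
    return out

# Constructed sample rows (not real audit data).
ROWS = [
    Row(1240315, 91502, "B", "C", "Users", "TBROWN", "TBROWN", "U", "Rank: 9"),
    Row(1240315, 91502, "A", "C", "Users", "TBROWN", "TBROWN", "U", "Rank: 1"),
    Row(1240316, 140007, "B", "C", "Secured Feature", "JADMIN", "A01", "F",
        "Default Authority: *ALLOW"),
    Row(1240316, 140007, "A", "C", "Secured Feature", "JADMIN", "A01", "F",
        "Default Authority: *EXCLUDE"),
    Row(1240316, 140122, "A", "A", "Auth User Feature", "JADMIN", "HBROWN", "U",
        "User: HBROWN Feature: A01 Default Company: 6 Default Authority: *ALLOW"),
    Row(1240317, 80530, "B", "D", "User Tickler Group", "JADMIN", "SSMITH", "U",
        "User: SSMITH Tickler Group: BASIC"),
]

if __name__ == "__main__":
    for when, by, target, table, reasons in findings(ROWS):
        print(when.isoformat(), by, "->", target, f"[{table}]", "; ".join(reasons))
```

Because the PURGEUA periodic function removes records by age, a review like this only covers activity still inside the purge window.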
Overview: If Oracle Identity Cloud Service (IDCS) is not in use, Order Management System creates a record in the Password Audit table each time a user’s password changes through:
• the User Control screen available through Advanced Commands, or
• changing a password through the Password Expired screen
Password changes are not tracked when the IDCS_ENABLED property is set to true. Once IDCS use is enabled, password tracking ends; however, password audit records created before IDCS use was enabled remain in the table.
The information in the Password Audit table is listed below:
Field | Attributes | Description
Change date | Numeric, 7 positions (CYY/MM/DD format) | The date when the change occurred.
Change time | Numeric, 6 positions (HHMMSS format) | The time when the change occurred.
User ID of password | Alphanumeric, 10 positions | The user ID whose password was updated.
User name | Alphanumeric, 30 positions | The name of the user. From the Name set up through Work with Users.
Updated by user | Alphanumeric, 10 positions | The ID of the user who performed the activity.
Updated by user name | Alphanumeric, 30 positions | The name of the user who performed the activity at the time of the update. From the User record.