8Managing Location-Based Access

This chapter contains the following:

Location Based Access

You can use location based access to control user access to tasks and data based on their roles and the IP addresses of the computers from where they're signed in.

Let's take an example to understand how location based access is useful. You want your users to have unrestricted access to tasks or features only when they're signed into the application from your office network. For security reasons, you want to restrict access to the application when users sign in from a home computer or an internet kiosk. To bring this restriction into effect, you enable location based access and register the IP addresses of your office computers on the Security Console. As long as users are signed in from their office computers, they have no problem in accessing the tasks. If they sign into the application from an unregistered computer, they can view and access only the generic tasks that aren't tied to any particular role. They can't view the role-based tasks to which they had access while they were at office.

Enabling Location Based Access

You must have the IT Security Manager role to enable location based access and make a role public. To enable location based access, you must register the IP addresses of computers from which the users usually sign in to the application. When location based access is enabled, users signing into the application from registered IP addresses have complete access to all tasks.

On the other hand, users signing in from unregistered IP addresses will have no access to their role-based tasks and data. However, you can override this functionality and make a provision to grant specific users complete access, even when they sign in from unregistered IP addresses. You can grant certain roles public access (access from all IP addresses) so that the users associated with those roles get complete access to the tasks, irrespective of which IP address they sign in from. This option is linked with enabling location based access. If location based access isn't enabled, you can't make a role public.

How Location Based Access Works

Location based access combines the registered IP addresses of the computers and public roles to control access to the application.

Scenarios

To understand how location based access works, consider the following scenarios and their effect on user access.

Scenario Effect on User Access

Location based access is disabled.

This is the default setting. All users signing into the application from their respective computers will continue to have the same level of access as they had earlier. There's no change in access control.

Location based access is enabled and a few IP addresses are registered, but no role is public.

Users who sign into the application from the registered IP addresses will have access to their tasks as usual. As no roles are made public, users attempting to sign in from unlisted IP addresses will have access only to the generic tasks that aren't tied to any particular role.

Location based access is enabled, a few IP addresses are registered, and a few roles are made public.

Users signing in from the registered IP addresses will have complete access. Users signing in from unlisted IP addresses will have no access to any of the role-based tasks unless those roles have been granted public access. If the role is made public, the user will have access to all the tasks tied to that role.

Location based access is enabled but no valid IP address is listed, and no role is public.

All users are locked out. No one will be able to sign in.

Caution: Try and avoid this scenario. If you are enabling location based access, ensure that at least one valid IP address is listed and at least the IT Security Manager role is granted public access (access from all IP addresses).

To avoid any access-related issue, carefully examine the given scenarios and plan well before you enable location based access.

Enable and Disable Location Based Access

By default, location based access is disabled. You can enable location based access so that you can allow users to access tasks and data based on a combination of roles and registered IP addresses.

Before You Begin

Configure location based access in a test environment and try it out before you configure it in a production environment. You must have the IT Security Manager role to enable location based access. Additionally, you must:

  • Set up a valid email address. When required, the location based access control reset or recovery notification is sent to that email address.

  • Add yourself to the user category for which the notification template ORA Administration Activity Requested Template is enabled.

  • Keep the list of valid IP addresses ready.

Enable Location Based Access

Perform the following steps.

  1. Click Navigator > Security Console.

  2. On the Administration page, click the Location Based Access tab.

  3. Select Enable Location Based Access.

  4. In the IP Address Whitelist text box, enter one or more IP addresses separated by commas. For example, 192.168.10.12, 192.168.10.0. If you want to indicate a range of IP addresses, you may follow the Classless Inter-Domain Routing (CIDR) notation such as 192.168.10.0/24.

    Tip: Your computer's IP address is displayed just above the check box. Ensure that you add that IP address to the list so that your access to the application remains unaffected as long as you sign in from this computer.
  5. Click Save.

After you enable location based access, make the IT Security Manager's role public so that you can access Security Console even when signed in from an unregistered IP address.

Disable Location Based Access

To disable location based access, deselect the Enable Location Based Access check box. The existing IP addresses remain in a read-only state so that you can reuse the same information when you enable the functionality again. At that point, you can add or remove IP addresses as per the requirement.

FAQs for Managing Location-Based Access

What is whitelisting?

Whitelisting is a the process of granting trusted entities access to data or applications. When you enable location based access and register the IP addresses of computers, you are storing those IP addresses as trusted points of access. In other words, you are whitelisting those IP addresses. Users signing in from those computers will be considered as trusted users and have unrestricted access to the application.

Why can't I see the Location Based Access tab on the Administration page?

To prevent any incorrect configuration, the profile option ASE_ADMINISTER_LOCATION_BASED_ACCESS_CONTROL associated with the Location Based Access tab is perhaps disabled. As a result, the tab isn't visible. Contact your Application Implementation Consultant or Administrator to enable the profile option so that the Location Based Access tab appears on the Administration page.

How can I make a role public?

On the Security Console, identify the role that you want to make public. Except duty roles, you can make all roles public. On the Edit Role page, select the option Enable Role for Access from All IP Addresses and save the changes. All users associated with that role will have access to the role-based tasks, no matter which computer they're using to sign into the application.

Note: You can make a role public only if location based access is enabled.

How can I ensure that I always have access to the Security Console?

If location based access is enabled, you must add your computer's IP address to the whitelist. Also ensure that the IT Security Manager role is granted public access. Even if you have to sign in from an unregistered computer, you can still access the Security Console and other tasks associated with the IT Security Manager role.