7 Location Based Access

Overview

You can use location based access to control user access to tasks and data based on their roles and computer IP addresses.

Let's take an example to understand how location based access is useful. You want your users to have complete access to tasks or features when they're signed into the application from your office network, but you want to restrict that access when users sign in from a home computer or an internet kiosk. To control the user access, you enable location based access and register the IP addresses of your office computers on the Security Console. Users have complete access to the tasks or features if they sign in from office computers. If they sign into the application from an unregistered computer, they can view and access only the generic tasks that aren't tied to any particular role. From an unregistered computer, they can't access the role-based tasks that they could access from the office.

Who Can Enable Location-Based Access

You must have the IT Security Manager role to enable location based access and make a role public. You can make a role public only when location based access is enabled. To enable location based access, you must register the IP addresses of computers from which the users usually sign in to the application.

What Happens When You Enable Location-Based Access

When you enable location based access, users signing into the application from registered IP addresses have complete access to all tasks. On the other hand, users signing in from unregistered IP addresses have no access to their role-based tasks and data. However, you can grant complete access to these users too, when required. You can also grant public access (access from all IP addresses) to certain roles. The users associated with those roles can access all tasks, no matter which IP address they sign in from.

How Location-Based Access Works

Location-based access combines the registered IP addresses of the computers and public roles to control access to the application.

Scenarios

To understand how location-based access works, consider the following scenarios and their effect on user access.

To avoid any access-related issue, carefully examine the given scenarios and plan well before you enable location-based access.

Scenario: You disable location-based access.

Impact on user access: All users signing into the application from their respective computers continue to have the same level of access as they had earlier.

Scenario: You enable location-based access and register a few IP addresses, but don't grant public access to any role.

Impact on user access:

  • Users who sign into the application from the registered IP addresses have access to their tasks as usual.

  • Users signing in from unregistered IP addresses can access only the generic tasks that aren't tied to any particular role.

Scenario: You enable location-based access, register a few IP addresses, and grant public access to certain roles.

Impact on user access:

  • Users signing in from the registered IP addresses have complete access.

  • Users signing in from unregistered IP addresses can't access any role-based tasks unless you grant public access to those roles. If you have made a role public, users can access all the tasks tied to that role.

Scenario: You enable location-based access, but don't register any valid IP address, and don't grant public access to any role.

Impact on user access: All users are locked out. No one can sign in.

Caution: Avoid this scenario. Register at least one valid IP address and grant public access (access from all IP addresses) to the IT Security Manager role when you enable location-based access.

Enable and Disable Location-Based Access

You can enable location-based access so that you can allow users to access tasks and data based on their roles and registered IP addresses. By default, location-based access is disabled.

Before You Start

Configure location-based access in a test environment and try it out before you configure it in a production environment. You must have the IT Security Manager role to enable location-based access. Additionally, you must:

  • Set up a valid email address. When required, the location-based access control reset or recovery notification is sent to that email address.

  • Add yourself to the user category for which the notification template ORA Administration Activity Requested Template is enabled.

  • Keep the list of valid IP addresses ready.

Enable Location-Based Access

  1. Click Navigator > Security Console.

  2. On the Administration page, click the Location Based Access tab.

  3. Select Enable Location Based Access.

  4. In the IP Address Whitelist text box, enter one or more IP addresses separated by commas. For example, 192.168.10.12, 192.168.10.0. To indicate a range of IP addresses, you may follow the Classless Inter-Domain Routing (CIDR) notation, such as 192.168.10.0/24.

    Note: You can enter the IP address (IPv4 only) range suffix only up to 32 in the IP Address Whitelist text box. For example, 168.1.192.0/32 to 168.1.192.32/32.
    Tip: Your computer's IP address appears on the page. Add that IP address to the list so that your access to the application remains unaffected when you sign in from that computer.
  5. Click Save.

  6. Review the confirmation message and click OK.

After you enable location-based access, make the IT Security Manager's role public to access Security Console even from an unregistered IP address.
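The following is an added example, not code from the Security Console itself: it models the access decision described in the Scenarios table and the whitelist format accepted in step 4 (comma-separated IPv4 addresses or CIDR ranges, up to /32). The `LbacConfig` class, function names, and the role and task names used in the comments are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class LbacConfig:
    enabled: bool            # the "Enable Location Based Access" check box
    whitelist: list          # parsed IP Address Whitelist entries (IPv4 networks)
    public_roles: frozenset  # roles enabled for access from all IP addresses

def parse_whitelist(text):
    """Parse the comma-separated whitelist: single addresses become /32 networks, CIDR
    ranges are kept, IPv6 and prefixes over 32 are rejected (IPv4 only, up to /32)."""
    networks = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # ValueError on e.g. /33
        if net.version != 4:
            raise ValueError(f"IPv4 only, rejected: {entry}")
        networks.append(net)
    return networks

def whitelist_is_valid(text):
    """True when every entry parses as an IPv4 address or IPv4 CIDR range."""
    try:
        parse_whitelist(text)
        return True
    except ValueError:
        return False

def is_registered(config, client_ip):
    """True when the signing-in computer's address lies in a whitelisted network."""
    return any(ipaddress.ip_address(client_ip) in net for net in config.whitelist)

def locks_everyone_out(config):
    """The table's last scenario: enabled, no valid address, no public role."""
    return config.enabled and not config.whitelist and not config.public_roles

def accessible_tasks(config, client_ip, user_roles, role_tasks, generic_tasks):
    """Tasks reachable per the Scenarios table: full role access when disabled or
    registered, generic plus public roles' tasks when unregistered, nothing on lockout."""
    if locks_everyone_out(config):
        return set()                      # no one can sign in
    allowed = set(user_roles)
    if config.enabled and not is_registered(config, client_ip):
        allowed &= config.public_roles    # only public roles survive off-network
    tasks = set(generic_tasks)
    for role in allowed:
        tasks |= set(role_tasks.get(role, ()))
    return tasks
```

Running `locks_everyone_out` against a planned configuration before saving is the check the Caution in the Scenarios section asks for.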

Disable Location-Based Access

To disable location-based access, deselect the Enable Location Based Access check box. The existing IP addresses remain in a read-only state so that you can reuse the same information when you enable the functionality again. At that point, you can add or remove IP addresses based on your need.

FAQs for Location Based Access

What is whitelisting?

Whitelisting is the process of granting trusted entities access to data or applications. When you enable location based access and register the IP addresses of computers, you're storing those IP addresses as trusted points of access. In other words, you're whitelisting those IP addresses. Users signing in from those computers will be considered as trusted users and have unrestricted access to the application.

Why can't I see the Location Based Access tab on the Administration page?

To prevent any incorrect configuration, the profile option Enable Access to Location Based Access Control associated with the Location Based Access tab may be disabled. As a result, the tab isn't visible. Contact your Application Implementation Consultant or Administrator to enable the profile option so that the Location Based Access tab appears on the Administration page.

How can I make a role public?

On the Security Console, identify the role that you want to make public. Except duty roles, you can make all roles public. On the Edit Role page, select the option Enable Role for Access from All IP Addresses and save the changes. All users associated with that role will have access to the role-based tasks, no matter which computer they're using to sign into the application.

Note: You can make a role public only if location based access is enabled.

How can I ensure that I always have access to the Security Console?

If location based access is enabled, you must add your computer's IP address to the whitelist. Also ensure that the IT Security Manager role is granted public access. Even if you have to sign in from an unregistered computer, you can still access the Security Console and other tasks associated with the IT Security Manager role.

How can I disable Location-based Access when I am not signed in to the application?

You want to disable location-based access but you're locked out of the application and can't sign in to the Security Console. You must request access to the Administration Activity page using the URL provided to the administrators.

Make sure you have the following privileges:

  • ASE_ADMINISTER_SSO_PRIV

  • ASE_ADMINSTER_SECURITY_PRIV

After you request access to the Administration Activity page, you get an email at your registered email ID containing a URL with the following format:

https://<FA POD>/hcmUI/faces/AdminActivity

Click the URL and you're directed to a secure Administrator Activity page. Select the Disable Location Based Access option and click Submit. You receive a confirmation that location-based access is disabled. Immediately, you're redirected to the Oracle Applications Cloud login page where you can sign in using your registered user name and password, and gain access to tasks and data as earlier.

How can I disable Location-based Access when I am locked out of the application?

If you're locked out of the application for some reason, use the following Administration Activity URL to disable location-based access:

https://<FA POD>/hcmUI/faces/AdminActivity

Only an administration user with the IT Security Manager job role can perform this unlock operation.

Ensure that the following email notification templates are enabled:

  • ORA Administration Activity Requested Template

  • ORA Location Based Access Disabled Confirmation Template

How many IP Addresses can I enter in the IP Address Whitelist text box?

Ensure that the IP address list that you enter in the IP Address Whitelist text box doesn't exceed 10000 characters. If you want to include more IP addresses beyond the 10000-character limit, then you must enable the profile option ASE_EXTEND_LOCATION_BASED_ACCESS_CONTROL_IP_STORAGE.

Here's how you enable the profile option:

  1. In the Setup and Maintenance work area, open the task Manage Administrator Profile Values.

  2. Search the following Profile Option Code:

    ASE_EXTEND_LOCATION_BASED_ACCESS_CONTROL_IP_STORAGE

  3. In the Profile Value drop-down list, select Yes.

  4. Click Save and Close.

If your organization has a large network of computers, then you can import a .csv file containing the list of IP addresses. If the number of characters in the file doesn't exceed 10000, the import is successful. If the number of characters exceeds the limit, the import completes with a warning.

Do these steps:

  1. In the Setup and Maintenance work area, select All Tasks from the Show drop-down list in the Initial Users section.

  2. Click Actions for the task Manage Applications Security Preferences.

  3. Click Import from CSV File, Create New.

  4. Click Browse to select the file.

  5. Click Submit.

    If the number of characters doesn't exceed 10000, the file is imported successfully. Otherwise, the import completes with a warning.