7 Advanced Security
While the default Security settings are adequate for most sites, there are several additional Advanced Settings that can be configured to support a wider range of security requirements. This section outlines the various security settings available and the configurations supported.
Menu Security Guidelines
By default, a menu option is displayed whenever a user has access to the underlying Application Service definition attached to the objects that are indirectly linked to the menu entry. While this behavior is enough for most needs, it is possible to place an override on an individual menu item that supersedes the lower-level security. This is particularly useful where implementations intend to replace base-supplied menu items with custom menu items.
Linking the menu item to a new service that references the underlying objects, and specifying an Application Service for the menu item (optionally with an Access Mode as well), overrides the permissions on the underlying objects.
See Defining Menu Options in the online help provided with your service for information about managing menu security.
Security Types
By default, users have full access to the objects via the access methods specified in their user groups. If the implementation plans to add further levels or rules, then the Application Service must use Service Types. The Service Type definition allows additional tags to be attached to service definitions; code is then written to detect the presence of a tag and limit access to specific object data accordingly, for example by masking data or by placing a limit on data values.
See Defining Security Types in the online help provided with your service for information about managing security types.
Default Generic Application Services
By default, all sets of Application Services are defined against base functions. In line with Data Ownership Rules, some of these records can be altered and new functions added. A set of generic Application Services are also shipped with Oracle Utilities Cloud Services to provide a mechanism for defining new zones, new objects, or new menu items for rapid deployment.
The following generic Application Services (optional use) secure objects, zones, and menu items:
- F1-DFLTS - This secures business objects and supports the Add, Modify, Delete, and Inquire access methods.
Data Masking Support
Oracle Utilities Cloud Services can mask data within objects in an appropriate fashion. The data is not stored in masked form; it is configured to be displayed in a masked format to users by means of Security Types.
Oracle Utilities Cloud Services supply the F1-MASK internal algorithm type, which performs basic data masking.
See User Interface Masking in the online help provided with your service for information about data masking.
Secure Online Debug Mode
Oracle Utilities Cloud Services' online debug mode provides the ability to diagnose issues, solve problems, and trace code. As an Oracle Utilities Cloud Service feature, this is security-controlled.
To use the function, one of the user's user groups must include Inquire access to the F1DEBUG Application Service, which enables the debug facility from the URL.
Secure Online Cache Management
Oracle Utilities Cloud Services' online cache management function resets the online cache to force new values to be loaded. As an Oracle Utilities Cloud Service feature, this is security-controlled.
To use the function, one of the user's user groups must include Change access to the F1ADMIN Application Service, which enables the cache management facility from the URL.
Groovy Support
Oracle Utilities Cloud Services support Groovy for extensions via the script engine, augmenting the Java and scripting support with an alternative. The Groovy implementation has some limitations for security reasons:
- Groovy APIs with direct access to operating system functions have been block listed for security reasons and therefore cannot be used. Alternative functions provide safe access to selected operating system functions.
- Access to Groovy syntax is governed by an allowlist that defines the valid subset of Groovy classes available for the Oracle Utilities Cloud Service. Refer to the allowlist on the Sidebar zone of the Script maintenance function for more information about the supported classes.
Oracle Cloud Object Storage Support
By default, use of the FILE-BATCH variable was restricted to locally mounted storage, where network storage could be used via mapped directories. It is now also possible to use Oracle Cloud Object Storage as a source of import files or as a location to write files.
To use this feature, Oracle recommends the following:
- Create or edit a lookup value for the F1-FileStorage extendable lookup for each cloud service used, with the following Connection Details:

Connection Details | Notes
File Adapter | Use Oracle Cloud Object Storage
REST Endpoint URL | Cloud storage's endpoint URL. Exclude the Service Name or Container Name from the URL
User Name | The cloud username to use
Password | The corresponding password for the cloud username

- To use the definition, set the FILE-PATH variable in the Batch Control definition or batch configuration file for the relevant batch controls using the file-storage://<ExtendableLookupValue>/<serviceName> format, where <ExtendableLookupValue> is the name of the lookup value configured in F1-FileStorage and <serviceName> is the service name for the Oracle Cloud Object Storage service.
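As an added illustration (not code from the Oracle Utilities Cloud Services product), the following Python parses a FILE-PATH value in the file-storage:// format described above, resolves the <ExtendableLookupValue> against a constructed F1-FileStorage lookup, and checks the note that the REST Endpoint URL must exclude the service name. The lookup entries, field names and the way the final location is composed (endpoint followed by the service name) are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample F1-FileStorage lookup values (made up; keys mirror the Connection Details above).
F1_FILE_STORAGE = {
    "CLOUD_IMPORT": {
        "file_adapter": "Oracle Cloud Object Storage",
        "rest_endpoint_url": "https://objectstorage.example-region.oraclecloud.com",
    },
    # Misconfigured entry: the service/container name was left in the endpoint URL.
    "BAD_ENDPOINT": {
        "file_adapter": "Oracle Cloud Object Storage",
        "rest_endpoint_url": "https://objectstorage.example-region.oraclecloud.com/bucket01",
    },
}

FILE_STORAGE_RE = re.compile(r"^file-storage://([^/]+)/([^/]+)/?$")

def parse_file_storage_path(file_path):
    """Return (ExtendableLookupValue, serviceName) for a FILE-PATH written as
    file-storage://<ExtendableLookupValue>/<serviceName>, or None otherwise."""
    m = FILE_STORAGE_RE.match(file_path)
    return (m.group(1), m.group(2)) if m else None

def validate_file_storage_path(file_path, lookup=F1_FILE_STORAGE):
    """Return the problems found for a FILE-PATH; an empty list means it resolves."""
    parts = parse_file_storage_path(file_path)
    if parts is None:
        return [f"not in file-storage://<lookup>/<service> format: {file_path!r}"]
    lookup_value, service_name = parts
    entry = lookup.get(lookup_value)
    if entry is None:
        return [f"no F1-FileStorage lookup value named {lookup_value!r}"]
    problems = []
    if entry.get("file_adapter") != "Oracle Cloud Object Storage":
        problems.append(f"{lookup_value!r} does not use the Oracle Cloud Object Storage adapter")
    # The REST Endpoint URL must exclude the service/container name: the FILE-PATH
    # supplies it, so an endpoint that already carries it would double it up.
    if service_name in urlparse(entry.get("rest_endpoint_url", "")).path.split("/"):
        problems.append(f"endpoint URL of {lookup_value!r} already contains service {service_name!r}")
    return problems

def resolve_file_storage_path(file_path, lookup=F1_FILE_STORAGE):
    """Compose the object storage location (assumed layout: endpoint + '/' + service)."""
    problems = validate_file_storage_path(file_path, lookup)
    if problems:
        raise ValueError("; ".join(problems))
    lookup_value, service_name = parse_file_storage_path(file_path)
    return lookup[lookup_value]["rest_endpoint_url"].rstrip("/") + "/" + service_name
```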
SYSUSER Account
By default, the Oracle Utilities Cloud Service installation supplies an initial SYSUSER account. This account is defined in the default security realm of the provided templates, is provided as the initial User object in the authorization model, and is used as the default user in some transactions.
You cannot physically remove the SYSUSER account, as it is used by the initial installation and owned by the Oracle Utilities Cloud Service. You can deactivate this account under the following conditions:
- Alternative identities have been configured for the authentication and authorization components of Oracle Utilities Cloud Service.
- Every facility in the implementation that uses the SYSUSER account as the default identity has been changed to an alternative to prevent misconfiguration of the facility.
Note:
Oracle recommends that you use the appropriate alternatives for transactions instead of the SYSUSER account.
The Batch Control facilities use the SYSUSER account as the default identity. Replace SYSUSER in batch control configuration files, batch edit configuration files, or the Oracle Scheduler configuration wherever the account is used for batch control submission.
You can deactivate the SYSUSER account by:
- Removing SYSUSER from configured security realms for authentication, preventing the user from authenticating.
- Setting the User Enable attribute (SYSUSER user object) to Disable, which deactivates the account and prevents any unauthorized activity under it in Oracle Utilities Cloud Service.
SCIM 2.0 Provisioning
By default, it is possible to provision users from the Oracle Cloud Infrastructure Identity and Access Management (IAM) using a pre-built adapter. It is also possible to directly provision users from a SCIM 2.0 compliant security repository. Refer to the online documentation provided with your service for more details of the SCIM 2.0 support.
IP Allowlist
Inbound and outbound communications from the service can be controlled via IP Address Allow Listing. The security infrastructure assesses inbound and outbound communications against the allowlist and allows or blocks the traffic accordingly.
Allowlists for inbound and outbound traffic are managed via Oracle Cloud Infrastructure Identity and Access Management (IAM) using network perimeters.