Ranu Srivastava
Collection of System Administration Articles
http://apps2fusion.com
Core Security now includes a Role Based Access Control model that builds on the existing Function
Security and Data Security models.
Key features of Oracle User Management include
Role Based Access Control (RBAC)
Delegated Administration
Registration Processes
Self Service Requests and Approvals
Oracle Application Object Library security is primarily comprised of two parts, Function Security and Data
Security. Function Security restricts user access to individual menus of functions, such as forms, HTML
pages, or widgets within an application. Data Security restricts the access to the individual data that is
shown once a user has selected a menu or menu option.
The Sign-On Audit feature allows you to track your users' activities. AuditTrail lets you keep a history of
changes to important data: what changed, who changed it, and when.
Administration Privileges
Administration Privileges determine the users, roles and organization information that
delegated administrators (local administrators) can manage.
User Administration Privileges.
Role Administration Privileges.
Organization Administration Privileges.
Registration Processes
The role(s) assigned after the user successfully completes the process.
An optional registration user interface for collecting account or additional information.
A workflow for approval, confirmation, rejection, and identity verification notifications.
The Approval Management Transaction Type. A transaction type represents a set of approval routing
rules that are interpreted at runtime.
The set of users that are eligible to sign up for additional access (only applicable for Request for
Additional Access registration processes).
Whether identity verification is required. Identity verification confirms the identity of a requester before
the registration request is processed, by sending an email
Self-Service Account Requests
Commonly referred to as Self Service Registration, self-service account requests provide a method for
persons to request a new user account.
Requests for Additional Access
Users can request additional access through the Oracle User Management Access Request Tool (ART),
available in the Global Preferences menu. Requests for Additional Access use the same Oracle User
Management infrastructure and processing logic as Self Service Account Requests.
Registration Engine
The Oracle User Management registration engine uses a workflow to define the business logic that drives
the registration process once a request has been submitted. The name of the workflow is User
Management Registration Workflow (UMXREGWF). This process:
Raises business events (oracle.apps.fnd.umx.rolerequested, oracle.apps.fnd.umx.accountrequested)
Provides temporary storage of registration data
Provides identity verification
Includes the integration point with Oracle Approval Management
Activates user accounts
Reserves and releases user names
Assigns roles
Maintains registration status in the Oracle User Management schema
Launches notification workflows
AOL Security
Defining Application Users
Responsibilities Define Application Privileges
HRMS Security
Data Group
Request Security Group
Responsibility, Menu
Function and Menu Exclusions
Request Security Group
User Session Limits
ICX:Session Timeout
ICX: Limit time
ICX: Limit connect
Overview of Data Security
Data Security allows administrators to control user access to specific data, as well as what functions
users can apply to that data.
Data Security uses the concept of an Object to define the data records that are secured. Data security
permissions are managed on objects. Business entities such as Projects and Users are examples of
objects. An object instance is a specific example of an object, such as Project Number 123 or User JDOE.
An object instance set is a group of related object instances within an object. A set is specified as a
predicate on the keys or attributes of an object, expressed as a SQL "WHERE clause". All instances that
satisfy the predicate are considered members of the object instance set. For example: STATUS = 'ACTIVE'
Privileges given to users and groups determine their access to secured objects. Users are individuals who
have access to software applications at a particular enterprise. Users can belong to Groups. The grouping
can come from position or organization relationships modeled in applications such as Oracle Human
Resources. A function is the smallest unit of securable product functionality. A permission is the smallest
unit of securable actions that can be performed on the system. Functions are grouped into related sets so
that administration of these functions can be performed in higher-level business terms. A grant authorizes
a particular user to perform a specified action (function) on a specified object instance (or object instance
set). Granting any function to a user on an object instance also gives the user the ability to query that
object instance. An object function is a function that is performed on an object. An object function is
associated with an object. For example, "Accept Purchase Order - PO_ACCEPT", "Decline Purchase
Order - PO_DECLINE", and "Cancel Purchase Order - PO_CANCEL" are object functions associated with
the Purchase Order object. Object functions are also referred to as simply "functions". Function sets are
sometimes called "object roles".
Security context refers to the context of the data in which the user is working. For example, data context
could be the organization or responsibility with which the user is logged in. For Oracle HRMS, data can be
partitioned into separate security groups. Each security group can contain unique configuration data, and
multiple security groups can exist in the same installation.
Implementation of Data Security
Implementing data security can involve two distinct tasks:
Creating a data security policy, in which you secure access to an object
Granting access to a set of functions (either a navigation menu or a permission set) to a user or group of
users
Data security policies can reflect access to:
A specific instance (row) identified by a primary key value
All instances (rows) of an object
An instance set defined by a SQL predicate (WHERE clause)
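The following is an added example written for this page, not Oracle Application Object Library code: a small Python model of the data security concepts described above. A secured object (PROJECT) has instances; a grant gives a user or group a function set on one instance, on all instances, or on an instance set defined by a SQL WHERE clause; and any grant on an instance also implies the ability to query it. The object, function, user and group names and the project rows are constructed sample data, and the in-memory SQLite table only stands in for the object's base table.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: one secured object, PROJECT, with three instances.
PROJECTS = [
    {"PROJECT_ID": 101, "STATUS": "ACTIVE", "ORG_ID": 10},
    {"PROJECT_ID": 102, "STATUS": "CLOSED", "ORG_ID": 10},
    {"PROJECT_ID": 103, "STATUS": "ACTIVE", "ORG_ID": 20},
]

# Constructed group membership: a grant to a group applies to every member.
GROUPS = {"PROJECT_MANAGERS": {"JDOE", "ASMITH"}}


@dataclass(frozen=True)
class Grant:
    grantee: str          # a user name or a group name
    functions: frozenset  # the function set (object role) being granted
    scope: str            # "instance", "set" or "all"
    value: object = None  # primary key for "instance"; WHERE clause text for "set"


def instance_set(predicate: str) -> set:
    """Evaluate an instance-set predicate (a SQL WHERE clause from the data
    security policy) against the object's rows and return the matching keys.
    The predicate is administrator-defined policy text, never end-user input."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project (PROJECT_ID INTEGER, STATUS TEXT, ORG_ID INTEGER)")
    conn.executemany("INSERT INTO project VALUES (:PROJECT_ID, :STATUS, :ORG_ID)", PROJECTS)
    keys = {row[0] for row in conn.execute(f"SELECT PROJECT_ID FROM project WHERE {predicate}")}
    conn.close()
    return keys


def grant_covers(grant: Grant, key: int) -> bool:
    """Does this grant's scope include the object instance with primary key `key`?"""
    if grant.scope == "all":
        return True
    if grant.scope == "instance":
        return grant.value == key
    return key in instance_set(grant.value)


def grantees_for(user: str) -> set:
    """The user itself plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def is_authorized(user: str, function: str, key: int, grants: list) -> bool:
    """True if some grant gives `user` (directly or through a group) `function`
    on instance `key`.  Any grant on an instance also implies QUERY on it."""
    for g in grants:
        if g.grantee not in grantees_for(user) or not grant_covers(g, key):
            continue
        if function in g.functions or function == "QUERY":
            return True
    return False


def accessible_instances(user: str, function: str, grants: list) -> set:
    """Keys of all instances on which `user` may perform `function`."""
    return {p["PROJECT_ID"] for p in PROJECTS
            if is_authorized(user, function, p["PROJECT_ID"], grants)}


# Constructed policies: one per kind of data security policy listed above.
GRANTS = [
    Grant("JDOE", frozenset({"PROJECT_UPDATE"}), "instance", 101),               # one row
    Grant("PROJECT_MANAGERS", frozenset({"PROJECT_CLOSE"}), "set", "STATUS = 'ACTIVE'"),  # instance set
    Grant("AUDITOR", frozenset({"PROJECT_VIEW"}), "all"),                        # all rows
]

if __name__ == "__main__":
    print("JDOE may query:", sorted(accessible_instances("JDOE", "QUERY", GRANTS)))
    print("ASMITH may close:", sorted(accessible_instances("ASMITH", "PROJECT_CLOSE", GRANTS)))
```

Note that JDOE can query project 103 only because of the group grant on the ACTIVE instance set, and cannot see the CLOSED project 102 at all: the grant scope, not the function name, decides which rows exist for the user.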
Indirect responsibilities are used with Oracle User Management only. A user may "inherit" an indirect
responsibility through membership in a group to which the responsibility has been assigned.
Securing Attributes: For example, to allow a user in the ADMIN responsibility to see rows containing a
CUSTOMER_ID value of 1000, assign the securing attribute CUSTOMER_ID to the ADMIN responsibility.
Then give the user a security attribute CUSTOMER_ID value of 1000. When the user logs into the ADMIN
responsibility, the only customer data they have access to has a CUSTOMER_ID value of 1000.
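An added example of the securing-attribute rule just described, written for this page and not Oracle's own code: a responsibility carries a list of securing attributes, each user carries attribute values, and a row is visible through that responsibility only when its value for every securing attribute is one the user has been assigned. The customer rows, responsibility names and user names are constructed, and the treatment of a user with no value assigned (sees no rows) is this model's assumption.

```python
# Constructed customer rows, the data being secured.
CUSTOMERS = [
    {"CUSTOMER_ID": 1000, "NAME": "Acme"},
    {"CUSTOMER_ID": 1001, "NAME": "Globex"},
    {"CUSTOMER_ID": 1002, "NAME": "Initech"},
]

# Securing attributes assigned to each responsibility (constructed).
RESP_SECURING_ATTRS = {
    "ADMIN": ["CUSTOMER_ID"],
    "CUSTOMER_SUPPORT": [],   # no securing attribute: the responsibility does not filter rows
}

# Security attribute values assigned to each user (constructed).
USER_ATTR_VALUES = {
    "JDOE": {"CUSTOMER_ID": {1000}},
    "ASMITH": {"CUSTOMER_ID": {1000, 1002}},
    "BLEE": {},               # no values assigned at all
}


def visible_rows(user: str, responsibility: str, rows: list) -> list:
    """Rows `user` can see while logged into `responsibility`."""
    attrs = RESP_SECURING_ATTRS.get(responsibility, [])
    if not attrs:
        return list(rows)
    values = USER_ATTR_VALUES.get(user, {})
    # A row passes only if, for every securing attribute of the responsibility,
    # the row's value is among the user's assigned values.  A user with no value
    # for an attribute therefore sees nothing through this responsibility
    # (modelled assumption).
    return [r for r in rows
            if all(r.get(a) in values.get(a, set()) for a in attrs)]


def visible_customer_ids(user: str, responsibility: str) -> list:
    """Convenience wrapper returning just the CUSTOMER_ID values the user can see."""
    return [r["CUSTOMER_ID"] for r in visible_rows(user, responsibility, CUSTOMERS)]


if __name__ == "__main__":
    for user in USER_ATTR_VALUES:
        print(user, "under ADMIN sees", visible_customer_ids(user, "ADMIN"))
```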
Overview of User and Data Auditing
There are two types of auditing in Oracle Applications: auditing users, and auditing database row changes.
Auditing User Activity
Auditing users is supported by:
Sign-On:Audit Level profile option setting
Audit Reports
Based on the audit level you choose, Sign-On audit records usernames, dates, and times of users
accessing the system, as well as what responsibilities, forms, and terminals users are using.
Auditing Database Row Changes
Auditing database row changes is supported by:
From the Help menu, About This Record ...
AuditTrail:Activate profile option setting
Audit forms
Enabling Sign-On Audit Profile
Use the System Profile Values form to enable Sign-On Audit.
Form, Resp, User
Who: Display Type profile option (set it to display detailed Who information under Application -> About This Record)
Notifying of unsuccessful logins through the Sign-On:Notification profile option
Selecting Audit Levels
The Sign-On:Audit Level profile option allows you to select a level at which to audit users who sign on to
Oracle Applications. Four audit levels provide increasing levels of monitoring: None, User, Responsibility,
and Form.
Auditing level None is the default, and tracks:
No activities by any users who sign on to Oracle Applications
Auditing at the User level tracks:
Who signs on to your system
The times users log on and off
The terminals in use
Auditing at the Responsibility level performs the User level audit functions and also tracks:
The responsibilities users choose
How much time users spend using each responsibility
Auditing at the Form level performs the Responsibility and User level audit functions, and also tracks:
The forms users choose
How long users spend using each form
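The block below is an added example, written for this page and not Oracle's own code, of what each Sign-On:Audit Level setting makes available. A constructed trace of one user's session (login, responsibility choices, forms used, logout) is filtered to the events a given level records, and two report functions answer the Responsibility-level and Form-level questions above (time per responsibility, time per form). The event layout, user name, terminal and form names are sample values chosen for the example.

```python
from datetime import datetime

# Constructed session trace: (event, time, user, responsibility, form, terminal).
TRACE = [
    ("LOGIN",  "2024-05-01 08:00", "JDOE", None, None, "TERM01"),
    ("RESP",   "2024-05-01 08:00", "JDOE", "SYSTEM_ADMINISTRATOR", None, "TERM01"),
    ("FORM",   "2024-05-01 08:05", "JDOE", "SYSTEM_ADMINISTRATOR", "FNDSCAUS", "TERM01"),
    ("FORM",   "2024-05-01 08:20", "JDOE", "SYSTEM_ADMINISTRATOR", "FNDPOMPV", "TERM01"),
    ("RESP",   "2024-05-01 08:30", "JDOE", "GENERAL_LEDGER", None, "TERM01"),
    ("FORM",   "2024-05-01 08:35", "JDOE", "GENERAL_LEDGER", "GLXJEENT", "TERM01"),
    ("LOGOUT", "2024-05-01 09:00", "JDOE", None, None, "TERM01"),
]

# The four audit levels in increasing order, and the lowest level that records each event kind.
LEVELS = ["None", "User", "Responsibility", "Form"]
RECORDED_AT = {"LOGIN": "User", "LOGOUT": "User", "RESP": "Responsibility", "FORM": "Form"}


def recorded(trace: list, level: str) -> list:
    """The subset of the trace that Sign-On Audit keeps at the given level."""
    rank = LEVELS.index(level)
    return [e for e in trace if LEVELS.index(RECORDED_AT[e[0]]) <= rank]


def _minutes(start: str, end: str) -> int:
    fmt = "%Y-%m-%d %H:%M"
    return int((datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() // 60)


def _end_time(events: list, i: int, closers: tuple) -> str:
    """Time of the next event that ends the current span; falls back to the last event."""
    return next((x[1] for x in events[i + 1:] if x[0] in closers), events[-1][1])


def session_minutes(events: list) -> dict:
    """User-level report: minutes between each login and the following logout, per user."""
    events = sorted(events, key=lambda e: e[1])
    totals = {}
    for i, e in enumerate(events):
        if e[0] == "LOGIN":
            totals[e[2]] = totals.get(e[2], 0) + _minutes(e[1], _end_time(events, i, ("LOGOUT",)))
    return totals


def time_per_responsibility(events: list) -> dict:
    """Responsibility-level report: minutes spent in each responsibility.
    Returns {} when the audit level did not record RESP events."""
    events = sorted(events, key=lambda e: e[1])
    totals = {}
    for i, e in enumerate(events):
        if e[0] == "RESP":
            totals[e[3]] = totals.get(e[3], 0) + _minutes(e[1], _end_time(events, i, ("RESP", "LOGOUT")))
    return totals


def time_per_form(events: list) -> dict:
    """Form-level report: minutes spent in each form (a form ends when the next
    form is opened, the responsibility changes, or the user logs out)."""
    events = sorted(events, key=lambda e: e[1])
    totals = {}
    for i, e in enumerate(events):
        if e[0] == "FORM":
            totals[e[4]] = totals.get(e[4], 0) + _minutes(e[1], _end_time(events, i, ("FORM", "RESP", "LOGOUT")))
    return totals


if __name__ == "__main__":
    for level in LEVELS:
        kept = recorded(TRACE, level)
        print(level, "records", len(kept), "events;",
              "responsibilities:", time_per_responsibility(kept),
              "forms:", time_per_form(kept))
```

At level None nothing is kept, so every report is empty; at User only the session length can be reported; the responsibility and form reports only become possible at the level that records those events.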
AuditTrail lets you keep a history of changes to your important data: what changed, who changed it, and
when. With AuditTrail, you can easily determine how any data row or element obtained its current value.
The AuditTrail Update Tables concurrent program creates database triggers on the tables in your audit
groups for your installations. It also creates shadow tables, one for each audited table, to contain the audit
information. If you have changed your audit definitions or disabled auditing for an audit group, the
program drops or modifies the auditing triggers and shadow tables appropriately.
Setting Up AuditTrail
You can choose to store and retrieve a history of all changes users make on a given table. Auditing is
accomplished using audit groups, which functionally group tables to be audited. When auditing is
enabled, the automatically generated database trigger in the "After" event on the audited table ("_AI",
"_AU" or "_AD") performs the auditing. This trigger calls a stored procedure ("_AIP", "_AUP" or "_ADP")
that compares each audited column to see whether its value is changing. If so, the procedure saves the
previous (old) value to the shadow table. After a shadow table is created, views (_AV1 and _AC1) onto
the shadow table are created to allow easier access to the data in the "sparse" rows. These views simplify
tasks such as querying a row's or column's value on a given date and tracking changes to a row or
column over time.
Concurrent Programs for Audit:
AuditTrail Update Tables
Additional Audit Trail Reporting
This section describes how to set up and manage Audit Trail Reporting functions that are used within OPM.
Audit Industry Template
Audit Hierarchy Navigator
Audit Query Navigator
Running the Audit Report
Monitor Users Window
Audit Installations Window
Audit Groups Window
Reports
Sysadmin Reports
Signon Audit Concurrent Requests
Signon Audit Unsuccessful Logins
Signon Audit Users
Active Responsibilities
Active Users
Oracle Application architecture
Audit Tables Window
Signon Audit Responsibilities
Compile Security