Posted on 19-Jan-2016

Page 1: Security Administration in Oracle E-Business Suite: Overview of Oracle User Management Leon Tu Applications Technology Group Oracle Corporation


Security Administration in Oracle E-Business Suite: Overview of Oracle User Management

Leon Tu, Applications Technology Group, Oracle Corporation

Page 2

Business Needs for User Management

• Unified approach to create and maintain users

• Improved Security

• Easier User Administration

• Provide Delegation Capabilities

Page 3

Oracle User Management

Function Security

Data Security

Role Based Access Control

Delegated Administration

Provisioning Services

Self Service Features

Page 4

Function Security

Page 5

Function Security

• Functions represent basic entry points / operations / secured resources that do not have any data context, for example:
• “Page X”
• “Region Y”
• Typically done using responsibilities in E-Business Suite

Diagram: the responsibilities “Employee HR Self Service” and “Manager HR Self Service” grouping the functions Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts and Pay Slip

Page 6

Function Security

Data Security

Page 7

Data Security

• What business objects / documents hold sensitive data & need to be secured
• For example: Expense Reports, Employees
• What secured operations can be performed on each object
• For example: update, delete, reject, approve, escalate
• Secured operations are represented as privileges aka permissions
• Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]:
• [Managers] can
• [view, approve, reject, update]
• [expense reports]
• [filed by their direct reports]
• Sets of business documents are identified through Object instance sets (SQL predicates)

Page 8

Data Security Grants

• Data security grants are only in effect when working on records that meet the filter criteria.
• Data filter types:
• Single instance (ad hoc)
• Applies to a specific instance of an object
• "John may manage project 123"
• Instance set (policy)
• Applies to rows which match a WHERE clause
• "Employees may view public projects"
• "Where project_status_flag = 'PUB'"

Page 9

Function Security

Data Security

Role Based Access Control

Page 10

Role Based Access Control

• RBAC standard (ANSI INCITS 359-2004)
• A role consists of
• Other roles (via inheritance)
• Responsibilities (via inheritance)
• Permissions
• Function Security Policies
• Data Security Policies
• A user can be assigned several roles
• A role can be assigned to several users

Page 11

EBS RBAC Model - Users

Diagram: users

Users can be:
• Humans
• Internal: Employees
• External: Customers
• Systems
• Internal: integrated applications (A2A)
• External: trading partners (B2B)

Page 12

EBS RBAC Model - Roles

Diagram: users assigned to roles

Roles can be:
• EBS Responsibilities
• HR Positions
• TCA Groups
• LDAP Roles
• UMX Access Roles
• Hierarchical

Page 13

EBS RBAC Model - Permissions

Diagram: users assigned to roles, and the permissions those roles carry

Permissions can be:
• Screens/Flows
• APIs/Services
• Data Operations

Page 14

EBS RBAC Model - Permission Sets

Diagram: permissions grouped into permission sets; users assigned to roles

Permission Sets are defined using the Menu structure

Page 15

EBS RBAC Model - Grants

Diagram: grants connect roles to permission sets (users, roles, grants, permission sets, permissions)

Page 16

EBS RBAC Model - Grants

• Gives a role access to a set of permissions
• With optional context restriction
• Responsibility
• Organization
• Data set
• Some permissions are "context independent"
• Grants represent security policies
• "Employees have access to expense reporting"
• You should not have to worry about navigation menus when defining security policy...

Page 17

Case Study

• Grant access to a set of Sales Managers
• Need access to:
• HR Self Service: Manager + Employee access
• Sales Online: Sales Manager access
• Expenses: Manager + Employee access
• iProcurement: Manager + Employee access

Page 18

Access Control before..

Diagram: users directly assigned Responsibilities (Expenses Mgr, Expenses Employee, Employee HR Self Service, Manager HR Self Service, iProcurement Mgr, iProcurement Employee, Sales Online Mgr)

Page 19

..With RBAC: Basic Approach

Diagram: Role Inheritance. The roles Sales Manager, Employee and Sales Rep Manager, linked by role inheritance, give access to the responsibilities Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement and Sales Online

Page 20

RBAC Benefits

• Reduces / Simplifies Administration
• Mass updates via single operation
• Coexists with existing Security Setups
• Basic Approach: Try it now!
• Consolidate your existing Responsibilities into Roles
• Advanced Approach
• Reduces # Responsibilities and Menus
• “Principle of Least Privilege”

Page 21

DEMONSTRATION

RBAC

Page 22

Function Security

Data Security

Role Based Access Control

Provisioning Services

Page 23

Provisioning Services

• Workflow based Provisioning Engine
• Handles all Self Service and Administrator initiated requests for new User Accounts and Roles / Responsibilities
• Reserve, Release, Activate Pending Accounts
• Temporary Storage of Registration Data
• “Registration Process” - Metadata that define:
• Approval Policies (in Oracle Approval Management)
• Eligibility Policies
• Email Verification (Account Requests only)
• Notification Workflows
• Business Logic
• Registration UIs

Page 24

Account Provisioning Flow

Diagram (steps as labelled): Enter Info, Register, Submit Request, Raise Business Event, Invoke Registration Engine, Reserve User Name, Verify Identity via Email (Confirmed!), Create Person Party, Activate User Account, Assign Roles, Email to Approver(s) (Approved!), Confirmation Email, Write Registration Data; an Event Object is passed between the steps

Page 25

Function Security

Data Security

Role Based Access Control

Provisioning Services

Delegated Administration

Page 26

Delegated Administration

Diagram: System Administrator above Local Administrator (Americas) and Local Administrator (Europe)

• System Administrator: All Users & Roles
• Local Administrator: Subset of Users & Roles

Page 27

Delegated Administration

• Fine Grained Admin Policies based on Data Security
• Defines who can:
• [query, create, update, reset pwd] a given set of users
• Examples:
• Internal / External Users
• Location
• Organization
• Or anything else derived using SQL
• Granted to Admin Roles
• Leverages Provisioning Services (if set up)
• RBAC is not required (except for Admin Roles)
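To make the chain described on slides 10 to 19 (user, roles with inheritance, grants, permission sets, permissions) and the data security filters of slides 7, 8 and 27 concrete, here is an added Python model written for this page; it is example code, not Oracle's implementation. It assumes the role hierarchy as I read it from the slide 19 diagram (Sales Manager inheriting Employee and Sales Rep Manager) and uses constructed names throughout (KWALKER, JOHN, LADMIN, the permission strings and sets); Python predicates stand in for the SQL WHERE clauses of an instance set.

```python
from collections import deque
# Role hierarchy (my reading of slide 19): SALES_MANAGER inherits EMPLOYEE and SALES_REP_MANAGER.
ROLE_PARENTS = {"SALES_MANAGER": ["EMPLOYEE", "SALES_REP_MANAGER"]}
# Constructed user-to-role assignments (a user may hold several roles).
USER_ROLES = {"KWALKER": {"SALES_MANAGER"}, "JOHN": {"EMPLOYEE"},
              "LADMIN": {"LOCAL_ADMIN_AMERICAS"}}
# Permission sets (in EBS these come from the menu structure; plain sets here).
PERMISSION_SETS = {
    "EXPENSES_ENTRY": {"expense.create"},
    "EXPENSES_READ": {"expense.view"},
    "EXPENSES_MANAGER": {"expense.view", "expense.approve", "expense.reject", "expense.update"},
    "PROJECTS_READ": {"project.view"},
    "PROJECTS_MANAGE": {"project.view", "project.update", "project.delete"},
    "USER_ADMIN": {"user.query", "user.update", "user.reset_password"},
}
DIRECT_REPORTS = {"KWALKER": {"JSMITH", "AJONES"}}  # constructed org data
# Instance-set predicates stand in for the SQL WHERE clause an EBS policy
# carries, e.g. "where project_status_flag = 'PUB'" from slide 8.
def filed_by_self(user, row):
    return row.get("filed_by") == user

def filed_by_direct_report(user, row):
    return row.get("filed_by") in DIRECT_REPORTS.get(user, set())

def is_public_project(user, row):
    return row.get("project_status_flag") == "PUB"

def user_in_americas(user, row):  # delegated admin scope (slide 27)
    return row.get("region") == "AMERICAS"

# Grants: (grantee role or user, permission set, data filter), where the filter is
#   None                   -> context independent (function security only)
#   ("instance", 123)      -> single instance, ad hoc: "John may manage project 123"
#   ("instance_set", pred) -> policy: every row the predicate admits
GRANTS = [
    ("EMPLOYEE", "EXPENSES_ENTRY", None),
    ("EMPLOYEE", "EXPENSES_READ", ("instance_set", filed_by_self)),
    ("EMPLOYEE", "PROJECTS_READ", ("instance_set", is_public_project)),
    ("SALES_REP_MANAGER", "EXPENSES_MANAGER", ("instance_set", filed_by_direct_report)),
    ("JOHN", "PROJECTS_MANAGE", ("instance", 123)),
    ("LOCAL_ADMIN_AMERICAS", "USER_ADMIN", ("instance_set", user_in_americas)),
]

def effective_roles(user):
    """Directly assigned roles plus everything inherited; cycle-safe."""
    seen, queue = set(), deque(USER_ROLES.get(user, ()))
    while queue:
        role = queue.popleft()
        if role not in seen:
            seen.add(role)
            queue.extend(ROLE_PARENTS.get(role, ()))
    return seen

def row_matches(user, data_filter, row):
    if data_filter is None:
        return True   # context independent permission
    if row is None:
        return False  # a data security grant only applies to a concrete record
    kind, spec = data_filter
    if kind == "instance":
        return row.get("id") == spec
    return bool(spec(user, row))

def is_authorized(user, permission, row=None):
    # A grant reachable through the user's roles (or made to the user directly) authorizes
    # the action when it carries the permission and its data filter admits the row.
    grantees = {user} | effective_roles(user)
    return any(g in grantees and permission in PERMISSION_SETS[p] and row_matches(user, f, row)
               for g, p, f in GRANTS)
```

A data security grant evaluated without a record yields no access, which is the slide 8 point that such grants are only in effect on records meeting the filter.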

Page 28

Delegated Admin Benefits

• Decentralized Administration
• Administrators closer to the users they manage
• System more likely to be up to date
• Improved response time

Pages 29 to 35

DEMONSTRATION

Delegated Admin

Page 36

Function Security

Data Security

Role Based Access Control

Provisioning Services

Delegated Administration

Self Service Features

Page 37

Self Service Features

• End Users can request
• New User Accounts
• New Roles and Responsibilities
• From the “Access Requests” page (Preferences menu)
• Password Reset
• From AppsLogin page (set “Local Login Mask” profile)
• Leverages Provisioning Services
• Does not require RBAC

Page 38

DEMONSTRATION

Self Service Features

Page 39

R12 Enhancements for User Management

• Proxy User
• ICM (Separation of Duties – SoD) Integration
• Enhanced Forgot Username/Password
• New Registration Process Type for Administrator Role Assignment
• Security Wizard Infrastructure
• Search Enhancement for List of Values (LOV)

Page 40

Proxy User Description

• Proxy User Framework
• Provide the delegator the ability to grant/revoke the proxy privilege to individuals
• Provide a mechanism throughout the application’s framework where the user can access the proxy switcher feature
• Provide a mechanism throughout the application’s framework which indicates to the user that they are acting as a proxy
• Provide the ability to track the delegate’s actions within the system, while the delegate is acting on behalf of the delegator (Audit)

Page 41

Proxy User Process - How to grant proxy privileges

• Grant proxy privileges to a user under Preferences -> Manage Proxies

• Example: SYSADMIN grants proxy privileges to KWALKER

Page 42

Proxy User Process – How to switch to proxy user - I

• “Switch User” link appears for the delegated user KWALKER

Page 43

Proxy User Process – How to switch to proxy user - II

• Clicking on “Switch User” allows the user to select which user to act as proxy for

Page 44

Proxy User Process – Framework chrome for proxy user

• All UI screens show the updated chrome for proxy user

• The “Return to Self” link switches back to the regular user session

Page 45

ICM (SoD) Integration Description

• Separation of Duties integration - ICM
• Oracle User Management (UMX) provides SoD (Segregation of Duties) functionality through integration with Oracle Internal Controls Manager (ICM)
• Preventative enforcement of SoD constraints
• At assignment time (admin flows)
• With Notifications (self service flows)
• Function security based constraint override for administrators

Page 46

ICM (SoD) Integration Benefits

• Improve Regulatory Compliance
• Allows for preventative enforcement of separation of duties constraints as defined by regulatory requirements (SOX)

Page 47

Enhanced Forgot Username/Password

• Forgot Username / Password Enhancements
• Centralized “Forgot Username/Password” capability
• Improved implementation by coupling of username and password retrieval (or reset) process
• “Forgot username” functionality introduced
• Enhanced “forgot password” functionality – allowing user to reset password
• Ability to query on either lost “username” or lost “password”
• Enter email address if lost username
• Enter username if lost password

Page 48

New Registration Process Type for Administrator Role Assignment

• New Registration Process Type
• New registration process of type “Administrator Assisted Additional Access”
• Different policies (registration processes) can be used for administrative actions vs. self service requests, covering:
• Approval Routing
• UI
• Notifications
• Business Logic

Page 49

New Registration Process Type Benefits

• Reduce complexity
• Simpler registration processes can be created for self-service and administrator flavors
• Increase flexibility
• Support alternative approvals for administrator role assignment

Page 50

Security Wizard Infrastructure

• Security Wizard Infrastructure
• Infrastructure for product teams to create their own security wizards in the context of a role
• Product teams create their wizards and seed the relevant information
• These wizards appear in the list of security wizards available to the administrator when creating/updating role information
• New User Interface for Delegated Administration
• Existing functionality (11.5.10) of delegated administration setup implemented using the wizard infrastructure
• The wizard guides the user through the options they can set for delegated administration

Page 51

Security Wizard Infrastructure Benefits

• Increase Ease of Use
• Wizard framework for managing security information
• Improved flexibility
• Wizard to guide user through delegation setup

Page 52

Security Wizard Infrastructure Setup – Add function to wizard menu

• Seed the function for the wizard in the wizard menu UMX_ROLE_WIZARD_LINKS_MENU

Page 53

Security Wizard Infrastructure Setup – Create grant for their function

• Create a grant for the function seeded in the previous step for all the administrator roles that the wizard should be available to

Page 54

Security Wizard Infrastructure Process – How to use the feature

• The security wizard can be launched from the create/update role page

Page 55

Security Wizard Infrastructure Process – How to use the feature

• The wizard launcher page lists the wizards available to the logged-in user

• Clicking on the icon launches the wizard in the context of the role

Page 56

Security Wizard Infrastructure Process – Delegated Admin Wizard

• UMX delegated admin wizard launched from the wizard launch page

Page 57

Search Enhancements Description

• List of Values Search Enhancements
• Search Enhancement for LOVs (List of Values)
• All LOVs in User Management (UMX) searchable by
• Role
• Responsibility
• Both
• Internal Code
• A type is included in the results to differentiate roles and responsibilities

Page 58

Search Enhancements Benefits

• Reduce Ambiguity
• Returning a type to reduce ambiguity between roles and responsibilities
• Increase Ease of Use
• Common LOV can be used to search roles, responsibilities or both

Page 59

Search Enhancements Process - How to use the feature

• Search by name or code for role, responsibility or both

Page 60

UMX Homepage

• http://www-apps.us.oracle.com:1100/umx/home/overview/

Page 61

Q&A

Page 62