
R12 Surprises in User Management
Revised July, 2014

Susan Behn

Agenda
Understanding User Management Principles
  User Management Layers
  Role Based Access Control Overview
  Building Blocks for User Management
  Modeling Security Policy - Basic Example
Surprises
  Read only diagnostics
  Access to integration repository
  Grant worklist access
  Cash Management Security Wizard for Bank Account Management
  Access to concurrent reports
  Access which bypasses UMX
  Flexfield Value Set Security (New in 12.2)
Additional Topics if Time Allows
  What modules use UMX
  Security Reports
  Disable subscription which grants AMW-Internal Controls Manager roles (if time allows)
References
Copyright 2014 Infosemantics, Inc. All Rights Reserved. Any other commercial product names herein are trademarks, registered trademarks or service marks of their respective owners.


User Management Layers


Core security, levels 1-2, is accomplished through AOL or with grants and permissions
Core security level 3 is required for some apps
Administrative features, levels 4-6, are optional

6. User access requests with AME Approval Processes
5. Registration processes
4. Administer functions/data for specific groups
3. Grant access to roles that include function/data security
2. What data can a user see
1. What can a user do

Role Based Access Control


RBAC: The RBAC standard supports the mapping of user access control based upon a user's role in the organization rather than their unique identity
Roles: a grouping of all the responsibilities, lower level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task
Role Categories: Organize roles into groups


Components by Responsibility
System Administrator Responsibility
  Manage responsibilities and menus; Create users
User Management Layers 3 and up
Functional Administrator Responsibility
  Function Security Layer
Functional Developer Responsibility
  Data Security Layer

User Management Building Blocks


Objects
  Define data to be secured: a table or view
  Stored in FND_OBJECTS, FND_OBJECTS_TL
Object Instance Sets
  The WHERE clause for an object
  Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL
Managed in Functional Developer Responsibility


User Management Building Blocks


Permissions: 2 types, function and data
Function Security Permissions control access to abstract functions
  Examples
    Executable function is access to User Management Roles & Role Inheritance Form
    Abstract functions are defined as role permissions
      Create Role
      Assign Role
      Manage Role
      Revoke Role
Data Security Permissions control access to objects
  Data limited by where clause
Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL


User Management Building Blocks


Permission Sets
  Grouping of permissions
  Example: All User Administration Privileges
  A permission set can contain other permission sets
  Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL


User Management Building Blocks


Grants
  Provide permissions for actions on a specified object
  Attach function permissions and data permissions (data security policies) to grantee
Grantee
  Who gets the grant
    A role or group
    A specific user
    All Users
Data Security Policy
  Grant that includes both an object and permission set
Stored in FND_GRANTS

STACKING UP THE BUILDING BLOCKS

Modeling Security Policies


Step 1: Assign access to user management to appropriate users
Step 2: Identify or create permissions/permission sets that group functions (function security)
Step 3: Identify or create product seeded objects / object instance sets (data security)
Step 4: Identify seeded grants / create grants
Step 5: Assign role


Grant access to user management to appropriate user(s)


Managing Users Step 1


By default, only Sysadmin has access to User Management
Assign a user management role to the appropriate user
Search for user
Click pencil to edit

Managing Users Step 1


Click the Assign Roles button to add a role
Click assign roles and then click the apply button


Managing Users Step 1


Search for the Security Administrator Role, check the box and click select
Other seeded security roles include Customer Administrator and Partner Administrator
  Customer Administrator: manage users with party type = customer
  Partner Administrator: manage users with party type = partner


Managing Users Step 1


Enter a justification and click Apply
User Management responsibility is inherited by assigning this role


Managing Users Step 1


System Administrator > User > Define
User Management is shown as an indirect responsibility


STEP 2
IDENTIFY SEEDED PERMISSIONS
CREATE PERMISSIONS

Permissions
To demonstrate function security, Approvals Management will be used as the example
  A user will be given access to perform all functions in approvals management
To gain familiarity with permissions available
  Go to Functional Administrator > Permissions to search for seeded permissions


Permissions
There are 16 permissions available for AME
Click the update button to examine the AME Action Create Permission


Permissions
This permission belongs to one permission set with the same name as the permission


Permission Set
In our example, we want the user to have access to ALL functions for the transaction type AP Invoice Approval
Go to the permission set tab to see the permission set for all AME functions, which is AME All Permission Sets
Note that this permission set includes other permission sets
Other permission sets included in set


STEP 3
SEEDED OBJECTS

Seeded Objects
To demonstrate data security, Approvals Management will be used again as the example
  A user will be given access to manage the approval process for the payables invoice approval
Go to Functional Developer > Objects to search for available seeded objects
If an object is not available, you can create objects


Seeded Objects

Tip: Query by responsibility to get familiar with what is seeded
Click update to view details but avoid changing seeded objects


Seeded Objects
Two columns are included which can be used to limit access
Note the Object Instance Sets Tab and Grants Tab


Seeded Objects
Click on the Object Instance Set tab for this object to view the where clause
The predicate allows the user to enter the parameters to select the application and transaction type in the grant


STEP 4
IDENTIFY SEEDED GRANTS
CREATE GRANTS

Grants
Create the grant to allow sbehn to perform all AME functions for the payables invoice approval transaction type
Click on grants tab
  Notice this takes you to the same form as you see in the Functional Administrator responsibility
We are going to enter an object to establish a Data Security Policy


Grants
Enter name, description, grantee type, grantee
Enter the object name
Click Next


Grants
Choose the context to limit rows
For this example, choose instance set


Grants
We already determined there was an AME Transaction Type Instance Set
Choose this value and click Next


Grants
Now enter the values for the parameters we saw earlier in the object instance set
The predicate is displayed for reference
Parameter 1 is the application
Parameter 2 is the AME transaction type


Grants
Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set AME All Permission Sets


Grants
The final page is a review page
Click finish and the confirmation page will appear
Now you have access to data and functions you can perform on that data
Click OK


Role Based Access Control


In step 1, we gave someone access to user management
In step 2, we identified the AME All Permission Sets to provide function security
In step 3, we identified the AME Transaction Types object to provide data security
In step 4, we joined the function and data security together in a grant to allow SBEHN to perform all functions for AME for Payables Invoice Approvals
But... the user still doesn't have access yet to the responsibility used to manage AME
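
The policy assembled in steps 2 to 4 is stored as a row in FND_GRANTS that points at the object, the instance set and the permission set. The query below is an added example, not part of the original slides, for reviewing those rows. The bind variable :grantee is hypothetical, and the column names are assumed to be the standard ones on FND_GRANTS, FND_OBJECTS, FND_OBJECT_INSTANCE_SETS, FND_MENUS and FND_USER; check them against your release.

```sql
-- Added example: list active data security policies (grants that name an object)
-- so a reviewer can see who was granted what, and on which rows.
-- :grantee is a hypothetical bind; pass NULL to list every grantee.
SELECT g.name                 AS grant_name,
       g.grantee_type,        -- USER, GROUP (role or responsibility) or GLOBAL (All Users)
       g.grantee_key,
       o.obj_name             AS object_name,            -- internal name; display name is in FND_OBJECTS_TL
       o.database_object_name AS secured_table_or_view,
       g.instance_type,       -- INSTANCE, SET or GLOBAL
       s.instance_set_name,
       s.predicate,           -- the WHERE clause of the instance set
       g.parameter1,          -- values substituted into the predicate
       g.parameter2,
       m.menu_name            AS permission_set,         -- internal code; display name is in FND_MENUS_TL
       g.start_date,
       g.end_date,
       cu.user_name           AS created_by_user,
       g.creation_date
FROM   fnd_grants g
       JOIN      fnd_objects o              ON o.object_id       = g.object_id
       LEFT JOIN fnd_object_instance_sets s ON s.instance_set_id = g.instance_set_id
       LEFT JOIN fnd_menus m                ON m.menu_id         = g.menu_id
       LEFT JOIN fnd_user cu                ON cu.user_id        = g.created_by
WHERE  g.start_date <= SYSDATE
AND    (g.end_date IS NULL OR g.end_date > SYSDATE)
AND    (:grantee IS NULL OR g.grantee_key = :grantee)
ORDER  BY CASE g.grantee_type WHEN 'GLOBAL' THEN 0 ELSE 1 END,  -- All Users grants first
          g.grantee_key,
          o.obj_name;
```

Grants to All Users sort first because they apply to every account and are the ones most worth confirming.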


STEP 5
ASSIGN RESPONSIBILITIES TO ROLES

Assign Roles
Assign AME roles to SBEHN the same way we assigned the Security Administrator role
Query the user and click the pencil


Assign Roles
Click the Assign Roles button


Seeded Roles
Choose the Approvals Management Administrator role and provide justification
Grants multiple roles shown in the hierarchy below and two responsibilities having a code starting with FND_RESP
Responsibility


Seeded Roles
Below is a partial list of products with seeded roles; this changes frequently
  Approvals Management
  Diagnostics
  Learning Management
  Territory Management
  User Management
  Integration Repository
  iReceivables
  iSetup
  Integrated SOA Gateway (New)
To see what's new after patches, look for roles in User Management responsibility or query WF_ALL_ROLES_VL



R12 Surprises


Read-Only Diagnostics


Read-Only Diagnostics in 12.1.3


Function Security (outside of UMX)
  Set profile option Hide Diagnostics Menu Entry to No
  Assign one or more of the read only subfunctions to the menu where this functionality is needed
Apps password will not be requested in read-only mode


Read-Only Diagnostics 12.1.3


Example - Payables, Vision Operations (USA) responsibility linked to menu AP_NAVIGATE_GUI12
Leave prompt and Submenu null


Integration Repository


New Surprises: Access to Integration Repository

Release 11i
  http://irep.oracle.com/
  As of March, 2014 the above link is not working
Early R12
  Assign Responsibility Integrated SOA Gateway
Release 12.1+
  Assign one of the following roles


Grant Worklist Access


Grant Worklist Access


From Form
  Click Worklist Access link
  To limit security risk, request this functionality from system administrators
From Functional Administrator Responsibility
  Grants Tab
  Create Grant

Grant Worklist Access


Select specific user
Data Security object is Notifications


Grant Worklist Access

Seeded instance Set
User that Grantee can see
Abstract Functions


Grant Worklist Access

Results


Grant Worklist Access


By default, notifications are limited to active workflows or those in Lookup type WF_RR_ITEM_TYPES
To limit this access to specific workflow types, enter in parameter2 (hidden parameter)
Note: Predicate does not list Parameter2
Parameter2 stores specific workflows


Cash Management Security Wizard


Cash Management Bank Account Security


Grant access to manage banks to the responsibility Cash Management, Vision Operations (USA)
  Go to User Management > Roles & Role Inheritance
  In the Type field, select Roles and Responsibilities
  In the Category field, select Miscellaneous
  In the Application field, select Cash Management, then click Go


Cash Management Bank Account Security


Click on the pencil to update for the correct responsibility


Cash Management Bank Account Security


Click on the security wizard button
On the next page, click the icon to run the CE UMX Security Wizard


Cash Management Bank Account Security


Click the button to add legal entities

Select the legal entities this responsibility will manage


Cash Management Bank Account Security


Check the boxes for the privileges needed for this responsibility and apply your changes
Repeat these steps for additional responsibilities


View Concurrent Requests


New Surprises: Access to Concurrent Requests

Profile Option Concurrent Report Access Level is obsolete in 12.1
  Allowed users to see all concurrent requests in a responsibility
Except for View Own and System Administrator View Logs, this functionality is replaced by RBAC permissions
See My Oracle Support ID 737547.1


View Others Requests


Object Concurrent Requests
Start with the Concurrent Requests data object shown below which is seeded


View Others Requests - Permission Set / Permission

The Request Operations permission set includes permissions to submit and view requests


View Others Requests-Instance Sets


Several object instance sets are seeded or you can create your own


View Others Requests - Seeded Instance Sets


Examples of seeded object instance sets
  View all my requests from any responsibility
    More efficient than trying to remember where you ran a request
  View my requests for the application identified by parameter 2


View Others Requests - Create Instance Sets


From Functional Developer > Objects
  Query Object
  Click link in Name column, then Object Instance Sets tab, then Create Instance Set


View Others Requests-Create Instance Sets


Any user of a responsibility can see all requests in that responsibility
  Exact replacement of obsolete profile option
MOS ID 804296.1 R12: How To Configure Access To Request Output Of The Same Responsibility


View Others Requests


Site Level Grant for All Responsibilities
Grant New Instance Set to All Users
All users can see requests only in responsibility that ran request


View Others Requests-Operating Unit Level


***Same as previous example but limited by operating unit
Grant New Instance Set to Specific Operating Unit or responsibility
Repeat for each desired Operating Unit
Still can only see requests in responsibility that ran request

View Others Requests - User Level


Recommended only for help desk/support users who have limited responsibilities in Production
Can see any request regardless of which responsibility they are currently using
Access to All Requests to Specific User


Diagnostic Permission sets


Permission sets are available now for all Diagnostic menu items starting in R12.1.3.


Setup Profile Options


R12.1.3+
Utilities: Diagnostics
  Set to Yes (not secure)
  RBAC - create role with permission set FND Diagnostics Personalizations Menu and assign as needed


Security Hole


Access to Menus screen can bypass UMX function security

Security hole
Access to Menus form allows user to bypass UMX function security
  Grant flag can be clicked and then responsibility assignment displays menu
  Menus can be duplicated with grant flag checked
If the user then has access to create data security grants through the Functional Developer responsibility, you end up with a major security gap
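
One way to watch for the bypass described above is to review which menu entries carry the grant flag and who last touched them. The query below is an added example, not part of the original slides. The bind variable :since_date is a hypothetical start of the review window, and the column names are assumed to be the standard ones on FND_MENUS, FND_MENU_ENTRIES, FND_FORM_FUNCTIONS and FND_USER.

```sql
-- Added example: menu entries that are granted through the menu itself
-- (grant flag checked) and were changed, or sit on a menu that was created,
-- since :since_date. Rows touched by named end users rather than by patching
-- are the ones to compare against approved change requests.
SELECT m.menu_name,
       mc.user_name       AS menu_created_by,
       m.creation_date    AS menu_created,
       e.entry_sequence,
       f.function_name,
       sm.menu_name       AS submenu_name,
       e.grant_flag,
       eu.user_name       AS entry_last_updated_by,
       e.last_update_date AS entry_last_updated
FROM   fnd_menu_entries e
       JOIN      fnd_menus m          ON m.menu_id     = e.menu_id
       LEFT JOIN fnd_form_functions f ON f.function_id = e.function_id
       LEFT JOIN fnd_menus sm         ON sm.menu_id    = e.sub_menu_id
       LEFT JOIN fnd_user mc          ON mc.user_id    = m.created_by
       LEFT JOIN fnd_user eu          ON eu.user_id    = e.last_updated_by
WHERE  e.grant_flag = 'Y'
AND    (e.last_update_date >= :since_date   -- grant flag or entry edited in the window
        OR m.creation_date >= :since_date)  -- menu created (for example duplicated) in the window
ORDER  BY GREATEST(e.last_update_date, m.creation_date) DESC,
          m.menu_name,
          e.entry_sequence;
```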


Flexfield Security
Required in 12.2


Flexfield Value Set Security FNDFFMSV 12.2

Upon upgrade, users will not have access to any records in this form
Many ways to get to this form; our example: GL > Setup > Financials > Flexfields > Validation > Values

Function and Data Security


Must set up function security to define what the user can do in the form
  Grant by flexfield, report or value set
  Grant to application, user, group
Must set up data security to define which values can be queried
  Affects Independent and Dependent value sets.
  Affects what privileges users have in the Segment Values form.
Note: Even if you create a new value set, you still won't be able to assign values to that set until security is set up

Patch for 12.2.2


Apply this patch for 12.2.2 (not needed for 12.2.3)
Oracle Support Document 1589204.1 (Release 12.2.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C) can be found at:
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1589204.1


Grant access to the data


Functional Administrator > Grants
This example: General Ledger, Vision Operations (USA) responsibility needs to see GL value sets for Vision Operations Accounting Flexfield


Data Security - Instance Set


Flexfield Value Set Security Object
Key Flexfield Structure by app id, key flexfield code and structure number


Other Instance Sets


Permission set for allowable actions


For this example, I chose to allow insert or update

Seeded permission sets for flexfield security


Results
Now I have access to all the value sets for the accounting flexfield


Time Check for Next 3 topics


Where is UMX Applicable?


Where is UMX applicable?


Not all products have adopted data security in their UIs. If a customer is considering data security in a particular module, it is advisable to first check with the product development if that module has the infrastructure for data security in place; otherwise, their data security policies will not be honored by the product UIs. Data Security policies can only be defined for applications that have been written to utilize the Data Security
  MOS ID 553290.1 Introduction to the Grants Security System and Data Security
Self research: what objects and/or permissions has Oracle defined

Where is UMX applicable?


MOS ID 1162403.1 How Find Out Which Oracle Application Products Have Adopted Data Security Policies

Use following select statement to find objects / created by


Where is UMX applicable?


Use the following query to find seeded instance sets


Where is UMX applicable?


Permissions are indicative that UMX will work and usually provide a hint to the Object

Use the following query to find permissions
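
An added example (not the queries from these slides or from the MOS note) of how the three lookups described above, objects, instance sets and permissions, can be run for one product. It assumes the standard FND data security tables FND_OBJECTS, FND_OBJECT_INSTANCE_SETS, FND_FORM_FUNCTIONS and FND_APPLICATION; the bind variable :app_short_name is illustrative.

```sql
-- Added example. Assumes the standard FND data security tables in the APPS
-- schema; check column names against your release before relying on it.
-- :app_short_name is an illustrative bind for the product being evaluated.

-- 1. Objects registered for the product, with how many instance sets and
--    permissions hang off each one. An empty result is a prompt to confirm
--    with product development before designing data security policies.
SELECT a.application_short_name,
       o.obj_name,
       o.database_object_name,
       o.created_by,
       (SELECT COUNT(*)
          FROM fnd_object_instance_sets s
         WHERE s.object_id = o.object_id) AS instance_set_count,
       (SELECT COUNT(*)
          FROM fnd_form_functions f
         WHERE f.object_id = o.object_id) AS permission_count
  FROM fnd_objects o
  JOIN fnd_application a ON a.application_id = o.application_id
 WHERE a.application_short_name = :app_short_name
 ORDER BY o.obj_name;

-- 2. Instance sets for those objects, with the predicate that defines
--    which rows each set covers.
SELECT o.obj_name, s.instance_set_name, s.predicate, s.created_by
  FROM fnd_object_instance_sets s
  JOIN fnd_objects o ON o.object_id = s.object_id
  JOIN fnd_application a ON a.application_id = o.application_id
 WHERE a.application_short_name = :app_short_name
 ORDER BY o.obj_name, s.instance_set_name;

-- 3. Permissions (functions) tied to those objects; the function name
--    usually hints at the object it protects.
SELECT o.obj_name, f.function_name, f.type, f.created_by
  FROM fnd_form_functions f
  JOIN fnd_objects o ON o.object_id = f.object_id
  JOIN fnd_application a ON a.application_id = o.application_id
 WHERE a.application_short_name = :app_short_name
 ORDER BY o.obj_name, f.function_name;
```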


Security Reports


Security Reports
From User Management, Security Reports
Choose Report Type - Remaining screen repaints based on Type
MUST specify Role/Resp
Example
Select Output format
Choose Offline to get underlying SQL

Security Reports
Report Status

Output: click Output icon


Security Reports
For Log (and query), click Details, then View Log
Partial log shown


Security Reports
List of Users w/access to key User Management function
Clicking Show displays how assigned and by whom


Security Reports
List of users with access to view all concurrent requests
List of users with access to the user management role


R12.2 Disable subscription to event oracle.apps.fnd.umx.requestapproved
Error that appears is ambiguous
Real error: The rule function for the subscription to this event, AMW_VIOLATION_PVT.Do_On_Role_Assigned, is a non-existent package
Cause: AMW-Internal Controls Manager has been replaced by GRC-Governance Risk and Compliance in 12.2
MOS note 1303189.1
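
An added diagnostic (not from the slides or the MOS note) that lists the subscriptions on this event and shows whether the package behind each rule function exists. It assumes the standard Workflow tables WF_EVENTS and WF_EVENT_SUBSCRIPTIONS and that rule_function is stored as PACKAGE.PROCEDURE.

```sql
-- Added example. Assumes the standard Workflow Business Event System tables
-- and a rule_function of the form PACKAGE.PROCEDURE (a schema-qualified
-- value would need different parsing).
SELECT e.name                   AS event_name,
       s.rule_function,
       s.status                 AS subscription_status,
       s.phase,
       s.owner_tag,
       o.owner                  AS package_owner,
       NVL(o.status, 'MISSING') AS package_status
  FROM wf_events e
  JOIN wf_event_subscriptions s ON s.event_filter_guid = e.guid
  LEFT JOIN all_objects o
    ON o.object_type = 'PACKAGE'
   AND o.object_name =
       UPPER(SUBSTR(s.rule_function, 1, INSTR(s.rule_function, '.') - 1))
 WHERE e.name = 'oracle.apps.fnd.umx.requestapproved'
 ORDER BY s.phase;
```

A row with subscription_status ENABLED and package_status MISSING matches the condition described above.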

References
Oracle Applications System Administrator's Guide - Security
See Oracle User Management Developer Guide
My Oracle Support ID: 553547.1 Data Security Terminology
My Oracle Support ID: 553290.1 Introduction to the Grants Security System and Data Security
E-Business Suite User Management SIG http://ebsumx.oaug.org/


Other Presentations
Create a role to administer a specific organization
Collaborate 2009: From Responsibilities to Roles: Moving Toward the Role Based Access Control (RBAC) Model
Marquette University

Create a junior workflow administrator
Collaborate 2009: What's New in Workflow: 11i RUP5, RUP6 and R12
Karen Brownfield and Susan Behn


Collaborate 2014
UMX Sig Presentation
15330 - E-Business Suite User Management SIG at Collaborate 14 on April 7th at 3:20 PM PST in Level 3, San Polo 3401
Sara Woodhull - How to secure flexfields and value sets in user management
This new feature in R12 was specifically requested by this special interest group
We are making an impact and Oracle is listening!


About Infosemantics
Established in 2001
Customer Focused
People First
Global
Shared Expertise
For more information, go to our web site at www.Infosemantics.com
R12.1.3, R12.2, OBIEE public vision instances
Posted presentations on functional and technical topics


Questions?
Comments

Thank You!!!

Susan Behn

Susan.Behn@Infosemantics.com
