PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. All rights reserved.
Page 1 of 89
Internal use only -- U. S. Firm use only
Oracle System Administration Practice Aid Table of Contents
1. Engagement Tools (page 3)
B. ORACLE ENGAGEMENT CONSIDERATIONS (page 6)
C. ORACLE APPLICATION HIGHLIGHTS (page 7)
1. Application Structure (page 7)
2. Oracle Application Release History (page 9)
3. Overview of System Administration (page 10)
1. Flexfield Types (page 14)
2. Key Flexfield Components (page 16)
3. Descriptive Flexfield Components (page 21)
1. Oracle Auditing Methods (page 23)
2. Non-Audit based Change Control (page 25)
Configuration/Functionality Changes with iSetup (page 25)
F. END USER ACCESS (page 26)
1. Responsibility and Security Group Management (page 26)
2. User Management (page 37)
3. Password Management (page 47)
4. Identity Management (page 49)
5. Multi organization access control (page 52)
G. APPLICATION SUPPORT RESPONSIBILITIES AND USERS (page 56)
1. Support Responsibilities (page 56)
2. Application Support User IDs (page 64)
3. APPS Database ID (page 64)
H. SYSTEM PROFILE OPTIONS (page 70)
1. Site-Level (page 70)
2. Application-Level (page 70)
3. Responsibility-Level (page 70)
4. User-Level (page 71)
5. Key Profile Options (page 72)
I. SEGREGATION OF DUTIES CONCEPTS (page 78)
J. RESTRICTED ACCESS/SEGREGATION OF DUTIES (page 80)
1. Application Setups (page 80)
2. Standing Data (page 80)
3. Segregation of Duties (page 80)
K. RELEVANT MODULES (page 84)
1. iSetup (page 84)
2. AME (page 85)
L. FORMS THAT ACCEPT SQL ENTRY (page 86)
M. GLOSSARY (page 89)
1. Key Oracle Functionality (page 89)
This Practice Aid and the associated tools (Work Program(s) and GATE) are for INTERNAL USE ONLY. As management is responsible for designing and implementing a system of internal control, this Practice Aid and its associated tools should not be distributed to our clients. These tools are intended to be used by PwC Oracle specialists performing an audit, attestation or consulting engagement involving the review of the client's Oracle application. Individuals intending to use this Practice Aid and/or related tools must have sufficient technical skills to conduct such work. It is highly recommended that at least one member of the team has specific training or experience in the ERP wherever practicable.
1. Engagement Tools
The Tools noted below provide a general overview of the Oracle application, along with its related control risks and common application controls. When these tools are utilized, the following important caveats and reminders should be considered prior to their use:
• Refer to PwC Audit Guide for policy on understanding, evaluating and validating internal controls. This Practice Aid and related tools are not a substitute for PwC Audit.
• This Practice Aid and its related tools should only be used in conjunction with proper risk-based engagement planning and scoping. The relevance and importance to the engagement of transaction processing, risks and controls associated with the noted modules of Oracle should be clearly understood before work is begun, and the tools should be tailored to each client environment.
• This Practice Aid and its associated Work Program(s):
  o May not present all control risks associated with your client's use of Oracle;
  o Are not intended to address all possible relevant application controls in the process(es) supported by the modules noted herein within Oracle;
  o Do not address Information Technology General Controls (ITGCs);
  o Are focused primarily on automated, not manual, controls;
  o Do not present all possible key controls and do not represent the minimum nor maximum level of key controls that must exist; and
  o May have particular functionality or controls referenced as "key". This term indicates that this control / functionality might be important to the client's control environment. However, the identification of a key control for a client's environment will vary based on the client's unique risk circumstances, control environment and / or the client's use of the application.
• This Practice Aid and its associated tools are based on a standard installation of the ERP package. Clients often customize their applications. Since each ERP implementation is unique, our work should be based on an understanding of the client's actual systems and processes, as implemented, not on a generic/sample process or system configuration.
• Because inherent functionality and controls can be affected by system customizations, practitioners should discuss any customizations and the approach to testing inherent functionality with engagement management.
• Each practice aid is specifically written for Oracle Release 12. Use with any other versions should be done with careful consideration, as there are differences between each Oracle release.
1.1. Practice Aid
PwC's Oracle Practice Aids are documents designed to give a user a broad understanding of Oracle's associated applications, their functionality, and control considerations. These documents are not intended to provide comprehensive general guidance on this process in non-Oracle environments.
For guidance on other modules within Oracle for which there is no PwC Practice Aid, please refer to the appropriate Oracle User Guides for further details. These can be found at http://www.oracle.com/technology/documentation/index.html

Each practice aid is specifically written for Oracle's Release 12 and is divided into 5 main sections, as outlined below:

1.1.1. Introduction/Engagement Approach
The Introduction section of each practice aid outlines potential tools and engagement approaches that may be used when conducting an assessment of an Oracle ERP system. In addition, this contains important Risk and Quality-related caveats and reminders that should be followed for every Oracle engagement.

1.1.2. Business Setups
In this section, key set-ups and configurations that are generally only configured upon installation, upgrades, or major business events are discussed. Definitions of the key configurations are provided to give the practitioner a basic understanding of the setups.

1.1.3. Standing Data
Within the Standing Data section, key configurations that are subject to periodic changes are discussed. Along with functionality definitions, this section outlines how standing data is generally entered into the application. In addition, the linkages between the standing data and business setups are outlined.

1.1.4. Transactions
This section outlines the key transactions within the business process. This includes the definition of the transactions, how transactions are generally entered into the system, as well as the data flow between transactions, standing data, and business setups.

1.1.5. Access and Segregation of Duties
This section outlines the typical access and segregation of duties risks within the Practice Aid's business process.

Within the Standing Data and Transactions sections of the Practice Aid, "Control Considerations" are also outlined. Each Control Consideration section is broken into 4 parts, as outlined below:
o Business Process Variables: These discuss the most common configurations/transactions that may be set up or used differently depending upon the client's use of Oracle's functionality.
o Control Dependencies: This section outlines how configurations or transactions are dependent upon each other or other settings within the application.
o Control Limitations: This section outlines how system configurations or transactions may be overridden. In addition, this section highlights common misconceptions about how the configuration or transaction operates.
o Testing Notes: This section provides suggestions on how a practitioner might test or assess configurations and/or transactions.

The controls considerations section of the Practice Aid focuses solely on high-level concepts. For a listing of controls, refer to the module's work program. This Practice Aid does not list all Oracle standard reports that exist for this cycle. For a complete list of this module's standard Oracle Reports, refer to the Oracle user guide at http://www.oracle.com/technology/index.html. However, for the SA functionality the user guide does not cover all existing reports.
1.2. Work Program
The Work Program outlines the typical automated controls within the Oracle application and may be used in an audit of financial statements, an audit of internal controls over financial reporting or a consulting non-attest review of the Oracle application. For each control, this document provides a typical control description, control objective, information processing objectives, business risk, financial statement assertions, Oracle Application navigation path, and expected results. For the purposes of an audit of financial statements, teams should consider those controls which have been classified as Financial in nature. Each process's work program is specifically designed for a particular release of the Oracle Application. The work program is currently available through the Knowledge Gateway in the US (accessible through Knowledge Curve) or Guardian (http://guardian.pwcinternal.com) in other territories.

1.3. GATE
Oracle GATE is a proprietary web-based tool developed to assist in the analysis of Oracle configuration and security. The tool may be used in an audit of financial statements, an audit of internal controls over financial reports or an integrated audit. Oracle GATE can assist with segregation of duties analysis and module configuration validation procedures. To use Oracle GATE, a series of SQL queries are run against the client's environments to pull data from Oracle database tables. The output from these queries is uploaded to the GATE server, and queries can be run against the server to obtain information about how the client's Oracle Application is configured. For Oracle releases 11.5.7 and later, the Oracle GATE tool can be accessed at oraclegatev2.pwcinternal.com. Individuals intending to use GATE must have sufficient technical skills to conduct such work.

Note: Prior to running any command or script on a client system, discuss with the client and obtain verbal consent. Written consent is also recommended to the extent that this may be obtained.
B. Oracle Engagement Considerations
Practitioners may want to consider the following items during an audit of financial statements, an audit of internal controls over financial reporting, or a consulting non-attest review of the Oracle application:
1) Determine which version of the software your client is using, to ensure the appropriate Practice Aid is utilized. Check the version against the compatibility table in the "Application Highlights" section of this Practice Aid.
2) Inquire of the client's business owners and system administrator if any customizations to the standard software have been made. Request a list of these customizations to assess the effect.
3) Confirm the number of instances (separate Oracle database environments) that the client maintains.
4) Confirm the number of Ledgers, Operating Units and Modules in scope within each Oracle instance.
5) Interview the systems administrator or other suitable IT personnel to gain knowledge and understanding of the system design (linkage with external applications, databases and network), ensuring an understanding of the application version, functionality, and reports (customized or normal) that the client relies upon.
6) Ascertain the approximate size of the user population and number of responsibilities.
7) Approach the security manager and request that a user is created for the practitioner. This role/group should enable the practitioner to have read-only access to all menus and programs in the in-scope Oracle application.
8) Discuss the relevant business processes with the client.
9) A fresh copy of the Practice Aid and its related Work Program(s) should be downloaded for each new engagement to ensure the most up-to-date version is used for tailoring.
10) Based upon the knowledge gained regarding the client's environment, tailor the Work Program to match the client's business processes and specific risk profile.
11) When documenting any test results and resulting risks, consider both the mitigating/compensating controls and the manual processes that may impact an automated environment.
12) If needed, contact the key contacts shown in the Contacts section of this Practice Aid for additional guidance regarding complex technical situations that may arise during the engagement.
C. Oracle Application Highlights

1. Application Structure
The Oracle E-Business Suite (EBS) Enterprise Resource Planning (ERP) system is an integrated software solution that runs off an Oracle database instance. An ERP consists of applications or "modules". Most modules hold transactional data for each business process area (financials, manufacturing, human resources, supply chain management, customer relationship management, etc.). Some modules are used for system-wide support. Each module is linked to the others via the database; therefore, information is seamlessly integrated.

The Oracle EBS system is a three-tier system that consists of the End User Desktop, Application Servers and Database Servers:
Tier 1 - End-User Tier
Tier 2 - Application Tier: Web Servers (optional); Application Servers (Forms servers, concurrent processing servers, administration servers)
Tier 3 - Database Tier: Oracle Database Server

1.1. End User Tier
The end user tier is the path by which users gain access to the application tier. Users access the application via their own computers and a URL address. From the URL address, users enter a user name and password (previously defined at the application tier), which grants them access to the application tier. Once onto the application tier, user access is governed by the responsibilities assigned to the user. Users access functions either via a forms-based model or, in the case of Self-Service modules, a web-based model via the End User Tier mentioned in further detail below.

1.2. Application Tier
The application layer, or middleware, contains the key application programs as well as programs to support web use, screens and administrative tasks within the system. There are several key servers that may exist within this layer, some of which are detailed below:

1.2.1. Web Server (Oracle Portal)
The Portal manages access to Oracle 'Forms' (note that this is the definition Oracle uses to describe screens or windows displayed on the monitor).

1.2.2. Forms Server
The forms server stores the format of the Oracle forms. This is also where the application and some administrative functions reside (i.e. entering and posting of journal entries). The forms server interfaces directly to the Database tier.

1.2.3. Concurrent Processing
The Concurrent Processing server's primary purpose is to load balance the system and enhance performance. It is also used to provide batch processing capability. Reports and other requests are executed by this server, which interfaces directly to the Database tier. Concurrent processing is managed through a scheduling system that controls when updates occur. Along with the scheduling system, concurrent processing can prioritize activities based on transaction importance. In addition, it provides statistical information on system use and performance.

1.2.4. Administration Server
This server interfaces directly to the Database tier and provides operational support such as backup, recovery, startup and shutdown.

1.3. Database Tier
The database environment allows for storage and retrieval of user and administrative data and of other application programs and components. Within Oracle EBS, all data (master, standing, security and transactional) are stored in the Oracle DBMS. Since the Oracle DBMS contains all Oracle-related financially-significant data, the Oracle DBMS is considered the highest risk of the three tiers. Oracle Enterprise Database Management System (DBMS) is the only DBMS that will work with Oracle applications. Releases of Oracle DBMS are intended to operate with specific versions of Oracle applications. The version numbers of the database do not correspond with the Oracle applications version numbers.

1.4. File System
Oracle has made a primary change to the file structure supporting the applications in Release 12. Oracle has now provided instance-specific directories to support each unique environment (dev, test, prod, etc.). With instance-specific data files separated into dedicated directories, upgrades and migrations should be more easily controlled. The new instance home model supports two key concepts:
• The base configuration directories APPL_TOP and ORACLE_HOME can be read-only to support change control. Common application files are not touched for instance-specific modifications.
• Another advantage of employing the concept of an Instance Home is that log files can be stored centrally for an instance, and therefore managed more easily. This is particularly significant from a security perspective, as log files may contain sensitive data that should not be accessible to general users.
The following picture depicts the structure of the Oracle EBS file system:
[Figure: structure of the Oracle EBS file system]

2. Oracle Application Release History

| Version | Release date | Market prevalence | Functionality changes | Practice Aid and Work Program applicability | OASIS/GATE compatibility |
|---|---|---|---|---|---|
| 10.7 | 1998 | Limited | Limited system audit capabilities; full character based | No | OASIS |
| 11.0.3 | 1999 | Rare; limited support by Oracle corporation | Corrected Y2K deficiencies; included client/server environment; introduced GUI interface | No | OASIS |
| 11i (11.5.x) | 2000 (11.5.1), 2002 (11.5.7), 2005 (11.5.10) | Early 11.5.x releases: limited use (buggy); 11.5.7 and later 11.5.x releases in broad use; supported by Oracle | Enhanced performance; web based; significant changes in System Administration module | Yes | GATE |
| 12 | 2007 | Latest release; full support by Oracle | Expansion in web based and workflow functionality; significant changes in System Administration module, including limited introduction of Role Based Access Control, General Ledger, and infrastructure | Yes | GATE |
3. Overview of System Administration
The Application Object Library (AOL) module is the gateway to all functionality in Oracle applications. The following key functions are performed within the AOL module:
• Flexfields
• Auditing and Change Control
• User Management
• System Profile Options
• System Reports
NOTE: Internally at PwC, we refer to the AOL and System Administration module together as System Administration (SA).

3.1. Flexfields
As the name suggests, flexfields are flexible fields made up of sub-fields, or segments. Oracle uses two types of flexfields: key flexfields and descriptive flexfields. Key flexfields are stored codes (or values) used system-wide for general ledger accounts, part numbers, and other business entities. Descriptive flexfields provide customizable "expansion space" on Oracle forms to track information unique to the company's business. For a more detailed discussion of flexfields, refer to the Flexfields section below.

3.2. Auditing and Change Control
Auditing can be enabled to monitor changes made either through the application or directly to the database rows. In addition, the application can be enabled to monitor successful and unsuccessful user logons and to record the responsibilities, terminals, or forms accessed by a user. Change control monitors who requested the change, the expected results from the change, the testing procedures and their outcomes, and the final approval by management to implement the change in production. A record of change control includes who, what, when, where and why. The iSetup functionality available from 11i can support the change management process. It enables administrators to extract, transform and migrate setup data in a controlled way and compare setup data with available standard reports. Please see the Auditing section of this Practice Aid for further discussion.

3.3. User Management
In addition to the AOL module, the System Administration module is used to store the Oracle responsibility (user profile) definitions. The application comes with a number of default responsibilities, but a company can customize responsibilities to suit their business needs and restrict access to various tasks as appropriate. There are various objects/settings assigned to a responsibility within the application that allow a User ID the ability to perform activities within Oracle (i.e. menus, data groups, functions and request security groups). Responsibilities can be defined to allow access to the following areas:
• Specific applications/modules.
• Ledger name/Legal entity.
• Restricted list of windows.
• Restricted list of functions.
• Reports in a specific application.
A diagram outlining the relationship between users, responsibilities, functions and modules is below:
[Diagram: Oracle End Users (User 1, User 2) -> Oracle Role (available in 11.5.10) -> Oracle Responsibility (GL Controller, AR Inquiry, AP Payment Supervisor) -> Oracle Forms / Functions (GL Forms / Functions, AR Forms / Functions, AP Forms / Functions) -> Oracle Modules (Oracle General Ledger, Oracle Accounts Receivables, Oracle Accounts Payables)]

There is no default user access that is granted just by being given an account in Oracle EBS. The security administrator (through the System Administrator responsibility) must assign a User ID with responsibilities for the user to be granted abilities to perform tasks/functions within Oracle.

Due to the newly introduced multi-organizational access control (MOAC) functionality, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. Using MOAC, multiple operating units are assigned to a security profile. This security profile is then assigned either to responsibilities or directly to users. A typical usage would be a responsibility in a shared service centre, which serves different operating units. For further details on MOAC please refer to the section on Multiple Organization Access Control.

3.4. System Profile Options
System Profile Options can be grouped into three types: Security, Organization, and Server types. Practitioners are mainly concerned with Security type profile options that affect the operation of Oracle Applications. Security type profile options can be configured according to the needs of the user community, as they can be set at the Site, Application, Responsibility, or User level. Security profile options are generally maintained by the Application System Administrators and may be set at more than one level: Site has the lowest priority, superseded by Application, then Responsibility, and finally User. Higher-level profile option settings will override lower-level settings. The security system profile options hierarchy is documented below in the diagram. Please see the System Profile Options section of this Practice Aid for more details.
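The Site < Application < Responsibility < User precedence just described, worked through in code as an added example (not Oracle's or PwC's code): it resolves the value that applies to a given user/responsibility/application and lists the lower-level rows that weaken the site setting. The rows are constructed; SIGNON_PASSWORD_LENGTH is a real EBS security profile option, and the LEVEL_ID codes are the ones Oracle stores in FND_PROFILE_OPTION_VALUES (10001 site, 10002 application, 10003 responsibility, 10004 user).

```python
"""Resolve an Oracle EBS profile option through the Site < Application <
Responsibility < User hierarchy and flag weakening overrides.

Added example; profile rows below are constructed, not a client export."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SITE, APPLICATION, RESPONSIBILITY, USER = 10001, 10002, 10003, 10004
LEVEL_NAME = {SITE: "Site", APPLICATION: "Application",
              RESPONSIBILITY: "Responsibility", USER: "User"}
# Evaluation order: the first level with a value wins, so a User-level value
# overrides Responsibility, which overrides Application, which overrides Site.
PRECEDENCE = (USER, RESPONSIBILITY, APPLICATION, SITE)


@dataclass(frozen=True)
class ProfileValue:
    option: str
    level_id: int
    level_value: Optional[str]   # None at Site; app/resp/user name otherwise
    value: str


@dataclass(frozen=True)
class Context:
    """The signed-on user, their responsibility, and that responsibility's
    owning application."""
    user: str
    responsibility: str
    application: str


def effective_value(rows: List[ProfileValue], option: str,
                    ctx: Context) -> Tuple[Optional[str], Optional[int]]:
    """Return (value, level_id) that applies in `ctx`, or (None, None) when
    the option is unset at every level."""
    wanted = {USER: ctx.user, RESPONSIBILITY: ctx.responsibility,
              APPLICATION: ctx.application, SITE: None}
    found = {}
    for r in rows:
        if (r.option == option and r.level_id in wanted
                and r.level_value == wanted[r.level_id]):
            found[r.level_id] = r.value
    for level in PRECEDENCE:
        if level in found:
            return found[level], level
    return None, None


def weakening_overrides(rows: List[ProfileValue], option: str,
                        is_weaker: Callable[[str, str], bool]):
    """Rows below Site level whose value is weaker than the Site value, as
    judged by is_weaker(candidate, site_value). Each hit is
    (level name, level value, setting), in row order."""
    site = next((r.value for r in rows
                 if r.option == option and r.level_id == SITE), None)
    if site is None:
        return []
    return [(LEVEL_NAME[r.level_id], r.level_value, r.value)
            for r in rows
            if r.option == option and r.level_id != SITE
            and is_weaker(r.value, site)]


# Constructed sample rows: site minimum password length 10, weakened for one
# responsibility and one user. Names follow the diagram above.
OPTION = "SIGNON_PASSWORD_LENGTH"
SAMPLE_ROWS = [
    ProfileValue(OPTION, SITE, None, "10"),
    ProfileValue(OPTION, RESPONSIBILITY, "AR Inquiry", "8"),
    ProfileValue(OPTION, USER, "USER2", "6"),
]


def shorter_than(candidate: str, site_value: str) -> bool:
    """For a minimum-length option, a smaller number is the weaker setting."""
    return int(candidate) < int(site_value)


if __name__ == "__main__":
    for ctx in (Context("USER1", "GL Controller", "Oracle General Ledger"),
                Context("USER1", "AR Inquiry", "Oracle Receivables"),
                Context("USER2", "GL Controller", "Oracle General Ledger")):
        value, level = effective_value(SAMPLE_ROWS, OPTION, ctx)
        print(f"{ctx.user:6} {ctx.responsibility:16} -> {value} "
              f"(set at {LEVEL_NAME[level]} level)")
    for hit in weakening_overrides(SAMPLE_ROWS, OPTION, shorter_than):
        print("weaker than site value:", hit)
```

The override listing is the part worth keeping in a work program: a site-level security setting tells you nothing about a user whose own row, or whose responsibility's row, relaxes it.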
3.5. System Reports
The following table lists key default reports that can be used for the assessment of Oracle System Administration when the Oracle GATE Application is not being utilized:

| Report | Description |
|---|---|
| Active Responsibilities and Users (Application Object Library) | The report of responsibilities linked to the users assigned to the responsibility |
| Active Users | All the usernames that are both currently active and have at least one active responsibility |
| CP SQL*Plus Expire FND_USER Passwords | Concurrent request to force all Applications users to change their password |
| Workflow Directory Services User/Role Validation (Application Object Library) | Validates the user/role information in Workflow Directory Services |
[Sample report: Active Responsibilities and Users Report]
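The selection logic behind the "Active Users" and "Active Responsibilities and Users" reports above, reproduced as an added example (not Oracle's report code) so the criteria can be re-run over an extract and the exceptions an auditor cares about are surfaced. The input rows are constructed; their columns mirror FND_USER (USER_NAME, START_DATE, END_DATE) and a user-to-responsibility assignment table, and the activity test assumed here is the common EBS convention START_DATE <= today and END_DATE null or later than today.

```python
"""Active Users / Active Responsibilities and Users report logic over
constructed FND_USER-style rows, plus two follow-up exception lists.

Added example; the rows are constructed, not a client extract."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Set


class UserRow(NamedTuple):
    user_name: str
    start_date: date
    end_date: Optional[date]          # None = account not end-dated


class RespAssignment(NamedTuple):
    user_name: str
    responsibility: str
    start_date: date
    end_date: Optional[date]


def is_active(start: date, end: Optional[date], as_of: date) -> bool:
    """Assumed EBS convention: started on or before as_of, and either not
    end-dated or end-dated after as_of."""
    return start <= as_of and (end is None or end > as_of)


def active_responsibilities_by_user(users: List[UserRow],
                                    assignments: List[RespAssignment],
                                    as_of: date) -> Dict[str, Set[str]]:
    """Every active account, mapped to its currently active responsibilities
    (possibly an empty set)."""
    live = {u.user_name for u in users
            if is_active(u.start_date, u.end_date, as_of)}
    result: Dict[str, Set[str]] = {u: set() for u in live}
    for a in assignments:
        if a.user_name in live and is_active(a.start_date, a.end_date, as_of):
            result[a.user_name].add(a.responsibility)
    return result


def active_users(users, assignments, as_of) -> List[str]:
    """Active Users report: active accounts with at least one active
    responsibility."""
    by_user = active_responsibilities_by_user(users, assignments, as_of)
    return sorted(u for u, resps in by_user.items() if resps)


def responsibilities_and_users(users, assignments, as_of) -> Dict[str, List[str]]:
    """Active Responsibilities and Users report: each responsibility that is
    actively assigned, with the active users holding it."""
    out: Dict[str, Set[str]] = {}
    for u, resps in active_responsibilities_by_user(users, assignments, as_of).items():
        for r in resps:
            out.setdefault(r, set()).add(u)
    return {r: sorted(us) for r, us in sorted(out.items())}


def review_exceptions(users, assignments, as_of) -> Dict[str, List[str]]:
    """Two conditions neither standard report shows directly: active accounts
    that can still sign on but hold no active responsibility, and end-dated
    accounts whose responsibility rows were never end-dated (incomplete
    deprovisioning, which matters if the account is ever re-enabled)."""
    by_user = active_responsibilities_by_user(users, assignments, as_of)
    no_resp = sorted(u for u, resps in by_user.items() if not resps)
    ended = {u.user_name for u in users
             if not is_active(u.start_date, u.end_date, as_of)}
    stale = sorted({a.user_name for a in assignments
                    if a.user_name in ended
                    and is_active(a.start_date, a.end_date, as_of)})
    return {"active_without_responsibility": no_resp,
            "end_dated_with_open_responsibility": stale}


# Constructed sample extract. USER2 is end-dated but keeps an open
# responsibility row; USER3 is active with a future-dated responsibility;
# USER4 has not started yet.
AS_OF = date(2007, 6, 30)
USERS = [
    UserRow("SYSADMIN", date(2000, 1, 1), None),
    UserRow("USER1", date(2005, 3, 1), None),
    UserRow("USER2", date(2005, 3, 1), date(2007, 1, 31)),
    UserRow("USER3", date(2006, 1, 1), None),
    UserRow("USER4", date(2008, 1, 1), None),
]
ASSIGNMENTS = [
    RespAssignment("SYSADMIN", "System Administrator", date(2000, 1, 1), None),
    RespAssignment("USER1", "GL Controller", date(2005, 3, 1), None),
    RespAssignment("USER1", "AR Inquiry", date(2005, 3, 1), date(2006, 12, 31)),
    RespAssignment("USER2", "AP Payment Supervisor", date(2005, 3, 1), None),
    RespAssignment("USER3", "GL Controller", date(2007, 9, 1), None),
    RespAssignment("USER4", "GL Controller", date(2008, 1, 1), None),
]

if __name__ == "__main__":
    print("Active Users:", active_users(USERS, ASSIGNMENTS, AS_OF))
    print("Active Responsibilities and Users:",
          responsibilities_and_users(USERS, ASSIGNMENTS, AS_OF))
    print("Exceptions:", review_exceptions(USERS, ASSIGNMENTS, AS_OF))
```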
D. Flexfields
Flexfields are Oracle's main method of storing data. Each flexfield is made up of segments (i.e. subfields) for which data entry and validation procedures may be easily completed without programming. Flexfields are generally created and maintained by a System Administrator via the Applications Object Library (Sys Admin) module. Note that other modules, which do not "own" the flexfield, may have access to define and/or use the flexfield. Flexfields provide clients with flexible features needed to satisfy the following business needs:
• Configure applications to conform to current business practice for accounting codes, item numbers, job descriptions, and other codes.
• Configure data fields to meet your business needs without programming.
• Configure applications to capture data that would not otherwise be tracked by the application.
• Have "intelligent fields" that are fields comprised of one or more segments, where each segment has both a value and a meaning.
• Rely upon the application to validate the values and the combination of values that are entered in intelligent fields.
• Have the structure of an intelligent field change depending on data in the form or application data.
• Query intelligent fields for very specific information.
The following sections describe the types of flexfields available and how these flexfields are structured.

1. Flexfield Types
There are two types of flexfields in Oracle: Key flexfields (such as a job flexfield) and Descriptive flexfields (additional order hold approval information).

1.1. Key Flexfields
Key flexfields provide a flexible way for the Oracle Applications to represent objects such as accounting codes, item/product codes, HR codes such as job and position codes, and more. Key flexfield definitions are seeded within Oracle forms, and some key flexfields are required, while others are optional. Here is a table listing all the key flexfields in Oracle Applications, ordered by the application that "owns" the key flexfield.

| Owner | Name |
|---|---|
| Oracle Assets | Asset Key Flexfield; Category Flexfield; Location Flexfield |
| Oracle General Ledger | Accounting Flexfield (changes within the Flexfield) |
| Oracle Human Resources | Grade Flexfield; Job Flexfield; Personal Analysis Flexfield; Position Flexfield; Soft Coded KeyFlexfield |
| Oracle Inventory | Account Aliases; Item Catalogs; Item Categories; Sales Orders; Stock Locators; System Items |
| Oracle Payroll | Bank Details; Cost Allocation; People Group |
| Oracle Receivables | Sales Tax Location |
| Oracle Service | Territory; Oracle Service Item |
| Oracle Training Administration | Training Resources |

To an end user, a key flexfield appears on the form as a normal text field with an ellipsis prompt at the end of the field. This prompt function has a drill down, bringing users to a list of values. These segments and combinations of values (segment values) represent the object. For example, the General Ledger uses a key flexfield to represent accounting codes throughout Oracle Applications. For information on how each key flexfield is used within its "owner" application, please refer to that module's Practice Aid and/or Oracle User Guide at http://www.oracle.com/technology/index.html.

The following screenshot illustrates the drilldown from an accounting flexfield on a journal entry window to its individual segments and segment values.
[Screenshot: Code Combination -> Segments -> Segment Values for Account Segment]

1.2. Descriptive Flexfields
Similarly, descriptive flexfields provide a flexible way for Oracle to provide configurable "expansion space" or additional fields in forms, or as context-sensitive fields that appear only when needed. A descriptive flexfield appears on the form (i.e. screen) as a two-character-wide text field with square brackets [ ] as its prompt. The following screenshot illustrates a descriptive flexfield called "Reconciliation Headers" used to capture additional data that would not normally be required in a journal entry window.
[Screenshot: descriptive flexfield "Reconciliation Headers" on a journal entry window]

For more information on the components of flexfields, refer to the following sections.
1.3. Control Considerations
Refer to each module's practice aid for control considerations pertinent to that module's specific flexfields.

2. Key Flexfield Components
Both types of flexfields described above enable clients to customize Oracle Application features through simple configuration setups, i.e. without programming. The following sections discuss the setup steps required to configure these flexfields.

2.1. Flexfield Structure
To create a key or descriptive flexfield, clients must first select the type of structure, such as an Accounting Flexfield, Asset Flexfield, or Item Catalog. Then, they must create the structure. Flexfield structures provide the framework for all of the flexfield's components and tie the Key Flexfield to the Application. Below, the Accounting Flexfield named Operations_Accounting (the structure) is created.
Each Key flexfield can be set with the following configurations.

2.1.1. Enabling Flexfield Structures
The Enabled check box is checked so that structures may be used in key flexfields. A structure must be enabled before it can be used. Structures cannot be deleted from this window because they are referenced elsewhere in the system, but they can be disabled at any time.

2.1.2. Segment Separator
This character is used to separate flexfield segment values or descriptions whenever the application displays concatenated segment values or descriptions. The available values are …

2.1.3. Cross-validation rules
The Cross-Validate Segments check box is selected if clients want to cross-validate multiple segments using cross-validation rules. Cross-validation rules are used to define valid combinations using the Cross-Validation Rules window. This box is unchecked if clients want to disable any existing cross-validation rules. For a detailed discussion of cross-validation rules in the context of the General Ledger key accounting flexfield, refer to the General Ledger practice aid. The cross-validation concepts discussed there apply to other key flexfields.

2.1.4. Freeze Rollup Groups
Used to indicate whether rollup group definitions are to be frozen. If this is enabled, users are prevented from modifying rollup groups using the Segment Values form. Refer to the General Ledger practice aid for more information on rollup groups.

2.1.5. Allow Dynamic Inserts
Dynamic Inserts are used for the General Ledger Key Flexfield to allow dynamic insertion of new valid account code combinations into the GL code combinations table. For more information on Dynamic Insertion, please refer to the General Ledger Practice Aid.

2.1.6. Freeze Flexfield Definitions
Once the structure's setup has been completed (or modified), the flexfield definition must be frozen and saved. These actions cause flexfields to compile automatically in order to improve on-line performance.

2.2. Value Sets
Oracle uses the concept of segments (i.e. sub-fields) to determine the data structure clients want to use and in what order they want the segments to appear. Value sets govern the type of content that can be entered into a segment and what validation needs to occur for each segment.
Note: This screen was modified with the addition of the usages button. The usages button is used to view which flexfield segment or concurrent program parameter uses a particular value. Please also consider the new color scheme Oracle has added.

2.3. Flexfield Segments
A segment is a single sub-field within a flexfield. Flexfield Segments can have two components, the segment definition and a segment qualifier.

2.3.1. Flexfield Segment Definition
For a key flexfield, a segment's definition usually describes a particular characteristic of the entity identified by the flexfield. Segments can also be thought of as "containers" for segment values. In the accounting flexfield each segment is separated by a hyphen and represents a different characteristic. For example, in the screenshot below the different segments are Company, Department, Account, Sub-Account, and Product.
The following window is used to configure the number of segments, their appearance and meaning as well as the validation of segment values. Because the conditions specified for value sets determine what values can be used for them, both value sets and values should be defined at the same time. In the example below, the account segment is assigned a value set "Operations Account" which restricts the range of values that can be defined for the account segment to a maximum size of 4 alphanumeric characters. For example, if values are designed to be 6 characters long ranging from 000001, 000002 to 999999 instead of 1, 2, etc., the value set would be defined to accept only values with "Right-Justify Zero-fill" set to "Yes" and other validation parameters set accordingly, as illustrated below.

2.3.2. Flexfield Segment Qualifiers
A flexfield qualifier identifies a particular segment of a key flexfield. Usually an application needs some method of identifying a particular segment for some application purpose such as security or computations. However, since a key flexfield can be configured so that segments appear in any order with any prompts, the application needs a mechanism other than the segment name or segment order to use for segment identification. Flexfield qualifiers serve this purpose. Flexfield qualifiers can be thought of as "identification tags" for a segment. For example, the Oracle General Ledger product needs to be able to identify which segment in the Accounting Flexfield contains balancing information and which segment contains natural account information. Since the Accounting Flexfield can be configured so that segments appear in any order with any prompts, Oracle General Ledger needs the flexfield qualifier to determine which segment is being used for natural account information. When an Accounting Flexfield is defined, the flexfield qualifiers that apply to each segment must be specified as illustrated below, if required.
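The value-set validation described in sections 2.2 and 2.3.1 and the cross-validation rules and dynamic insertion settings of sections 2.1.3 and 2.1.5, as one added Python model that is not from the practice aid or from Oracle: a value set normalizes input the way "Right-Justify Zero-fill" does and enforces maximum size and list-of-values checks, a cross-validation rule is a set of Include/Exclude range lines, and a combination that passes both is accepted only if it already exists or Allow Dynamic Inserts is on. The three-segment structure, its value sets, segment values and the rule are constructed; only the names Operations_Accounting and Operations Account come from the text.

```python
from dataclasses import dataclass, field


@dataclass
class ValueSet:
    name: str
    max_size: int
    right_justify_zero_fill: bool = False
    valid_values: set = None  # None means format validation only

    def normalize(self, raw: str) -> str:
        raw = raw.strip()
        if self.right_justify_zero_fill and raw.isdigit():
            return raw.rjust(self.max_size, "0")  # "1" is stored as "000001"
        return raw

    def error(self, raw: str):
        """Return an error string, or None when the value is acceptable."""
        value = self.normalize(raw)
        if len(value) > self.max_size:
            return f"'{value}' exceeds max size {self.max_size}"
        if not value.isalnum():
            return f"'{value}' must be alphanumeric"
        if self.valid_values is not None and value not in self.valid_values:
            return f"'{value}' is not a defined segment value"
        return None


@dataclass
class RuleLine:
    include: bool  # True for an Include line, False for an Exclude line
    low: tuple     # per-segment low bound, in stored (normalized) form
    high: tuple    # per-segment high bound

    def matches(self, combo: tuple) -> bool:
        return all(lo <= v <= hi for v, lo, hi in zip(combo, self.low, self.high))


@dataclass
class CrossValidationRule:
    name: str
    lines: list
    message: str

    def passes(self, combo: tuple) -> bool:
        # Valid when at least one Include line matches and no Exclude line does.
        included = any(l.matches(combo) for l in self.lines if l.include)
        excluded = any(l.matches(combo) for l in self.lines if not l.include)
        return included and not excluded


@dataclass
class KeyFlexfieldStructure:
    name: str
    segments: list  # ordered list of (segment name, ValueSet)
    separator: str = "-"
    cross_validate: bool = True
    rules: list = field(default_factory=list)
    allow_dynamic_inserts: bool = False
    code_combinations: set = field(default_factory=set)

    def validate(self, concatenated: str):
        """Return (ok, stored code or None, list of error strings)."""
        parts = concatenated.split(self.separator)
        errors = []
        for raw, (seg, vset) in zip(parts, self.segments):
            err = vset.error(raw)
            if err:
                errors.append(f"{seg}: {err}")
        if errors:
            return False, None, errors
        combo = tuple(v.normalize(r) for r, (_, v) in zip(parts, self.segments))
        if self.cross_validate:
            errors = [f"{r.name}: {r.message}" for r in self.rules if not r.passes(combo)]
        if errors:
            return False, None, errors
        if combo not in self.code_combinations:
            if not self.allow_dynamic_inserts:
                return False, None, ["combination not defined; dynamic insertion is off"]
            self.code_combinations.add(combo)  # dynamic insertion of a new combination
        return True, self.separator.join(combo), []


# Constructed three-segment Operations_Accounting structure; the rule restricts
# Payroll Cash (account 1120) to company 02.
OPERATIONS_ACCOUNTING = KeyFlexfieldStructure(
    name="Operations_Accounting",
    segments=[
        ("Company", ValueSet("Operations Company", 2, right_justify_zero_fill=True,
                             valid_values={"01", "02"})),
        ("Department", ValueSet("Operations Department", 6, right_justify_zero_fill=True)),
        ("Account", ValueSet("Operations Account", 4, valid_values={"1000", "1110", "1120"})),
    ],
    rules=[CrossValidationRule(
        "Payroll cash by company",
        [RuleLine(True, ("00", "000000", "0000"), ("99", "999999", "ZZZZ")),
         RuleLine(False, ("01", "000000", "1120"), ("01", "999999", "1120"))],
        "Payroll cash (1120) may only be used by company 02")],
    allow_dynamic_inserts=True,
)
```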
Other applications, such as Oracle Human Resources, also use flexfield qualifiers. Oracle Human Resources uses flexfield qualifiers to control who has access to confidential information in flexfield segments.

2.4. Flexfield Segment Values
There are 3 key concepts to consider regarding Flexfield Segment Values:
• Definition of Segment Values
• Segment Value Qualifiers
• Segment Value Combinations

2.4.1. Definition of Segment Values
Segment values are individual values contained within the segment that further define the segment definition. In the example below, Total Assets (account 1000), Cash (account 1110) and Payroll Cash Accounts (account 1120) are individual values within the 'Account' Segment:
2.4.2. Segment Value Qualifiers
A segment value qualifier identifies a particular type of value within a single segment of a key flexfield. A segment value qualifier can be thought of as an "identification tag" for a value. In the Oracle Applications, only the Accounting Flexfield uses segment value qualifiers. In the Accounting Flexfield, segment value qualifiers determine whether detail posting or budgeting are allowed for a particular value. In the example below, the Cash Account is defined as an Asset account, and this value can be used in budgeting and posted transactions. Because the GL Accounting Flexfield is the only Oracle Applications key flexfield that uses the parent, rollup group, hierarchy level and segment qualifier information illustrated above, clients need only enter this information for values that are associated with the Accounting Flexfield. For more information on such account hierarchies, refer to the General Ledger practice aid.

It is easy to confuse the two types of qualifiers. A flexfield qualifier is used by the whole flexfield to tag its pieces, i.e. segments, and a segment qualifier is used to tag its values and is only applicable to the Oracle General Ledger accounting flexfield.

2.5. Control Considerations
Refer to each module's practice aid for control considerations pertinent to that module's specific flexfields.

3. Descriptive Flexfield Components
Descriptive Flexfields (DFFs) use the same concepts as Key Flexfields, including Structure, Segments, and Segment Values. The difference with descriptive flexfields is that they use columns that are added on to a database table. The table contains any columns that its entity requires, such as a primary key column and other information columns. For example, a Vendors table would contain columns for standard vendor information such as Vendor Name, Address, and Vendor Number. The descriptive flexfield columns provide "blank" columns that you can use to store information that is not already stored in another column of that table. A descriptive flexfield requires one column for each possible segment and one additional column in which to store structure
Once the DFF's structure is defined, compiled and frozen, Oracle Applications submits a concurrent request to generate a database view of the table that contains the descriptive flexfield segment columns. Note that fields in a descriptive flexfield pop-up window are also referred to as segments even though they do not necessarily make up meaningful codes like the segments in key flexfields.

Descriptive flexfields have two different types of segments, global and context-sensitive, that you can decide to use in a descriptive flexfield structure. A global segment is a segment that always appears in the descriptive flexfield pop-up window, regardless of context (any other information in your form). A context-sensitive segment appears when the appropriate context information is entered in a related field. The following screenshot illustrates a descriptive flexfield called "Reconciliation Headers" used to capture additional data that would not normally be required in a journal entry window.

3.1. Control Considerations
Refer to each module's practice aid for control considerations pertinent to that module's specific flexfields.
E. Auditing
Oracle EBS supports two fundamental methods of auditing -- activity-based auditing and data-based auditing. Individually, these two methods provide only a partial picture of the activity or changes to the system. Together, these two methods provide for a deeper understanding of the activity and changes to the system. The AuditTrail: Activate system profile option is required to be enabled for Oracle-based auditing to function. Even though many audit features might be configured, those features will not function unless this profile option is enabled.

1. Oracle Auditing Methods

1.1. Activity Based Auditing
Activity-based auditing focuses on the actions by individuals or groups of individuals. Oracle EBS can track the actions of users, including login activities and which forms have been accessed by users. The system profile option Sign-On: Audit Level is used to support this method of auditing. The values for this system profile option are None, User, Responsibility and Form. Much like other system profile options, this profile option can be set at the site, application, responsibility and user level. The audit trail impact of each profile option value at each level is as follows.

Level: Site
• None -- No global auditing is enabled to track when users sign on to the system.
• User -- Global auditing is enabled to track when users sign on to the system. The size of the audit trail is dependent on the active user population.
• Responsibility -- Global auditing is enabled to not only identify when users sign on to the system but also the responsibilities selected. At a minimum, the audit trail will be twice the size of the audit trail created by selecting the value User.
• Form -- Global auditing is enabled that identifies the forms / screens the user accesses while signed on in the system. The size of the audit trail created by this setting (site/form) will be significant.

Level: Application
• None / blank -- No auditing is specifically enabled to track when users sign on to the system. Oracle will default to the site-level value.
• User -- Auditing for the specific application is enabled to identify which users access that application through any responsibility.
• Responsibility -- Auditing for the specific application is enabled to identify which users and responsibilities access the application.
• Form -- Auditing is enabled that identifies the forms / screens the user accesses within the application. The size of the audit trail created by this setting (application/form) will vary based on the application selected and the amount of activity in that application.

Level: Responsibility
• None / blank -- No auditing is specifically enabled to track when responsibilities are accessed. Oracle will default to the application and site-level values.
• User -- Auditing for the specified responsibility is enabled to identify which users access that responsibility.
• Responsibility -- At the responsibility level, this setting appears to be redundant with the User value.
• Form -- Auditing is enabled that identifies the forms / screens the user accesses from within the responsibility. The size of the audit trail created by this setting (responsibility/form) will vary based on the responsibility selected and the amount of activity performed by that responsibility.

Level: User
• None / blank -- No auditing is specifically enabled to track when a specified form is accessed. Oracle will default to the responsibility, application and site-level values.
• User -- Auditing is enabled that identifies which user accesses a specified form.
• Responsibility -- Auditing is enabled that identifies which responsibility, via any user, accesses a specified form.
• Form -- At the form level, this setting appears to be redundant with the Responsibility value.
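To make the level-by-level table concrete, an added Python model that is not Oracle code and not from the practice aid: it resolves the effective Sign-On: Audit Level for a session from the site/application/responsibility/user hierarchy, counts the rows a session would add to the three Sign-On Audit tables, and flags the site-level Form setting discussed under Control Considerations. FND_LOGINS, FND_LOGIN_RESPONSIBILITIES and FND_LOGIN_RESP_FORMS are Oracle's standard Sign-On Audit tables; the profile values, users, responsibilities and sessions are constructed, and the row counts are a simplification of what Oracle writes.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Values of the Sign-On: Audit Level profile option, least to most detailed.
AUDIT_LEVELS = ("NONE", "USER", "RESPONSIBILITY", "FORM")


@dataclass
class SignOnAuditProfile:
    """Sign-On: Audit Level as set at each level of the profile hierarchy.
    A blank value at a level means 'not set'; the practice aid treats 'None'
    below site level the same way, so both defer to the next level up."""
    site: str = "NONE"
    application: Dict[str, str] = field(default_factory=dict)     # by application
    responsibility: Dict[str, str] = field(default_factory=dict)  # by responsibility
    user: Dict[str, str] = field(default_factory=dict)            # by user name

    def effective_level(self, user: str, responsibility: str, application: str) -> str:
        # The most specific level wins: user > responsibility > application > site.
        for value in (self.user.get(user), self.responsibility.get(responsibility),
                      self.application.get(application)):
            if value and value.upper() != "NONE":
                return value.upper()
        return self.site.upper()


@dataclass
class Session:
    user: str
    responsibility: str
    application: str
    forms_opened: List[str]


def audit_rows(profile: SignOnAuditProfile, session: Session) -> Dict[str, int]:
    """Rows one session adds to each Sign-On Audit table at its effective level.
    Simplification: one login row per session, one responsibility row per
    session, one form row per form opened."""
    level = profile.effective_level(session.user, session.responsibility, session.application)
    rank = AUDIT_LEVELS.index(level)
    return {
        "FND_LOGINS": 1 if rank >= 1 else 0,
        "FND_LOGIN_RESPONSIBILITIES": 1 if rank >= 2 else 0,
        "FND_LOGIN_RESP_FORMS": len(session.forms_opened) if rank >= 3 else 0,
    }


def trail_size(profile: SignOnAuditProfile, sessions: List[Session]) -> Dict[str, int]:
    """Total rows a list of sessions would add; use it to compare settings."""
    total = {"FND_LOGINS": 0, "FND_LOGIN_RESPONSIBILITIES": 0, "FND_LOGIN_RESP_FORMS": 0}
    for session in sessions:
        for table, rows in audit_rows(profile, session).items():
            total[table] += rows
    return total


def review_profile(profile: SignOnAuditProfile, audit_trail_active: bool) -> List[str]:
    """Findings from the profile settings alone, following the practice aid's
    control considerations."""
    findings = []
    if not audit_trail_active:
        findings.append("AuditTrail: Activate is not enabled; configured auditing will not function")
    if profile.site.upper() == "FORM":
        findings.append("Sign-On: Audit Level is Form at site level; this records voluminous "
                        "data and suggests no risk-based scoping has been done")
    if profile.site.upper() == "NONE" and not any(
            v.upper() != "NONE" for scope in (profile.application, profile.responsibility,
                                              profile.user) for v in scope.values()):
        findings.append("no sign-on auditing is enabled at any level")
    return findings


# Constructed sample: site-wide login auditing, form-level auditing only for the
# Payables Manager responsibility, and a constructed user-level override.
SAMPLE_PROFILE = SignOnAuditProfile(
    site="User",
    responsibility={"Payables Manager": "Form"},
    user={"SYSADMIN_AUDIT": "Responsibility"},
)
SAMPLE_SESSIONS = [
    Session("JSMITH", "Payables Manager", "SQLAP", ["APXINWKB", "APXPAWKB"]),
    Session("AJONES", "General Ledger Super User", "SQLGL", ["GLXJEENT"]),
    Session("SYSADMIN_AUDIT", "General Ledger Super User", "SQLGL", ["GLXJEENT"]),
]
```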
1.2. Data Based Auditing
Oracle EBS also supports auditing based on changes to data. These features in Oracle are called Audit Groups and Audit Tables. Standing or master data can be monitored to identify changes to specific fields. Audit groups assist the administrator in managing the various Audit Tables being used.
1.3. Control Considerations
1.3.1. Business Process Variables
o Oracle's auditing functionality is generally not enabled at clients because it consumes significant computing resources.
o A balance between monitoring too much and too little should be established. Clients who have set Sign-On: Audit Level at the site level with a value of Form are recording voluminous information that probably is not providing the audit or control benefit intended. Clients using this setting have not performed a risk-based assessment to determine the sensitive areas, users and responsibilities within EBS that should be monitored.
o For the most efficient auditing, a risk-based approach should be used to identify the high risk transactions and/or users.
1.3.2. Control Dependencies
o None
1.3.3. Control Limitations
o None
1.3.4. Testing Notes
o PwC staff reviewing Oracle-based auditing should consider the client's requirements for monitoring. Oracle-based auditing should complement those requirements.
o Additionally, PwC staff should consider the relationship between activity-based auditing and the data-based auditing that the client has enabled, if any.
2. Non-Audit based Change Control
Without the auditing feature turned on, Oracle only maintains a minimal audit trail. When auditing is not enabled, only the record creation date, record creator and the record's last modification date are recorded. Oracle does not automatically store any changes made between the creation of the record and the last update, and Oracle does not record what data was changed during the last update (only that the form was changed). Because change control is not maintained within the application, it can only be controlled manually or via a third-party application. Since a comprehensive list of changes to the application is not available within the application, clients often use a third party tool to track versions and movement of the code. Tools and controls used to support a change control environment could include:
• Application versioning using tools such as PVCS from Serena, or Oracle Enterprise Manager.
• Change request / ticket management using tools such as Remedy from BMC.
• Operating system security controlling access to production files and folders.
• Server change monitoring tools such as Tripwire from Tripwire, Inc.
Oracle EBS: This audit trail only includes a time/date stamp and the user responsible for the last update to the record. This audit trail does not show a history of changes or the elements that were changed, only when the last update occurred and who performed that update. Please see the Auditing section in this Practice Aid for further information.
Related topics are the new file structure and the usage of iSetup. iSetup is a data management product that helps in automating migration and monitoring of EBS setup data. iSetup helps in the migration of data between different instances of the EBS functionality. However, iSetup might not be used widely in the marketplace, especially for this purpose. iSetup is a two-part application:
• iSetup Configurator runs on the web and provides an interactive questionnaire to capture an organization's business requirements and configurations.
• iSetup Migrator is the load functionality that populates the application setup tables with the requested parameter values.
Configuration/Functionality Changes with iSetup
iSetup Migrator
Hierarchical Selection Sets: Hierarchical Selection Sets capture functional dependencies between items scheduled for migration. iSetup is able to remember and enforce these dependencies when migrating configurations / data.
Upload Extracts: New functionality includes the ability to upload an iSetup Extract from the user's desktop. Once uploaded successfully, the extract can be re-used for reporting or the load process.
Comparison Reporting: iSetup now allows users to compare snapshot files. These snapshot files can be data from a single instance across a timeline or from two different instances. Users can view the generated report online or download the report in PDF, RTF or Excel format.
2.1. Control Considerations
2.1.1. Business Process Variables
o None
2.1.2. Control Dependencies
o None
2.1.3. Control Limitations
o None
2.1.4. Testing Notes
o None
F. End User Access
1. Responsibility and Security Group Management
Users having access to Oracle EBS only have access to application functionality through the use of responsibilities. A responsibility is a collection of menus that are, in essence, navigation paths. Each menu, or sub-menu, is a collection of Oracle forms (screens) and functions (transactions). In addition to these application features, groups of programs are assigned to responsibilities via a request security group. In version 11.5.10, responsibilities could be grouped together under roles. A role can be configured to consolidate the responsibilities, permissions, function security and data security policies that users require to perform a specific function. This is accomplished with a one-time setup, in which permissions, responsibilities, and other roles are assigned to a single role. For more information on Role Based Access Control (RBAC) refer to section 2.3 in this practice aid. The following illustration identifies and briefly describes the elements required to create a responsibility.
Responsibility Name -- Unique user-created name for the responsibility.
Application -- Selected application (module) in which the responsibility resides.
Responsibility Key -- User-created
*Effective Dates -- Range of dates between which the responsibility is active.
Data Group -- Name: Selected data group for the responsibility. Note: This element corresponds to the security group on the Users form. Application: The module used in conjunction with the data group name.
Menu -- Selected main menu for the responsibility.
Menu Exclusions, Excluded Items, Securing Attributes -- Additional configurable elements that further restrict the responsibility's access.
Request Group -- Name: Selected request security group associated with the responsibility. Application: The module used in conjunction with the specified request security group.
1.1. Forms and Functions
Menu Functions, or functions, are the lowest level of access. A function is a part of an application's functionality that is registered under a unique name for the purpose of assigning it to, or excluding it from, a responsibility. Within Oracle there are two types of functions: form functions, and non-form functions. For clarity, Oracle refers to a form function as a form, and a non-form function as a sub function. From an end-user perspective, the function is the window (or screen) in which data is entered into the application. However, from a functional perspective, both are just instances of functions. Within PwC's GATE tool, a form function is called a form, and the non-form function (or sub function) is called a function, even though within the database this name is called the "function". For example, invoices can be entered into the Invoices (form) > Invoices (function) screen or via Invoices (form) > Invoice Batches (function). Together, these two values form the navigation path to the screen in which data is entered. Within PwC's GATE tool, this would be indicated by:
Responsibility | Form | Function | Submenu | Access
Forms and Functions are defined within the System Administration module with the following characteristics.

1.1.1. Description
o Function: Users do not see this unique function name. This name is also used when assigning functions to menus. Also known as the "database name", this may be used when calling your function programmatically.
o User Function Name: This name appears in the end user's Navigator window.
1.1.2. Properties
o Type: Type is a free-form description of the function's use. A function's type is passed back when a developer tests the availability of a function. The developer can write code that takes an action based on the function's type. Standard function types include the following:
Form Type -- Description
FORM -- Oracle Applications form functions are registered with a type of FORM. Even if a form function is not registered with a type of FORM, Oracle Applications treats it as a form if a valid Form Name/Application is specified.
SUBFUNCTION -- Sub functions are added to menus (without prompts) to provide security functionality for forms or other functions.
JSP -- Functions used for some products in the Oracle Self-Service Web Applications. These are typically JSP functions.
WWW or WWK -- Functions used for some products in the Oracle Self-Service Web Applications. These are typically PL/SQL functions.
WWR or WWL -- Functions used for some products in the Oracle Self-Service Web Applications.
WWJ -- OA Framework JSP portlet.
SERVLET -- Servlet functions used for some products in the Oracle Self-Service Web Applications.
DBPORTLET -- Database provider portlet.
WEBPORTLET -- Web provider portlet.
o Context Dependence: Some functions are controlled by profile options that affect what the user can perform within the current context. Types of context dependence are:
Context -- Description
Responsibility -- The function is controlled by the user's responsibility (RESP_ID/RESP_APPL_ID (includes ORG_ID)).
Organization -- The function is controlled by the user's organization (ORG_ID).
Security Group -- The function is controlled by the user's security group (service bureau mode).
None -- There is no dependence on the user's session context.

1.1.3. Form
o Form/Application: This field is where the function is linked to a form. In the PwC GATE tool, this value is referred to as the "form".
o Parameters: Parameters determine if a form is query only or entry. For a form function, if the parameter is QUERY_ONLY=YES, the form opens in query-only mode.

1.1.4. Web HTML, Host and Region
The fields in the Web HTML and Web Host sections are only required if your function will be accessed from Oracle Applications Framework. Values are not required here if the functions are based on Oracle Forms Developer forms. The Region section's fields are for future releases of Oracle.

1.2. Menus
A menu is a hierarchical arrangement of functions and menus of functions. Functions are assigned to menus, which can in turn be assigned to one or more menus. Finally, menus are assigned to responsibilities, and those responsibilities to specific users. Menus are composed of the following:
• Sequence: Specifies where a menu entry appears relative to other menu entries in a menu. A menu entry with a lower sequence number appears before a menu entry with a higher sequence number.
• Navigator Prompt: This is a user-friendly, intuitive prompt the menu displays for the menu entry. End users see this menu prompt in the hierarchy list of the Navigator window.
• Submenu: Links another menu to the menu and allows end users to select menu entries from that menu. Note: Oracle uses the term "submenu" to define any menu that is assigned to another menu. However, there is no technical distinction between a menu and a submenu, although a submenu must be defined before it can be called by another menu.
• Function: A function included in the menu. A form function (form) appears in the Navigate window and allows access to that form. Other non-form functions (sub functions) allow access to a particular subset of form functionality from this menu. Custom menus can be created using predefined forms (i.e., form functions) and their associated menus of sub functions. However, Oracle does not recommend that a form be disassociated from its developer-defined menus of sub functions.
• Description: Appears in a field at the top of the Navigate window when a menu entry is highlighted.
• Grant: If enabled, this function is automatically enabled for the user. If this is not checked then the function must be enabled using additional data security rules.
Outlined below is a graphic illustration of how menus are compiled:
• The function "invoice actions" is assigned to the AP_APXINWKB submenu.
• The AP_APXINWKB Menu is assigned to the AP_INVOICES_ENTRY_GUI12 Menu.
• The AP_INVOICES_ENTRY_GUI12 Menu is assigned to the AP_INVOICES_GUI12 menu.
• The AP_INVOICES_GUI12 menu is assigned to the AP_NAVIGATE_GUI12 menu.
• The AP_NAVIGATE_GUI12 menu is assigned to the Payables Manager Responsibility.
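The menu compilation just illustrated, as an added Python example that is neither the practice aid's nor Oracle's code: it walks a menu tree from a responsibility's main menu, honours Menu Exclusions and the Grant check box, returns every reachable function with the Navigator path built from the prompts, and checks the result against a constructed segregation-of-duties rule. The menu names AP_NAVIGATE_GUI12, AP_INVOICES_GUI12, AP_INVOICES_EN​TRY_GUI12 and AP_APXINWKB come from the text; the function names, prompts, sequences, the "AP Inquiry" responsibility and the SoD rule are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MenuEntry:
    sequence: int
    prompt: Optional[str] = None    # sub functions are added without a Navigator prompt
    function: Optional[str] = None  # the entry either names a function ...
    submenu: Optional[str] = None   # ... or links another menu
    grant: bool = True              # Grant check box; unchecked needs a data security grant


@dataclass
class Responsibility:
    name: str
    menu: str
    excluded_menus: Set[str] = field(default_factory=set)      # Menu Exclusions of type Menu
    excluded_functions: Set[str] = field(default_factory=set)  # Menu Exclusions of type Function


def compile_access(menus: Dict[str, List[MenuEntry]], resp: Responsibility) -> Dict[str, str]:
    """Map every function the responsibility can reach to its Navigator path."""
    reachable: Dict[str, str] = {}

    def walk(menu_name: str, path: Tuple[str, ...], ancestors: Tuple[str, ...]) -> None:
        if menu_name in resp.excluded_menus or menu_name in ancestors:
            return  # excluded subtree, or a cycle in the menu data
        for entry in sorted(menus.get(menu_name, []), key=lambda e: e.sequence):
            new_path = path + (entry.prompt,) if entry.prompt else path
            if entry.submenu:
                walk(entry.submenu, new_path, ancestors + (menu_name,))
            elif (entry.function and entry.grant
                  and entry.function not in resp.excluded_functions):
                reachable.setdefault(entry.function, " > ".join(new_path) or "(no prompt)")

    walk(resp.menu, (), ())
    return reachable


def sod_conflicts(reachable: Dict[str, str], rules) -> List[str]:
    """Names of rules (name, side_a, side_b) for which the responsibility
    reaches at least one function from each side."""
    funcs = set(reachable)
    return [name for name, side_a, side_b in rules if funcs & side_a and funcs & side_b]


# Constructed menu tree following the AP example in the text. The menu named
# AP_APXINWKB holds the sub functions of the AP_APXINWKB invoice form function.
MENUS = {
    "AP_NAVIGATE_GUI12": [
        MenuEntry(10, "Invoices", submenu="AP_INVOICES_GUI12"),
        MenuEntry(20, "Payments", function="AP_APXPAWKB"),  # constructed payments form
    ],
    "AP_INVOICES_GUI12": [MenuEntry(10, "Entry", submenu="AP_INVOICES_ENTRY_GUI12")],
    "AP_INVOICES_ENTRY_GUI12": [
        MenuEntry(10, "Invoices", function="AP_APXINWKB"),
        MenuEntry(20, None, submenu="AP_APXINWKB"),  # sub functions, no prompt
    ],
    "AP_APXINWKB": [
        MenuEntry(10, None, function="AP_APXINWKB_INVOICE_ACTIONS"),  # "invoice actions"
        MenuEntry(20, None, function="AP_APXINWKB_MATCH", grant=False),
    ],
}

PAYABLES_MANAGER = Responsibility("Payables Manager", "AP_NAVIGATE_GUI12")
AP_INQUIRY = Responsibility("AP Inquiry (constructed)", "AP_NAVIGATE_GUI12",
                            excluded_menus={"AP_APXINWKB"},
                            excluded_functions={"AP_APXPAWKB"})

SOD_RULES = [("Enter invoices vs. pay invoices",
              {"AP_APXINWKB", "AP_APXINWKB_INVOICE_ACTIONS"}, {"AP_APXPAWKB"})]
```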
Because of all the submenus attached to the AP_NAVIGATE_GUI12 menu, the Payables Manager can enter data into the Invoice Actions function.

However, there is an additional method by which users can be assigned functions: permission sets, or grants. A permission set is a grouping of functions that can be assigned directly to a user through permission assignments. Permission sets are granted independently of responsibilities and can be used to augment access assigned through responsibilities. Because permission sets are granted independently of responsibilities, they can potentially increase the risk of SoD conflicts.

1.3. Request Groups
Oracle EBS requests not only include paper-based reports but also other programs that perform transactions such as automatically creating invoices. Requests are grouped and assigned to responsibilities via Request Security Groups. Common to Oracle EBS is the use of the "All Reports" Request Security Group for each module. This default or seeded request security group contains all reports/updateable programs defined in the system.

1.4. Process Navigator Tab
The first tab on an Oracle EBS form is the Functions tab. This feature contains the menus and navigation paths to the various forms and functions granted to the responsibility. The Functions tab is where users (end users and support personnel) spend a majority of their time. The Process Navigator Tab within Oracle is a little-used feature that presents a heightened risk of segregation of duties and sensitive access violations by indirectly granting access not intended for specified users and not intentionally designed into their responsibilities. This Oracle feature is intended to give the user an overview of a business process and walk them through each step. This feature also allows support individuals a better view of the transaction and where problems might exist during troubleshooting exercises.
The Process Navigator Tab is an optional 3rd tab on the primary transaction … The next two examples will show how the Application Developer responsibility, which does not have access to transactions in the Functions tab, will have access to many different sensitive and conflicting functions through the Process Navigator Tab.
Example 1: Application Developer access to purchase order processing. By launching this node of the process, users can create and approve purchase orders.
Example 2: Application Developer access to vendor management, invoice and payment processing. The 1099 Reporting process assigned to Application Developer by default gives the user the ability to create vendors, process invoices, and process payments. Launching these specific nodes of the process will display the appropriate forms to enter the transaction.
1.5 Control Considerations

1.5.1 Business Process Variables

o Clients should have a defined process for developing and updating responsibilities. Clients tend to copy seeded or default responsibilities in order to develop new ones. The risk introduced by this method of creating responsibilities is that weaknesses in one responsibility are re-introduced in the new responsibility.
o Clients should not use seeded or default responsibilities in the production environment. The responsibilities shipped with Oracle provide excessive and conflicting access to users.
o An additional argument for not using seeded responsibilities (and even seeded forms) is to support upgradeability. Upgrades and patches to Oracle EBS frequently overwrite seeded functionality. This process "resets" seeded responsibilities and menus to their original configuration. Clients that modify the seeded responsibilities and menus for increased security will lose these customisations and will increase their risk of unauthorised activity being performed in Oracle EBS.
o Clients should follow an appropriate naming convention so that effective responsibility management can be supported. The functionality of a responsibility is, however, independent of its name: responsibilities named 'view' or 'inquiry' could actually update and initiate transactions.
o Clients should not use the "All Reports" request security group, as it contains all reports and processes, access to which could pose an increased risk of excessive access and segregation of duties violations.
o The presence of the Process Navigator Tab does not necessarily represent a control deficiency in the client's environment. Processes available to the responsibility can be added and removed. However, the Process Navigator Tab is enabled for many seeded or default responsibilities and will be enabled in new responsibilities unless the client actively manages this feature. Better control practice is that the Process Navigator Tab is not enabled in any responsibility. Please refer to the Process Navigator Tab section in this Practice Aid for further discussion of this feature.
o Responsibility design focused solely on responsibility functionality and flexibility will introduce conflicting and excessive access. Responsibility design focused solely on segregation of duties might increase the cost of performing transactions, because of the additional time introduced into the business process to separate conflicting activities. A balance between flexibility and segregation of duties should be established.
o Function and menu exclusion rules should be defined to restrict the application functionality accessible to a responsibility.

1.5.2 Control Limitations

o Because some concurrent processes (auto post journals, revenue recognition) manipulate financial data, access to concurrent processes (reports) should be assigned to complement the online access granted to responsibilities.

1.5.3 Control Dependencies

o None.

1.5.4 Testing Notes

o To test Security Groups using GATE: run the GATE Responsibility Report "Responsibilities by Request Groups" to identify the various request security groups defined and the responsibilities to which they are assigned. A specific report focusing on the "All Reports" request security group is also available ("All Reports Request Group"). For example, run the report "Reports within Request Groups" to identify which reports are associated with each request security group.
o To test Security Groups using online testing: effective online testing of reports and request groups has not been identified. There is an Oracle report titled "Reports and Sets by Responsibility" that identifies which reports, programs, and request sets are included in the request security group available to a given responsibility. To run the report, you must have the Application and Responsibility names you want to analyse.
o To test Process Tab access using Oracle GATE Responsibility Reports: PwC should run the GATE report "Responsibilities with the Process Tab" to determine whether the process tab is enabled throughout the client's environment.
o To test Process Tab access using manual testing: an effective way of testing the AZN menus by reviewing online in the client's system has not been identified. The database administrator should be able to identify the "AZN" menus and potentially the responsibilities with which they are associated. PwC should be aware of this feature and, when they identify its use, should work with the client to identify where it is being used.
o GATE does not pick up menu exclusions; therefore online testing is required in a recent copy of PROD.

2. User Management

2.1 Defining Users

Entry and maintenance of users is completed in the Users form, whose navigation path is Security / User / Define. When creating a new user ID, the following can be entered:

2.1.1 User Name (required)

This is a freeform text field in which the client can enter a value. This is the user name the end user will enter when accessing the Oracle application. Oftentimes companies use a standard naming convention to link the Oracle user name to the individual (jsmith, etc).

2.1.2 Password and Password Expiration (required)

The password entered in the password field is a temporary password which expires upon first use. Once the user logs into the application for the first time, they will be required to enter a new "permanent" password. In addition, a user can be set up with a password expiration that is applied to the "permanent" password. (For more information regarding passwords, refer to the Password Management section of this practice aid.) Note: the option to set password expiration to "NONE" results in the user's password never expiring.

2.1.3 Person (optional)

An Oracle user name can be linked to a person (employee) listed within the HR tables. This is done by selecting a value in the Person field. This is not required, as some users who are not employees (temporary workers, external suppliers, etc) may need access. However, some functionality (workflow, purchasing) requires that a User Name have a person assigned to the User record.

2.1.4 Supplier and Customer (optional)

An Oracle user name can also be linked to a supplier or customer as defined in the supplier and customer master. This can be enabled in order to facilitate external supplier and customer access to the application (refer to the Procure to Pay and Order to Cash practice aids for more information).

2.1.5 Effective Dates (required)

When user accounts are created, effective dates control when the User ID is active. These dates can be in the future. The security administrator supplies an end date to disable the User ID. This date can be in the future so that the User ID is disabled at a predetermined time; users such as temporary staff or contractors then have their access removed automatically on a certain date.

2.1.6 Direct Responsibilities

In order for a user to access the application, a responsibility needs to be assigned to the user. The same Users form is used, and the security administrator selects a responsibility from the active responsibilities defined within the responsibilities table. The security group is automatically assigned to the user, based upon the responsibility selected. The effective-to date indicates the date from which the Responsibility is no longer valid for the user. When Responsibilities are removed from users, those responsibilities are "end-dated". For more information on Responsibilities and Security Groups, refer to the Responsibility section of this practice aid.

2.1.7 Indirect Responsibilities (new to 11.5.10)

A user may "inherit" an indirect responsibility through membership in a group (role) to which the responsibility has been assigned. Indirect responsibilities are used with Oracle User Management only.

2.1.8 Securing Attributes

Securing attributes are used by Oracle HTML-based applications (Self Service) to allow rows (records) of data to be visible to specified users or responsibilities based on the specific data (attribute values) contained in the row. Essentially, the information self-service users see can be limited or extended by assigning securing attributes to their user record. For example, Employee "A" can be assigned securing attributes for Oracle iExpense for Employee "B". When Employee A logs on to iExpense, they can choose to enter expenses either for themselves or for Employee "B".

2.1.9 MOAC

Multiple Organization Access Control (MOAC) is new functionality in R12. Using MOAC, users can access the data of multiple operating units (OUs), either within or across business groups, from a single responsibility. With MOAC, multiple operating units are assigned to a security profile, and this security profile is then assigned either to responsibilities or directly to users.
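The queries below are an added example for this Practice Aid (not Oracle code and not a GATE report). They read the user-record fields described in 2.1 straight from FND_USER and the responsibility assignment tables, so that the reviewer can see, for every enabled account, whether it is linked to a person, supplier or customer, whether a password expiration was set, when it last logged on, and how many direct and indirect responsibilities it currently holds. The column names are the standard FND_USER and FND_USER_RESP_GROUPS_DIRECT/INDIRECT columns (the indirect table exists from 11.5.10, as the text above notes); confirm them against the client's release before use. The interpretation that both lifespan columns NULL corresponds to the "NONE" expiration setting is an assumption.

```sql
-- Added example, not part of the practice aid.  Run as APPS.
-- Assumption: password_lifespan_days and password_lifespan_accesses both NULL
-- is the "NONE" expiration setting described in 2.1.2.

-- 1. One row per enabled account with the fields filled in on the Users form,
--    plus counts of currently live direct and indirect responsibilities.
SELECT u.user_name,
       u.start_date,
       u.end_date,
       CASE WHEN u.employee_id IS NOT NULL THEN 'person'
            WHEN u.supplier_id IS NOT NULL THEN 'supplier'
            WHEN u.customer_id IS NOT NULL THEN 'customer'
            ELSE 'unlinked' END                              AS linked_to,
       u.password_lifespan_days,
       u.password_lifespan_accesses,
       CASE WHEN u.password_lifespan_days     IS NULL
             AND u.password_lifespan_accesses IS NULL
            THEN 'REVIEW: password never expires' END        AS pwd_flag,
       u.last_logon_date,
       (SELECT COUNT(*)
        FROM   fnd_user_resp_groups_direct d
        WHERE  d.user_id = u.user_id
        AND    NVL(d.end_date, SYSDATE + 1) > SYSDATE)       AS direct_resps,
       (SELECT COUNT(*)
        FROM   fnd_user_resp_groups_indirect i
        WHERE  i.user_id = u.user_id
        AND    NVL(i.end_date, SYSDATE + 1) > SYSDATE)       AS indirect_resps
FROM   fnd_user u
WHERE  NVL(u.end_date, SYSDATE + 1) > SYSDATE                -- not yet end-dated
ORDER  BY pwd_flag NULLS LAST, u.user_name;

-- 2. The live responsibilities of one user, with the security group that came
--    with each responsibility and whether the grant is direct or inherited.
SELECT u.user_name,
       rt.responsibility_name,
       sg.security_group_key,
       a.via,
       a.start_date,
       a.end_date
FROM   fnd_user u
JOIN   ( SELECT user_id, responsibility_id, responsibility_application_id,
                security_group_id, start_date, end_date, 'direct' AS via
         FROM   fnd_user_resp_groups_direct
         UNION ALL
         SELECT user_id, responsibility_id, responsibility_application_id,
                security_group_id, start_date, end_date, 'indirect' AS via
         FROM   fnd_user_resp_groups_indirect ) a
       ON  a.user_id = u.user_id
JOIN   fnd_responsibility_tl rt
       ON  rt.responsibility_id = a.responsibility_id
       AND rt.application_id    = a.responsibility_application_id
       AND rt.language          = USERENV('LANG')
JOIN   fnd_security_groups sg
       ON  sg.security_group_id = a.security_group_id
WHERE  u.user_name = :user_name
AND    NVL(a.end_date, SYSDATE + 1) > SYSDATE
ORDER  BY a.via, rt.responsibility_name;
```

Accounts returned by query 1 with linked_to = 'unlinked' and a non-zero responsibility count are the contractor and external accounts whose end dates deserve a look; accounts flagged 'password never expires' should be reconciled with the client's risk-rating of users described in the Password Management section.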
2.1.10 Usage of roles

With Release 12, the usage of roles is widened. Oracle EBS users can also maintain role assignments and functionality such as role inheritance through the User Management module. This module is mainly used for the maintenance of roles; however, maintenance features like resetting passwords or end-dating users can also be done through it. Please compare the chapter on Role Based Access (RBAC) for the implications.

2.1.11 Personalisation

The personalization functionality is accessible to end users via the diagnostics functionality. The objective of personalization is to declaratively tailor the user interface (UI) look-and-feel, the layout or visibility of page content, or a user preference. Personalization examples are:
• Tailor the color scheme of the UI.
• Tailor the order in which table columns are displayed.
• Tailor a query result.

2.2 Proxy users

Functionality for the management of Proxy Users has been introduced covering the following functions:
o Setting up Proxy Users
o Delegating Proxy User Privileges
o Acting as a Proxy User
o Running the Proxy User Report

2.2.1 Usage

There are a number of business scenarios in which users of Oracle EBS need to grant delegates the ability to act on their behalf (act as proxy users for them) when performing specific EBS functions. The new mechanism was designed to enable limited, auditable delegation of privilege from delegators to their delegates. The Proxy User mechanism also allows such users to obtain limited, auditable access to accounts such as SYSADMIN that might otherwise have to be shared and are therefore harder to audit. The ability for users to access the proxy feature is controlled by a Security Administrator role. Users with this role determine which set of users can create delegates who can act on their behalf.

2.2.2 Examples of Delegation

o Executives allowing their assistants to access selected business applications on their behalf.
o Similarly, managers may need to grant peers or subordinates limited authority to act on their behalf while they are out of the office, but for a more limited duration.
o Users may need to grant help-desk staff limited-duration access to their EBS accounts, so that help desk staff can investigate problems and provide assistance.

The following screenshots depict the functionality. The first picture shows how to assign proxies as a separate role and then how to run the report in the User Management module:
2.3 Role Based Access (RBAC)

In Oracle EBS 11.5.10 (and earlier with patch FND.H installed), the concept of roles is introduced. Roles are a grouping of access rights at a level higher than responsibilities. Responsibilities cannot be assigned to responsibilities; however, roles can be assigned to roles, and responsibilities can be assigned to roles. Roles give the client tools to better align access with the functional job responsibilities of their employees. RBAC is a layer that builds upon the data and function security models of previous releases.

[Figure: RBAC layers, from the bottom up: Core security (Function Security, Data Security); Role Based Access Control; Delegated Administration; Provisioning Services (Self service & approvals); Administrative procedures.]

2.3.1 RBAC Functionality

The user's ability to view, edit and perform certain actions on an object is determined by the user's role on that object. A role is a collection of privileges. Roles are object-type specific. For example, the role Item Reviewer contains the privileges View Item and View Item People List. The owner can give this role to various people on individual item instances, and they can in turn view the item and the item's people list. Roles are granted to users by the owner of the object, or by someone who has the privilege to add people. Roles are a convenient way to group privileges into a bundle that can later be assigned to users.

Role Based Access Control (RBAC) is an ANSI standard (ANSI INCITS 359-2004) supported by the National Institute of Standards & Technology (NIST). Roles consolidate the responsibilities, permissions, function security and data security policies that users require to perform a specific function. Roles can be included in role inheritance hierarchies that can contain multiple subordinate roles and superior roles. With role inheritance hierarchies, a superior role inherits all of the properties of its subordinate role, as well as any of that role's own subordinate roles. Hierarchies within the roles functionality are granted via the Oracle User Management application.

The following example illustrates this. In this example, some roles such as "Employee" or "Manager" are assigned general permissions for a given function. For example, the Employee role may provide access to menus generally available to all employees, while the Manager role provides access to menus that should only be accessible by managers. Because the Employee role is subordinate to the Manager role, anyone assigned the Manager role automatically obtains the permissions associated with the Employee role. Other roles in this example pertain to more specific job functions, such as Sales Manager and Sales Representative, or Support Manager and Support Agent. These roles may provide access to job-specific menus and data such as the Sales Forecasting menu, or the Support application.

Responsibilities are also a type of role, and the same principle with regard to inheritance hierarchies applies to responsibilities. When responsibilities are structured in the form of a hierarchy, assigning the top-level responsibility to a user will result in all inherited responsibilities also being automatically assigned to the user. One of the effects of this is that if the top-level responsibility assignment is end-dated for a specific user, all lower-level responsibilities will also be end-dated. When this occurs, it will not be possible to directly assign any of the lower-level responsibilities to the user without either dismantling the hierarchy or assigning the top-level responsibility to the user again.

2.3.2 Supporting functionality: Delegated Administration

Delegated Administration is a privilege model that builds on the RBAC system to provide organizations with the ability to assign the required access rights for managing roles and user accounts. With delegated administration, instead of relying on a central administrator to manage all its users, an organization can create local administrators and grant them sufficient privileges to manage a specific subset of the organization's users and roles. For example, organizations could internally designate administrators at division or even department levels, and then delegate administration of external users to people within those (external) organizations. This provides organizations with a tighter, more granular level of security, and the ability to easily scale their administrative capabilities.

Delegation policies are defined as data security policies. The set of data policies that are defined as part of delegated administration are known as Administration Privileges. Administration Privileges determine which users and roles the delegated administrator can manage. The administrative privileges that can be delegated fall into the following privilege categories:
o User Administration Privileges
o Role Administration Privileges
o Organization Privileges

There are three aspects to administration privileges: roles, users, and organizations. Each privilege is granted separately, yet the three work together to provide the complete set of abilities for the delegated administrator. These privileges can be defined along with the role definition in the Role & Role Inheritance user interface in Oracle User Management. See the following screens in the User Management module, where you can see the search function and an example of a delegated administration function.
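As an added example for this Practice Aid (not Oracle's code), the two queries below make the inheritance behaviour described above visible from the database: the first walks a role hierarchy downward from a top-level role and lists every role and responsibility it pulls in; the second lists one user's live assignments and separates direct grants from those that arrived through a superior role, which is what an auditor needs when a top-level responsibility is end-dated and the lower-level ones disappear with it. The table and column names are assumptions to confirm on the client's instance: roles and responsibilities are expected in WF_LOCAL_ROLES (ORIG_SYSTEM 'UMX' for roles, 'FND_RESP' for responsibilities), parent/child links in WF_ROLE_HIERARCHIES (SUPER_NAME / SUB_NAME), assignments in WF_USER_ROLE_ASSIGNMENTS, and a row whose ASSIGNING_ROLE equals its ROLE_NAME is taken to be a direct grant.

```sql
-- Added example, not part of the practice aid.  Run as APPS.
-- Assumptions (confirm on the client's release): WF_ROLE_HIERARCHIES holds the
-- superior/subordinate links, WF_LOCAL_ROLES names both UMX roles and
-- responsibilities, and in WF_USER_ROLE_ASSIGNMENTS a direct grant has
-- ASSIGNING_ROLE = ROLE_NAME while inherited rows name the superior role.

-- 1. Everything a top-level role pulls in, indented by depth in the hierarchy.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || h.sub_name   AS inherited_role,
       r.display_name,
       r.orig_system,                              -- 'UMX' role or 'FND_RESP' responsibility
       LEVEL                                       AS depth
FROM   wf_role_hierarchies h
JOIN   wf_local_roles r
       ON  r.name = h.sub_name
WHERE  h.enabled_flag = 'Y'
START WITH h.super_name = :top_role_name          -- e.g. 'UMX|MANAGER' (placeholder)
CONNECT BY NOCYCLE PRIOR h.sub_name = h.super_name
       AND h.enabled_flag = 'Y';

-- 2. One user's live assignments, split into direct grants and inherited ones.
--    An inherited responsibility can only be removed by acting on the superior
--    role named in how_granted, not by end-dating the responsibility itself.
SELECT a.user_name,
       a.role_name,
       r.display_name,
       r.orig_system,
       CASE WHEN a.assigning_role = a.role_name THEN 'direct'
            ELSE 'inherited via ' || a.assigning_role END AS how_granted,
       a.start_date,
       a.end_date
FROM   wf_user_role_assignments a
JOIN   wf_local_roles r
       ON  r.name = a.role_name
WHERE  a.user_name = :user_name
AND    NVL(a.end_date, SYSDATE + 1) > SYSDATE
ORDER  BY how_granted, a.role_name;
```

Running query 1 for each business role the client has defined, and comparing the responsibilities it reaches with the SoD matrix, is the practical form of the "monitor the granting process for role inheritance" point in the control considerations: a conflict introduced two levels down the hierarchy is not visible on the role assignment screen.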
Example of delegated administrative functionality and how it is assigned within role administration:

2.4 User management tool

The functionality was established in version 11.5.10 but was not mentioned in the Practice Aid.

2.4.1 Self-Service Account Requests

Commonly referred to as Self-Service Registration, self-service account requests provide a method for individuals to request a new user account. Consider a case where customers may need to register before they can purchase an item from an online store. Once the registration process has been completed, the customer obtains both a user account and the necessary role(s) for accessing some portion of the web site with which they registered. This release of Oracle User Management provides sample Self-Service registration UIs for internal employees and for new, external individuals. Organizations can copy these sample Self-Service registration UIs and extend them based on their own requirements. Therefore, organizations that wish to support other types of users, or capture additional information specific to their applications, are able to extend or create their own registration UIs and business logic.

In addition, Oracle User Management provides support for displaying different registration links on the login page based on the application tier login page that provides access. The registration link can contain additional parameters that are not known at design time, such as the country code. These additional parameters can be used later during the registration process. Using country code as an example, a registration process could route the approval requests to the most appropriate approver: all those who request an account from Norway could be routed to a Norwegian account approver.

2.4.2 Request for additional access

Users can request additional access through the Oracle User Management Access Request Tool (ART), available in the Global Preferences menu. Requests for additional access use the same Oracle User Management infrastructure and processing logic as Self-Service Account Requests.

2.4.3 User Name Policies

Oracle User Management enables organizations to define their own user name policies for new users. These can include such formats as email address, employee number, social security number, "firstname.lastname" (or an abbreviated version), or some other meaningful information. Oracle User Management ships with a default user name policy that identifies users by their email address. This is implemented as a configurable infrastructure that organizations can easily customize to suit their specific needs. Oracle User Management reserves the specified user name for the duration of the approval process.

2.4.4 Email Verification

Oracle User Management provides a mechanism for verifying the identity of the requester before the registration request is processed. Email verification is only applicable to Self-Service account requests, and is enabled or disabled for each registration process. Identity verification is based on the email address provided by the requester. When the account request is submitted, Oracle User Management sends the requester an email notification once the requester has completed the registration flow. If the user does not reply to the email notification within a specified time, the request is automatically rejected. Note: Oracle recommends that when building self-service registration UIs with identity verification enabled, an organization should indicate in the UIs and confirmation messages that a response is required to process the user's request.

2.4.5 ICM Integration

Functionality for integration of the role assignment and revocation processes with Oracle Internal Controls Manager is described below. Oracle User Management is now integrated with Oracle Internal Controls Manager (ICM) for the prevention, detection, enforcement, and resolution of separation-of-duties constraints during the assignment of roles by administrators to users. ICM is used to document and test internal controls and monitor ongoing compliance. The application assembles the components necessary to document, test and monitor internal controls and compliance. It provides a workbench for managing tasks such as defining the business processes of the enterprise, managing process documentation, and managing the process Risk Library.

For example, a constraint (created using a set of ICM UIs) can be defined such that no user is allowed to have "Role A" and "Role B" at the same time. In such a case, an administrator attempting to assign Role B to a user who already has Role A will be presented with a dialog page displaying the constraint violation information. At this point, the administrator can take one of two actions:
o Go back to the role assignment page and remove the assignment that is causing the violation.
o Override the constraint violation, if the "AMW: Allow SOD Violation Override" permission has been granted to the administrator. With this permission, the administrator will see Apply and Cancel buttons on the constraint violation dialog page. Clicking Apply will override the constraint and assign Role B to the user despite the warning. Clicking Cancel will cancel the save operation without granting Role B to the user.

UMX integration with ICM is enabled according to the setting of the site-level profile option "UMX: Enable ICM Validation". The default value is "Yes".

2.5 Control Considerations

2.5.1 Business Process Variables
o Security may be administered in a centralized or decentralized manner. Each method has its own risks.
o User Administration (creating/disabling user IDs and assigning access) should be separate from business process transactions and responsibility design activities.
o Appropriately completed authorisation request forms should accompany any additions/changes to a user ID. This authorisation form should clearly indicate the specific Oracle access (e.g. which Responsibility) that should be granted.
o A user can be assigned multiple responsibilities, and responsibilities can be assigned to multiple users.
o Oracle EBS is highly configurable and any responsibility (even seeded responsibilities including General Ledger Super User) can be modified.
o Two responsibilities can be assigned to a single user that, when combined, may create a SoD violation.
o Responsibilities cannot be deleted from a user's profile, but they can be end-dated to have the user's access disabled.
o Periodic review by management of all active users and their currently assigned Responsibilities should occur. Monitoring controls over Roles, Responsibilities and user assignments throughout the period should be used to understand the nature of any temporary changes to these elements.
o Clients might use the registration processes that come with the Oracle User Management application, as there are individual user registration, external organization contact and employee registration, and account creation for an existing person. These registration processes create role assignments.
o Whenever a role concept is followed, it should be thoroughly considered that the roles and responsibilities do not represent a SoD conflict. Clients using the roles concept must monitor the granting process for role inheritance, as it might grant functions excessively or inappropriately, resulting in SoD violations.
o Enabling proxy users allows business process owners to delegate responsibility. However, start and end dates can be defined to limit the duration of proxy access. Overall, proxy-user-related privileges should only be granted on an exceptional basis.

2.5.2 Control Limitations

o If proxy user access is given, this might violate the existing SoD and cause a possible conflict which would not have been there without this proxy being given.
o Proxy User functionality gives all-or-nothing delegation capability.

2.5.3 Control Dependencies

o Oracle General Ledger, Projects, and Human Resources have additional security methods that may restrict a user's ability to view and update data. Please refer to these Practice Aids for more information.

2.5.4 Testing Notes

o Securing Attributes could be a significant security component of the client's user population if iTime, iExpense, or iProcurement are used. PwC should understand the requirements for securing attributes and consider testing those configurations.
o Analyze the overall concurrence of RBAC, MOAC and the proxy user.
o Companies may create a specific user (the auditor) with access to employees' EBS accounts, normally on a read-only basis. Accessing the granted proxy users enables the auditor to analyze the usage of delegated responsibilities (usage of the proxy user report).
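The query below is an added example for this Practice Aid (not Oracle code and not a GATE report) of the "two responsibilities that, when combined, create a SoD violation" check above, run directly against the assignment tables rather than from a user listing. The conflict pairs in the WITH clause are constructed placeholders, to be replaced by the client's SoD matrix; responsibility keys rather than display names are used because keys survive renaming. Both direct assignments and indirect (role-inherited) ones are considered, since the role inheritance point above is exactly where a reviewer who looks only at the Users form misses conflicts. Table and column names are the standard FND ones; confirm on the client's release.

```sql
-- Added example, not part of the practice aid.  Run as APPS.
-- The conflict pairs below are constructed placeholders; substitute the
-- client's SoD matrix.  Keys come from FND_RESPONSIBILITY.RESPONSIBILITY_KEY.
WITH conflict_pairs AS (
  SELECT 'PURCHASING_SUPER_USER' AS resp_key_a, 'PAYABLES_MANAGER' AS resp_key_b,
         'create purchase order and pay invoice' AS conflict FROM dual
  UNION ALL
  SELECT 'AP_INVOICE_ENTRY', 'AP_PAYMENTS',
         'enter invoice and issue payment' FROM dual
),
active_assignments AS (            -- direct grants and role-inherited ones
  SELECT user_id, responsibility_id, responsibility_application_id,
         'direct' AS via
  FROM   fnd_user_resp_groups_direct
  WHERE  NVL(end_date, SYSDATE + 1) > SYSDATE
  UNION
  SELECT user_id, responsibility_id, responsibility_application_id,
         'indirect' AS via
  FROM   fnd_user_resp_groups_indirect
  WHERE  NVL(end_date, SYSDATE + 1) > SYSDATE
),
user_resp AS (                     -- enabled users only, keyed by resp key
  SELECT u.user_name, r.responsibility_key, a.via
  FROM   active_assignments a
  JOIN   fnd_user u
         ON  u.user_id = a.user_id
         AND NVL(u.end_date, SYSDATE + 1) > SYSDATE
  JOIN   fnd_responsibility r
         ON  r.responsibility_id = a.responsibility_id
         AND r.application_id    = a.responsibility_application_id
)
SELECT x.user_name,
       x.responsibility_key AS resp_a,
       x.via                AS via_a,
       y.responsibility_key AS resp_b,
       y.via                AS via_b,
       p.conflict
FROM   conflict_pairs p
JOIN   user_resp x
       ON  x.responsibility_key = p.resp_key_a
JOIN   user_resp y
       ON  y.responsibility_key = p.resp_key_b
       AND y.user_name          = x.user_name
ORDER  BY x.user_name, p.conflict;
```

A row with via_b = 'indirect' is a conflict the user never had assigned on the Users form: it arrived through a role, which is the case the ICM constraint dialog described in 2.4.5 is meant to catch at assignment time and this query catches after the fact.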
3. Password Management

Oracle EBS provides multiple configurations to support the client's corporate security policy. The Oracle E-Business Suite password configurations are as follows:

Configuration name: Sign on Password Custom
Type of configuration: System Profile Option
Default setting: not set
Description: If the client has more advanced password restrictions, custom Java classes can be used to implement these restrictions. The Sign on Password Custom profile option must be set to the full name of the Java class. This option has the potential of replacing one or more of the other password options.

Configuration name: Sign on Password Failure Limit
Type of configuration: System Profile Option
Default setting: not set
Description: This parameter identifies the number of failed login attempts after which an EBS login is disabled. The default is unlimited failures.

Configuration name: Sign on Password Hard to Guess
Type of configuration: System Profile Option
Default setting: not set
Description: The profile option Sign on Password Hard to Guess is used to help ensure that the password is "hard to guess". A password is considered hard to guess if it follows these rules:
• The password contains at least one letter and at least one number.
• The password does not contain the username.
• The password does not contain repeating characters.
Note: This profile option became available in Release 11.5.7 or via patch 2061872.

Configuration name: Sign on Password Length
Type of configuration: System Profile Option
Default setting: 5
Description: The minimum length of Oracle EBS user passwords can be set using the profile option Sign on Password Length.

Configuration name: Sign on Password No Reuse
Type of configuration: System Profile Option
Default setting: not set
Description: The minimum number of days that a user must wait before being allowed to reuse a password can be set with the Sign on Password No Reuse profile option.

Configuration name: Password Expiration
Type of configuration: User Record
Default setting: not set
Description: Days: the number of days between password changes. Accesses: the number of successful logins until the next password change.

Configuration name: Password case sensitivity
Type of configuration: Profile option
Default setting: disabled
Description: Passwords are either case sensitive or not case sensitive.

Functionality for "Login Assistance" self service has been introduced in place of the Forgotten Password administrative function. It is not uncommon for system administrators to have to reset a user's forgotten password, or even advise a user of the account's user (login) name. This is unproductive for both the user, who cannot do any work in the meantime, and for the administrator. In addition, a user will occasionally request the password to be reset, when it is actually the user name that has been forgotten. This type of occurrence leads to even more time being lost. A new feature reduces the time spent in such administrative activities by implementing a login help mechanism that is easily accessed from the EBS Login Page. A user simply clicks on the "Login Assistance" link located below the Login and Cancel buttons. On the screen that appears, you can either:
o Go to the Forgot Password section, enter the correct user name and then click on the "Forgot Password" button. You will then be emailed details of how to reset your password.
o Go to the Forgot User Name section, enter the email address associated with the account, and click on the Forgot User Name button. The user name will then be emailed to the address specified.
The identity verification process required in previous Applications releases is no longer needed. Instead, a link to a secure page is sent to the email address of the user name defined in the system. From this secure page, the user can change the password immediately. For security, the relevant data is stored securely in workflow tables, and the URLs employed have both an expiration time and a single-use limitation.

3.1 Control Considerations

3.1.1 Business Process Variables

o Not all password configurations are required to be used. Most of these configurations are profile options set at the site level. Strong company security policies will generally require password controls that are met by using all of the password configuration settings in Oracle with the exception of "Sign on Password Custom". Regardless of the client's approach, a good understanding of these features is suggested.
o The password expiration parameter is associated with each user record; therefore, the password expiration is set for individual users. This flexibility does allow the client to risk-rate different users and require more or less frequent password changes based on the user's functional job responsibilities. For example, an inquiry clerk ID might not have any password changes enforced, but an HR manager having access to sensitive employee records might be required to change the password every 30 days. However, consistency for enforcing password changes is not supported in Oracle. If this configuration is used, the approach for implementing password parameters should be consistent. Refer to the control considerations section for details on how this may affect the review of the Oracle environment.

3.1.2 Control Dependencies

o If Single Sign On (SSO) functionality is enabled, this will influence the password management in Oracle EBS.

3.1.3 Control Limitations

o Clients tend to clone their production environment so that they may conduct application development and testing. If passwords are not changed when the production instance is cloned, individuals may be able to obtain PROD passwords within the test and development environments.
o Oracle has a known weakness with regards to the strength of the encrypted passwords. The process that Oracle uses to encrypt the passwords can be reverse-engineered, resulting in the original clear-text password being disclosed. A compromise of any database account will compromise the APPS ID or any other sensitive database account.
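The queries below are an added example for this Practice Aid (not Oracle code and not a GATE report). The first reads the site-level values of the sign-on password profile options listed in the table above and compares them with a stated baseline; the second lists every database grantee that can read the encrypted passwords, which is the exposure behind the control limitation above. The internal profile option names (SIGNON_PASSWORD_LENGTH and so on) and the FND_PROFILE_OPTION_VALUES level id 10001 for the site level are the standard Applications Object Library values; the baseline figures are placeholders to replace with the client's policy, and the second query needs a DBA-level reader because it uses the DBA_ views.

```sql
-- Added example, not part of the practice aid.
-- Baseline values are placeholders; replace with the client's policy.

-- 1. Site-level sign-on password profile options against a baseline.  For the
--    failure limit a *higher* value is weaker; for length and no-reuse a
--    *lower* value is weaker.  Options without a baseline are listed for
--    manual reading (case sensitivity, custom Java class).
WITH baseline AS (
  SELECT 'SIGNON_PASSWORD_LENGTH'        AS name, '8'  AS want FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_HARD_TO_GUESS' AS name, 'Y'  AS want FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_FAILURE_LIMIT' AS name, '5'  AS want FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_NO_REUSE'      AS name, '90' AS want FROM dual
)
SELECT po.profile_option_name,
       pot.user_profile_option_name,
       v.profile_option_value                          AS site_value,
       b.want                                          AS baseline,
       CASE
         WHEN b.want IS NULL                     THEN NULL
         WHEN v.profile_option_value IS NULL     THEN 'REVIEW: not set'
         WHEN po.profile_option_name = 'SIGNON_PASSWORD_HARD_TO_GUESS'
              AND v.profile_option_value <> 'Y' THEN 'REVIEW: disabled'
         WHEN po.profile_option_name = 'SIGNON_PASSWORD_FAILURE_LIMIT'
              AND TO_NUMBER(v.profile_option_value) > TO_NUMBER(b.want)
                                                 THEN 'REVIEW: more failures allowed than baseline'
         WHEN po.profile_option_name IN ('SIGNON_PASSWORD_LENGTH',
                                         'SIGNON_PASSWORD_NO_REUSE')
              AND TO_NUMBER(v.profile_option_value) < TO_NUMBER(b.want)
                                                 THEN 'REVIEW: weaker than baseline'
       END                                             AS flag
FROM   fnd_profile_options po
JOIN   fnd_profile_options_tl pot
       ON  pot.profile_option_name = po.profile_option_name
       AND pot.language            = USERENV('LANG')
LEFT JOIN fnd_profile_option_values v
       ON  v.profile_option_id = po.profile_option_id
       AND v.application_id    = po.application_id
       AND v.level_id          = 10001                  -- site level
LEFT JOIN baseline b
       ON  b.name = po.profile_option_name
WHERE  po.profile_option_name LIKE 'SIGNON_PASSWORD%'
ORDER  BY po.profile_option_name;

-- 2. Who can read the password hashes: object grants on the two APPLSYS tables
--    and on the APPS view over FND_USER, plus any grantee holding SELECT ANY
--    TABLE, which bypasses object grants entirely.  Requires a DBA-level reader.
SELECT p.grantee, p.owner || '.' || p.table_name AS object_name, p.privilege
FROM   dba_tab_privs p
WHERE  (p.owner = 'APPLSYS' AND p.table_name IN ('FND_USER', 'FND_ORACLE_USERID'))
OR     (p.owner = 'APPS'    AND p.table_name = 'FND_USER_VIEW')
UNION ALL
SELECT s.grantee, 'ANY TABLE (system privilege)', s.privilege
FROM   dba_sys_privs s
WHERE  s.privilege = 'SELECT ANY TABLE'
ORDER  BY 1, 2;
```

In the second query, every grantee that is not a DBA account (including roles such as DBA itself, which carry the privilege on to their members, and support accounts such as an APPSREAD) is a path to the encrypted passwords and should be justified or revoked; the same list should be produced on each cloned environment, since a copy of FND_USER in a test instance exposes the production hashes.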
3.1.4. Testing Notes
o The password weaknesses and control considerations discussed in this section are applicable to the EBS but are found in the Oracle database. This issue should be addressed during a database review performed in conjunction with the Oracle EBS review.
o The goal is to limit access to the FND_USER table and the encrypted passwords, just as should be done with DBA_USERS. This can be accomplished by:
  - Verifying the account APPLSYSPUB does not have SELECT privileges on APPS.FND_USER_VIEW, which would give it access to FND_USER.
  - Ensuring the client has limited access to the APPLSYS.FND_USER and APPLSYS.FND_ORACLE_USERID tables by all non-DBA accounts, including any query-only accounts. Often an APPSREAD or similar database account is created for support purposes or end-user query use. These accounts tend to be created with the SELECT ANY TABLE system privilege.
  - Ensuring the client has changed the passwords for all Oracle Applications 11i seeded accounts (SYSADMIN, GUEST, WIZARD, APPSMGR, etc.) even though these accounts may already be disabled.
  - Ensuring all seeded / default accounts, except for SYSADMIN and GUEST, are disabled.
  - Ensuring the client has created all new user accounts with strong and unique passwords.
  - Ensuring the passwords for Oracle EBS accounts are unique across each of the environments used in change control. If the system passwords are the same in a non-production environment as they are in production, then a compromise in one of these lower-security environments will significantly increase the risk of a compromise in the production environment.
o Usage of SSO limits the existing Oracle EBS password management. Where an SSO solution is used, the Oracle EBS password-related profile option settings might be overridden by the password settings in the SSO application.

4. Identity Management

4.1. Identity management with non-Oracle ERPs
In many environments, Oracle might not be the only application used. Large companies could easily have multiple ERPs or other systems in place to support their businesses, as well as databases and operating systems that require their own internal authorisation mechanism as part of the overall IdM environment. In these situations, an Identity Management ("IdM") solution could be used as the central point for creating, updating and disabling users. Identity management is the process by which an employee is identified and managed consistently through each of the applications in use at the company.

An IdM solution involves five basic components:
• Directory services focus on providing a common view of an individual regardless of which databases and applications (and associated user IDs) that individual has access to.
• User management involves providing a common mechanism throughout the company for creating user accounts, managing the access granted to those user accounts, and then disabling those accounts.
• Provisioning is the process of automatically maintaining user records in various applications.
• Workflow is the business logic that provides for the approval process and the other notification activities required to maintain user accounts.
• Access control involves providing a common mechanism for allowing/denying access to applications at the company.
[Diagram: user creation and provisioning should be sourced at the IdM solution. Users and access groups flow from the IdM to System 1, the Oracle ERP (users and responsibilities) and System 2. Technical and/or monitoring controls should be enabled to promote user creation and assignment from the IdM solution.]

4.2. Identity management within Oracle EBS
Oracle EBS, as part of the overall Oracle identity management framework, can be considered as one additional application to be included. The Oracle EBS has to be registered as an instance to the OID. In addition, there are some profile options (see the profile options list) which have to be enabled, and some workflow events must be activated for the process from OID to Oracle EBS. In principle, users created in Oracle EBS are provisioned to OID (and vice versa).

It is important to understand how the login and synchronization process works. Here is a brief description for the simplest cases; please see the main documentation for more details. Source: Oracle note ID 380487.1.

A. Authentication Phase: Validating a user's identity
The user attempts to access a protected page from Oracle Applications Release 12 and is redirected to the Single Sign-On Server site. The Single Sign-On Server verifies if the user is already authenticated (it validates the cookie SSO_ID presented to this site). If the user is not authenticated, the Single Sign-On Server displays a login page requesting a user name and password and verifies the credentials against Oracle Internet Directory. The login page will continue to be presented until a valid username and password are provided. Once the username and password have been authenticated, the Single Sign-On Server creates or updates the SSO cookie and redirects the browser to a predetermined Oracle Applications Release 12 page. Along with this request, encrypted and signed information regarding the authentication (the user name, for example) is sent in the redirect; only the receiving site can decrypt it. If the decrypted information is valid, Oracle Applications Release 12 will create an application session (reflected in the session cookie named <sid>_<host>), and the browser is redirected to the originally requested page.

B. Synchronization Phase: From Applications to OID
In Applications, user information is propagated to OID using DBMS_LDAP commands. Profile values are checked to verify that the user should be propagated to OID. If all checks pass, the changes are made to the user in OID.

C. Synchronization Phase: OID to Applications
When a change is made in OID, the change vector is stored (changeLog). When the DIP server wakes up, it will scan the new changeLog entries and filter them using the provisioning profiles. For changes that match a profile, the DIP server will connect to the Applications database and use a WF interface (WF_OID) to raise the corresponding WF events. Later the WF Agent will process and implement the events.

However, with the usage of the new RBAC functionality, there might be enhanced usage of provisioning within Oracle EBS. Provisioning services are modelled as registration processes that enable end users to perform some of their own registration tasks, such as requesting new accounts or additional access to the system. They also provide administrators with a faster and more efficient method of creating new user accounts, as well as assigning roles. Registration processes create Role Assignments, which are equivalent to RBAC policies, as these Role Assignments control the actions or access for a user. Therefore new functionalities are introduced in the new version R12:
o Introduction of the "User Management: Security Administration Set Up" Wizard for performing the following system administration functions:
  - Defining User Administration Privileges for Roles
  - Defining Role Administration Privileges for Roles
  - Defining Organisation Administration Privileges for Roles
o The functionality of "Administrator assisted request for additional access" is added as the fourth type of user registration process.
o Addition of the new field "Business Event Name" in the user registration process, to record the custom business event that will be raised by Oracle User Management with context information for processing.

4.3. Control Considerations

4.3.1. Business Process Variables
o None

4.3.2. Control Dependencies
o None

4.3.3. Control Limitations
o None

4.3.4. Testing Notes
o When IdMs are in use, the practitioner should understand to what degree the IdM solution affects the Oracle Applications and the user provisioning process (e.g. the provisioning of users that do not yet exist in OEBS to the most likely users).
o When IdM is used, controls testing related to user management procedures should focus more on the use of the IdM. For example, if users are created in the IdM and automatically sent to Oracle, is access to user provisioning in Oracle sufficiently restricted to prevent an Oracle System Administrator from creating a new user outside of the IdM? Depending on how the IdM is structured, the risk in this situation is that the IdM would never have knowledge of the new user.
o When IdM is used, the practitioner should understand where the authentication starts, either via the Oracle EBS or via the OID application.
o Controls testing should also include change control and testing around the IdM as it relates to integrating with Oracle.
o The risks vary depending on how the IdM is architected. Controls testing should address gaps that might exist between the management of users in the IdM and in Oracle.
o Each new or changed user ID should have a completed authorisation request form. This user ID authorisation form should clearly indicate the specific Oracle access (e.g. which Responsibility) that should be granted.

5. Multi organization access control
Oracle Release 12 introduced for the first time the concept of Multiple Organization Access Control (MOAC). Using MOAC, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. This functionality can be leveraged in shared service environments to improve the efficiency of data processing. Using the new MOAC functionality, multiple operating units are assigned to a security profile. This security profile is then assigned either to responsibilities or directly to users. Examples of MOAC's impact on Oracle Payables are provided below. Using MOAC, a user can:
o Enter invoices or batches of invoices for one operating unit, and then seamlessly enter invoices for another operating unit.
o Select invoices across operating units for payment processing within a single pay run.
5.1. Functionality
In the Oracle 11i environment, the E-Business Suite (EBS) uses the profile option MO: Operating Unit to link an operating unit to a particular responsibility. The system administrator must set this profile option for each responsibility. This process creates a one-to-one relationship between the responsibility and the operating unit: EBS allows a user to see only the information for the particular operating unit that is assigned to the responsibility. If a user wants to enter transactions or perform setup functions across several business units, then that user must be assigned multiple responsibilities with access to each of the relevant business units, and must switch between responsibilities to perform updates to different business units.

With Multiple Organization Access Control, a responsibility can have access to multiple operating units. EBS introduces a new profile option that enables MOAC: MO: Security Profile. The old model of managing multi-organization access in Oracle 11.5.10 has been enhanced, but not replaced, by MOAC. The option of using the MO: Operating Unit profile option to enforce a one-to-one relationship between responsibilities and business units can still be used. Optionally, if an organization wants to provide multiple organization access from a single responsibility, then that organization will use MOAC.

MOAC provides the following two security profiles that enable users to access, process, and report data in multiple operating units from a single responsibility:
o MO: Security Profile - allows the assignment of multiple operating units within the same business group.
o MO: Global Security Profile - allows the assignment of multiple operating units across multiple business groups.

The following profile options are relevant to MOAC:
o MO: Security Profile
o MO: Default Operating Unit
o MO: Operating Unit (legacy functionality)
o SLA: Enable data access set security in Sub-ledger
The last profile option might expose the client to a specific risk. If it is activated, users with sub-ledger access cannot enter data into any ledger through the sub-ledger; if it is deactivated, users may be able to enter journals in multiple ledgers through their sub-ledger level access (e.g. the AP sub-ledger). Further granular access controls can be achieved through the set-up of Definition Access Groups, covered under the General Ledger module.

New reports in the various EBS modules are available as a result of MOAC and can be categorized as follows:
o Cross Organization Reports report data for one or more operating units.
o Multiple Organization Reports report data for one or more operating units from a single responsibility.
The MO: Security Profile option controls the operating units a user can submit a report for. The Reporting Level and Reporting Context determine the level a user can submit a report for. Even though the user can access one or more operating units, the user can only report data for one operating unit at a time.

5.2. Profile options

MO: Security Profile
This profile option needs to be set in order for the MOAC model to work. If a company wants to allow access across operating units from a single responsibility, the MO: Security Profile option needs to be defined. Within the MO: Security Profile option, there is also a Global profile option which allows a single responsibility to access data across business groups (i.e. the highest level of organization in the hierarchy). For example, this setting would allow a user in the US company to access the UK company's information. The use of the Global Security Profile is currently not recommended, as this option allows a responsibility to access data across business groups, which presents an even greater risk to data and transaction security.

MO: Default Operating Unit
This profile option sets the default value of a specific operating unit for a given responsibility. However, this default value can be changed / overridden by the user. The MO: Security Profile will allow the user to choose from a drop-down list of operating units, so the default value is not enforced.

MO: Operating Unit
This profile option existed in 11i and prior. It is used to establish and enforce a one-to-one relationship between responsibility and operating unit. However, this does not prevent the use of the MO: Security Profile option. If both MO: Security Profile and MO: Operating Unit are defined for the responsibility or user, the system will grant access based on the rules defined in the MO: Security Profile option; for access purposes, MO: Security Profile takes precedence over MO: Operating Unit.
Exception: If a company is using journal tax functionality in GL, then the MO: Operating Unit profile option must be defined for the GL responsibility. The MO: Security Profile option should NOT be enabled for this scenario.

SLA: Enable data access set security in Sub-ledger
See the comment above.

5.3. Control Considerations

5.3.1. Business Process Variables
o Take the time to understand the reason why a client might be using the MOAC model to grant a single responsibility access to multiple operating units. This could be compared to a scenario where a user in the US subsidiary can access data in the UK subsidiary. The client's IT operations should reflect a shared service environment to truly leverage the benefits of using MOAC. If there remains separate delegation within the shared service (i.e. employees are assigned to handle data for a specific region), then the client should consider using the traditional 11i multi-org model, where a responsibility is restricted to a single operating unit.

5.3.2. Control Dependencies
o Consider this functionality in relation to other enhancements like RBAC and proxy user.
o Additional considerations must be made if MO: Global Security Profile is used instead of just MO: Security Profile.

5.3.3. Control Limitations
o N/A

5.3.4. Testing Notes
o Begin testing by understanding what kind of Multi-Org Access Control is being used by the client. Then, depending on the Oracle module, understand how MOAC impacts the SOD environment. For example, if MOAC is used to allow access to multiple operating units from a single responsibility, then in an AP review a user who creates vendors in operating unit A, creates invoices in operating unit B, and processes payments in operating unit C has not committed a true SOD violation, although based on the Gate report this might be identified as a violation of SOD rules. Keep in mind that a true segregation of duties violation exists when a user is able to perform conflicting functions within one organization/operating unit for transaction modules such as AP and PO, within a ledger/ledger set for the GL module, within an asset book for the FA module, and within an inventory org for the INV module, which is the case if a user is able to do all of the above functions in a single operating unit. Note that a MOAC responsibility grants its functions in every operating unit on its security profile, so a user with vendor, invoice and payment functions across A, B and C can normally also perform all three within A alone; the test is whether the conflicting functions are all available within any one operating unit, not whether the Gate report pairs them across units.
o From a segregation of duties perspective, understand how the ledger / ledger sets are impacted based on the organization structure of the company. For further details on this concept, refer to the GL practice aid for information on Data Access Sets and Definition Access Sets.
o Consider the impact if the sub-ledger profile option is enabled.
In 11. Clients generally leverage Alerts as key components of their monitoring controls. These events are defined by client management.G.10.5.1. 1. Application Support Responsibilities and Users 1. This responsibility is used to develop and register new functionality within the Oracle EBS. Firm use only . 1. the system support features have been separated.10. Alerts can send notifications at the time of the event or simply send a periodic message about a certain type of event.5. no auditing is enabled for the system administration / support responsibilities. Oracle would come with one system-administration ID with system-wide primary responsibility. Additionally. responsibility. audit trail management Concurrent process management System-wide application configuration capabilities Workflow management System Administrator By default. Application Developer The Application Developer responsibility is a responsibility that is shipped with Oracle. All rights reserved. Alert Manager Oracle Alerts are system notifications that inform users of sensitive events occurring within Oracle. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Users having access to the Alert Manager can modify any/all Alerts and disable them if needed.2. Support Responsibilities 1. Responsibility System Administration Features • Technology/Infrastructure management • System diagnostics • • • • Security -.User. Page 56 of 89 Internal use only -. S. Application Developer can update system wide configurations. Please see the Auditing section of this Practice Aid for further information.U.3. Oracle System Administration In releases prior to 11.
implement. and run workflows in the production environment. The following example identifies how to create a new sales order through workflow: The individual selects the order entry process workflow and selects the "Run" option. S. the Workflow Administrator role must be assigned to the user. Workflow administrator capabilities are required to assign another individual this role. Workflow Administrator Workflow is the automatic routing of documents (physical or electronic) to the individuals responsible for working on them. The Oracle Workflow Administrator can build. The flow of physical documents in an organization is subject to errors and delays.The Alert Manager can enable/disable the Alert. The Alert Manager can modify what is being monitored. Workflow sets timers that ensure that documents move along at a prescribed pace and that the appropriate person processes them in the correct order. The ability to view and update anyone's workflow has significant implications. Firm use only . 1. If an individual had access to the workflow administrator role. All rights reserved. sensitive transactions could be initiated directly in workflow. however.4. is generally limited to the user's own workflows. This powerful access. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. To impact system-wide workflows. Workflow also provides the information required to support each step of the business cycle. Page 57 of 89 Internal use only -. The Oracle Workflow Administrator responsibility grants the individual the ability to perform these activities.U. This access is granted through the Administration tab in Oracle Workflow.
as noted below. Firm use only . the workflow administrator could initiate a new drop shipment sales order without having direct access to the order entry forms. In this circumstance. the workflow administrators can approve/reject/delete in any transaction currently in process under workflow via the view diagram form. In addition to initiating sensitive workflow. This process is the same for any workflowrelated process throughout the application.U.After selecting the "Run" icon. Page 58 of 89 Internal use only -. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. All rights reserved. the user is then prompted with the required information to launch the process: The individual will supply the required elements and select submit to initiate a new sales order. S.
S. If the client is relying on Personalisation for tuning controls. This feature is controlled by two system profile options: • • Hide Diagnostics menu entry.The workflow administrator can reassign workflows to any active user.5. • Many of our clients also utilise of the custom. Business end users should not have access to this feature for the following reasons: • Form Personalisation is a new feature in Oracle EBS 11. • The "examine" and "properties" capabilities under the diagnostics menu provide an individual with specific information regarding the nature of the information and data used.pll programming interface to fine tune security and data protection on a form.U. This feature is available in the Diagnostics area. then allowing business end users the ability to access this feature will circumvent the intended control. Firm use only .10 and is available in the diagnostics area. Page 59 of 89 Internal use only -. and Utilities: Diagnostics. This custom code can be disabled through the diagnostics feature. In some situations. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Form Personalisation has the capability in Oracle to perform system wide customisation. 1. or they can expedite (cancel or approve) any workflow process. All rights reserved. Diagnostics Utility The diagnostics utility is a feature that assists troubleshooting application functionality.5. This customisation ranges from protecting field-level data on a form to hiding entire forms. the individual can even update data in the application through this feature.
pll code Modify Personalisation 1. Processing/Program Management Batch Processes as well as report requests are generated through concurrent request manager. All rights reserved.7 Application manager Oracle Application Manager is a powerful tool that allows user to: o Monitor and support business flows within Oracle E-Business Suite o Edit or delete workflows o Manage concurrent manager PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Page 60 of 89 Internal use only -. The Concurrent Manager is a utility within Oracle that allows a user to manage the various requests that run various jobs and at the same time. still allows the user to have the ability to transact within the system. 1.6. Firm use only . S. The User ID who requests a concurrent program or report to be run will have their User ID assigned and tracked within the application.Gives the users detail information about the application and data Enable/Disable custom.U.
U. All rights reserved. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Firm use only . Page 61 of 89 Internal use only -. S.The following screen-shot depicts the available administrative functionalities within Application Manager: Taking the functionality business flow (Business flows consists of workflows). system administrator can manage the business flow functionality as depicted in the following screen-shots.
Page 62 of 89 Internal use only -.U.Choose the Order to Cash flow The workflows appear below the business flow PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. S. All rights reserved. Firm use only .
Practitioners should consider testing any Workflow-related transactions on a substantive basis to ensure transactions are processed in accordance with management's control objectives and policies. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Control Considerations 1. access to the Alert Manager should be restricted.4. If the client makes extensive use of Oracle Alerts. Control Dependencies o None 1. There is a legitimate need for an Application Developer to have access to Key Flexfield definitions. Control Limitations o The Application Developer comes with the Process Navigator Tab enabled.2. Testing Notes o An Alert by itself is not a control.8. Business Process Variables o Oracle does not have detailed security around Alerts.3.8.U.8. The Alert only notifies management to perform some activity. o The seeded Application Developer responsibility also contains the menus needed to change Key Flexfields (i. All rights reserved.8. S. Firm use only .1. Page 63 of 89 Internal use only -.e.8. formal change control procedures for this responsibility should be active in the production environment. Given the purpose and access granted. General Ledger Accounting Flexfield) that creates a segregation of duties issue. 1. 1.1. PwC should consider and test the procedures required of management as a result of the alert o Workflow controls should not be limited to the approval hierarchy and distribution list. The Alert Manager will provide access to all Alerts. but usually this access is restricted to a test or development environment only.
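The following SQL is an added example, not part of this practice aid, covering the access described in sections 1.1 to 1.5: who holds the support responsibilities, whether the Workflow Administrator role has been opened to everyone, how the two diagnostics profile options are set at each level, and (looking ahead to the Guest ID in section 2.2) whether GUEST carries responsibilities. It assumes a session connected as APPS or a query account with synonyms to the APPS objects; the responsibility names are the seeded English names, and the client may have copied or renamed them.

```sql
-- Added example (not from the practice aid): support-access review.
-- Assumes APPS synonyms and seeded English responsibility names.

-- 1. Active users holding the sensitive support responsibilities.
SELECT u.user_name, rt.responsibility_name, urg.start_date, urg.end_date
  FROM fnd_user_resp_groups   urg
  JOIN fnd_user               u  ON u.user_id = urg.user_id
  JOIN fnd_responsibility_tl  rt ON rt.responsibility_id = urg.responsibility_id
                                AND rt.application_id   = urg.responsibility_application_id
                                AND rt.language = 'US'
 WHERE rt.responsibility_name IN ('System Administrator', 'Application Developer',
                                  'Alert Manager',
                                  'Workflow Administrator Web Applications')
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
   AND (u.end_date   IS NULL OR u.end_date   > SYSDATE)
 ORDER BY rt.responsibility_name, u.user_name;

-- 2. The Workflow Administrator role (section 1.4). A value of '*' means
--    every user can view and act on any workflow in the system.
SELECT text AS wf_admin_role
  FROM wf_resources
 WHERE name = 'WF_ADMIN_ROLE';

-- 3. Diagnostics exposure (section 1.5): the two controlling profile
--    options at site, application, responsibility and user level.
SELECT pot.user_profile_option_name AS option_name,
       CASE pov.level_id WHEN 10001 THEN 'SITE'           WHEN 10002 THEN 'APPLICATION'
                         WHEN 10003 THEN 'RESPONSIBILITY' WHEN 10004 THEN 'USER' END AS lvl,
       COALESCE(rt.responsibility_name, u.user_name)      AS assigned_to,
       pov.profile_option_value                            AS value
  FROM fnd_profile_options        po
  JOIN fnd_profile_options_tl     pot ON pot.profile_option_name = po.profile_option_name
                                     AND pot.language = 'US'
  JOIN fnd_profile_option_values  pov ON pov.application_id    = po.application_id
                                     AND pov.profile_option_id = po.profile_option_id
  LEFT JOIN fnd_responsibility_tl rt  ON pov.level_id = 10003
                                     AND rt.responsibility_id = pov.level_value
                                     AND rt.application_id    = pov.level_value_application_id
                                     AND rt.language = 'US'
  LEFT JOIN fnd_user              u   ON pov.level_id = 10004
                                     AND u.user_id = pov.level_value
 WHERE pot.user_profile_option_name IN ('Hide Diagnostics menu entry',
                                        'Utilities: Diagnostics')
 ORDER BY option_name, pov.level_id, assigned_to;

-- 4. GUEST should carry no responsibilities beyond those needed for
--    self-service authentication (section 2.2).
SELECT rt.responsibility_name, urg.start_date, urg.end_date
  FROM fnd_user_resp_groups  urg
  JOIN fnd_user              u  ON u.user_id = urg.user_id
  JOIN fnd_responsibility_tl rt ON rt.responsibility_id = urg.responsibility_id
                               AND rt.application_id   = urg.responsibility_application_id
                               AND rt.language = 'US'
 WHERE u.user_name = 'GUEST'
 ORDER BY rt.responsibility_name;
```

For query 3, a user- or responsibility-level value of "Utilities: Diagnostics" = Yes for a business user overrides a restrictive site-level setting and is the finding to report; a site-level Yes with "Hide Diagnostics menu entry" = No exposes the menu to everyone.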
2. Application Support User IDs

2.1. Default/Seeded User IDs
The following user IDs are shipped with Oracle EBS:
• ANONYMOUS
• APPSMGR
• ASGADM
• ASGUEST
• AUTOINSTALL
• CONCURRENT MANAGER
• FEEDER SYSTEM
• GUEST
• GUESTADMIN
• GUESTUSER
• IBEGUEST
• IBE_ADMIN
• IBE_GUEST
• IEXADMIN
• INITIAL_SETUP
• IRC_EMP_GUEST
• IRC_EXT_GUEST
• MOBILEADM
• OP_CUST_CARE_ADMIN
• OP_SYSADMIN
• PORTAL30
• PORTAL30_SSO
• SYSADMIN
• WIZARD
PwC should review these accounts and ensure that only the required user IDs in this list are enabled and that all default passwords are changed. These seeded / default IDs should not be included in a list of generic accounts reported to the client.

2.2. Guest ID
The Guest ID in Oracle EBS is required for all users. This ID is used during the login / authentication process to validate the user's credentials. Disabling this ID will prevent all users from being able to log in to the application. This ID should have no responsibilities associated with it, or only those required to support authentication for the self-service applications. The Guest password is stored as a site-level system profile option, Guest User Password. The default value for this profile option is GUEST/ORACLE. Recommended practice is that the password, like all default IDs, is changed after installation.

2.3. Control Considerations

2.3.1. Business Process Variables
o None

2.3.2. Control Dependencies
o None

2.3.3. Control Limitations
o None

2.3.4. Testing Notes
o None

3. APPS Database ID
A common approach to application design for many web-based applications, including ERPs, includes the use of global database accounts (or IDs).
with direct and ongoing access to key data. Lastly. The APPS ID is not an application ID and cannot be used to log in to the application by an end-user.The APPS ID is the primary schema owner for Oracle EBS. all-powerful ID where user accountability is reduced.if not all. Risk The use of a generic. This places increased risk related to the use of the APPS ID and therefore greater pressure on the need to obtain a reasonable level of comfort on the appropriate use of APPS. SYS. it can access/update any data in the database. certain features of the Oracle E-Business Suite require the use of the APPS ID password in order to be utilized. the audit trail created by this ID would potentially be too large to be of use and would have a detrimental effect on application performance. For example. therefore. The APPS password is generally required to access these diagnostics. Use of the APPS ID in the Oracle EBS results in a shared. not every maintenance procedure needed to be performed by the client requires the use of the APPS ID. Unlike other ERP packages. Reduced ability to monitor changes made by this ID -. Many of the stored procedures/packages will not function correctly unless executed by APPS. Understanding the proper use of the APPS ID is key for the client and for us to gain comfort with regards to management's culture and company-level controls. These diagnostics features are accessed through a restricted menu in the application. Additionally. Examples of use by these IDs include connection pooling (for better performance) and cross-functional access by the application within the database. the global database ID that owns the application schema is called "APPS". PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers.1. Note: Many of the inherent functions called by the APPS ID cannot be substituted with other database administrator IDs such as SYSTEM. However. S. such as APPS. 
...system backups should be able to be performed by other database administrator IDs.

The APPS ID grants privileged users, such as DBAs, an all-powerful database ID. APPS is unique to Oracle E-Business Suite and is not applicable to any other application. Although technically this ID belongs to the Oracle database, many of the activities performed in the application have some relationship to APPS; this issue should therefore be addressed during a database review performed in conjunction with the Oracle EBS review. The APPS ID is listed in the SYS.DBA_USERS data dictionary view in the Oracle database. This is where database user IDs are recorded, and it is found in every instance of the Oracle database. In Oracle E-Business Suite, application user IDs such as SYSADMIN are stored in an application-specific table called FND_USER. The FND_USER table will only be found in E-Business Suite environments.

Because these IDs own the application components in the database, they are used during implementations and patch upgrades, and application DBAs require the use of APPS to help determine and remediate performance issues. By design, the Oracle E-Business Suite environment does not have a formal change control process embedded into the functionality of the application (including physical application files and database components). Once the data is in the database, it is subject to additional changes, authorized or not. The use of the APPS ID increases the following risks:
• Unauthorised changes to any application data or object
• Reduced comfort that application controls and other security measures are working as intended
However, the fact that the ID is used by a number of individuals and the related password is changed infrequently presents a heightened risk that unauthorized changes to the database may go undetected due to the difficulty in monitoring its appropriate use. Without auditing at the database level, logging and monitoring is challenging.
3.3.2. Access to the APPS Password
Generally, the requirements for using this ID would be similar to those of an emergency or "fire-call" ID. The exception with the APPS ID is that periodic change of the password is not suggested, since the application itself uses the ID to perform certain actions and procedures. Changing the APPS password should be a controlled and planned event to ensure that an unplanned system outage does not occur due to password errors. Failure during this password change process could, and probably will, bring down the system. This risk is especially true if the client makes use of custom routines that require the APPS password; these routines would need to be modified as well in order to function properly. While Oracle does provide some ability to dynamically change application passwords while the system is still live, we do not suggest this approach in managing these passwords. Refer to Oracle Metalink at https://metalink.oracle.com/.

3.3.3. Control Considerations
The overall approach for managing this issue (and subsequent testing) is a combination of IT monitoring controls, restricted access, good company-level controls and good policies and procedures. Even though ERP transactional data is generally very complex and difficult to initiate from the database, the possibility does exist that inappropriate business information can be initiated from the database and processed. Management should also have fraud monitoring controls in place for key employees and users of the application. Generally, the business process controls mentioned could provide a significant amount of risk mitigation. The IT controls that can be implemented include monitoring sensitive access to the database, monitoring sensitive changes to the database, protecting the audit trail and restricting access to the database. Either approach, individually or collectively, are controls we recommend.

3.3.3.1. Restricting Access to the Database
Through the use of native Oracle Net security features (the sqlnet.ora and listener.ora configuration files), Oracle can be configured to only allow connections from certain locations or IP addresses. Specifically, valid node checking (TCP.VALIDNODE_CHECKING=yes together with TCP.INVITED_NODES or TCP.EXCLUDED_NODES in sqlnet.ora on the database server, which the listener enforces at connect time) allows a list of authorized connection sources to be specified. Oracle-native security is not the only way to restrict access to the database. An intrusion detection system (IDS), including firewalls and other hardware/software, could isolate the database server. IDS security could limit access to pre-determined locations, and IDS monitoring and reporting features could also be used. Additionally, other features can be implemented to help ensure that access to the database is controlled. Oracle is also introducing Database Vault, which addresses segregation of duties within the database. Oracle Database Vault addresses some of the most common database security problems and internal threats by:
• Restricting the DBA and other privileged users from accessing application data
• Preventing the application DBA from manipulating the database and accessing other applications
• Providing better control over who, when and where an application can be accessed

3.3.3.2. Potential Automated Solutions
The inherent auditing mechanism in the Oracle database (and related Application Programming Interfaces, APIs such as the "Audit API") can be used to help monitor changes to the database and is discussed later. However, these auditing mechanisms in the application and in the database are not sufficient, on their own, to allow for effective monitoring of the APPS ID. To augment basic monitoring procedures over the APPS ID, functionality in other third-party tools provides tighter control over Oracle E-Business Suite change control procedures. Oracle is currently introducing its IT Auditor module for the E-Business Suite, which will further help with change control.
3.3.4. Monitoring of APPS
The use of APPS is generally not monitored formally. The reasons are noted above: detailed monitoring activity performed on this ID will probably produce a voluminous audit trail and have a detrimental effect on system performance. However, some monitoring should occur. The objective is reasonable (not complete) assurance that APPS is used appropriately. Reasonable assurance should only require monitoring to a sufficient level that its use can be tied to formal change request activities or those used to recover normal operations. This monitoring should also be tied to a stated policy on its use, with documented and acknowledged policies and practices on the repercussions of its use when not used as approved. These repercussions should be significant enough to have an impact on the culture. To support this control, management should have a support department large enough for effective monitoring. If needed, the core DBA team could implement its own internal fire-call system for this ID.

3.3.4.1. Valid APPS ID Users
Valid use of APPS by individuals should relate only to formal IT activities in support of the application that require the use of the APPS ID and that cannot be executed by other IDs. These activities should be limited to implementation/patch maintenance and startup/shutdown of middle-tier services, such as the application server itself. Another typical type of activity that requires the APPS ID is the need to run diagnostic scripts and data fixes authorized by Oracle Support. Normal database maintenance activities such as system backup and most statistics can be performed using SYSTEM or other database administrator IDs with equivalent rights.

Unless the client has a very strong reason to the contrary (exceptions should be discussed with the PwC Oracle SME team), the core DBA team are the only individuals who should have access to this password. These are the same individuals who know the SYSTEM and SYS passwords. Even then, the APPS password should be restricted to a limited number of individuals in that team. The application end-users should not have access to this password.

3.3.4.2. Database Triggers
When APPS and other highly sensitive database IDs are used, an important element to consider is whether or not the ID was used (or at least appeared to be used) by the application. Technically, a login trigger can be developed and implemented to track when database IDs connect to the database. By excluding the application server locations, an audit trail can be created to identify when these IDs are used but not by the application. The use of a second trigger, a logoff trigger, is essential to this audit trail in that the duration of time used by the ID can also be recorded. When these IDs are used outside of the application, these situations should be documented and follow-up procedures should be performed. The activity in the resulting audit trail should then be able to be matched to the access request log and the maintenance activities. Setting up the triggers and audit trail is not complicated; the true cost of ownership will involve the monitoring and follow-up activities. Performance impact (if any) as a result of these triggers is not known and could vary based on client implementations.

To augment the login/logoff trigger, an additional trigger could be enabled to monitor all database structure changes. DDL transactions (data definition language) are those activities that change the structure of the database: creating, altering and dropping tables, indexes, triggers, stored procedures, etc. Most of the activity performed within Oracle E-Business Suite involves transactions related to data, not the database structure. This trigger type is natively available in Oracle. The related benefits include a more complete picture with regards to change control and maintenance activities.
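The logon, logoff and DDL triggers described above, as an added example written for this page rather than code from the practice aid or from Oracle. It creates a trail table, records sessions of the sensitive IDs only when they do not come from the application tier (so that the application's own use of APPS is excluded, as the text requires), records every DDL statement regardless of the ID, and ends with the review query that pairs logons with logoffs to give the duration. The schema XXAUDIT, the table and column names, and the middle-tier host names ebsapp01, ebsapp02 and ebscm01 are assumptions; a real deployment substitutes the client's host list and reconciles the result against its fire-call request log.

```sql
-- Added example. Assumed: schema XXAUDIT owns the trail (APPS owns its own objects and
-- must not own the evidence about itself); hosts ebsapp01/ebsapp02/ebscm01 are the
-- application and concurrent tier. Run as a DBA.
GRANT ADMINISTER DATABASE TRIGGER TO xxaudit;   -- required for ON DATABASE triggers

CREATE SEQUENCE xxaudit.xx_priv_id_audit_s;

CREATE TABLE xxaudit.xx_priv_id_audit (
  audit_id    NUMBER        NOT NULL,
  event_type  VARCHAR2(10)  NOT NULL,                  -- LOGON, LOGOFF or DDL
  event_time  TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  db_user     VARCHAR2(30)  NOT NULL,
  os_user     VARCHAR2(128),
  host        VARCHAR2(128),
  ip_address  VARCHAR2(45),
  module      VARCHAR2(64),
  session_id  NUMBER,                                  -- pairs a LOGON with its LOGOFF
  ddl_event   VARCHAR2(30),                            -- CREATE / ALTER / DROP ... (DDL rows)
  obj_type    VARCHAR2(30),
  obj_owner   VARCHAR2(30),
  obj_name    VARCHAR2(128),
  CONSTRAINT xx_priv_id_audit_pk PRIMARY KEY (audit_id)
);

-- Writes one trail row in its own transaction so that the row survives whatever the
-- calling session does (or rolls back) afterwards.
CREATE OR REPLACE PROCEDURE xxaudit.xx_log_event (
  p_event_type IN VARCHAR2,
  p_ddl_event  IN VARCHAR2 DEFAULT NULL,
  p_obj_type   IN VARCHAR2 DEFAULT NULL,
  p_obj_owner  IN VARCHAR2 DEFAULT NULL,
  p_obj_name   IN VARCHAR2 DEFAULT NULL)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO xxaudit.xx_priv_id_audit
    (audit_id, event_type, db_user, os_user, host, ip_address, module, session_id,
     ddl_event, obj_type, obj_owner, obj_name)
  VALUES
    (xxaudit.xx_priv_id_audit_s.NEXTVAL, p_event_type,
     SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),         SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     SYS_CONTEXT('USERENV', 'MODULE'),       SYS_CONTEXT('USERENV', 'SESSIONID'),
     p_ddl_event, p_obj_type, p_obj_owner, p_obj_name);
  COMMIT;
END;
/

-- TRUE when a sensitive ID connects from anywhere other than the application tier,
-- i.e. the ID is in use but (apparently) not by the application itself.
CREATE OR REPLACE FUNCTION xxaudit.xx_is_manual_sensitive_use RETURN BOOLEAN IS
BEGIN
  RETURN SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('APPS', 'APPLSYS', 'SYS', 'SYSTEM')
     AND SYS_CONTEXT('USERENV', 'HOST') NOT IN ('ebsapp01', 'ebsapp02', 'ebscm01');
END;
/

CREATE OR REPLACE TRIGGER xxaudit.xx_priv_id_logon_trg
AFTER LOGON ON DATABASE
BEGIN
  IF xxaudit.xx_is_manual_sensitive_use THEN xxaudit.xx_log_event('LOGON'); END IF;
EXCEPTION
  -- An unhandled error in a logon trigger refuses the connection for non-DBA users:
  -- the outage the text warns about. Availability is chosen over trail completeness;
  -- the review query below must therefore be run, not just the trail relied on.
  WHEN OTHERS THEN NULL;
END;
/

CREATE OR REPLACE TRIGGER xxaudit.xx_priv_id_logoff_trg
BEFORE LOGOFF ON DATABASE
BEGIN
  IF xxaudit.xx_is_manual_sensitive_use THEN xxaudit.xx_log_event('LOGOFF'); END IF;
EXCEPTION WHEN OTHERS THEN NULL;
END;
/

-- Structure changes by ANY id, as the note on the DDL trigger requires. Disable it for a
-- patch window (adpatch issues thousands of DDL statements) and re-enable afterwards;
-- both ALTER TRIGGER statements are themselves recorded.
CREATE OR REPLACE TRIGGER xxaudit.xx_ddl_audit_trg
AFTER DDL ON DATABASE
BEGIN
  xxaudit.xx_log_event('DDL', ORA_SYSEVENT, ORA_DICT_OBJ_TYPE,
                       ORA_DICT_OBJ_OWNER, ORA_DICT_OBJ_NAME);
END;
/

-- Review query: every manual session of a sensitive ID, who and where it came from,
-- and how long it lasted. A LOGON without a matching LOGOFF is still open or was killed.
SELECT lg.db_user, lg.os_user, lg.host, lg.ip_address,
       lg.event_time                  AS logon_time,
       lf.event_time - lg.event_time  AS duration
  FROM xxaudit.xx_priv_id_audit lg
  LEFT JOIN xxaudit.xx_priv_id_audit lf
         ON lf.session_id = lg.session_id AND lf.event_type = 'LOGOFF'
 WHERE lg.event_type = 'LOGON'
 ORDER BY lg.event_time;
```

Each row returned by the review query should be matched to an approved fire-call request or a change record; rows that cannot be matched are the follow-up items the text describes. Because the triggers swallow their own errors, a periodic check that the trail is still growing (for example that the DDL trigger recorded the last patch window) is part of operating this control.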
Enabling a DDL trigger should not have a significant impact on system performance and should be able to be effectively used to monitor database changes. Note: the DDL trigger should capture all structure changes and not be limited just to APPS. Changes to standard E-Business Suite tables and views should be noticed by the end users of the system fairly quickly. However, changes to triggers and stored procedures are custom code that could alter the results of control activities; e.g., if management had implemented the logon/logoff controls above, they would want to know if that trigger had been subsequently modified. The benefits of this control would include monitoring of some custom configurations designed and implemented to support management's key controls. The cost of this control would involve protecting the audit trail and independent review. We should only recommend this control if management is leveraging some sort of customization in the database to support key controls.

3.3.4.3. Detailed Auditing
Detailed auditing of the APPS ID or any other database ID used by the application is not suggested while the application is live and supporting production activities. If detailed auditing is attempted, it should only be performed while the application is down and under change control. Procedurally, the audit mechanism for the APPS ID or other sensitive database IDs would have to be enabled prior to its use and disabled prior to the application going live again. Occasionally, our clients have considered this control in an attempt to better document the actual activities performed under change control. The cost of this control includes additional procedures pre/post change control to enable/disable the detailed auditing. The true benefits of this control are probably outweighed by existing business process controls. Unless management's circumstances are really unusual, this is a control we would not generally recommend.

3.3.5. Protecting the Audit Trail
The objective is to ensure that DBAs and other individuals with very sensitive access do not have the ability to alter the audit trail created by the database. The Oracle database supports two different ways to record audit trail information: 1) outside the database on the operating system, and 2) within the database.

3.3.5.1. Outside the Database on the Operating System
Oracle can write each audit event to a separate file on the operating system. The benefit of this approach is that large volumes of audit events do not impact database capacity. One cost of this approach is that it does not easily support streamlined reporting.

3.3.5.2. Within the Database
The Oracle database can record the audit trail within the database; therefore, the audit trail will be owned by the database, and the DBA probably has access to the audit trail. The benefit of this approach includes a consistent format that can be used for consolidated reporting. The cost of this approach includes 1) a greater risk of inappropriate audit trail modifications, and 2) increased database capacity requirements. If management can prove that it can effectively protect this audit trail from inappropriate updates and can report against the information, then this is an acceptable approach. To support this approach, the following items should be collectively considered:
• The use of individual database administrator user IDs and custom database roles. These custom roles would not allow updates to the audit trail. This approach to assigning access to DBAs can provide sufficient access to administer the database but prevent updates to the audit trail. Note: several of our clients have considered this approach; the implemented status of this approach, however, is not currently known.
• Formal fire-call / request procedures for the use of default DBA IDs such as SYS and SYSTEM. As a precaution against default DBA IDs updating the audit trail, enable auditing over the audit trail. While detailed information might not be available regarding the update, enabling auditing over the audit trail will at least identify that the audit trail was modified. Follow-up activities should then be performed to understand why the audit trail was updated.

Again, the objective is to protect the audit trail from high-level access. Ideally, the audit trail should be sent to the operating system, away from the control of the DBA; the audit trail would be sent through the system logging facility on the operating system. This approach would further separate the audit trail from the DBAs. The frequency by which the audit trail is sent to the operating system should be assessed against the feasibility of enforcing individual user IDs and custom roles: if the audit trail is copied out of the database infrequently, a greater need is realised to enforce individual user IDs and custom roles in the database.
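The two audit-trail locations and the "auditing over the audit trail" precaution, as an added example not taken from the practice aid: the initialization parameters that send Oracle's native audit records to the operating system and on through syslog, the alternative that keeps them in SYS.AUD$, and the statement and object audit options a reviewer would expect to see for the sensitive IDs. The audit file path and the syslog facility/priority are assumptions; the parameter and option names are Oracle's own (AUDIT_SYSLOG_LEVEL requires Oracle 10.2 or later).

```sql
-- Added example. Run as SYSDBA on an instance started from an spfile. The path and
-- the syslog facility/priority are assumed values.

-- 3.3.5.1 Outside the database: records go to the OS and, with AUDIT_SYSLOG_LEVEL set,
-- to syslog, which the OS administrator (not the DBA) can forward to a central log host.
ALTER SYSTEM SET audit_trail = 'OS' SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/PROD/adump' SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;   -- facility.priority
-- SYS / SYSDBA activity is never written to AUD$. It is recorded only when this is set,
-- and then only to the OS file or syslog.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- (restart the instance for the SPFILE-scoped parameters to take effect)

-- 3.3.5.2 Within the database, the alternative: keep the trail in SYS.AUD$.
-- 'DB,EXTENDED' also stores the SQL text and bind values of every audited statement.
-- ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- Connections by the sensitive IDs: one record per logon and logoff (BY ACCESS).
AUDIT SESSION BY apps, applsys, system BY ACCESS;

-- Structure and privilege changes by any user. SYSTEM AUDIT records AUDIT/NOAUDIT
-- statements themselves, i.e. someone switching auditing off.
AUDIT TABLE, ALTER TABLE, PROCEDURE, TRIGGER, INDEX, ROLE, USER, SYSTEM GRANT BY ACCESS;
AUDIT SYSTEM AUDIT BY ACCESS;

-- Auditing over the audit trail: with the trail in the database, record deletions from
-- SYS.AUD$ (how a trail gets cleaned). The record shows that it happened, not what was
-- removed, which is the limitation described in the text.
AUDIT DELETE ON sys.aud$ BY ACCESS;

-- What a reviewer checks: the parameters in force and the statement options enabled.
SELECT name, value FROM v$parameter WHERE name LIKE 'audit%' ORDER BY name;
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts ORDER BY audit_option, user_name;
```

With the trail on the operating system, the DBA's operating-system rights decide whether the text's separation is real: the adump directory and the syslog destination must be owned and administered by someone other than the DBA team, otherwise the trail has only moved, not been protected.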
H. System Profile Options
System Profile Options are system parameters that can have a global impact on Oracle EBS. The overall effect of the parameters on the system is dependent on which level the parameters are configured: site, application, responsibility and user.

1. Site-Level
System profile options at the site level have global impact on Oracle EBS. For example, by default the default Ledger name is set at the site level. If Oracle responsibilities are not explicitly assigned to Ledger names, they are assigned to the site-level default Ledger name.
1.1. Control Considerations
1.1.1. Control Dependencies
o None
1.1.2. Control Limitations
o None
1.1.3. Business Process Variables
o None
1.1.4. Testing Notes
o System profile options at the site level can be effectively tested online. GATE reports can also be used.

2. Application-Level
System profile options at the application level only have impact on the application associated with the particular parameter. Application-level system profile options override site-level system profile options. For example, sequential numbering could be set to "Partially Used" at the site level but to "Always Used" at the application level for Payables. Sequential (e.g. gapless document) numbering will then be enforced in Payables, while "Partially Used" remains in effect for the other Oracle modules.
2.1. Control Considerations
2.1.1. Control Dependencies
o None
2.1.2. Control Limitations
o None
2.1.3. Business Process Variables
o None
2.1.4. Testing Notes
o System profile options can be tested online for applications in scope. GATE reports can also be used.

3. Responsibility-Level
System profile options at the responsibility level only have impact on the responsibility associated with the particular parameter. Responsibility-level system profile options override those system profile options at the site and application levels. Those same parameters can also only have limited effect on the system. Oracle responsibilities are generally associated with a specific Ledger name and operating organization by using responsibility-level system profile options. For example, "ABC Responsibility" could be assigned to "Ledger name B and Org B" at the responsibility level even though the site-level ledger name and operating organization are set to "Ledger name A and Org A". The responsibility-level assignment will be the one that is enforced.

An important concept with regards to responsibility assignments is that they do not have to correspond to the Ledger name and operating organization relationships defined in Oracle EBS. For example, Org 1 and Org 2 might be associated with Ledger name 1. However, "ABC Responsibility" could be assigned to Org 2 and Ledger name 4 at the responsibility level. In this situation, this assignment would be enforced even though the Ledger name / Org relationship is not consistent with the overall legal structure. In addition, a responsibility can be assigned to several organizations. Please refer also to the chapter on Multiple Organizations Access Control (MOAC).
3.1. Control Considerations
3.1.1. Control Dependencies
o None
3.1.2. Control Limitations
o None
3.1.3. Business Process Variables
o None
3.1.4. Testing Notes
o System profile options at the responsibility level cannot be effectively tested online unless specific responsibilities are being tested; otherwise, GATE reports should be used, or a custom query run by the client will be required to obtain profile options set at the responsibility level.

4. User-Level
System profile options at the user level only have impact on the user associated with the particular parameter. The user-level system profile options override system profile options set at the site, application and responsibility levels. For example, the system profile option "Hide Diagnostics menu entry" could be set to Yes at the site level, so that no one would see the Diagnostics menu under Help; the same profile option could then be set to No for individual system support personnel.
4.1. Control Considerations
4.1.1. Control Dependencies
o None
4.1.2. Control Limitations
o None
4.1.3. Business Process Variables
o None
4.1.4. Testing Notes
o System profile options at the user level cannot be effectively tested online unless specific users are being tested; otherwise, GATE reports should be used, or a custom query run by the client will be required to obtain profile options set at the user level.
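The custom query referred to in the responsibility- and user-level testing notes, as an added example that is not part of the practice aid or of a GATE report. It lists every stored value of a set of key profile options together with the level (site, application, responsibility, user) at which each value was set, who set it and when, which is what an online check cannot show without opening each responsibility and user in turn. The FND table and column names and the level_id codes are Oracle's standard ones; the list of option names is the part to adjust for the engagement, and GL_SET_OF_BKS_ID is assumed here to be the internal name of "GL Ledger Name".

```sql
-- Added example: all stored values of selected profile options, at every level.
-- level_id codes: 10001 site, 10002 application, 10003 responsibility, 10004 user,
-- 10005 server, 10006 organization, 10007 server+responsibility.
SELECT po.profile_option_name                                   AS internal_name,
       pot.user_profile_option_name                             AS displayed_name,
       DECODE(pov.level_id, 10001, 'SITE',
                            10002, 'APPLICATION',
                            10003, 'RESPONSIBILITY',
                            10004, 'USER',
                            10005, 'SERVER',
                            10006, 'ORGANIZATION',
                            10007, 'SERVER+RESP',
                                   'LEVEL ' || pov.level_id)    AS level_type,
       DECODE(pov.level_id, 10001, 'Site',
                            10002, app.application_short_name,
                            10003, rsp.responsibility_name,
                            10004, usr.user_name,
                                   TO_CHAR(pov.level_value))    AS level_name,
       pov.profile_option_value,
       pov.last_update_date,
       upd.user_name                                            AS last_updated_by
  FROM fnd_profile_options          po
  JOIN fnd_profile_options_tl       pot ON pot.profile_option_name = po.profile_option_name
                                       AND pot.language            = USERENV('LANG')
  JOIN fnd_profile_option_values    pov ON pov.profile_option_id   = po.profile_option_id
                                       AND pov.application_id      = po.application_id
  LEFT JOIN fnd_application         app ON pov.level_id = 10002
                                       AND app.application_id      = pov.level_value
  LEFT JOIN fnd_responsibility_tl   rsp ON pov.level_id = 10003
                                       AND rsp.responsibility_id   = pov.level_value
                                       AND rsp.application_id      = pov.level_value_application_id
                                       AND rsp.language            = USERENV('LANG')
  LEFT JOIN fnd_user                usr ON pov.level_id = 10004
                                       AND usr.user_id             = pov.level_value
  LEFT JOIN fnd_user                upd ON upd.user_id             = pov.last_updated_by
 WHERE po.profile_option_name IN (
         'SIGNON_PASSWORD_LENGTH',  'SIGNON_PASSWORD_FAILURE_LIMIT',
         'SIGNON_PASSWORD_HARD_TO_GUESS', 'SIGNON_PASSWORD_NO_REUSE',
         'SIGNON_PASSWORD_CASE',    'SIGNONAUDIT:LEVEL',
         'FND_DIAGNOSTICS',         'FND_HIDE_DIAGNOSTICS',
         'UNIQUE:SEQ_NUMBERS',      'CONC_REPORT_ACCESS_LEVEL',
         'GL_SET_OF_BKS_ID')        -- assumed: internal name of "GL Ledger Name"
 ORDER BY po.profile_option_name, pov.level_id, level_name;

-- The value one user actually gets in one responsibility, resolved with the same
-- precedence the application applies (user > responsibility > application > site).
-- SYSADMIN / System Administrator are placeholders for the user and responsibility under test.
SELECT fnd_profile.value_specific('SIGNON_PASSWORD_LENGTH',
                                  u.user_id, r.responsibility_id, r.application_id) AS effective_value
  FROM fnd_user u, fnd_responsibility_vl r
 WHERE u.user_name           = 'SYSADMIN'
   AND r.responsibility_name = 'System Administrator';
```

A user-level or responsibility-level row for a control-relevant option (a longer failure limit, FND_DIAGNOSTICS = Yes, a different ledger) is the finding to look for: it silently overrides the site-level value that was tested online.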
5. Key Profile Options
The following section highlights the key system profile options to review for audit and consulting engagements. Each entry gives the internal profile option name with the displayed setting name in parentheses, a description where the option is new or changed in Release 12, the available options, and a "Relevant" marker indicating whether the option is applicable to audit (A) and/or consulting (C) projects (TBD: not yet determined).

5.1. Profile Options

APPS_SSO_LINK_TRUTH_SRC (Applications SSO Linking Source of Truth). Options: E-Business Suite, Oracle Internet Directory. Relevant: C.

APPS_SSO_POSTLOGOUT_HOME_URL (Applications SSO Post Logout URL). Options: user defined. Relevant: C.

APPS_SSO_OID_IDENTITY (Applications SSO Enable OID Identity Add Event). When a user is created in OID, the IDENTITY_ADD event is sent to all registered instances; this option controls whether an E-Business Suite instance should create the user in response to IDENTITY_ADD. Options: Enable, Disable. Relevant: C.

APPS_SSO_AUTO_LINK_USER (Applications SSO Auto Link User). If a user authenticated by SSO has no corresponding user in E-Business Suite, the instance will look for a local user with the same user name; if found, it will be permanently linked. Options: Enable, Disable. Relevant: TBD.

APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS (Applications SSO Allow Multiple Accounts). At site level, enables a user to have multiple E-Business Suite accounts linked to a single SSO user name; at user level, indicates the default for users without this specific setting. Selection of which account is active is done via the Preferences page. Options: Enable, Disable. Relevant: TBD.

FND_EXPORT_ALL_BLOCK_DATA (FND Export All Block Data). Controls what data is exported from a form's block. Options: Yes, No. Relevant: TBD.

FND_FIXED_SEC_KEY (FND: Fixed Key). The fixed security key to be used in Framework if FND: Fixed Key Enabled is set to Yes for the user; the key should be a hexadecimal string of 64 characters. Options: user defined. Relevant: C.

FND_FIXED_KEY_ENABLED (FND: Fixed Key Enabled). Determines whether a fixed key will be used for security purposes in Framework. Options: Yes, No. Relevant: C.

FND_CACHE_PORT_RANGE (FND_CACHE_PORT_RANGE). Opens a range of ports so that machines can talk across the DMZ. Options: user defined. Relevant: C.

OAM_DSCRAM_ALLOWED (OAM: Data Scrambling Allowed). Allows data scrambling. Options: user defined. Relevant: C.

OAM_DSCRAM_ENABLED (OAM: Data Scrambling Enabled). Enables or disables data scrambling. Options: user defined. Relevant: C.

OAM_WS_AUDIT_ENABLED (OAM_WS_AUDIT_ENABLED). Enables or disables web service auditing. Options: user defined. Relevant: C.

OAM_ENABLE_SYSTEM_ALERT (System Alert Enable Level). Options: All; Critical and Error; Critical; None. Relevant: C.

SIGNON_PASSWORD_CASE (Signon Password Case). Enables or disables password case sensitivity. Options: Insensitive, Sensitive. Relevant: A&C.

SIGNON_PASSWORD_CUSTOM (Signon Password Custom). Specifies the full name of the class containing custom password validation logic. Options: user defined. Relevant: A&C.

SIGNON_PASSWORD_FAILURE_LIMIT (Signon Password Failure Limit). A positive integer indicating the maximum number of logon attempts before the user's account is disabled. Options: user defined. Relevant: A&C.

SIGNON_PASSWORD_HARD_TO_GUESS (Signon Password Hard To Guess). Set to Yes if hard-to-guess password validation rules should be enforced for new passwords. Options: Yes, No. Relevant: A&C.

SIGNON_PASSWORD_LENGTH (Signon Password Length). Minimum length of Applications user passwords. Options: user defined. Relevant: A&C.

SIGNON_PASSWORD_NO_REUSE (Signon Password No Reuse). The number of days a user must wait before being allowed to reuse a password. Options: user defined (number of days). Relevant: A&C.

SIGNONAUDIT:LEVEL (Sign-On: Audit Level). Level at which to audit foundation usage. Options: NONE, USER, RESPONSIBILITY, FORM. Relevant: A&C.

SIGNONAUDIT:NOTIFY (Sign-On: Notification). Notify the user of concurrent program failures and invalid printers. Options: Yes, No. Relevant: A&C.

FND_DIAGNOSTICS (FND: Diagnostics). Enables the Diagnostics global button. Options: Yes, No. Relevant: A&C.

FND_HIDE_DIAGNOSTICS (Hide Diagnostics menu entry). Hides the Help: Diagnostics menu entry. Options: Yes, No. Relevant: A&C.

UNIQUE:SEQ_NUMBERS (Sequential Numbering). Options: Always Used, Partially Used, Not Used. Relevant: A&C.

CONC_REPORT_ACCESS_LEVEL (Concurrent: Report Access Level). Controls access to the log/output files of concurrent requests for a group of users, based on the user's current responsibility and the value of this profile option. Options: Responsibility, User. Relevant: A&C.

PRINTER (Printer). Output printer. Options: registered printers (e.g. noprint, LabelPDF). Relevant: C.

FA_WF_GENERATE_CCIDS (FA WF GENERATE). Use workflow account generation notification for new assets. Options: Yes, No. Relevant: A&C.

Workflow activity settings: Request Approval From Approver timeout (days). Journal Approval notifies the preparer that no approver response has been received after this time has expired; the standard setting is 7 days. Relevant: C.

UMX: Enable ICM Validation. Controls whether access that overrides a violation is restricted or not allowed at all. Oracle User Management is now integrated with Oracle Internal Controls Manager (ICM) for the prevention, detection, enforcement and resolution of separation-of-duties constraints during the assignment of roles by administrators to users. Options: Yes, No. Relevant: A&C.

MO: Security Profile (also MO: Security Profile (Global)). Required for MOAC: to enable MOAC, a security profile is created in the HR module and multiple operating units are assigned to it; the security profile is then assigned to a responsibility using this profile option. In Release 12, assign this profile option to an application responsibility; that responsibility will then allow the assigned users access to multiple operating units. Options: a security profile defined in HR. Relevant: A&C.

MO: Default Operating Unit. (Optional) Defines the default operating unit for users when they perform activities in the sub-ledgers. Options: an operating unit. Relevant: A&C.

SLA: Enable Data Access Set Security in Subledger. Must be set to Yes to enable data access set security in the sub-ledger. If it is not set, then regardless of the data access set assigned to the responsibility, and even if the responsibility is restricted to a specific ledger using the "GL Ledger Name" profile option, the user will be able to create and post any journal in any ledger through the sub-ledger. Options: Yes, No. Relevant: A&C.

Note: audit trail profile options are not considered here.

5.2. Other Settings to be Considered

5.2.1. Set workflow notification mailer SEND_ACCESS_KEY to N
When SEND_ACCESS_KEY is set to Y, e-mail notifications contain an access key. The key allows the user to open the Notification Details web page directly without authenticating, so the workflow notification e-mail bypasses the EBS sign-on process. When it is set to N, an unauthenticated user who clicks on the notification link must sign on before accessing the Notification Details web page. Set SEND_ACCESS_KEY to N to prevent inclusion of the key with the Notification Details link.
I. Segregation of Duties Concepts
Segregation of Duties (SoD) within Oracle E-Business Suite (EBS) is challenging. Many layers of configurations, access and other elements in the application come together to both restrict and increase the exposure to security weaknesses. Segregation of duties and restricted access is a multidimensional challenge within Oracle EBS. Most practitioners only consider SoD in relation to forms and functions, if at all; however, these Oracle features are augmented by other configurations as indicated below. These additional configurations should be considered for additional testing separate from, and in conjunction with, a SoD analysis.

Note: From release 11.5.10, a new feature called Personalisation is an additional element that affects SoD. This feature can be used to improve security on forms.

Segregation of Duties is defined as segregating access to multiple sensitive functions that, when combined, present a significant risk of fraud or theft. The fundamental types of activities that should be separated from each other are as follows:
Initiation -- Entering the transaction
Authorising -- Posting the transaction
Standing Data -- Maintaining master data such as the vendor master file
Custody of Assets -- Physical custody of assets
Recon/Review -- Reconciling/reviewing the accounting activity over certain transactions
Sensitive Access -- Application and business setups that support the business

Application setups are those configurations in the application that have a very broad effect on how accounting is performed and reported. Examples of application setups include Sets of Books definitions, legal structures and flexfield definitions. These configurations should be finalized after implementation and changed infrequently. Changes to application setups should follow a very formal change control process, much like an IT change control. These changes should be tested and approved prior to migration into production. The technical support group should be the individuals with access to these types of setups.

Business setups, on the other hand, are those application configurations that might change over the course of the accounting period as a normal course of business. An example of a business setup would be opening/closing GL periods: periods must be opened and closed to support accounting activity. Typically, a business process owner has access to this feature and will make the change outside of a formal change control process. For SoD testing and process-specific SoD principles, refer to each module's Practice Aid.

1.3. Control Considerations
1.3.1. Control Dependencies
o The Custom.pll library is a standard Oracle Forms PL/SQL library that is supplied with the Oracle Applications. This is Oracle's built-in feature that allows the customer to enhance the standard functionality of the Applications by implementing site-specific business rules. Every Oracle Forms-based E-Business Suite screen, and any custom form developed using the Oracle Applications development standards, will access the CUSTOM library. This allows customers to create business rules that affect the entire organization. Customers may use this functionality to hide certain tabs from users (e.g. the Process tab) or to enforce even more granular controls over forms and functions access. PwC should inquire if the client is using Custom.pll to further control user access during SoD testing and validation.
1.3.2. Control Limitations
o Oracle is installed with default responsibilities that help the client enter and post transactions. These responsibilities were built by Oracle without any consideration of Segregation of Duties principles.
1.3.3. Business Process Variables
o None
1.3.4. Testing Notes
o Personalisation is not currently analysed by Oracle GATE.
J. Restricted Access/Segregation of Duties
When conducting an Oracle restricted access / segregation of duties review, there are three main access considerations:
• Application Setups
• Standing Data
• Segregation of Duties

1. Application Setups
Application Setups are defined as configurations that change the behaviour of the application. These setups are generally only configured upon installation, upgrades, or major business events. Therefore, because of the potential impact on key financial controls associated with these setups, access to these setups should be restricted to the IT department or similar technical role. Changes in business process setups could cause system failure and/or data inconsistencies. Please note that the definition of what constitutes application setups will vary from client to client, and practitioners should discuss these concepts with clients prior to commencing any Oracle work.

2. Standing Data
Standing Data are defined as either setup that affects the processing of transactions or is used in the processing of transactions that could have a financial statement impact. These setups are generally configured upon installation, upgrades, or major business events. However, they may also need to be changed periodically to reflect ongoing changes to the business environment. Changes in standing data could cause financial processing difficulties and/or changes to standard transaction accounting procedures. Therefore, access to these setups should be limited to a select few business process or IT owners who do not have transactional access. Changes to standing data setups should be approved prior to implementation due to their potential impact on key financial controls and/or processes. Please note that the definition of what constitutes standing data will vary from client to client, and practitioners should discuss these concepts with clients prior to commencing any Oracle work.

In either circumstance, any changes to these should be implemented via the client's stated change management process & controls.

3. Segregation of Duties
Segregation of Duties is defined as segregating access to two or more sensitive functions that, when combined, could present a risk of material misstatement, management override, fraud or theft.

3.1. Designing SoD
Segregation of Duties and Restricted access design could be complex and is dependent upon each client's environment. Segregation of Duties and Restricted access design could include a balance between separating all conflicting activities and mitigating all segregation of duties violations. This decision making process should include formal elements of SoD analysis. In addition, the rules and related documentation developed should be associated with the client's significant financial risks. When designing SoD principles, the following should be kept in mind:
• Envision the "ideal" environment, regardless of head count.
• Clients should acknowledge the inherent accounting and unique business risks that require certain activities to be performed by different individuals.
• All high-risk financial systems should be considered, not just Oracle.
• When SOD is impossible, mitigating / compensating controls should be identified.

Generally, the following SoD principles should be adhered to:
• Users with transactional access are restricted from standing data and application setup.
• Users should not be able to create and approve their own transactions.
• Custody of assets is separate from accounting transactions.
• Cross module (currency, ledger) and/or hidden access (process tab) should typically not exist.
• IT support should not violate the SoD rules. Support procedures should be developed that will allow for the effective remediation of technical issues while giving the business process owners a stable, controlled, monitored accounting environment.

Smaller areas / business units may not be able to implement proper SoD rules due to resource constraints. These controls could include a balance between segregation of duties, restricted access and/or other business mitigating controls.

3.2. Documentation of Rules
Management should have a formal set of documents identifying the high segregation of duties and restricted access risks and conflicts that could exist for each business cycle. This set of documentation should then include the relevant segregation of duties and restricted access controls that the client implemented to mitigate these risks. Ideally, the client has developed a matrix of business processes (including Oracle functionality) that identifies the SoD and restricted access rules for a business process.

3.3. SOD Monitoring
Once rules are established, risk and likelihood should be considered; the client can then determine the more effective cost of the control to mitigate the segregation of duties risk or to rely on the separation of conflicting activities. Typically SoD management is driven and managed by the technology group. Unless the business process owners sponsor and drive the project, SoD management is often much less effective. Small environments could leverage a manual approach to SoD management. Large environments will almost always require technology to manage SoD effectively.

Manual Monitoring
If the client chooses to sustain SoD on paper, then the following may be used. An example of this matrix is identified below. In this, the X's identify the SoD conflict between the x and y axis of the matrix. The H's identify the agreed-upon sensitive business transactions that should also be tested with regards to restricted access.
Sample SoD matrix (figure not reproduced)

Automated Monitoring
If the client chooses technology to help sustain their SoD environment, then the client should maintain testing over the design and implementation of the solution and document their daily use of the solution. On-going maintenance of the technology solution should follow the client's formal change management process and controls.

3.4. Control Considerations
3.4.1. Control Limitations
o The majority of Oracle seeded responsibilities contain SoD conflicts.
o Clients tend to build their responsibilities based on functionality and may make copies of the default Oracle responsibilities. It's highly likely that these revised responsibilities have SoD conflicts.
o GATE's standard reports contain baseline, generic rules that are industry agnostic and should be tailored/customized for each client's environment. Also, this is a very broad statement.
3.4.2. Business Process Variables
o The challenge to our clients is that they either do not have the necessary time and staffing resources to identify and document the segregation of duties rules applicable to the company or they underestimate the commitment required.
o Not only should specific SoD issues be addressed, but clients should look to identify the root cause of these issues.
o PwC should recognise how the client manages SoD and make adjustments to the testing strategy accordingly.
3.4.3. Control Dependencies
o Activities might be influenced by different functionalities such as RBAC and the sub functionality data entry via sub ledgers, MOAC and the hybrid usage of roles, proxy users and delegated admin responsibilities. In complex environments such as Oracle EBS, when assessing the SOD, the practitioner should consider the mentioned functionalities.
o RBAC (Role Based Access Control, described further in the system administration practice aid) is currently only applicable for self-service applications (iTime, iExpense, iProcurement, etc).
3.4.4. Testing Notes
o For general guidance on Access and Segregation of Duties control considerations in the context of a financial audit or an audit of internal controls over financial reporting, refer to PwC Audit 4164 and 4164.01.
o For a suggested list of detailed SoD principles and their associated risks, refer to PwC GATE. Each client's Segregation of Duties principles must be considered in light of the client's specific business processes and risks.
o Access Authorisation: Testing the authorisation sign-off form is a common test for IT general control reviews. Access authorisation makes an assumption that management understands the risk of granting the additional access and the functions associated with each responsibility. Practitioners should consider going beyond the access approval form and consider the overarching process management uses when deciding to approve access. Evidence that existing user access was compared to requested access should be documented.
o SoD Maintenance: If the client's responsibility design is good, with minor modifications, then the client might have a higher-level SoD matrix based on Oracle responsibilities. This responsibility-level SoD matrix would help management more quickly identify potential SoD issues before granting additional access.
o Processes Tab Access: "AZN" menus are those menus that are associated with the Process Navigator Tab. When testing for segregation of duties, the reports generated from the tool will identify the menus associated with the issue. Without understanding the menu being used and the implications with the "AZN" menu, the segregation of duties analysis will appear to contain many false positives. Practitioners should be aware of the AZN menu and help the client understand where the excessive or conflicting access exists.
o As many concurrent processes have a similar financial impact as the direct entry of transactions (AutoInvoice, Automatic Journal Posting, Revenue Recognition), they should be included in SoD analysis.
o PwC should also expect false positives in the SoD analysis. False positives are results in the SoD analysis that indicate where issues exist when they do not or are simply less pervasive. PwC should confirm the legitimacy of the SoD rules and test results prior to raising issues with the client.
K. iSetup
iSetup is a data management product that helps in automating migration and monitoring of EBS setup data. iSetup is covered in this document, as this module might influence the setup of Oracle EBS and can be used for analyzing the overall setup of Oracle EBS. For detailed analytics refer to the iSetup User Guide.

1. Relevant Modules
1.1. Usage of iSetup
iSetup is a two-part application:
o iSetup Configurator runs on the web and provides an interactive questionnaire to capture business requirements and configuration decisions, which then can be transferred to any output.
o iSetup Migrator is the load functionality that populates the application setup tables with the detailed parameter values.
iSetup helps in the migration of data between different instances of Oracle. Clients could use this for migrating data between:
• Production instance to another production instance
• Test or development environment to the production environment
The following graph depicts the process of using iSetup to support the creation and extraction of the transformation files.

2. Control Considerations
2.1. Control Limitations
o None
2.2. Business Process Variables
o None
2.3. Control Dependencies
o None
2.4. Testing Notes
o The reports, either standalone for a single instance or comparison between multiple instances, can be used to retrieve and compare setup data.
o The history of executed migrations can be used for analytics of the change management process.

L. AME
Oracle Approvals Management (AME) is a self-service Web application that enables the client to define business rules governing the process for approving transactions in Oracle applications. The client can define rules to be specific to one application or shared between different applications. AME is covered in this document, as the usage of AME might impact the analytics of approval processes and controls based on approvals. For detailed analytics refer to the Oracle AME user guide.

1.1. Usage of AME
The purpose of Oracle Approvals Management (AME) is to define approval rules that determine the approval processes for Oracle applications. An approval rule is a business rule that helps determine a transaction's approval process, such as who gets to approve certain transactions, dollar amount limits, and notification routing. Rules are constructed from conditions and actions. For example, an approval rule can be as follows: If the transaction's total cost is less than 1.000 USD, and the transaction is for travel expenses, then get approvals from the immediate supervisor of the person submitting the transaction. Otherwise get approval from the company travel manager.
Oracle Approvals Management enables business users to specify the approval rules for an application without having to write code or customize the application. Once the rules are defined for an application, the application communicates directly with AME to manage the approvals for the application's transactions. As AME recalculates the chain of approvals after each approval, a transaction is assured to be approved under the latest conditions, regardless of organizational changes, rule changes, changes to transaction values, or currency conversions. Oracle AME is also integrated with Oracle user management. The following graphic illustrates the typical approval process used in an organization.
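The travel-expense rule quoted above, as an added toy model that is not from the practice aid or from Oracle: it shows why the approver chain is rebuilt from the transaction's current state after every event, so that an amendment made after an approval can leave that approval insufficient. The supervisor hierarchy, the travel manager and the claim are constructed.

```python
# Added example (not from the practice aid or from Oracle): a toy model of the AME rule
# quoted above, showing why recalculating the approver chain after each event matters.
# Supervisor hierarchy, travel manager and transactions are all constructed.
SUPERVISOR = {"alice": "bob", "bob": "carol", "carol": None}
TRAVEL_MANAGER = "tina"

def approval_chain(txn):
    """The worked rule: travel under 1,000 USD -> immediate supervisor of the submitter,
    otherwise -> company travel manager. Conditions are evaluated on the current state."""
    if txn["category"] == "travel" and txn["total_usd"] < 1000:
        return [SUPERVISOR[txn["submitter"]]]
    return [TRAVEL_MANAGER]

def next_approver(txn, approvals):
    """Rebuild the chain from current conditions and return the first approver still
    outstanding, or None when every required approval is in place."""
    for approver in approval_chain(txn):
        if approver not in approvals:
            return approver
    return None

def run_approvals(txn, events):
    """Drive a transaction through a list of events: ("approve", who) or
    ("amend", field, value). An approval only counts if it comes from the approver the
    current chain asks for; an amendment can make an earlier approval insufficient."""
    approvals = []
    for event in events:
        if event[0] == "amend":
            txn[event[1]] = event[2]
        elif event[0] == "approve" and event[1] == next_approver(txn, approvals):
            approvals.append(event[1])
    return approvals

def is_approved(txn, approvals):
    return next_approver(txn, approvals) is None

if __name__ == "__main__":
    claim = {"submitter": "alice", "category": "travel", "total_usd": 800}
    # bob approves an 800 USD claim, then the amount is raised above the threshold:
    # the chain now requires the travel manager, so the claim is no longer approved.
    done = run_approvals(claim, [("approve", "bob"), ("amend", "total_usd", 1500)])
    print(done, is_approved(claim, done), next_approver(claim, done))  # ['bob'] False tina
```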
2. Control Considerations
2.1. Control Limitations
o None
2.2. Business Process Variables
o Many clients might rely on manual approvals or sign-off sheets as their key controls over account procedures. From an efficiency and effectiveness perspective, PwC practitioners should be on the lookout for areas of process improvement where a manual approval process can be automated in Oracle.
2.3. Control Dependencies
o None
2.4. Testing Notes
o The use of AME gives auditors the ability to test the approval process systematically and gain comfort over established key controls. AME has built-in testing features that enable you to confirm the behavior of new or edited business rules before live execution.

1. Forms that accept SQL entry
To improve flexibility, some forms allow users to enter SQL statements. These forms are typically used during the initial setup of the system. The table below lists the Forms that allow the user to edit code, add code or otherwise affect executable code.

Function – Internal Name | Function – Display Name | Form – Internal Name | Form – Display Name
ALR_ALRALERT | Define Alert | ALRALERT | Alerts
FND_FNDCPMCP_SYS | Concurrent Programs (System Administrator Mode) | FNDCPMCP | Define Concurrent Program
FND_FNDCPMPE | Concurrent Program Executables | FNDCPMPE | Define Concurrent Program Executable
FND_FNDFFMDC | Descriptive Flexfield Segments | FNDFFMDC | Define Descriptive Flexfield Segments
FND_FNDFFMVS | Flexfield Value Sets | FNDFFMVS | Define Value Set
FND_FNDPOMPO | Profile Options | FNDPOMPO | Define User Profile Option
FND_FNDSCAPP | Applications | FNDSCAPP | Register Applications
FND_FNDSCDDG | Data Groups | FNDSCDDG | Define Data Group
Function – Internal Name | Function – Display Name | Form – Internal Name | Form – Display Name
FND_FNDSCMOU | ORACLE Usernames | FNDSCMOU | Register ORACLE IDs
PSB_PSBSTPTY | Attribute Mapping Details | PSBSTPTY | Attribute Mapping Details
MSDCSDFN | Define Data Stream | MSDCSDFN | Define Data Stream
MSDCSDFA | Custom Stream Advanced Setup | MSDCSDFA | Custom Stream Advanced Setup
MSD_MSDAUDIT | Audit Statements | MSDAUDIT | Audit Statements
JTFRSDGR | Define Dynamic Resource Groups | JTFRSDGR | Define Dynamic Resource Groups
JTFBRWKB | Business Rule Workbench | JTFBRWKB | Business Rule Workbench
ONT_OEXPCFVT | Validation Templates | OEXPCFVT | Define Validation Templates
ONT_OEXDEFWK, QP_OEXDEFWK | Defaulting Rules | OEXDEFWK | Defaulting Rules
JTFTKOBT | Foundation Objects | JTFTKOBT | Objects Meta-data
JTF_GRID_ADMIN | Spreadtable Metadata Administration | JTFGRDMD | Spreadtable Metadata Administration
JTFGDIAG | SpreadTable Diagnostic Form | JTFGDIAG | SpreadTable Diagnostics
JTFGANTT | JTFGANTT | JTFGANTT | JTFGANTT
WMS_WMSRULEF | Define WMS Rules | WMSRULEF | Define WMS Rules
QP_QPXPRFOR | Define Pricing Formulas | QPXPRFOR | Create Pricing Formulas
QP_QPXPTMAP | Attribute Mapping | QPXPTMAP | New Attribute Mapping
GMAWFPCL_F | Workflow Process Configuration Framework | GMAWFPCL | Workflow Process Configuration Framework
GMAWFCOL_F | Workflow Activity Approval Configuration Framework | GMAWFCOL | Workflow Activity Approval Configuration Framework
AME_WEB_APPROVALS | TBD | TBD | Approvals Management
U. Firm use only . All rights reserved.Function – Internal Name Function – Display Name PL/SQL tester Write Formula Define Function Create Quickpaint Inquiry Define Assignment Set Dynamic Trigger Maintenance Define Security Profile Form – Internal Name PERWSAPI FFXWSMNG FFXWSDFF FFXWSBQR PAYWSDAS PAYWSDYG Form – Display Name PERWSAPI FFXWSMNG FFXWSDFF FFXWSBQR PAYWSDAS PAYWSDYG PL/SQL tester Write Formula Define Function Create QuickPaint Inquiry Define Assignment Set Dynamic Trigger Maintenance PERWSSCP PERWSSCP Define Security Profile PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. S. Page 88 of 89 Internal use only -.
M. Glossary
1. Key Oracle Functionality
A number of terms that are used within the Oracle System Administration module are listed below with an associated definition.

Term | Description
Alert | A mechanism that checks your database for a specific exception condition. An alert is characterised by the SQL SELECT statement it contains. A SQL SELECT statement tells the application what database exception to identify as well as what output to produce for that exception.
Action | An action the alert is to perform. An action can include sending an electronic mail message to a mail ID, running an Oracle Applications program, running a program or script from your operating system, or running a SQL script to modify information in your database. An alert action can depend on the output from the alert.
Audit Trail | Audit Trail tracks which rows in a database table(s) were updated at what time and which user was logged in using the form(s). Several updates can be tracked, establishing a trail of audit data that documents the database table changes.
Concurrent Manager | A mechanism that runs concurrent programs. A manager operates during the time and days defined by a work shift. A manager can run any concurrent program, or be specialised to run only certain kinds of programs.
Concurrent Program | A program that runs concurrently (at the same time) as other programs. Concurrent programs run as background processes, while you continue to work at your terminal.
Concurrent Request | A command to start a concurrent program. An example of a concurrent request is a command to generate and print a report.
Data Group | A data group is a group list of Oracle Applications and the Oracle ID each application is assigned to. An Oracle ID grants access privileges to tables in an Oracle database.
Menu | A hierarchical arrangement of application functions (forms) that is displayed within the main navigate window.
Request Security Groups | Defines the concurrent programs and reports, including requests and request sets that might be run by an application user under a particular responsibility.