Practice Aid Oracle System Administration Release 12

PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. All rights reserved.

Page 1 of 89

Internal use only -- U. S. Firm use only

Oracle System Administration Practice Aid Table of Contents

A. INTRODUCTION ... 3
   1. Engagement Tools ... 3
B. ORACLE ENGAGEMENT CONSIDERATIONS ... 6
C. ORACLE APPLICATION HIGHLIGHTS ... 7
   1. Application Structure ... 7
   2. Oracle Application Release History ... 9
   3. Overview of System Administration ... 10
D. FLEXFIELDS ... 14
   1. Flexfield Types ... 14
   2. Key Flexfield Components ... 16
   3. Descriptive Flexfield Components ... 21
E. AUDITING ... 23
   1. Oracle Auditing Methods ... 23
   2. Non-Audit based Change Control ... 25
      Configuration/Functionality Changes with iSetup ... 25
F. END USER ACCESS ... 26
   1. Responsibility and Security Group Management ... 26
   2. User Management ... 37
   3. Password Management ... 47
   4. Identity Management ... 49
   5. Multi organization access control ... 52
G. APPLICATION SUPPORT RESPONSIBILITIES AND USERS ... 56
   1. Support Responsibilities ... 56
   2. Application Support User IDs ... 64
   3. APPS Database ID ... 64
H. SYSTEM PROFILE OPTIONS ... 70
   1. Site-Level ... 70
   2. Application-Level ... 70
   3. Responsibility-Level ... 70
   4. User-Level ... 71
   5. Key Profile Options ... 72
I. SEGREGATION OF DUTIES CONCEPTS ... 78
J. RESTRICTED ACCESS/SEGREGATION OF DUTIES ... 80
   1. Application Setups ... 80
   2. Standing Data ... 80
   3. Segregation of Duties ... 80
K. RELEVANT MODULES ... 84
   1. iSetup ... 84
   2. AME ... 85
L. FORMS THAT ACCEPT SQL ENTRY ... 86
M. GLOSSARY ... 89
   1. Key Oracle Functionality ... 89

A. Introduction
This Practice Aid and the associated tools (Work Program(s) and GATE) are for INTERNAL USE ONLY. As management is responsible for designing and implementing a system of internal control, this Practice Aid and its associated tools should not be distributed to our clients. These tools are intended to be used by PwC Oracle specialists performing an audit, attestation or consulting engagement involving the review of the client's Oracle application. Individuals intending to use this Practice Aid and / or related tools must have sufficient technical skills to conduct such work. It is highly recommended that at least one member of the team has specific training or experience in the ERP wherever practicable.

1. Engagement Tools
The tools noted below provide a general overview of the Oracle application, along with its related control risks and common application controls. The following important caveats and reminders should be considered prior to the use of these tools:
• Refer to the PwC Audit Guide for policy on understanding, evaluating and validating internal controls. This Practice Aid and related tools are not a substitute for PwC Audit.
• This Practice Aid and its related tools should only be used in conjunction with proper risk-based engagement planning and scoping. The relevance and importance to the engagement of transaction processing, risks and controls associated with the noted modules of Oracle should be clearly understood before work is begun, and the tools should be tailored to each client environment.
• This Practice Aid and its associated Work Program(s):
  o May not present all control risks associated with your client's use of Oracle;
  o Are not intended to address all possible relevant application controls in the process(es) supported by the modules noted herein within Oracle;
  o Do not address Information Technology General Controls (ITGCs);
  o Are focused primarily on automated, not manual, controls;
  o Do not present all possible key controls and do not represent the minimum nor maximum level of key controls that must exist; and
  o May have particular functionality or controls referenced as "key". This term indicates that this control / functionality might be important to the client's control environment. However, the identification of a key control for a client's environment will vary based on the client's unique risk circumstances, control environment and / or the client's use of the application.
• This Practice Aid and its associated tools are based on a standard installation of the ERP package. Clients often customize their applications. Since each ERP implementation is unique, our work should be based on an understanding of the client's actual systems and processes, as implemented, not on a generic/sample process or system configuration.
• Because inherent functionality and controls can be affected by system customizations, practitioners should discuss any customizations and the approach to testing inherent functionality with engagement management.
• Each practice aid is specifically written for Oracle Release 12. Use with any other versions should be done with careful consideration, as there are differences between each Oracle release.

1.1. Practice Aid
PwC's Oracle Practice Aids are documents designed to give a user a broad understanding of Oracle's associated applications, their functionality, and control considerations. These documents are not intended to provide comprehensive general guidance on this process in non-Oracle environments.

For guidance on other modules within Oracle for which there is no PwC Practice Aid, please refer to the appropriate Oracle User Guides for further details. These can be found at http://www.oracle.com/technology/documentation/index.html. Each practice aid is specifically written for Oracle's Release 12 and is divided into 5 main sections, as outlined below:

1.1.1. Introduction/Engagement Approach
The Introduction section of each practice aid outlines potential tools and engagement approaches that may be used when conducting an assessment of an Oracle ERP system. In addition, this contains important Risk and Quality-related caveats and reminders that should be followed for every Oracle engagement.

1.1.2. Business Setups
In this section, key set-ups and configurations that are generally only configured upon installation, upgrades, or major business events are discussed. Definitions of the key configurations are provided to give the practitioner a basic understanding of the setups.

1.1.3. Standing Data
Within the Standing Data section, key configurations that are subject to periodic changes are discussed. Along with functionality definitions, this section outlines how standing data is generally entered into the application. In addition, the linkages between the standing data and business setups are outlined.

1.1.4. Transactions
This section outlines the key transactions within the business process. This includes the definition of the transactions, how transactions are generally entered into the system, as well as the data flow between transactions, standing data, and business setups.

1.1.5. Access and Segregation of Duties
This section outlines the typical access and segregation of duties risks within the Practice Aid's business process.

Within the Standing Data and Transactions sections of the Practice Aid, "Control Considerations" are also outlined. Each Control Consideration section is broken into 4 parts, as outlined below:
o Business Process Variables: These discuss the most common configurations/transactions that may be set up or used differently depending upon the client's use of Oracle's functionality.
o Control Dependencies: This section outlines how configurations or transactions are dependent upon each other or other settings within the application.
o Control Limitations: This section outlines how system configurations or transactions may be overridden. In addition, this section highlights common misconceptions about how the configuration or transaction operates.
o Testing Notes: This section provides suggestions on how a practitioner might test or assess configurations and/or transactions.

The controls considerations section of the Practice Aid focuses solely on high-level concepts. For a listing of controls, refer to the module's work program. This Practice Aid does not list all Oracle standard reports that exist for this cycle. For a complete list of this module's standard Oracle Reports, refer to the Oracle user guide at http://www.oracle.com/technology/index.html. However, for the SA functionality the user guide does not cover all existing reports.


1.2. Work Program
The Work Program outlines the typical automated controls within the Oracle application. For each control, this document provides a typical control description, control objective, business risk, information processing objectives, financial statement assertions, Oracle Application navigation path, validation procedures, and expected results. Each process's work program is specifically designed for a particular release of the Oracle Application. The work program is currently available through the Knowledge Gateway in the US (accessible through Knowledge Curve) or Guardian (http://guardian.pwcinternal.com) in other territories.

For the purposes of an audit of financial statements, an audit of internal controls over financial reporting or an integrated audit, teams should consider those controls which have been classified as Financial in nature.

1.3. GATE
Oracle GATE is a proprietary web-based tool developed to assist in the analysis of Oracle configuration and security. The tool may be used in an audit of financial statements, an audit of internal controls over financial reporting or a consulting non-attest review of the Oracle application. To use Oracle GATE, a series of SQL queries are run against the client's environments to pull data from Oracle database tables. The output from these queries is uploaded to the GATE server and queries can be run against the server to obtain information about how the client's Oracle Application is configured. For Oracle releases 11.5.7 and later, Oracle GATE can assist with segregation of duties analysis and module configuration. The Oracle GATE tool can be accessed at oraclegatev2.pwcinternal.com. Individuals intending to use GATE must have sufficient technical skills to conduct such work.

Note: Prior to running any command or script on a client system, discuss with the client and obtain verbal consent. Written consent is also recommended to the extent that this may be obtained.

B. Oracle Engagement Considerations
Practitioners may want to consider the following items during an audit of financial statements, an audit of internal controls over financial reporting, or a consulting non-attest review of the Oracle application.
1) Determine which version of the software your client is using, to ensure the appropriate Practice Aid is utilized. Check the version against the compatibility table in the "Application Highlights" section of this Practice Aid.
2) Inquire of the client's business owners and system administrator if any customizations to the standard software have been made. Request a list of these customizations to assess the effect.
3) Confirm the number of instances (separate Oracle database environments) that the client maintains.
4) Confirm the number of Ledgers, Operating Units and Modules in scope within each Oracle instance.
5) Interview the systems administrator or other suitable IT personnel to gain knowledge and understanding of the system design (linkage with external applications, databases and network), and reports (customized or normal) that the client relies upon.
6) Ascertain the approximate size of the user population and number of responsibilities.
7) Approach the security manager and request that a user is created for the practitioner. This role/group should enable the practitioner to have read-only access to all menus and programs in the in-scope Oracle application.
8) Discuss the relevant business processes with the client, ensuring an understanding of the application version, functionality, and manual processes that may impact an automated environment.
9) A fresh copy of the Practice Aid and its related Work Program(s) should be downloaded for each new engagement to ensure the most up-to-date version is used for tailoring.
10) Based upon the knowledge gained regarding the client's environment, tailor the Work Program to match the client's business processes and specific risk profile.
11) When documenting any test results and resulting risks, consider both the mitigating/compensating controls.
12) If needed, contact the key contacts shown in the Contacts section of this for additional guidance regarding complex technical situations that may arise during the engagement.

C. Oracle Application Highlights

1. Application Structure
The Oracle E-Business Suite (EBS) Enterprise Resource Planning (ERP) system is an integrated software solution that runs off an Oracle database instance. An ERP consists of applications or "modules". Most modules hold transactional data for each business process area (financials, human resources, manufacturing, supply chain management, customer relationship management, etc.). Some modules are used for system-wide support. Each module is linked to each other via the database; therefore, information is seamlessly integrated.

The Oracle EBS system is a three-tier system that consists of the End Users Desktop, Application Servers and Database Servers.

[Diagram: Tier 1 – End-User Tier; Tier 2 – Application Tier: Web Servers (optional), Application Servers (Forms servers, concurrent processing servers, administration servers); Tier 3 – Database Tier: Oracle Database Server]

1.1. End User Tier
The end user tier is the path by which users gain access to the application tier. Users access the application via their own computers and a URL address. From the URL address, users enter a user name and password (previously defined at the application tier), which grants them access to the application tier. Once onto the application tier, user access is governed by responsibilities assigned to the user. Users access functions either via a forms-based model, or in the case of Self-Service modules, a web-based model via the End User Tier mentioned in further detail below.

1.2. Application Tier
The application layer, or middleware, contains the key application programs as well as programs to support web use, screens and administrative tasks within the system. There are several key servers that may exist within this layer, some of which are detailed below:

1.2.1. Web Server (Oracle Portal)
The Portal manages access to Oracle 'Forms' (note that this is the definition Oracle uses to describe screens or windows displayed on the monitor).

1.2.2. Forms Server
The forms server stores the format of the Oracle forms. The forms server interfaces directly to the Database tier. This is also where the application and some administrative functions reside (i.e. entering and posting of journal entries).

1.2.3. Concurrent Processing
The Concurrent Processing's primary purpose is to load balance the system and enhance performance. It is also used to provide batch processing capability, which interfaces directly to the Database tier. Concurrent processing is managed through a scheduling system that controls when updates occur. Along with the scheduling system, concurrent processing can prioritize activities based on transaction importance. Reports and other requests are executed by this server.

1.2.4. Administration Server
This server interfaces directly to the Database tier and provides operational support such as backup, recovery, startup and shutdown. In addition, it provides statistical information on system use and performance.

1.3. Database Tier
The database environment allows for storage and retrieval of user and administrative data and of other application programs and components. Oracle Enterprise Database Management System (DBMS) is the only DBMS that will work with Oracle applications. Releases of Oracle DBMS are intended to operate with specific versions of Oracle applications. The version numbers of the database do not correspond with the Oracle applications version numbers. Within Oracle EBS, all data (master, standing, security and transactional) are stored in the Oracle DBMS. Since the Oracle DBMS contains all Oracle-related financially-significant data, the Oracle DBMS is considered the highest risk of the three tiers.

1.4. File System
Oracle has made a primary change to the file structure supporting the applications in Release 12. Oracle has now provided an instance-specific directory (or directories) to support each unique environment (dev, test, prod, etc.). The new instance home model supports two key concepts:
• The base configuration directories APPL_TOP and ORACLE_HOME can be read-only to support change control.
• Common application files are not touched for instance-specific modifications.
With instance-specific data files separated into dedicated directories, upgrades and migrations should be more easily controlled. Another advantage of employing the concept of an Instance Home is that log files can be stored centrally for an instance, and therefore managed more easily. This is particularly significant from a security perspective, as log files may contain sensitive data that should not be accessible to general users.

The following picture depicts the structure of the Oracle EBS file system:

[Figure: structure of the Oracle EBS file system]

2. Oracle Application Release History

| Version | Release date | Market Prevalence | Functionality Changes | Practice Aid and Work Program Applicability | OASIS/GATE Compatibility |
| --- | --- | --- | --- | --- | --- |
| 10.6 | 1998 | Rare; limited support by Oracle corporation | Limited system audit capabilities; full character based | No | OASIS |
| 11.0.3 | 1999 | Limited | Corrected Y2K deficiencies; included client / server environment; introduced GUI interface | No | OASIS |
| 11i environment (11.5.7 & 5.8) | 2000 | Limited use; 11.5.7 & 5.8 use limited (buggy) | Enhanced performance; web based | Yes | GATE |
| 11.5.9 | 2002 | 11.5.9 in broad use | Expansion in web based and workflow functionality | Yes | GATE |
| 11.5.10 | 2005 | Broad use; supported by Oracle | Significant changes in System Administration module, including limited introduction of Role Based Access Control | Yes | GATE |
| 12 | 2007 | Latest release; full support by Oracle | Significant changes in System Administration module and infrastructure | Yes | GATE |

3. Overview of System Administration
The Application Object Library (AOL) module is the gateway to all functionality in Oracle applications. The following key functions are performed within the AOL module:
• Flexfields
• Auditing and Change Control
• User Management
• System Profile Options
• System Reports
NOTE: Internally at PwC, we refer to the AOL and System Administration module together as System Administration (SA).

3.1. Flexfields
As the name suggests, flexfields are flexible fields made up of sub-fields, or segments. Oracle uses two types of flexfields: key flexfields and descriptive flexfields. Key flexfields are stored codes (or values) used system-wide for general ledger accounts, part numbers, and other business entities. On the other hand, descriptive flexfields provide customizable "expansion space" on Oracle forms to track information unique to the company's business. For a more detailed discussion of flexfields, refer to the Flexfields section below.

3.2. Auditing and Change Control
Auditing can be enabled to monitor changes made either through the application or directly to the database rows. In addition, the application can be enabled to monitor successful and unsuccessful user logons, and the responsibilities, terminals, or forms accessed by a user are noted. Please see the Auditing section of this Practice Aid for further discussion.
Change control monitors who requested the change, the expected results from the change, the testing procedures and their outcomes, and the final approval by management to implement the change in production. A record of change control includes who, what, when, where and why. The iSetup functionality available from 11i can support the change management process. It enables administrators to extract, transform and migrate setup data in a controlled way and compare setup data with available standard reports.

3.3. User Management
In addition to the AOL module, the System Administration module is used to store the Oracle responsibility (user profile) definitions. The application comes with a number of default responsibilities, but a company can customize responsibilities to suit their business needs and restrict access to various tasks as appropriate. There are various objects/settings assigned to a responsibility within the application that allow a User ID the ability to perform activities within Oracle (i.e. data groups, menus, functions and request security groups). Responsibilities can be defined to allow access to the following areas:
• Specific applications/modules.
• Reports in a specific application.
• Restricted list of windows.
• Restricted list of functions.
• Ledger name/Legal entity.
A diagram outlining the relationship between users, responsibilities, functions and modules is below:

[Diagram: Oracle End Users (User 1, User 2) -> Oracle Role (available in 11.5.10) -> Oracle Responsibility (GL Controller, AR Inquiry, AP Payment Supervisor) -> Oracle Forms / Functions (GL Forms / Functions, AR Forms / Functions, AP Forms / Functions) -> Oracle Modules (Oracle General Ledger, Oracle Accounts Receivables, Oracle Accounts Payables)]

There is no default user access that is granted just by being given an account in Oracle EBS. The security administrator (through the System Administrator responsibility) must assign a User ID with responsibilities for the user to be granted abilities to perform tasks/functions within Oracle.

Due to the newly introduced multi-organizational access control (MOAC) functionality, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. Using MOAC, multiple operating units are assigned to a security profile. This security profile is then assigned either to responsibilities or directly to users. A typical usage would be a responsibility in a shared service centre, which serves different operating units. For further details on MOAC please refer to the section on Multiple Organization Access Control.

3.4. System Profile Options
System Profile Options can be grouped into three types: Security, Organization, and Server types. Practitioners are mainly concerned with Security type profile options that affect the operation of Oracle Applications. Security type profile options can be configured according to the needs of the user community, as they can be set at the Site, Application, Responsibility, or User level. Security profile options are generally maintained by the Application System Administrators and may be set at more than one level: Site has the lowest priority, superseded by Application, then Responsibility, and finally User. Higher profile option settings will override lower level options. The security system profile options hierarchy is documented below in the diagram. Please see the System Profile Options section of this Practice Aid for more details.
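The precedence rule above (Site, then Application, then Responsibility, then User, with the higher level winning) is what a reviewer applies when deciding which value of a security profile option a given session actually gets, and where a site-wide setting has been relaxed for a narrower population. The following is an added worked example, not code from the Practice Aid or from Oracle: it resolves an option value for a session context and lists every override of the Site value. The application, responsibility and user names and all option settings are constructed; "Sign-On:Audit Level" is a real EBS profile option name, but the values assigned to it here are invented for the example.

```python
"""Resolving the effective value of a security profile option.

Added illustration; this is not code from the Practice Aid or from Oracle.
It models the precedence the section describes: Site has the lowest priority,
superseded by Application, then Responsibility, and finally User. All option
values below are constructed sample data. "Sign-On:Audit Level" is a real EBS
profile option name, but the settings assigned to it here are invented.
"""
from dataclasses import dataclass, field

# Lowest to highest precedence; a value found at a later level overrides.
LEVELS = ("Site", "Application", "Responsibility", "User")


@dataclass
class ProfileOption:
    name: str
    # level -> {context -> value}. The Site level holds one value, keyed "*".
    values: dict = field(default_factory=dict)

    def set_value(self, level, value, context="*"):
        if level not in LEVELS:
            raise ValueError(f"unknown profile level: {level}")
        self.values.setdefault(level, {})[context] = value

    def resolve(self, application=None, responsibility=None, user=None):
        """Return (effective_value, level_it_came_from) for one session."""
        context = {"Site": "*", "Application": application,
                   "Responsibility": responsibility, "User": user}
        effective, source = None, None
        for level in LEVELS:
            value = self.values.get(level, {}).get(context[level])
            if value is not None:
                effective, source = value, level
        return effective, source

    def overrides(self):
        """Every non-Site setting that differs from the Site value.

        Each entry is a place where the site-wide setting has been changed
        for a narrower population, which is what a reviewer of security
        profile options wants listed.
        """
        site = self.values.get("Site", {}).get("*")
        found = []
        for level in LEVELS[1:]:
            for context, value in sorted(self.values.get(level, {}).items()):
                if value != site:
                    found.append((level, context, value))
        return found


def build_sample_option():
    """Constructed sample: audit level set site-wide, relaxed lower down."""
    opt = ProfileOption("Sign-On:Audit Level")
    opt.set_value("Site", "FORM")
    opt.set_value("Responsibility", "USER", context="AP Payment Supervisor")
    opt.set_value("User", "NONE", context="JSMITH")
    return opt


if __name__ == "__main__":
    opt = build_sample_option()
    # JSMITH under AP Payment Supervisor gets the User-level value.
    print(opt.resolve(application="Oracle Payables",
                      responsibility="AP Payment Supervisor", user="JSMITH"))
    # Any other user under that responsibility gets the Responsibility value.
    print(opt.resolve(application="Oracle Payables",
                      responsibility="AP Payment Supervisor", user="MJONES"))
    for level, context, value in opt.overrides():
        print(f"{level:<15} {context:<25} {value}")
```

The walk from Site upward deliberately keeps the last match rather than stopping at the first, which is the same outcome as checking User first and falling back downward but makes the override chain explicit when printed.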

3.5. System Reports
The following table lists key default reports that can be used for the assessment of Oracle System Administration when the Oracle GATE Application is not being utilized:

| Report | Description |
| --- | --- |
| Active Responsibilities and Users (Application Object Library) | The report of responsibilities linked to the users assigned to the responsibility |
| Active Users | All the usernames that are both currently active and have at least one active responsibility |
| CP SQL*Plus Expire FND_USER Passwords | Concurrent Request to Force All Applications Users To Change their Password |
| Workflow Directory Services User/Role Validation (Application Object Library) | Validates the user/role information in Workflow Directory Services |

[Sample report: Active Responsibilities and Users Report]
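The "Active Users" report definition above (active username plus at least one active responsibility) is easy to re-perform from an extract, and doing so also surfaces the two populations the printed report omits: active accounts holding no live responsibility, and end-dated accounts whose assignments were never end-dated. The following is an added example, not the Practice Aid's or Oracle's code, working over constructed records. The record layout (users, responsibilities and assignments, each with start and end dates), the usernames and every date are invented for the example; a real extract would come from the FND user and responsibility tables.

```python
"""Re-performing the "Active Users" report logic over an extract.

Added illustration; this is not the Practice Aid's or Oracle's code. The report
described above lists usernames that are currently active and hold at least one
active responsibility. This re-implements that rule, and the companion
"Active Responsibilities and Users" view, so a reviewer can re-perform them
against an extract instead of relying on the printed report. The three record
types (users, responsibilities, assignments, each with start and end dates) and
every row in sample_extract() are constructed for the example.
"""
from datetime import date


def is_active(start, end, as_of):
    """Date effectivity: active once started and not yet end-dated.

    An end date equal to as_of counts as already ended, so an account
    end-dated today is excluded from today's report.
    """
    return start <= as_of and (end is None or as_of < end)


def classify(users, responsibilities, assignments, as_of):
    """Return the report populations for the as_of date.

    An assignment counts only when the assignment itself, the responsibility,
    and the user are all active. Assignments still live on an end-dated user
    are reported separately: they are the housekeeping gap a reviewer of
    user management would follow up.
    """
    resp_active = {r["name"]: is_active(r["start"], r["end"], as_of)
                   for r in responsibilities}
    user_active = {u["name"]: is_active(u["start"], u["end"], as_of)
                   for u in users}
    with_resp, lingering, holders = set(), set(), {}
    for a in assignments:
        if not is_active(a["start"], a["end"], as_of):
            continue
        if not resp_active.get(a["resp"], False):
            continue  # responsibility itself retired: grant confers nothing
        if user_active.get(a["user"], False):
            with_resp.add(a["user"])
            holders.setdefault(a["resp"], []).append(a["user"])
        else:
            lingering.add(a["user"])
    active = {name for name, ok in user_active.items() if ok}
    return {
        "active_users": sorted(with_resp),
        "active_without_responsibility": sorted(active - with_resp),
        "ended_user_with_live_assignment": sorted(lingering),
        "users_by_responsibility": {k: sorted(v) for k, v in sorted(holders.items())},
    }


def sample_extract():
    """Constructed sample data; dates chosen around an as_of of 2007-09-01."""
    users = [
        {"name": "JSMITH", "start": date(2007, 1, 1), "end": None},
        {"name": "MJONES", "start": date(2007, 1, 1), "end": date(2007, 6, 30)},
        {"name": "AWONG", "start": date(2007, 1, 1), "end": None},
        {"name": "BLEE", "start": date(2008, 1, 1), "end": None},
    ]
    responsibilities = [
        {"name": "GL Controller", "start": date(2007, 1, 1), "end": None},
        {"name": "AP Payment Supervisor", "start": date(2007, 1, 1), "end": None},
        {"name": "AR Inquiry", "start": date(2007, 1, 1), "end": date(2007, 3, 1)},
    ]
    assignments = [
        {"user": "JSMITH", "resp": "GL Controller", "start": date(2007, 1, 1), "end": None},
        {"user": "MJONES", "resp": "AP Payment Supervisor", "start": date(2007, 1, 1), "end": None},
        {"user": "AWONG", "resp": "AR Inquiry", "start": date(2007, 1, 1), "end": None},
        {"user": "AWONG", "resp": "AP Payment Supervisor", "start": date(2007, 1, 1), "end": date(2007, 5, 1)},
        {"user": "BLEE", "resp": "GL Controller", "start": date(2008, 1, 1), "end": None},
    ]
    return users, responsibilities, assignments


def run_sample(as_of=date(2007, 9, 1)):
    return classify(*sample_extract(), as_of)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample, only JSMITH is an "active user" in the report's sense; AWONG is active but holds nothing live (one responsibility retired, the other assignment end-dated), and MJONES is an end-dated account still carrying an open AP Payment Supervisor assignment.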

D. Flexfields
Flexfields are Oracle's main method of storing data. Flexfields are generally created and maintained by a System Administrator via the Applications Object Library (Sys Admin) module. Each flexfield is made up of segments (i.e. subfields) for which data entry and validation procedures may be easily completed without programming. Flexfields provide clients with flexible features needed to satisfy the following business needs:
• Configure applications to conform to current business practice for accounting codes, item numbers, job descriptions, and other codes.
• Have "intelligent fields" that are fields comprised of one or more segments, where each segment has both a value and a meaning.
• Rely upon the application to validate the values and the combination of values that are entered in intelligent fields.
• Have the structure of an intelligent field change depending on data in the form or application data.
• Configure applications to capture data that would not otherwise be tracked by the application.
• Query intelligent fields for very specific information.
• Configure data fields to meet your business needs without programming.
The following sections describe the types of flexfields available and how these flexfields are structured.

1. Flexfield Types
There are two types of flexfields in Oracle: Key flexfields (such as a job flexfield) and Descriptive flexfields (additional order hold approval information).

1.1. Key Flexfields
Key flexfields provide a flexible way for the Oracle Applications to represent objects such as accounting codes, item/product codes, HR codes such as job and position codes, and more. Key flexfield definitions are seeded within Oracle forms, and some key flexfields are required, while others are optional. Here is a table listing all the key flexfields in Oracle Applications, ordered by the application that "owns" the key flexfield. Note that other modules, who do not "own" the flexfield, may have access to define and/or use the flexfield.

| Owner | Name |
| --- | --- |
| Oracle Assets | Asset Key Flexfield; Category Flexfield; Location Flexfield |
| Oracle General Ledger | Accounting Flexfield (changes within the Flexfield) |
| Oracle Human Resources | Grade Flexfield; Job Flexfield; Personal Analysis Flexfield; Position Flexfield; Soft Coded KeyFlexfield |
| Oracle Inventory | Account Aliases; Item Catalogs; Item Categories; Sales Orders; Stock Locators; System Items |
| Oracle Payroll | Bank Details; Cost Allocation; People Group |
| Oracle Receivables | Sales Tax Location; Territory |
| Oracle Service | Oracle Service Item |
| Oracle Training Administration | Training Resources |

To an end user, a key flexfield appears on the form as a normal text field with an ellipsis prompt at the end of the field. This prompt function has a drill down, bringing users to a list of values. These segments and combination of values (segment values) represent the object. For example, the General Ledger uses a key flexfield to represent accounting codes throughout Oracle Applications. The following screenshot illustrates the drilldown from an accounting flexfield on a journal entry window to its individual segments and segment values.

[Screenshot: Code Combination -> Segments -> Segment Values for Account Segment]

For more information on the components of flexfields, refer to the following sections. For information on how each key flexfield is used within its "owner" application, please refer to that module's Practice Aid and/or Oracle User Guide at http://www.oracle.com/technology/index.html.

1.2. Descriptive Flexfields
Similarly, descriptive flexfields provide a flexible way for Oracle to provide configurable "expansion space" or additional fields in forms, or as context-sensitive fields that appear only when needed. A descriptive flexfield appears on the form (i.e. screen) as a two-character-wide text field with square brackets [ ] as its prompt. The following screenshot illustrates a descriptive flexfield called "Reconciliation Headers" used to capture additional data that would not normally be required in a journal entry window.

Both types of flexfields described above enable clients to customize Oracle Application features through simple configuration setups, i.e. without programming. The following sections discuss the setup steps required to configure these flexfields.

1.3. Control Considerations
Refer to each module's practice aid for control considerations pertinent to that module's specific flexfields.

2. Key Flexfield Components
2.1. Flexfield Structure
To create a key or descriptive flexfield, clients must first select the type of structure, such as an Accounting Flexfield, Asset Flexfield, or Item Catalog. Then, they must create the structure. Flexfield structures provide the framework for all of the flexfield's components and tie the Key Flexfield to the Application. Below, the Accounting Flexfield named Operations_Accounting (the structure) is created.

Each Key flexfield can be set with the following configurations.

2.1.1. Value Sets
Oracle uses the concept of segments (i.e. sub-fields) to let clients determine the data structure they want to use and in what order they want the segments to appear. Value sets govern the type of content that can be entered into a segment and what validation needs to occur for each segment.

2.1.2. Enabling Flexfield Structures
The Enabled check box is checked so that structures may be used in key flexfields. A structure must be enabled before it can be used. Structures cannot be deleted from this window because they are referenced elsewhere in the system, but they can be disabled at any time.

2.1.3. Segment Separator
This character is used to separate flexfield segment values or descriptions whenever the application displays concatenated segment values or descriptions. The available values are

2.1.4. Cross-validation Rules
The Cross-Validate Segments check box is selected if clients want to cross-validate multiple segments using cross-validation rules. Cross-validation rules are used to define valid combinations using the Cross-Validation Rules window. This box is unchecked if clients want to disable any existing cross-validation rules. For a detailed discussion of cross-validation rules in the context of the General Ledger key accounting flexfield, refer to the General Ledger practice aid. The cross-validation concepts discussed there apply to other key flexfields.

2.1.5. Freeze Rollup Groups
Used to indicate whether rollup group definitions are to be frozen. If this is enabled, users are prevented from modifying rollup groups using the Segment Values form. Refer to the General Ledger practice aid for more information on rollup groups.

2.1.6. Allow Dynamic Inserts
Dynamic Inserts are used for the General Ledger Key Flexfield to allow dynamic insertion of new valid account code combinations into the GL code combinations table. For more information on Dynamic Insertion, please refer to the General Ledger Practice Aid.

2.2. Freeze Flexfield Definitions
Once the structure's setup has been completed (or modified), the flexfield definition must be frozen and saved. These actions cause flexfields to compile automatically in order to improve on-line performance.

Note: This screen was modified with the addition of the usages button. The usages button is used to view which flexfield segment or concurrent program parameter uses a particular value. Please also consider the new color scheme Oracle has added.

2.3. Flexfield Segments
A segment is a single sub-field within a flexfield. In the accounting flexfield each segment is separated by a hyphen and represents a different characteristic. For example, in the screenshot below the different segments are Company, Department, Account, Sub-Account, and Product. Flexfield Segments can have two components, the segment definition and a segment qualifier. They can also be thought of as "containers" for segment values.

2.3.1. Flexfield Segment Definition
For a key flexfield, a segment's definition usually describes a particular characteristic of the entity identified by the flexfield.

The following window is used to configure the number of segments, their appearance and meaning, as well as the validation of segment values. In the example below, the account segment is assigned a value set "Operations Account" which restricts the range of values that can be defined for the account segment to a maximum size of 4 alphanumeric characters. Because the conditions specified for value sets determine what values can be used for them, both value sets and values should be defined at the same time. For example, if values are designed to be 6 characters long ranging from 000001, 000002 to 999999 instead of 1, 2, etc., the value set would be defined to accept only values with "Right-Justify Zero-fill" set to "Yes" and other validation parameters set accordingly as illustrated below.

2.3.2. Flexfield Segment Qualifiers
A flexfield qualifier identifies a particular segment of a key flexfield. Usually an application needs some method of identifying a particular segment for some application purpose such as security or computations. However, since a key flexfield can be configured so that segments appear in any order with any prompts, the application needs a mechanism other than the segment name or segment order to use for segment identification. Flexfield qualifiers serve this purpose. Flexfield qualifiers can be thought of as "identification tags" for a segment. For example, the Oracle General Ledger product needs to be able to identify which segment in the Accounting Flexfield contains balancing information and which segment contains natural account information. Since the Accounting Flexfield can be configured so that segments appear in any order with any prompts, Oracle General Ledger needs the flexfield qualifier to determine which segment is being used for natural account information. When an Accounting Flexfield is defined, flexfield qualifiers that apply to each segment must be specified, if required, as illustrated below.
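As an added example (not PwC's or Oracle's code), the following Python models the two checks described in 2.1.4 and 2.3.1: each segment is validated against its value set (maximum size, numbers only, "Right-Justify Zero-fill"), then the resulting combination against cross-validation rules. The value sets mirror the page's examples; the rule with its Include/Exclude element ranges is constructed, and treating a rule as "inside some Include range and outside every Exclude range" is an assumption about how Oracle GL cross-validation rule elements work.

```python
"""Validate an Accounting Flexfield code combination against value sets and
cross-validation rules.  Added example, not PwC's or Oracle's code; the value
sets follow the page's examples and the rule data below are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ValueSet:
    name: str
    max_size: int
    numbers_only: bool = False
    right_justify_zero_fill: bool = False   # "Right-Justify Zero-fill" = Yes
    values: set = field(default_factory=set)  # defined segment values, if any

    def validate(self, raw: str) -> Optional[str]:
        """Return the stored form of the value, or None if the value set rejects it."""
        value = raw.strip()
        if not value or len(value) > self.max_size:
            return None                      # empty or longer than Maximum Size
        if self.numbers_only and not value.isdigit():
            return None
        if not value.isalnum():
            return None                      # alphanumeric characters only
        if self.right_justify_zero_fill:
            value = value.rjust(self.max_size, "0")   # '1' is stored as '000001'
        if self.values and value not in self.values:
            return None                      # not a defined segment value
        return value


@dataclass
class RuleElement:
    """One Include or Exclude element: a low/high range for every segment."""
    include: bool
    low: tuple
    high: tuple

    def covers(self, combination: tuple) -> bool:
        return all(lo <= seg <= hi for seg, lo, hi in zip(combination, self.low, self.high))


@dataclass
class CrossValidationRule:
    name: str
    elements: list
    error_message: str

    def allows(self, combination: tuple) -> bool:
        # Assumed semantics: valid if in some Include range and in no Exclude range.
        included = any(e.covers(combination) for e in self.elements if e.include)
        excluded = any(e.covers(combination) for e in self.elements if not e.include)
        return included and not excluded


@dataclass
class KeyFlexfieldStructure:
    segments: list                # (segment name, ValueSet) in display order
    separator: str = "-"
    cross_validate: bool = True   # the Cross-Validate Segments check box
    rules: list = field(default_factory=list)

    def validate(self, concatenated: str):
        """Return (True, stored combination) or (False, reason for rejection)."""
        parts = concatenated.split(self.separator)
        if len(parts) != len(self.segments):
            return False, f"expected {len(self.segments)} segments, got {len(parts)}"
        stored = []
        for raw, (name, value_set) in zip(parts, self.segments):
            value = value_set.validate(raw)
            if value is None:
                return False, f"segment {name}: '{raw}' rejected by value set {value_set.name}"
            stored.append(value)
        if self.cross_validate:
            for rule in self.rules:
                if not rule.allows(tuple(stored)):
                    return False, f"cross-validation rule {rule.name}: {rule.error_message}"
        return True, self.separator.join(stored)


# Constructed structure using the page's five segments; values and rule are made up.
OPERATIONS_ACCOUNTING = KeyFlexfieldStructure(
    segments=[
        ("Company", ValueSet("Company", 2, numbers_only=True)),
        ("Department", ValueSet("Department", 3, numbers_only=True)),
        ("Account", ValueSet("Operations Account", 4, values={"1000", "1110", "1120", "4000"})),
        ("Sub-Account", ValueSet("Sub-Account", 6, numbers_only=True, right_justify_zero_fill=True)),
        ("Product", ValueSet("Product", 3, numbers_only=True)),
    ],
    rules=[CrossValidationRule(
        "NO_REVENUE_CORP",
        [RuleElement(True, ("00", "000", "0000", "000000", "000"),
                     ("99", "999", "ZZZZ", "999999", "999")),      # include everything
         RuleElement(False, ("99", "000", "4000", "000000", "000"),
                     ("99", "999", "4999", "999999", "999"))],     # except 99 + revenue
        "revenue accounts are not valid for company 99")],
)


def validate_combination(concatenated: str, cross_validate: bool = True):
    """Validate against the constructed structure; cross_validate=False mimics
    unchecking the Cross-Validate Segments box."""
    structure = KeyFlexfieldStructure(OPERATIONS_ACCOUNTING.segments,
                                      OPERATIONS_ACCOUNTING.separator,
                                      cross_validate, OPERATIONS_ACCOUNTING.rules)
    return structure.validate(concatenated)
```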

Other applications, such as Oracle Human Resources, also use flexfield qualifiers. Oracle Human Resources uses flexfield qualifiers to control who has access to confidential information in flexfield segments.

2.4. Flexfield Segment Values
There are 3 key concepts to consider regarding Flexfield Segment Values:
• Definition of Segment Values
• Segment Value Qualifiers
• Segment Value Combinations

2.4.1. Definition of Segment Values
Segment values are individual values contained within the segment that further define the segment definition. In the example below, Total Assets (account 1000), Cash (account 1110) and Payroll Cash Accounts (account 1120) are individual values within the 'Account' Segment:

2.4.2. Segment Value Qualifiers
A segment value qualifier identifies a particular type of value within a single segment of a key flexfield. A segment value qualifier can be thought of as an "identification tag" for a value. In the Oracle Applications, only the Accounting Flexfield uses segment value qualifiers. In the Accounting Flexfield, segment value qualifiers determine whether detail posting or budgeting are allowed for a particular value. In the example below, the Cash Account is defined as an Asset account, and this value can be used in budgeting and posted transactions. Because the GL Accounting Flexfield is the only Oracle Applications key flexfield that uses the parent, rollup group, hierarchy level and segment qualifier information illustrated above, clients need only enter this information for values that are associated with the Accounting Flexfield. For more information on such account hierarchies, refer to the General Ledger practice aid.

It is easy to confuse the two types of qualifiers. A flexfield qualifier is used by the whole flexfield to tag its pieces, i.e. segments, and a segment qualifier is used to tag its values and is only applicable to the Oracle General Ledger accounting flexfield.

2.5. Control Considerations
Refer to each module's practice aid for control considerations pertinent to that module's specific flexfields.

3. Descriptive Flexfield Components
Descriptive Flexfields (DFFs) use the same concepts as Key Flexfields, including Structure, Segments, and Segment Values. The difference with descriptive flexfields is that they use columns that are added on to a database table. The table contains any columns that its entity requires, such as a primary key column and other information columns. For example, a Vendors table would contain columns for standard vendor information such as Vendor Name, Address, and Vendor Number. The descriptive flexfield columns provide "blank" columns that you can use to store information that is not already stored in another column of that table. A descriptive flexfield requires one column for each possible segment and one additional column in which to store structure

Once the DFF's structure is defined, compiled and frozen, Oracle Applications submits a concurrent request to generate a database view of the table that contains the descriptive flexfield segment columns. Note that fields in a descriptive flexfield pop-up window are also referred to as segments even though they do not necessarily make up meaningful codes like the segments in key flexfields. Descriptive flexfields have two different types of segments, global and context-sensitive, that you can decide to use in a descriptive flexfield structure. A global segment is a segment that always appears in the descriptive flexfield pop-up window, regardless of context (any other information in your form). A context-sensitive segment appears when the appropriate context information is entered in a related field. The following screenshot illustrates a descriptive flexfield called "Reconciliation Headers" used to capture additional data that would not normally be required in a journal entry window.

3.1. Control Considerations
Refer to each module's practice aid for control considerations pertinent to that module's specific flexfields.

E. Auditing
1. Oracle Auditing Methods
Oracle EBS supports two fundamental methods of auditing -- activity-based auditing and data-based auditing. Individually, these two methods provide only a partial picture of the activity or changes to the system. Together, these two methods provide for a deeper understanding of the activity and changes to the system. The AuditTrail: Activate system profile option is required to be enabled for Oracle-based auditing to function. Even though many audit features might be configured, those features will not function unless this profile option is enabled.

1.1. Activity Based Auditing
Activity-based auditing focuses on the actions by individuals or groups of individuals. Oracle EBS can track the actions of users, including login activities and which forms have been accessed by users. The system profile option Sign-On: Audit Level is used to support this method of auditing. The values for this system profile option are None, User, Responsibility and Form. Much like other system profile options, this profile option can be set at the site, application, responsibility and user level. The size of the audit trail is dependent on the active user population.

Level | Profile Option Value | Audit Trail Impact
Site | None | No global auditing is enabled to track when users sign-on to the system.
Site | User | Global auditing is enabled to track when users sign-on to the system.
Site | Responsibility | Global auditing is enabled to not only identify when users sign-on to the system but also the responsibilities selected. At a minimum, the audit trail will be twice the size of the audit trail created by selecting the value User.
Site | Form | Global auditing is enabled that identifies the forms / screens the user accesses while signed on in the system. The size of the audit trail created by this setting (site/form) will be significant.
Application | None / blank | No auditing is specifically enabled to track when users sign-on to the system. Oracle will default to the site-level value.
Application | User | Auditing for the specific application is enabled to identify which users access that application through any responsibility.
Application | Responsibility | Auditing for the specific application is enabled to identify which users and responsibilities access the application.
Application | Form | Auditing is enabled that identifies the forms / screens the user accesses within the application. The size of the audit trail created by this setting (site/form) will vary based on the application selected and the amount of activity in that application.
Responsibility | None / blank | No auditing is specifically enabled to track when responsibilities are accessed. Oracle will default to the application and site-level values.
Responsibility | User | Auditing for the specified responsibility is enabled to identify which users access that responsibility.
Responsibility | Responsibility | At the responsibility level, this setting appears to be redundant with the User value.
Responsibility | Form | Auditing is enabled that identifies the forms / screens the user accesses from within the responsibility. The size of the audit trail created by this setting (site/form) will vary based on the responsibility selected and the amount of activity performed by that responsibility.
Form | None / blank | No auditing is specifically enabled to track when a specified form is accessed. Oracle will default to the responsibility, application and site-level values.
Form | User | Auditing is enabled that identifies which user accesses a specified form.
Form | Responsibility | Auditing is enabled that identifies which responsibility, via any user, accesses a specified form.
Form | Form | At the form level, this setting appears to be redundant with the Responsibility value.
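As an added example (not PwC's or Oracle's code), the following Python resolves the effective Sign-On: Audit Level for a session from the site/application/responsibility/user hierarchy in the table above, lists the records that session would leave in the audit trail, and flags the site-level Form setting that the control considerations below describe as voluminous. The profile values, users, responsibilities and form names are constructed; treating "None / blank" below site level as a fallback to the next level up follows the table rather than a tested Oracle behaviour.

```python
"""Resolve the effective Sign-On: Audit Level for a session and list the audit
records it produces.  Added example (not PwC's or Oracle's code); all profile
values, users, responsibilities and forms below are constructed."""
from dataclasses import dataclass, field

# Profile option values from least to most detailed.
LEVELS = ["None", "User", "Responsibility", "Form"]


@dataclass
class SignOnAuditProfile:
    """Sign-On: Audit Level at each level of the profile hierarchy.  A missing
    or 'None' entry at application/responsibility/user level is the table's
    'None / blank': Oracle falls back to the next level up (assumed from the table)."""
    site: str = "None"
    application: dict = field(default_factory=dict)
    responsibility: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)

    def effective(self, user: str, responsibility: str, application: str) -> str:
        # The most specific level that carries a real value wins.
        for table, key in ((self.user, user),
                           (self.responsibility, responsibility),
                           (self.application, application)):
            value = table.get(key)
            if value and value != "None":
                return value
        return self.site


@dataclass
class Session:
    user: str
    responsibility: str
    application: str
    forms: list            # forms / screens opened during the session


def audit_records(profile: SignOnAuditProfile, session: Session) -> list:
    """Return the rows the session adds to the audit trail under its effective level."""
    level = profile.effective(session.user, session.responsibility, session.application)
    detail = LEVELS.index(level)
    records = []
    if detail >= LEVELS.index("User"):            # sign-on is tracked
        records.append(("SIGNON", session.user))
    if detail >= LEVELS.index("Responsibility"):  # responsibility selected is tracked
        records.append(("RESPONSIBILITY", session.responsibility))
    if detail >= LEVELS.index("Form"):            # every form accessed is tracked
        records.extend(("FORM", form) for form in session.forms)
    return records


def review_profile(profile: SignOnAuditProfile) -> list:
    """Findings a reviewer would raise from the page's control considerations."""
    findings = []
    if profile.site == "Form":
        findings.append("site-level Form: voluminous trail; a risk-based setting at "
                        "application, responsibility or user level is usually intended")
    if profile.site == "None" and not any(
            [profile.application, profile.responsibility, profile.user]):
        findings.append("no sign-on auditing enabled at any level")
    return findings


# Constructed configuration: sign-ons everywhere, forms only in Payables,
# and one developer account audited at responsibility level regardless of application.
DEMO_PROFILE = SignOnAuditProfile(
    site="User",
    application={"Oracle Payables": "Form"},
    user={"APP_DEV": "Responsibility"},
)
PAYABLES_SESSION = Session("JSMITH", "Payables Manager", "Oracle Payables",
                           ["Invoices", "Invoice Batches"])
GL_SESSION = Session("JSMITH", "General Ledger Super User", "Oracle General Ledger",
                     ["Journals"])
DEV_SESSION = Session("APP_DEV", "Application Developer", "Oracle Payables",
                      ["Form Functions"])

if __name__ == "__main__":
    for session in (PAYABLES_SESSION, GL_SESSION, DEV_SESSION):
        print(session.user, session.responsibility, audit_records(DEMO_PROFILE, session))
    print(review_profile(SignOnAuditProfile(site="Form")))
```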

1.2. Data Based Auditing
Oracle EBS also supports auditing based on changes to data. These features in Oracle are called Audit Groups and Audit Tables. Standing or master data can be monitored to identify changes to specific fields. Audit groups assist the administrator in managing the various Audit Tables being used.

1.3. Control Considerations
1.3.1. Business Process Variables
o Oracle's auditing functionality is generally not enabled at clients because it consumes significant computing resources.
o A balance between monitoring too much and too little should be established. Clients who have set Sign-On: Audit Level at the site level with a value of Form are recording voluminous information that probably is not providing the audit or control benefit intended. Clients using this setting have not performed a risk-based assessment to determine the sensitive areas, users and responsibilities within EBS that should be monitored.
o For the most efficient auditing, a risk-based approach should be used to identify the high risk transactions and/or users.

1.3.2. Control Dependencies
o None
1.3.3. Control Limitations
o None
1.3.4. Testing Notes
o PwC staff reviewing Oracle-based auditing should consider the client's requirements for monitoring. Oracle-based auditing should complement those requirements.
o Additionally, PwC staff should consider the relationship between activity-based auditing and the data-based auditing that the client has enabled, if any.

2. Non-Audit based Change Control
Without the auditing feature turned on, Oracle only maintains a minimal audit trail. When auditing is not enabled, only the record creation date, record creator and the record's last modification date are recorded. Oracle does not automatically store any changes made between the creation of the record and the last update, and Oracle does not record what data was changed during the last update (only that the form was changed). Because change control is not maintained within the application, it can only be controlled manually or via a third-party application. Since a comprehensive list of changes to the application is not available within the application, clients often use a third party tool to track versions and movement of the code. Tools and controls used to support a change control environment could include:
• Application versioning using tools such as PVCS from Serena, or Oracle Enterprise Manager.
• Change request / ticket management using tools such as Remedy from BMC.
• Operating system security controlling access to production files and folders.
• Server change monitoring tools such as Tripwire from Tripwire, Inc.
Oracle EBS: This audit trail only includes a time/date stamp and the user responsible for the last update to the record. This audit trail will not show a history of changes or the elements that were changed, only when the last update occurred and who performed that update. Please see the Auditing section in this Practice Aid for further information.

Related topics are the new file structure and the usage of iSetup. iSetup is a data management product that helps in automating migration and monitoring of EBS setup data. iSetup helps in the migration of data between different instances of the EBS functionality. However, iSetup might not be used widely in the marketplace, especially for this purpose. iSetup is a two-part application:


• iSetup Configurator runs on the web and provides an interactive questionnaire to capture an organization's business requirements and configurations.
• iSetup Migrator is the load functionality that populates the application setup tables with the requested parameter values.

Configuration/Functionality Changes with iSetup
iSetup Migrator: Hierarchical Selection Sets


Hierarchical Selection Sets capture functional dependencies between items scheduled for migration. iSetup is able to remember and enforce these dependencies when migrating configurations / data.

Upload Extracts
New functionality includes the ability to upload an iSetup Extract from the user's desktop. Once uploaded successfully, the extract can be re-used for reporting or the load process.

Comparison Reporting
iSetup now allows users to compare the snapshot files. These snapshot files can be data from a single instance across a timeline or from two different instances. Users can view the generated report online or download the report in PDF, RTF or Excel format.

2.1. Control Considerations
2.1.1. Business Process Variables
o None
2.1.2. Control Dependencies
o None
2.1.3. Control Limitations
o None
2.1.4. Testing Notes
o None

F. End User Access
1. Responsibility and Security Group Management
Users having access to Oracle EBS only have access to application functionality through the use of responsibilities. A responsibility is a collection of menus that are, in essence, navigation paths. Each menu, or sub-menu, is a collection of Oracle forms (screens) and functions (transactions). In addition to these application features, groups of programs are assigned to responsibilities via a request security group. In version 11.5.10, responsibilities could be grouped together under roles. A role can be configured to consolidate the responsibilities, permissions, function security and data security policies that users require to perform a specific function. This is accomplished with a one-time setup, in which permissions, responsibilities, and other roles are assigned to a single role. For more information on Role Based Access Control (RBAC) refer to section 2.3 in this practice aid. The following illustration identifies and briefly describes the elements required to create a responsibility.


Responsibility Name -- Unique user-created name for the responsibility.
Application -- Selected application (module) in which the responsibility resides.
Responsibility Key -- User-created
*Effective Dates -- Range of dates between which the responsibility is active.
Data Group -- Name: Selected data group for the responsibility. Note: This element corresponds to the security group on the Users form. Application: The module used in conjunction with the data group name.
Menu -- Selected main menu for the responsibility.
Menu Exclusions, Excluded Items, Securing Attributes -- Additional configurable elements that further restrict the responsibility's access.
Request Group -- Name: Selected request security group associated with the responsibility. Application: The module used in conjunction with the specified request security group.


1.1. Forms and Functions
Menu Functions, or functions, are the lowest level of access. A function is a part of an application's functionality that is registered under a unique name for the purpose of assigning it to, or excluding it from, a responsibility. Within Oracle there are two types of functions: form functions, and non-form functions. For clarity, even though within the database both are just instances of functions, Oracle refers to a form function as a form, and a non-form function as a sub function. Within PwC's GATE tool, a form function is called a form, and the non-form function (or sub function) is called a function. From an end-user perspective, the function is the window (or screen) in which data is entered into the application. For example, invoices can be entered into the Invoices (form) > Invoices (function) screen or via Invoices (form) > Invoice Batches (function). Together, these two values form the navigation path to the screen in which data is entered. Within PwC's GATE tool, this would be indicated by: Responsibility | Form | Function | Submenu | Access

From a functional perspective, Forms and Functions are defined within the System Administration module with the following characteristics.

1.1.1. Description
o Function: Users do not see this unique function name. However, this may be used when calling your function programmatically. This name is also used when assigning functions to menus. Also known as the "database name". Within PwC's GATE tool, this name is called the "function".
o User Function Name: This name appears in the end user's Navigator window.

1.1.2. Properties
o Type: Type is a free-form description of the function's use. A function's type is passed back when a developer tests the availability of a function. The developer can write code that takes an action based on the function's type. Standard function types include the following:

Form Type | Description
FORM | Oracle Applications form functions are registered with a type of FORM. Even if you do not register a form function with a type of FORM, Oracle Applications treats it as a form if a valid Form Name/Application is specified.
SUBFUNCTION | Sub functions are added to menus (without prompts) to provide security functionality for forms or other functions.
JSP | Functions used for some products in the Oracle Self-Service Web Applications. These are typically JSP functions.
WWW or WWK | Functions used for some products in the Oracle Self-Service Web Applications. These are typically PL/SQL functions.
WWR or WWL | Functions used for some products in the Oracle Self-Service Web Applications.
WWJ | OA Framework JSP portlet.
SERVLET | Servlet functions used for some products in the Oracle Self-Service Web Applications.
DBPORTLET | Database provider portlet.
WEBPORTLET | Web provider portlet.

o Context Dependence: Some functions are controlled by profile options that affect what the user can perform within the current context. Types of context dependence are:

Context | Description
Responsibility | The function is controlled by the user's responsibility (RESP_ID/RESP_APPL_ID (includes ORG_ID)).
Organization | The function is controlled by the user's organization (ORG_ID).
Security Group | The function is controlled by the user's security group (service bureau mode).
None | There is no dependence on the user's session context.

1.1.3. Form
o Form/Application: This field is where the function is linked to a form. For a form function, in the PwC GATE tool, this value is referred to as the "form".
o Parameters: Parameters determine if a form is query only or entry. For example, if the parameter is QUERY_ONLY=YES, the form opens in query-only mode.

1.1.4. Web HTML, Host and Region
The fields in the Web HTML and Web Host sections are only required if your function will be accessed from Oracle Applications Framework. Values are not required here if the functions are based on Oracle Forms Developer forms. The Region section's fields are for future releases of Oracle.

1.2. Menus
A menu is a hierarchical arrangement of functions and menus of functions. Functions are assigned to menus, which can in turn be assigned to one or more menus. Finally, menus are assigned to responsibilities, and those responsibilities to specific users. Menus are composed of the following:

• Sequence: Specifies where a menu entry appears relative to other menu entries in a menu. A menu entry with a lower sequence number appears before a menu entry with a higher sequence number.
• Navigator Prompt: This is a user-friendly, intuitive prompt the menu displays for the menu entry. End users see this menu prompt in the hierarchy list of the Navigator window.
• Submenu: Links another menu to the menu and allows end users to select menu entries from that menu. Note: Oracle uses the term "submenu" to define any menu that is assigned to another menu. However, there is no technical distinction between a menu and a submenu. A submenu must, however, be defined before it can be called by another menu.
• Function: A function included in the menu. A form function (form) appears in the Navigate window and allows access to that form. Other non-form functions (sub functions) allow access to a particular subset of form functionality from this menu. Custom menus can be created using predefined forms (i.e., form functions) and their associated menus of sub functions. However, Oracle does not recommend that a form be disassociated from its developer-defined menus of sub functions.
• Grant: If enabled, this function is automatically enabled for the user. If this is not checked then the function must be enabled using additional data security rules.
• Description: Appears in a field at the top of the Navigate window when a menu entry is highlighted.

Outlined below is a graphic illustration of how menus are compiled:
• The function "invoice actions" is assigned to the AP_APXINWKB submenu.
• The AP_APXINWKB menu is assigned to the AP_INVOICES_ENTRY_GUI12 menu.
• The AP_INVOICES_ENTRY_GUI12 menu is assigned to the AP_INVOICES_GUI12 menu.
• The AP_INVOICES_GUI12 menu is assigned to the AP_NAVIGATE_GUI12 menu.
• The AP_NAVIGATE_GUI12 menu is assigned to the Payables Manager Responsibility.
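As an added example (not PwC's, Oracle's or GATE's code), the following Python walks a responsibility's menu tree the way the Payables Manager chain above is compiled, honouring the Grant flag and the responsibility's menu and function exclusions, and then checks the reachable functions against a constructed list of conflicting pairs. The menu names follow the page; the sequences, prompts, the additional entries and the conflict pairs are constructed.

```python
"""List the functions a responsibility can reach through its menu tree and
report constructed segregation-of-duties conflicts among them.  Added example,
not PwC's, Oracle's or GATE's code; entries beyond the page's chain are made up."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MenuEntry:
    sequence: int
    prompt: str                       # Navigator Prompt ("" for sub functions)
    submenu: Optional[str] = None     # links another menu ...
    function: Optional[str] = None    # ... or names a function
    grant: bool = True                # Grant flag: enabled for the user


@dataclass
class Responsibility:
    name: str
    menu: str                         # main menu assigned to the responsibility
    excluded_menus: set = field(default_factory=set)      # Menu Exclusions
    excluded_functions: set = field(default_factory=set)  # Excluded Items


# Constructed menu data reproducing the page's chain down to "Invoice Actions".
MENUS = {
    "AP_NAVIGATE_GUI12": [MenuEntry(10, "Invoices", submenu="AP_INVOICES_GUI12"),
                          MenuEntry(20, "Suppliers", function="Suppliers")],
    "AP_INVOICES_GUI12": [MenuEntry(10, "Entry", submenu="AP_INVOICES_ENTRY_GUI12")],
    "AP_INVOICES_ENTRY_GUI12": [MenuEntry(10, "Invoices", function="Invoices"),
                                MenuEntry(20, "Invoice Batches", function="Invoice Batches"),
                                MenuEntry(30, "", submenu="AP_APXINWKB")],
    "AP_APXINWKB": [MenuEntry(10, "", function="Invoice Actions"),
                    MenuEntry(20, "", function="Invoice Approval", grant=False)],
}

# Constructed conflict pairs (vendor maintenance vs. invoice entry).
CONFLICT_PAIRS = [("Suppliers", "Invoices")]


def reachable_functions(resp: Responsibility, menus: dict = MENUS) -> dict:
    """Map each function the responsibility can use to its navigation path."""
    found = {}
    visited = set()

    def walk(menu_name: str, path: list) -> None:
        # Skip excluded menus and guard against a menu assigned back to itself.
        if menu_name in visited or menu_name in resp.excluded_menus:
            return
        visited.add(menu_name)
        for entry in sorted(menus.get(menu_name, []), key=lambda e: e.sequence):
            if entry.submenu:
                walk(entry.submenu, path + [entry.prompt or entry.submenu])
            elif (entry.function and entry.grant
                  and entry.function not in resp.excluded_functions):
                found.setdefault(entry.function, " > ".join(path + [entry.function]))

    walk(resp.menu, [resp.name])
    return found


def sod_conflicts(functions: dict, pairs=CONFLICT_PAIRS) -> list:
    """Return the conflict pairs whose two functions are both reachable."""
    return [pair for pair in pairs if pair[0] in functions and pair[1] in functions]


if __name__ == "__main__":
    payables_manager = Responsibility("Payables Manager", "AP_NAVIGATE_GUI12")
    for function, path in reachable_functions(payables_manager).items():
        print(f"{function:16} {path}")
    print("conflicts:", sod_conflicts(reachable_functions(payables_manager)))
```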

Because of all the submenus attached to the AP_NAVIGATE_GUI12 menu, the Payables Manager can enter data into the Invoice Actions function.

1.3. Request Groups
Oracle EBS requests not only include paper-based reports but also other programs that perform transactions such as automatically creating invoices. Requests are grouped and assigned to responsibilities via Request Security Groups. Common to Oracle EBS is the use of the "All Reports" Request Security Group for each module. This default or seeded request security group contains all reports/updateable programs defined in the system.

However, there is an additional method by which users can be assigned functions: permission sets, or grants. A permission set is a grouping of functions that can be assigned directly to a user through permission assignments. Permission sets are granted independently of responsibilities and can be used to augment access assigned through responsibilities. Because permission sets are granted independently of responsibilities, they can potentially increase the risk of SoD conflicts.

1.4. Process Navigator Tab
The first tab on an Oracle EBS form is the Functions tab. This feature contains the menus and navigation paths to the various forms and functions granted to the responsibility. The Functions tab is where users (end users and support personnel) spend a majority of their time. The Process Navigator Tab within Oracle is a little-used feature that presents a heightened risk of segregation of duties and sensitive access violations by indirectly granting access not intended for specified users and not intentionally designed into their responsibilities. This Oracle feature is intended to give the user an overview of a business process and walk them through each step. This feature also allows support individuals a better view of the transaction and where problems might exist during troubleshooting exercises.

users can create and approve purchase orders. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. All rights reserved. process invoices. that does not have access to transactions in the Functions tab. Example 2: Application Developer access to vendor management. Page 35 of 89 Internal use only -. invoice and payment processing The 1099 Reporting process assigned to Application Developer by default gives the user the ability to: create vendors.The next two examples will show how the Application Developer responsibility. S. Example 1: Application Developer access to purchase order processing The Process Navigator Tab is an optional 3rd tab on the primary transaction By launching this node of the process. will have access to many different sensitive and conflicting functions through the Process Navigator Tab. Firm use only .U. Launching these specific nodes of the process will display the appropriate forms to enter the transaction. and process payments.

For example. 1. o Clients should not use seeded or default responsibilities in the production environment. Clients tend to copy seeded or default responsibilities in order to develop new ones. of which access could pose an increased risk of excessive access and segregation of duties violations. revenue recognition) manipulate financial data. Additionally. Control Limitations o Because some concurrent processes (auto post journals. run the report "Reports within Request Groups" to identify which reports are associated with each request security group.2."All Reports Request Group" PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Responsibility design focused solely on segregation of duties might increase the cost of performing transactions. as it contains all reports and processes. Clients that modify the seeded responsibilities and menus for increased security will lose these customisations and will increase their risk of unauthorised activity being performed in Oracle EBS. Clients should follow an appropriate naming convention so that effective responsibility management can be supported. Upgrades and patches to Oracle EBS will frequently overwrite seeded functionality. The risk introduced in this method of creating responsibilities is that weaknesses in one responsibility will be re-introduced in the new responsibility. A balance between flexibility and segregation of duties should be established.4. o The functionality of a responsibility is independent of the naming convention of that responsibility.1. o The presence of the Process Navigator Tab does not necessarily represent a control deficiency in the client's environment. This increased cost is due to the additional time introduced into the business process to separate conflicting activities. the Process Navigator Tab is enabled for many seeded or default responsibilities and will be enabled in new responsibilities unless the client actively manages this feature. All rights reserved. 
Business Process Variables o Clients should have a defined process for developing and updating responsibilities. S.5. Better control practice is that the Process Navigator Tab is not enabled in any responsibility.U. Please refer to the Process Navigator Tab section in this Practice Aid for further discussion on this Oracle feature.3. Clients should not use the "All Reports" request security group. o An additional argument for not using seeded responsibilities (and even forms) is to support upgradeability. Control Considerations 1. Page 36 of 89 Internal use only -. This process "resets" seeded responsibilities and menus to their original configuration. A specific report focusing on the "All Reports" request security group is also available -. access to concurrent processes (reports) should be assigned to complement the online access granted to responsibilities. Responsibility design focused solely on responsibility functionality and flexibility will introduce conflicting and excessive access. Processes available to the responsibility can be added and removed. Responsibilities named 'view' or 'inquiry could actually update and initiate transactions. 1. Testing Notes o To test Security Groups using GATE: Run the GATE Responsibility Report "Responsibilities by Request Groups" to identify the various request security groups defined and to which responsibilities they are assigned. Firm use only .1. The responsibilities shipped with Oracle provide excessive and conflicting access to users. Control Dependencies o None 1.5.5.5.5.

1. This is the user name the end users will enter when accessing the Oracle application. Page 37 of 89 Internal use only -. programs. Once the user logs into the application for the first time. User Management 2. should work with the client to identify where it is being used. o To Process tab access using Manual Testing -. To run the report.1. There is an Oracle report titled "Reports and Sets by Responsibility" that identifies which reports.2. the following can be entered: 2. you must have the Application and Responsibility names you want to analyse. o GATE does not pick up menu exclusions and therefore online testing is required in a recent copy of PROD. User Name (required) This is a freeform text field in which the clients can enter a value. S. Password and Password Expiration (required) The password entered in the password field is a temporary password which will expire upon first use. refer to the Password PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. PwC should be aware of this feature and. When creating a new user ID.1. Firm use only . In addition. they will be required to enter a new "permanent" password. Defining Users Entry and maintenance of users is completed in the User form. and request sets are included in a request security group available for a given responsibility. The database administrator should be able to identify the "AZN" menus and potentially the responsibilities with which they are associated. a user can be set up with a password expiration date that is used with the "permanent" password. whose navigation path is Security / User / Define menu path. (For more information regarding passwords. o To test Process Tab access using Oracle GATE Responsibility Reports: PwC should run the GATE report "Responsibilities with the Process Tab" to determine whether the process tab is enabled throughout the client's environment. 
o Function and menu exclusion rules should be defined to restrict the application functionality accessible to a responsibility.U. All rights reserved.1. 2. Oftentimes companies use standard a naming convention to link the Oracle user name to the individual (jsmith.An effective way for testing the AZN menus by reviewing online in the client's system has not been identified. 2. etc).o To test Security Groups using online testing: Effective online testing of reports and request groups has not been identified. when they identify its use.

Note: the option to set password expiration to "NONE" will result in the user's password never expiring.

2.1.3. Person (optional)
An Oracle user name can be linked to a person (employee) listed within the HR tables. This is done by selecting a value in the person field. This is not required, as some users may need access who are not employees (temporary workers, external suppliers, etc). However, some functionality (workflow, purchasing) requires that a User Name have a person assigned to the User record.

2.1.4. Supplier and Customer (optional)
An Oracle user name can also be linked to a supplier or customer as defined in the supplier and customer master, respectively. This can be enabled in order to facilitate external supplier and customer access to the application (refer to the Procure to Pay and Order to Cash practice aids for more information).

2.1.5. Effective Dates (required)
When user accounts are created, effective dates control when the User ID is active. These dates can be in the future. The security administrator will supply an end-date to disable the User ID. This date can be in the future so that the User ID is disabled at a predetermined time, so that users such as temporary users or contractors will have their access removed automatically on a certain date.

2.1.6. Direct Responsibilities
In order for a user to access the application, a responsibility needs to be assigned to the user. The same Users form (identified above) is used, and the security administrator selects a responsibility from the active responsibilities defined within the responsibilities table. The security group is automatically assigned to the user, based upon the responsibility selected. The effective-to date indicates the date from which the Responsibility is no longer valid for the user. When Responsibilities are removed from users, those responsibilities are "end-dated". For more information on Responsibilities and Security Groups, refer to the Responsibility section of this practice aid.

2.1.7. Indirect Responsibilities (new to 11.5.10)
A user may "inherit" an indirect responsibility through membership in a group to which the responsibility has been assigned. Indirect responsibilities are used with Oracle User Management only.

2.1.8. Securing Attributes
Securing attributes are used by Oracle HTML-based applications (Self Service) to allow rows (records) of data to be visible to specified users or responsibilities based on the specific data (attribute values) contained in the row. Essentially, the information self-service users see can be limited or extended by assigning securing attributes to their user record. For example, Employee "A" can be assigned securing attributes for Oracle iExpense for Employee "B". When Employee "A" logs onto iExpense, they can choose to enter expenses either for themselves or for Employee "B".

2.1.9. MOAC
Multiple Organization Access Control (MOAC) is new functionality in R12. Using MOAC, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. Multiple operating units are assigned to a security profile, and this security profile is then assigned either to responsibilities or directly to users.

2.1.10. Personalisation
The personalization functionality is accessible to end users via the diagnostic functionality. The objective of personalization is to declaratively tailor the user interface (UI) look-and-feel, layout or visibility of page content, or a user preference. Personalization examples are:
• Tailor the color scheme of the UI.
• Tailor the order in which table columns are displayed.
• Tailor a query result.

2.1.11. Usage of Roles
With Release 12, the usage of roles is widened. Oracle EBS users can also maintain user functionality such as role assignment and role inheritance through the User Management module. This module is mainly used for the maintenance of roles; however, maintenance features such as resetting passwords or end-dating users can also be done via this module. For the implications, compare the chapter on Role Based Access (RBAC).

2.2. Proxy Users
Functionality for the management of Proxy Users has been introduced, covering the following functions:
o Setting up Proxy Users
o Delegating Proxy User Privileges
o Acting as a Proxy User
o Running the Proxy User Report

2.2.1. Usage
There are a number of business scenarios in which users of Oracle EBS need to grant delegates the ability to act on their behalf (act as proxy users for them) when performing specific EBS functions. The Proxy User mechanism allows such users to obtain limited, auditable delegation of privilege from delegators to their delegates. The new mechanism was designed to enable limited, auditable access to accounts such as SYSADMIN that might otherwise have to be shared and therefore be harder to audit. The ability for users to access the proxy feature is controlled by a Security Administrator role. Users with this role determine which set of users can create delegates who can act on their behalf.

2.2.2. Examples of Delegation
• Executives allowing their assistants to access selected business applications on their behalf.
• Similarly, managers may need to grant peers or subordinates limited authority to act on their behalf while they are out of the office, but for a more limited duration.
• Users may need to grant help-desk staff limited-duration access to their EBS accounts, so that help desk staff can investigate problems and provide assistance.

(Screenshots in the original depict the functionality: the first shows how proxies are assigned as a separate role, and the second how the Proxy User Report is run in the User Management module.)
For example. Roles are a grouping of access rights at a level higher than responsibilities.U.10 (and earlier with patch FND. and they can in turn view item and view item people list.1. A role is a collection of privileges. Roles are granted to users by the owner of the object. or by someone who has the privilege to add people.3. Firm use only . Roles are a convenient way to group privileges into a bundle that can later on be assigned to users. and responsibilities can be assigned to roles. Roles provide the client tools to better align access to the functional job responsibilities of their employees. the concept of roles is introduced. Responsibilities cannot be assigned to responsibilities. the role Item Reviewer contains the privileges View Item and View Item People List. RBAC is a layer that builds upon the data and function security models of previous releases tive nistra Admi dures proce Core ity secur rv Self se es servic ioning tion Provis inistra Adm egated ion Del rol rat ministaccess cont Ad ed as Role b curity ata Se D rity n Secu o Functi als approv ic e & ity Secur PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. 2. Page 41 of 89 Internal use only -. The user can give this role to various people on individual item instances. however.H installed). Roles are object-type specific.2. roles can be assigned to roles.5. edit and perform certain actions on an object is determined by the user's role on that object. RBAC Functionality The user's ability to view.3 Role Based Access (RBAC) In Oracle EBS 11. All rights reserved. S.

Firm use only .U. some roles such as "Employee" or "Manager" are assigned general permissions for a given function. These roles may provide access to job-specific menus and data such as the Sales Forecasting menu. as well as any of that role's own subordinate roles. function security and data security polices that users require performing a specific function Roles can be included in role inheritance hierarchies that can contain multiple subordinate roles and superior roles. With role inheritance hierarchies. Hierarchies within the roles functionality is granted via the Oracle user management application. Responsibilities are also a type of role and the same principal with regards to inheritance hierarchies as detailed above applies to responsibilities. the Employee role may provide access to menus generally available to all employees. permissions. or the Support application. Other roles in this example pertain to more specific job functions. a superior role inherits all of the properties of its subordinate role. all lower level responsibilities will also be end-dated.Role Based Access Control (RBAC) is an ANSI standard (ANSI INCITS 359-2004) supported by the National Institute of Standards & Technology (NIST). One of the effects of this is that if the top level responsibility assignment is end-dated for a specific user. assigning the top level responsibility to a user will result in all inherited responsibilities also being automatically assigned to the user. When responsibilities are structured in the form of a hierarchy. All rights reserved. For example. To consolidate the responsibilities. When this occurs it has the effect that it will not PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. The following example illustrates this: In this example. anyone assigned the Manager role automatically obtains the permissions associated with the Employee role. such as Sales Manager and Sales Representative. 
Because the Employee role is to subordinate to the Manager role. while the Manager role provides access to menus that should only be accessible by managers. S. or Support Manager and Support Agent. Page 42 of 89 Internal use only -.

The set of data policies that are defined as part of delegated administration are known as the Administration Privileges. and organization. and the ability to easily scale their administrative capabilities. These privileges can be defined along with the role definition in the Role & Role Inheritance user interface in Oracle User Management.3. Firm use only . users. This provides organizations with a tighter. See the following screens in the user management module. S. For example. With delegated administration. organizations could internally designate administrators at division or even department levels. 2. Administration Privileges determine what users and roles the delegated administrator can manage.be possible to directly assign any of the lower level responsibilities to the user without either dismantling the hierarchy or assigning the top-level responsibility to the user again. Each privilege is granted separately. and then delegate administration of external users to people within those (external) organizations. yet the three work together to provide the complete set of abilities for the delegated administrator. an organization can create local administrators and grant them sufficient privileges to manage a specific subset of the organization's users and roles. instead of relying on a central administrator to manage all its users. Page 43 of 89 Internal use only -. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Delegation policies are defined as data security policies. There are three aspects to administration privileges: roles. The administrative privileges that can be delegated could be of the following privilege categories: o User Administration Privileges o Role Administration Privileges o Organization Privileges Delegation policies are defined as data security policies. All rights reserved. 
Supporting functionality: Delegated Administration Delegated Administration is a privilege model that builds on the RBAC system to provide organizations with the ability to assign the required access rights for managing roles and user accounts. where you can see the search function and an example of a delegated administration function. The set of data policies that are defined as part of delegated administration are known as Administration Privileges. more granular level of security.U.2.

(Screenshot in the original: example of delegated administrative functionality and how it is assigned within role administration.)

2.4. User Management Tool
This functionality was established in version 11.5.10, but was not mentioned in the earlier Practice Aid.

2.4.1. Self-Service Account Requests
Commonly referred to as Self-Service Registration, self-service account requests provide a method for individuals to request a new user account. Consider a case where customers may need to register before they can purchase an item from an online store. Once the registration process has been completed, the customer obtains both a user account and the necessary role(s) for accessing some portion of the web site in which they registered.

This release of Oracle User Management provides sample Self-Service registration UIs for internal employees, and for new, external individuals. Organizations can copy these sample Self-Service registration UIs and extend them based on their own requirements. In addition, organizations that wish to support other types of users, or capture additional information specific to their applications, are able to extend or create their own registration UIs and business logic.

Oracle User Management provides support for displaying different registration links on the login page based on the application tier login page that provides access. The registration link can contain additional parameters that are not known at design time, such as the country code. These additional parameters can be used later during the registration process. Using country code as an example, a registration process could route the approval requests to the most appropriate approver. Therefore, all those who request an account from Norway could be routed to a Norwegian account approver.

2.4.2. Request for Additional Access
Users can request additional access through the Oracle User Management Access Request Tool (ART), available in the Global Preferences menu. Requests for additional access use the same Oracle User Management infrastructure and processing logic as Self-Service Account Requests.

2.4.3. User Name Policies
Oracle User Management enables organizations to define their own user name policies for new users. These can include such formats as email address, employee number, social security number, "firstname.lastname" (or an abbreviated version), or some other meaningful information. Oracle User Management ships with a default user name policy that identifies users by their email address. This is implemented as a configurable infrastructure that organizations can easily customize to suit their specific needs.

2.4.4. Email Verification
Oracle User Management provides a mechanism for verifying the identity of the requester before the registration request is processed. Identity verification is based on the email address provided by the requester. When the account request is submitted, Oracle User Management sends the requester an email notification once the requester has completed the registration flow. If the user does not reply to the email notification within a specified time, the request is automatically rejected. Oracle User Management reserves the specified user name for the duration of the approval process. Email verification is only applicable to Self-Service account requests, and is enabled or disabled for each registration process.

Note: Oracle recommends that when building self-service registration UIs with identity verification enabled, an organization should indicate in the UIs and confirmation messages that a response is required to process the user's request.

2.4.5. ICM Integration
Functionality for the integration of the role assignment and revocation processes with Oracle Internal Controls Manager is described below. ICM is used to document and test internal controls and monitor ongoing compliance. It provides a workbench for managing tasks such as defining the business processes of the enterprise, managing process documentation, and managing the process Risk Library. The application assembles the components necessary to document, test and monitor internal controls and compliance.

Oracle User Management is now integrated with Oracle Internal Controls Manager (ICM) for the prevention, detection, enforcement, and resolution of separation-of-duties constraints during the assignment of roles by administrators to users. UMX integration with ICM is enabled according to the setting of the site-level profile option "UMX: Enable ICM Validation". The default value is "Yes".

For example, a constraint (created using a set of ICM UIs) can be defined such that no user is allowed to have "Role A" and "Role B" at the same time. In such a case, an administrator attempting to assign Role B to a user who already has Role A will be presented with a dialog page displaying the constraint violation information. At this point, the administrator can take one of two actions:
o Go back to the role assignment page and remove the assignment that is causing the violation.
o Override the constraint violation, if the administrator has the "AMW: Allow SOD Violation Override" permission. With this permission, the administrator will see Apply and Cancel buttons on the constraint violation dialog page. Clicking Apply will override the constraint and assign Role B to the user despite the warning. Clicking Cancel will cancel the save operation without granting Role B to the user.

2.5. Control Considerations

2.5.1. Business Process Variables
o Security may be administered in a centralized or decentralized manner. Each method has its own risks.
o Appropriately completed authorisation request forms should accompany any additions/changes to a user ID. This authorisation form should clearly indicate the specific Oracle access (e.g., which Responsibility) that should be granted.
o User Administration (creating/disabling user IDs and assigning access) should be separate from business process transactions and responsibility design activities.
o Periodic review by management of all active users and their currently assigned Responsibilities should occur.
o Monitoring controls over Roles, Responsibilities and user assignment throughout the period should be used to understand the nature of any temporary changes to these elements.
o Whenever a role concept is followed, it should be thoroughly considered whether the roles and responsibilities represent a SoD conflict.
o Clients using the roles concept must monitor the granting process for role inheritance.
o Clients might use the registration processes that come with the Oracle User Management application: individual user registration, external organization contact and employee registration, and account creation for an existing person. These registration processes create role assignments, and therefore might grant functions excessively or inappropriately, resulting in SoD violations.
o Overall, proxy user related privileges should only be granted on an exceptional basis.

2.5.2. Control Dependencies
o Oracle General Ledger, Projects, and Human Resources have additional security methods that may restrict a user's ability to view and update data. Please refer to these Practice Aids for more information.

2.5.3. Control Limitations
o Responsibilities cannot be deleted from a user's profile, but they can be end-dated to have the user's access disabled.
o A user can be assigned multiple responsibilities and responsibilities can be assigned to multiple users.
o Two responsibilities can be assigned to a single user that, when combined, may create a SoD violation.
o Oracle EBS is highly configurable and any responsibility (even seeded responsibilities, including General Ledger Super User) can be modified.
o If proxy user access is given, this might violate the existing SoD and cause a conflict which would not have existed without the proxy. However, start and end dates can be defined to limit the duration of proxy access.
o Proxy User functionality gives all-or-nothing delegation capability.
o Enabling proxy users allows business process owners to delegate responsibility.

2.5.4. Testing Notes
o Securing Attributes could be a significant security component of the client's user population if iTime, iExpense, or iProcurement are used. PwC should understand the requirements for securing attributes and consider testing those configurations.
o Analyze the overall concurrence of RBAC, MOAC and the proxy user.
o Companies may create a specific user (the auditor) with access to employees' EBS accounts, normally on a read-only basis. Accessing the granted proxy users enables the auditor to analyze the usage of delegated responsibilities (usage of the Proxy User Report).

3. Password Management
Oracle EBS provides multiple configurations to support the client's corporate security policy. The Oracle E-Business Suite password configurations are as follows; for each, the configuration name is followed by the type of configuration, the default setting and a description.

Sign on Password Custom (System Profile Option; default: not set)
If the client has more advanced password restrictions, custom Java classes can be used to implement these restrictions. The Sign on Password Custom profile option must be set to the full name of the Java class. Note: this profile option became available in Release 11.5.7 or via patch 2061872.

Sign on Password Failure Limit (System Profile Option; default: not set)
This parameter identifies the number of failed login attempts after which an EBS login is disabled. The default is unlimited failures.

Sign on Password Hard to Guess (System Profile Option; default: not set)
This profile option is used to help ensure that the password is "hard to guess". A password is considered hard to guess if it follows these rules:
• The password contains at least one letter and at least one number.
• The password does not contain the username.
• The password does not contain repeating characters.

Sign on Password Length (System Profile Option; default: 5)
The minimum length of Oracle EBS user passwords can be set using this profile option.

Sign on Password No Reuse (System Profile Option; default: not set)
The minimum number of days that a user must wait before being allowed to reuse a password can be set with this profile option.

Password Expiration (User Record; default: not set)
Days: the number of days between password changes. Accesses: the number of successful logins until the next password change.

Password case sensitivity (Profile option; default: disabled)
Passwords are either case sensitive or not case sensitive.
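As an added example (not Oracle's code), the following Python puts the settings above into one checker: minimum length, the three "hard to guess" rules, the no-reuse window, case sensitivity, and per-user expiration by Days or Accesses. Two points are assumptions rather than facts from the page: the digest used to compare a candidate against password history is SHA-256 chosen for illustration and is not Oracle's storage scheme, and "repeating characters" is read as the same character twice in a row. The sample user name, passwords and dates are constructed.

```python
"""Checker for the EBS password profile options, as an illustrative model."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    """Site-level settings modelled on the profile options in the table above.
    Only min_length=5 matches an Oracle default; the rest are illustrative."""
    min_length: int = 5                # Sign on Password Length
    hard_to_guess: bool = True         # Sign on Password Hard to Guess
    no_reuse_days: int | None = None   # Sign on Password No Reuse
    case_sensitive: bool = False       # Password case sensitivity


def digest(password: str, case_sensitive: bool) -> str:
    """One-way digest used only to compare against history. SHA-256 is an
    illustrative choice here and is not Oracle's password storage scheme."""
    material = password if case_sensitive else password.upper()
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def hard_to_guess_failures(password: str, username: str) -> list[str]:
    """The three "hard to guess" rules; returns the rules the password fails.
    Assumption: "repeating characters" means the same character twice in a row."""
    failures: list[str] = []
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        failures.append("must contain at least one letter and one number")
    if username and username.upper() in password.upper():
        failures.append("must not contain the username")
    if re.search(r"(.)\1", password):
        failures.append("must not contain repeating characters")
    return failures


def validate_new_password(policy: PasswordPolicy, username: str, password: str,
                          history: list[tuple[str, date]], today: date) -> list[str]:
    """history holds (digest, set_on) pairs, oldest first; the last entry is the
    current password. A password counts as in use from set_on until the next
    entry's set_on, so the no-reuse window is measured from when it was retired."""
    failures: list[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.hard_to_guess:
        failures.extend(hard_to_guess_failures(password, username))
    if policy.no_reuse_days is not None:
        candidate = digest(password, policy.case_sensitive)
        cutoff = today - timedelta(days=policy.no_reuse_days)
        for i, (old, _set_on) in enumerate(history):
            last_used = history[i + 1][1] if i + 1 < len(history) else today
            if old == candidate and last_used >= cutoff:
                failures.append(f"reused within {policy.no_reuse_days} days")
                break
    return failures


@dataclass
class PasswordRecord:
    """Per-user Password Expiration from the Users form: Days, Accesses, or neither."""
    changed_on: date
    expire_days: int | None = None
    expire_accesses: int | None = None
    logins_since_change: int = 0


def password_expired(rec: PasswordRecord, today: date) -> bool:
    """True once either the Days or the Accesses limit has been reached."""
    if rec.expire_days is not None and (today - rec.changed_on).days >= rec.expire_days:
        return True
    if rec.expire_accesses is not None and rec.logins_since_change >= rec.expire_accesses:
        return True
    return False  # expiration "NONE": the password never expires


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, no_reuse_days=90)
    history = [(digest("Welc0me1", False), date(2007, 1, 1))]
    print(validate_new_password(policy, "jsmith", "welc0me1", history, date(2007, 6, 1)))
    print(password_expired(PasswordRecord(date(2007, 1, 1), expire_days=30), date(2007, 2, 1)))
```

With case sensitivity disabled, "welc0me1" and "Welc0me1" digest to the same value, so the reuse check rejects the lower-case variant of a recent password; with case sensitivity enabled they are different passwords. The checker is the kind of logic a "Sign on Password Custom" class would carry, which is why the page cautions that this one option can replace several others.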
Functionality for "Login Assistance" self service has been introduced in place of the Forgotten Password administrative function. It is not uncommon for system administrators to have to reset a user's forgotten password, or even advise a user of the account's user (login) name. This is unproductive for both the user, who cannot do any work in the meantime, and for the administrator. In addition, a user will occasionally request the password to be reset when it is actually the user name that has been forgotten, or vice versa. This type of occurrence leads to even more time being lost. A new feature reduces the time spent in such administrative activities by implementing a login help mechanism that is easily accessed from the EBS Login Page. A user simply clicks on the "Login Assistance" link located below the Login and Cancel buttons. On the screen that appears, you can either:
o Go to the Forgot Password section, enter the correct user name and then click on the "Forgot Password" button. You will then be emailed details of how to reset your password. The identity verification process required in previous Applications releases is no longer needed. Instead, a link to a secure page is sent to the email address of the user name defined in the system. From this secure page, the user can change the password immediately.
o Go to the Forgot User Name section, enter the email address associated with the account, and click on the Forgot User Name button. The user name will then be emailed to the address specified.
For security, the relevant data is stored securely in workflow tables, and the URLs employed have both an expiration time and a single-use limitation.

3.1. Control Considerations

3.1.1. Business Process Variables
o Not all password configurations are required to be used. Most of these configurations are profile options, set at the site level. However, password expiration is set for individual users. This flexibility does allow the client to risk-rate different users and require more or less frequent password changes based on the user's functional job responsibilities. For example, an inquiry clerk ID might not have any password changes enforced, but an HR manager having access to sensitive employee records might be required to change the password every 30 days. Regardless of the client's approach, the approach for implementing password parameters should be consistent.
o Strong company security policies will generally require password controls that are met by using all of the password configuration settings in Oracle with the exception of "Signon Password Custom". This password option has the potential of replacing one or more of the other password options. If this configuration is used, a good understanding of its features is suggested.

3.1.2. Control Dependencies
o If Single Sign On (SSO) functionality is enabled, this will influence password management in Oracle EBS. Where an SSO solution is used, the Oracle EBS password-related profile option settings might be overridden by the password settings in the SSO application.

3.1.3. Control Limitations
o Oracle has a known weakness with regard to the strength of the encrypted passwords. The process that Oracle uses to encrypt the passwords can be reverse-engineered, resulting in the original clear-text password being disclosed. The encrypted values are held in database tables (the FND_USER and FND_ORACLE_USERID tables referred to in the Testing Notes), so a compromise of any database account that can read them will compromise the APPS ID or any other sensitive database account. Refer to the Testing Notes for details on how this affects the review of the Oracle environment.
o The password expiration parameter is associated with each user record; therefore, consistent enforcement of password changes is not supported in Oracle.
o Clients tend to clone their production environment so that they may conduct application development and testing. If passwords are not changed when the production instance is cloned, individuals may be able to obtain PROD passwords within the test and development environments; a compromise in one of these lower-security environments will then significantly increase the risk of a compromise in the production environment.

1. S.  Ensuring all seeded / default accounts. 3. then a compromise in one of these lower security environments will significantly increase the risk of a compromise in the production environments. Testing Notes o The password weaknesses and control considerations discussed in this section are applicable to the EBS but are found in the Oracle database. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. • Provisioning is the process of automatically maintaining user records in various applications.FND_USER_VIEW. This can be accomplished by:  Verifying the account APPLSYSPUB does not have SELECT privileges on APPS. Often an APPSREAD or similar database account is created for support purposes or end-user query use. Where a SSO solution is used. • User management involves providing a common mechanism throughout the company of creating user accounts. Firm use only . the Oracle EBS password related profile options setting might be overridden by the password setting in the SSO application. 4. APPSMGR. An IdM solution involves five basic components: • Directory services focuses on providing a common view of an individual regardless of what databases and applications (and associated user IDs) to which that individual has access. an Identity Management ("IdM") solution could be used as the central point of creating. just as should be done with DBA_USERS. These accounts tend to be created with SELECT ANY TABLE system privilege.FND_ORACLE_USERID tables by all non-DBA accounts including any query-only accounts. managing the access granted to those user accounts. Oracle might not be the only application used.) even though these accounts may be already disabled. databases and operating systems that require their own internal authorisation mechanism as part of the overall IdM environment.  Ensuring the client has changed the passwords for all Oracle Applications 11i seeded accounts (SYSADMIN. 
Identity management is the process by which an employee is identified and managed consistently through each of the applications in use at the company. This issue should be addressed during a database review performed in conjunction with the Oracle EBS review.2.FND_USER and APPLSYS. and then disabling those accounts. o The goal is to limit access to the FND_USER table and the encrypted passwords. Identity Management 4. etc. Identity management with non Oracle ERP`s In many environments. In these situations. o Usage of SSO limits the existing Oracle EBS password management. Large companies could easily have multiple ERP`s or other systems in place to support its businesses. • Workflow is the business logic enabled that provides for the approval process and other notification activities required maintaining user accounts. If the system passwords are the same in a non-production environment as they are in production.4. updating and disabling users. GUEST. All rights reserved. except for SYSADMIN and GUEST.  Ensuring the passwords for Oracle EBS accounts are unique across each of the environments used in change control. which allows them access to FND_USER.  Ensuring the client has limited access to the APPLSYS. Page 49 of 89 Internal use only -. WIZARD. • Access control involves providing a common mechanism for allow/denying access to applications at the company.  Ensuring the client has created all new user accounts with strong and unique passwords. are disabled.development environments.U.
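As an added example that is not part of the practice aid, the password-control testing notes in section 3 above can be turned into the following Oracle SQL checks; they use only standard RDBMS dictionary views and EBS foundation tables and are run as a DBA account in each environment so that results can be compared across PROD, TEST and DEV.

```sql
-- Added example, not part of the practice aid: Oracle SQL checks for the
-- password-control testing notes in section 3. Run as a DBA account in each
-- environment (PROD, TEST, DEV) and compare results across them. Only standard
-- RDBMS dictionary views and EBS foundation tables are used; an empty result
-- is the clean state for checks 1 to 3.

-- 1. Who can read the tables holding encrypted application passwords?
--    Expected: no grantee other than the APPS schema itself.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'APPLSYS'
   AND table_name IN ('FND_USER', 'FND_ORACLE_USERID')
   AND grantee <> 'APPS'
 ORDER BY grantee, table_name;

-- 2. APPLSYSPUB (the pre-login schema) must not read APPS.FND_USER_VIEW.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APPLSYSPUB'
   AND owner = 'APPS'
   AND table_name = 'FND_USER_VIEW';

-- 3. Query accounts such as APPSREAD that hold SELECT ANY TABLE, directly or
--    through a role, can read FND_USER regardless of object grants.
SELECT grantee, privilege AS how_granted
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY TABLE'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT rp.grantee, 'SELECT ANY TABLE via role ' || rp.granted_role
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'SELECT ANY TABLE'
   AND rp.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1;

-- 4. Password expiration is stored on each user record (section 3.3.1):
--    NULL in both lifespan columns means a change is never enforced.
SELECT user_name, password_lifespan_days, password_lifespan_accesses,
       password_date, last_logon_date
  FROM applsys.fnd_user
 WHERE (end_date IS NULL OR end_date > SYSDATE)
   AND password_lifespan_days IS NULL
   AND password_lifespan_accesses IS NULL
 ORDER BY user_name;

-- 5. Site-level values of the Signon Password profile options (length,
--    failure limit, hard-to-guess, no-reuse, custom class).
SELECT po.user_profile_option_name, pov.profile_option_value
  FROM apps.fnd_profile_options_vl po
  JOIN applsys.fnd_profile_option_values pov
    ON pov.profile_option_id = po.profile_option_id
 WHERE UPPER(po.user_profile_option_name) LIKE 'SIGNON PASSWORD%'
   AND pov.level_id = 10001              -- 10001 = site level
 ORDER BY po.user_profile_option_name;
```

Any row returned by checks 1 to 3 is a finding to raise with the DBA team during the database review; check 4 lists the users whose expiration policy needs a business justification.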

[Figure: User creation and provisioning should be sourced at the IdM solution. The IdM holds users, access groups and responsibilities and feeds System 1, the Oracle ERP and System 2; technical and/or monitoring controls should be enabled to promote user creation and assignment from the IdM solution.]

4.2. Identity management within Oracle EBS
Oracle EBS, as part of the overall Oracle identity management framework, can be considered as one additional application to be included. The Oracle EBS has to be registered as an instance to the OID. In principle, users created in Oracle EBS are provisioned to OID (and vice versa). In addition there are some profile options (see profile options list) which have to be enabled, and some workflow events must be activated for the process from OID to Oracle EBS.

It is important to understand how the login and synchronization process works. Here is a brief description for the simplest cases. Please see the main documentation for more details. (Source: Oracle note ID 380487.1)

A. Authentication Phase: Validating a user's identity
User attempts to access a protected page from Oracle Applications Release 12. User is redirected to the Single Sign-On Server site, where the authentication starts. Single Sign-On Server verifies if the user is already authenticated (validates the cookie SSO_ID presented to this site). If the user is not authenticated, Single Sign-On Server displays a login page requesting a user name and password. Single Sign-On Server verifies the credentials against Oracle Internet Directory. The login page will continue to be presented until a valid username and password are provided. Once the username and password have been authenticated, Single Sign-On Server creates or updates the SSO cookie and redirects the browser to a predetermined Oracle Applications Release 12 page. Along with this request, encrypted and signed information regarding the authentication (user name for example) is sent in the redirect. Only the receiving site can decrypt it. If the decrypted information is valid, Oracle Applications Release 12 will create an application session (reflected in the session cookie named <sid>_<host>). The browser is redirected to the originally requested page.

B. Synchronization Phase: From Applications to OID
In Applications, user information is propagated to OID using DBMS_LDAP commands. Profile values are checked to verify that the user should be propagated to OID. If all checks pass, the changes are made to the user in OID.

C. Synchronization Phase: OID to Applications
When a change is made in OID, the change vector is stored (changeLog). When the DIP server wakes up, it will scan the new changeLog and will filter the changes using the provisioning profiles. For changes that are first in the profile, the DIP server will connect to the Applications database and will use a WF interface (WF_OID) to raise corresponding WF events. Later the WF Agent will process and implement the events.

However, with the usage of the new RBAC functionality, there might be enhanced usage of provisioning within Oracle EBS. Provisioning services are modelled as registration processes that enable end users to perform some of their own registration tasks, such as requesting new accounts or additional access to the system. They also provide administrators with a faster and more efficient method of creating new user accounts, as well as assigning roles. Registration Processes create Role Assignments, which are equivalent to RBAC policies, as these Role Assignments control the actions or access for a user. Therefore new functionalities are introduced in the new version R12:
o Introduction of the "User Management: Security Administration Set Up" Wizard for performing the following system administration functions: Defining User Administration Privileges for Roles; Defining Role Administration Privileges for Roles; Defining Organisation Administration Privileges for Roles.
o The functionality of "Administrator assisted request for additional access" is added as the fourth type of user registration process.

o Addition of the new field "Business Event Name" in the user registration process to record the custom business event that will be raised by Oracle User Management with context information for processing.

4.3. Control Considerations
4.3.1. Business Process Variables
o None
4.3.2. Control Dependencies
o None
4.3.3. Control Limitations
o None
4.3.4. Testing Notes
o When IdMs are in use, the practitioner should understand to what degree the IdM solution affects the Oracle Applications and the user provisioning process (e.g. the provisioning of non-existing users in OEBS to most likely users).
o When IdMs are in use, controls testing related to user management procedures should focus more on the use of the IdM.
o The risks vary depending on how the IdM is architected. For example, if users are created in the IdM and automatically sent to Oracle, is access to user provisioning in Oracle sufficiently restricted to prevent an Oracle System Administrator from creating a new user outside of the IdM? Depending on how the IdM is structured, the risk in this situation is that the IdM would never have knowledge of the new user.
o When IdM is used, controls testing should address gaps that might exist between the management of users in the IdM and in Oracle.
o When IdM is used, controls testing should also include change control and testing around the IdM as it relates to integrating with Oracle.
o Each new or changed user ID should have a completed authorisation request form, either via the Oracle EBS or via the OID application. This user ID authorisation form should clearly indicate the specific Oracle access (e.g. which Responsibility) that should be granted.

5. Multi organization access control
Oracle Release 12 introduced for the first time the concept of Multiple Organization Access Control (MOAC). Using the new MOAC functionality, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. Using MOAC, multiple operating units are assigned to a security profile. This security profile is then assigned either to responsibilities or directly to users. This functionality can be leveraged in shared service environments to improve efficiency of data processing. Examples of MOAC's impact on Oracle Payables are provided below:
o Enter invoices or batches of invoices for one operating unit, and then seamlessly enter invoices for another operating unit.
o Select invoices across operating units for payment processing within a single pay run.

5.1. Functionality
In the Oracle 11i environment, the E-Business Suite (EBS) uses the profile option MO: Operating Unit to link an operating unit to a particular responsibility. The system administrator must set this profile option for each responsibility. This process creates a one-to-one relationship between the responsibility and the operating unit. EBS allows a user to see only the information for the particular operating unit that is assigned to the responsibility. If a user wants to enter transactions or perform setup functions across several business units, then that user must be assigned multiple responsibilities with access to each of the relevant business units. The user must switch between responsibilities to perform updates to different business units. Even though the user can access one or more Operating Units, the user can only report data for one operating unit at a time.

With multiple organizations access control, a responsibility could have access to multiple operating units from a single responsibility. The old model of managing multi-organization access in Oracle 11.5.10 has been enhanced, but not replaced, by MOAC. The option to use the MO: Operating Unit profile option to enforce a one-to-one relationship between responsibilities and business units can still be used. Optionally, if an organization wants to provide multiple organization access from a single responsibility, then that organization will use MOAC. EBS introduces a new profile option that enables MOAC -- MO: Security Profile. MOAC provides the following two security profiles that enable users to access, process, and report data in multiple operating units from a single responsibility:
o MO: Security Profile - Allows the assignment of multiple operating units for the same business group.
o MO: Global Security Profile - Allows the assignment of multiple operating units across multiple business groups.

New reports in the various EBS modules are available as a result of MOAC and can be categorized by the following:
o Cross Organization Reports report data for one or more Operating Units.
o Multiple Organization Reports report data for one or more operating units from a single responsibility.
The MO: Security Profile option controls the operating units a user can submit a report for. The Reporting Level and Reporting Context determine the level a user can submit a report for.

The following profile options are relevant to MOAC:
o MO: Security Profile
o MO: Default Operating Unit
o MO: Operating Unit (legacy functionality)
o SLA: Enable data access set security in Sub-ledger
The last profile option might expose the client to a specific risk. If it is activated, users with Sub-ledger access cannot enter data into any ledger. If MOAC is used, users may be able to enter Journals in multiple ledgers through their sub-ledger level access (e.g. AP Subledger) if this profile option is deactivated. Further granular access controls can be achieved through set up of Definition Access Groups, covered under the General Ledger module.

5.2. Profile options
MO: Security Profile - This profile option needs to be set in order for the MOAC model to work. If a company wants to allow access across operating units from a single responsibility, the MO: Security Profile option needs to be defined. Within the MO: Security Profile option, there is also a Global profile option which allows a single responsibility to access across business groups (i.e. the highest level of organization in the hierarchy). This could be compared to a scenario where a user in the US subsidiary can access data in the UK subsidiary. The use of the Global Security Profile is currently not recommended, as this option allows a responsibility to access data across business groups, which presents an even greater risk to data and transaction security.
MO: Default Operating Unit - This profile option sets the default value of a specific operating unit for a given responsibility. However, this default value can be changed / overridden by the user if the MO: Security Profile is also defined. The MO: Security Profile will allow the user to choose from a drop-down list of operating units, so the default value is not enforced.
MO: Operating Unit - This profile option existed in 11i and prior. This profile option is used to establish and enforce a one-to-one relationship between responsibility and operating unit. For access purposes, this does not prevent the use of the MO: Security Profile option. If both MO: Security Profile and MO: Operating Unit profile options are defined for the responsibility or user, the system will grant access based on the rules defined in the MO: Security Profile option.
SLA: Enable data access set security in Sub-ledger - See comment above.
Exception: If a company is using journal tax functionality in GL, then the MO: Operating Unit profile option must be defined for the GL responsibility. However, the MO: Security Profile option will still take precedence over the MO: Operating Unit.

5.3. Control Considerations
5.3.1. Business Process Variables
o Take the time to understand the reason why a client might be using the MOAC model to grant a single responsibility access to multiple operating units. The client's IT operations should reflect a shared service environment to truly leverage the benefits of using MOAC. If there remains separate delegation within the shared service (i.e. employees are assigned to handle data for a specific region), then the client should consider using the traditional 11i multi-org model where a responsibility is restricted to a single operating unit. The MO: Security Profile option should NOT be enabled for this scenario.
5.3.2. Control Dependencies
o Consider this functionality in relation with other enhancements like ROBAC and proxy user.
o Additional considerations must be made if MO: Global Security Profile is used instead of just MO: Security Profile (e.g. this setting would allow a user in the US Company to access the UK Company's information).
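As an added example that is not part of the practice aid, the profile options of section 5.2 can be inventoried per responsibility with the following Oracle SQL; it assumes the standard EBS objects FND_PROFILE_OPTION_VALUES, FND_PROFILE_OPTIONS_VL, FND_RESPONSIBILITY_VL and HR.PER_SECURITY_PROFILES (where a NULL BUSINESS_GROUP_ID marks a global security profile), and classifies each responsibility by the access model described above.

```sql
-- Added example, not part of the practice aid: inventory the MOAC profile
-- options of section 5.2 at responsibility level and classify each
-- responsibility's access model. Assumes the standard EBS objects named in
-- the lead-in; user-level (level_id 10004) values should be reviewed the
-- same way. Run as APPS or a DBA account.
WITH moac AS (
  SELECT r.responsibility_id,
         r.responsibility_name,
         po.user_profile_option_name AS option_name,
         pov.profile_option_value    AS option_value
    FROM applsys.fnd_profile_option_values pov
    JOIN apps.fnd_profile_options_vl po
      ON po.profile_option_id = pov.profile_option_id
    JOIN apps.fnd_responsibility_vl r
      ON r.responsibility_id = pov.level_value
   WHERE pov.level_id = 10003                       -- responsibility level
     AND po.user_profile_option_name IN ('MO: Security Profile',
                                         'MO: Default Operating Unit',
                                         'MO: Operating Unit')
), pivoted AS (
  SELECT responsibility_name,
         MAX(CASE WHEN option_name = 'MO: Security Profile'
                  THEN option_value END) AS security_profile_id,
         MAX(CASE WHEN option_name = 'MO: Operating Unit'
                  THEN option_value END) AS operating_unit_id,
         MAX(CASE WHEN option_name = 'MO: Default Operating Unit'
                  THEN option_value END) AS default_ou_id
    FROM moac
   GROUP BY responsibility_id, responsibility_name
)
SELECT p.responsibility_name,
       sp.security_profile_name,
       -- a security profile with no business group is the Global variant
       CASE WHEN sp.security_profile_id IS NOT NULL
             AND sp.business_group_id IS NULL THEN 'GLOBAL (cross business group)'
            WHEN sp.security_profile_id IS NOT NULL THEN 'single business group'
       END AS profile_scope,
       p.operating_unit_id,
       p.default_ou_id,
       CASE WHEN p.security_profile_id IS NOT NULL
             AND p.operating_unit_id IS NOT NULL
            THEN 'both set: MO: Security Profile takes precedence'
            WHEN p.security_profile_id IS NOT NULL
            THEN 'MOAC: multiple operating units'
            ELSE 'legacy 11i: single operating unit'
       END AS access_model
  FROM pivoted p
  LEFT JOIN hr.per_security_profiles sp
    ON sp.security_profile_id = TO_NUMBER(p.security_profile_id)
 ORDER BY access_model, p.responsibility_name;

-- Site-level value of the sub-ledger data access set option (section 5.1):
-- deactivated means sub-ledger users may post journals into any ledger.
SELECT po.user_profile_option_name, pov.profile_option_value
  FROM apps.fnd_profile_options_vl po
  JOIN applsys.fnd_profile_option_values pov
    ON pov.profile_option_id = po.profile_option_id
 WHERE po.user_profile_option_name LIKE 'SLA: Enable%'
   AND pov.level_id = 10001;                         -- site level
```

Rows with profile_scope = GLOBAL are the ones section 5.2 recommends against; rows with access_model = MOAC are the responsibilities whose SOD review needs the per-operating-unit view described in the testing notes.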

5.3.3. Control Limitations
o N/A
5.3.4. Testing Notes
o Begin testing by understanding what kind of Multi-Org Access Control is being used by the client. Then, understand how the MOAC module impacts the SOD environment. From a segregation of duties perspective, if MOAC is used to allow access to multiple operating units from a single responsibility, then in an AP review, for example, a user having access to create vendors in operating unit A, create invoices in operating unit B, and process payment in operating unit C is not a true SOD violation. Based on the Gate report, this might be identified as a violation of SOD rules, which is true if a user is able to do all the above functions in a single operating unit. Keep in mind that a true segregation of duties violation exists when a user is able to have conflicting functions within an organization/operating unit for transaction modules such as AP and PO, within a ledger/ledger set for the GL module, within an asset for the FA module, and within an inventory org for the INV module, depending on the Oracle module.
o Consider the impact if the sub-ledger profile option is enabled, and understand how the ledger / ledger sets are impacted based on the organization structure of the company. For further details on this concept, refer to the GL practice aid for information on Data Access Sets and Definition Access Sets.

G. Application Support Responsibilities and Users
1. Support Responsibilities
1.1. Oracle System Administration
In releases prior to 11.5.10, Oracle would come with one system-administration ID with system-wide primary responsibility. In 11.5.10, the system support features have been separated.
Responsibility: System Administrator
System Administration Features:
• Technology/Infrastructure management
• System diagnostics
• Security -- User, responsibility, audit trail management
• Concurrent process management
• System-wide application configuration capabilities
• Workflow management
By default, no auditing is enabled for the system administration / support responsibilities. Please see the Auditing section of this Practice Aid for further information.
1.2. Application Developer
The Application Developer responsibility is a responsibility that is shipped with Oracle. This responsibility is used to develop and register new functionality within the Oracle EBS. Additionally, Application Developer can update system-wide configurations.
1.3. Alert Manager
Oracle Alerts are system notifications that inform users of sensitive events occurring within Oracle. These events are defined by client management. Alerts can send notifications at the time of the event or simply send a periodic message about a certain type of event. Clients generally leverage Alerts as key components of their monitoring controls. Users having access to the Alert Manager can modify any/all Alerts and disable them if needed.

The Alert Manager can enable/disable the Alert. The Alert Manager can modify what is being monitored.
1.4. Workflow Administrator
Workflow is the automatic routing of documents (physical or electronic) to the individuals responsible for working on them. Workflow also provides the information required to support each step of the business cycle. The flow of physical documents in an organization is subject to errors and delays. Workflow sets timers that ensure that documents move along at a prescribed pace and that the appropriate person processes them in the correct order.
The Oracle Workflow Administrator can build, implement, and run workflows in the production environment. The Oracle Workflow Administrator responsibility grants the individual the ability to perform these activities. This access is granted through the Administration tab in Oracle Workflow. This powerful access, however, is generally limited to the user's own workflows. To impact system-wide workflows, the Workflow Administrator role must be assigned to the user. Workflow administrator capabilities are required to assign another individual this role. The ability to view and update anyone's workflow has significant implications. If an individual had access to the workflow administrator role, sensitive transactions could be initiated directly in workflow. The following example identifies how to create a new sales order through workflow: the individual selects the order entry process workflow and selects the "Run" option.

After selecting the "Run" icon, the user is then prompted with the required information to launch the process: the individual will supply the required elements and select submit to initiate a new sales order. In this circumstance, the workflow administrator could initiate a new drop shipment sales order without having direct access to the order entry forms. This process is the same for any workflow-related process throughout the application. In addition to initiating sensitive workflows, as noted below, the workflow administrators can approve/reject/delete any transaction currently in process under workflow via the view diagram form.

The workflow administrator can reassign workflows to any active user, or they can expedite (cancel or approve) any workflow process.
1.5. Diagnostics Utility
The diagnostics utility is a feature that assists troubleshooting application functionality. This feature is controlled by two system profile options:
• Hide Diagnostics menu entry, and
• Utilities: Diagnostics.
Business end users should not have access to this feature for the following reasons:
• Form Personalisation is a new feature in Oracle EBS 11.5.10 and is available in the diagnostics area. Form Personalisation has the capability in Oracle to perform system-wide customisation. This customisation ranges from protecting field-level data on a form to hiding entire forms. If the client is relying on Personalisation for tuning controls, then allowing business end users the ability to access this feature will circumvent the intended control.
• Many of our clients also utilise the custom.pll programming interface to fine tune security and data protection on a form. This custom code can be disabled through the diagnostics feature. This feature is available in the Diagnostics area.
• The "examine" and "properties" capabilities under the diagnostics menu provide an individual with specific information regarding the nature of the information and data used. In some situations, the individual can even update data in the application through this feature.

Diagnostics capabilities summarised:
• Gives the users detailed information about the application and data
• Enable/Disable custom.pll code
• Modify Personalisation
1.6. Processing/Program Management
Batch Processes as well as report requests are generated through the concurrent request manager. The Concurrent Manager is a utility within Oracle that allows a user to manage the various requests that run various jobs and at the same time still allows the user to have the ability to transact within the system. The User ID who requests a concurrent program or report to be run will have their User ID assigned and tracked within the application.
1.7. Application Manager
Oracle Application Manager is a powerful tool that allows a user to:
o Monitor and support business flows within Oracle E-Business Suite
o Edit or delete workflows
o Manage concurrent manager

The following screen-shot depicts the available administrative functionalities within Application Manager. [Screen-shot: Oracle Application Manager administrative functions.] Taking the functionality business flow (business flows consist of workflows), the system administrator can manage the business flow functionality as depicted in the following screen-shots.

[Screen-shot: choose the Order to Cash flow; the workflows appear below the business flow.]

1.8. Control Considerations
1.8.1. Business Process Variables
o Oracle does not have detailed security around Alerts. The Alert Manager will provide access to all Alerts. If the client makes extensive use of Oracle Alerts, access to the Alert Manager should be restricted.
1.8.2. Control Dependencies
o None
1.8.3. Control Limitations
o The Application Developer comes with the Process Navigator Tab enabled.
o The seeded Application Developer responsibility also contains the menus needed to change Key Flexfields (i.e. General Ledger Accounting Flexfield), which creates a segregation of duties issue. There is a legitimate need for an Application Developer to have access to Key Flexfield definitions, but usually this access is restricted to a test or development environment only. Given the purpose and access granted, formal change control procedures for this responsibility should be active in the production environment.
1.8.4. Testing Notes
o An Alert by itself is not a control. The Alert only notifies management to perform some activity. PwC should consider and test the procedures required of management as a result of the alert.
o Workflow controls should not be limited to the approval hierarchy and distribution list. Practitioners should consider testing any Workflow-related transactions on a substantive basis to ensure transactions are processed in accordance with management's control objectives and policies.
o The ability to view and update anyone's workflow has significant implications. If an individual had access to the workflow administrator role, sensitive transactions could be initiated directly in workflow.
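As an added example that is not part of the practice aid, the support responsibilities of section 1, the two diagnostics profile options of section 1.5 and the system-wide Workflow Administrator role of section 1.4 can be listed with the following Oracle SQL; it assumes the standard EBS views FND_USER_RESP_GROUPS and FND_RESPONSIBILITY_VL, the seeded responsibility display names, and the WF_ADMIN_ROLE token in WF_RESOURCES.

```sql
-- Added example, not part of the practice aid: who holds the support
-- responsibilities of section 1, how the two diagnostics profile options of
-- section 1.5 are set, and which role carries Workflow Administrator
-- privileges. Assumes the standard EBS views FND_USER_RESP_GROUPS and
-- FND_RESPONSIBILITY_VL and the seeded responsibility display names.

-- 1. Active assignments of the powerful seeded support responsibilities.
SELECT r.responsibility_name, u.user_name, urg.start_date, urg.end_date,
       u.last_logon_date
  FROM apps.fnd_user_resp_groups urg
  JOIN applsys.fnd_user u
    ON u.user_id = urg.user_id
  JOIN apps.fnd_responsibility_vl r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id    = urg.responsibility_application_id
 WHERE (r.responsibility_name IN ('System Administrator',
                                  'Application Developer',
                                  'Alert Manager')
        OR r.responsibility_name LIKE 'Workflow Administrator%')
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
   AND (u.end_date   IS NULL OR u.end_date   > SYSDATE)
 ORDER BY r.responsibility_name, u.user_name;

-- 2. Diagnostics profile options at every level. For business end users the
--    expected values are Hide Diagnostics menu entry = Yes and
--    Utilities: Diagnostics = No; a responsibility- or user-level override
--    of either is what to follow up.
SELECT po.user_profile_option_name,
       DECODE(pov.level_id, 10001, 'SITE', 10002, 'APPLICATION',
                            10003, 'RESPONSIBILITY', 10004, 'USER',
                            TO_CHAR(pov.level_id)) AS level_name,
       pov.level_value,
       pov.profile_option_value
  FROM apps.fnd_profile_options_vl po
  JOIN applsys.fnd_profile_option_values pov
    ON pov.profile_option_id = po.profile_option_id
 WHERE po.user_profile_option_name = 'Hide Diagnostics menu entry'
    OR po.user_profile_option_name LIKE 'Utilities:%Diagnostics'
 ORDER BY po.user_profile_option_name, pov.level_id, pov.level_value;

-- 3. The system-wide Workflow Administrator role (section 1.4) is held in
--    the WF_ADMIN_ROLE token; a value of '*' gives every user that privilege.
SELECT DISTINCT text AS workflow_admin_role
  FROM applsys.wf_resources
 WHERE name = 'WF_ADMIN_ROLE';
```

Each user returned by check 1 should map to a named support role with change-control coverage; a '*' from check 3 means the drop-shipment example above could be initiated by any application user.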

Page 64 of 89 Internal use only -. S. • • • • • • • • • • • • ANONYMOUS APPSMGR ASGADM ASGUEST AUTOINSTALL CONCURRENT MANAGER FEEDER SYSTEM GUEST GUESTADMIN GUESTUSER IBEGUEST IBE_ADMIN • • • • • • • • • • • • IBE_GUEST IEXADMIN INITIAL_SETUP IRC_EMP_GUEST IRC_EXT_GUEST MOBILEADM OP_CUST_CARE_ADMIN OP_SYSADMIN PORTAL30 PORTAL30_SSO SYSADMIN WIZARD PwC should review these accounts and ensure that only required user IDs in this are enabled and that all default passwords are changed. Application Support User IDs 2. Control Dependencies o None 2. The Guest password is stored as a site-level system profile option . Guest ID The Guest ID in Oracle EBS is required for all users.3. like all default IDs.1. Control Limitations o None 2.2. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers. Business Process Variables o None 2. The default value for this profile option is GUEST/ORACLE.2. These IDs are used to own and manage most. 2. 2. Testing Notes o None 3. These seeded / default IDs should not be included in a list of generic accounts reported to the client. Control Considerations 2. sensitive transactions could be initiated directly in workflow. APPS Database ID A common approach to application design for many web-based applications.3. Disabling this ID will prevent all users from being able to log in to the application. This ID should have no responsibilities associated with it.Guest User Password.3.4. Firm use only .3. If an individual had access to the workflow administrator role.3. is changed after installation.o The ability to view and update anyone's workflow has significant implications. 2.3. or only those required to support authentication for the selfservice applications.1. All rights reserved. This ID is used during the login / authentication process to validate the user's credentials.U. includes the use of global database accounts (or IDs). Default/Seeded User IDs The following user IDs are shipped with Oracle EBS. 
Recommended practice is that the password. including ERP`s.

3. APPS Database ID

A common approach to application design for many web-based applications, including ERPs, includes the use of global database accounts (or IDs). These IDs are used to own and manage most, if not all, application components in the database. Examples of use by these IDs include connection pooling (for better performance) and cross-functional access by the application within the database. In the Oracle E-Business Suite, the global database ID that owns the application schema is called "APPS". APPS is unique to Oracle E-Business Suite and is not applicable to any other application.

Because these IDs own the application components in the database, many of the activities performed in the application have some relationship to APPS. Many of the stored procedures/packages will not function correctly unless executed by APPS. Note: Many of the inherent functions called by the APPS ID cannot be substituted with other database administrator IDs such as SYSTEM, SYS, or other custom administrator IDs.

The APPS ID is not an application ID and cannot be used by an end-user to log in to the application. The APPS ID is stored in the "SYS.DBA_USERS" table in the Oracle database. This table is where database user IDs are stored and is found in every instance of the Oracle database. Oracle E-Business Suite user IDs such as SYSADMIN are stored in an application-specific table called FND_USERS. The FND_USERS table will only be found in E-Business Suite environments. Although technically this ID relates to the Oracle database, this issue should be addressed during a database review performed in conjunction with the Oracle EBS review.

Unlike other ERP packages, the Oracle E-Business Suite environment does not have a formal change control process embedded into the functionality of the application (including physical application files and database components). However, certain features of the Oracle E-Business Suite require the use of the APPS ID password in order to be utilized. These diagnostics features are accessed through a restricted menu in the application; the APPS password is generally required to access these diagnostics. Additionally, application DBAs require the use of APPS to help determine and remediate performance issues. Lastly, they are used during implementations and patch upgrades. However, not every maintenance procedure needed to be performed by the client requires the use of the APPS ID. For example, system backups should be able to be performed by other database administrator IDs.

Understanding the proper use of the APPS ID is key for the client and for us to gain comfort with regards to management's culture and company-level controls.

3.1. Risk

The use of a generic, all-powerful database ID, such as APPS, with direct and ongoing access to key data, presents a heightened risk that unauthorized changes to the database may go undetected due to the difficulty in monitoring its appropriate use. Use of the APPS ID in the Oracle EBS results in a shared, all-powerful ID where user accountability is reduced. The APPS ID grants privileged users, such as DBAs, authorized or not, the same unrestricted access. Once the data is in the database, it is subject to additional changes.

The use of the APPS ID increases the following risks:

• Unauthorised changes to any application data or object - By design, the APPS ID is the primary schema owner for Oracle EBS; therefore, it can access/update any data in the database.
• Reduced ability to monitor changes made by this ID - Without auditing at the database level, logging and monitoring is challenging. However, the audit trail created by this ID would potentially be too large to be of use and would have a detrimental effect on application performance. There is also reduced comfort that application controls and other security measures are working as intended.

This places increased risk related to the use of the APPS ID and therefore greater pressure on the need to obtain a reasonable level of comfort on the appropriate use of APPS.

3.2. Potential Automated Solutions

The inherent auditing mechanism in the Oracle database (and related Application Programming Interfaces - APIs such as the "Audit API") can be used to help monitor changes to the database and is discussed later. However, these auditing mechanisms in the application and in the database are not sufficient to allow for effective monitoring of the APPS ID. Specifically, functionality in other third party tools provides tighter control over Oracle E-Business Suite change control procedures. Oracle is currently introducing its IT Auditor module for the E-Business Suite which will further help with change control. Oracle is also introducing Database Vault which addresses segregation of duties within the database. Oracle Database Vault addresses some of the most common database security problems and internal threats by:

• Restricting the DBA and other privileged users from accessing application data
• Preventing the Application DBA from manipulating the database and accessing other applications
• Providing better control over who, when & where an application can be accessed

Refer to Oracle Metalink at https://metalink.oracle.com/.

Additionally, Oracle-native security is not the only way to restrict access to the database. Other features can be implemented to help ensure that access to the database is controlled. Through the use of native Oracle security features found within SQLNET (sqlnet.ora configuration file) and the LISTENER (listener.ora configuration file), Oracle can be configured to only allow connections from certain locations or IP addresses. Specifically, the listener.ora file has an optional section where a list of authorized connection sources is listed. An intrusion detection system (IDS) including firewalls and other hardware/software could isolate the database server. IDS security could limit access to pre-determined locations. IDS monitoring and reporting features could also be used. Either approach, individually or collectively, is a control we recommend.

3.3. Control Considerations

The overall approach for managing this issue (and subsequent testing) is a combination of IT monitoring controls, good company-level controls and good policies and procedures. The IT controls that can be implemented include monitoring sensitive access to the database, monitoring sensitive changes to the database, protecting the audit trail and restricted access. Even though ERP transactional data is generally very complex and difficult to initiate from the database, the possibility does exist that inappropriate business information can be initiated from the database and processed. Management should also have fraud monitoring controls in place for key employees and users of the application. To augment basic monitoring procedures over the APPS ID, the business process controls mentioned could provide a significant amount of risk mitigation.

3.3.1. Access to APPS Password

Generally, the requirements for using this ID would be similar to those of an emergency or "fire-call" ID. The exception with the APPS ID is that periodic change of the password is not suggested, since the application itself uses the ID to perform certain actions and procedures. Changing the APPS password should be a controlled and planned event to ensure that an unplanned system outage does not occur due to password errors. Failure during this password change process could, and probably will, bring down the system. This risk is especially true if the client makes use of custom routines that require the APPS password; these routines would need to be modified as well in order to function properly. While Oracle does provide some ability to dynamically change application passwords while the system is still live, we do not suggest this approach in managing these passwords.

Unless the client has a very strong reason to the contrary (exceptions should be discussed with the PwC Oracle SME team), the core DBA team are the only individuals who should have access to this password. Even then, the APPS password should be restricted to a limited number of individuals in that team. These are the same individuals who know the SYSTEM and SYS passwords. Technically, the application end-users should not have access to this password. If needed, the core DBA team could implement its own internal fire-call system for this ID.

3.3.2. Valid APPS ID Users

Valid use of APPS by individuals should relate only to formal IT activities in support of the application that require the use of the APPS ID and that cannot be executed by other IDs. These activities should be limited to implementation/patch maintenance and startup/shutdown of middle-tier services. Another typical type of activity that requires the APPS ID is the need to run diagnostic scripts and data fixes authorized by Oracle Support. Normal database maintenance activities such as system backup and most statistics can be performed using SYSTEM or other database administrator IDs with equivalent rights.

3.3.3. Monitoring of APPS

The use of APPS is generally not monitored formally. The reasons are noted above: detailed monitoring activity performed on this ID will probably produce a voluminous audit trail and have a detrimental effect on system performance. However, some monitoring should occur. The objective is reasonable (not complete) assurance that APPS is used appropriately. Reasonable assurance should only require monitoring to a sufficient level that its use can be tied to formal change request activities or those used to recover normal operations. The activity in the resulting audit trail should then be able to be matched to the access request log and the maintenance activities. This monitoring should also be tied to a stated policy on its use: documented and acknowledged policies and practices on the repercussions of its use when not used as approved. These repercussions should be significant enough to have an impact on the culture. Management should have a support department large enough for effective monitoring.

3.3.4. Database Triggers

When APPS and other highly sensitive database IDs are used, an important element to consider is whether or not the ID was used (or at least appeared to be used) by the application. To support this control, a login trigger can be developed and implemented to track when database IDs connect to the database. By excluding the application server locations, an audit trail can be created to identify when these IDs are used but not by the application, such as the application server itself. When these IDs are used outside of the application, these situations should be documented and follow-up procedures should be performed. The use of a second trigger, a logoff trigger, is essential to this audit trail in that the duration of time used by the ID can also be recorded. Technically, setting up the triggers and audit trail is not complicated. The true cost of ownership will involve the monitoring and follow-up activities. Performance impact (if any) as a result of these triggers is not known and could vary based on client implementations.

To augment the login/logoff trigger, an additional trigger could be enabled to monitor all database structure changes. DDL transactions (data definition language) are those activities that change the structure of the database: creating, altering and dropping tables, indexes, triggers, stored procedures, etc. This trigger should be natively available in Oracle. Almost all the activity performed within Oracle E-Business Suite involves transactions related to data, not the database structure. Enabling a DDL trigger should not have a significant impact on system performance and should be able to be effectively used to monitor database changes. The related benefits include a more complete picture with regards to change control and maintenance activities.
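
The login/logoff and DDL triggers described above, written out as an added example; this is not code from the practice aid or from Oracle. The SECAUDIT schema, the table, sequence and trigger names and the application-server host names are assumptions for illustration, and the list of sensitive IDs (APPS, APPLSYS, SYS, SYSTEM) should be adjusted to the client's environment.

```sql
-- Added example, not the practice aid's own code: a custom audit trail fed by
-- logon, logoff and DDL triggers. The SECAUDIT schema, object names and the
-- application-server host names are assumptions for illustration. Run as a
-- DBA: database-level triggers require ADMINISTER DATABASE TRIGGER.
CREATE SEQUENCE secaudit.db_session_audit_seq;
CREATE TABLE secaudit.db_session_audit (
  audit_id    NUMBER        NOT NULL,
  event_type  VARCHAR2(6)   NOT NULL,                 -- LOGON, LOGOFF or DDL
  event_time  TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  db_user     VARCHAR2(30)  NOT NULL,
  os_user     VARCHAR2(128),
  client_host VARCHAR2(256),
  client_ip   VARCHAR2(64),
  session_id  NUMBER,            -- USERENV SESSIONID links LOGON to LOGOFF
  ddl_text    VARCHAR2(4000),
  CONSTRAINT db_session_audit_pk PRIMARY KEY (audit_id)
);
-- Hosts from which the application itself connects as APPS (constructed
-- sample values); sessions from anywhere else are what the trail surfaces.
CREATE TABLE secaudit.app_server_hosts (host_name VARCHAR2(256) PRIMARY KEY);
INSERT INTO secaudit.app_server_hosts VALUES ('ebsapp01.example.internal');
INSERT INTO secaudit.app_server_hosts VALUES ('ebsapp02.example.internal');
COMMIT;

-- Logon trigger: record the sensitive IDs only when the connection is not
-- from a registered application server. The WHEN OTHERS handler is
-- deliberate: a failing logon trigger blocks every login except DBAs.
CREATE OR REPLACE TRIGGER secaudit.trg_sensitive_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user  VARCHAR2(30)  := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_host  VARCHAR2(256) := SYS_CONTEXT('USERENV', 'HOST');
  v_known NUMBER;
BEGIN
  IF v_user IN ('APPS', 'APPLSYS', 'SYS', 'SYSTEM') THEN
    SELECT COUNT(*) INTO v_known FROM secaudit.app_server_hosts h
    WHERE  UPPER(h.host_name) = UPPER(v_host);
    IF v_known = 0 THEN
      INSERT INTO secaudit.db_session_audit
        (audit_id, event_type, db_user, os_user, client_host, client_ip, session_id)
      VALUES (secaudit.db_session_audit_seq.NEXTVAL, 'LOGON', v_user,
              SYS_CONTEXT('USERENV', 'OS_USER'), v_host,
              SYS_CONTEXT('USERENV', 'IP_ADDRESS'), SYS_CONTEXT('USERENV', 'SESSIONID'));
    END IF;
  END IF;
EXCEPTION
  WHEN OTHERS THEN NULL;   -- never block logins because auditing failed
END;
/

-- Logoff trigger: written only for sessions the logon trigger recorded, so
-- the duration of each out-of-application session can be reported.
CREATE OR REPLACE TRIGGER secaudit.trg_sensitive_logoff
BEFORE LOGOFF ON DATABASE
DECLARE
  v_sid   NUMBER := SYS_CONTEXT('USERENV', 'SESSIONID');
  v_count NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_count FROM secaudit.db_session_audit
  WHERE  session_id = v_sid AND event_type = 'LOGON';
  IF v_count > 0 THEN
    INSERT INTO secaudit.db_session_audit
      (audit_id, event_type, db_user, os_user, client_host, client_ip, session_id)
    VALUES (secaudit.db_session_audit_seq.NEXTVAL, 'LOGOFF',
            SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'),
            SYS_CONTEXT('USERENV', 'HOST'), SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_sid);
  END IF;
EXCEPTION
  WHEN OTHERS THEN NULL;
END;
/

-- DDL trigger: every structure change by any ID (not only APPS) is recorded
-- with the object touched. ORA_* are Oracle's system-event attribute functions.
CREATE OR REPLACE TRIGGER secaudit.trg_ddl_audit
AFTER DDL ON DATABASE
BEGIN
  INSERT INTO secaudit.db_session_audit
    (audit_id, event_type, db_user, os_user, client_host, client_ip, session_id, ddl_text)
  VALUES (secaudit.db_session_audit_seq.NEXTVAL, 'DDL',
          SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'), SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          SYS_CONTEXT('USERENV', 'SESSIONID'),
          ORA_SYSEVENT || ' ' || ORA_DICT_OBJ_TYPE || ' ' ||
          ORA_DICT_OBJ_OWNER || '.' || ORA_DICT_OBJ_NAME);
END;
/

-- Review query: sensitive-ID sessions outside the application with their
-- duration, to be matched against the access request log.
SELECT l.db_user, l.os_user, l.client_host, l.client_ip,
       l.event_time AS logon_time, o.event_time AS logoff_time,
       o.event_time - l.event_time AS duration
FROM   secaudit.db_session_audit l
       LEFT JOIN secaudit.db_session_audit o
         ON  o.session_id = l.session_id AND o.event_type = 'LOGOFF'
WHERE  l.event_type = 'LOGON'
ORDER  BY l.event_time DESC;
```

Two design points matter for the control to hold: the audit table lives in its own schema rather than under APPS or a DBA account (otherwise the ID being monitored can edit its own trail, the concern taken up under Protecting the Audit Trail), and the host check relies on the client-reported HOST value, so the review should also compare CLIENT_IP against the known application-server addresses. Because the DDL trigger fires for the trail's own objects, a later modification of these triggers is itself recorded, which is exactly the case the note on DDL monitoring raises.
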

Note: The DDL trigger should capture all structure changes and not be limited just to APPS. Changes to standard E-Business Suite tables and views should be noticed by the end users of the system fairly quickly. Changes to triggers and stored procedures are custom code that could alter the results of control activities. E.g. if management had implemented the logon/logoff controls above, they would want to know if that trigger had been subsequently modified. The benefits of this control would include monitoring of some custom configurations designed and implemented to support management's key controls. The cost of this control would involve protecting the audit trail and independent review. We should only recommend this control if management is leveraging some sort of customization in the database to support key controls.

3.3.5. Detailed Auditing

Detailed auditing of the APPS ID or any other database ID used by the application is not suggested while the application is live and supporting production activities. If detailed auditing is attempted, it should only be performed while the application is down and under change control. Procedurally, the audit mechanism for the APPS ID or other sensitive database IDs would have to be enabled prior to its use and disabled prior to the application going live again. Occasionally, our clients have considered this control in an attempt to better document the actual activities performed under change control. The cost of this control includes additional procedures pre/post change control to enable/disable the detailed auditing. The true benefits of this control are probably outweighed by existing business process controls. Unless management's circumstances are really unusual, this is a control we would not generally recommend.

The Oracle database supports two different ways to record audit trail information: 1) outside the database on the operating system, and 2) within the database.

3.3.5.1. Outside the Database on the Operating System

Oracle can write each audit event to a separate file on the operating system. The benefit of this approach is that large volumes of audit events do not impact database capacity. One cost of this approach is that it does not easily support streamlined reporting.

3.3.5.2. Within the Database

The Oracle database can record the audit trail within the database. The benefit of this approach includes a consistent format that can be used for consolidated reporting. The costs of this approach include 1) a greater risk of inappropriate audit trail modifications, and 2) increased database capacity requirements. If management can prove that it can effectively protect this audit trail from inappropriate updates and can report against the information, then this is an acceptable approach.

3.3.6. Protecting the Audit Trail

The objective is to ensure that DBAs and other individuals with very sensitive access do not have the ability to alter the audit trail created by the database. However, the audit trail will be owned by the database; therefore, the DBA probably has access to the audit trail. To support this approach, the following items should be collectively considered:

• The use of individual database administrator user IDs and custom database roles. This approach to assigning access to DBAs can provide sufficient access to administer the database but prevent updates to the audit trail. These custom roles would not allow updates to the audit trail. Again, the objective is to protect the audit trail from high-level access.
• Formal fire-call / request procedures for the use of default DBA IDs such as SYS and SYSTEM.
• As a precaution against default DBA IDs updating the audit trail, enable auditing over the audit trail. While detailed information might not be available regarding the update, enabling auditing over the audit trail will at least identify that the audit trail was modified. Follow-up activities should then be performed to understand why the audit trail was updated.
• The audit trail should be sent to the operating system, away from the control of the DBA. Ideally, the audit trail would be sent through the system logging facility on the operating system. This approach would further separate the audit trail from the DBAs. The implemented status of this approach, however, is not currently known. Note: Several of our clients have considered this approach. If the audit trail is copied out of the database infrequently, a greater need is realised to enforce individual user IDs and custom roles in the database. The frequency by which the audit trail is sent to the operating system should be assessed against the feasibility of enforcing individual user IDs and custom roles.
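
The four items above map onto a handful of database settings and checks. The following is an added example written for this section, not configuration from the practice aid or from Oracle's documentation. The parameter and privilege names are standard Oracle (10g Release 2 / 11g); the syslog facility LOCAL1.WARNING, the role name EBS_DBA_OPS and the user JSMITH are illustrative assumptions, and whether auditing SYS.AUD$ itself is permitted depends on the database release, so confirm on the client's version.

```sql
-- Added example (not the practice aid's own): database settings that support
-- the items above. Parameter and privilege names are standard Oracle 10gR2/11g;
-- the syslog facility LOCAL1.WARNING, the role name and the grantee are
-- illustrative assumptions. Whether SYS.AUD$ itself can be audited is
-- release-dependent; confirm on the client's version.

-- Item 4: write the trail to the operating system and on to syslog, away from
-- DBA control. AUDIT_SYSLOG_LEVEL needs AUDIT_TRAIL = OS; both take effect on
-- restart. AUDIT_SYS_OPERATIONS also captures what SYS / SYSDBA sessions do.
ALTER SYSTEM SET audit_trail = 'OS' SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Item 3: where the trail must stay in the database (AUDIT_TRAIL = DB), audit
-- changes to the audit trail itself so that any tampering is at least recorded.
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

-- Item 1: an individual DBA account with a custom role instead of the shared
-- DBA role. The grants cover routine administration but deliberately omit
-- DELETE ANY TABLE / UPDATE ANY TABLE, which would reach SYS.AUD$.
CREATE ROLE ebs_dba_ops;
GRANT CREATE SESSION, ALTER SYSTEM, CREATE TABLESPACE, ALTER TABLESPACE,
      DROP TABLESPACE, SELECT ANY DICTIONARY, ANALYZE ANY,
      CREATE ANY INDEX, ALTER ANY INDEX TO ebs_dba_ops;
CREATE USER jsmith IDENTIFIED BY "change-me-at-first-login";   -- placeholder
GRANT ebs_dba_ops TO jsmith;

-- Review queries (when AUDIT_TRAIL = DB): who changed SYS.AUD$, and whether
-- the protective settings above are actually in place.
SELECT timestamp, username, os_username, userhost, action_name, returncode
FROM   dba_audit_trail
WHERE  owner = 'SYS' AND obj_name = 'AUD$'
AND    action_name IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY timestamp DESC;

SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_syslog_level', 'audit_sys_operations');

SELECT owner, object_name, ins, upd, del
FROM   dba_obj_audit_opts
WHERE  owner = 'SYS' AND object_name = 'AUD$';
```

The two halves are alternatives, not a single configuration: with AUDIT_TRAIL = OS the DBA_AUDIT_TRAIL view stays empty and the review moves to the syslog host, which is the point of the item; with AUDIT_TRAIL = DB the AUD$ audit option and the custom role are what stand between a DBA and the trail. Item 2 (fire-call procedures for SYS and SYSTEM) is a process control and has no setting, but AUDIT_SYS_OPERATIONS gives the evidence to reconcile against the fire-call log.
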

H. System Profile Options

System Profile Options are system parameters that can have a global impact on Oracle EBS. Those same parameters can also have only a limited effect on the system. The overall effect of the parameters on the system is dependent on which level the parameters are configured at: site, application, responsibility and user.

1. Site-Level

System Profile Options at the site level have global impact on Oracle EBS. For example, the default Ledger name is set at the site level. If Oracle responsibilities are not explicitly assigned to Ledger names, then, by default, they are assigned to the site-level default Ledger name.

1.1. Control Considerations

1.1.1. Business Process Variables
o None

1.1.2. Control Limitations
o None

1.1.3. Control Dependencies
o None

1.1.4. Testing Notes
o System profile options at the site level can be effectively tested online. GATE reports can also be used.

2. Application-Level

System Profile Options at the application level only have impact on the application associated with the particular parameter. Application-level system profile options override site-level system profile options. For example, sequential numbering could be set to "Partially Used" at the site level, but set to "Gapless" in Payables. In this situation, "Gapless" sequential numbering will be used in Payables, but "Partially Used" will be enforced in the other Oracle modules.

2.1. Control Considerations

2.1.1. Business Process Variables
o None

2.1.2. Control Limitations
o None

2.1.3. Control Dependencies
o None

2.1.4. Testing Notes
o System profile options can be tested online for applications in scope. GATE reports can also be used.

3. Responsibility-Level

System Profile Options at the responsibility level only have impact on the responsibility associated with the particular parameter. Responsibility-level system profile options override those system profile options at the site and application levels. Oracle responsibilities are generally associated with a specific Ledger name and operating organization by using responsibility-level system profile options. For example, "ABC Responsibility" could be assigned to "Ledger name B and Org B" respectively at the responsibility level, even though the site-level Ledger name and operating organization are set to "Ledger name A and Org A" respectively. The responsibility-level assignment will be the one that is enforced.

An important concept with regards to responsibility assignments is that they do not have to correspond to the Ledger name and operating organization relationships defined in Oracle EBS. For example, Org 1 and Org 2 might be associated with Ledger name 1. However, "ABC Responsibility" could be assigned to Org 2 and Ledger name 4 at the responsibility level. Again, this situation would be enforced even though the Ledger name / Org relationship is not consistent with the overall legal structure. In addition, you can assign a responsibility to several organizations. Please refer also to the chapter about Multiple Organizations Access Control (MOAC).

3.1. Control Considerations

3.1.1. Business Process Variables
o None

3.1.2. Control Limitations
o None

3.1.3. Control Dependencies
o None

3.1.4. Testing Notes
o System profile options at the responsibility level cannot be effectively tested online unless specific responsibilities are being tested. GATE reports should be used; otherwise, a custom query made by the client will be required to obtain profile options set at the responsibility level.

4. User-Level

System Profile Options at the user level only have impact on the user associated with the particular parameter. The user-level system profile options override system profile options set at the site, application and responsibility levels. For example, the system profile option "Hide Diagnostics menu entry" could be set to No at the site level. Unless overridden elsewhere, no one would see the Diagnostics menu under Help. However, this system profile option could be set to Yes for individual system support personnel.

4.1. Control Considerations

4.1.1. Business Process Variables
o None

4.1.2. Control Limitations
o None

4.1.3. Control Dependencies
o None

4.1.4. Testing Notes
o System profile options at the user level cannot be effectively tested online unless specific users are being tested. GATE reports should be used; otherwise, a custom query made by the client will be required to obtain profile options set at the user level.
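
The "custom query" referred to in the responsibility- and user-level testing notes can be a single statement over the standard FND profile tables. The query below is an added example for this section, not code from the practice aid or from Oracle; it resolves, for each option, every level at which a value is set and who that value applies to. The level ids 10001 to 10004 (site, application, responsibility, user) and the join columns are assumed from the standard FND data model and should be confirmed on the client's release, and the internal option names in the filter are a sample drawn from the key profile options listed in this chapter.

```sql
-- Added example (not from the practice aid): where each key profile option is
-- set, from site down to user. Level ids 10001..10004 and the join columns are
-- assumed from the standard FND data model; the option names in the filter are
-- a sample and should be replaced by the options in scope.
SELECT t.user_profile_option_name                    AS profile_option,
       CASE v.level_id
         WHEN 10001 THEN '1-SITE'
         WHEN 10002 THEN '2-APPLICATION'
         WHEN 10003 THEN '3-RESPONSIBILITY'
         WHEN 10004 THEN '4-USER'
         ELSE TO_CHAR(v.level_id)
       END                                           AS level_name,
       COALESCE(a.application_short_name,
                r.responsibility_name,
                u.user_name, 'Site')                 AS set_for,
       v.profile_option_value,
       v.last_update_date
FROM   fnd_profile_options o
       JOIN fnd_profile_options_tl t
         ON  t.profile_option_name = o.profile_option_name
         AND t.language            = USERENV('LANG')
       JOIN fnd_profile_option_values v
         ON  v.profile_option_id = o.profile_option_id
         AND v.application_id    = o.application_id
       LEFT JOIN fnd_application a
         ON  v.level_id       = 10002
         AND a.application_id = v.level_value
       LEFT JOIN fnd_responsibility_tl r
         ON  v.level_id          = 10003
         AND r.responsibility_id = v.level_value
         AND r.application_id    = v.level_value_application_id
         AND r.language          = USERENV('LANG')
       LEFT JOIN fnd_user u
         ON  v.level_id = 10004
         AND u.user_id  = v.level_value
WHERE  o.profile_option_name IN (
         'SIGNON_PASSWORD_FAILURE_LIMIT', 'SIGNON_PASSWORD_LENGTH',
         'SIGNON_PASSWORD_HARD_TO_GUESS', 'SIGNONAUDIT:LEVEL',
         'FND_HIDE_DIAGNOSTICS', 'FND_DIAGNOSTICS', 'UNIQUE:SEQ_NUMBERS')
ORDER  BY profile_option, v.level_id, set_for;
```

Read the result per option from top to bottom: the site row is the default and each lower row (application, then responsibility, then user) overrides it for the named application, responsibility or user, so a responsibility or user row for a security-relevant option such as FND_DIAGNOSTICS or SIGNON_PASSWORD_FAILURE_LIMIT is the exception that needs a business justification.
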

5. Key Profile Options

The following section highlights the key system profile options to review for audit and consulting engagements. The "Relevant" column indicates if the profile option is applicable for audit (A) and consulting (C) projects.

5.1. Profile options

Each entry lists the profile option's internal name, its setting (user-visible name), what it is if new for R12, its available options and its relevance.

APPS_SSO_LINK_TRUTH_SRC
  Setting: Applications SSO Linking Source of Truth
  Available Options: E-Business Suite, Oracle Internet Directory
  Relevant: C

APPS_SSO_POSTLOGOUT_HOME_URL
  Setting: Applications SSO Post Logout URL
  Available Options: User Defined
  Relevant: C

APPS_SSO_OID_IDENTITY
  Setting: Applications SSO Enable OID Identity Add Event
  If new for R12, what is it? When a user is created in OID, the IDENTITY_ADD event is sent to all registered instances. This event controls whether an E-Business Suite instance should create the user in response to IDENTITY_ADD.
  Available Options: Enable, Disable
  Relevant: TBD

APPS_SSO_AUTO_LINK_USER
  Setting: Applications SSO Auto Link User
  If new for R12, what is it? If a user authenticated by SSO has no corresponding user in E-Business Suite, it will look for a local user with the same user name. If found, it will be permanently linked.
  Available Options: Enable, Disable
  Relevant: TBD

APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS
  Setting: Applications SSO Allow Multiple Accounts
  If new for R12, what is it? At user level, it enables a user to have multiple E-Business Suite accounts linked to a single SSO user name. Selection of which account is active is done via the Preferences page. At site level, it indicates the default for users without this specific setting.
  Available Options: Enable, Disable
  Relevant: TBD

FND_EXPORT_ALL_BLOCK_DATA
  Setting: FND Export All Block Data
  If new for R12, what is it? The profile controls what data is exported from a form's block.
  Available Options: Yes, No
  Relevant: TBD

FND_FIXED_SEC_KEY
  Setting: FND: Fixed Key
  If new for R12, what is it? The fixed security key to be used in Framework if the profile FND: Fixed Key Enabled is set to Y for the user. The key should be a hexadecimal string of size 64.
  Available Options: User Defined
  Relevant: C

FND_FIXED_KEY_ENABLED
  Setting: FND: Fixed Key Enabled
  If new for R12, what is it? This profile determines if a fixed key will be used for security purposes in Framework.
  Available Options: Yes, No
  Relevant: C

FND_CACHE_PORT_RANGE
  Setting: FND_CACHE_PORT_RANGE
  If new for R12, what is it? Opens up a range of ports so that machines can talk across the DMZ.
  Available Options: User Defined
  Relevant: C

OAM_DSCRAM_ALLOWED
  Setting: OAM: Data Scrambling Allowed
  If new for R12, what is it? Profile option to allow data scrambling.
  Available Options: User Defined
  Relevant: C

OAM_DSCRAM_ENABLED
  Setting: OAM: Data Scrambling Enabled
  If new for R12, what is it? Profile to enable or disable data scrambling.
  Available Options: User Defined
  Relevant: C

OAM_WS_AUDIT_ENABLED
  Setting: OAM_WS_AUDIT_ENABLED
  If new for R12, what is it? Enables or disables Web Service auditing.
  Available Options: User Defined
  Relevant: C

OAM_ENABLE_SYSTEM_ALERT
  Setting: System Alert Enable Level
  If new for R12, what is it? System Alert Enable Level.
  Available Options: All; Critical and Error; Critical; None
  Relevant: C

SIGNON_PASSWORD_CASE
  Setting: Signon Password Case
  If new for R12, what is it? Enables or disables password case sensitivity.
  Available Options: Insensitive, Sensitive (Enabled / Disabled)
  Relevant: A&C

SIGNON_PASSWORD_CUSTOM
  Setting: Signon Password Custom
  If new for R12, what is it? Profile option that specifies the full name of the class containing custom password validation logic.
  Available Options: User Defined
  Relevant: A&C

SIGNON_PASSWORD_FAILURE_LIMIT
  Setting: Signon Password Failure Limit
  If new for R12, what is it? A positive integer indicating the maximum number of logon attempts before the user's account is disabled.
  Available Options: User Defined
  Relevant: A&C

SIGNON_PASSWORD_HARD_TO_GUESS
  Setting: Signon Password Hard To Guess
  If new for R12, what is it? Profile that gets set to "true" if hard-to-guess password validation rules should be enforced for new passwords.
  Available Options: Yes, No
  Relevant: A&C

SIGNON_PASSWORD_LENGTH
  Setting: Signon Password Length
  If new for R12, what is it? Minimum length of Applications user password.
  Available Options: User Defined
  Relevant: A&C

SIGNON_PASSWORD_NO_REUSE
  Setting: Signon Password No Reuse
  If new for R12, what is it? Profile to specify the number of days a user must wait before being allowed to reuse a password.
  Available Options: Yes, No
  Relevant: A&C

SIGNONAUDIT:LEVEL
  Setting: Sign-On: Audit Level
  If new for R12, what is it? Level at which to audit foundation usage.
  Available Options: NONE, USER, RESPONSIBILITY, FORM
  Relevant: A&C

SIGNONAUDIT:NOTIFY
  Setting: Sign-On: Notification
  If new for R12, what is it? Notify user of concurrent program failures and invalid printers.
  Available Options: Yes, No
  Relevant: A&C

FND_DIAGNOSTICS
  Setting: FND: Diagnostics
  If new for R12, what is it? Enables Diagnostics global button.
  Available Options: Yes, No
  Relevant: A&C

FND_HIDE_DIAGNOSTICS
  Setting: Hide Diagnostics menu entry
  If new for R12, what is it? Hides the Help: Diagnostics menu entry.
  Available Options: Yes, No
  Relevant: A&C

UNIQUE:SEQ_NUMBERS
  Setting: Sequential Numbering
  If new for R12, what is it? Sequential Numbering.
  Available Options: Always Used, Not Used, Partially Used
  Relevant: A&C

CONC_REPORT_ACCESS_LEVEL
  Setting: Concurrent: Report Access Level
  If new for R12, what is it? Provides controlled access to log/output files of requests to a group of users based on the current responsibility of the user, according to this profile option value.
  Available Options: Responsibility, User
  Relevant: A&C

PRINTER
  Setting: Printer
  If new for R12, what is it? Output Printer.
  Available Options: Registered Printers, e.g. (noprint, LabelPDF)
  Relevant: C

FA_WF_GENERATE_CCIDS
  Setting: FA WF GENERATE
  If new for R12, what is it? FA: use workflow account generation notification for new assets.
  Available Options: Yes, No
  Relevant: A&C

Workflow activity settings: Request Approval From Approver timeout Days
  If new for R12, what is it? After this time has expired, Journal Approval notifies the preparer that no approver response has been received. The standard setting is 7 days.
  Relevant: C

UMX: Enable ICM Validation
  If new for R12, what is it? Oracle User Management is now integrated with Oracle Internal Controls Manager (ICM) for the prevention, detection, enforcement, and resolution of separation-of-duties constraints during the assignment of roles by administrators to users. Enables/disables whether access to override a violation is restricted or not allowed at all.
  Available Options: Yes, No
  Relevant: A&C

MO: Security Profile (Global or just Security Profile)
  If new for R12, what is it? Required for MOAC. To enable MOAC, a Security Profile is created in the HR module. Multiple operating units are then assigned to the profile. The Security Profile is then assigned to a responsibility using the profile option MO: Security Profile. In Release 12, assign this profile option to an application responsibility. This responsibility will then allow the assigned users access to multiple operating units.
  Available Options: Yes, No
  Relevant: A&C

MO: Default Operating Unit
  Setting: Operating unit
  If new for R12, what is it? (Optional) This profile option defines the default operating unit for users when they perform activities in the sub-ledgers.
  Available Options: Yes, No
  Relevant: A&C

SLA: Enable Data Access Set Security in Sub ledger
  If new for R12, what is it? This profile option needs to be set to "Yes" in order to enable data access set security in the sub-ledger. If this is not set, regardless of the data access set that is assigned to the responsibility, or even if the responsibility is restricted to a specific ledger using the "GL Ledger Name" profile option, the user will be able to create and post any journal in any ledger through the sub-ledger.
  Available Options: Yes, No
  Relevant: A&C

Note: audit trail profile options are not considered here.

5.2. Other settings to be considered

5.2.1. Set workflow notification mailer SEND_ACCESS_KEY to N

When SEND_ACCESS_KEY is set to Y, email notifications contain an access key. The key allows the user to access the Notification Details web page directly without authenticating; the workflow notification email bypasses the EBS sign-on process. Set SEND_ACCESS_KEY to N to prevent inclusion of the key with the Notification Detail link. When set to N, an unauthenticated user who clicks on the notification link must sign on before accessing the Notification Details web page.

I. Segregation of Duties Concepts

Segregation of Duties (SoD) within Oracle E-Business Suite (EBS) is challenging. Many layers of configurations, access and other elements in the application come together to both restrict and increase the exposure to security weaknesses. Most practitioners only consider SoD in relation to forms and functions. However, these Oracle features are augmented by other configurations as indicated below. These additional configurations should be considered for additional testing separate from, and in conjunction with, a SoD analysis. Segregation of duties and restricted access is a multidimensional challenge within Oracle EBS.

Note: From release 11.5.10, a new feature called Personalisation is an additional element that affects SoD. This feature can be used to improve security on forms.

Segregation of Duties is defined as segregating access to multiple sensitive functions that, when combined, present a significant risk of fraud or theft. The fundamental types of activities that should be separated from each other are as follows:

• Initiation - Entering the transaction
• Authorising - Posting the transaction
• Standing Data - Maintaining master data such as the vendor master file
• Custody of Assets - Physical custody of assets
• Recon/Review - Reconciling/Reviewing the accounting activity over certain transactions
• Sensitive Access - Application and Business setups that support the business

Application setups are those configurations in the application that have a very broad effect on how accounting is performed and reported. Examples of application setups include Sets of Books definitions, legal structures and flexfield definitions. These configurations should be finalized after implementation and changed infrequently, if at all. Changes to application setups should follow a very formal change control process, much like an IT change control. These changes should be tested and approved prior to migration into production. The technical support group should be the individuals with access to these types of setups.

Business setups, on the other hand, are those application configurations that might change over the course of the accounting period as a normal course of business. An example of a business setup would be opening/closing GL periods. Periods must be opened and closed to support accounting activity. Typically, however, a business process owner has access to this feature and will make the change outside of a formal change control process.

For SoD testing and process-specific SoD principles, refer to each module's Practice Aid.

1. Control Considerations

1.1. Business Process Variables
o None

1.2. Control Limitations
o Oracle is installed with default responsibilities that help the client enter and post transactions. These responsibilities were built by Oracle without any consideration of Segregation of Duties principles.

1.3. Control Dependencies
o The Custom.pll library is a standard Oracle Forms PL/SQL library that is supplied with the Oracle Applications. This is Oracle's built-in feature that allows the customer to enhance the standard functionality of the Applications by implementing site-specific business rules. Every Oracle Forms-based eBusiness screen, and any custom form developed using the Oracle Application development standards, will access the CUSTOM library. This allows customers to create business rules that affect the entire organization. Customers may use this functionality to hide certain tabs from users (i.e. Process Tab) or enforce even more granular controls in forms and functions access. PwC should inquire if the client is using Custom.pll to further control user access during SoD testing and validation.

1.4. Testing Notes
o Personalisation is not currently analysed by Oracle GATE.

J. Restricted Access/Segregation of Duties

When conducting an Oracle restricted access / segregation of duties review, there are three main access considerations:
• Application Setups
• Standing Data
• Segregation of Duties

1. Application Setups
Application Setups are defined as configurations that change the behaviour of the application. These setups are generally only configured upon installation, upgrades, or major business events. Changes in business process setups could cause system failure and/or data inconsistencies. Therefore, access to these setups should be restricted to the IT department or a similar technical role. In addition, any changes to these should be implemented via the client's stated change management process and controls. Please note that the definition of what constitutes application setups will vary from client to client.

2. Standing Data
Standing Data are defined as setups that either affect the processing of transactions or are used in the processing of transactions, and that could have a financial statement impact. These setups are generally configured upon installation, upgrades, or major business events. However, they may also need to be changed periodically to reflect ongoing changes to the business environment. Changes in standing data could cause financial processing difficulties and/or changes to standard transaction accounting procedures. Therefore, because of the potential impact on key financial controls associated with these setups, access to them should be limited to a select few business process or IT owners who do not have transactional access. Changes to standing data setups should be approved prior to implementation due to their potential impact on key financial controls and/or processes. Please note that the definition of what constitutes standing data will vary from client to client.

3. Segregation of Duties
Segregation of Duties is defined as segregating access to two or more sensitive functions that, when combined, could present a risk of material misstatement, management override, fraud or theft. Clients should acknowledge the inherent accounting and unique business risks that require certain activities to be performed by different individuals.

3.1 Designing SoD
Segregation of Duties and Restricted Access design can be complex and is dependent upon each client's environment, and practitioners should discuss these concepts with clients prior to commencing any Oracle work. The design could include a balance between separating all conflicting activities and mitigating all segregation of duties violations. This decision-making process should include formal elements of SoD analysis. In either circumstance, the rules and related documentation developed should be associated with the client's significant financial risks. When designing SoD principles, the following should be kept in mind:

• Envision the "ideal" environment, regardless of head count.
• All high-risk financial systems should be considered, not just Oracle.
• Smaller areas / business units may not be able to implement proper SoD rules due to resource constraints. Where SOD is impossible, mitigating / compensating controls should be identified.
• IT support should not violate the SoD rules. Support procedures should be developed that allow for the effective remediation of technical issues while giving the business process owners a stable, controlled, monitored accounting environment.

Generally, the following SoD principles should be adhered to:
• Users with transactional access are restricted from standing data and application setup.
• Users should not be able to create and approve their own transactions.
• Custody of assets is separate from accounting transactions.
• Cross-module (currency, ledger) and/or hidden access (process tab) should typically not exist.
However, risk and likelihood should be considered.

3.2 Documentation of Rules
Management should have a formal set of documents identifying the high segregation of duties and restricted access risks and conflicts that could exist for each business cycle. This set of documentation should then include the relevant segregation of duties and restricted access controls that the client implemented to mitigate these risks. These controls could include a balance between segregation of duties, restricted access and/or other business mitigating controls. Ideally, the client has developed a matrix of business processes (including Oracle functionality) that identifies the SoD and restricted access rules for each business process. An example of this matrix is identified below. The X's in the matrix identify the SoD conflict between the x and y axes of the matrix. The H's identify the agreed-upon sensitive business transactions that should also be tested with regard to restricted access.

Sample SoD matrix

3.3 SOD Monitoring
Once rules are established, the client can then determine the more cost-effective control: mitigating the segregation of duties risk, or relying on the separation of conflicting activities. Typically SoD management is driven and managed by the technology group. Unless the business process owners sponsor and drive the project, SoD management is often much less effective. Small environments could leverage a manual approach to SoD management. Large environments will almost always require technology to manage SoD effectively.

3.3.1 Manual Monitoring
If the client chooses to sustain SoD on paper, then the following may be used:

3. S.4.o Access Authorisation: Testing the authorisation sign-off form is a common test for IT general control reviews. etc). o PwC should recognise how the client manages SoD and make adjustments to the testing strategy accordingly. This responsibility-level SoD matrix would help management more quickly identify potential SoD issues before granting additional access.1. GATE's standard reports contain baseline. On-going maintenance of the technology solution should follow the client's formal change management process and controls. It's highly likely that these revised responsibilities have SoD conflicts.4. the practitioner should consider the mentioned functionalities. evidence that existing user access was compared to requested access should be documented.4. refer to PwC Audit 4164 and 4164. Page 82 of 89 Internal use only -. iExpense. with minor modifications. generic rules that are industry agnostic and should be tailored/customized for each client's environment. then the client might have a higher-level SoD matrix based on Oracle responsibilities. Control Considerations 3. o For a suggested list of detailed SoD principles and their associated risks.3. o Each client's Segregation of Duties principles must be considered in light of the client's specific business processes and risks. o Not only should specific SoD issues be addressed. 3. Control Limitations o The majority of Oracle seeded responsibilities contain SoD conflicts. when assessing the SOD.U.3. Also this is a very broad statement. Firm use only . Testing Notes o For general guidance on Access and Segregation of Duties control considerations in the context of a financial audit or an audit of internal controls over financial reporting.01. 3. o RBAC (Role Based Access Control. Automated Monitoring If the client chooses technology to help sustain their SoD environment. described further in the system administration practice aid) is currently only applicable for self-service applications (iTime. 
o Clients tend to build their responsibilities based on functionality and may make copies of the default Oracle responsibilities. practitioners should consider going beyond the access approval form and consider the overarching process management uses when deciding to approve access. proxy users and delegated admin responsibilities. then the client should maintain testing over the design and implementation of the solution and document their daily use of the solution.2.4. In this. All rights reserved. refer to PwC GATE. o In complex environments such as Oracle EBS. Control Dependencies o Activities might be influenced by different functionalities as RBAC and the sub functionality data entry via sub ledgers. MOAC and the hybrid usage of roles. 3. Business Process Variables o The challenge to our clients is that they either do not have the necessary time and staffing resources to identify and document the segregation of duties rules applicable to the company or they underestimate the commitment required. iProcurement. PricewaterhouseCoopers-For internal use only © 2007 PricewaterhouseCoopers.2. but clients should look to identify the root cause of these issues.4. Access authorisation makes an assumption that management understands the risk of granting the additional access and the functions associated with each responsibility o SoD Maintenance: If the client's responsibility design is good.4. 3.

o Process Tab Access: "AZN" menus are those menus that are associated with the Process Navigator tab. Without understanding the menu being used and the implications of the "AZN" menu, the segregation of duties analysis will appear to contain many false positives. When testing for segregation of duties, the reports generated from the tool will identify the menus associated with the issue. Practitioners should be aware of the AZN menu and help the client understand where the excessive or conflicting access exists.
o As many concurrent processes have a similar financial impact to the direct entry of transactions (AutoInvoice, Automatic Journal Posting, Revenue Recognition), they should be included in the SoD analysis.
o PwC should also expect false positives in the SoD analysis. False positives are results in the SoD analysis that indicate issues where none exist, or where they are simply less pervasive.
o PwC should confirm the legitimacy of the SoD rules and test results prior to raising issues with the client.
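The following is an added illustration, not part of this practice aid or of GATE: it shows how the SoD matrix (the X's) and the restricted-access list (the H's) are evaluated against an EBS-style access model, user to responsibility to menu tree to function, with request-group concurrent programs treated as functions, menu exclusions applied, and any conflict reachable only through an "AZN" process-tab menu flagged as a candidate false positive for the practitioner to confirm. The users, responsibilities, menus and function names are constructed and illustrative (modelled on EBS naming), not extracted from an instance.

```python
"""Segregation-of-duties (X rules) and restricted-access (H functions) check over
an Oracle EBS-style access model: user -> responsibility -> menu tree -> function,
plus request groups for concurrent programs.  Constructed data; the function and
menu names are illustrative, modelled on EBS naming, not taken from an instance."""
from collections import defaultdict

# Menu tree. Entries are ("F", function) or ("M", submenu). Menus named AZN*
# stand for Process Navigator (process tab) menus, which are easy to overlook.
MENUS = {
    "AP_TOP":         [("F", "AP_APXINWKB"), ("M", "AP_PAY_SUB")],
    "AP_PAY_SUB":     [("F", "AP_APXPAWKB")],
    "GL_TOP":         [("F", "GL_GLXJEENT"), ("M", "AZN_GL_PROCESS")],
    "AZN_GL_PROCESS": [("F", "GL_GLXJEPST")],
    "SYSADMIN_TOP":   [("F", "FND_FNDCPMPE"), ("F", "FND_FNDPOMPO")],
}
# Responsibility = top menu + request group (concurrent programs) + function
# exclusions, the usual way a copied seeded responsibility is trimmed.
RESPONSIBILITIES = {
    "AP_CLERK":      {"menu": "AP_TOP", "requests": [], "excluded": {"AP_APXPAWKB"}},
    "AP_SUPER":      {"menu": "AP_TOP", "requests": ["AUTOPOST"], "excluded": set()},
    "GL_ACCOUNTANT": {"menu": "GL_TOP", "requests": ["AUTOPOST"], "excluded": set()},
    "SYSADMIN":      {"menu": "SYSADMIN_TOP", "requests": [], "excluded": set()},
}
USERS = {"alice": ["AP_CLERK"], "bob": ["AP_SUPER", "GL_ACCOUNTANT"],
         "carol": ["GL_ACCOUNTANT"], "dave": ["SYSADMIN", "GL_ACCOUNTANT"]}

# X's of the matrix. AutoPost sits beside the posting form because the
# concurrent program has the same financial effect as posting through the form.
CONFLICT_RULES = [
    ("AP_APXINWKB", "AP_APXPAWKB", "enter and pay AP invoices"),
    ("GL_GLXJEENT", "GL_GLXJEPST", "enter and post GL journals"),
    ("GL_GLXJEENT", "AUTOPOST",    "enter journals and run automatic posting"),
]
# H's of the matrix: sensitive setup functions whose holders should not also
# hold transactional access.
SENSITIVE_FUNCTIONS = {"FND_FNDCPMPE", "FND_FNDPOMPO"}
TRANSACTIONAL_FUNCTIONS = {"AP_APXINWKB", "AP_APXPAWKB", "GL_GLXJEENT",
                           "GL_GLXJEPST", "AUTOPOST"}


def expand_menu(menu, via_azn=False, path=()):
    """{function: azn_only} for everything reachable from menu. azn_only is True
    only when every path to the function runs through a process-tab menu."""
    if menu in path:                      # cyclic menu definition: stop here
        return {}
    azn = via_azn or menu.startswith("AZN")
    found = {}
    for kind, name in MENUS.get(menu, []):
        reached = {name: azn} if kind == "F" else expand_menu(name, azn, path + (menu,))
        for fn, flag in reached.items():
            found[fn] = found.get(fn, True) and flag
    return found


def responsibility_functions(resp_name):
    """Functions one responsibility grants after exclusions, plus its request group."""
    resp = RESPONSIBILITIES[resp_name]
    granted = {fn: flag for fn, flag in expand_menu(resp["menu"]).items()
               if fn not in resp["excluded"]}
    for prog in resp["requests"]:
        granted[prog] = False             # request-group access is direct, never hidden
    return granted


def user_access(user):
    """{function: {"resps": set, "azn_only": bool}} across all of a user's responsibilities."""
    access = defaultdict(lambda: {"resps": set(), "azn_only": True})
    for resp in USERS[user]:
        for fn, azn in responsibility_functions(resp).items():
            access[fn]["resps"].add(resp)
            access[fn]["azn_only"] = access[fn]["azn_only"] and azn
    return dict(access)


def sod_violations(user):
    """Conflict-rule hits; azn_only marks hits where one side is reachable only via
    a process tab, the classic candidate false positive to confirm by hand."""
    access, hits = user_access(user), []
    for a, b, desc in CONFLICT_RULES:
        if a in access and b in access:
            hits.append({"rule": desc, "functions": (a, b),
                         "responsibilities": sorted(access[a]["resps"] | access[b]["resps"]),
                         "azn_only": access[a]["azn_only"] or access[b]["azn_only"]})
    return hits


def restricted_access_findings(user):
    """Sensitive functions the user holds, flagged if the user is also transactional."""
    access = user_access(user)
    held = sorted(fn for fn in access if fn in SENSITIVE_FUNCTIONS)
    transactional = any(fn in TRANSACTIONAL_FUNCTIONS for fn in access)
    return {"sensitive": held, "also_transactional": bool(held) and transactional}


if __name__ == "__main__":
    for user in USERS:
        print(user, sod_violations(user), restricted_access_findings(user))
```

Against a live instance the same three levels come from FND_USER_RESP_GROUPS, the responsibility's menu and request group, and the menu entries beneath it; the point the model makes is that a single "user has two conflicting responsibilities" view is not enough, because exclusions remove access, request groups add it, and a hit that exists only through a process-tab menu needs a person to decide whether it is real.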

K. iSetup

iSetup is a data management product that helps in automating the migration and monitoring of EBS setup data. iSetup helps in the migration of data between different instances of Oracle. Clients could use this for migrating data between:
• A production instance and another production instance
• A test or development environment and the production environment

1. Relevant Modules
1.1 Usage of iSetup
iSetup is a two-part application:
o iSetup Configurator runs on the web and provides an interactive questionnaire to capture business requirements and configuration decisions, which can then be transferred to any output.
o iSetup Migrator is the load functionality that populates the application setup tables with the detailed parameter values.
The following graph depicts the process of using iSetup to support the creation and extraction of the transformation files.

iSetup is covered in this document because this module might influence the setup of Oracle EBS and can be used for analysing the overall setup of Oracle EBS.

2. Control Considerations
2.1 Business Process Variables
o None
2.2 Control Dependencies
o None
2.3 Control Limitations
o None
2.4 Testing Notes
o The reports, either standalone for a single instance or as a comparison between multiple instances, can be used to retrieve and compare setup data. For detailed analytics refer to the iSetup User Guide.
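As an added illustration, not part of this practice aid or of the iSetup product, the following compares setup data extracted from two instances in the way an iSetup comparison report would, and reconciles every difference against the client's approved change records, so that setup changes made outside change management surface directly. The snapshots, the record layout (entity, key, attributes) and the change-ticket numbers are constructed assumptions; the profile option names are standard EBS names, but their values here are invented.

```python
"""Compare setup data extracted from two EBS instances, the job of an iSetup
comparison report, and reconcile every difference against approved change
records.  Constructed snapshots; the record layout (entity, key, attributes) and
the change-record mapping are assumptions, not iSetup's own file format."""

# Constructed extracts: one record per setup row, identified by (entity, key).
PROD_SNAPSHOT = [
    {"entity": "PROFILE_OPTION", "key": "SIGNON_PASSWORD_LENGTH", "level": "SITE", "value": "8"},
    {"entity": "PROFILE_OPTION", "key": "ICX_SESSION_TIMEOUT", "level": "SITE", "value": "30"},
    {"entity": "GL_PERIOD", "key": "JAN-07", "ledger": "US_LEDGER", "status": "Closed"},
    {"entity": "GL_PERIOD", "key": "FEB-07", "ledger": "US_LEDGER", "status": "Open"},
]
CANDIDATE_SNAPSHOT = [
    {"entity": "PROFILE_OPTION", "key": "SIGNON_PASSWORD_LENGTH", "level": "SITE", "value": "5"},
    {"entity": "PROFILE_OPTION", "key": "ICX_SESSION_TIMEOUT", "level": "SITE", "value": "30"},
    {"entity": "PROFILE_OPTION", "key": "FND_DIAGNOSTICS", "level": "SITE", "value": "Y"},
    {"entity": "GL_PERIOD", "key": "JAN-07", "ledger": "US_LEDGER", "status": "Closed"},
]
# Approved change records, keyed the same way (constructed ticket numbers).
APPROVED_CHANGES = {("PROFILE_OPTION", "FND_DIAGNOSTICS"): "CR-0417"}
KEY_FIELDS = ("entity", "key")


def index_snapshot(snapshot):
    """Map (entity, key) -> attribute dict; a duplicate key is an extract error."""
    indexed = {}
    for record in snapshot:
        k = tuple(record[f] for f in KEY_FIELDS)
        if k in indexed:
            raise ValueError(f"duplicate setup key {k}")
        indexed[k] = {a: v for a, v in record.items() if a not in KEY_FIELDS}
    return indexed


def compare_setup(baseline, candidate):
    """Differences from baseline to candidate: added, removed, or changed with
    the per-attribute (before, after) pairs."""
    base, cand = index_snapshot(baseline), index_snapshot(candidate)
    diffs = []
    for k in sorted(set(base) | set(cand)):
        entity, key = k
        if k not in cand:
            diffs.append({"entity": entity, "key": key, "change": "removed", "before": base[k]})
        elif k not in base:
            diffs.append({"entity": entity, "key": key, "change": "added", "after": cand[k]})
        else:
            attrs = set(base[k]) | set(cand[k])
            changed = {a: (base[k].get(a), cand[k].get(a)) for a in sorted(attrs)
                       if base[k].get(a) != cand[k].get(a)}
            if changed:
                diffs.append({"entity": entity, "key": key, "change": "changed",
                              "attributes": changed})
    return diffs


def reconcile(diffs, approved=APPROVED_CHANGES):
    """Attach the approving change record to each difference; return the ones
    with none, which are the setup changes made outside change management."""
    for d in diffs:
        d["change_record"] = approved.get((d["entity"], d["key"]))
    return [d for d in diffs if d["change_record"] is None]


if __name__ == "__main__":
    for d in reconcile(compare_setup(PROD_SNAPSHOT, CANDIDATE_SNAPSHOT)):
        print("UNAPPROVED", d)
```

Run on the constructed data, the weakened SIGNON_PASSWORD_LENGTH and the missing FEB-07 period come back without a change record, while the FND_DIAGNOSTICS addition reconciles to its ticket; the same reconciliation applied to the migration history answers the change-management question the testing notes raise.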

o The history of executed migrations can be used for analytics of the change management process.

L. AME

Oracle Approvals Management (AME) is a self-service Web application that enables clients to define business rules governing the process for approving transactions in Oracle applications. Oracle Approvals Management enables business users to specify the approval rules for an application without having to write code or customise the application. Once the rules are defined for an application, the application communicates directly with AME to manage the approvals for the application's transactions. Oracle AME is also integrated with Oracle User Management.

1. Usage of AME
The purpose of Oracle Approvals Management (AME) is to define approval rules that determine the approval processes for Oracle applications. An approval rule is a business rule that helps determine a transaction's approval process, such as who gets to approve certain transactions, dollar amount limits, and notification routing. Rules are constructed from conditions and actions. For example, an approval rule can be as follows: if the transaction's total cost is less than 1,000 USD and the transaction is for travel expenses, then get approval from the immediate supervisor of the person submitting the transaction; otherwise get approval from the company travel manager. Clients can define rules to be specific to one application or shared between different applications. As AME recalculates the chain of approvals after each approval, a transaction is assured of being approved under the latest conditions, regardless of organisational changes, changes to transaction values, rule changes, or currency conversions. The following graphic illustrates the typical approval process used in an organisation.

AME is covered in this document because the usage of AME might impact the analysis of approval processes and of controls based on approvals. For detailed analytics refer to the Oracle AME user guide.
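The following is an added illustration, not part of this practice aid and not AME's own API: a small rule engine in the style described above, in which each rule is a condition over transaction attributes plus an action naming who must approve, and the pending approver list is recalculated from the current transaction, rules and supervisor hierarchy at every step, so that a value change, a rule change or a reporting-line change re-routes whatever is still outstanding while approvals already given are kept. The supervisor hierarchy, the travel manager, the rules and the transactions are constructed assumptions.

```python
"""Rule-driven approval chain in the style of Oracle AME: each rule is a
condition over transaction attributes plus an action naming who must approve,
and the chain is recalculated after every approval so that a change to the
transaction, the rules or the supervisor hierarchy re-routes what is still
pending.  Constructed example: the rule model, hierarchy and transactions are
assumptions, not AME's own API."""

# Constructed supervisor hierarchy (employee -> manager) and a named approver.
SUPERVISOR = {"ellen": "frank", "frank": "gina", "gina": None}
TRAVEL_MANAGER = "hank"

# Rules: (name, condition, action). Actions are ("supervisor", levels) to climb
# the hierarchy or ("named", approver). Every rule that applies contributes.
RULES = [
    ("small travel", lambda t: t["category"] == "TRAVEL" and t["total_usd"] < 1000,
     ("supervisor", 1)),
    ("other travel", lambda t: t["category"] == "TRAVEL" and t["total_usd"] >= 1000,
     ("named", TRAVEL_MANAGER)),
    ("large amount", lambda t: t["total_usd"] >= 5000, ("supervisor", 2)),
]
DEFAULT_ACTION = ("supervisor", 1)     # applied when no rule matches


def resolve_action(action, requester, supervisors):
    """Turn an action into an ordered list of approvers."""
    kind, arg = action
    if kind == "named":
        return [arg]
    chain, who = [], requester
    for _ in range(arg):                # stop early at the top of the hierarchy
        who = supervisors.get(who)
        if who is None:
            break
        chain.append(who)
    return chain


def approval_chain(txn, supervisors=SUPERVISOR, rules=RULES):
    """Full approver list for the transaction as it stands now, in rule order,
    without duplicates and never including the requester (no self-approval)."""
    actions = [a for _, cond, a in rules if cond(txn)] or [DEFAULT_ACTION]
    chain = []
    for action in actions:
        for approver in resolve_action(action, txn["requester"], supervisors):
            if approver not in chain and approver != txn["requester"]:
                chain.append(approver)
    return chain


class Approval:
    """Approval state for one transaction; pending approvers are recomputed from
    the current transaction, rules and hierarchy on every call."""

    def __init__(self, txn, supervisors=None):
        self.txn = txn
        self.supervisors = dict(supervisors or SUPERVISOR)
        self.approved_by = []

    def pending(self):
        return [a for a in approval_chain(self.txn, self.supervisors)
                if a not in self.approved_by]

    def approve(self, approver):
        """Record an approval; only the next pending approver may act."""
        pending = self.pending()
        if not pending or pending[0] != approver:
            raise PermissionError(f"{approver} is not the next approver; pending={pending}")
        self.approved_by.append(approver)
        return self.pending()

    def complete(self):
        return not self.pending()


if __name__ == "__main__":
    a = Approval({"requester": "ellen", "category": "TRAVEL", "total_usd": 800})
    print(a.pending())                  # immediate supervisor
    a.txn["total_usd"] = 1200           # value changes mid-flight
    print(a.pending())                  # re-routed to the travel manager
```

Two properties matter for a control reviewer and both are visible in the model: the requester can never appear in the chain, and an approval given by someone who is no longer the next approver is rejected rather than recorded, which is the behaviour to confirm with AME's built-in rule testing before relying on the approval as a key control.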

2. Control Considerations
2.1 Business Process Variables
o Many clients might rely on manual approvals or sign-off sheets as their key controls over accounting procedures. From an efficiency and effectiveness perspective, PwC practitioners should be on the lookout for areas of process improvement where a manual approval process can be automated in Oracle.
2.2 Control Dependencies
o None
2.3 Control Limitations
o None
2.4 Testing Notes
o The use of AME gives auditors the ability to test the approval process systematically and gain comfort over established key controls. AME has built-in testing features that enable you to confirm the behaviour of new or edited business rules before live execution.

Forms that accept SQL entry

To improve flexibility, some forms allow users to enter SQL statements, add code or otherwise affect executable code. These forms are typically used during the initial setup of the system. The table below lists the forms that allow the user to edit code.

Function – Internal Name | Function – Display Name | Form – Internal Name | Form – Display Name
ALR_ALRALERT | Define Alert | ALRALERT | Alerts
FND_FNDCPMCP_SYS | Concurrent Programs (System Administrator Mode) | FNDCPMCP | Define Concurrent Program
FND_FNDCPMPE | Concurrent Program Executables | FNDCPMPE | Define Concurrent Program Executable
FND_FNDFFMDC | Descriptive Flexfield Segments | FNDFFMDC | Define Descriptive Flexfield Segments
FND_FNDFFMVS | Flexfield Value Sets | FNDFFMVS | Define Value Set
FND_FNDPOMPO | Profile Options | FNDPOMPO | Define User Profile Option
FND_FNDSCAPP | Applications | FNDSCAPP | Register Applications
FND_FNDSCDDG | Data Groups | FNDSCDDG | Define Data Group

Function – Internal Name | Function – Display Name | Form – Internal Name | Form – Display Name
FND_FNDSCMOU | ORACLE Usernames | FNDSCMOU | Register ORACLE IDs
PSB_PSBSTPTY | Attribute Mapping Details | PSBSTPTY | Attribute Mapping Details
MSDCSDFN | Define Data Stream | MSDCSDFN | Define Data Stream
MSDCSDFA | Custom Stream Advanced Setup | MSDCSDFA | Custom Stream Advanced Setup
MSD_MSDAUDIT | Audit Statements | MSDAUDIT | Audit Statements
JTFRSDGR | Define Dynamic Resource Groups | JTFRSDGR | Define Dynamic Resource Groups
JTFBRWKB | Business Rule Workbench | JTFBRWKB | Business Rule Workbench
ONT_OEXPCFVT | Validation Templates | OEXPCFVT | Define Validation Templates
ONT_OEXDEFWK, QP_OEXDEFWK | Defaulting Rules, Attribute Mapping | OEXDEFWK | Defaulting Rules
JTFTKOBT | Objects Meta-data | JTFTKOBT | Foundation Objects
JTF_GRID_ADMIN | Spreadtable Metadata Administration | JTFGRDMD | Spreadtable Metadata Administration
JTFGDIAG | SpreadTable Diagnostics | JTFGDIAG | SpreadTable Diagnostic Form
JTFGANTT | JTFGANTT | JTFGANTT | JTFGANTT
WMS_WMSRULEF | Define WMS Rules | WMSRULEF | Define WMS Rules
QP_QPXPRFOR | Create Pricing Formulas | QPXPRFOR | Define Pricing Formulas
QP_QPXPTMAP | New Attribute Mapping | QPXPTMAP | Attribute Mapping
GMAWFPCL_F | Workflow Process Configuration Framework | GMAWFPCL | Workflow Process Configuration Framework
GMAWFCOL_F | Workflow Activity Approval Configuration Framework | GMAWFCOL | Workflow Activity Approval Configuration Framework
AME_WEB_APPROVALS | Approvals Management | TBD | TBD

Function – Internal Name | Function – Display Name | Form – Internal Name | Form – Display Name
PERWSAPI | PL/SQL tester | PERWSAPI | PL/SQL tester
FFXWSMNG | Write Formula | FFXWSMNG | Write Formula
FFXWSDFF | Define Function | FFXWSDFF | Define Function
FFXWSBQR | Create Quickpaint Inquiry | FFXWSBQR | Create QuickPaint Inquiry
PAYWSDAS | Define Assignment Set | PAYWSDAS | Define Assignment Set
PAYWSDYG | Dynamic Trigger Maintenance | PAYWSDYG | Dynamic Trigger Maintenance
PERWSSCP | Define Security Profile | PERWSSCP | Define Security Profile

M. Glossary

1. Key Oracle Functionality
A number of terms that are used within the Oracle System Administration module are listed below with an associated definition.

Term | Description
Alert | A mechanism that checks your database for a specific exception condition. An alert is characterised by the SQL SELECT statement it contains. A SQL SELECT statement tells the application what database exception to identify as well as what output to produce for that exception.
Action | An action the alert is to perform. An action can include sending an electronic mail message to a mail ID, running an Oracle Applications program, running a program or script from your operating system, or running a SQL script to modify information in your database. An alert action can depend on the output from the alert.
Audit Trail | Audit Trail tracks which rows in a database table(s) were updated at what time and which user was logged in using the form(s). Several updates can be tracked, establishing a trail of audit data that documents the database table changes.
Concurrent Manager | A mechanism that runs concurrent programs. A manager operates during the time and days defined by a work shift. A manager can run any concurrent program, or be specialised to run only certain kinds of programs.
Concurrent Program | A program that runs concurrently (at the same time) as other programs. Concurrent programs run as background processes, while you continue to work at your terminal.
Concurrent Request | A command to start a concurrent program. An example of a concurrent request is a command to generate and print a report.
Data Group | A data group is a group list of Oracle Applications and the Oracle ID each application is assigned to. An Oracle ID grants access privileges to tables in an Oracle database.
Menu | A hierarchical arrangement of application functions (forms) that is displayed within the main navigate window.
Request Security Groups | Defines the concurrent programs and reports, including requests and request sets, that might be run by an application user under a particular responsibility.
