R12 User Managemet

R12 Surprises in User Management

Revised July, 2014

Susan Behn

GoldPartner

Agenda■ Understanding User Management Principles

■ User Management Layers■ Role Based Access Control Overview■ Building Blocks for User Management■ Modeling Security Policy Basic Example

■ Surprises■ Read only diagnostics■ Access to integration repository■ Grant worklist access■ Cash Management Security Wizard for Bank Account Management■ Access to concurrent reports■ Access which bypasses UMX■ Flexfield Value Set Security (New in 12.2)

■ Additional Topics if Time Allows■ What modules use UMX Security Reports ■ Disable subscription which grants AMW-Internal Controls Manager roles

(if time allows)

■ References

GoldPartner

User Management Layers

■ Core security – levels 1 – 2 is accomplished through AOL or with grants and permissions

■ Core security – level 3 is required for some apps

■ Administrative features – levels 4 – 6 are optional

6 User access requests with AME

Approval Processes

5 Registration processes

4 Administer functions/data for

specific groups

3 Grant access to roles that

include function/data security

2 What data can a user see

1 What can a user do

GoldPartner

Role Based Access Control

■ RBAC – The RBAC standard supports the mapping of user access control based upon a user’s role in the organization rather than their unique identity

■ Roles – a grouping of all the responsibilities, lower level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task

■ Role Categories – Organize roles into groups

GoldPartner

Components by Responsibility

■ System Administrator Responsibility

■ Manage responsibilities and menus; Create users

■ User Management – Layers 3 and up

■ Functional Administrator Responsibility

■ Function Security Layer

■ Functional Developer Responsibility

■ Data Security Layer

GoldPartner

User Management Building Blocks

■ Objects

■ Define data to be secured – a table or view

■ Stored in FND_OBJECTS, FND_OBJECTS_TL

■ Object Instance Sets

■ The “WHERE” clause for an object

■ Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL

■ Managed in Functional Developer Responsibility

GoldPartner

■ Permissions – 2 types – function and data

■ Function Security Permissions – control access to abstract functions

▸ Examples■ Executable function is access to User Management Roles &

Role Inheritance Form

■ Abstract functions are defined as role permissions

▸ Create Role – Assign Role

▸ Manage Role – Revoke Role

■ Data Security Permissions – control access to objects

▸ Data limited by where clause

■ Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL

GoldPartner

■ Permission Sets

■ Grouping of permissions

▸ Example: All User Administration Privileges

■ A permission set can contain other permission sets

■ Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL

GoldPartner

■ Grants

■ Provide permissions for actions on a specified object

▸ Attach function permissions and data permissions (data security polices) to grantee

■ Grantee

■ Who gets the grant

▸ A role or group

▸ A specific user

▸ All Users

■ Data Security Policy

■ Grant that includes both an object and permission set

■ Stored in FND_GRANTS

STACKING UP THE BUILDING BLOCKS

GoldPartner

Modeling Security Policies

■ Step 1 – Assign access to user management to appropriate users

■ Step 2 – Identify or create permissions/permission sets that group functions (function security)

■ Step 3 – Identify or create product seeded objects / object instance sets (data security)

■ Step 4 – Identify seeded grants / create grants

■ Step 5 – Assign role

GoldPartner

Grant access to user management to appropriate user(s)

GoldPartner

Managing Users – Step 1

■ By default, only Sysadmin has access to User Management

■ Assign a user management role to the appropriate user

pencil to

editSearch

for user

GoldPartner

■ Click the “Assign Roles” button to add a role

Click assign roles and

then click the apply

button

Click assign roles and

then click the apply

button

GoldPartner

■ Search for the “Security Administrator” Role, check the box and click select

■ Customer Administrator – manage users with party type = customer

■ Partner Administrator – manage users with party type = partner

Other seeded security roles

include Customer

Administrator and Partner

Administrator

GoldPartner

■ Enter a justification and click “Apply”

User Management

responsibility is inherited

by assigning this role

GoldPartner

■ System Administrator User Define

■ User Management is shown as an indirect responsibility

STEP 2IDENTIFY SEEDED

PERMISSIONSCREATE PERMISSIONS

GoldPartner

Permissions

■ To demonstrate function security, Approvals Management will be used as the example

■ A user will be given access to perform all functions in approvals management

■ To gain familiarity with permissions available

■ Go to Functional Administrator Permissions to search for seeded permissions

GoldPartner

Permissions

■ There are 16 permissions available for AME

■ Click the update button to examine the “AME Action Create” Permission

GoldPartner

Permissions

■ This permission belongs to one permission set with the same name as the permission

GoldPartner

Permission Set

■ In our example, we want the user to have access to ALL functions the transaction type “AP Invoice Approval”

■ Go to the permission set tab to see the permission set for all AME functions which is “AME All Permission Sets”

■ Note that this permission set includes other permission sets Other

Permission

included in

STEP 3 SEEDED OBJECTS

GoldPartner

Seeded Objects

■ To demonstrate data security, Approvals Management will be used again as the example

■ A user will be given access to manage the approval process for the payables invoice approval

■ Go to Functional Developer Objects to search for available seeded objects

■ If an object is not available, you can create objects

GoldPartner

Seeded Objects

Tip: Query by

responsibility to get

familiar with what is

seeded

Click update to

view details but

avoid changing

seeded objects

GoldPartner

Seeded Objects

■ Two columns are included which can be used to limit access

Note the Object

Instance Sets Tab

and Grants Tab

GoldPartner

Seeded Objects

■ Click on the Object Instance Set tab for this object to view the where clause■ The predicate

allows the user to enter the parameters to select the application and transaction type in the grant

STEP 4IDENTIFY SEEDED GRANTS

CREATE GRANTS

GoldPartner

Grants

■ Create the grant to allow sbehn to perform all AME function for the payables invoice approval transaction type

■ Click on grants tab

■ Notice this takes you to the same form as you see in the Functional Administrator responsibility

■ We are going to enter an object to establish a Data Security Policy

GoldPartner

Grants

■ Enter name, description, grantee type, grantee

■ Enter the object name

■ Click Next

GoldPartner

Grants

■ Choose the context to limit rows

■ For this example, choose instance set

GoldPartner

Grants

■ We already determined there was an “AME Transaction Type” Instance Set

■ Chose this value and Click Next

GoldPartner

Grants

■ Now enter the values for the parameters we saw earlier in the object instance set

■ The predicate is displayed for reference

▸ Parameter 1 is the application

▸ Parameter 2 is the AME transaction type

GoldPartner

Grants

■ Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set “AME All Permission Sets”

GoldPartner

Grants

■ The final page is a review page

■ Click finish and the confirmation page will appear

■ Now you have access to data and functions you can perform on that data

■ Click OK

GoldPartner

Role Based Access Control

■ In step 1, we gave someone access to user management

■ In step 2, we identified the “AME All Permission Sets” to provide function security

■ In step 3 we identified the “AME Transaction Types” object to provide data security

■ In step 4 we joined the function and data security together in a grant to allow SBEHN to perform all functions for AME for Payables Invoice Approvals

■ But…the user still doesn’t have access yet to the responsibility used to manage AME

STEP 5ASSIGN RESPONSIBILITIES

TO ROLES

GoldPartner

Assign Roles

■ Assign AME roles to SBEHN the same way we assigned the “Security Administrator” role

■ Query the user and click the pencil

GoldPartner

Assign Roles

■ Click the “Assign Roles” button

GoldPartner

Seeded Roles

■ Choose the “Approvals Management Administrator” role and provide justification

■ Grants multiple roles shown in the hierarchy below and two responsibilities having a code starting with “FND_RESP”

ResponsibilityResponsibility

GoldPartner

Seeded Roles

■ Below is a partial list of products with seeded roles; This changes frequently

■ Approvals Management

■ Diagnostics

■ Learning Management

■ Territory Management

■ User Management

■ Integration Repository

■ iReceivables

■ iSetup

■ Integrated SOA Gateway (New)

■ To see what’s new after patches, look for roles in User Management responsibility or query WF_ALL_ROLES_VL

GoldPartner

R12 Surprises

GoldPartner

Read-Only Diagnostics

GoldPartner

Read-Only Diagnostics in 12.1.3Function Security (outside of UMX)

■ Set profile option “Hide Diagnostics Menu Entry” to “No”

■ Assign one or more of the read only subfunctions to the menu where this functionality is needed

■ Apps password will not be requested in read-only mode

GoldPartner

Read-Only Diagnostics 12.1.3

■ Example - Payables, Vision Operations (USA) responsibility linked to menu AP_NAVIGATE_GUI12

■ Leave prompt and Submenu null

GoldPartner

Integration Repository

GoldPartner

New Surprises: Access to Integration Repository

■ Release 11i

■ http://irep.oracle.com/

▸ As of March, 2014 – the above link is not working

■ Early R12

■ Assign Responsibility – Integrated SOA Gateway

■ Release 12.1+

■ Assign one of following roles

GoldPartner

Grant Worklist Access

GoldPartner

■ From Form –Click “WorklistAccess” link

■ To limit security risk – request this functionality from system administrators■ From

Functional Administrator Responsibility▸ Grants Tab

Create Grant

GoldPartner

■ Select specific user

■ Data Security object is “Notifications”

GoldPartner

User that

Grantee can see

Abstract

Functions

Seeded instance

GoldPartner

Results

GoldPartner

■ By default, notifications are limited to active workflows or those in Lookup type WF_RR_ITEM_TYPES

■ To limit this access to specific workflow types, enter in parameter2 (hidden parameter)

Note: Predicate

does not list

Parameter2

stores specific

workflows

GoldPartner

Cash ManagementSecurity Wizard

GoldPartner

Cash Management – Bank Account Security

■ Grant access to manage banks to the responsibility “Cash Management, Vision Operations (USA)”

■ Go to User ManagementRoles & Role Inheritance

■ In the Type field, select Roles and Responsibilities

■ In the Category field, select “Miscellaneous”

■ In the Application field, select “Cash Management”, then click “Go”

GoldPartner

■ Click on the pencil to update for the correct responsibility

GoldPartner

■ Click on the security wizard button

■ On the next page, click the icon to run the CE UMX Security Wizard

GoldPartner

■ Click the button to add legal entities

■ Select the legal entities this responsibility will manage

GoldPartner

■ Check the boxes for the privileges needed for this responsibility and apply your changes

■ Repeat these steps for additional responsibilites

GoldPartner

View Concurrent Requests

GoldPartner

New Surprises: Access to Concurrent Requests

■ Profile Option “Concurrent Report Access Level” is obsolete in 12.1

■ Allowed users to see all concurrent requests in a responsibility

■ Except for View Own and System Administrator View Logs, this functionality is replaced by RBAC permissions

■ See My Oracle Support ID 737547.1

GoldPartner

View Others RequestsObject – Concurrent Requests

■ Start with the Concurrent Requests data object shown below which is seeded

GoldPartner

View Others Requests-Permission Set / Permission

■ The Request Operations permission set includes permissions to submit and view requests

GoldPartner

View Others Requests-Instance Sets

■ Several object instance sets are seeded or you can create your own

GoldPartner

View Others Requests - Seeded Instance Sets

■ Examples of seeded object instance sets

■ View all my requests from any responsibility

▸ More efficient then trying to remember where you ran a request

■ View my requests for the application identified by parameter 2

GoldPartner

View Others Requests - Create Instance Sets

■ From Functional Developer Objects

■ Query Object

■ Click link in Name column, then Object Instance Sets tab, then Create Instance Set

GoldPartner

View Others Requests-Create Instance Sets

■ Any user of a responsibility can see all requests in that responsibility

■ Exact replacement of obsolete profile option

■ MOS ID 804296.1 “R12: How To Configure Access To Request Output Of The Same Responsibility”

GoldPartner

View Others RequestsSite Level – Grant for All Responsibilities

■ Grant New Instance Set to All Users

■ All users can see requests in only in responsibility that ran request

GoldPartner

View Others Requests-Operating Unit Level

■ ***Same as previous example but limited by operating unit

■ Grant New Instance Set to Specific Operating Unit or responsibility

■ Repeat for each desired Operating Unit

■ Still can only see requests in responsibility that ran request

GoldPartner

View Others Requests - User Level

■ Recommended only for help desk/support users who have limited responsibilities in Production

■ Can see any request regardless of what responsibility currently using

Access to All to

Specific User

Access to All

Requests to

Specific User

GoldPartner

Diagnostic Permission sets

■ Permission sets are available now for all Diagnostic menu items starting in R12.1.3.

GoldPartner

Setup – Profile Options

■ R12.1.3+

■ Utilities: Diagnostics

■ Set to Yes (not secure)

■ RBAC – create role with permission set “FND Diagnostics Personalizations Menu” and assign as needed

GoldPartner

Security Hole

GoldPartner

Access to Menus screen can bypass UMX function security – Security hole

■ Access to Menus form allows user to bypass UMX function security

■ Grant flag can be clicked and then responsibility assignment displays menu

■ Menus can be duplicated with grant flag checked

▸ If the user then has access to create data security grants through the Functional Developer responsibility, you end up with a major security gap

GoldPartner

Flexfield SecurityRequired in 12.2

GoldPartner

Flexfield Value Set Security – FNDFFMSV –12.2

■ Upon upgrade, users will not have access to any records in this form

■ Many ways to get to this form…our example

■ GLSetupFinancialsFlexfieldsValidationValues

GoldPartner

Function and Data Security

■ Must set up function security to define what the user can do in the form

■ Grant by flexfield, report or value set

■ Grant to application, user, group

■ Must set up data security to define which values can be queried

■ Affects Independent and Dependent value sets.

■ Affects what privileges users have in the Segment Values form.

■ Note: Even if you create a new value set, you still won’t be able to assign values to that set until security is set up

GoldPartner

Patch for 12.2.2

■ Apply this patch for 12.2.2 (not needed for 12.2.3)

■ Oracle Support Document 1589204.1 (Release 12.2.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1589204.1

GoldPartner

Grant access to the data

■ Functional AdminstratorGrants

■ This example – General Ledger, Vision Operations (USA) responsibility needs to see GL value sets for Vision Operations Accounting Flexfield

GoldPartner

Data Security - Instance Set

■ Flexfield Value Set Security Object

■ Key Flexfield Structure by app id, key flexfield code and structure number

GoldPartner

Other Instance Sets

GoldPartner

Permission set for allowable actions

■ For this example, I chose to allow insert or update

■ Seeded permission sets for flexfield security

GoldPartner

Results

■ Now I have access to all the value sets for the accounting flexfield

GoldPartner

Time Check for Next 3 topics

GoldPartner

Where is UMX Applicable?

GoldPartner

Where is UMX applicable?

■ “Not all products have adopted data security in their UIs. If a customer is considering data security in a particular module, it is advisable to first check with the product development if that module has the infrastructure for data security in place otherwise, their data security policies will not be honored by the product UIs. Data Security policies can only be defined for applications that have been written to utilize the Data Security”■ MOS ID 553290.1 “Introduction to the Grants Security

System and Data Security”

■ Self research – what objects and/or permissions has Oracle defined

GoldPartner

■ MOS ID 1162403.1 “How Find Out Which Oracle Application Products Have Adopted Data Security Policies”■ Use following select statement to find objects / created

GoldPartner

■ Use the following query to find seeded instance sets

GoldPartner

■ Permissions are indicative that UMX will work and usually provide hint to the Object

■ Use the following query to find permissions

GoldPartner

Security Reports

GoldPartner

Security Reports

■ From User Management, Security Reports

■ Choose Report Type - Remaining screen repaints based on Type

▸ Example Select Output

format

Choose Offline to

get underlying SQL

MUST specify

Role/Resp

GoldPartner

Security Reports

■ Report Status

■ Output – click Output icon

GoldPartner

Security Reports

■ For Log (and query), click Details, then View Log

■ Partial log shown

GoldPartner

Security Reports

■ List of Users w/access to key User Management function

Clicking ‘Show’ displays

how assigned and by whom

GoldPartner

Security Reports

■ List of users with access to view all concurrent requests

■ List of users with access to the user management role

GoldPartner

R12.2 – Disable subscription to eventoracle.apps.fnd.umx.requestapproved

■ Error that appears is ambiguous

■ Real error:

■ The rule function for the subscription to this event, AMW_VIOLATION_PVT.Do_On_Role_Assigned, is a non-existent package

■ Cause:

■ AMW-Internal Controls Manager has been replaced by GRC-Governance Risk and Compliance in 12.2

■ MOS note 1303189.1

GoldPartner

References

■ Oracle Applications System Administrator's Guide -Security

■ See Oracle User Management Developer Guide

■ My Oracle Support ID: 553547.1 – Data Security Terminology

■ My Oracle Support ID: 553290.1 – Introduction to the Grants Security System and Data Security

■ E-Business Suite User Management SIG

■ http://ebsumx.oaug.org/

GoldPartner

R12 User Managemet

Documents

Oracle Payments R12 User Guide

R12 Payments User Guide

Project managemet en

User Reference Inventory - R12

Amundi asset managemet

R12 eTax User Guide

R12 EAM User Guide

R12 Suppliers User Manual

Brand managemet

R12 system user FAQs - City & Guilds

Supplier Creation in R12: New User Interface, Richer Functionalityidealpenngroup.tripod.com/sitebuildercontent/OAUG200… · · 2008-04-30Supplier Creation in R12: New User Interface,

Linear Asset Managemet

Project managemet

XML Gateway User Guide R12

Anger Managemet 2

User Reference Employee Console - R12

Time Managemet Talk

Financial Managemet

Oracle User Management R12 Developers Guide

Project Managemet Basics