Java Authentication and Authorization Services for E-Business Suite

Veshaal Singh
Director, Applications Technology

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda

• Current Scenarios
• Problems
• Solution
• Benefits
• Demonstration
• Q & A

Current Scenarios

ADF with e-Business Suite

• E-Business Suite ships with standard modules
• Need to extend or develop a module, and want to develop it using ADF
• Ensure that it works with the e-Business Security Model:
  - Register as a Responsibility
  - Utilize FND_USER for authentication
  - Leverage UMX and RBAC for authorization

EJBs with e-Business Suite

• Healthcare platform is exposed using EJBs
• E-Business Suite does not support EJBs, so these EJBs run on a separate OC4J
• Ensure that it works with the e-Business Security Model

EBS Technology Stack Topology

Diagram: database tier (10gR2, database logic); EBS application tier on 9iAS 1.0.2.2 / 9i or 10g (application logic: OC4J with JSP, BC4J and UIX; Forms; Reports; WebListener); external-tier J2EE server (JSP, Servlets, JMS, Web Services, EJB, others).

External Tier Access: Problems and Existing Solutions

Apps Schema Access

Issues
• Apps schema password keeps changing
• Standards-based access
• Is it secured?

Current Solution
• Create a new schema and provide privileges
• Provide the apps password to the external system

Solution: Application Data Source

Application Data Source implementation
• J2EE/JDBC standards based
• On the external-tier application server:
  - Register the Application Data Source
  - Register the node as a trusted node
  - Create a new application user
  - Grant the shipped role to this user
  - Register this new user in the application server

EBS Security Model: Authentication and Authorization

Issues
• Can I utilize the existing Responsibility/Menu to register my custom/extended application?
• Will I get the EBS authentication/SSO?
• Will I be able to leverage Function Security?

Current Solution
• Need access to the Apps schema
• Ship large AOL/J libraries on the external tier
• Deal with the dependencies etc.
• Need to understand the EBS security internals
• Application logic needs to have the security call

New Requirements

• Develop or extend an e-Business Suite application using standard J2EE technologies
• Leverage EBS security:
  - Authentication
  - Authorization
  - Secured connectivity
• Upgrade my custom/extended application technology stack

EBS Security Overview

Authentication & Authorization

Authentication is the process of verifying the user's identity. Typically this entails obtaining a user name and a password or some other credential from the user.

Authorization is the process of verifying whether a user has access to protected resources.

Diagram: Authentication: Andy presents a user name and password to the Authentication Service, which asks "Is the user who he says he is?". Authorization: Andy attempts some action on a Resource, which asks the Authorization Service "Can this user perform this action on me?".

EBS Security Overview

• Function Security
• Data Security
• Role Based Access Control
• Delegated Administration
• Provisioning Services
• Self Service Features

Function Security

• Functions represent basic entry points / operations / secured resources that do not have any data context, for example Page X or Region Y
• Typically done using responsibilities in the e-Business Suite

Diagram: example menu items (Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip) under the Employee HR Self Service and Manager HR Self Service responsibilities.

Data Security

• Which business objects / documents hold sensitive data and need to be secured? For example: Expense Reports, Employees
• Which secured operations can be performed on each object? For example: update, delete, reject, approve, escalate
• Secured operations are represented as privileges, aka permissions
• Authorization policy: grant [someone] access to perform [a set of operations] on a given [set of business documents], for example: [Managers] can [view, approve, reject, update] [expense reports] [filed by their direct reports]
• Sets of business documents are identified through instance sets (SQL predicates)

Role Based Access Control

• RBAC standard (ANSI INCITS 359-2004)
• A role consists of:
  - Other roles (via inheritance)
  - Responsibilities (via inheritance)
  - Function Security policies
  - Data Security policies
• A user can be assigned several roles
• A role can be assigned to several users

Use Cases

Grant access to a set of Sales Managers. They need access to:
• HR Self Service: Manager + Employee access
• Sales Online: Sales Manager access
• Expenses: Manager + Employee access
• iProcurement: Manager + Employee access

Access Control Before

Diagram: users are directly assigned Responsibilities: Expenses Mgr, Expenses Employee, Employee HR Self Service, Manager HR Self Service, iProcurement Mgr, iProcurement Employee, Sales Online Mgr.

With RBAC: Basic Approach

Diagram: roles Sales Manager, Sales Rep, Manager and Employee linked by role inheritance; the roles carry the responsibilities Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement and Sales Online.

With RBAC: Basic Approach (2)

Before RBAC and with the basic RBAC approach, a Responsibility includes both the menu and the permissions to access the menu items.

Diagram: Employee HR Self Service and Manager HR Self Service responsibilities with their menu items (Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip).

RBAC: Advanced Approach

With the advanced approach:
• Separation of navigation and access control
• A Responsibility represents an application menu
• Menu items disabled by default (grant = false)

Diagram: a single Human Resources responsibility (menu) holding Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts and Pay Slip, alongside Employee and Manager roles.

RBAC: Advanced Approach (2)

• Menu items (functions) granted to roles
• Menus automatically pruned in the Navigator: users only see the menus they have access to
• Not all Apps support this approach due to legacy security implementations (responsibility-level profiles etc.)

Diagram: under the single Human Resources menu, the Employee role is granted Personal Info, Job Posts and Pay Slip; the Manager role is granted Hiring / Firing, Transfers, Promotions and Compensation.

RBAC Benefits

• Reduces / simplifies administration: mass updates via a single operation
• Coexists with existing security setups
• Basic approach: try it now! Consolidate your existing Responsibilities into Roles
• Advanced approach: reduces the number of Responsibilities and Menus

New Requirements: Standardized External Authentication and Authorization Service

JAAS: Java Authentication and Authorization Service

What is JAAS?

• The JAAS specification offers the necessary methods for authentication and authorization for J2EE and core Java applications
• It abstracts the underlying mechanism of control:
  - Authentication: user login
  - Authorization: access control

JAAS Implementation for EBS: New Solution

• E-Biz light-weight LoginModule, compliant with the JAAS specification, works in JDK or J2EE environments
• Implements JAAS authentication using the AOL security system
• Implements JAAS authorization using UMX roles

JAAS for EBS: Deployment Diagram

Diagram: a client reaches an external J2EE application server (hosting ADF, Web Services and EJB applications together with the E-Business LoginModule) that sits beside the EBS mid-tier (WebListener, OC4J with JSP, BC4J and UIX; Forms; Reports; 9i or 10g) and the DB tier (10gR2). The numbered flow is:
1. Access
2. Delegate (application server to the E-Business LoginModule)
3. Request Credentials
4. Send Credentials
5. Verify Credentials (LoginModule against E-Business Suite)
6. Add Roles
7. Allow if User in Role
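The numbered flow above, as an added example in plain Java (not the deck's or Oracle's code): a minimal JAAS LoginModule that asks the application for credentials through the CallbackHandler (step 3), verifies them (step 5), adds one Principal per role to the Subject (step 6), and exposes the role check the container performs (step 7). EbsLoginModule, the in-memory USERS and ROLES maps, the user andy and the role keys are assumptions standing in for FND_USER verification and UMX role lookup.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// USERS and ROLES are constructed stand-ins for FND_USER and UMX role grants, not EBS APIs.
public class EbsLoginModule implements LoginModule {
    private static final Map<String, String> USERS = Map.of("andy", "welcome1");
    private static final Map<String, Set<String>> ROLES =
            Map.of("andy", Set.of("UMX|SALES_MANAGER", "UMX|EMPLOYEE"));
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean verified;
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nc, pc}); }           // step 3: ask the app for credentials
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        user = nc.getName();
        char[] pw = pc.getPassword();                               // clone of the callback's buffer
        pc.clearPassword();
        verified = user != null && pw != null && USERS.containsKey(user) && MessageDigest.isEqual(
                USERS.get(user).getBytes(UTF_8), new String(pw).getBytes(UTF_8)); // step 5, constant time
        if (pw != null) Arrays.fill(pw, '\0');                      // wipe the local copy
        if (!verified) throw new LoginException("invalid credentials");
        return true;
    }
    @Override public boolean commit() {
        if (!verified) return false;
        String u = user;                                            // Principal is a functional interface
        subject.getPrincipals().add(() -> u);                       // user principal
        for (String role : ROLES.getOrDefault(user, Set.of()))      // step 6: one principal per role
            subject.getPrincipals().add(() -> role);
        return true;
    }
    @Override public boolean abort() { verified = false; user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    // Step 7: the container's "allow if user in role" check before serving the resource.
    public static boolean isUserInRole(Subject s, String role) {
        return s.getPrincipals().stream().anyMatch(p -> role.equals(p.getName()));
    }
}
```

Wiring it in is a JAAS configuration entry naming the class (for example `Ebs { EbsLoginModule required; };`) plus a LoginContext in the application; once deployed, the container's own user-in-role check takes the place of isUserInRole.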

Key Benefits

• Utilize standard Java development technologies
• Security using Java standards: Data Source, Java Authentication and Authorization Service
• Runs on any J2EE-compliant server
• Standards-based development and deployment model
• Upgrade the development technology without getting tied to the EBS technology stack

Availability

• Available today
• Works for both 11i and R12 versions

Demonstration: Order Management Extension

• Extension has been developed in ADF for the Order Management application module shipped by standard EBS
• Sample ADF application from OTN (Order Management)
• Module is registered as the "Order Management ADF" Responsibility
• ADF runs on a separate Application Server 10g
• Role has been created for the ADF Responsibility
• User has been granted this new ADF Role

Order Management Demo

Related Sessions: ATG

Thursday, September 25, 2008
• 09.00 Centralize your Oracle E-Business Suite Search, Powered by Oracle Secure Enterprise Search. Rajesh Ghosh and Veshaal Singh, Oracle. Moscone West 2007
• 10.30 Customer Case Study: Forsythe Technologies Inc Oracle E-Business Suite SOA Implementation. Samuel Tong, Forsythe Technologies Inc, and Neeraj Chauhan, Oracle. Moscone West 2007
• 12.00 Managing Oracle E-Business Suite Customizations and Patches, using Oracle Enterprise Manager. Uma Prabhala, Oracle. Moscone West 2005
• 13.30 Opening Up Oracle Application Framework Applications through Web Services and Portlets. Ramkumar Sekar, Oracle. Moscone West 2005
• 13.30 Understanding the Oracle Diagnostics Security Model and Support for Custom Responsibility. Angelo Rosado, Oracle. Moscone West 2007

Demogrounds

• Oracle Applications Management Pack for Oracle E-Business Suite
• Oracle iSetup and Oracle Diagnostics Framework
• Oracle E-Business Suite Cloning Techniques
• Native Service Enablement of Oracle E-Business Suite
• Integration Repository and E-Business Suite Adapter
• Oracle SOA Suite for Oracle E-Business Suite
• The Next-Generation Semantic Search Experience
• Design and Develop New Searchable Objects, Using the Search Modeler Powered by Oracle Enterprise Search
• Extract Portlets from Oracle OAF Applications
• Generate, Test, Deploy, and Integrate Web Services
• Desktop Integrators Using Oracle Web Applications Desktop Integrator

Pods: Oracle Secure Enterprise Search (Pod K26); Web Services / Portlets in Oracle OAF (Pod K25); E-Business Suite Lifecycle Management and SOA Enablement of E-Business Suite (Pods K24 and K30).

For More Information

http://search.oracle.com
Applications technology
or
http://www.oracle.com/

Conclusion

• The new solution is a light-weight JAAS login module implementation independent of the APPS schema password and the large-sized AOL/J libraries.
• The new solution makes application code independent of authentication & authorization code.
• The solution works in any J2EE-compliant application server and is configurable at deployment time.