Page 1: R12 User Management

R12 Surprises in User Management

Revised July, 2014

Susan Behn

Page 2: R12 User Management

GoldPartner

Copyright © 2014 Infosemantics, Inc. All Rights Reserved. Any other commercial product names herein are trademarks, registered trademarks or service marks of their respective owners.

Agenda

■ Understanding User Management Principles
  ■ User Management Layers
  ■ Role Based Access Control Overview
  ■ Building Blocks for User Management
  ■ Modeling Security Policy – Basic Example

■ Surprises
  ■ Read-only diagnostics
  ■ Access to Integration Repository
  ■ Grant worklist access
  ■ Cash Management Security Wizard for Bank Account Management
  ■ Access to concurrent reports
  ■ Access which bypasses UMX
  ■ Flexfield Value Set Security (new in 12.2)

■ Additional topics if time allows
  ■ What modules use UMX Security Reports
  ■ Disable subscription which grants AMW-Internal Controls Manager roles

■ References

Page 3: R12 User Management

User Management Layers

■ Core security – levels 1 – 2 are accomplished through AOL or with grants and permissions

■ Core security – level 3 is required for some apps

■ Administrative features – levels 4 – 6 are optional

Layer diagram (top to bottom):

6 – User access requests with AME approval processes
5 – Registration processes
4 – Administer functions/data for specific groups
3 – Grant access to roles that include function/data security
2 – What data can a user see
1 – What can a user do

Page 4: R12 User Management

Role Based Access Control

■ RBAC – The RBAC standard supports the mapping of user access control based upon a user’s role in the organization rather than their unique identity

■ Roles – a grouping of all the responsibilities, lower level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task

■ Role Categories – Organize roles into groups

Page 5: R12 User Management

Components by Responsibility

■ System Administrator Responsibility

■ Manage responsibilities and menus; Create users

■ User Management – Layers 3 and up

■ Functional Administrator Responsibility

■ Function Security Layer

■ Functional Developer Responsibility

■ Data Security Layer

Page 6: R12 User Management

User Management Building Blocks

■ Objects

■ Define data to be secured – a table or view

■ Stored in FND_OBJECTS, FND_OBJECTS_TL

■ Object Instance Sets

■ The “WHERE” clause for an object

■ Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL

■ Managed in Functional Developer Responsibility

Page 7: R12 User Management

User Management Building Blocks

■ Permissions – 2 types – function and data

■ Function Security Permissions – control access to abstract functions

▸ Examples
  ■ Executable function – access to the User Management Roles & Role Inheritance form
  ■ Abstract functions are defined as role permissions
    ▸ Create Role – Assign Role
    ▸ Manage Role – Revoke Role

■ Data Security Permissions – control access to objects

▸ Data limited by where clause

■ Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL

Page 8: R12 User Management

User Management Building Blocks

■ Permission Sets

■ Grouping of permissions

▸ Example: All User Administration Privileges

■ A permission set can contain other permission sets

■ Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL

Page 9: R12 User Management

User Management Building Blocks

■ Grants

■ Provide permissions for actions on a specified object

▸ Attach function permissions and data permissions (data security policies) to a grantee

■ Grantee

■ Who gets the grant

▸ A role or group

▸ A specific user

▸ All Users

■ Data Security Policy

■ Grant that includes both an object and permission set

■ Stored in FND_GRANTS
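The building blocks on these slides map directly onto the FND tables they name. As an added example that is not part of the presentation, the following Oracle SQL lists the active data security policies defined against one object, joining each grant to its object, its instance set (the WHERE clause, with the parameter values the grant supplies) and its permission set (stored as a menu). It works for any secured object, for instance the AME Transaction Types, Notifications, Concurrent Requests and Flexfield Value Set Security objects discussed later in the deck. Column names follow the R12 FND data model as I know it and should be verified on your instance; `:object_display_name` is a bind variable you supply, and the query assumes an APPS session.

```sql
-- Added example (not from the presentation): list active data security
-- policies for one object. A policy is a FND_GRANTS row that ties a
-- grantee to an object, an instance set (the WHERE clause, with optional
-- parameters) and a permission set (a menu in FND_MENUS).
-- Assumption: column names as in the R12 FND data model; run as APPS.
SELECT g.name                      AS grant_name,
       g.grantee_type,             -- USER, GROUP (role) or GLOBAL (all users)
       g.grantee_key,              -- user name or role key
       o.obj_name,
       o.database_object_name,     -- table or view being secured
       g.instance_type,            -- GLOBAL (all rows), SET (instance set) or INSTANCE
       ist.display_name            AS instance_set,
       ois.predicate,              -- the WHERE clause; &GRANT.PARAMETERn tokens read the columns below
       g.parameter1,
       g.parameter2,               -- may be populated even when the predicate does not show it
       mt.user_menu_name           AS permission_set,
       g.start_date,
       g.end_date
FROM   fnd_grants g
       JOIN fnd_objects o
         ON o.object_id = g.object_id
       JOIN fnd_objects_tl ot
         ON ot.object_id = o.object_id
        AND ot.language  = USERENV('LANG')
       LEFT JOIN fnd_object_instance_sets ois
         ON ois.instance_set_id = g.instance_set_id
       LEFT JOIN fnd_object_instance_sets_tl ist
         ON ist.instance_set_id = ois.instance_set_id
        AND ist.language        = USERENV('LANG')
       JOIN fnd_menus_tl mt
         ON mt.menu_id  = g.menu_id
        AND mt.language = USERENV('LANG')
WHERE  ot.display_name = :object_display_name    -- e.g. 'AME Transaction Types'
AND    SYSDATE BETWEEN g.start_date AND NVL(g.end_date, SYSDATE)
ORDER  BY g.grantee_type, g.grantee_key, g.name;
```

Rows with GRANTEE_TYPE = 'GLOBAL' are the "All Users" grants and deserve the first look in any review, and a non-empty PARAMETER2 on a predicate that never mentions it is worth checking against the instance set definition, since some seeded sets use hidden parameters.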

Page 10: R12 User Management

STACKING UP THE BUILDING BLOCKS

Page 11: R12 User Management

Modeling Security Policies

■ Step 1 – Assign access to user management to appropriate users

■ Step 2 – Identify or create permissions/permission sets that group functions (function security)

■ Step 3 – Identify or create product seeded objects / object instance sets (data security)

■ Step 4 – Identify seeded grants / create grants

■ Step 5 – Assign role

Page 12: R12 User Management

Grant access to user management to appropriate user(s)

Page 13: R12 User Management

Managing Users – Step 1

■ By default, only Sysadmin has access to User Management

■ Assign a user management role to the appropriate user

Screenshot callouts: search for the user, then click the pencil to edit

Page 14: R12 User Management

Managing Users – Step 1

■ Click the “Assign Roles” button to add a role

Screenshot callout: click Assign Roles and then click the Apply button

Page 15: R12 User Management

Managing Users – Step 1

■ Search for the “Security Administrator” Role, check the box and click select

■ Customer Administrator – manage users with party type = customer

■ Partner Administrator – manage users with party type = partner

Screenshot callout: other seeded security roles include Customer Administrator and Partner Administrator

Page 16: R12 User Management

Managing Users – Step 1

■ Enter a justification and click “Apply”

Screenshot callout: the User Management responsibility is inherited by assigning this role

Page 17: R12 User Management

Managing Users – Step 1

■ System Administrator > User > Define

■ User Management is shown as an indirect responsibility

Page 18: R12 User Management

STEP 2: IDENTIFY SEEDED PERMISSIONS / CREATE PERMISSIONS

Page 19: R12 User Management

Permissions

■ To demonstrate function security, Approvals Management will be used as the example

■ A user will be given access to perform all functions in approvals management

■ To gain familiarity with permissions available

■ Go to Functional Administrator > Permissions to search for seeded permissions

Page 20: R12 User Management

Permissions

■ There are 16 permissions available for AME

■ Click the update button to examine the “AME Action Create” Permission

Page 21: R12 User Management

Permissions

■ This permission belongs to one permission set with the same name as the permission

Page 22: R12 User Management

Permission Set

■ In our example, we want the user to have access to ALL functions for the transaction type “AP Invoice Approval”

■ Go to the Permission Sets tab to see the permission set for all AME functions, which is “AME All Permission Sets”

■ Note that this permission set includes other permission sets

Screenshot callout: other permission sets included in the set

Page 23: R12 User Management

STEP 3: SEEDED OBJECTS

Page 24: R12 User Management

Seeded Objects

■ To demonstrate data security, Approvals Management will be used again as the example

■ A user will be given access to manage the approval process for the payables invoice approval

■ Go to Functional Developer > Objects to search for available seeded objects

■ If an object is not available, you can create objects

Page 25: R12 User Management

Seeded Objects

Tip: query by responsibility to get familiar with what is seeded

Screenshot callout: click Update to view details, but avoid changing seeded objects

Page 26: R12 User Management

Seeded Objects

■ Two columns are included which can be used to limit access

Screenshot callout: note the Object Instance Sets tab and the Grants tab

Page 27: R12 User Management

Seeded Objects

■ Click on the Object Instance Sets tab for this object to view the where clause

■ The predicate allows the user to enter the parameters that select the application and transaction type in the grant

Page 28: R12 User Management

STEP 4: IDENTIFY SEEDED GRANTS / CREATE GRANTS

Page 29: R12 User Management

Grants

■ Create the grant to allow sbehn to perform all AME functions for the payables invoice approval transaction type

■ Click on grants tab

■ Notice this takes you to the same form as you see in the Functional Administrator responsibility

■ We are going to enter an object to establish a Data Security Policy

Page 30: R12 User Management

Grants

■ Enter name, description, grantee type, grantee

■ Enter the object name

■ Click Next

Page 31: R12 User Management

Grants

■ Choose the context to limit rows

■ For this example, choose instance set

Page 32: R12 User Management

Grants

■ We already determined there was an “AME Transaction Type” Instance Set

■ Choose this value and click Next

Page 33: R12 User Management

Grants

■ Now enter the values for the parameters we saw earlier in the object instance set

■ The predicate is displayed for reference

▸ Parameter 1 is the application

▸ Parameter 2 is the AME transaction type

Page 34: R12 User Management

Grants

■ Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set “AME All Permission Sets”

Page 35: R12 User Management

Grants

■ The final page is a review page

■ Click finish and the confirmation page will appear

■ Now you have access to data and functions you can perform on that data

■ Click OK

Page 36: R12 User Management

Role Based Access Control

■ In step 1, we gave someone access to user management

■ In step 2, we identified the “AME All Permission Sets” to provide function security

■ In step 3 we identified the “AME Transaction Types” object to provide data security

■ In step 4 we joined the function and data security together in a grant to allow SBEHN to perform all functions for AME for Payables Invoice Approvals

■ But…the user still doesn’t have access yet to the responsibility used to manage AME

Page 37: R12 User Management

STEP 5: ASSIGN RESPONSIBILITIES TO ROLES

Page 38: R12 User Management

Assign Roles

■ Assign AME roles to SBEHN the same way we assigned the “Security Administrator” role

■ Query the user and click the pencil

Page 39: R12 User Management

Assign Roles

■ Click the “Assign Roles” button

Page 40: R12 User Management

Seeded Roles

■ Choose the “Approvals Management Administrator” role and provide justification

■ Grants multiple roles shown in the hierarchy below and two responsibilities having a code starting with “FND_RESP”


Page 41: R12 User Management

Seeded Roles

■ Below is a partial list of products with seeded roles; this list changes frequently

■ Approvals Management

■ Diagnostics

■ Learning Management

■ Territory Management

■ User Management

■ Integration Repository

■ iReceivables

■ iSetup

■ Integrated SOA Gateway (New)

■ To see what’s new after patches, look for roles in User Management responsibility or query WF_ALL_ROLES_VL
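The slide suggests querying WF_ALL_ROLES_VL to spot roles a patch delivered. As an added example that is not part of the presentation, the Oracle SQL below does that and then answers the follow-up question a reviewer asks next: who currently holds a given role, such as Security Administrator, which (as shown in step 1) carries the User Management responsibility with it. It assumes that UMX roles carry ORIG_SYSTEM = 'UMX' in WF_ALL_ROLES_VL, that user-to-role assignments are in WF_USER_ROLE_ASSIGNMENTS with the columns named below, and that the role is looked up by its display name through the `:role_display_name` bind variable; verify the column names on your instance.

```sql
-- Added example (not from the presentation): UMX roles present after a
-- patch, and who holds one of them.
-- Assumptions: UMX roles have ORIG_SYSTEM = 'UMX' in WF_ALL_ROLES_VL and
-- user/role assignments live in WF_USER_ROLE_ASSIGNMENTS.

-- 1. Seeded and custom UMX roles, newest first, so new arrivals stand out
SELECT r.name,                      -- internal key, e.g. UMX|...
       r.display_name,              -- what User Management shows
       r.status,
       r.start_date,
       r.expiration_date
FROM   wf_all_roles_vl r
WHERE  r.orig_system = 'UMX'
ORDER  BY r.start_date DESC, r.display_name;

-- 2. Current holders of one role, looked up by display name
SELECT ura.user_name,
       ura.role_name,
       ura.assignment_type,         -- direct or inherited through another role
       ura.assigning_role,          -- the parent role when inherited
       ura.effective_start_date,
       ura.effective_end_date
FROM   wf_user_role_assignments ura
       JOIN wf_all_roles_vl r
         ON r.name = ura.role_name
WHERE  r.orig_system   = 'UMX'
AND    r.display_name  = :role_display_name          -- e.g. 'Security Administrator'
AND    NVL(ura.effective_end_date, SYSDATE + 1) > SYSDATE
ORDER  BY ura.user_name;
```

Running the second query on a schedule for the administrative roles (Security Administrator, Customer Administrator, Partner Administrator) gives a simple change record: any user who appears without a matching approved request is worth a question.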

Page 42: R12 User Management

R12 Surprises

Page 43: R12 User Management

Read-Only Diagnostics

Page 44: R12 User Management

Read-Only Diagnostics in 12.1.3 – Function Security (outside of UMX)

■ Set profile option “Hide Diagnostics Menu Entry” to “No”

■ Assign one or more of the read only subfunctions to the menu where this functionality is needed

■ Apps password will not be requested in read-only mode

Page 45: R12 User Management

Read-Only Diagnostics 12.1.3

■ Example - Payables, Vision Operations (USA) responsibility linked to menu AP_NAVIGATE_GUI12

■ Leave prompt and Submenu null

Page 46: R12 User Management

Integration Repository

Page 47: R12 User Management

New Surprises: Access to Integration Repository

■ Release 11i

■ http://irep.oracle.com/

▸ As of March, 2014 – the above link is not working

■ Early R12

■ Assign Responsibility – Integrated SOA Gateway

■ Release 12.1+

■ Assign one of following roles

Page 48: R12 User Management

Grant Worklist Access

Page 49: R12 User Management

Grant Worklist Access

■ From the form – click the “Worklist Access” link

■ To limit security risk – request this functionality from system administrators

■ From the Functional Administrator responsibility
  ▸ Grants tab
  ▸ Create Grant

Page 50: R12 User Management

Grant Worklist Access

■ Select specific user

■ Data Security object is “Notifications”

Page 51: R12 User Management

Grant Worklist Access

Screenshot callouts: the user that the grantee can see; the abstract functions; the seeded instance set

Page 52: R12 User Management

Grant Worklist Access

Results

Page 53: R12 User Management

Grant Worklist Access

■ By default, notifications are limited to active workflows or those in Lookup type WF_RR_ITEM_TYPES

■ To limit this access to specific workflow types, enter them in Parameter2 (a hidden parameter)

Screenshot callouts: the predicate does not list Parameter2; Parameter2 stores the specific workflows

Page 54: R12 User Management

Cash Management Security Wizard

Page 55: R12 User Management

Cash Management – Bank Account Security

■ Grant access to manage banks to the responsibility “Cash Management, Vision Operations (USA)”

■ Go to User Management > Roles & Role Inheritance

■ In the Type field, select Roles and Responsibilities

■ In the Category field, select “Miscellaneous”

■ In the Application field, select “Cash Management”, then click “Go”

Page 56: R12 User Management

Cash Management – Bank Account Security

■ Click on the pencil to update for the correct responsibility

Page 57: R12 User Management

Cash Management – Bank Account Security

■ Click on the security wizard button

■ On the next page, click the icon to run the CE UMX Security Wizard

Page 58: R12 User Management

Cash Management – Bank Account Security

■ Click the button to add legal entities

■ Select the legal entities this responsibility will manage

Page 59: R12 User Management

Cash Management – Bank Account Security

■ Check the boxes for the privileges needed for this responsibility and apply your changes

■ Repeat these steps for additional responsibilities

Page 60: R12 User Management

View Concurrent Requests

Page 61: R12 User Management

New Surprises: Access to Concurrent Requests

■ Profile Option “Concurrent Report Access Level” is obsolete in 12.1

■ Allowed users to see all concurrent requests in a responsibility

■ Except for View Own and System Administrator View Logs, this functionality is replaced by RBAC permissions

■ See My Oracle Support ID 737547.1

Page 62: R12 User Management

View Others' Requests – Object: Concurrent Requests

■ Start with the Concurrent Requests data object shown below which is seeded

Page 63: R12 User Management

View Others' Requests – Permission Set / Permission

■ The Request Operations permission set includes permissions to submit and view requests

Page 64: R12 User Management

View Others' Requests – Instance Sets

■ Several object instance sets are seeded or you can create your own

Page 65: R12 User Management

View Others' Requests – Seeded Instance Sets

■ Examples of seeded object instance sets

■ View all my requests from any responsibility

▸ More efficient than trying to remember where you ran a request

■ View my requests for the application identified by parameter 2

Page 66: R12 User Management

View Others' Requests – Create Instance Sets

■ From Functional Developer > Objects

■ Query Object

■ Click link in Name column, then Object Instance Sets tab, then Create Instance Set

Page 67: R12 User Management

View Others' Requests – Create Instance Sets

■ Any user of a responsibility can see all requests in that responsibility

■ Exact replacement of obsolete profile option

■ MOS ID 804296.1 “R12: How To Configure Access To Request Output Of The Same Responsibility”

Page 68: R12 User Management

View Others' Requests – Site Level: Grant for All Responsibilities

■ Grant New Instance Set to All Users

■ All users can see requests only in the responsibility that ran the request
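Before saving a custom instance set and granting it to All Users, it pays to dry-run the predicate and confirm it returns only what the slides describe: requests submitted from the responsibility the user is currently in. As an added example that is not part of the presentation and not the text of MOS 804296.1 (whose exact predicate is not on this page), the Oracle SQL below shows an illustrative "same responsibility" predicate in the form an instance set would hold it, then evaluates it in a SQL*Plus session after initializing the session context with fnd_global.apps_initialize. The &TABLE_ALIAS token, the FND_CONCURRENT_REQUESTS column names and the `:user_id`, `:resp_id` and `:resp_appl_id` bind variables are assumptions.

```sql
-- Added example (not from the presentation, not the MOS 804296.1 text):
-- dry-run an instance-set predicate for the Concurrent Requests object.
-- In an instance set the predicate is written against the &TABLE_ALIAS
-- token, which the data security engine replaces with the alias of the
-- secured table. Illustrative predicate as it would be entered (assumption):
--
--   &TABLE_ALIAS.responsibility_id = fnd_global.resp_id
--   AND &TABLE_ALIAS.responsibility_application_id = fnd_global.resp_appl_id
--
-- Step 1: set the session context to the user and responsibility that will
-- hold the grant (bind variables are placeholders for real ids).
BEGIN
  fnd_global.apps_initialize(user_id      => :user_id,
                             resp_id      => :resp_id,
                             resp_appl_id => :resp_appl_id);
END;
/

-- Step 2: run the predicate with the token replaced by a real alias.
-- The rows returned are what that grantee would see in View Requests.
SELECT cr.request_id,
       cr.requested_by,
       cr.responsibility_id,
       cr.responsibility_application_id,
       cr.phase_code,
       cr.status_code,
       cr.request_date
FROM   fnd_concurrent_requests cr
WHERE  cr.responsibility_id             = fnd_global.resp_id
AND    cr.responsibility_application_id = fnd_global.resp_appl_id
ORDER  BY cr.request_date DESC;
```

The same dry-run works for any predicate: substitute the alias, replace each &GRANT.PARAMETERn token with the value the grant will carry, and compare the row count against what the obsolete profile option used to expose before you create the grant.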

Page 69: R12 User Management

View Others' Requests – Operating Unit Level

■ Same as the previous example but limited by operating unit

■ Grant New Instance Set to Specific Operating Unit or responsibility

■ Repeat for each desired Operating Unit

■ Still can only see requests in the responsibility that ran the request

Page 70: R12 User Management

View Others' Requests – User Level

■ Recommended only for help desk/support users who have limited responsibilities in Production

■ Can see any request regardless of which responsibility is currently in use

Screenshot callout: access to all requests granted to a specific user

Page 71: R12 User Management

Diagnostic Permission sets

■ Permission sets are available now for all Diagnostic menu items starting in R12.1.3.

Page 72: R12 User Management

Setup – Profile Options

■ R12.1.3+

■ Utilities: Diagnostics

■ Set to Yes (not secure)

■ RBAC – create role with permission set “FND Diagnostics Personalizations Menu” and assign as needed

Page 73: R12 User Management

Security Hole

Page 74: R12 User Management

Access to Menus screen can bypass UMX function security – Security hole

■ Access to Menus form allows user to bypass UMX function security

■ Grant flag can be clicked and then responsibility assignment displays menu

■ Menus can be duplicated with grant flag checked

▸ If the user then has access to create data security grants through the Functional Developer responsibility, you end up with a major security gap
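The exposure described on this slide is a combination of two things: reach to the Menus form, and the ability to create grants. Both are visible in the data dictionary, so a periodic review can catch the combination and any menu-entry change made through the form. As an added example that is not part of the presentation, the Oracle SQL below first lists users whose active responsibilities can reach the Menus form, then lists recently changed menu entries that have the grant flag set, with the user who changed them. It assumes the Menus form's function name is FND_FNDMNMNU, that FND_USER_RESP_GROUPS combines direct and role-inherited responsibility assignments, that FND_COMPILED_MENU_FUNCTIONS reflects the current menu compile, and that `:days_back` is a bind variable you supply; verify all of these on your instance.

```sql
-- Added example (not from the presentation): detect who can reach the
-- Menus form, and which grant-flagged menu entries changed recently.
-- Assumptions: Menus form function = FND_FNDMNMNU; FND_USER_RESP_GROUPS
-- includes inherited responsibilities; menus are compiled.

-- 1. Users whose active responsibilities include the Menus form
SELECT DISTINCT u.user_name,
       rv.responsibility_name
FROM   fnd_user u
       JOIN fnd_user_resp_groups urg
         ON urg.user_id = u.user_id
       JOIN fnd_responsibility_vl rv
         ON rv.responsibility_id = urg.responsibility_id
        AND rv.application_id    = urg.responsibility_application_id
       JOIN fnd_compiled_menu_functions cmf
         ON cmf.menu_id = rv.menu_id
       JOIN fnd_form_functions ff
         ON ff.function_id = cmf.function_id
WHERE  ff.function_name = 'FND_FNDMNMNU'           -- assumption: Menus form
AND    cmf.grant_flag   = 'Y'
AND    NVL(urg.end_date, SYSDATE + 1) > SYSDATE
AND    NVL(rv.end_date,  SYSDATE + 1) > SYSDATE
AND    NVL(u.end_date,   SYSDATE + 1) > SYSDATE
ORDER  BY u.user_name, rv.responsibility_name;

-- 2. Grant-flagged menu entries changed in the last :days_back days,
--    with the user who made the change (standard WHO columns)
SELECT mt.user_menu_name,
       me.entry_sequence,
       fft.user_function_name,
       me.grant_flag,
       me.last_update_date,
       upd.user_name          AS last_updated_by
FROM   fnd_menu_entries me
       JOIN fnd_menus_tl mt
         ON mt.menu_id  = me.menu_id
        AND mt.language = USERENV('LANG')
       LEFT JOIN fnd_form_functions_tl fft
         ON fft.function_id = me.function_id
        AND fft.language    = USERENV('LANG')
       LEFT JOIN fnd_user upd
         ON upd.user_id = me.last_updated_by
WHERE  me.grant_flag       = 'Y'
AND    me.last_update_date > SYSDATE - :days_back
ORDER  BY me.last_update_date DESC;
```

Cross-checking the first result set against the holders of the Functional Developer responsibility (the same query with that responsibility's own menu) gives the list of users who hold both halves of the combination the slide warns about, which is the list to reduce.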

Page 75: R12 User Management

Flexfield Security – Required in 12.2

Page 76: R12 User Management

Flexfield Value Set Security – FNDFFMSV – 12.2

■ Upon upgrade, users will not have access to any records in this form

■ Many ways to get to this form; our example:

■ GL > Setup > Financials > Flexfields > Validation > Values

Page 77: R12 User Management

Function and Data Security

■ Must set up function security to define what the user can do in the form

■ Grant by flexfield, report or value set

■ Grant to application, user, group

■ Must set up data security to define which values can be queried

■ Affects Independent and Dependent value sets.

■ Affects what privileges users have in the Segment Values form.

■ Note: Even if you create a new value set, you still won’t be able to assign values to that set until security is set up

Page 78: R12 User Management

Patch for 12.2.2

■ Apply this patch for 12.2.2 (not needed for 12.2.3)

■ Oracle Support Document 1589204.1 (Release 12.2.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1589204.1


Grant access to the data

■ Functional Administrator → Grants

■ This example – General Ledger, Vision Operations (USA) responsibility needs to see GL value sets for Vision Operations Accounting Flexfield


Data Security - Instance Set

■ Flexfield Value Set Security Object

■ Key Flexfield Structure by app id, key flexfield code and structure number


Other Instance Sets


Permission set for allowable actions

■ For this example, I chose to allow insert or update

■ Seeded permission sets for flexfield security


Results

■ Now I have access to all the value sets for the accounting flexfield
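Screenshots of the Grants page show what was entered, not what the grant resolves to. The query below is an added example, not from the presentation; it reads a grantee's active data security grants straight from the grant tables so the object, instance set predicate and permission set can be checked together. It assumes the standard tables FND_GRANTS, FND_OBJECTS, FND_OBJECT_INSTANCE_SETS and FND_MENUS, and it assumes that a responsibility's grantee key has the form FND_RESP|<application short name>|<responsibility key>|STANDARD (supplied here as the bind variable :grantee_key).

```sql
-- Added example (not from the presentation): every active data security grant
-- held by one grantee, with the object, instance set (and its predicate) and
-- permission set that the grant carries.
-- Assumes standard FND tables: FND_GRANTS, FND_OBJECTS,
-- FND_OBJECT_INSTANCE_SETS, FND_MENUS.
-- :grantee_key is a bind variable; for a responsibility it is assumed to look
-- like FND_RESP|GL|<responsibility key>|STANDARD.
SELECT o.obj_name,
       g.grantee_type,                    -- USER, GROUP or GLOBAL
       g.grantee_key,
       g.instance_type,                   -- SET, INSTANCE or GLOBAL
       ois.instance_set_name,
       ois.predicate,                     -- the WHERE clause the instance set applies
       pm.menu_name        AS permission_set,
       g.start_date,
       g.end_date,
       g.created_by,
       g.creation_date
  FROM fnd_grants g
  JOIN fnd_objects o
       ON o.object_id = g.object_id
  LEFT JOIN fnd_object_instance_sets ois
       ON ois.instance_set_id = g.instance_set_id
  LEFT JOIN fnd_menus pm
       ON pm.menu_id = g.menu_id
 WHERE g.grantee_key = :grantee_key
   AND g.start_date <= SYSDATE
   AND (g.end_date IS NULL OR g.end_date >= SYSDATE)
 ORDER BY o.obj_name, g.creation_date;
```

A grant with instance_type GLOBAL on a value set object is worth a second look: it opens every value set of that object to the grantee, whereas the walk-through above scoped the grant to one accounting flexfield structure through an instance set.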


Time Check for Next 3 topics


Where is UMX Applicable?


Where is UMX applicable?

■ “Not all products have adopted data security in their UIs. If a customer is considering data security in a particular module, it is advisable to first check with the product development if that module has the infrastructure for data security in place; otherwise, their data security policies will not be honored by the product UIs. Data Security policies can only be defined for applications that have been written to utilize the Data Security”

■ MOS ID 553290.1 “Introduction to the Grants Security System and Data Security”

■ Self research – what objects and/or permissions has Oracle defined


Where is UMX applicable?

■ MOS ID 1162403.1 “How Find Out Which Oracle Application Products Have Adopted Data Security Policies”

■ Use the following select statement to find objects / created by


Where is UMX applicable?

■ Use the following query to find seeded instance sets


Where is UMX applicable?

■ Permissions indicate that UMX will work for the product and usually provide a hint to the object

■ Use the following query to find permissions
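The three lookups the last three slides describe (objects and who created them, seeded instance sets, and permissions that point at an object) can be done with the queries below. They are added examples, not the queries shown on the slides; they assume the standard tables FND_OBJECTS, FND_OBJECT_INSTANCE_SETS, FND_FORM_FUNCTIONS, FND_APPLICATION and FND_USER, and that FND_FORM_FUNCTIONS carries an OBJECT_ID column linking a permission to its data object. The product is chosen with the bind variable :app_short_name (for example 'GL').

```sql
-- Added examples (not the slides' own queries): has Oracle seeded data security
-- objects, instance sets and permissions for a given product?
-- Assumes standard FND tables: FND_OBJECTS, FND_OBJECT_INSTANCE_SETS,
-- FND_FORM_FUNCTIONS (with OBJECT_ID), FND_APPLICATION, FND_USER.
-- :app_short_name is a bind variable, e.g. 'GL'.

-- 1. Data security objects owned by the product, and the user that created them.
SELECT o.obj_name,
       o.database_object_name,
       o.pk1_column_name,
       u.user_name      AS created_by_user,
       o.creation_date
  FROM fnd_objects o
  JOIN fnd_application a ON a.application_id = o.application_id
  LEFT JOIN fnd_user   u ON u.user_id        = o.created_by
 WHERE a.application_short_name = :app_short_name
 ORDER BY o.obj_name;

-- 2. Instance sets on those objects, with the predicate that scopes the rows.
SELECT o.obj_name,
       s.instance_set_name,
       s.predicate,
       u.user_name      AS created_by_user
  FROM fnd_object_instance_sets s
  JOIN fnd_objects     o ON o.object_id      = s.object_id
  JOIN fnd_application a ON a.application_id = o.application_id
  LEFT JOIN fnd_user   u ON u.user_id        = s.created_by
 WHERE a.application_short_name = :app_short_name
 ORDER BY o.obj_name, s.instance_set_name;

-- 3. Permissions tied to a data object: the hint that the product UIs check it.
SELECT ff.function_name,
       o.obj_name,
       u.user_name      AS created_by_user
  FROM fnd_form_functions ff
  JOIN fnd_objects     o ON o.object_id      = ff.object_id
  JOIN fnd_application a ON a.application_id = o.application_id
  LEFT JOIN fnd_user   u ON u.user_id        = ff.created_by
 WHERE a.application_short_name = :app_short_name
 ORDER BY o.obj_name, ff.function_name;
```

The created_by column is the point of the first query: rows created by a system account (SYSADMIN or another seeded user, depending on the instance) came with the product, while rows created by a named developer are local customizations and say nothing about whether the product's UIs honor data security.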


Security Reports


Security Reports

■ From User Management, Security Reports

■ Choose Report Type – the remaining screen repaints based on Type

▸ Example: select output format

▸ Choose Offline to get the underlying SQL

▸ MUST specify Role/Resp


Security Reports

■ Report Status

■ Output – click Output icon


Security Reports

■ For Log (and query), click Details, then View Log

■ Partial log shown


Security Reports

■ List of users with access to key User Management function

▸ Clicking ‘Show’ displays how assigned and by whom


Security Reports

■ List of users with access to view all concurrent requests

■ List of users with access to the user management role


R12.2 – Disable subscription to event oracle.apps.fnd.umx.requestapproved

■ Error that appears is ambiguous

■ Real error:

■ The rule function for the subscription to this event, AMW_VIOLATION_PVT.Do_On_Role_Assigned, is a non-existent package

■ Cause:

■ AMW-Internal Controls Manager has been replaced by GRC-Governance Risk and Compliance in 12.2

■ MOS note 1303189.1
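Before disabling the subscription, it helps to confirm that the rule function really does point at a package that is gone, and to see whether other subscriptions on the same event are affected. The query below is an added example, not from the presentation; it assumes the standard Workflow tables WF_EVENTS and WF_EVENT_SUBSCRIPTIONS, the ALL_OBJECTS dictionary view, and that subscription rule functions are PL/SQL packages owned by APPS and written as PACKAGE.PROCEDURE.

```sql
-- Added example (not from the presentation): subscriptions to the UMX
-- "request approved" event, with a check whether each rule function's
-- package still exists in the database.
-- Assumes standard tables WF_EVENTS, WF_EVENT_SUBSCRIPTIONS and the
-- ALL_OBJECTS view; assumes rule-function packages are owned by APPS.
SELECT e.name                         AS event_name,
       s.owner_name,
       s.owner_tag,
       s.phase,
       s.status,                      -- ENABLED or DISABLED
       s.rule_function,
       CASE
         WHEN s.rule_function IS NULL THEN 'N/A'
         WHEN pkg.object_name IS NULL THEN 'MISSING'
         ELSE 'PRESENT'
       END                            AS package_state
  FROM wf_event_subscriptions s
  JOIN wf_events e
       ON e.guid = s.event_filter_guid
  LEFT JOIN all_objects pkg
       ON pkg.owner       = 'APPS'                  -- assumption: APPS-owned packages
      AND pkg.object_type = 'PACKAGE'
      AND pkg.object_name = UPPER(SUBSTR(s.rule_function, 1,
                                         INSTR(s.rule_function, '.') - 1))
 WHERE e.name = 'oracle.apps.fnd.umx.requestapproved'
 ORDER BY s.phase;
```

A row showing the AMW rule function with package_state MISSING and status ENABLED is the one to disable; rows whose package is PRESENT should be left alone, since they are the subscriptions that actually process role assignment approvals.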


References

■ Oracle Applications System Administrator's Guide – Security

■ See Oracle User Management Developer Guide

■ My Oracle Support ID: 553547.1 – Data Security Terminology

■ My Oracle Support ID: 553290.1 – Introduction to the Grants Security System and Data Security

■ E-Business Suite User Management SIG

■ http://ebsumx.oaug.org/


Other Presentations

■ Create a role to administer a specific organization

■ Collaborate 2009: From Responsibilities to Roles: Moving Toward the Role Based Access Control (RBAC) Model

▸ Marquette University

■ Create a junior workflow administrator

■ Collaborate 2009: What’s New in Workflow: 11i RUP5, RUP6 and R12

▸ Karen Brownfield and Susan Behn


Collaborate 2014

■ UMX SIG Presentation

■ 15330 - E-Business Suite User Management SIG at Collaborate 14 on April 7th at 3:20 PM PST in Level 3, San Polo – 3401

■ Sara Woodhull - How to secure flexfields and value sets in user management

■ This new feature in R12 was specifically requested by this special interest group

■ We are making an impact and Oracle is listening!


About Infosemantics

■ Established in 2001

■ Customer Focused

■ People First

■ Global

■ Shared Expertise

■ For more information, go to our web site at www.Infosemantics.com

■ R12.1.3, R12.2, OBIEE public vision instances

■ Posted presentations on functional and technical topics


Questions? Comments?

Susan Behn

[email protected]

Thank You!!!