ERP Advisors Rated Profile Options Profile Name Form? Description / Comments Recommended Setting Personalize Self-Service Defn ITGCs No Hide Diagnostics menu entry ITGCs No If this profile option is set to, the user can perform "Admin Personalization" for OA Framework-based pages. These profiles control the Help->Diagnostics->Custom Code-> Personalize choice on the pull-down menu of Oracle Forms-based forms. The default value of FND_HIDE_DIAGNOSTICS (Hide Diagnostics menu entry) is, the Diagnostics menu entry is hidden. If it is set to No, the Diagnostics menu entry is visible to the user. If DIAGNOSTICS (Utilities:Diagnostics) is set to, then users can automatically use these features. No at Site level; at level when approved through the change management process to migrate a personalization. at Site level; at any level in Production - should not be allowed at any level in Production even if approved by management If Utilities:Diagnostics is set to No, then users must enter the password for the AP schema to use the Diagnostics features. If it is set to, then the user is able to change data directly at the database level for the data to which they have access. This could corrupt the data and invalidate your support agreement with Oracle. Having access to this is like the equivalent of having the 'APPS' password as it No at Site level; No at any level in Production - should not be provides DML access to database. Having access to this functionality also allows a allowed at any level in Production even if approved by Utilities:Diagnostics ITGCs No user to turn off Custom Code (such as personalizations) that may be used to management DBAs GL Ledger ID N/A ITGCs No This is derived by the system, not set directly, when the GL Set of Books Name is As needed GL Ledger Name ITGCs No Typically set at the Responsibility level for GL related responsibilities to identify the Ledger or Book to which the responsibility relates. As needed MO: Default Operating Unit Medium ITGCs MO: Operating Unit ITGCs No MO: Security Profile ITGCs No HR: Type HR / PAY No Determines the default operating unit when a user accesses a form that is MOAC enabled. This is used in conjunction with the MO: Security Profile profile option where MOAC is enabled Determines to which operating unit a responsibility can access data (update or inquiry) As needed. Sometimes this is set at the Site level for one Global Security Profile then overridden at the Responsibility level for other responsibilities not using that Global Security Profile As needed. Sometimes this is set at the Site level for one Operating Unit then overridden at the Responsibility level for other responsibilities not using that Operating Unit Typically set at the responsibility level. Sometimes this is set at the Site level for one Global Security Profile then overridden at the Responsibility level for other responsibilities not using that Global Security Profile Determines to which global security profile (MOAC) a responsibility can access data (update or inquiry) Limits field access on windows shared between Oracle Human Resources and Oracle roll. If you do not use Oracle roll, it must be set to HR for all responsibilities. If you do use Oracle roll, you can give each Responsibility one of the following user types, depending on the work role of the holders of the responsibility: HR, HR with roll, roll As needed per policy Signon Password Case ITGCs No Critical password configuration - determines whether or not the password is case sensitive Signon Password Failure Limit ITGCs No Critical password configuration - determines the number of attempts a user can try to enter their password before the account gets locked Should be set in all instances because otherwise this just invites a hacker to keep trying without the account being locked Signon Password Hard to Guess ITGCs No Critical password configuration - determines if the hard to guess criteria is enabled. Oracle defines a password as hard-to-guess if it follows these rules: o The password contains at least one letter and at least one number o The password does not contain repeating characters. o The password does not contain the username. Signon Password Length ITGCs No Critical password configuration - determines minimum length of the password To enable the highest level of security set this to YES level. Setting should be consistent with your corporate policy and be at least five characters Signon Password No Reuse ITGCs No Critical password configuration - determine the number of days before a password can be reused Signon Password Custom ITGCs No Critical password configuration - is used if you want to define your own password scheme (validated by custom Java code) in a custom Java class. This would be used if you have a more advanced and complex password value requirement that is not supported by the standard profile options This determines the level of Sign-On auditing. Levels are, Responsibility, and Form. If this is enabled, the system tracks basic sign-on information for each Sign-On:Audit Level ITGCs No session. Local Login Mask ITGCs Enables Self-Service Password Reset functionality Should be set to "Form" to capture maximum amount of audit data. We recommend you work with your DBAs and auditors to determine the purge criteria. The DBAs will want to purge more often than your auditors or Corporate Governance group would. A balance needs to be reached. Sign-On:Notification ITGCs Critical password configuration - determines whether or not users are notified when there have been failed login attempts for their user account FND: Developer Mode ITGCs Enables logging No at the Site level, set at the or Responsibility on an as needed, but temporary basis. Generally only set to only for debugging as this impact the performance. See No at all levels other than when debugging an issue in Production. Ideally debugging would be done in a clone of FND: Debug Log Enabled ITGCs No more at - How to Collect an FND Diagnostics Trace (aka FND:Debug) [ID 372209.1] Production rather than Production. Determines how much information is collected when the FND: Debug Log Enabled is set to "YES". Options are: LEVEL_UNEXPECTED : Internal Level Id is 6 LEVEL_ERROR : Internal Level Id is 5 LEVEL_EXCEPTION : Internal Level Id is 4 LEVEL_EVENT : Internal Level Id is 3 LEVEL_PROCEDURE : Internal Level Id is 2 FND: Debug Log Level ITGCs No LEVEL_STATEMENT : Internal Level Id is 1 Depends on your policy EGO: Organization Context ITGCs No This option stores the organization selected by a user. When the user logs in to the system, the system retrieves the organization from this option and uses it for the session. So this is set dynamically as the user changes organizations and, therefore, should not be set statically. Probably not wise to set this manually rather allow the system to generate it dynamically.
Profile Name Form? Description / Comments Recommended Setting GLDI: Journal Source Finl Close No Determines the default source in ADI / Web ADI. If this is wrong or is changed to a source that doesn't require journal approval, it would allow a user to enter a journal entry that is not subject to the journal approval workflow. This may result in a control violation depending on how your organization's journal entry and Typically this is set to Spreadsheet at the Site level and should approval controls are defined. not be overridden at any other level. GLDI: Force Journal to Balance Medium Finl Close No Determines whether JE's uploaded from ADI must balance GL process lead GL: Journal Review Required Finl Close Determines if Allocation journals that are a generated from the Mass Allocation process (formulas) are subject to the journal approval workflow process Typically this is set to YES at the Site level, but it depends on how the journal entry and approval controls are defined. This should not be overridden at any other level (Application, Responsibility) Journals: Allow Preparer Approval Finl Close No Journals: Find Approver Method Finl Close No Determines if the preparer of a journal entry can approve their own journal entry. The risk is determined by the journal entry and approval controls. If all journal entries should be subject to a secondary approval, then not setting this properly Typically this is set to NO at the Site level, but it depends on how would allow a user to enter and approve their own journal and result in a violation the journal entry and approval controls are defined. This should of your internal controls not be overridden at any other level (Application, Responsibility) This determines how an approval will be sought when the journal approval workflow is required. Options are: Go Up Management Chain, Go Direct, and One Stop Then Go Direct. It needs to be set according to how you policy expects the approval to be routed. The risk is that the configuration would not support the No specific recommendation. Make sure your policy and this policy. configuration are consistent / they match. ICX:Session Timeout Medium ITGCs No This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to reauthenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work. Depends on your policy GL Account Analysis Report: Enable Segment Value Security on Beginning/Ending Balances Finl Close No This profile option applies segment value security rules to the beginning and ending balances of the following Account Analysis reports: Account Analysis - (132 Char) Account Analysis (180 Char) Account Analysis - Foreign Currency (132 Char) Account Analysis - Foreign Currency (180 Char) The following values are available: No: Segment Value Security rules will only apply to the period activity, not the beginning and ending balances of the reports listed above. Thus, the above reports will display the beginning and ending balances for any secured segment values, but hide the period activity from view. YES: Segment Value Security rules will be applied to both the period activity and the beginning and ending balances of the reports listed above. The default value for this profile option is No. Control whether your defined security rules will apply to reports produced using FSG. The following values are available to you: : If security rules are defined that prevent you from accessing specific account segment values, then you cannot produce financial information for those same segment values when you run FSG reports. For example, if you are excluded from using any accounts for cost centers 100 and 200, then any balances for those same accounts will not appear on any FSG reports you might run. FSG: Enforce Segment Value Security Finl Close No No: Defined security rules are not used for FSG reporting purposes. at the Site level FND: Personalization Region Link Enabled ITGCs Used to enable Oracle Apps Personalization link on JSP pages. Enables approval of workflow approvals via email - does not require the user to authenticate with their credentials in order to make the approval. WF: GUEST Access to Notification ITGCs No From Oracle s Guide: This profile option helps control whether users must log in before they can access the Notification Details Web page from a notification. To enable guest access, which does not require an individual login, you must both set this profile option to Enabled and create a grant assigning the "Workflow Guest permission set" to the GUEST user. Depends on your policy JTF_INACTIVE_SESSION_TIMEOUT ITGCs This profile option affects CRM-based products only, and serves the same purpose as the ICX:Session Timeout profile. This profile option exists for legacy reasons, and its value should be set the same as ICX:Session Timeout.
Profile Name Form? Description / Comments Recommended Setting This profile option controls how users can reassign notifications. See: Setting the WF: Notification Reassign Mode Profile Option. Delegate - Provides users access to delegate a notification to another user while still retaining ownership of the notification. WF: Notification Reassign Mode ITGCs Transfer - Provides users access to transfer complete ownership of a notification to another user. Reassign - Provides users access to both the Delegate and Transfer reassign modes. This setting is the default value for this profile option. Depends on your policy. Generally most organizations set this to Transfer so that the person to whom the notification is transferred needs to have proper authority to respond to the workflow notification. WF: Vacation Rules - Allow All ITGCs No Set the profile option to Enabled if you want the "All" option to appear in the list of item types for vacation rules, or to Disabled if you do not want the "All" option to appear. If you choose Disabled, then users must always specify the item type to which a vacation rule applies. The WF: Vacation Rules - Allow All profile option must be set at site level. The default value is Enabled. Depends on your policy Journals: Override Reversal Method Finl Close No Journals: Allow Posting During Journal Entry (post button on Journals Entry form) (Rel 11.0 and earlier) Finl Close No GLDI: Analysis Wizard Privileges (allow use of Analysis Wizard) Finl Close No GL/MRC: Post Reporting Journals Automatically Finl Close No (if using MRC) ADI: Use Function Security Finl Close No PO: Allow Auto-generate Sourcing Rules No PO: Allow Autocreation of Oracle Sourcing Documents No PO: Allow Buyer Override in Autocreate Find PO: Allow Retroactive Pricing of POs No PO: Amount Billed Threshold Percentage No PO: Automatic Document Sourcing No PO: Change Supplier Site No PO: Price Tolerance (%) for Catalog Updates PO: Release During ReqImport Tax: Allow Manual Tax Lines No Tax: Allow Override of Customer Exemptions No Tax: Allow Override of Tax Code No AR: Update Due Date Cash No AR: Allow Update Of Existing Sales Credits Cash AR: Cash - Allow Actions Cash No AR: Receipt Batch Source Cash AR: Use Invoice Accounting For Credit Memos Cash No FND: Diagnostics Medium ITGCs AuditTrail:Activate ITGCs No HR:Cross Business Group HR / PAY No HR:Cross BG Duplicate Person Check Medium HR / PAY No Enables/Disables Logging (used to collect debug information) - should only be enabled when debug process is necessary for troubleshooting. This could cause a No unless needed for debugging a certain process then should significant amount of data to be collected unnecessarily if left enabled. only be enabled for a short period of time. Enables the use of the System Administrator audit trail functionality. Disabling this could disable the triggers being used to capture audit history as expected. Controls whether users of some HRMS windows can see certain information for more than one business group. Controls the duplicate person check functionality across multiple business groups in Oracle HRMS and Oracle SSHR. Set to to enable the duplicate person check functionality across business groups If not using native audit trail, this should be No, otherwise it needs to be ICX: Limit time Medium ITGCs No ICX: Limit connect Medium ITGCs No FND: Enable Cancel Query ITGCs No This profile option defines the maximum connection time for a connection regardless of user activity. If 'ICX:Session Timeout' is set to NULL, then the session will last only as long as 'ICX: Limit Time', regardless of user activity. This profile option defines the maximum number of connection requests a user can make in a single session. Note that other EBS internal checks will generate connection requests during a user session, so it is not just user activity that can increment the count. This allows a user to cancel a query submitted. Enabling this could cause performance issues. Discuss with DBAs - generally set to No POR: Days Needed By Medium Indicates the default number of days until the requester needs the order. This value is used to calculate the need by date. The risk would be a need by date that too long and the item not being received on time.
Profile Name Form? Description / Comments Recommended Setting PO: Default Need-By Time Medium Concurrent:Report Access Level Medium ITGCs No Initialization SQL Statement - Custom ITGCs No Initialization SQL Statement - Oracle ITGCs No Indicates that the time is defaulted to need-by dates in purchase order. This value is used to calculate the time on the need by date. The risk would be a need by date that too long and the item not being received on time. This profile determines access privileges to report output files and log files generated by a concurrent program. When it is set to YES which is typically at the Responsibility level, then others with the same Responsibility can see the output and log files of other users using the same Responsibility. I believe this is only relevant prior to R12. As per policy Using the profile option Initialization SQL Statement - Custom, you can add sitespecific initialization code, such as optimizer settings. This profile value must be a This could be used for a variety of purposes causing issues and valid SQL statement, or a PL/SQL block for more than one statement, that is to be any use of it should be peer-reviewed and be subject to the executed once at the startup of every database session. change management process. Per Oracle in its "Oracle E-Business Suite System Administrator's Guide - Configuration". This profile option is used by Oracle E-Business Suite. This profile option and its value settings are delivered as seed data, and must not be modified. Never make any change to the default value per Oracle. Create Seeded Personalizations ITGCs Used to enable Oracle Apps Personalization link on JSP pages. FND: Personalization Seeding Mode ITGCs Used to enable Oracle Apps Personalization link on JSP pages. HR: Enable Personalization ITGCs No Used to enable Oracle Apps Personalization link on JSP pages. POR: Require Blind Receiving No If this is set, and this setting matches the PO setting defaulting in the Receiving Controls form, the quantities are hidden when entering a receipt. If this is set incorrectly it could cause a deviation from control design if blind receiving is expected. As per policy ICX:Session Timeout ITGCs No Responsibility Trust Level ITGCs No Node Trust Level ITGCs No POS: External Responsibility Flag No This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to reauthenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work. This functionality is available via Patch 2012308 (included in 11.5.7, FND.E). Per Solution Beacon recommendations -- Note: Setting the profile value to greater than 30 minutes can drain the JVM resources and cause out of memory errors. As per policy The main significance of Responsibility Trust Level is to make a responsibility accessible from an external web tier when this profile option is set at These profile options should be set according to policy how your responsibility level equal to External. Only those responsibilities that have this technical architecture should be configured. This is typically set profile option against them will be accessible from External Middle tiers. The risk up at the Responsibility level only for the externally facing is that responsibilities that should not be externally facing are set to be. Responsibility(ies). This should NOT be set at the Site level. If this profile option is set to EXTERNAL for any server, the server is external facing - that is it can be accessed via a url outside the firewall. The risk is that servers that should not be externally facing are set to EXTERNAL making a public url These profile options should be set according to policy how your available on the world wide web. technical architecture should be configured. The main significance of this profile option is to make a responsibility accessible from an external web tier. This is specific to the isupplier module when this profile option is set at responsibility level set to "". Only those responsibilities These profile options should be set according to policy how your that have this profile option against them will be accessible from External Middle technical architecture should be configured. This is typically set tiers. The risk is that responsibilities that should not be externally facing are set to up at the Responsibility level only for the externally facing be. Responsibility(ies). This should NOT be set at the Site level. DateTrack:Date Security HR / PAY No DateTrack:Reminder Medium HR / PAY HR:Query Only Mode HR / PAY No Controls the way users can change their effective date: All (users can change to any date), Past (users can change to dates in the past only), Present(users cannot change their effective date), Future (users can change to dates in the future only). The risk is this is set contrary to what your organization's policy would require. Set according to your organization's policy Determines whether the Decision window appears when a date tracked window opens: Always (the window always appears), Never (the window never appears), Not Today (the window appears only if the effective date is not the system date). The risk is this is set contrary to what your organization's policy would require. Set according to your organization's policy Restricts access to view-only for all HR and roll forms on a menu. The risk is the is NOT set or is removed from the or Responsibility that is intended to be Set according to your organization's policy for a given user or query only - giving one or more users the ability to maintain HR data that they responsibility. This should NOT be set at the Application or Site should only be able to view. levels.
Profile Name Form? Description / Comments Recommended Setting This profile option is used to restrict access to the organizations, positions, and payrolls defined in the security profile. This option is seeded at Site level with the view-all security profile created for the Startup Business Group. Typically this is set at the responsibility level for each custom responsibility that needs access to a subset of organizations, positions, and payrolls to override the Site level setting where security is needed to be more granular. If you use Standard HRMS security you must set up the HR: Security Profile option for each responsibility. If you use Security Groups Enabled security you must not set up the HR: Security Profile option. This is set up automatically when you assign security profiles using the Assign Security Profile window. You must only change the HR: Security Profile option by assigning a different security profile to a responsibility using the Assign Security Profile window. HR: Security Profile ITGCs No The risk is setting wrong security profile to a responsibility or inappropriately setting it at the Site level that could allow one or more users to have access to data to which they shouldn't. Set according to your organization's policy This profile option determines the business group linked to a responsibility. This option is used online to control access to records that are not related to organization, position, or payroll. The Setup Business Group is defaulted at Site level. It is view only. If you use Standard HRMS security this option is automatically set up when you enter the HR: Security Profile profile option, except in cases where you are using a global security profile (that is, a security profile that does not specify a business group). In this case, you must specifically set up this option for each responsibility. If you use Security Groups Enabled security, this option is not user-configurable. The business group is determined when you create a security profile assignment using the Assign Security Profile window. HR:Business Group ITGCs No The risk is setting wrong business group to a responsibility or inappropriately setting it at the Site level that could allow one or more users to have access to data to which they shouldn't. Set according to your organization's policy GL: Debug Mode ITGCs Allow features in General Ledger to run in Debug Mode where additional messages are detailed in the log file. Debug Mode operates for many General Ledger features, such as Journal Import, Posting, Translation, Revaluation, Consolidation, Recurring Journals, and Mass Allocation. No at all levels other than when debugging an issue in Production. Ideally debugging would be done in a clone of Production rather than Production. Those profile options that have negligible risk in Production and may not be need to be subject to the Change Management process: JTF_PROFILE_DEFAULT_RESPONSIBILI TY Low ITGCs? Specifies the default responsibility for the Site Administration UI. Set to 21819 for the istore Administrator responsibility. Set at istore application level only. May be higher risk if you are using istore and this is set manually to the wrong responsibility. Often this is set dynamically by the system 'behind the scenes.' Specifies the default application ID. May be higher risk if you are using istore and this is set manually to the wrong responsibility. Often this is set dynamically by the system 'behind the scenes.' JTF_PROFILE_DEFAULT_APPLICATION Low ITGCs? IBE: Preferred Shipping Method Low?? ICX: Language Low ITGCs? Determines the default session language. ICX: Territory Low ITGCs? Printer:Type Low ITGCs? Printer Low ITGCs? ICX: Date format mask Low ITGCs? GL Journals: Last Find Window State Low ITGCs? Determines the date format mask to use. The American English default is DD- MON-RRRR, for example, 12-NOV-2002. JTF_PROFILE_DEFAULT_CURRENCY Low ITGCs? Viewer: Text Low ITGCs? Viewer: Application for HTML Low ITGCs? Viewer: Application for XML Low ITGCs? Viewer: Application for Text Low ITGCs? Viewer: Application for PCL ITGCs? Viewer: Application for PDF Low ITGCs? Sets the display viewer for text report output. Valid values are Browser and Report Viewer. If your system administrator has registered other applications for viewing text output, select the application from the list of values. The profile option Viewer: Text must be set to Browser to use this profile option.
Profile Name Form? Description / Comments Recommended Setting Viewer: Application for Postscript Low ITGCs? Export MIME type Low ITGCs? Determines how files are exported - such as text/tab-separated-values Applications Start page Low ITGCs? ICX: Preferred Currency Low ITGCs? This profile determines in which currency a user will see the currency number in the UI. For example, the source currency number might be stored in database such as 10.00 as US Dollar (USD), but the displayed currency number is based on the currency set in this profile option such as 1,200 as Japanese Yen (JPY). ICX: Date language ITGCs? Determines the date language to use. This impacts the default date format mask. ICX: Numeric characters Low ITGCs? Default Country Low ITGCs? Currency:Thousands Separator Low ITGCs? Currency:Positive Format Low ITGCs? Currency:Negative Format Low ITGCs? Currency:Mixed Precision Low ITGCs? Viewer:Default Font Size Low ITGCs? Enter the preferred decimal and group separators you want to display for numbers. For example, if you specify.. as the value for this profile option, you indicate that the decimal separator is a period and the group separator is a comma. When set to blank, the decimal and group separators are obtained from the nls_numeric_parameters setting in the database. This is the default source for the Country field for all address zones and is used by the Flexible Address Formats feature, the Flexible Bank Structures feature and the Tax Registration Number and Taxpayer ID validation routines. The profile can be set to any valid country listed in the Maintain Countries and Territories form and can be set to a different value for each user. You can separate your currency amounts in thousands by placing a thousands separator. For example, one million appears as 1,000,000. You can use different formats to identify positive currency values. The default condition is no special identifier. You can use different formats to identify negative currency. The default identifier is a hyphen ( - ) preceding the currency amount, as in "-xxx". Other options: Angle brackets < > < xxx > Trailing hyphen - xxx - Parentheses ( ) ( xxx ) Square Brackets [ ] [ xxx ] Use Mixed Currency Precision to specify how many spaces are available to the right of the decimal point when displaying numbers representing different currencies. Normally, currency numbers are right-justified. Using this new profile option, you can set the default font size used when you display report output in the Report Viewer. The valid values for this option are 6, 8, 10, 12, and 14.