R12 Surprises in User Management


Revised July, 2014
Susan Behn

Agenda
- Understanding User Management Principles
  - User Management Layers
  - Role Based Access Control Overview
  - Building Blocks for User Management
  - Modeling Security Policy: Basic Example
- Surprises
  - Read-only diagnostics
  - Access to Integration Repository
  - Grant worklist access
  - Cash Management Security Wizard for Bank Account Management
  - Access to concurrent reports
  - Access which bypasses UMX
  - Flexfield Value Set Security (new in 12.2)
- Additional Topics if Time Allows
  - What modules use UMX
  - Security Reports
  - Disable the subscription which grants AMW-Internal Controls Manager roles
- References

User Management Layers
- Core security levels 1 and 2 are accomplished through AOL or with grants and permissions
- Core security level 3 is required for some applications
- Administrative feature levels 4 to 6 are optional
- The layers, from the bottom up:
  1. What can a user do
  2. What data can a user see
  3. Grant access to roles that include function/data security
  4. Administer functions/data for specific groups
  5. Registration processes
  6. User access requests with AME approval processes

Role Based Access Control (RBAC)
- The RBAC standard supports mapping user access control to a user's role in the organization rather than to their unique identity
- Roles: a grouping of all the responsibilities, lower-level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task
- Role Categories: organize roles into groups

Components by Responsibility
- System Administrator responsibility: manage responsibilities and menus; create users
- User Management responsibility: layers 3 and up
- Functional Administrator responsibility: function security layer
- Functional Developer responsibility: data security layer

User Management Building Blocks: Objects
- Objects define the data to be secured: a table or view
  - Stored in FND_OBJECTS, FND_OBJECTS_TL
- Object Instance Sets: the WHERE clause for an object
  - Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL
- Managed in the Functional Developer responsibility

User Management Building Blocks: Permissions
- Two types: function and data
- Function security permissions control access to abstract functions
  - Example: the executable function is access to the User Management Roles & Role Inheritance form; the abstract functions are defined as role permissions: Create Role, Assign Role, Manage Role, Revoke Role
- Data security permissions control access to objects; the data is limited by the WHERE clause
- Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL

User Management Building Blocks: Permission Sets
- A grouping of permissions; example: All User Administration Privileges
- A permission set can contain other permission sets
- Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL

User Management Building Blocks: Grants
- Provide permissions for actions on a specified object
- Attach function permissions and data permissions (data security policies) to a grantee
- Grantee: who gets the grant
  - A role or group
  - A specific user
  - All Users
- Data Security Policy: a grant that includes both an object and a permission set
- Stored in FND_GRANTS

STACKING UP THE BUILDING BLOCKS

Modeling Security Policies
- Step 1: Assign access to user management to the appropriate users
- Step 2: Identify or create permissions/permission sets that group functions (function security)
- Step 3: Identify or create product-seeded objects / object instance sets (data security)
- Step 4: Identify seeded grants / create grants
- Step 5: Assign role

Step 1: Grant access to user management to the appropriate user(s)

Managing Users (Step 1)
- By default, only SYSADMIN has access to User Management
- Assign a user management role to the appropriate user: search for the user and click the pencil to edit

Managing Users (Step 1)
- Click the Assign Roles button to add a role, then click the Apply button

Managing Users (Step 1)
- Search for the Security Administrator role, check the box and click Select
- Other seeded security roles include Customer Administrator and Administrator
  - Customer Administrator: manage users with party type = customer
  - Administrator: manage users with party type = partner

Managing Users (Step 1)
- Enter a justification and click Apply
- The User Management responsibility is inherited by assigning this role

Managing Users (Step 1)
- In System Administrator > User > Define, User Management is shown as an indirect responsibility

STEP 2 IDENTIFY SEEDED PERMISSIONS CREATE PERMISSIONS

Permissions
- To demonstrate function security, Approvals Management will be used as the example
- A user will be given access to perform all functions in Approvals Management
- To gain familiarity with the permissions available, go to Functional Administrator > Permissions and search for seeded permissions

Permissions
- There are 16 permissions available for AME
- Click the Update button to examine the AME Action Create permission

Permissions
- This permission belongs to one permission set with the same name as the permission

Permission Set
- In our example, we want the user to have access to ALL functions for the transaction type AP Invoice Approval
- Go to the Permission Set tab to see the permission set for all AME functions, which is AME All Permission Sets
- Note that this permission set includes other permission sets

STEP 3 SEEDED OBJECTS

Seeded Objects
- To demonstrate data security, Approvals Management will again be used as the example
- A user will be given access to manage the approval process for the payables invoice approval
- Go to Functional Developer > Objects to search for the available seeded objects
- If an object is not available, you can create objects

Seeded Objects
- Tip: query by responsibility to get familiar with what is seeded
- Click Update to view details, but avoid changing seeded objects

Seeded Objects
- Two columns are included which can be used to limit access
- Note the Object Instance Sets tab and the Grants tab

Seeded Objects
- Click on the Object Instance Sets tab for this object to view the WHERE clause
- The predicate lets the user enter the parameters that select the application and transaction type in the grant

STEP 4 IDENTIFY SEEDED GRANTS CREATE GRANTS

Grants
- Create the grant to allow SBEHN to perform all AME functions for the payables invoice approval transaction type
- Click on the Grants tab; notice this takes you to the same form you see in the Functional Administrator responsibility
- We are going to enter an object to establish a Data Security Policy

Grants
- Enter the name, description, grantee type and grantee
- Enter the object name and click Next

Grants
- Choose the context to limit rows; for this example, choose Instance Set

Grants
- We already determined there is an AME Transaction Type instance set; choose this value and click Next

Grants
- Now enter the values for the parameters we saw earlier in the object instance set; the predicate is displayed for reference
  - Parameter 1 is the application
  - Parameter 2 is the AME transaction type

Grants
- Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set AME All Permission Sets

Grants
- The final page is a review page; click Finish and the confirmation page will appear
- You now have access to the data and to the functions you can perform on that data; click OK

Role Based Access Control
- In step 1, we gave someone access to user management
- In step 2, we identified the AME All Permission Sets permission set to provide function security
- In step 3, we identified the AME Transaction Types object to provide data security
- In step 4, we joined the function and data security together in a grant to allow SBEHN to perform all AME functions for Payables Invoice Approvals
- But the user still does not have access to the responsibility used to manage AME

STEP 5 ASSIGN RESPONSIBILITIES TO ROLES

Assign Roles
- Assign AME roles to SBEHN the same way we assigned the Security Administrator role
- Query the user and click the pencil

Assign Roles
- Click the Assign Roles button

Seeded Roles
- Choose the Approvals Management Administrator role and provide a justification
- This grants multiple roles, shown in the hierarchy below, and two responsibilities having a code starting with FND_RESP

Seeded Roles
- Below is a partial list of products with seeded roles; this changes frequently
  - Approvals Management
  - Diagnostics
  - Learning Management
  - Territory Management
  - User Management
  - Integration Repository
  - iReceivables
  - iSetup
  - Integrated SOA Gateway (new)
- To see what is new after patches, look for roles in the User Management responsibility or query WF_ALL_ROLES_VL
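As an added example (not from the presentation), the two queries below verify what steps 1 to 5 actually produced for a user, using the FND and WF tables named on the slides. The column names, the DIRECT/inherited interpretation of ASSIGNING_ROLE, and the USER/GROUP/GLOBAL grantee-type codes are assumed from standard R12 and should be checked against your instance.

```sql
-- Added example, not part of the presentation. Run as APPS (or a read-only
-- account with SELECT on the FND/WF tables) and bind :user_name to the user
-- being reviewed, e.g. SBEHN. Column names and the grantee-type codes
-- (USER, GROUP, GLOBAL) are assumed from standard R12 FND/WF tables.

-- 1. Roles and responsibilities the user holds, and how each one arrived.
--    A role whose assigning role is itself was assigned directly; anything
--    else was inherited, which is how User Management showed up as an
--    "indirect" responsibility after the Security Administrator role was
--    assigned in step 1. Responsibility-roles carry names starting FND_RESP.
SELECT ura.role_name,
       r.display_name,
       CASE WHEN ura.assigning_role = ura.role_name THEN 'DIRECT'
            ELSE 'INHERITED VIA ' || ura.assigning_role END AS how_assigned,
       CASE WHEN ura.role_name LIKE 'FND_RESP%' THEN 'RESPONSIBILITY'
            ELSE 'ROLE' END                                AS kind,
       ura.start_date,
       ura.end_date
  FROM wf_user_role_assignments ura
  JOIN wf_all_roles_vl r ON r.name = ura.role_name
 WHERE ura.user_name = :user_name
   AND (ura.end_date IS NULL OR ura.end_date > SYSDATE)
 ORDER BY kind, ura.role_name;

-- 2. Data security policies that apply to the user: grants made to the user
--    directly, to any role/group the user holds, or to all users (GLOBAL).
--    Each row shows the object, the instance set's WHERE clause (predicate),
--    the parameter values substituted into it (e.g. the application and AME
--    transaction type entered in step 4), and the permission set that lists
--    the functions allowed on that data.
SELECT g.name                 AS grant_name,
       g.grantee_type,
       g.grantee_key,
       o.obj_name             AS object_name,
       g.instance_type,                       -- GLOBAL, SET or INSTANCE
       ois.instance_set_name,
       ois.predicate,
       g.parameter1,
       g.parameter2,
       m.menu_name            AS permission_set,
       g.start_date,
       g.end_date
  FROM fnd_grants g
  LEFT JOIN fnd_objects o                ON o.object_id = g.object_id
  LEFT JOIN fnd_object_instance_sets ois ON ois.instance_set_id = g.instance_set_id
  LEFT JOIN fnd_menus m                  ON m.menu_id = g.menu_id
 WHERE (g.end_date IS NULL OR g.end_date > SYSDATE)
   AND (   (g.grantee_type = 'USER'  AND g.grantee_key = :user_name)
        OR (g.grantee_type = 'GROUP' AND g.grantee_key IN
              (SELECT role_name
                 FROM wf_user_role_assignments
                WHERE user_name = :user_name
                  AND (end_date IS NULL OR end_date > SYSDATE)))
        OR  g.grantee_type = 'GLOBAL')
 ORDER BY g.grantee_type, object_name, grant_name;
```

For the worked example, query 2 should return the step-4 grant on the AME Transaction Types object with the AME All Permission Sets menu, and query 1 the Security Administrator and Approvals Management Administrator roles plus their inherited FND_RESP entries.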

R12 Surprises

Read-Only Diagnostics

Read-Only Diagnostics in 12.1.3
- Function security (outside of UMX)
- Set the profile option Hide Diagnostics Menu Entry to No
- Assign one or more of the read-only subfunctions to the menu where this functionality is needed
- The APPS password will not be requested in read-only mode

Read-Only Diagnostics 12.1.3 Example
- Payables, Vision Operations (USA) responsibility linked to menu AP_NAVIGATE_GUI12
- Leave Prompt and Submenu null

Integration Repository

New Surprises: Access to Integration Repository
- Release 11i: http://irep.oracle.com/ (as of March 2014 the above link is not working)
- Early R12: assign the responsibility Integrated SOA Gateway
- Release 12.1+: assign one of the following roles

Grant Worklist Access

Grant Worklist Access
- From the form, click the Worklist Access link
- To limit the security risk, request this functionality from system administrators
- From the Functional Administrator responsibility, Grants tab, click Create Grant

Grant Worklist Access
- Select a specific user
- The data security object is Notifications

Grant Worklist Access
- Seeded instance set: User that Grantee can see
- Abstract Functions

Grant Worklist Access: Results

Grant Worklist Access
- By default, notifications are limited to active workflows or those in lookup type WF_RR_ITEM_TYPES
- To limit this access to specific workflow types, enter them in Parameter2 (a hidden parameter)
- Note: the predicate does not list Parameter2; Parameter2 stores the specific workflows

Cash Management Security Wizard

Cash Management Bank Account Security
- Grant access to manage banks to the responsibility Cash Management, Vision Operations (USA)
- Go to User Management > Roles & Role Inheritance
- In the Type field, select Roles and Responsibilities
- In the Category field, select Miscellaneous
- In the Application field, select Cash Management, then click Go

Cash Management Bank Account Security
- Click on the pencil to update the correct responsibility

Cash Management Bank Account Security
- Click on the Security Wizard button
- On the next page, click the icon to run the CE UMX Security Wizard

Cash Management Bank Account Security
- Click the button to add legal entities
- Select the legal entities this responsibility will manage

Cash Management Bank Account Security
- Check the boxes for the privileges needed for this responsibility and apply your changes
- Repeat these steps for additional responsibilities

View Concurrent Requests

New Surprises: Access to Concurrent Requests
- The profile option Concurrent Report Access Level is obsolete in 12.1
  - It allowed users to see all concurrent requests in a responsibility
- Except for View Own and System Administrator View Logs, this functionality is replaced by RBAC permissions
- See My Oracle Support ID 737547.1

View Others' Requests: Object
- Start with the seeded Concurrent Requests data object shown below

View Others' Requests: Permission Set / Permission
- The Request Operations permission set includes permissions to submit and view requests

View Others' Requests: Instance Sets
- Several object instance sets are seeded, or you can create your own

View Others' Requests: Seeded Instance Sets
- Examples of seeded object instance sets:
  - View all my requests from any responsibility (more efficient than trying to remember where you ran a request)
  - View my requests for the application identified by parameter 2

View Others' Requests: Create Instance Sets
- From Functional Developer > Objects, query the object
- Click the link in the Name column, then the Object Instance Sets tab, then Create Instance Set

View Others' Requests: Create Instance Sets
- Any user of a responsibility can see all requests in that responsibility: an exact replacement of the obsolete profile option
- MOS ID 804296.1 R12: How To Configure Access To Request Output Of The Same Responsibility

View Others' Requests: Site Level Grant for All Responsibilities
- Grant the new instance set to All Users
- All users can see requests only in the responsibility that ran the request

View Others' Requests: Operating Unit Level
- Same as the previous example but limited by operating unit
- Grant the new instance set to a specific operating unit or responsibility
- Repeat for each desired operating unit
- Users can still only see requests in the responsibility that ran the request

View Others' Requests: User Level
- Recommended only for help desk/support users who have limited responsibilities in Production
- Can see any request regardless of which responsibility is currently in use
- Access: to All or to Specific Requests; grantee: a specific user
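Turning the per-user view around, the added example below (not from the presentation) lists every active grant on the Concurrent Requests object so you can see at which of the three levels just described visibility into other people's requests was opened. It assumes the object's translated display name is 'Concurrent Requests', that the FND_GRANTS CTX_RESP_ID / CTX_RESP_APPL_ID / CTX_ORG_ID columns hold the responsibility or operating-unit scope, and that LISTAGG is available (11gR2 or later).

```sql
-- Added example, not part of the presentation. Lists every active grant on
-- the seeded Concurrent Requests object: a GLOBAL grantee is the site-level
-- case, the CTX_* columns show an operating-unit or responsibility scope,
-- and a USER grantee is the user-level (help desk) case from the slides.
-- Object display name and FND_GRANTS column names are assumed from
-- standard R12 and should be checked against your instance.
SELECT g.name                    AS grant_name,
       CASE g.grantee_type
         WHEN 'GLOBAL' THEN 'SITE: all users'
         WHEN 'GROUP'  THEN 'ROLE/RESP: ' || g.grantee_key
         WHEN 'USER'   THEN 'USER: ' || g.grantee_key
         ELSE g.grantee_type || ': ' || g.grantee_key
       END                       AS granted_to,
       resp.responsibility_name  AS scoped_to_responsibility,
       g.ctx_org_id              AS scoped_to_org_id,
       g.instance_type,
       ois.instance_set_name,
       ois.predicate,
       g.parameter1,
       g.parameter2,
       m.menu_name               AS permission_set,
       g.start_date,
       g.end_date
  FROM fnd_grants g
  JOIN fnd_objects_tl ot
    ON ot.object_id = g.object_id
   AND ot.language  = USERENV('LANG')
  LEFT JOIN fnd_object_instance_sets ois ON ois.instance_set_id = g.instance_set_id
  LEFT JOIN fnd_menus m                  ON m.menu_id = g.menu_id
  LEFT JOIN fnd_responsibility_vl resp
    ON resp.responsibility_id = g.ctx_resp_id
   AND resp.application_id   = g.ctx_resp_appl_id
 WHERE ot.display_name = 'Concurrent Requests'
   AND (g.end_date IS NULL OR g.end_date > SYSDATE)
 ORDER BY CASE g.grantee_type WHEN 'GLOBAL' THEN 1 WHEN 'GROUP' THEN 2 ELSE 3 END,
          g.name;

-- The named users behind the USER-level grants above, with their other
-- active roles, so the "limited responsibilities in Production" condition
-- the slides attach to this level can be checked for each of them.
SELECT g.grantee_key AS user_name,
       LISTAGG(ura.role_name, ', ') WITHIN GROUP (ORDER BY ura.role_name) AS active_roles
  FROM fnd_grants g
  JOIN fnd_objects_tl ot
    ON ot.object_id = g.object_id
   AND ot.language  = USERENV('LANG')
  LEFT JOIN wf_user_role_assignments ura
    ON ura.user_name = g.grantee_key
   AND (ura.end_date IS NULL OR ura.end_date > SYSDATE)
 WHERE ot.display_name = 'Concurrent Requests'
   AND g.grantee_type  = 'USER'
   AND (g.end_date IS NULL OR g.end_date > SYSDATE)
 GROUP BY g.grantee_key
 ORDER BY g.grantee_key;
```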

Diagnostic Permission Sets
- Permission sets are now available for all Diagnostic menu items, starting in R12.1.3

Setup Profile Options (R12.1.3+)
- Utilities: Diagnostics set to Yes (not secure)
- RBAC: create a role with the permission set FND Diagnostics Personalizations Menu and assign it as needed

Security Hole

Access to the Menus Screen Can Bypass UMX Function Security
- Security hole: access to the Menus form allows a user to bypass UMX function security
- The Grant flag can be checked, and then responsibility assignment displays the menu
- Menus can be duplicated with the Grant flag checked
- If the user then also has access to create data security grants through the Functional Developer responsibility, you end up with a major security gap
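A detective control for the gap just described, as an added example that is not part of the presentation: part 1 surfaces recent Grant-flag changes on menu entries with the user who made them, and part 2 finds the users who hold a responsibility exposing such a menu and also hold the Functional Developer responsibility. GRANT_FLAG = 'Y', the audit columns on FND_MENU_ENTRIES and the FND_USER_RESP_GROUPS view are assumed from standard R12.

```sql
-- Added example, not part of the presentation: a detective control for the
-- Menus-form bypass described above. Part 1 lists menu entries whose Grant
-- flag is checked and that were created or updated in the last :days_back
-- days, naming the user who made the change, so non-seeded grant-flag
-- changes can be reviewed. GRANT_FLAG = 'Y' and the audit columns are
-- assumed from the standard R12 FND_MENU_ENTRIES table.
SELECT mt.user_menu_name                                AS menu,
       me.entry_sequence,
       fft.user_function_name                           AS function_with_grant,
       smt.user_menu_name                               AS submenu_with_grant,
       NVL(cu.user_name, TO_CHAR(me.created_by))        AS created_by,
       me.creation_date,
       NVL(lu.user_name, TO_CHAR(me.last_updated_by))   AS last_updated_by,
       me.last_update_date
  FROM fnd_menu_entries me
  JOIN fnd_menus_tl mt
    ON mt.menu_id = me.menu_id AND mt.language = USERENV('LANG')
  LEFT JOIN fnd_form_functions_tl fft
    ON fft.function_id = me.function_id AND fft.language = USERENV('LANG')
  LEFT JOIN fnd_menus_tl smt
    ON smt.menu_id = me.sub_menu_id AND smt.language = USERENV('LANG')
  LEFT JOIN fnd_user cu ON cu.user_id = me.created_by
  LEFT JOIN fnd_user lu ON lu.user_id = me.last_updated_by
 WHERE me.grant_flag = 'Y'
   AND me.last_update_date >= TRUNC(SYSDATE) - :days_back
 ORDER BY me.last_update_date DESC;

-- Part 2: the "major security gap" combination from the slide. Starting from
-- one flagged menu (:menu_id from Part 1), walk up the menu tree through
-- every parent (sub_menu_id -> menu_id) to find the responsibilities whose
-- top menu now exposes the granted entry, then keep only the users who hold
-- one of those responsibilities AND the Functional Developer responsibility
-- (so they could also create data security grants). FND_USER_RESP_GROUPS is
-- assumed to be the user-to-responsibility assignment view.
SELECT u.user_name,
       r.responsibility_name AS exposing_responsibility
  FROM fnd_user_resp_groups urg
  JOIN fnd_user u ON u.user_id = urg.user_id
  JOIN fnd_responsibility_vl r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id    = urg.responsibility_application_id
 WHERE (urg.end_date IS NULL OR urg.end_date > SYSDATE)
   AND (r.menu_id = :menu_id
        OR r.menu_id IN (SELECT me.menu_id
                           FROM fnd_menu_entries me
                          START WITH me.sub_menu_id = :menu_id
                        CONNECT BY NOCYCLE PRIOR me.menu_id = me.sub_menu_id))
   AND EXISTS (SELECT 1
                 FROM fnd_user_resp_groups fd
                 JOIN fnd_responsibility_vl fr
                   ON fr.responsibility_id = fd.responsibility_id
                  AND fr.application_id    = fd.responsibility_application_id
                WHERE fd.user_id = u.user_id
                  AND (fd.end_date IS NULL OR fd.end_date > SYSDATE)
                  AND fr.responsibility_name = 'Functional Developer')
 ORDER BY u.user_name, r.responsibility_name;
```

Scheduling part 1 as a daily report and treating any row whose creator is not a seed user as a change to be reviewed turns the slide's warning into a repeatable control.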

Flexfield Security Required in 12.2

Flexfield Value Set Security (FNDFFMSV) in 12.2
- Upon upgrade, users will not have access to any records in this form
- There are many ways to get to this form; our example: GL Setup > Financials > Flexfields > Validation > Values

Function and Data Security
- Must set up function security to define what the user can do in the form
  - Grant by flexfield, report or value set
  - Grant to application, user, group
- Must set up data security to define which values can be queried
  - Affects Independent and Dependent value sets
  - Affects what privileges users have in the Segment Values form
- Note: even if you create a new value set, you still will not be able to assign values to that set until security is set up

Patch for 12.2.2
- Apply this patch for 12.2.2 (not needed for 12.2.3)
- Oracle Support Document 1589204.1 (Release 12.2.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C) can be found at: https://support.oracle.com/epmos/faces/documentdisplay?id=1589204.1

Grant Access to the Data
- Functional Administrator > Grants
- This example: the General Ledger, Vision Operations (USA) responsibility needs to see the GL value sets for the Vision Operations Accounting Flexfield

Data Security: Instance Set
- Object: Flexfield Value Set Security
- Instance set: Key Flexfield Structure, by application id, key flexfield code and structure number

Other Instance Sets

Permission Set for Allowable Actions
- For this example, I chose to allow insert or update
- Seeded permission sets for flexfield security

Results
- Now I have access to all the value sets for the accounting flexfield

Time Check for Next 3 Topics

Where is UMX Applicable?

Where is UMX Applicable?
- Not all products have adopted data security in their UIs. If a customer is considering data security in a particular module, it is advisable to first check with product development whether that module has the data security infrastructure in place; otherwise, the data security policies will not be honored by the product UIs.
- Data Security policies can only be defined for applications that have been written to utilize Data Security (MOS ID 553290.1 Introduction to the Grants Security System and Data Security)
- Self research: what objects and/or permissions has Oracle defined?

Where is UMX Applicable?
- MOS ID 1162403.1 How to Find Out Which Oracle Application Products Have Adopted Data Security Policies
- Use the following select statement to find objects and who created them

Where is UMX Applicable?
- Use the following query to find seeded instance sets

Where is UMX Applicable?
- Permissions are indicative that UMX will work and usually provide a hint to the object
- Use the following query to find permissions
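The three lookups the slides refer to are not carried in this transcript, so the following is an added example written for this page from the FND table names given earlier in the deck; it is neither Oracle's nor the presenter's SQL. Column names and the reading of MENU_TYPE = 'SECURITY' as the marker of a permission-set menu are assumed from standard R12 and should be verified against your data dictionary.

```sql
-- Added example, not part of the presentation; the slides refer to three
-- lookups but the transcript does not carry the SQL, so these are written
-- here from the FND table names given earlier in the deck. Column names and
-- the meaning of MENU_TYPE = 'SECURITY' (permission-set menus) are assumed
-- from standard R12 and should be verified against your data dictionary.

-- 1. Data security objects by product, with who created them. A seeded
--    creator and a product-owned database object indicate that the product
--    has adopted data security; objects created by a named site user are
--    custom ones added locally.
SELECT a.application_short_name,
       o.obj_name,
       ot.display_name,
       o.database_object_name,
       NVL(u.user_name, TO_CHAR(o.created_by)) AS created_by,
       o.creation_date
  FROM fnd_objects o
  JOIN fnd_objects_tl ot
    ON ot.object_id = o.object_id AND ot.language = USERENV('LANG')
  JOIN fnd_application a ON a.application_id = o.application_id
  LEFT JOIN fnd_user u   ON u.user_id = o.created_by
 ORDER BY a.application_short_name, o.obj_name;

-- 2. Instance sets per object, with the predicate (WHERE clause) each one
--    applies and how many grants currently use it.
SELECT a.application_short_name,
       o.obj_name,
       ois.instance_set_name,
       oist.display_name,
       ois.predicate,
       (SELECT COUNT(*)
          FROM fnd_grants g
         WHERE g.instance_set_id = ois.instance_set_id
           AND (g.end_date IS NULL OR g.end_date > SYSDATE)) AS active_grants
  FROM fnd_object_instance_sets ois
  JOIN fnd_object_instance_sets_tl oist
    ON oist.instance_set_id = ois.instance_set_id
   AND oist.language        = USERENV('LANG')
  JOIN fnd_objects o     ON o.object_id = ois.object_id
  JOIN fnd_application a ON a.application_id = o.application_id
 ORDER BY a.application_short_name, o.obj_name, ois.instance_set_name;

-- 3. Permissions, i.e. functions that appear in a permission-set menu, and
--    the permission sets holding them, counted per product. A product with
--    many permissions almost certainly has objects and instance sets too,
--    which is the hint the slide refers to.
SELECT a.application_short_name,
       COUNT(DISTINCT f.function_id) AS permissions,
       COUNT(DISTINCT m.menu_id)     AS permission_sets
  FROM fnd_menus m
  JOIN fnd_menu_entries me  ON me.menu_id = m.menu_id AND me.function_id IS NOT NULL
  JOIN fnd_form_functions f ON f.function_id = me.function_id
  JOIN fnd_application a    ON a.application_id = f.application_id
 WHERE m.menu_type = 'SECURITY'
 GROUP BY a.application_short_name
 ORDER BY permissions DESC, a.application_short_name;
```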

Security Reports

Security Reports
- From User Management, choose Security Reports
- Choose the Report Type; the remaining screen repaints based on the type
- Example: select the output format; you MUST specify Role/Resp; choose Offline to get the underlying SQL

Security Reports
- Report Status: for the output, click the Output icon

Security Reports
- For the log (and query), click Details, then View Log; a partial log is shown

Security Reports
- List of users with access to a key User Management function
- Clicking Show displays how it was assigned and by whom

Security Reports
- List of users with access to view all concurrent requests
- List of users with access to the user management role

R12.2: Disable the Subscription to Event oracle.apps.fnd.umx.requestapproved
- The error that appears is ambiguous
- Real error: The rule function for the subscription to this event, AMW_VIOLATION_PVT.Do_On_Role_Assigned, is a non-existent package
- Cause: AMW-Internal Controls Manager has been replaced by GRC-Governance Risk and Compliance in 12.2
- MOS note 1303189.1

References
- Oracle Applications System Administrator's Guide - Security
- Oracle User Management Developer Guide
- My Oracle Support ID 553547.1 Data Security Terminology
- My Oracle Support ID 553290.1 Introduction to the Grants Security System and Data Security
- E-Business Suite User Management SIG: http://ebsumx.oaug.org/

Other Presentations
- Create a role to administer a specific organization: Collaborate 2009, From Responsibilities to Roles: Moving Toward the Role Based Access Control (RBAC) Model, Marquette University
- Create a junior workflow administrator: Collaborate 2009, What's New in Workflow: 11i RUP5, RUP6 and R12, Karen Brownfield and Susan Behn

Collaborate 2014 UMX SIG Presentation
- 15330 - E-Business Suite User Management SIG at Collaborate 14 on April 7th at 3:20 PM PST in Level 3, San Polo 3401
- Sara Woodhull - How to secure flexfields and value sets in user management
- This new feature in R12 was specifically requested by this special interest group
- We are making an impact and Oracle is listening!

About Infosemantics
- Established in 2001
- Customer Focused, People First, Global Shared Expertise
- For more information, go to our web site at www.infosemantics.com
- R12.1.3, R12.2, OBIEE public vision instances
- Posted presentations on functional and technical topics

Questions? Comments?
Thank You!!!
Susan Behn
Susan.Behn@Infosemantics.com