Post on 09-May-2020
R12 Surprises in User Management
Revised July, 2014
Susan Behn
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
2
Agenda■ Understanding User Management Principles
■ User Management Layers■ Role Based Access Control Overview■ Building Blocks for User Management■ Modeling Security Policy Basic Example
■ Surprises■ Read only diagnostics■ Access to integration repository■ Grant worklist access■ Cash Management Security Wizard for Bank Account Management■ Access to concurrent reports■ Access which bypasses UMX■ Flexfield Value Set Security (New in 12.2)
■ Additional Topics if Time Allows■ What modules use UMX Security Reports ■ Disable subscription which grants AMW-Internal Controls Manager roles
(if time allows)
■ References
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
3
User Management Layers
■ Core security – levels 1 – 2 is accomplished through AOL or with grants and permissions
■ Core security – level 3 is required for some apps
■ Administrative features – levels 4 – 6 are optional
6 User access requests with AME
Approval Processes
5 Registration processes
4 Administer functions/data for
specific groups
3 Grant access to roles that
include function/data security
2 What data can a user see
1 What can a user do
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
4
Role Based Access Control
■ RBAC – The RBAC standard supports the mapping of user access control based upon a user’s role in the organization rather than their unique identity
■ Roles – a grouping of all the responsibilities, lower level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task
■ Role Categories – Organize roles into groups
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
5
Components by Responsibility
■ System Administrator Responsibility
■ Manage responsibilities and menus; Create users
■ User Management – Layers 3 and up
■ Functional Administrator Responsibility
■ Function Security Layer
■ Functional Developer Responsibility
■ Data Security Layer
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
6
User Management Building Blocks
■ Objects
■ Define data to be secured – a table or view
■ Stored in FND_OBJECTS, FND_OBJECTS_TL
■ Object Instance Sets
■ The “WHERE” clause for an object
■ Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL
■ Managed in Functional Developer Responsibility
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
7
User Management Building Blocks
■ Permissions – 2 types – function and data
■ Function Security Permissions – control access to abstract functions
▸ Examples■ Executable function is access to User Management Roles &
Role Inheritance Form
■ Abstract functions are defined as role permissions
▸ Create Role – Assign Role
▸ Manage Role – Revoke Role
■ Data Security Permissions – control access to objects
▸ Data limited by where clause
■ Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
8
User Management Building Blocks
■ Permission Sets
■ Grouping of permissions
▸ Example: All User Administration Privileges
■ A permission set can contain other permission sets
■ Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
9
User Management Building Blocks
■ Grants
■ Provide permissions for actions on a specified object
▸ Attach function permissions and data permissions (data security polices) to grantee
■ Grantee
■ Who gets the grant
▸ A role or group
▸ A specific user
▸ All Users
■ Data Security Policy
■ Grant that includes both an object and permission set
■ Stored in FND_GRANTS
STACKING UP THE BUILDING BLOCKS
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
11
Modeling Security Policies
■ Step 1 – Assign access to user management to appropriate users
■ Step 2 – Identify or create permissions/permission sets that group functions (function security)
■ Step 3 – Identify or create product seeded objects / object instance sets (data security)
■ Step 4 – Identify seeded grants / create grants
■ Step 5 – Assign role
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
12
Grant access to user management to appropriate user(s)
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
13
Managing Users – Step 1
■ By default, only Sysadmin has access to User Management
■ Assign a user management role to the appropriate user
Click
pencil to
editSearch
for user
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
14
Managing Users – Step 1
■ Click the “Assign Roles” button to add a role
Click assign roles and
then click the apply
button
Click assign roles and
then click the apply
button
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
15
Managing Users – Step 1
■ Search for the “Security Administrator” Role, check the box and click select
■ Customer Administrator – manage users with party type = customer
■ Partner Administrator – manage users with party type = partner
Other seeded security roles
include Customer
Administrator and Partner
Administrator
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
16
Managing Users – Step 1
■ Enter a justification and click “Apply”
User Management
responsibility is inherited
by assigning this role
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
17
Managing Users – Step 1
■ System Administrator User Define
■ User Management is shown as an indirect responsibility
STEP 2IDENTIFY SEEDED
PERMISSIONSCREATE PERMISSIONS
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
19
Permissions
■ To demonstrate function security, Approvals Management will be used as the example
■ A user will be given access to perform all functions in approvals management
■ To gain familiarity with permissions available
■ Go to Functional Administrator Permissions to search for seeded permissions
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
20
Permissions
■ There are 16 permissions available for AME
■ Click the update button to examine the “AME Action Create” Permission
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
21
Permissions
■ This permission belongs to one permission set with the same name as the permission
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
22
Permission Set
■ In our example, we want the user to have access to ALL functions the transaction type “AP Invoice Approval”
■ Go to the permission set tab to see the permission set for all AME functions which is “AME All Permission Sets”
■ Note that this permission set includes other permission sets Other
Permission
sets
included in
set
STEP 3 SEEDED OBJECTS
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
24
Seeded Objects
■ To demonstrate data security, Approvals Management will be used again as the example
■ A user will be given access to manage the approval process for the payables invoice approval
■ Go to Functional Developer Objects to search for available seeded objects
■ If an object is not available, you can create objects
GoldPartner
25
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
Seeded Objects
Tip: Query by
responsibility to get
familiar with what is
seeded
Click update to
view details but
avoid changing
seeded objects
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
26
Seeded Objects
■ Two columns are included which can be used to limit access
Note the Object
Instance Sets Tab
and Grants Tab
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
27
Seeded Objects
■ Click on the Object Instance Set tab for this object to view the where clause■ The predicate
allows the user to enter the parameters to select the application and transaction type in the grant
STEP 4IDENTIFY SEEDED GRANTS
CREATE GRANTS
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
29
Grants
■ Create the grant to allow sbehn to perform all AME function for the payables invoice approval transaction type
■ Click on grants tab
■ Notice this takes you to the same form as you see in the Functional Administrator responsibility
■ We are going to enter an object to establish a Data Security Policy
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
30
Grants
■ Enter name, description, grantee type, grantee
■ Enter the object name
■ Click Next
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
31
Grants
■ Choose the context to limit rows
■ For this example, choose instance set
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
32
Grants
■ We already determined there was an “AME Transaction Type” Instance Set
■ Chose this value and Click Next
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
33
Grants
■ Now enter the values for the parameters we saw earlier in the object instance set
■ The predicate is displayed for reference
▸ Parameter 1 is the application
▸ Parameter 2 is the AME transaction type
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
34
Grants
■ Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set “AME All Permission Sets”
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
35
Grants
■ The final page is a review page
■ Click finish and the confirmation page will appear
■ Now you have access to data and functions you can perform on that data
■ Click OK
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
36
Role Based Access Control
■ In step 1, we gave someone access to user management
■ In step 2, we identified the “AME All Permission Sets” to provide function security
■ In step 3 we identified the “AME Transaction Types” object to provide data security
■ In step 4 we joined the function and data security together in a grant to allow SBEHN to perform all functions for AME for Payables Invoice Approvals
■ But…the user still doesn’t have access yet to the responsibility used to manage AME
STEP 5ASSIGN RESPONSIBILITIES
TO ROLES
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
38
Assign Roles
■ Assign AME roles to SBEHN the same way we assigned the “Security Administrator” role
■ Query the user and click the pencil
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
39
Assign Roles
■ Click the “Assign Roles” button
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
40
Seeded Roles
■ Choose the “Approvals Management Administrator” role and provide justification
■ Grants multiple roles shown in the hierarchy below and two responsibilities having a code starting with “FND_RESP”
ResponsibilityResponsibility
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
41
Seeded Roles
■ Below is a partial list of products with seeded roles; This changes frequently
■ Approvals Management
■ Diagnostics
■ Learning Management
■ Territory Management
■ User Management
■ Integration Repository
■ iReceivables
■ iSetup
■ Integrated SOA Gateway (New)
■ To see what’s new after patches, look for roles in User Management responsibility or query WF_ALL_ROLES_VL
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
42
R12 Surprises
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
43
Read-Only Diagnostics
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
44
Read-Only Diagnostics in 12.1.3Function Security (outside of UMX)
■ Set profile option “Hide Diagnostics Menu Entry” to “No”
■ Assign one or more of the read only subfunctions to the menu where this functionality is needed
■ Apps password will not be requested in read-only mode
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
45
Read-Only Diagnostics 12.1.3
■ Example - Payables, Vision Operations (USA) responsibility linked to menu AP_NAVIGATE_GUI12
■ Leave prompt and Submenu null
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
46
Integration Repository
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
47
New Surprises: Access to Integration Repository
■ Release 11i
■ http://irep.oracle.com/
▸ As of March, 2014 – the above link is not working
■ Early R12
■ Assign Responsibility – Integrated SOA Gateway
■ Release 12.1+
■ Assign one of following roles
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
48
Grant Worklist Access
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
49
Grant Worklist Access
■ From Form –Click “WorklistAccess” link
■ To limit security risk – request this functionality from system administrators■ From
Functional Administrator Responsibility▸ Grants Tab
Create Grant
49
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
50
Grant Worklist Access
■ Select specific user
■ Data Security object is “Notifications”
50
GoldPartner
51
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
Grant Worklist Access
User that
Grantee can see
Abstract
Functions
51
Seeded instance
Set
GoldPartner
52
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
Grant Worklist Access
Results
52
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
53
Grant Worklist Access
■ By default, notifications are limited to active workflows or those in Lookup type WF_RR_ITEM_TYPES
■ To limit this access to specific workflow types, enter in parameter2 (hidden parameter)
Note: Predicate
does not list
Parameter2
Parameter2
stores specific
workflows
53
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
54
Cash ManagementSecurity Wizard
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
55
Cash Management – Bank Account Security
■ Grant access to manage banks to the responsibility “Cash Management, Vision Operations (USA)”
■ Go to User ManagementRoles & Role Inheritance
■ In the Type field, select Roles and Responsibilities
■ In the Category field, select “Miscellaneous”
■ In the Application field, select “Cash Management”, then click “Go”
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
56
Cash Management – Bank Account Security
■ Click on the pencil to update for the correct responsibility
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
57
Cash Management – Bank Account Security
■ Click on the security wizard button
■ On the next page, click the icon to run the CE UMX Security Wizard
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
58
Cash Management – Bank Account Security
■ Click the button to add legal entities
■ Select the legal entities this responsibility will manage
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
59
Cash Management – Bank Account Security
■ Check the boxes for the privileges needed for this responsibility and apply your changes
■ Repeat these steps for additional responsibilites
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
60
View Concurrent Requests
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
61
New Surprises: Access to Concurrent Requests
■ Profile Option “Concurrent Report Access Level” is obsolete in 12.1
■ Allowed users to see all concurrent requests in a responsibility
■ Except for View Own and System Administrator View Logs, this functionality is replaced by RBAC permissions
■ See My Oracle Support ID 737547.1
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
62
View Others RequestsObject – Concurrent Requests
■ Start with the Concurrent Requests data object shown below which is seeded
62
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
63
View Others Requests-Permission Set / Permission
■ The Request Operations permission set includes permissions to submit and view requests
63
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
64
View Others Requests-Instance Sets
■ Several object instance sets are seeded or you can create your own
64
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
65
View Others Requests - Seeded Instance Sets
■ Examples of seeded object instance sets
■ View all my requests from any responsibility
▸ More efficient then trying to remember where you ran a request
■ View my requests for the application identified by parameter 2
65
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
66
View Others Requests - Create Instance Sets
■ From Functional Developer Objects
■ Query Object
■ Click link in Name column, then Object Instance Sets tab, then Create Instance Set
66
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
67
View Others Requests-Create Instance Sets
■ Any user of a responsibility can see all requests in that responsibility
■ Exact replacement of obsolete profile option
■ MOS ID 804296.1 “R12: How To Configure Access To Request Output Of The Same Responsibility”
67
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
68
View Others RequestsSite Level – Grant for All Responsibilities
■ Grant New Instance Set to All Users
■ All users can see requests in only in responsibility that ran request
68
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
69
View Others Requests-Operating Unit Level
■ ***Same as previous example but limited by operating unit
■ Grant New Instance Set to Specific Operating Unit or responsibility
■ Repeat for each desired Operating Unit
■ Still can only see requests in responsibility that ran request
69
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
70
View Others Requests - User Level
■ Recommended only for help desk/support users who have limited responsibilities in Production
■ Can see any request regardless of what responsibility currently using
Access to All to
Specific User
Access to All
Requests to
Specific User
70
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
71
Diagnostic Permission sets
■ Permission sets are available now for all Diagnostic menu items starting in R12.1.3.
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
72
Setup – Profile Options
■ R12.1.3+
■ Utilities: Diagnostics
■ Set to Yes (not secure)
■ RBAC – create role with permission set “FND Diagnostics Personalizations Menu” and assign as needed
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
74
Security Hole
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
75
Access to Menus screen can bypass UMX function security – Security hole
■ Access to Menus form allows user to bypass UMX function security
■ Grant flag can be clicked and then responsibility assignment displays menu
■ Menus can be duplicated with grant flag checked
▸ If the user then has access to create data security grants through the Functional Developer responsibility, you end up with a major security gap
75
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
76
Flexfield SecurityRequired in 12.2
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
77
Flexfield Value Set Security – FNDFFMSV –12.2
■ Upon upgrade, users will not have access to any records in this form
■ Many ways to get to this form…our example
■ GLSetupFinancialsFlexfieldsValidationValues
77
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
78
Function and Data Security
■ Must set up function security to define what the user can do in the form
■ Grant by flexfield, report or value set
■ Grant to application, user, group
■ Must set up data security to define which values can be queried
■ Affects Independent and Dependent value sets.
■ Affects what privileges users have in the Segment Values form.
■ Note: Even if you create a new value set, you still won’t be able to assign values to that set until security is set up
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
79
Patch for 12.2.2
■ Apply this patch for 12.2.2 (not needed for 12.2.3)
■ Oracle Support Document 1589204.1 (Release 12.2.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1589204.1
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
80
Grant access to the data
■ Functional AdminstratorGrants
■ This example – General Ledger, Vision Operations (USA) responsibility needs to see GL value sets for Vision Operations Accounting Flexfield
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
81
Data Security - Instance Set
■ Flexfield Value Set Security Object
■ Key Flexfield Structure by app id, key flexfield code and structure number
GoldPartner
82
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
Other Instance Sets
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
83
Permission set for allowable actions
■ For this example, I chose to allow insert or update
■ Seeded permission sets for flexfield security
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
84
Results
■ Now I have access to all the value sets for the accounting flexfield
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
85
Time Check for Next 3 topics
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
86
Where is UMX Applicable?
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
87
Where is UMX applicable?
■ “Not all products have adopted data security in their UIs. If a customer is considering data security in a particular module, it is advisable to first check with the product development if that module has the infrastructure for data security in place otherwise, their data security policies will not be honored by the product UIs. Data Security policies can only be defined for applications that have been written to utilize the Data Security”■ MOS ID 553290.1 “Introduction to the Grants Security
System and Data Security”
■ Self research – what objects and/or permissions has Oracle defined
87
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
88
Where is UMX applicable?
■ MOS ID 1162403.1 “How Find Out Which Oracle Application Products Have Adopted Data Security Policies”■ Use following select statement to find objects / created
by
88
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
89
Where is UMX applicable?
■ Use the following query to find seeded instance sets
89
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
90
Where is UMX applicable?
■ Permissions are indicative that UMX will work and usually provide hint to the Object
■ Use the following query to find permissions
90
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
GoldPartner
91
Security Reports
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
92
Security Reports
■ From User Management, Security Reports
■ Choose Report Type - Remaining screen repaints based on Type
▸ Example Select Output
format
Choose Offline to
get underlying SQL
MUST specify
Role/Resp
92
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
93
Security Reports
■ Report Status
■ Output – click Output icon
93
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
94
Security Reports
■ For Log (and query), click Details, then View Log
■ Partial log shown
94
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
95
Security Reports
■ List of Users w/access to key User Management function
Clicking ‘Show’ displays
how assigned and by whom
95
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
96
Security Reports
■ List of users with access to view all concurrent requests
■ List of users with access to the user management role
96
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
97
R12.2 – Disable subscription to eventoracle.apps.fnd.umx.requestapproved
■ Error that appears is ambiguous
■ Real error:
■ The rule function for the subscription to this event, AMW_VIOLATION_PVT.Do_On_Role_Assigned, is a non-existent package
■ Cause:
■ AMW-Internal Controls Manager has been replaced by GRC-Governance Risk and Compliance in 12.2
■ MOS note 1303189.1
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
98
References
■ Oracle Applications System Administrator's Guide -Security
■ See Oracle User Management Developer Guide
■ My Oracle Support ID: 553547.1 – Data Security Terminology
■ My Oracle Support ID: 553290.1 – Introduction to the Grants Security System and Data Security
■ E-Business Suite User Management SIG
■ http://ebsumx.oaug.org/
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
99
Other Presentations
■ Create a role to administer a specific organization
■ Collaborate 2009: From Responsibilities to Roles: Moving Toward the Role Based Access Control (RBAC) Model
▸ Marquette University
■ Create a junior workflow administrator
■ Collaborate 2009: What’s New in Workflow: 11i RUP5, RUP6 and R12
▸ Karen Brownfield and Susan Behn
GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
100
Collaborate 2014
■ UMX Sig Presentation
■ 15330 - E-Business Suite User Management SIG at Collaborate 14 on April 7th at 3:20 PM PST in Level 3, San Polo – 3401
■ Sara Woodhull - How to secure flexfields and value sets in user management
■ This new feature in R12 was specifically requested by this special interest group
■ We are making an impact and Oracle is listening!
101 GoldPartner
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
About Infosemantics
■ Established in 2001
■ Customer Focused
■ People First
■ Global
■ Shared Expertise
■ For more information, go to our web site at www.Infosemantics.com
■ R12.1.3, R12.2, OBIEE public vision instances
■ Posted presentations on functional and technical topics
GoldPartner
102
Copyright © 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
Questions?Comments
Susan Behn
Susan.Behn@Infosemantics.com
Thank You!!!