Security Administration in Oracle E-Business Suite: Overview of Oracle User Management
Leon Tu, Applications Technology Group, Oracle Corporation
Business Needs for User Management
• Unified approach to create and maintain users
• Improved Security
• Easier User Administration
• Provide Delegation Capabilities
Oracle User Management
Function Security
Data Security
Role Based Access Control
Delegated Administration
Provisioning Services
Self Service Features
Function Security
• Functions represent basic entry points / operations / secured resources that do not have any data context, for example:
  • “Page X”
  • “Region Y”
• Typically done using responsibilities in E-Business Suite
Figure: two responsibilities, Employee HR Self Service and Manager HR Self Service, grouping functions such as Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts and Pay Slip.
Data Security
• What business objects / documents hold sensitive data and need to be secured
  • For example: Expense Reports, Employees
• What secured operations can be performed on each object
  • For example: update, delete, reject, approve, escalate
  • Secured operations are represented as privileges, aka permissions
• Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]:
  • [Managers] can
  • [view, approve, reject, update]
  • [expense reports]
  • [filed by their direct reports]
• Sets of business documents are identified through object instance sets (SQL predicates)
Data Security Grants
• Data security grants are only in effect when working on records which meet the filter criteria.
• Data filter types:
  • Single instance (ad-hoc)
    • Applies to a specific instance of an object
    • "John may manage project 123"
  • Instance set (policy)
    • Applies to rows which match a WHERE clause
    • "Employees may view public projects"
    • “Where project_status_flag = ‘PUB’”
Role Based Access Control
• RBAC standard (ANSI INCITS 359-2004)
• A role consists of
  • Other roles (via inheritance)
  • Responsibilities (via inheritance)
  • Permissions
  • Function Security Policies
  • Data Security Policies
• A user can be assigned several roles
• A role can be assigned to several users
EBS RBAC Model - Users
Figure: a set of Users.
Users can be:
• Humans
  • Internal: Employees
  • External: Customers
• Systems
  • Internal: integrated applications (A2A)
  • External: trading partners (B2B)
EBS RBAC Model - Roles
Figure: Users assigned to Roles.
Roles can be:
• EBS Responsibilities
• HR Positions
• TCA Groups
• LDAP Roles
• UMX Access Roles
• Hierarchical
EBS RBAC Model - Permissions
Figure: Permissions shown alongside the Users and Roles.
Permissions can be:
• Screens/Flows
• APIs/Services
• Data Operations
EBS RBAC Model - Permission Sets
Figure: Permissions grouped into Permission Sets, alongside the Users and Roles.
Permission Sets are defined using the Menu structure
EBS RBAC Model - Grants
Figure: Grants connect Roles (assigned to Users) to Permission Sets of Permissions.
• Gives a role access to a set of permissions
  • With optional context restriction
    • Responsibility
    • Organization
    • Data set
  • Some permissions are "context independent"
• Grants represent security policies
  • "Employees have access to expense reporting"
  • You should not have to worry about navigation menus when defining security policy...
Case Study
• Grant access to a set of Sales Managers
• Need access to:
  • HR Self Service: Manager + Employee access
  • Sales Online: Sales Manager access
  • Expenses: Manager + Employee access
  • iProcurement: Manager + Employee access
Access Control before..
Figure: users directly assigned Responsibilities: Expenses Mgr, Expenses Employee, Employee HR Self Service, Manager HR Self Service, iProcurement Mgr, iProcurement Employee, Sales Online Mgr.
..With RBAC: Basic Approach
Figure (Role Inheritance): the roles Sales Manager, Employee and Sales Rep Manager, linked by role inheritance, carry the Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement and Sales Online responsibilities.
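As an added example (not from the presentation and not Oracle code), the following Python models the entities from the Data Security Grants, Grants and Case Study slides: users, roles with inheritance, and grants of permission sets that carry either a single-instance or an instance-set filter. The role hierarchy, the sample user names and the Python callables standing in for SQL predicates are assumptions.

```python
# Toy model of the slides' UMX entities (constructed example, not Oracle code):
# users -> roles (with inheritance) -> grants -> permission sets -> permissions.
from dataclasses import dataclass
from typing import Callable, Optional
@dataclass(frozen=True)
class Grant:
    grantee: str                       # role name, or a user name for ad-hoc grants
    permissions: frozenset             # permission set (e.g. the functions of a menu)
    obj: Optional[str] = None          # secured business object; None = context independent
    instance_id: Optional[str] = None  # single-instance filter ("project 123")
    predicate: Optional[Callable[[dict, dict], bool]] = None  # instance set (WHERE clause)
# Role hierarchy assumed from the Case Study slide: role -> roles it inherits.
ROLE_PARENTS = {"Sales Manager": {"Employee", "Sales Rep Manager"}}

GRANTS = [
    # Function security: "Employees have access to expense reporting" (no data context)
    Grant("Employee", frozenset({"expenses.create"})),
    # Instance set: "Employees may view public projects" where project_status_flag = 'PUB'
    Grant("Employee", frozenset({"view"}), "project",
          predicate=lambda user, row: row.get("project_status_flag") == "PUB"),
    # Single instance (ad-hoc): "John may manage project 123"
    Grant("JOHN", frozenset({"manage"}), "project", instance_id="123"),
    # [Managers] can [view, approve, reject, update] [expense reports] [filed by their direct reports]
    Grant("Sales Rep Manager", frozenset({"view", "approve", "reject", "update"}),
          "expense_report", predicate=lambda user, row: row.get("filed_by") in user["direct_reports"]),
]

def expand_roles(roles):
    """Flatten role inheritance: a role carries everything the roles it inherits carry."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen

def is_allowed(user, operation, obj=None, row=None):
    """True if some grant to the user or an inherited role covers the operation and its row filter."""
    grantees = {user["name"]} | expand_roles(user["roles"])
    row = row or {}
    for g in GRANTS:
        if (g.grantee in grantees and operation in g.permissions and g.obj == obj
                and (g.instance_id is None or row.get("id") == g.instance_id)
                and (g.predicate is None or g.predicate(user, row))):
            return True  # grants are additive: any one matching grant suffices
    return False
# Constructed sample users (KWALKER is the user name used on the proxy-user slides).
KWALKER = {"name": "KWALKER", "roles": {"Sales Manager"}, "direct_reports": {"JDOE"}}
JOHN = {"name": "JOHN", "roles": {"Employee"}, "direct_reports": set()}
```

Because the Sales Manager role inherits Employee, KWALKER gets the expense-reporting function grant without being assigned it directly, while the manager's approve right applies only to rows filed by a direct report.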
RBAC Benefits
• Reduces / Simplifies Administration
  • Mass updates via single operation
• Coexists with existing Security Setups
• Basic Approach: Try it now!
  • Consolidate your existing Responsibilities into Roles
• Advanced Approach
  • Reduces # Responsibilities and Menus
  • “Principle of Least Privilege”
Demonstration: RBAC
Provisioning Services
• Workflow based Provisioning Engine
  • Handles all Self Service and Administrator initiated requests for new User Accounts and Roles / Responsibilities
  • Reserve, Release, Activate Pending Accounts
  • Temporary Storage of Registration Data
• “Registration Process” - Metadata that define:
  • Approval Policies (in Oracle Approval Management)
  • Eligibility Policies
  • Email Verification (Account Requests only)
  • Notification Workflows
  • Business Logic
  • Registration UIs
Account Provisioning Flow
Figure: flow from Enter Info / Register and Submit Request, through Raise Business Event, Invoke Registration Engine, Reserve User Name, Write Registration Data and Verify Identity via Email (Confirmed!), then Email to Approver(s) (Approved!), to Create Person Party, Activate User Account, Assign Roles and Confirmation Email; an Event Object carries the request between the steps.
Delegated Administration
Figure: a System Administrator above Local Administrators for Americas and Europe.
• System Administrator
  • All Users & Roles
• Local Administrator
  • Subset of Users & Roles
Delegated Administration
• Fine Grained Admin Policies based on Data Security
  • Defines who can:
    • [query, create, update, reset pwd] a given set of users
  • Examples:
    • Internal / External Users
    • Location
    • Organization
    • Or anything else derived using SQL
  • Granted to Admin Roles
• Leverages Provisioning Services (if set up)
• RBAC is not required (except for Admin Roles)
Delegated Admin Benefits
• Decentralized Administration
  • Administrators closer to the users they manage
  • System more likely to be up to date
  • Improved response time
Demonstration: Delegated Admin
Self Service Features
• End Users can request
  • New User Accounts
  • New Roles and Responsibilities
    • From the “Access Requests” page (Preferences menu)
  • Password Reset
    • From AppsLogin page (set “Local Login Mask” profile)
• Leverages Provisioning Services
• Does not require RBAC
Demonstration: Self Service Features
R12 Enhancements for User Management
• Proxy User
• ICM (Separation of Duties – SoD) Integration
• Enhanced Forgot Username/Password
• New Registration Process Type for Administrator Role Assignment
• Security Wizard Infrastructure
• Search Enhancement for Lists of Values (LOV)
Proxy User Description
• Proxy User Framework
  • Provide the delegator the ability to grant/revoke the proxy privilege to individuals
  • Provide a mechanism throughout the application’s framework where the user can access the proxy switcher feature
  • Provide a mechanism throughout the application’s framework which indicates to the user that they are acting as a proxy
  • Provide the ability to track the delegate’s actions within the system, while the delegate is acting on behalf of the delegator (Audit)
Proxy User Process - How to grant proxy privileges
• Grant proxy privileges to a user under Preferences -> Manage Proxies
• Example: SYSADMIN grants proxy privileges to KWALKER
Proxy User Process – How to switch to proxy user - I
• “Switch User” link appears for the delegated user KWALKER
Proxy User Process – How to switch to proxy user - II
• Clicking on “Switch User” allows the user to select which user to act as proxy for
Proxy User Process – Framework chrome for proxy user
• All UI screens show the updated chrome for proxy user
• “Return to Self” link allows switching back to the regular user session
ICM (SoD) Integration Description
• Separation of Duties integration - ICM
  • Oracle User Management (UMX) provides SoD (Segregation of Duties) functionality through integration with Oracle Internal Controls Manager (ICM)
• Preventative enforcement of SoD constraints
  • At assignment time (admin flows)
  • With Notifications (self service flows)
• Function security based constraint override for administrators
ICM (SoD) Integration Benefits
• Improve Regulatory Compliance
  • Allows for preventative enforcement of separation of duties constraints as defined by regulatory requirements (SOX)
Enhanced Forgot Username/Password
• Forgot Username / Password Enhancements
  • Centralized “Forgot Username/Password” capability
  • Improved implementation by coupling of the username and password retrieval (or reset) process
  • “Forgot username” functionality introduced
  • Enhanced “forgot password” functionality – allowing the user to reset the password
• Ability to query on either lost “username” or lost “password”
  • Enter email address if lost username
  • Enter username if lost password
New Registration Process Type for Administrator Role Assignment
• New Registration Process Type
  • New registration process of type “Administrator Assisted Additional Access”
  • Different policies (registration processes) can be used for administrative actions vs. self service requests for
    • Approval Routing
    • UI
    • Notifications
    • Business Logic
New Registration Process Type Benefits
• Reduce complexity
  • Simpler registration processes can be created for self-service and administrator flavors
• Increase flexibility
  • Support alternative approvals for administrator role assignment
Security Wizard Infrastructure
• Security Wizard Infrastructure
  • Infrastructure for product teams to create their own security wizards in the context of a role
  • Product teams create their wizards and seed relevant information
  • These wizards appear in the list of security wizards available to the administrator when creating/updating role information
• New User Interface for Delegated Administration
  • Existing functionality (11.5.10) of delegated administration setup implemented using the wizard infrastructure
  • Wizard guides the user through the options they can set for a delegated administration
Security Wizard Infrastructure Benefits
• Increase Ease of Use
  • Wizard framework for managing security information
• Improved flexibility
  • Wizard to guide the user through delegation setup
Security Wizard Infrastructure Setup – Add function to wizard menu
• Seed the function for their wizard in the wizard menu - UMX_ROLE_WIZARD_LINKS_MENU
Security Wizard Infrastructure Setup – Create grant for their function
• Create grant for the function seeded in previous step for all the administrator roles that the wizard should be available to
Security Wizard Infrastructure Process – How to use the feature
• Security wizard can be launched from create/update role page
Security Wizard Infrastructure Process – How to use the feature
• Wizard launcher page lists available wizards to the logged in user
• Clicking on the icon launches the wizard in context of the role
Security Wizard Infrastructure Process – Delegated Admin Wizard
• UMX delegated admin wizard launched from the wizard launch page
Search Enhancements Description
• List of Values Search Enhancements
  • Search Enhancement for LOVs (Lists of Values)
  • All LOVs in User Management (UMX) searchable by
    • Role
    • Responsibility
    • Both
    • Internal Code
  • A type included in the results – to differentiate roles and responsibilities
Search Enhancements Benefits
• Reduce Ambiguity
  • Returning a type to reduce ambiguity between roles and responsibilities
• Increase Ease of Use
  • Common LOV can be used to search roles, responsibilities or both
Search Enhancements Process - How to use the feature
• Search by name or code for role, responsibility or both
UMX Homepage
• http://www-apps.us.oracle.com:1100/umx/home/overview/
Q&A