User Management 2012

Upload: jaideep-vijayakar

Post on 04-Jun-2018


  • 8/13/2019 User Management 2012

    1/88

    Presented by Susan Behn

    VP, Oracle Practice

    Infosemantics, Inc.

    R12 Function and Data Security - UMX and Role Based Access Control

    2/88

    Agenda

    User Management Layers
    AOL Function and Data Security
    New Read-only Diagnostic Function Security in 12.1.3
    Role Based Access Control Overview
    Building Blocks for User Management
    Modeling Security Policy Examples
    Delegated Administration
    Provisioning
    Self Service & Approvals
    Proxy Users
    References

    3/88

    User Management Layers

    Core security levels 1 and 2 are accomplished through AOL or with grants and permissions.
    Core security level 3 is required for some apps.
    Administrative features (levels 4 to 6) are optional.

    6  Approval processes: user access requests with AME
    5  Registration processes
    4  Administer functions/data for specific groups
    3  Grant access to roles that include function/data security
    2  What data can a user see
    1  What can a user do

    4/88

    AOL Function and Data Security

    Responsibilities are the intersection of the following:
    Menu (authorizes executable functions)
    Data Group (authorizes schemas)
    Request Group (authorizes concurrent programs)

    Diagram callouts: "Not used by OAF"; "Allows for submenus and functions to be included/excluded"

    5/88

    Read-Only Diagnostics in 12.1.3

    Function security through menus is still a significant piece of the puzzle. LOOK WHAT'S NEW!
    Set profile option Hide Diagnostics Menu Entry to No.
    Assign one or more of the read-only subfunctions to the menu where this functionality is needed.
    Apps password will not be requested in read-only mode.

    6/88

    Read-Only Diagnostics 12.1.3

    Example: Payables, Vision Operations (USA) responsibility linked to menu AP_NAVIGATE_GUI12. Leave Prompt and Submenu null.

    7/88

    Role Based Access Control

    RBAC: the RBAC standard supports the mapping of user access control based upon a user's role in the organization rather than their unique identity.
    Roles: a grouping of all the responsibilities, lower-level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task.
    Role Categories: organize roles into groups.

    8/88

    Examples of Roles

    Employee: create Employee role with access to HR self service and iExpenses
    AP Clerk: grant Employee role; grant AP Clerk role with access to AP clerk functions
    Sales Rep: grant Employee role; grant Sales role with access to sales functions
    AP Supervisor: grant Employee role; grant AP Clerk role; grant AP Manager role with access to AP Manager functions

    9/88

    Components by Responsibility

    System Administrator responsibility: manage responsibilities and related objects
    User Management layers 3 and up:
    Functional Administrator responsibility: function security layer
    Functional Developer responsibility: data security layer

    10/88

    User Management Building Blocks

    Objects: define data to be secured (a table or view). Stored in FND_OBJECTS, FND_OBJECTS_TL.
    Object Instance Sets: a group of related objects defined by using a WHERE clause. Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL.
    Managed in the Functional Developer responsibility.

    11/88

    User Management Building Blocks

    Permissions: 2 types, function and data.
    Function Security Permissions control access to abstract functions. Examples:
    Executable function: access to the User Management > Roles & Role Inheritance form
    Abstract functions defined as role permissions: Create Role, Assign Role, Manage Role, Revoke Role
    Data Security Permissions control access to objects; data limited by WHERE clause.
    Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL.

    12/88

    User Management Building Blocks

    Permission Sets: grouping of permissions. Example: All User Administration Privileges.
    A permission set can contain other sets.
    Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL.

    13/88

    User Management Building Blocks

    Grants: provide permissions for actions on a specified object. Attach function permissions and data permissions (data security policies) to a grantee.
    Grantee: who gets the grant: a role or group, a specific user, or all users.
    Data Security Policy: a grant that includes both an object and a permission set.
    Stored in FND_GRANTS.

    14/88

    STACKING UP THE BUILDING BLOCKS

    15/88

    Modeling Security Policies

    Step 1: Grant access to user management to appropriate users
    Step 2: Identify or create permissions that group functions (function security)
    Step 3: Identify product seeded objects / object instance sets (data security)
    Step 4: Identify seeded grants / create grants
    Step 5: Create roles / identify seeded roles

    16/88

    GRANT ACCESS TO USER MANAGEMENT TO APPROPRIATE USER(S)

    17/88

    Managing Users Step 1

    By default, only Sysadmin has access to User Management.
    Grant a user management role to the appropriate user.
    Screenshot callouts: search for user; click pencil to edit.

    18/88

    Managing Users Step 1

    Click the Assign Roles button to add a role.
    Screenshot callout: click Assign Roles and then click the Apply button.

    19/88

    Managing Users Step 1

    Search for the Security Administrator role, check the box and click Select.
    Other seeded security roles include Customer Administrator and Partner Administrator:
    Customer Administrator: manage users with party type = customer
    Partner Administrator: manage users with party type = partner

    20/88

    Managing Users Step 1

    Enter a justification and click Apply.
    The User Management responsibility is inherited by assigning this role.

    21/88

    Managing Users Step 1

    System Administrator > User > Define: User Management is shown as an indirect responsibility.

    22/88

    STEP 2

    IDENTIFY SEEDED PERMISSIONS / CREATE PERMISSIONS

    23/88

    Permissions

    To demonstrate function security, Approvals Management will be used as the example.
    A user will be given access to perform all functions in Approvals Management.
    Go to Functional Administrator > Permissions to search for seeded permissions.

    24/88

    Permissions

    There are 16 permissions available for AME.
    Click the Update button to examine the AME Action Create permission.

    25/88

    Permissions

    This permission belongs to one permission set with the same name as the permission.

    26/88

    Permission Set

    Permissions are part of the story. Examine the permission set by selecting the permission set in the Permission Set tab and clicking the Update button.

    27/88

    Permission Set

    Notice the AME Action Create includes more than one permission.
    Grants are to permission sets, not to permissions.
    Become familiar with the security hierarchy. Working with seeded permissions, permission sets and other seeded user management components is a good way to learn user management concepts.

    28/88

    Permission Set

    In our example, we want the user to have access to ALL functions for a specific approval transaction type, which is called AP Invoice Approval.
    The permission set for all AME functions is AME All Permission Sets.
    Screenshot callout: other permission sets included in the set.

    29/88

    STEP 3

    SEEDED OBJECTS

    30/88

    Seeded Objects

    To demonstrate data security, Approvals Management will be used again as the example.
    A user will be given access to manage the approval process for the payables invoice approval.
    Go to Functional Developer > Objects to search for available seeded objects.
    If an object is not available, you can create objects.

    31/88

    Seeded Objects

    Tip: query by responsibility to get familiar with what is seeded.
    Click Update to view details, but avoid changing seeded objects.

    32/88

    Seeded Objects

    Two columns are included which can be used to limit access.
    Note the Object Instance Sets tab and the Grants tab.

    33/88

    Seeded Objects

    Click on the Object Instance Set tab for this object to view the WHERE clause.
    The predicate allows the user to enter the parameters to select the application and transaction type in the grant.

    34/88

    STEP 4

    IDENTIFY SEEDED GRANTS / CREATE GRANTS

    35/88

    Grants

    Create the grant to allow sbehn to perform all AME functions for the payables invoice approval transaction type.
    Click on the Grant tab. Notice this takes you to the same form as you see in the Functional Administrator responsibility.
    We are going to enter an object in this case to establish a Data Security Policy.

    36/88

    Grants

    Enter name, description, grantee type, grantee.
    Enter the object name. Click Next.

    37/88

    Grants

    Choose the context to limit rows. For this example, choose Instance Set.

    38/88

    Grants

    We already determined there was an AME Transaction Type instance set.
    Choose this value and click Next.

    39/88

    Grants

    Now enter the values for the parameters we saw earlier in the object instance set.
    The predicate is displayed for reference.
    Parameter 1 is the application.
    Parameter 2 is the AME transaction type.

    40/88

    Grants

    Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set AME All Permission Sets.

    41/88

    Grants

    The final page is a review page. Click Finish and the confirmation page will appear.
    Now you have access to data and functions you can perform on that data.
    Click OK.

    42/88

    Role Based Access Control

    In step 1, we gave someone access to user management.
    In step 2, we identified the AME All Permission Sets to provide function security.
    In step 3, we identified the AME Transaction Types object to provide data security.
    In step 4, we joined the function and data security together in a grant to allow SBEHN to perform all functions for AME for Payables Invoice Approvals.
    But the user still doesn't have access yet to the responsibility used to manage AME.
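The mechanics of steps 2 through 4, together with the role inheritance shown on slide 8, as an added example that is not part of the original presentation or of Oracle's code: a small Python model in which grants point at permission sets (which may nest), the object instance set is a WHERE predicate fed by the grant's parameters, and a grantee can be a user, a role (with inheritance) or all users. All object, permission, role and parameter names below are constructed placeholders, not seeded Oracle values.

```python
# Toy evaluator of this deck's building blocks: nested permission sets, an
# instance set whose WHERE predicate uses parameters stored on the grant, grants
# to a user / role / all users, and role inheritance. Added example, not Oracle code.
from dataclasses import dataclass, field

@dataclass
class PermissionSet:
    name: str
    permissions: set = field(default_factory=set)  # leaf function permissions
    subsets: list = field(default_factory=list)    # a set can contain other sets

    def all_permissions(self):  # flatten this set and every nested set
        out = set(self.permissions)
        for sub in self.subsets:
            out |= sub.all_permissions()
        return out

@dataclass
class Grant:
    grantee_type: str      # 'USER', 'ROLE' or 'ALL'
    grantee_key: str       # user name, role name, or '' for ALL
    object_name: str       # the secured object
    instance_set: object   # callable(row, params) -> bool, the WHERE clause
    params: tuple          # parameter values entered on the grant
    permission_set: PermissionSet

# Role inheritance as on slide 8: a role lists the roles granted with it.
ROLE_INHERITS = {
    "AP Clerk": ["Employee"],
    "AP Supervisor": ["Employee", "AP Clerk", "AP Manager"],
}

def expand_roles(direct_roles):
    """All roles a user holds, following inheritance transitively."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INHERITS.get(role, []))
    return seen

def can_perform(user, direct_roles, function, object_name, row, grants):
    """A grant applies when it reaches the user (directly, via an inherited role
    or ALL), names the object, admits the row, and its flattened set has the function."""
    roles = expand_roles(direct_roles)
    for g in grants:
        reaches = (g.grantee_type == "ALL"
                   or (g.grantee_type == "USER" and g.grantee_key == user)
                   or (g.grantee_type == "ROLE" and g.grantee_key in roles))
        if (reaches and g.object_name == object_name
                and g.instance_set(row, g.params)
                and function in g.permission_set.all_permissions()):
            return True
    return False

# Steps 2-4 of the deck: grant to "AME All Permission Sets" (which contains
# the "AME Action Create" set) on the AME transaction types instance set.
AME_ACTION_CREATE = PermissionSet("AME Action Create", {"AME_ACTION_CREATE"})
AME_ALL = PermissionSet("AME All Permission Sets", {"AME_RULE_UPDATE"}, [AME_ACTION_CREATE])

def ame_txn_type_set(row, params):
    """Parameter 1 is the application, parameter 2 the AME transaction type."""
    return row["application"] == params[0] and row["transaction_type"] == params[1]

GRANTS = [
    Grant("USER", "SBEHN", "AME_TRANSACTION_TYPES", ame_txn_type_set, ("Payables", "AP Invoice Approval"), AME_ALL),
    Grant("ROLE", "AP Clerk", "AME_TRANSACTION_TYPES", ame_txn_type_set, ("Payables", "AP Invoice Approval"), AME_ACTION_CREATE),
]
```

A row for a different application or transaction type is refused even for SBEHN, which is the point of the instance-set predicate: the permission set says what can be done, the predicate says to which rows.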

    43/88

    STEP 5

    CREATE ROLE CATEGORIES / CREATE ROLES / ASSIGN RESPONSIBILITIES TO ROLES

    44/88

    Assign Roles

    Assign AME roles to SBEHN the same way we assigned the Security Administrator role.
    Query the user and click the pencil.

    45/88

    Assign Roles

    Click the Assign Roles button.

    46/88

    47/88

    FULL UTILIZATION OF RBAC

    ROLE CATEGORIES / CREATING ROLES FOR RESPONSIBILITIES

    48/88

    Role Categories

    User Management > Role Categories
    Click the Update button.

    49/88

    Role Categories

    Click Add Another Row.

    50/88

    Role Categories

    Add a category to help organize your roles.
    Click Apply.

    51/88

    Create Role

    User Management > Role & Role Categories
    Click Create Role.

    52/88

    Create Role

    Select category, provide role code, display name, description and application, and click Apply.

    53/88

    Create Role

    To add a responsibility: re-query the role, view it in the hierarchy, then add a node.
    Click View in Hierarchy.
    Click Add Node.

    54/88

    Create Role

    Query the responsibility required, then click the Quick Select icon.

    55/88

    Create Role

    Payables Manager role now includes the Payables Manager responsibility.
    Add other responsibilities as needed.
    Screenshot callouts: Responsibility; Role.

    56/88

    Seeded Roles

    Oracle has provided seeded roles for: Approvals Management, Diagnostics, Learning Management, Territory Management, User Management, Integration Repository, iReceivables, iSetup.
    To see what's new after patches, look for roles in the User Management responsibility or query WF_ALL_ROLES_VL.

    57/88

    New Surprises: Access to iRep

    Release 11i: go to My Oracle Support
    Early R12: assign responsibility Integrated SOA Gateway
    Release 12.1+: assign one of the following roles

    58/88

    Roles vs Responsibilities

    59/88

    Roles vs. Responsibilities

    User Management > Roles & Role Inheritance
    Responsibilities start with FND_RESP; no inherited privileges.
    Roles start with UMX; logically group roles, responsibilities, permissions and data security policies; must include at least one responsibility.

    60/88

    DELEGATED ADMINISTRATION

    61/88

    Delegated Administration

    Create local administrators to manage a subset of users and/or roles.
    What is required?
    A role that grants User Management > Users to the user who will be the delegated administrator
    Grant of a subset of UMX_PERSON_OBJECT defining which users can be administered
    Grant of a permission set with appropriate privileges: Query Person Details, Edit Person Details, Manage User Accounts, Reset Passwords

    62/88

    Delegated Administration

    Presentations with good examples:
    Create a role to administer a specific organization: Collaborate 2009, "From Responsibilities to Roles: Moving Toward the Role Based Access Control (RBAC) Model", Marquette University
    Create a junior workflow administrator: Collaborate 2009, "What's New in Workflow: 11i RUP5, RUP6 and R12", Karen Brownfield and Susan Behn

    63/88

    PROVISIONING

    64/88

    Provisioning (Registration)

    Three types supported:
    Self-service account requests, typically invoked from a web page: Collections Self Registration, iReceivables Self Registration
    Requests for additional access: Employee Registration
    Account Creation by Administrators: Account Creation for Existing Person

    65/88

    Provisioning (Registration)

    Other products also utilize the user management registration engine for the registration process, but they access the registration process through their own UI, for example iSupplier.
    Consult the implementation guide for those products to utilize those registration processes.
    iSupplier users are not created in user management.

    66/88

    Provisioning (Registration)

    Update an existing process, or duplicate one to create new processes.

    67/88

    Provisioning (Registration)

    See the Oracle User Management Developer Guide.
    Example: Self Service Account Creation

    68/88

    Provisioning (Registration)

    Example: Self Service Account Creation
    Create pages to ask all the required questions.
    Business event which raises a workflow for approval and identity verification notification.
    Event to invoke custom business logic.
    AME transaction type to manage approvals.

    69/88

    Registration Process Flow

    70/88

    SELF SERVICE AND APPROVALS

    71/88

    Self Service and Approvals

    Once registration processes are configured, users perform self service tasks to request access.
    Login and click the Preferences button in the top right corner.
    Click the Access Requests button on the left side of the screen.
    Current roles will be displayed. Click the Request Access button.

    72/88

    Self Service and Approvals

    Select the role to add and click Next.
    Enter a justification and click Next.

    73/88

    Self Service and Approvals

    Review and click Submit.
    Note the warning: for iReceivables, additional information is required. Click on the link to enter the additional information.

    74/88

    Self Service and Approvals

    Once all the requested information is entered, the business event will raise the workflow to complete the registration process.

    75/88

    Proxies

    76/88

    Proxies

    Proxy authority can be granted to another user for a specific time period, to cover vacation/leave of absence.
    Delegator grants/revokes proxy privilege to user.
    User utilizes proxy switcher feature to change roles.
    All forms will show proxy mode status.
    Audit control: actions are tracked to show delegate is acting on behalf of delegator.

    77/88

    Proxies

    In order to delegate or receive authority, users must have the Manage Proxies role.
    Query the user, click the pencil to update, click the Assign Roles button and add the Manage Proxies role. Enter a justification and save.

    78/88

    Proxies

    Click the Preferences button. There is now a new Manage Proxies function.
    The Add People button will allow the user to designate a proxy user.

    79/88

    Proxies

    Add a user and apply. Now the operations user can act on my behalf.
    Set an End Date at this time if this is to cover a fixed vacation period or other leave of absence.

    80/88

    Proxies

    When the operations user is logged in, a Switch User option will be available.
    Notice that the user is currently logged in as OPERATIONS.
    Click the Switch icon to switch users.

    81/88

    Proxies

    Now there is a Return to Self button. The user is logged in as Operations operating as proxy for SBEHN.

    82/88

    Proxies

    Run the Page Access Tracking Data Migration concurrent program to populate the Proxy Report. There are no parameters.
    Then go back to Manage Proxies and click the Run Proxy Report button.

    83/88

    Proxies

    The report shows all navigation completed by the proxy user.

    84/88

    Security Reports

    Reports are available for lists of users, roles/responsibilities, functions and data security objects.
    Reports can be generated in HTML, Excel or PDF.

    85/88

    Summary

    RBAC allows organizations to create roles based on job functions: less maintenance after initial setup; better security.
    Delegated administration allows organizations to decentralize the management of users. Will this help your organization distribute the load of user access assignments more efficiently or provide better security across global organizations?
    Registration processes enable organizations to automate the process to provide user access. Think about how much time system administrators or DBAs would save over a period of one year by automating this process.
    Self Service requests and approvals allow users to request access: less paper, more efficiency.

    86/88

    References

    Oracle EBS User Management SIG: http://ebsumx.oaug.org/
    Oracle Applications System Administrator's Guide - Security
    Oracle User Management Developer Guide
    My Oracle Support ID 553547.1: Data Security Terminology
    My Oracle Support ID 553290.1: Introduction to the Grants Security System and Data Security

    87/88

    Books Co-Authored by Susan Behn

    The Release 12 Primer: Shining a Light on the Release 12 World
    The ABCs of Workflow for Oracle E-Business Suite Release 11i and Release 12
