Security Administration in Oracle E-Business Suite: Overview of Oracle User Management
Leon Tu, Applications Technology Group, Oracle Corporation
Business Needs for User Management
Unified approach to create and maintain users
Improved Security
Easier User Administration
Provide Delegation Capabilities
Speaker notes: The Oracle E-Business Suite consists of several self-service applications. These applications generally require users to authenticate themselves before they can perform certain tasks, such as purchasing items from an online store or creating a service request. To use these applications, specific user information may be required. For example, the online store requires the user's credit card information for purchasing items, while information about the user's orders may be required to complete a service request. Obviously, creating application-specific users is not a viable solution. Our goal in User Management is to provide a unified approach to creating users that reduces redundancy, simplifies maintenance and results in an improved user experience. The E-Business Suite also needs to address important security considerations: What applications can a user access? What functions can the user perform? What role does a user play in the system, and what data can the user access? These and other security issues must be addressed in a manner that is easy to set up, maintain and use. The overall maintenance and administration of users must be easy and should involve few, if any, manual processes. In addition, administrators must be able to delegate their responsibilities to local administrators who have limited administrative privileges over a subset of their organization's users. Oracle User Management attempts to address all these important business needs.
Oracle User Management (agenda)
Self Service Features
Delegated Administration
Provisioning Services
Role Based Access Control
Data Security
Function Security
Function Security
Function Security
Functions represent basic entry points / operations / secured resources that do not have any data context, for example: "Page X", "Region Y"
Typically done using responsibilities in E-Business Suite
Diagram: responsibilities Employee HR Self Service and Manager HR Self Service, containing functions such as Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts and Pay Slip
Data Security
Data Security
What business objects / documents hold sensitive data and need to be secured? For example: Expense Reports, Employees
What secured operations can be performed on each object? For example: update, delete, reject, approve, escalate
Secured operations are represented as privileges, aka permissions
Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]
Example: [Managers] can [view, approve, reject, update] [expense reports] [filed by their direct reports]
Sets of business documents are identified through object instance sets (SQL predicates)
Data Security Grants
Data security grants are only in effect when working on records which meet the filter criteria.
Data filter types:
Single instance (ad-hoc): applies to a specific instance of an object, e.g. "John may manage project 123"
Instance set (policy): applies to rows which match a WHERE clause, e.g. "Employees may view public projects" where project_status_flag = 'PUB'
Data Security Service
Data security grants hold access policies
Application maintains a context:
User context: user identity and derived attributes
Data context: data record that is "in focus"
Data security service answers questions:
Which records can I perform a given function on?
Which functions can I perform on a given record?
Application restricts access accordingly
Limited uptake right now (manual coding)
Will be built into the framework (automatic) later
Role Based Access Control
Role Based Access Control
RBAC standard (ANSI INCITS 359-2004)
A role consists of:
Other roles (via inheritance)
Responsibilities (via inheritance)
Permissions
Function Security Policies
Data Security Policies
A user can be assigned several roles
A role can be assigned to several users
Speaker notes: User Management introduces role based access control. A key feature of this model is that all access is through roles. A role can be configured to consolidate the responsibilities, permissions and data security rules that are required for users to perform a specific function. Access privileges are inherited based on the roles assigned to the user. A user can be assigned several roles; for example, a user can play the role of an employee and of a sales rep at the same time. Also, several users can play the same role at any given time: all the employees in an organization play the employee role.
EBS RBAC Model - Users
Users can be:
Humans: Internal (Employees), External (Customers)
Systems: Internal (integrated applications, A2A), External (trading partners, B2B)
EBS RBAC Model - Roles
Roles can be:
EBS Responsibilities
HR Positions
TCA Groups
LDAP Roles
UMX Access Roles
Roles are hierarchical
Diagram: users are assigned roles, and roles can contain other roles
EBS RBAC Model - Permissions
Permissions can be:
Screens/Flows
APIs/Services
Data Operations
Diagram: a user holds permissions directly or through a role (and through roles nested in roles)
EBS RBAC Model - Permission Sets
Permission Sets are defined using the Menu structure
Diagram: user, role, permission set, permissions
EBS RBAC Model - Grants
Grants represent security policies
Gives a role access to a set of permissions
With optional context restriction: Responsibility, Organization, Data set
Some permissions are "context independent"
Example policy: "Employees have access to expense reporting"
You should not have to worry about navigation menus when defining a security policy...
Diagram: user, role, grant, permission set, permissions
Case Study
Grant access to a set of Sales Managers
Need access to:
HR Self Service: Manager + Employee access
Sales Online: Sales Manager access
Expenses
iProcurement
Speaker notes: The next few slides will take you through a simple setup process for some roles and responsibilities. We will see how an employee, sales rep, sales manager and support manager can be set up before 11.5.10, and how the setup differs in the 11.5.10 release.
Access Control before...
Users directly assigned Responsibilities
Diagram: users such as Employee and Manager hold responsibilities (Sales Online, Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement) directly, one responsibility assignment at a time
...With RBAC: Basic Approach
Diagram: roles Employee, Sales Rep, Manager and Sales Manager, related by role inheritance; the responsibilities (Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement, Sales Online) are attached to the roles, and users are assigned roles
RBAC Benefits
Reduces / Simplifies Administration
Mass updates via single operation
Coexists with existing Security Setups
Basic Approach: Try it now! Consolidate your existing Responsibilities into Roles
Advanced Approach: Reduces # Responsibilities and Menus, "Principle of Least Privilege"
Demonstration: RBAC
Provisioning Services
Provisioning Services
Workflow based Provisioning Engine
Handles all Self Service and Administrator initiated requests for new User Accounts and Roles / Responsibilities
Reserve, Release, Activate Pending Accounts
Temporary Storage of Registration Data
"Registration Process" - metadata that define:
Approval Policies (in Oracle Approval Management)
Eligibility Policies
Email Verification (Account Requests only)
Notification Workflows
Business Logic
Registration UIs
Account Provisioning Flow (diagram)
Delegated Administration
Delegated Administration
Diagram: the System Administrator manages all users & roles; Local Administrators (for example Americas and Europe) each manage a subset of users & roles
Delegated Administration
Fine Grained Admin Policies based on Data Security
Defines who can: [query, create, update, reset pwd] a given set of users
Examples: Internal / External Users; Location; Organization; or anything else derived using SQL
Granted to Admin Roles
Leverages Provisioning Services (if set up)
RBAC is not required (except for Admin Roles)
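As an added example (not Oracle's code), the toy model below ties together the RBAC case study (roles inheriting roles, grants carrying an instance-set filter) and the delegated administration policies on this slide; the role names, the inheritance between them, the predicates and the sample users are all constructed for the example.

```python
# Added example (not Oracle's code): a toy model of the slides' RBAC and data
# security ideas. Roles inherit roles; a grant gives a role a permission on an
# object, optionally restricted to an instance set (a predicate standing in for
# the SQL WHERE clause); the data security service answers the two questions.

# Role hierarchy from the "With RBAC: Basic Approach" slide plus one delegated
# administration role (names and inheritance constructed for this example).
ROLE_PARENTS: dict[str, set[str]] = {
    "Sales Manager": {"Sales Rep", "Manager"},
    "Sales Rep": {"Employee"},
    "Manager": {"Employee"},
    "Employee": set(),
    "Local Administrator Americas": set(),
}

# (role, permission, object, instance-set predicate); None means context independent.
GRANTS = [
    ("Employee", "file", "EXPENSE_REPORT", None),
    ("Employee", "view", "EXPENSE_REPORT", lambda u, r: r["filed_by"] == u["name"]),
    ("Manager", "view", "EXPENSE_REPORT", lambda u, r: r["manager"] == u["name"]),
    ("Manager", "approve", "EXPENSE_REPORT", lambda u, r: r["manager"] == u["name"]),
    ("Employee", "view", "PROJECT", lambda u, r: r["project_status_flag"] == "PUB"),
    # Delegated administration policy: reset passwords only for users located in the Americas.
    ("Local Administrator Americas", "reset_pwd", "USER", lambda u, r: r["location"] == "Americas"),
]

def effective_roles(user: dict) -> set[str]:
    """Transitive closure of the user's assigned roles (role inheritance)."""
    seen: set[str] = set()
    stack = list(user["roles"])
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, set()))
    return seen

def functions_on_record(user: dict, obj: str, record: dict) -> list[str]:
    """Which functions can this user perform on the record in focus?"""
    roles = effective_roles(user)
    return sorted({perm for role, perm, o, pred in GRANTS
                   if o == obj and role in roles and (pred is None or pred(user, record))})

def records_for_function(user: dict, obj: str, perm: str, records: list) -> list:
    """Which records can this user perform the given function on?"""
    return [r for r in records if perm in functions_on_record(user, obj, r)]

# Constructed sample users and expense reports.
KWALKER = {"name": "KWALKER", "roles": {"Sales Manager"}, "location": "Americas"}
JDOE = {"name": "JDOE", "roles": {"Employee"}, "location": "Europe"}
LADMIN = {"name": "LADMIN", "roles": {"Local Administrator Americas"}, "location": "Americas"}
USERS = [KWALKER, JDOE, LADMIN]
REPORTS = [{"id": 1, "filed_by": "JDOE", "manager": "KWALKER"},
           {"id": 2, "filed_by": "AMILLER", "manager": "BSMITH"}]
```

Because the Sales Manager role inherits Manager and Employee, KWALKER can file, view and approve the report filed by a direct report but only file on the other one, and the local administrator's reset_pwd grant reaches only the Americas users.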
Delegated Admin Benefits
Decentralized Administration
Administrators closer to the users they manage
System more likely to be up to date
Improved response time
Demonstration: Delegated Admin
Self Service Features
Self Service Features
End Users can request:
New User Accounts
New Roles and Responsibilities (from the "Access Requests" page, Preferences menu)
Password Reset (from the AppsLogin page; set the "Local Login Mask" profile)
Leverages Provisioning Services
Does not require RBAC
Demonstration: Self Service Features
R12 Enhancements for User Management
Proxy User
ICM (Separation of Duties - SoD) Integration
Enhanced Forgot Username/Password
New Registration Process Type for Administrator Role Assignment
Security Wizard Infrastructure
Search Enhancement for List of Values (LOV)
Speaker notes: List of new/updated R12 features.
Proxy User Description
Proxy User Framework:
Provide the delegator the ability to grant/revoke the proxy privilege to individuals
Provide a mechanism throughout the application's framework where the user can access the proxy switcher feature
Provide a mechanism throughout the application's framework which indicates to the user that they are acting as a proxy
Provide the ability to track the delegate's actions within the system while the delegate is acting on behalf of the delegator (audit)
Proxy User Process - How to grant proxy privileges
Grant proxy privileges to a user under Preferences -> Manage Proxies
Example: SYSADMIN grants proxy privileges to KWALKER
Proxy User Process - How to switch to proxy user - I
"Switch User" link appears for the delegated user KWALKER

Proxy User Process - How to switch to proxy user - II
Clicking on "Switch User" allows the user to select which user to act as proxy for

Proxy User Process - Framework chrome for proxy user
All UI screens show the updated chrome for the proxy user
"Return to Self" link allows the user to switch back to the regular user session
ICM (SoD) Integration Description
Separation of Duties integration - ICM
Oracle User Management (UMX) provides SoD (Segregation of Duties) functionality through integration with Oracle Internal Controls Manager (ICM)
Preventative enforcement of SoD constraints:
At assignment time (admin flows)
With notifications (self service flows)
Function security based constraint override for administrators

ICM (SoD) Integration Benefits
Improve Regulatory Compliance
Allows for preventative enforcement of separation of duties constraints as defined by regulatory requirements (SOX)
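The assignment-time check and the administrator override described above, as an added toy example that is not Oracle's or ICM's code; the roles, functions, constraint pairs and the name of the override function are constructed for the example.

```python
# Added example (not Oracle's or ICM's code): a toy preventative SoD check run at
# role-assignment time. A constraint names two functions one person must not hold
# together; the check looks at the functions the user would hold after the
# assignment, role inheritance included. An administrator who holds the override
# function may proceed, but the conflicts are still returned so they can be recorded.

# Constructed role hierarchy and role-to-function mapping.
ROLE_INHERITS = {"Payables Manager": {"Payables Clerk"}, "Payables Clerk": set(),
                 "Supplier Admin": set()}
ROLE_FUNCTIONS = {"Payables Clerk": {"Enter Invoice"},
                  "Payables Manager": {"Approve Invoice"},
                  "Supplier Admin": {"Create Supplier"}}
# Constructed SoD constraints: (conflicting function pair, reason).
SOD_CONSTRAINTS = [
    (("Enter Invoice", "Approve Invoice"), "same person enters and approves invoices"),
    (("Create Supplier", "Approve Invoice"), "same person creates suppliers and approves their invoices"),
]
OVERRIDE_FUNCTION = "SoD Constraint Override"  # constructed name for the admin override function

def functions_of(roles):
    """Functions reachable from a set of roles, following role inheritance."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) | functions_of(ROLE_INHERITS.get(r, set()))
                         for r in roles))

def check_assignment(current_roles, new_role, actor_functions=frozenset()):
    """Evaluate assigning new_role to a user who already holds current_roles.

    Returns (allowed, violations). Only constraints that the new role would
    complete are reported; the assignment is blocked unless the acting
    administrator holds the override function.
    """
    before = functions_of(set(current_roles))
    after = functions_of(set(current_roles) | {new_role})
    violations = [(pair, why) for pair, why in SOD_CONSTRAINTS
                  if set(pair) <= after and not set(pair) <= before]
    if not violations:
        return True, []
    return OVERRIDE_FUNCTION in actor_functions, violations
```

Note that assigning Payables Manager alone already trips the first constraint, because the role inherits Payables Clerk; a check that ignored inheritance would miss it.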
Enhanced Forgot Username/Password
Centralized "Forgot Username/Password" capability
Improved implementation by coupling the username and password retrieval (or reset) processes
"Forgot username" functionality introduced
Enhanced "forgot password" functionality, allowing the user to reset the password
Ability to query on either a lost username or a lost password:
Enter email address if the username is lost
Enter username if the password is lost
New Registration Process Type for Administrator Role Assignment
New registration process of type "Administrator Assisted Additional Access"
Different policies (registration processes) can be used for administrative actions vs. self service requests, for:
Approval Routing
UI
Notifications
Business Logic

New Registration Process Type Benefits
Reduce complexity: simpler registration processes can be created for self-service and administrator flavors
Increase flexibility: support alternative approvals for administrator role assignment
Security Wizard Infrastructure
Infrastructure for product teams to create their own security wizards in the context of a role
Product teams create their wizards and seed the relevant information
These wizards appear in the list of security wizards available to the administrator when creating/updating role information
New User Interface for Delegated Administration
Existing functionality (11.5.10) of delegated administration setup implemented using the wizard infrastructure
Wizard guides the user through the options they can set for a delegated administration

Security Wizard Infrastructure Benefits
Increase Ease of Use: wizard framework for managing security information
Improved flexibility: wizard to guide the user through delegation setup
Security Wizard Infrastructure Setup - Add function to wizard menu
Seed the function for the wizard in the wizard menu UMX_ROLE_WIZARD_LINKS_MENU

Security Wizard Infrastructure Setup - Create grant for the function
Create a grant for the function seeded in the previous step for all the administrator roles that the wizard should be available to

Security Wizard Infrastructure Process - How to use the feature
The security wizard can be launched from the create/update role page
The wizard launcher page lists the wizards available to the logged in user
Clicking on the icon launches the wizard in the context of the role

Security Wizard Infrastructure Process - Delegated Admin Wizard
UMX delegated admin wizard launched from the wizard launch page
Search Enhancements Description
Search Enhancement for LOVs (List of Values)
All LOVs in User Management (UMX) searchable by:
Role
Responsibility
Both
Internal Code
A type is included in the results, to differentiate roles and responsibilities

Search Enhancements Benefits
Reduce Ambiguity: returning a type reduces ambiguity between roles and responsibilities
Increase Ease of Use: a common LOV can be used to search roles, responsibilities or both

Search Enhancements Process - How to use the feature
Search by name or code for role, responsibility or both
UMX Homepage http://www-apps.us.oracle.com:1100/umx/home/overview/
Q & A