1 Security Administration in Oracle E-Business Suite: Overview of Oracle User Management
Leon Tu, Applications Technology Group, Oracle Corporation

2 Business Needs for User Management
Unified approach to create and maintain users
Improved Security
Easier User Administration
Provide Delegation Capabilities

Speaker Notes
The Oracle E-Business Suite consists of several self-service applications. These applications generally require users to authenticate before they can perform certain tasks, such as purchasing items from an online store or creating a service request. To use these applications, specific user information may be required: the online store needs the user's credit card information to purchase items, while information about the user's orders may be needed to complete a service request. Creating a separate user per application is clearly not viable. Our goal in User Management is to provide a unified approach to creating users that reduces redundancy, simplifies maintenance and improves the user experience. The E-Business Suite also needs to address important security considerations: which applications can a user access? Which functions can the user perform? What role does a user play in the system, and what data can the user access? These and other security questions must be answered in a way that is easy to set up, maintain and use. The overall maintenance and administration of users must be easy and should involve few, if any, manual processes. In addition, administrators must be able to delegate their responsibilities to local administrators who have limited administrative privileges for a subset of their organization's users. Oracle User Management addresses all of these business needs.

3 Oracle User Management
Layered feature stack, top to bottom: Self Service Features, Delegated Administration, Provisioning Services, Role Based Access Control, Data Security, Function Security

4 Function Security

5 Function Security
Functions represent basic entry points / operations / secured resources that do not have any data context, for example: “Page X”, “Region Y”
Typically done using responsibilities in E-Business Suite, for example:
Employee HR Self Service: Personal Info, Job Posts, Pay Slip
Manager HR Self Service: Hiring / Firing, Transfers, Promotions, Compensation

6 Data Security

7 Data Security
Which business objects / documents hold sensitive data and need to be secured? For example: Expense Reports, Employees
Which secured operations can be performed on each object? For example: update, delete, reject, approve, escalate
Secured operations are represented as privileges, aka permissions
Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]
Example: [Managers] can [view, approve, reject, update] [expense reports] [filed by their direct reports]
Sets of business documents are identified through objects and instance sets (SQL predicates)

8 Data Security Grants
Data security grants are only in effect when working on records which meet a filter criterion.
Data filter types:
Single instance (ad-hoc): applies to a specific instance of an object, e.g. "John may manage project 123"
Instance set (policy): applies to rows which match a WHERE clause, e.g. "Employees may view public projects", expressed as WHERE project_status_flag = 'PUB'

9 Data Security Service
Data security grants hold access policies
Application maintains a context:
User context: user identity and derived attributes
Data context: the data record that is “in focus”
Data security service answers two questions:
Which records can I perform a given function on?
Which functions can I perform on a given record?
Application restricts access accordingly
Limited uptake right now (manual coding); will be built into the framework (automatic) later
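An added worked example (not code from the presentation or from Oracle UMX) of the two questions the data security service answers, built on the slides' instance-set idea: each grant names a role, a permission and either one row or a SQL predicate, and the service evaluates the predicates in the user's context. The projects table, its columns, the roles and the grants are constructed here. The same mechanism, a set of rows defined by SQL, is what the delegated administration policies later in the deck use to pick a set of users.

```python
"""Toy data security service modelled on the slides' grants and instance sets.

Added example, not Oracle UMX code. The projects table, its columns
(project_status_flag, owner_user), the roles and the grants below are all
constructed here for illustration.
"""
import sqlite3

# Constructed sample rows: (project_id, name, project_status_flag, owner_user)
PROJECTS = [
    (101, "Public website", "PUB", "KWALKER"),
    (123, "Internal payroll", "PRIV", "JDOE"),
    (150, "Partner portal", "PUB", "JDOE"),
]

# Constructed grants: (grantee role, permission, filter type, filter).
# A SET grant carries a WHERE-clause predicate (the "instance set");
# an INSTANCE grant names one row (the ad-hoc "John may manage project 123").
GRANTS = [
    ("EMPLOYEE", "VIEW_PROJECT", "SET", "project_status_flag = 'PUB'"),
    ("PROJECT_OWNER", "UPDATE_PROJECT", "SET", "owner_user = :user"),
    ("JOHN_ADHOC", "MANAGE_PROJECT", "INSTANCE", "123"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects (project_id INTEGER PRIMARY KEY, name TEXT,"
        " project_status_flag TEXT, owner_user TEXT)"
    )
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?, ?)", PROJECTS)
    return conn


def _filter_sql(grant):
    """Render a grant's filter as a SQL fragment.

    Predicates are administrator-authored metadata, never end-user input,
    which is the only reason inlining them into SQL is acceptable. The user
    context is still passed as a bind variable (:user), and the ad-hoc
    instance id is coerced with int() so a bad value fails loudly.
    """
    _, _, ftype, spec = grant
    if ftype == "INSTANCE":
        return "project_id = %d" % int(spec)
    return "(" + spec + ")"


def accessible_records(conn, user, roles, permission):
    """Answer: which records can this user perform `permission` on?"""
    preds = [_filter_sql(g) for g in GRANTS if g[0] in roles and g[1] == permission]
    if not preds:
        return []
    sql = ("SELECT project_id FROM projects WHERE " + " OR ".join(preds)
           + " ORDER BY project_id")
    return [row[0] for row in conn.execute(sql, {"user": user})]


def allowed_functions(conn, user, roles, project_id):
    """Answer: which secured operations can this user perform on one record?"""
    allowed = set()
    for g in GRANTS:
        if g[0] not in roles:
            continue
        sql = "SELECT 1 FROM projects WHERE project_id = :pid AND " + _filter_sql(g)
        if conn.execute(sql, {"pid": project_id, "user": user}).fetchone():
            allowed.add(g[1])
    return sorted(allowed)


if __name__ == "__main__":
    db = build_db()
    print(accessible_records(db, "JDOE", {"EMPLOYEE", "PROJECT_OWNER"}, "VIEW_PROJECT"))
    print(allowed_functions(db, "JDOE", {"EMPLOYEE", "PROJECT_OWNER"}, 150))
```

The point to take from it is the split between grant metadata and request context: the predicate text comes from the grant store and is trusted, while everything that varies per request (the user, the record in focus) goes in as a bind variable. If a deployment ever lets predicate text be edited by someone who is not a security administrator, that trust boundary moves with it.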

10 Role Based Access Control

11 Role Based Access Control
Based on the RBAC standard (ANSI INCITS)
A role consists of:
Other roles (via inheritance)
Responsibilities (via inheritance)
Permissions
Function Security Policies
Data Security Policies
A user can be assigned several roles, and a role can be assigned to several users

Speaker Notes
User Management introduces role based access control. A key feature of this model is that all access is through roles. A role can be configured to consolidate the responsibilities, permissions and data security rules required for users to perform a specific function. Access privileges are inherited based on the roles assigned to the user. A user can be assigned several roles: for example, a user can play the role of an employee and the role of a sales rep at the same time. Several users can also play the same role at any given time: all the employees in an organization play the employee role.

12 EBS RBAC Model - Users
Users can be:
Humans: internal (Employees) or external (Customers)
Systems: internal (integrated applications, A2A) or external (trading partners, B2B)

13 EBS RBAC Model - Roles
Roles can be:
EBS Responsibilities
HR Positions
TCA Groups
LDAP Roles
UMX Access Roles
Roles are hierarchical: a role can contain other roles (diagram: users assigned to roles, roles nested in roles)

14 EBS RBAC Model - Permissions
Permissions can be:
Screens / Flows
APIs / Services
Data Operations
(diagram: a user reaches a permission either directly or through a role, and roles can nest)

15 EBS RBAC Model - Permission Sets
Permission Sets are defined using the Menu structure
(diagram: users reach permission sets directly or through roles; a permission set groups permissions)

16 EBS RBAC Model - Grants
(diagram: users, roles, permission sets and permissions linked by grants)

17 EBS RBAC Model - Grants
Grants represent security policies, for example "Employees have access to expense reporting"
A grant gives a role access to a set of permissions, with an optional context restriction:
Responsibility
Organization
Data set
Some permissions are "context independent"
You should not need to worry about navigation menus when defining security policy...

18 Case Study
Grant access to a set of Sales Managers. They need access to:
HR Self Service: Manager + Employee access
Sales Online: Sales Manager access
Expenses
iProcurement

Speaker Notes
The next few slides will take you through a simple setup of some roles / responsibilities. We will see how an employee, sales rep, sales mgr and support mgr are set up before RBAC and how the setup differs with RBAC.

19 Access Control before..
Users directly assigned Responsibilities
(diagram: each user, whether an Employee or a Mgr, is assigned each responsibility individually: Sales Online Mgr, Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement)

20 ..With RBAC: Basic Approach
Roles: Sales Manager, Manager, Sales Rep, Employee, linked by Role Inheritance
Responsibilities attached to roles: Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement, Sales Online
(diagram: the Sales Manager role inherits the other roles and, through them, their responsibilities)

21 RBAC Benefits
Reduces / Simplifies Administration: mass updates via a single operation
Coexists with existing Security Setups
Basic Approach (try it now!): consolidate your existing Responsibilities into Roles
Advanced Approach: reduces the number of Responsibilities and Menus (“Principle of Least Privilege”)
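The role hierarchy of the case study, as an added example that is not part of the presentation or of Oracle UMX. The inheritance edges (Sales Manager inherits Sales Rep and Manager, both of which inherit Employee), the "Sales Online Mgr" responsibility and the sample users are assumptions chosen to fit the slides. It shows the mass update benefit, a responsibility attached once to a role reaching every user who inherits that role, and it checks that the hierarchy is acyclic, since a cycle would make every role in it equivalent and silently widen access.

```python
"""Role hierarchy with inheritance, modelled on the Sales Manager case study.

Added example, not Oracle UMX code. The inheritance edges, the
"Sales Online Mgr" responsibility and the users are assumptions.
"""
from collections import deque

# Assumed hierarchy: role -> roles it inherits from
ROLE_PARENTS = {
    "SALES_MANAGER": {"SALES_REP", "MANAGER"},
    "SALES_REP": {"EMPLOYEE"},
    "MANAGER": {"EMPLOYEE"},
    "EMPLOYEE": set(),
}

# Responsibilities attached directly to each role
ROLE_RESPONSIBILITIES = {
    "EMPLOYEE": {"Expenses", "Employee HR Self Service", "iProcurement"},
    "MANAGER": {"Manager HR Self Service"},
    "SALES_REP": {"Sales Online"},
    "SALES_MANAGER": {"Sales Online Mgr"},
}

# Constructed users and their directly assigned roles
USER_ROLES = {
    "ASMITH": {"SALES_MANAGER"},
    "BJONES": {"SALES_REP"},
    "CLEE": {"EMPLOYEE"},
    "DWU": {"MANAGER"},
}


def is_acyclic(parents):
    """Inheritance must form a DAG. DFS with grey/black colouring."""
    state = {}

    def visit(r):
        if state.get(r) == "in":
            return False          # back edge: cycle
        if state.get(r) == "done":
            return True
        state[r] = "in"
        ok = all(visit(p) for p in parents.get(r, ()))
        state[r] = "done"
        return ok

    return all(visit(r) for r in parents)


def inherited_roles(role, parents=ROLE_PARENTS):
    """Transitive closure of inheritance, including the role itself."""
    seen, queue = {role}, deque([role])
    while queue:
        for p in parents.get(queue.popleft(), ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def effective_responsibilities(roles, parents=ROLE_PARENTS,
                               resps=ROLE_RESPONSIBILITIES):
    """Everything a user reaches through the roles assigned to them."""
    out = set()
    for r in roles:
        for inherited in inherited_roles(r, parents):
            out |= resps.get(inherited, set())
    return out


def add_responsibility_to_role(role, responsibility, users=USER_ROLES,
                               parents=ROLE_PARENTS, resps=ROLE_RESPONSIBILITIES):
    """The "mass update via a single operation": attach once to the role and
    return every user who picks it up through inheritance."""
    resps.setdefault(role, set()).add(responsibility)
    return sorted(u for u, rs in users.items()
                  if responsibility in effective_responsibilities(rs, parents, resps))


if __name__ == "__main__":
    assert is_acyclic(ROLE_PARENTS)
    print(sorted(effective_responsibilities(USER_ROLES["ASMITH"])))
```

The same closure is what a least-privilege review needs: run effective_responsibilities for each user and compare against what the job actually requires, since inheritance makes it easy to hand a role far more than its name suggests.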

22 D E M O N S T R A T I O N RBAC

23 Provisioning Services

24 Provisioning Services
Workflow based Provisioning Engine
Handles all Self Service and Administrator initiated requests for new User Accounts and Roles / Responsibilities
Reserve, Release, Activate Pending Accounts
Temporary Storage of Registration Data
“Registration Process”: metadata that defines
Approval Policies (in Oracle Approval Management)
Eligibility Policies
Verification (Account Requests only)
Notification Workflows
Business Logic
Registration UIs

25 Account Provisioning Flow
(flow diagram)

26 Delegated Administration

27 Delegated Administration
System Administrator: all Users & Roles
Local Administrator (e.g. Americas, Europe): a subset of Users & Roles

28 Delegated Administration
Fine Grained Admin Policies based on Data Security
Defines who can [query, create, update, reset pwd] a given set of users
The set of users can be defined by, for example: Internal / External Users, Location, Organization, or anything else derived using SQL
Granted to Admin Roles
Leverages Provisioning Services (if set up)
RBAC is not required (except for Admin Roles)

29 Delegated Admin Benefits
Decentralized Administration: administrators closer to the users they manage
System more likely to be up to date
Improved response time

36 D E M O N S T R A T I O N Delegated Admin

37 Delegated Administration

38 Self Service Features
End Users can request:
New User Accounts
New Roles and Responsibilities, from the “Access Requests” page (Preferences menu)
Password Reset, from the AppsLogin page (set the “Local Login Mask” profile)
Leverages Provisioning Services
Does not require RBAC

39 D E M O N S T R A T I O N Self Service Features

40 R12 Enhancements for User Management
List of new / updated R12 features:
Proxy User
ICM (Separation of Duties - SoD) Integration
Enhanced Forgot Username / Password
New Registration Process Type for Administrator Role Assignment
Security Wizard Infrastructure
Search Enhancement for Lists of Values (LOVs)

41 Proxy User Description
Proxy User Framework:
Provides the delegator the ability to grant / revoke the proxy privilege to individuals
Provides a mechanism throughout the application framework where the user can access the proxy switcher feature
Provides a mechanism throughout the application framework which indicates to the user that they are acting as a proxy
Provides the ability to track the delegate’s actions within the system while the delegate is acting on behalf of the delegator (Audit)
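An added example, not Oracle's proxy user framework, of the four capabilities listed above as a small service: grant / revoke, the list shown under Switch User, the switch itself, and an audit record that keeps both identities. The ProxyService API, the user names and the audit record layout are constructed. One design choice to note is that the switch is checked against the authenticated user rather than the identity currently being proxied, so a delegate cannot chain through a second delegator.

```python
"""Proxy user switching with an audit trail, after the slides' description.

Added example, not Oracle's proxy framework. The ProxyService API, the
user names and the audit record layout are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    real_user: str        # who authenticated
    acting_as: str        # whose privileges are in effect

    @property
    def is_proxy(self):
        return self.real_user != self.acting_as


@dataclass
class ProxyService:
    # delegator -> set of delegates allowed to act on their behalf
    proxies: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def grant_proxy(self, delegator, delegate):
        """Delegator grants under Preferences -> Manage Proxies."""
        if delegator == delegate:
            raise ValueError("a user cannot proxy for themself")
        self.proxies.setdefault(delegator, set()).add(delegate)

    def revoke_proxy(self, delegator, delegate):
        self.proxies.get(delegator, set()).discard(delegate)

    def switchable_targets(self, user):
        """Users offered in the 'Switch User' list for this login."""
        return sorted(d for d, ds in self.proxies.items() if user in ds)

    def switch_user(self, session, target):
        """'Switch User': refuse unless a grant exists from target to the
        authenticated user. Checking real_user, never acting_as, stops a
        proxy from chaining through a second delegator."""
        if target not in self.switchable_targets(session.real_user):
            raise PermissionError(f"{session.real_user} may not act as {target}")
        session.acting_as = target
        self._log(session, "SWITCH_USER")
        return session

    def return_to_self(self, session):
        """'Return to Self': logged while still proxied so the record shows
        whose session is being left."""
        self._log(session, "RETURN_TO_SELF")
        session.acting_as = session.real_user
        return session

    def perform(self, session, action):
        """Any business action records both identities when proxied."""
        self._log(session, action)
        return session.acting_as

    def _log(self, session, action):
        self.audit.append({
            "actor": session.real_user,
            "on_behalf_of": session.acting_as if session.is_proxy else None,
            "action": action,
        })


if __name__ == "__main__":
    svc = ProxyService()
    svc.grant_proxy("SYSADMIN", "KWALKER")
    s = svc.switch_user(Session("KWALKER", "KWALKER"), "SYSADMIN")
    svc.perform(s, "CREATE_USER")
    svc.return_to_self(s)
    for entry in svc.audit:
        print(entry)
```

When reviewing audit data from a proxy feature, the field to look for is the equivalent of on_behalf_of: a log that records only the effective identity makes actions taken by a delegate indistinguishable from the delegator's own.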

42 Proxy User Process - How to grant proxy privileges
Grant proxy privileges to a user under Preferences -> Manage Proxies Example: SYSADMIN grants proxy privileges to KWALKER

43 Proxy User Process – How to switch to proxy user - I
A “Switch User” link appears for the delegate, KWALKER

44 Proxy User Process – How to switch to proxy user - II
Clicking on “Switch User” allows the user to select which user to act as proxy for

45 Proxy User Process – Framework chrome for proxy user
All UI screens show the updated chrome for the proxy user
The “Return to Self” link lets the user switch back to their regular session

46 ICM (SoD) Integration Description
Oracle User Management (UMX) provides SoD (Segregation of Duties) functionality through integration with Oracle Internal Controls Manager (ICM)
Preventative enforcement of SoD constraints:
At assignment time (admin flows)
With Notifications (self service flows)
Function security based constraint override for administrators
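An added example, not Oracle code, of preventive SoD enforcement at assignment time in the pattern the slide describes. The roles, responsibilities, constraints and the override function name are constructed; the mapping from role to responsibilities is assumed to be already resolved through inheritance; and "with notifications" in the self-service flow is interpreted here as refusing the request and returning the conflicts so a notification can be sent. ICM's actual constraint model is not reproduced.

```python
"""Preventive separation-of-duties checks at role assignment time.

Added example, not Oracle UMX or ICM code. Roles, responsibilities,
constraints and the override function name are all constructed.
"""

# Assumed: the responsibilities each role resolves to, after inheritance
ROLE_ACCESS = {
    "AP_INVOICE_CLERK": {"AP Invoice Entry"},
    "AP_PAYMENT_APPROVER": {"AP Payment Approval"},
    "AP_SUPERVISOR": {"AP Invoice Entry", "AP Payment Approval"},
    "EMPLOYEE": {"Expenses"},
}

# Constructed SoD constraints: two sets of responsibilities that must not
# both be held by one user, plus a label used in the notification.
SOD_CONSTRAINTS = [
    ({"AP Invoice Entry"}, {"AP Payment Approval"},
     "enter invoices vs approve payments"),
]

# Assumed name of the function an administrator must hold to override
OVERRIDE_FUNCTION = "UMX_SOD_OVERRIDE"


def violations(current_roles, new_role, access=ROLE_ACCESS,
               constraints=SOD_CONSTRAINTS):
    """Constraints that would be violated once new_role is added.

    The check runs over the union of what the user already holds and the
    new role, so a single role that is conflicting by itself is caught too.
    """
    held = set().union(*(access.get(r, set()) for r in current_roles | {new_role}))
    return [label for a, b, label in constraints if held & a and held & b]


def assign_role(user_roles, new_role, flow, admin_functions=frozenset(),
                override=False):
    """Decide an assignment request and mutate user_roles on success.

    flow="admin": preventive; rejected unless the administrator holds
    OVERRIDE_FUNCTION (function security) and explicitly overrides.
    flow="self_service": preventive as well; rejected and the conflicts are
    returned so the requester / approver can be notified.
    Returns (decision, conflicts).
    """
    conflicts = violations(user_roles, new_role)
    if not conflicts:
        user_roles.add(new_role)
        return "assigned", []
    if flow == "admin":
        if override and OVERRIDE_FUNCTION in admin_functions:
            user_roles.add(new_role)
            return "assigned_with_override", conflicts
        return "rejected", conflicts
    if flow == "self_service":
        return "rejected_with_notification", conflicts
    raise ValueError("unknown flow: " + flow)


if __name__ == "__main__":
    roles = {"AP_INVOICE_CLERK", "EMPLOYEE"}
    print(assign_role(roles, "AP_PAYMENT_APPROVER", "admin"))
    print(assign_role(roles, "AP_PAYMENT_APPROVER", "admin",
                      admin_functions={OVERRIDE_FUNCTION}, override=True))
```

Two details matter for an auditor: the override requires both an explicit flag and a function grant, so it cannot happen by accident, and the conflicts are returned on the override path as well, which is what makes the override itself reviewable later.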

47 ICM (SoD) Integration Benefits
Improve Regulatory Compliance: allows for preventative enforcement of separation of duties constraints as defined by regulatory requirements (SOX)

48 Enhanced Forgot Username / Password
Centralized “Forgot Username / Password” capability
Improved implementation by coupling the username and password retrieval (or reset) processes
“Forgot username” functionality introduced
Enhanced “forgot password” functionality, allowing the user to reset the password
Ability to query on either a lost “username” or a lost “password”: enter the address if the username is lost, enter the username if the password is lost

49 New Registration Process Type for Administrator Role Assignment
New registration process of type “Administrator Assisted Additional Access”
Different policies (registration processes) can be used for administrative actions vs. self service requests, covering Approval Routing, UI, Notifications and Business Logic

50 New Registration Process Type Benefits
Reduce complexity: simpler registration processes can be created for self-service and administrator flavors
Increase flexibility: supports alternative approvals for administrator role assignment

51 Security Wizard Infrastructure
Infrastructure for product teams to create their own security wizards in the context of a role
Product teams create their wizards and seed the relevant information
These wizards appear in the list of security wizards available to the administrator when creating / updating role information
New User Interface for Delegated Administration: the existing delegated administration setup is implemented using the wizard infrastructure, and the wizard guides the user through the options they can set for a delegated administration

52 Security Wizard Infrastructure Benefits
Increase Ease of Use: wizard framework for managing security information
Improved flexibility: wizard to guide the user through delegation setup

53 Security Wizard Infrastructure Setup – Add function to wizard menu
Seed the function for the wizard in the wizard menu UMX_ROLE_WIZARD_LINKS_MENU

54 Security Wizard Infrastructure Setup – Create grant for the function
Create a grant for the function seeded in the previous step to every administrator role that the wizard should be available to

55 Security Wizard Infrastructure Process – How to use the feature
Security wizard can be launched from create/update role page

56 Security Wizard Infrastructure Process – How to use the feature
The wizard launcher page lists the wizards available to the logged in user
Clicking the icon launches the wizard in the context of the role

57 Security Wizard Infrastructure Process – Delegated Admin Wizard
UMX delegated admin wizard launched from the wizard launch page

58 Search Enhancements Description
Search Enhancement for LOVs (Lists of Values): all LOVs in User Management (UMX) are searchable by Role, Responsibility or both, and by internal code
A type is included in the results to differentiate roles and responsibilities

59 Search Enhancements Benefits
Reduce Ambiguity: returning a type reduces ambiguity between roles and responsibilities
Increase Ease of Use: a common LOV can be used to search roles, responsibilities or both

60 Search Enhancements Process - How to use the feature
Search by name or code for role, responsibility or both

61 UMX Homepage

62 Q & A
