Oracle Functions
We are looking to implement SOD in Oracle. As part of that I am in the process of compiling the functions that enable various business functions. For instance I am compiling a list of all functions that enable supplier creation. I am doing this by querying on the functions form. I am not sure if this will give me accurate results. In this regard:
- Can you please tell me if there is an accurate way of arriving at all functions that result in a particular business function?
- Where can I find a list of all oracle functions given a particular business function like ‘Ability to Vouch Invoices’
Any help in this regard is highly appreciated.
You might check out a presentation online, ‘Sarbanes-Oxley Best Practices in an Oracle Environment’. Slide #4-12 addresses Segregation of Duties in Oracle and Best Practices.
If you need specific technical guidance on how to implement some of the Best Practices or functionality within Oracle, you can also send a message to the Atlanta Oracle Application Users Group and I’m sure someone there should be able to provide additional feedback.
Hope this helps,
Jeffrey Hare developed the presentation identified above, ‘SOX Best Practices in an Oracle Applications Environment’. Additionally, some Tips/Techniques may be found at:
The author of the slide deck states that he has formed a SOX eGroup to facilitate discussion re: SOX issues in an Oracle Applications Environment. You can sign up at: groups.yahoo.com/group/OracleSox/
Thank You for the information. I did go through the presentation you mentioned. I got that from the Logical Apps website. What I am looking for is specifics with regards to identifying functions. For instance how does one identify all functions that enable a user to create vendors. How does one identify all functions that enable a user to create invoices? Has anyone done this exercise earlier and if yes is it ok to share the results.
Please reply again with your question to the forum if follow-up to the AOAUG and the detailed action steps below does not fully answer your question.
I’m sure with the large number of Oracle users, someone has probably addressed your issue and will share his/her experiences in detail.
Checklist for Review of Oracle Financials Security
Have profiles been enabled at the user, responsibility, application or site level.
Run the ‘User Profile Option Values Report’ for the following options below. Examine the settings within this report:
Sign-On: Notification – ‘yes’ displays a message at log-in indicating the number of failed requests since the last session.
Signon Password Length – min/default of 5 if blank.
AuditTrail: Activate – default is NO; not visible to the user, only at the site and application levels.
Concurrent: Active Request Limit – number of requests that may be run simultaneously by each user. Default is unlimited. Site level only.
Sign-On: Audit Level – level at which to audit users. Four levels: None, User, Responsibility and Form. None is the default. User level tracks who signs on, the times users log on and off, and the terminals in use. Responsibility tracks User plus the responsibilities chosen and how much time is spent on each responsibility. Form tracks Responsibility plus the forms chosen and the time spent on each form.
Users and Responsibilities
Identify all of the Oracle usernames. Are there any additional usernames besides those created by default in the system, and what is their purpose? Are they set up as ‘restricted’ (read-only), ‘enabled’ (all privileges) or ‘disabled’ (no privileges)?
Have the default passwords been changed for all default Oracle usernames?
Review each user’s settings, which is either:
Password expiration – number of days between password changes
Password expiration – maximum allowed number of sign-ons between password changes
Run the ‘Active Responsibilities Report’. Review the entries listed. Look for any incompatible responsibilities for a user.
Run the ‘Active Users Report’. Review the entries listed.
Have any customized responsibilities been installed, or are predefined responsibilities being used?
If there are customized responsibilities, understand the data groups assigned (mandatory). (Data groups provide a linkage between the responsibilities and the Oracle usernames that actually do the database reads/writes)
If there are customized responsibilities, understand the request security groups in use (optional). (Request security group defines the concurrent programs, that may be run by an application user under a particular responsibility)
If there are customized responsibilities, understand the menu (mandatory). (A menu is an arrangement of application functions [forms].)
If there are customized responsibilities, understand the function and menu exclusions (optional). (Exclusions may be applied for functions and menus.)
For those customized responsibilities, run the ‘Function Security Function Report’ and the ‘Function Security Menu Report’.
Is audit logging enabled? If so, understand the level and depth of logging being applied.
Is the audit logging subject to review? Are the standard reports such as ‘Signon Audit Unsuccessful Logins’ subject to periodic review?
Have customized menus been defined? If so, understand the functions and function exclusions applied and the responsibilities assigned.
Is SQL*Plus or another similar tool in use? What restrictions are there to prevent direct update to the database tables? Ensure the Oracle tools such as Oracle Browser, SQL*Plus or SQL*Forms are read-only.
Additionally, on AuditNet, an Oracle Application APG is posted and provides specific audit procedures to perform the tests noted in your question.
auditnet.org/docs/Oracle Application Audit.doc
Hope this helps,
A good reference and implementation guide is available from Oracle:
Best Practices for Securing Oracle E-Business Suite
This might also give you implementation procedures to accomplish your audit objective.
Thank you for the info. I am looking for information specifically for Oracle Applications. In Oracle Applications, can I get a list of all the FUNCTIONS that give a user the capability to do a specific business function like create customers.
The reason I am asking this is because we are trying to find all users that have the capability to create customers. This is being done as part of preparation for an IT audit. We have more than 12 operating units in a single instance of oracle applications. The 12 operating units in turn mean that we have more than 300 responsibilities in the instance. Checking each one of them manually can be a pain. If we can identify all functions that have the capability to create customers we have a script that will identify the responsibilities that have access to the function. We have been able to identify a few functions but are not sure if there are more.
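An added example, not code from any post in this thread, of the kind of script described above: an Oracle SQL query over the standard FND (Application Object Library) tables that lists, for a set of form functions, every responsibility whose compiled menu grants them (net of function and menu exclusions) and the active users assigned to each responsibility. The function names in the IN list are placeholders to be replaced with the functions identified for the business activity under review, and the query assumes FND_COMPILED_MENU_FUNCTIONS is current (run Compile Security after menu changes).

```sql
-- Added example for an SoD / access review; not from the original thread.
-- Uses the standard EBS FND tables; function names below are placeholders.
WITH target_functions AS (
  -- candidate functions for the business activity (e.g. customer creation);
  -- FND_FORM_FUNCTIONS_TL.USER_FUNCTION_NAME can be searched to build this list
  SELECT function_id, function_name
  FROM   fnd_form_functions
  WHERE  function_name IN ('FUNCTION_NAME_PLACEHOLDER_1', 'FUNCTION_NAME_PLACEHOLDER_2')
),
resp_functions AS (
  -- every function reachable from each active responsibility's top menu,
  -- via the flattened menu tree maintained by the Compile Security program
  SELECT r.responsibility_id, r.application_id, cmf.function_id
  FROM   fnd_responsibility r
  JOIN   fnd_compiled_menu_functions cmf ON cmf.menu_id = r.menu_id
  WHERE  cmf.grant_flag = 'Y'
    AND  (r.end_date IS NULL OR r.end_date > SYSDATE)
),
excluded AS (
  -- function-level ('F') exclusions name the function directly;
  -- menu-level ('M') exclusions remove every function under that menu
  SELECT rf.responsibility_id, rf.application_id, rf.action_id AS function_id
  FROM   fnd_resp_functions rf
  WHERE  rf.rule_type = 'F'
  UNION
  SELECT rf.responsibility_id, rf.application_id, cmf.function_id
  FROM   fnd_resp_functions rf
  JOIN   fnd_compiled_menu_functions cmf ON cmf.menu_id = rf.action_id
  WHERE  rf.rule_type = 'M'
)
SELECT tf.function_name, rt.responsibility_name, u.user_name
FROM   target_functions tf
JOIN   resp_functions rfn        ON rfn.function_id = tf.function_id
JOIN   fnd_responsibility_tl rt  ON rt.responsibility_id = rfn.responsibility_id
                                AND rt.application_id = rfn.application_id
                                AND rt.language = USERENV('LANG')
-- LEFT JOIN keeps responsibilities that grant the function but have no users
LEFT JOIN fnd_user_resp_groups urg ON urg.responsibility_id = rfn.responsibility_id
                                  AND urg.responsibility_application_id = rfn.application_id
                                  AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
LEFT JOIN fnd_user u ON u.user_id = urg.user_id
                    AND (u.end_date IS NULL OR u.end_date > SYSDATE)
WHERE NOT EXISTS (SELECT 1 FROM excluded e
                  WHERE e.responsibility_id = rfn.responsibility_id
                    AND e.application_id    = rfn.application_id
                    AND e.function_id       = tf.function_id)
ORDER BY tf.function_name, rt.responsibility_name, u.user_name;
```

The result is only as complete as the target_functions list, so the candidate functions still need to be confirmed against the menus and forms in use before the user list is treated as the full population for the audit.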
Have you tried calling the Oracle Technical Support Group for feedback to your technical question?
From what I’ve observed after reading/replying to many of the questions posted in the Forum, the SOX Forum is quite effective to obtain quick answers to questions that pertain to SOX implementations and overall guidance.
I think you are looking for a technical solution to a problem that you have encountered while using Oracle Applications. Thus, the solution is very specific and benefits only persons who are using Oracle. A solution might entail sharing of code, SQL query strings, or other detailed procedures, some of which might be considered proprietary business processes.
In short, I think that you will have more success obtaining an answer to your question by also posting it to an Oracle Users Group site. There, you will find much more activity and technical discussions among Oracle users. Also, someone might be willing to share Oracle code or procedures with you.
A few companies have developed specific products to address SoD issues in Oracle…Versa is one of them. They probably have a product exactly suited to your requirements, but at a cost nonetheless.
As a matter of information, Oracle User Management contains a new module that simplifies user account and security privilege administration and assignment across Oracle Applications.
- Support for delegated user administration,
- a role based access control (RBAC) model, and self-service support with configurable approval processes.
You can probably find out more about the functionality of this module by contacting Oracle directly.
Hope this helps,
harrywaldron
Milan - Thank you for sharing this excellent list of considerations … I’m most likely going to pass on the checklist to our DBAs
No problem…share the wealth…I’ve found your responses in the Forum also insightful and consistently a good value-add.
Too bad that I’m not in an Oracle shop and could take advantage of some of the integrated application controls.