This post revisits EBS Application Module Security.
1. HRMS Security
In HRMS there are two major security concepts:
- Standard HRMS Security
- Security Groups Enabled
Standard HRMS Security is a simple security model used within a single legislation and a single business group. In this model, typically a Security Profile is created for each distinct group of employees and assigned to a responsibility. It's very simple.
To enable Standard HRMS Security, use the Security Profile screen (US Super HRMS Manager -> Security -> Profile) to create a Security Profile.
In Security Groups Enabled Security, a single responsibility can be assigned to more than one business group, so users can access records from multiple business groups. In this model, multiple security profiles can be assigned to a single responsibility.
A typical example: an HR Manager and an Assistant HR Manager can use the same responsibility but will be able to view different data.
For Security Groups Enabled Security, use the Global Security Profiles window.
2. Multi Organization Access Control (MOAC)
This means role-based access to Operating Units.
A single installation of EBS can support different types of organizations. This feature is the ability to access multiple organizations from a single responsibility, and it is available in the majority of Oracle application modules.
A typical MOAC scenario may look like the following:
- Limit users to their relevant organizations through security profiles.
- Assign inventory organizations to inventory users.
- Enter Purchase Orders in one organization and receive goods into any other organization.
- Internal Requisitions from one organization and ship from another organization, with Intercompany invoicing.
Now, I’m going to explain how to define a security profile. Using Oracle HRMS, you can define your security profile using two forms: The Security Profile form or the Global Security Profile form that is shown here. Both forms look almost identical.
The Security Profile form allows you to select operating units from only one Business Group. The Global Security Profile form allows you to select operating units from multiple Business Groups.
The decision on which form to use is really up to you and depends on your HR implementation and how you want to partition data. All you need to do is enter a name, and select the Security Type called “Secure organizations by organization hierarchy and/or organization list”. This allows you to assign multiple OUs. When assigning operating units, first select classification Operating Unit, and then select the organization or Operating Unit name. You can assign as many operating units as you want.
3. Bank Account Security
Bank Account Maintenance security secures the creation and update of bank accounts, whereas Bank Account Access security secures the use of bank accounts.
Bank Account Maintenance Security, which secures the creation and update of bank accounts, grants users access to one or more legal entities. Users can create and update the bank accounts whose owner legal entity is registered in the Bank Account Maintenance Security.
When users create bank accounts, the list of legal entities in the Bank Account Owner LOV is restricted by this security. Users can query and update only those bank accounts whose owner is registered in this security.
The security setup is done in a wizard called “Bank Account Security Management”.
Define bank account use and link organization for every account.
Navigation: Cash management Superuser (R) -> Setup -> Banks -> Bank Accounts -> Click Account Access (T).
Assign organization (Operating Units, Ledger Entities and Business Groups) and bank account use to a Role.
Navigation: User Management (R) -> Roles & Role Inheritance -> Security Wizards -> CE UMX Security wizard.
The Bank Account Access security rule is composed of 2 parts:
- Bank Account Access Setup: defines the organizations that can use an existing bank account.
- Cash Management Security Profiles: provide the list of organizations that a user has access to.
4. Purchasing Security
Purchasing documents can have 4 levels of security:
- Public: Any user may access these documents.
- Private: Only the document owner and subsequent approvers can access the document.
- Purchasing: Document owner, subsequent approvers and users listed as buyers can access.
- Hierarchy: Document owner, team members, approvers and others in the security hierarchy higher than document owner.
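As an added illustration (not Oracle code and not part of the original post), the four levels above can be modelled as an access check that lists who can open a document during an access review. The class and function names, the sample users, and the reduction of the security hierarchy to a simple reports-to map are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model for illustration; these names are assumptions, not Oracle objects.
@dataclass
class PurchasingDocument:
    owner: str
    security_level: str  # "Public", "Private", "Purchasing" or "Hierarchy"
    approvers: set = field(default_factory=set)     # subsequent approvers
    team_members: set = field(default_factory=set)  # only used for "Hierarchy"

def superiors_of(user, reports_to):
    """Everyone above `user` in the security hierarchy; stops on a cycle."""
    seen, current = set(), reports_to.get(user)
    while current is not None and current not in seen:
        seen.add(current)
        current = reports_to.get(current)
    return seen

def can_access(user, doc, buyers, reports_to):
    """Apply the four security levels to one user and one document."""
    level = doc.security_level
    if level == "Public":
        return True
    if level not in ("Private", "Purchasing", "Hierarchy"):
        return False  # unknown level: fail closed
    if user == doc.owner or user in doc.approvers:
        return True   # owner and approvers pass at every restricted level
    if level == "Purchasing":
        return user in buyers
    if level == "Hierarchy":
        return user in doc.team_members or user in superiors_of(doc.owner, reports_to)
    return False      # Private: nobody else

def access_matrix(users, docs, buyers, reports_to):
    """Audit view: document name -> sorted list of users who can open it."""
    return {name: sorted(u for u in users if can_access(u, doc, buyers, reports_to))
            for name, doc in docs.items()}

# Constructed sample data: alice reports to bob, bob to carol; erin is a buyer.
REPORTS_TO = {"alice": "bob", "bob": "carol", "dave": "bob"}
BUYERS = {"erin"}
USERS = ["alice", "bob", "carol", "dave", "erin"]
DOCS = {
    "PO-public": PurchasingDocument("alice", "Public"),
    "PO-private": PurchasingDocument("alice", "Private", approvers={"dave"}),
    "PO-purchasing": PurchasingDocument("alice", "Purchasing", approvers={"dave"}),
    "PO-hierarchy": PurchasingDocument("alice", "Hierarchy", team_members={"dave"}),
}
```

Calling `access_matrix(USERS, DOCS, BUYERS, REPORTS_TO)` shows how the same owner and approver set exposes a document to a different audience at each level.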
If you have created custom responsibilities that will be assigned to supplier users, securing attributes must be included in your custom responsibility definition.
There are three securing attributes that can be used to control access. These attributes are all seeded with the pre-defined Oracle iSupplier Portal responsibilities that are released with the product:
- ICX_SUPPLIER_ORG_ID - Identifier for the supplier.
- ICX_SUPPLIER_SITE_ID - Identifier for the supplier site.
- ICX_SUPPLIER_CONTACT_ID - Identifier for the supplier contact.
You can enable them from Navigation: System Administrator (R) -> Security -> Responsibility -> Define.
6. Flexfield Security Rules
Flexfield Value Security gives you the capability to restrict the set of values a user can use during data entry. With easy-to-define security rules and responsibility level control, you can quickly set up data entry security on your flexfield segments and report parameters.
Flexfield Value Security lets you determine who can use flexfield segment values and report parameter values. Based on your responsibility and access rules that you define, Flexfield Value Security limits what values you can enter in flexfield pop-up windows and report parameters.
Security rules for the Accounting Flexfield also restrict query access to segment values in the Account Inquiry, Funds Available, and Summary Account Inquiry windows. In these windows, you cannot query up any combination that contains a secure value. However, in all other forms, you will be able to query up a value even if it is restricted for the user.
To use this feature, use the Security Rules window to define value security rules for ranges of flexfield and report parameter values.
Navigation: Application -> Validation -> Security -> Define.
Use the Assign Security Rules window to assign the flexfield security rules to an application responsibility.
Navigation: Application -> Validation -> Security -> Assign.
7. Fixed Assets Security
You can manage your Asset Book Security, as mentioned in a previous post. This functionality can be understood as:
- Secure access to each depreciation book / Ledger
- Create a flexible hierarchy of asset organizations
- Associate a responsibility with one or more depreciation books
Asset Book Security allows multiple asset books/registers to be managed/administered independently.
Fixed Assets responsibility can be secured by linking a Fixed Asset Book / Ledger, by executing the following steps:
- Link an Asset organization to the Fixed Asset Set of Book/Ledger.
- Establish an Organization hierarchy for the asset organization.
- Navigation: Fixed Assets Manager (R) -> Setup -> Security -> Organization -> Description -> Query Asset Organization -> Select ‘Asset Organization’ -> Click ‘Others’ -> Assign FA Book.
8. Oracle Projects Security
Oracle Projects provides several integrated security mechanisms to help you define user access to organization, project, and resource information, as well as a variety of Oracle Projects functions. These mechanisms are all based on function security, which is the foundation of Oracle Applications security.
Using these integrated security mechanisms, you can define Oracle Projects security at the following levels:
- Responsibility level, across projects.
- Project level, using project roles.
- Organization level, using predefined organization authority roles.
9. Inventory Organization Access
Inventory organizations can be assigned to responsibilities with inventory screens, thereby restricting the access to only those inventory organizations.
Navigation: Inventory (R) -> Setup -> Organizations -> Organization Access.
It is a very straightforward form in which you assign which inventory organization(s) are available to a responsibility. The rule behind this form is that once a responsibility is used, the default is that the responsibility is not allowed to access all inventory organizations unless you explicitly assign them. The good side is that this setting is effective immediately; there is no need to submit a what-is-the-name-again process or set up all-look-like-the-same profile options.
10. Manufacturing Organization Access
Manufacturing organizations can be assigned to responsibilities with manufacturing screens, thereby restricting the access to only those organizations.
Navigation: Advanced Planning Administrator (R) -> Admin -> Organization Security.
11. Shipping Grants & Warehouse Access
Shipping roles can enable or disable access to individual functions within Shipping.
Navigation: Order Management (R) -> Setup -> Shipping -> Grants and Role Definitions -> Define Roles.
Shipping roles can then be assigned to individual users.
Navigation: Order Management (R) -> Setup -> Shipping -> Grants and Role Definitions -> Grants.
12. Order Holds
In Order Management, when further processing has to be prevented on an order, a hold can be placed and released later.
Navigation: Order Management (R) -> Setup -> Orders -> Holds.
13. Advanced Pricing
Pricing security enables you to restrict pricing activities such as updating and viewing pricing entities to users who are granted specific access privileges. Pricing entities include price lists, pricing agreements, and modifiers.
Pricing security can be set up and maintained in the HTML user interface by a user who is assigned the Oracle Pricing Administrator responsibility. The Oracle Pricing Administrator has the authorization to access and update all pricing entities for all functional users.
With pricing security, you can implement a higher level of control by:
- Assigning pricing entities to operating units: Ownership of a pricing entity can be assigned to a specific operating unit. You can restrict usage to one operating unit or allow usage by all operating units.
- Assigning privileges that control which grantee (Global, Operating Unit, Responsibility, or User level) can view or maintain the specified entity: You can use security privileges to control users' access to pricing entities in the following ways:
  - Grant view-only or maintain access privileges to functional users at the Global, Operating Unit, Responsibility, or User level.
  - Assign or reassign Operating Unit ownership to price lists and modifiers and control which operating units can use them for pricing transactions.
  - Create entity sets (a set consists of grouped pricing entities) and assign access privileges to the entire set. The Entity Set function is available only with a license to Advanced Pricing.
- Setting default rules for security access for new pricing entities.
Note: before turning on pricing security, you must create privileges for existing pricing entities.
Navigation: Oracle Pricing Administrator Setup -> Security -> Privileges
Hope this post will surely help you address some of the security and audit needs of your clients/customers.