
SAP-ORCL: “Security”

Posted on January 12th, 2008 by Sanjit Anand


Over the coming weeks, I will feature a series (SAP-ORCL) of posts on some functionality gaps between two great ERP products: SAP and Oracle. The posts will include a comparative study, answers in two product dimensions, the functionality gap and, of course, end user/FinanceIT/ISD/IT department frustration with Oracle EBS which was replaced with SAP, as a whole in terms of initial acceptance.

Let's start with four questions on ‘Security’ from an end-user perspective!

Is security defined by user, user group or a combination? Can this be set by Ledger/company/module or is it across the system?

In Oracle, security is defined by user, responsibility, menus and request sets, which can be easily customized or tailored and can be reused, so you can use include/exclude functions. Menu exclusion is also built in, to exclude entries from the standard menu list.



  • Responsibilities using Menus and Function security: in Oracle, function security is the mechanism by which user access to functionality is controlled. Functions are of two types: executable functions (formerly called form functions in 11i) and non-executable functions (formerly called sub functions).
    • Executable functions are normally attached to forms, with functions grouped together to create a menu (with menus then assigned to a responsibility).
    • Non-executable functions are executed from within a form and are frequently associated with buttons or other graphical elements on forms.
  • Request Groups: Request groups specify the reports, request sets, and concurrent programs that users can submit.
  • Data Access Set: The data access set assigned to a user responsibility controls whether or not a person can enter, modify, delete, post, and view journal batches in the General Ledger.
  • Session Timeouts: If there is no activity on a session for a certain period of time, the session expires and the user needs to re-enter the login and password. This can be controlled by the ‘ICX:Session Timeout’ profile option.

In SAP, a user ID is linked to a user profile, which takes care of the authorizations. More than one user can be attached to a user profile. Ledger, company, etc. are entities or authorization objects in which we can specify that the user is authorized only for specified company codes.

As I understand it, SAP recommends that the following 3 roles be segregated:

  1. User administrator (defines and maintains user master records)
  2. Data administrator (creates/changes activity groups and authorizations)
  3. Profile administrator (display activity groups and their data).

A bit on knowing these elements in the SAP Authorizations concept:

  • Authorization : An instance of an authorization object, a combination of allowed values for each authorization field of an authorization object.
  • Authorization profile: Contains instances (authorizations) for different authorization objects.
  • Role : Is a generated authorization profile. A role describes the activities of an SAP user.
  • Composite role: Consists of multiple roles. It cannot contain other composite roles.
  • User/User Master Record : Used for logging on to SAP systems and grants restricted access to functions and objects of the SAP system based on authorization profiles.

This can be best understood as:

In SAP, the authorization concept is based upon the logical relationship between a user ID and the range of system authorizations with which it can be associated. The architecture of the authorization system is based upon the use of several individual but related logical components: Profiles, Objects, Fields, and Authorizations. The user ID refers exclusively to profiles. Each profile grants a set of specific system access authorizations to the user. The figure on the right illustrates the hierarchical authorization concept in SAP with respect to a PO. You can see that authorization #1 is granted for company 1, whereas authorization #2 is granted for access to all companies. #1 allows only creating a PO, whereas #2 allows the receiving activity.
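The PO illustration above, worked through as a small model (an added example, not SAP code and not from the original post). The object name `PO`, the field names `COMPANY` and `ACTIVITY`, the `*` wildcard and the user and profile names are assumptions made for the sketch; the point it shows is that field values are evaluated together inside one authorization, so a user holding both #1 and #2 still cannot create a PO in company 2.

```python
from dataclasses import dataclass

ALL = "*"  # assumed marker for "every value of this field"

@dataclass
class Authorization:
    """One instance of an authorization object: allowed values per field."""
    obj: str
    values: dict  # field name -> set of allowed values

    def permits(self, obj, request):
        if obj != self.obj:
            return False
        # Every requested field must be covered by THIS authorization;
        # a field the authorization does not list is treated as denied.
        for fld, wanted in request.items():
            allowed = self.values.get(fld, set())
            if ALL not in allowed and wanted not in allowed:
                return False
        return True

@dataclass
class Profile:
    name: str
    authorizations: list

@dataclass
class User:
    user_id: str
    profiles: list  # the user ID refers only to profiles

def is_authorized(user, obj, **request):
    """True if any single authorization in any profile covers the request."""
    return any(a.permits(obj, request)
               for p in user.profiles for a in p.authorizations)

# Constructed data mirroring the PO illustration in the text.
AUTH_1 = Authorization("PO", {"COMPANY": {"1"}, "ACTIVITY": {"create"}})
AUTH_2 = Authorization("PO", {"COMPANY": {ALL}, "ACTIVITY": {"receive"}})
BUYER = User("BUYER01", [Profile("P_BUYER", [AUTH_1])])
RECEIVER = User("RECV01", [Profile("P_RECEIVE", [AUTH_2])])
BOTH = User("BOTH01", [Profile("P_BUYER", [AUTH_1]),
                       Profile("P_RECEIVE", [AUTH_2])])

if __name__ == "__main__":
    for company, activity in [("1", "create"), ("2", "create"), ("2", "receive")]:
        print(company, activity,
              is_authorized(BOTH, "PO", COMPANY=company, ACTIVITY=activity))
```

When reviewing role assignments, this is the check to reason about: combining two narrow profiles does not produce the cross product of their field values.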

In PeopleSoft, user security is based on access to functionality and access to data. Functional access is based on a security hierarchy, where users perform roles, and each role can have one or more permission lists associated with it. This can be best understood from the figure below:

You use the components in Maintain Security to apply security to all of the users of your system. Your users can include employees, managers, customers, contractors, suppliers, and so on. This is where you divide your users according to roles. A role is an object that has properties, such as name, description, permission lists, and so on. One of the properties assigned to a role is the list of users assigned to it. For instance, there might be an Employee role, a Manager role, or an Administrator role. Users who belong to a particular role require a specific set of permissions, or authorizations, within your system so that they can complete their daily tasks.

Data security is primarily based on the application of row level security. To establish security, you must first decide the level you want, which key fields to secure, and whether security will be defined through user IDs or permission lists. With row-level support, you can implement security to restrict individual users or permission lists from specific rows of data that are controlled by the following key fields:

  • Business unit
  • SetID
  • Ledger (and ledger group)
  • Book (SOB)
  • Project
  • Pay cycle (HRMS)

You can also limit access to specific subsets of rows. For example, you can specify user ID security to limit an auditor in Singapore to the business unit for your APAC division. Or, if you have a team of auditors, you can assign them all to one Primary Permission list and then specify permission list security to enforce appropriate limits on the information they can access.

What type of access levels can be set for users and user groups, e.g. enquiry only/create/delete/update?

In Oracle, the access can be read-only or read/write. Read my earlier post.

In SAP, access levels can also be controlled through the Authorizations within the system. A user can be further controlled as to the activities they can perform for an object, i.e. further controls can be used to specify whether a user can create, change or only display an object.

How does the system prevent multiple failed login attempts? Can this be linked to a business alert?

In Oracle, after 3 attempts the system can exclude a user and send a notification to the system administrator to reset the password. At the first login the user is then prompted to update the password (i.e. so the system administrator cannot view/report all passwords).

Within SAP, certain parameters can be set by the administrator to control and monitor failed login attempts. Login lock-outs can be set to occur, for example, after three failed attempts. Typically a system administrator would manage this process. Pre-defined reports monitor security parameters and highlight potential areas of concern.


In PeopleSoft, the system includes a management screen for the signon process, where system-level defaults such as the number of failed login attempts before logout are well controlled.


Does the system enforce password changes? How often can this be done, and can passwords be re-used?

In Oracle, changes can be enforced at whatever frequency you choose, and typically you can enforce items such as upper/lower case and a mixture of alpha/numeric (if required). New passwords must be different from the 2 previous ones.

The SAP system can be configured to enforce password changes. This can be set depending on the requirement from the business. The system can also be configured to remember the last ‘X’ number of passwords a user has used. There is also an exception table which holds common or easily guessed passwords, so entries in this table cannot be used as passwords in the system. Seems very smart.
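The lockout and password-change controls described in the last two questions, modelled together (an added example, not Oracle, SAP or PeopleSoft code). The class and method names, the sample exception-table entries and the reading of "2 previous ones" as the current password plus the one before it are assumptions; the history is kept as salted hashes, so a candidate has to be re-hashed with each stored salt to detect reuse.

```python
import hashlib, hmac, os

MAX_FAILED = 3       # lock after three failed attempts, as in the text
HISTORY_DEPTH = 2    # assumed reading: current password plus the one before
EXCEPTION_TABLE = {"password", "welcome1", "123456"}  # constructed entries

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.history = []            # newest first: (salt, digest) pairs
        self.failed, self.locked, self.must_change = 0, False, False
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        del self.history[HISTORY_DEPTH:]   # forget anything older

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def login(self, password):
        if self.locked:
            return "locked"          # even the right password is refused
        if not self._matches(password, self.history[0]):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED
            return "locked" if self.locked else "denied"
        self.failed = 0
        return "change-required" if self.must_change else "ok"

    def admin_reset(self, temp_password):
        # The administrator unlocks with a temporary password; the user
        # must replace it at first login so the admin never knows the final one.
        self._store(temp_password)
        self.failed, self.locked, self.must_change = 0, False, True

    def change_password(self, new):
        if new.lower() in EXCEPTION_TABLE:
            return "rejected: exception table"
        if any(self._matches(new, e) for e in self.history):
            return "rejected: reused"
        self._store(new)
        self.must_change = False
        return "changed"
```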

… Post Disclaimer …

The information collected in this post is based on the feedback, input and information shared by SAP and PeopleSoft users. It is subject to change with versions; please check the latest update from their latest release.

4 Responses
  1. syed Says:


    Can you discuss with us the implementation issues and upgrading issues?

  2. Sanjit Anand Says:

    Are you looking for any specific area that needs to be addressed here? Please do let me know.


  3. Chris Boughner Says:

    I have tried implementing the ‘failed Login Attempts’ in password controls and I am still not locked out after surpassing the max number. (PS 8.9)
    I have enabled signon peoplecode (FUNCLIB_PWDCNTL) and have experimented with various components of the PSWDEXPR permission list.

    Is there a component that needs to be enabled, is there another permission list that I need to look at, are there processes that need to be run…?

    Any information to help me get this functionality up and running would be appreciated.


  4. Sanjit Anand Says:

    Dear Chris,

    I am really afraid to help this time. I do not have the PeopleSoft skills to address your issue. In the meantime, I have forwarded your email to a good friend of mine who is dealing with PS; you will get an answer offline.

