
What is Sensitive Administrator Functionality in EBS?

Posted on October 7th, 2011 by Sanjit Anand


What is Sensitive Administrator Functionality?

These are administrator and developer functions. Some Oracle EBS forms and pages allow a user to modify the functionality of the application by specifying values such as:

  • SQL statements or fragments
  • HTML fragments
  • OS commands

These amount to designed-in SQL injection or XSS injection points: the application executes whatever the user types in.

These screens constitute a security risk if used in an unauthorized fashion, and in production environments they should be disabled, controlled, and audited.

There are several types of these sensitive pages in EBS, and they are controlled by different mechanisms. These are typically grouped into the following categories:

  1. Oracle Forms Controlled by Function Security
  2. HTML Pages Controlled by Function Security
  3. Pages and Forms Controlled by Profile Options
  4. Pages Controlled by JTF Roles and Permissions Profiles

Category #3, Pages and Forms Controlled by Profile Options, typically includes:

1) Feature: OA Framework Personalization

Profile code: FND_CUSTOM_OA_DEFINTION ("Personalize Self-service Defn")

Recommended setting: No

If this profile option is set to Yes, the user can perform "Admin Personalization" for OA Framework-based pages.

2) Feature: Form Personalization / Examine

Profile codes: combination of FND_HIDE_DIAGNOSTICS and DIAGNOSTICS

Recommended settings:

  • FND_HIDE_DIAGNOSTICS: Yes
  • DIAGNOSTICS: No

These profiles control the Help -> Diagnostics -> Examine choice on the pull-down menu of Oracle Forms-based forms. The default value of the FND_HIDE_DIAGNOSTICS (Hide Diagnostics menu entry) profile option is Yes, meaning the Diagnostics menu entry is hidden. If it is set to No, the Diagnostics menu entry is visible to the user.

If DIAGNOSTICS (Utilities:Diagnostics) is set to Yes, users can use these features without any further authentication. If Utilities:Diagnostics is set to No, users must enter the password for the APPS schema to use the Diagnostics features.
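One way to check how these three profile options are actually set, at every level of the profile hierarchy, is the query below. It is an added example, not code from the post or from Oracle's sensitive_page_access.sql; it assumes the standard FND profile tables in the APPS schema (FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL, FND_PROFILE_OPTION_VALUES) and that Yes/No profiles are stored as 'Y'/'N'. Verify both against your release before relying on the output.

```sql
-- Added example: list every stored value of the three profile options
-- discussed above and flag the ones that deviate from the recommended
-- settings. Assumes the standard FND profile tables and 'Y'/'N' storage.
SELECT po.profile_option_name,
       pot.user_profile_option_name,
       -- level_id codes: 10001 site, 10002 application,
       -- 10003 responsibility, 10004 user
       CASE pov.level_id
         WHEN 10001 THEN 'SITE'
         WHEN 10002 THEN 'APPLICATION'
         WHEN 10003 THEN 'RESPONSIBILITY'
         WHEN 10004 THEN 'USER'
         ELSE TO_CHAR(pov.level_id)
       END AS level_name,
       -- resolve responsibility and user ids to readable names
       CASE pov.level_id
         WHEN 10003 THEN (SELECT r.responsibility_key
                            FROM fnd_responsibility r
                           WHERE r.responsibility_id = pov.level_value
                             AND ROWNUM = 1)
         WHEN 10004 THEN (SELECT u.user_name
                            FROM fnd_user u
                           WHERE u.user_id = pov.level_value)
         ELSE TO_CHAR(pov.level_value)
       END AS level_value_name,
       pov.profile_option_value,
       -- compare against the recommended settings from the post
       CASE
         WHEN po.profile_option_name = 'FND_CUSTOM_OA_DEFINTION'
              AND pov.profile_option_value = 'Y'
           THEN 'REVIEW: Admin Personalization enabled'
         WHEN po.profile_option_name = 'FND_HIDE_DIAGNOSTICS'
              AND pov.profile_option_value = 'N'
           THEN 'REVIEW: Diagnostics menu entry visible'
         WHEN po.profile_option_name = 'DIAGNOSTICS'
              AND pov.profile_option_value = 'Y'
           THEN 'REVIEW: Examine usable without APPS password'
         ELSE 'ok'
       END AS finding
  FROM fnd_profile_options       po
  JOIN fnd_profile_options_tl    pot
    ON pot.profile_option_name = po.profile_option_name
   AND pot.language            = USERENV('LANG')
  JOIN fnd_profile_option_values pov
    ON pov.profile_option_id = po.profile_option_id
   AND pov.application_id    = po.application_id
 WHERE po.profile_option_name IN ('FND_CUSTOM_OA_DEFINTION',
                                  'FND_HIDE_DIAGNOSTICS',
                                  'DIAGNOSTICS')
 ORDER BY po.profile_option_name, pov.level_id, pov.level_value;
```

Rows marked REVIEW at responsibility or user level are the ones that override a safe site-level setting, so check those first.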

Wrap-up

You can refer to Metalink (My Oracle Support) note #1334930.1 and use its SQL queries (sensitive_page_access.sql) to determine who has access to these pages:

  • The SQL scripts drive off page and form names (not functions)
  • This is slower, but it ensures that custom functions which include these pages are picked up as well

Reduce, and where possible eliminate, administrator access to these pages.

Use Fine Grained Auditing to audit the tables associated with these pages.
