What is Sensitive Administrator Functionality?
These are administrator and developer functions. Some Oracle EBS forms and pages allow a user to modify the behaviour of the application by specifying values such as:
- SQL statements or fragments
- HTML fragments
- OS commands
In effect, these are designed-in SQL injection or XSS injection points.
These screens constitute a security risk if used in an unauthorized fashion, and they should be disabled, controlled, and audited in production environments.
There are several types of these sensitive pages in EBS, and they are controlled by different mechanisms. These are typically grouped into the following categories:
- Oracle Forms Controlled by Function Security
- HTML Pages Controlled by Function Security
- Pages and Forms Controlled by Profile Options
- Pages Controlled by JTF Roles and Permissions Profiles
The third category, Pages and Forms Controlled by Profile Options, typically includes:
1) OA Framework Personalization
Profile code: FND_CUSTOM_OA_DEFINTION ("Personalize Self-Service Defn")
Recommended setting: No
If this profile option is set to Yes, the user can perform "Admin Personalization" on OA Framework-based pages.
2) Form Personalization / Examine
Profile code: a combination of two profiles, FND_HIDE_DIAGNOSTICS and DIAGNOSTICS
Recommended settings:
- FND_HIDE_DIAGNOSTICS: Yes
- DIAGNOSTICS: No
These profiles control the Help -> Diagnostics -> Examine choice on the pulldown menu of Oracle Forms-based forms. The default value of FND_HIDE_DIAGNOSTICS ("Hide Diagnostics menu entry") is Yes, meaning the Diagnostics menu entry is hidden. If it is set to No, the Diagnostics menu entry is visible to the user.
If DIAGNOSTICS ("Utilities:Diagnostics") is set to Yes, users can use these features automatically. If Utilities:Diagnostics is set to No, users must enter the password for the APPS schema before they can use the Diagnostics features.
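As an added example (not the page's own query and not the script from the Metalink note below), the following SQL lists the current value of the three profile options above at every level at which they are set and flags any value that deviates from the recommended setting. It assumes the standard APPLSYS FND profile tables, the usual level ids (10001 Site, 10002 Application, 10003 Responsibility, 10004 User), and that Yes/No profile options are stored as 'Y'/'N'.

```sql
-- Added example: compare the three sensitive profile options against the
-- recommended values. Assumes standard APPLSYS.FND_PROFILE_OPTIONS,
-- FND_PROFILE_OPTIONS_TL and FND_PROFILE_OPTION_VALUES tables, level ids
-- 10001 = Site, 10002 = Application, 10003 = Responsibility, 10004 = User,
-- and Yes/No options stored as 'Y'/'N'.
WITH recommended AS (
  SELECT 'FND_CUSTOM_OA_DEFINTION' AS profile_option_name, 'N' AS rec_value FROM dual
  UNION ALL
  SELECT 'FND_HIDE_DIAGNOSTICS', 'Y' FROM dual
  UNION ALL
  SELECT 'DIAGNOSTICS', 'N' FROM dual
)
SELECT r.profile_option_name,
       tl.user_profile_option_name,
       DECODE(pov.level_id, 10001, 'Site',
                            10002, 'Application',
                            10003, 'Responsibility',
                            10004, 'User',
                            NULL,  '(not set at any level)',
                            'Other') AS level_name,
       pov.level_value,           -- application_id / responsibility_id / user_id of that level
       pov.profile_option_value   AS current_value,
       r.rec_value                AS recommended_value,
       CASE
         WHEN pov.profile_option_value IS NULL        THEN 'NOT SET - default applies'
         WHEN pov.profile_option_value = r.rec_value  THEN 'OK'
         ELSE 'REVIEW'
       END AS status
FROM   recommended r
JOIN   applsys.fnd_profile_options po
       ON po.profile_option_name = r.profile_option_name
LEFT JOIN applsys.fnd_profile_options_tl tl
       ON tl.profile_option_name = po.profile_option_name
      AND tl.language = USERENV('LANG')
LEFT JOIN applsys.fnd_profile_option_values pov
       ON pov.profile_option_id = po.profile_option_id
ORDER BY r.profile_option_name, pov.level_id, pov.level_value;
```

A row marked REVIEW at Responsibility or User level overrides the Site value for that responsibility or user, so those rows are the ones to examine first even when the Site-level row is OK.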
You can refer to My Oracle Support (Metalink) note 1334930.1 and use its SQL script (sensitive_page_access.sql) to determine who has access to these pages:
- The SQL scripts drive off page and form names (not functions)
- Slower, but this ensures we pick up custom functions that include these pages
Access to these pages by administrators should be reduced and, where possible, eliminated.
Use Fine Grained Auditing (FGA) to audit the tables associated with these pages.