The foundation of security is access control, which refers to how the system is being accessed and by whom. User security consists of three principal components: authentication, authorization and an audit trail.
Authentication validates the user's identity, authorization controls the user's access based on responsibilities assigned, and the audit trail keeps track of the user's transactions to ensure that the user's privileges are not being misused.
Identifying and verifying who is allowed to access the system is the first line of defense. The most common approach is password-based authentication: if the legitimate user is the only one who knows the password, then whoever just entered the correct password is very likely to be the person authorized to use the account.
In a single-sign on environment, a single password allows access to more than one application, so the consequences of it being discovered or divulged are
proportionately much more serious.
On entering the system, the user should only be granted access to the features and specific data needed to perform his job. Routine access to highly sensitive data should only be given to trusted users who need that level of access. The Function Security feature allows the System Administrator to manage the access privileges of individual users. By enforcing tighter security policies for more sensitive accounts, Function Security can mitigate the risk of unauthorized users' access to highly sensitive information
Even the most carefully planned user authentication and authorization policies cannot eliminate the risk of exploitation when the attacker is an authorized user. An audit trail can be used to keep track of a user's transactions to verify that the user is not misusing his access privileges. Oracle E-Business Suite can record details of every user's login,
including time stamp, session ID, and information about the Function Security rules applying to that session. Information about the identity of the user is also attached to all transactions. This provides a method for detecting the party responsible for any transaction, or determining which users viewed sensitive data in a given time period.
An organization may or may not have physical control over the network infrastructure in use. The Internet is the best example of a network where it will not have control, and where extra steps must be taken to ensure security is not compromised.
A common concern regarding use of a public network such as the Internet is the possibility of someone eavesdropping on password transmissions by using a network sniffer. In such a case, though, the concern should be wider, and reflect the possibility of someone eavesdropping on sensitive information in general. In such cases, HTTPS (secure HTTP) connection to the E-Business Suite is recommended. All current browser-based password login screens send the password as a parameter in the HTTP form submission. Using an HTTPS connection will encrypt this information. The best practice is therefore to use HTTPS for all web-based access. On the other hand, if you have control over your network to the point where you can rule out eavesdropping, then password interception should not be an issue.
The main reason not to run HTTPS by default is performance, since it does introduce some overhead. A more strategic way to address this concern is to integrate the Oracle E-Business Suite with Oracle Application Server 10g Single Sign-On (SSO). Here, the SSO server that is responsible for user authentication is a different Web server from the one used with the E-Business Suite. Hence you can run the SSO server in HTTPS mode, while running the E-Business Suite Web server in the better-performing HTTP mode.
Oracle User Management
Oracle User Management (UMX) is a secure and scalable system that enables organizations to define administrative functions and manage users based on specific requirements such as job role or geographic location.
With Oracle User Management, instead of exclusively relying on a centralized administrator to manage all its users, an organization can, if desired, create functional administrators and grant them sufficient privileges to manage a specific subset of the organization's users. This provides the organization with a more granular level of security, and the ability to make the most effective use of its administrative capabilities.
For example, a new feature in Release 12 provides a login assistance mechanism that is easily accessed from the E-Business Suite Login Page. A user simply clicks on the "Login Assistance" link located below the Login and Cancel buttons, and can then go to a Forgot Password section or Forgot User Name section to have the necessary action
taken automatically, without the need for an administrator to become involved.
Another new feature in Release 12 allows users with the relevant privileges to enable other users to act on their behalf, as delegates, without having to share the account password. For example, managers may need to grant peers or subordinates limited authority to act on their behalf while they are out of the office. This Proxy User feature allows control over the pages, functions, and data security policies that can be granted, and includes an on-screen display that indicates when a user is acting on behalf of another user.
Role Based Access Control
Oracle User Management implements several different layers of security, requiring organizations to specify:
- The set of users that will be granted access to specific areas of Oracle Applications
- The information these users will require to do their jobs
- The extent to which the users can use this information
Oracle's function and data security models constitute the base layers of this system, and contain the traditional ystem administrative capabilities.
Organizations can optionally add more layers to the system depending on the degree of flexibility they require. Role Based Access Control (RBAC) enables organizations to create roles based on specific job functions, and to assign these roles the appropriate permissions. With RBAC, administrative privileges and user access are determined by assigning individuals the appropriate roles.
Key features of RBAC include:
- Delegated Administration - Enables system administrators to delegate some of their administrative privileges to individuals that manage a subset of the organization's users.
- Registration Processes - Enable organizations to provide end-users with a method for requesting various levels of access to the system, based on their eligibility.
- Self-service Requests and Approvals - Enable end users to request initial access or additional access to the system by clicking on links embedded in a Web application.