7/23/2019 Oracle System Administration Practice Aid
Practice Aid
Oracle System Administration
Release 12
PricewaterhouseCoopers-For internal use only 2007 PricewaterhouseCoopers. All rights reserved. Page 1 of 89
Internal use only -- U. S. Firm use only
Oracle System Administration Practice Aid
Table of Contents
A. INTRODUCTION
  1. Engagement Tools
B. ORACLE ENGAGEMENT CONSIDERATIONS
C. ORACLE APPLICATION HIGHLIGHTS
  1. Application Structure
  2. Oracle Application Release History
  3. Overview of System Administration
D. FLEXFIELDS
  1. Flexfield Types
  2. Key Flexfield Components
  3. Descriptive Flexfield Components
E. AUDITING
  1. Oracle Auditing Methods
  2. Non-Audit Based Change Control
  Configuration/Functionality Changes with iSetup
F. END USER ACCESS
  1. Responsibility and Security Group Management
  2. User Management
  3. Password Management
  4. Identity Management
  5. Multi organization access control
G. APPLICATION SUPPORT RESPONSIBILITIES AND USERS
  1. Support Responsibilities
  2. Application Support User IDs
  3. APPS Database ID
H. SYSTEM PROFILE OPTIONS
  1. Site-Level
  2. Application-Level
  3. Responsibility-Level
  4. User-Level
  5. Key Profile Options
I. SEGREGATION OF DUTIES CONCEPTS
J. RESTRICTED ACCESS/SEGREGATION OF DUTIES
  1. Application Setups
  2. Standing Data
  3. Segregation of Duties
K. RELEVANT MODULES
  1. iSetup
  2. AME
L. FORMS THAT ACCEPT SQL ENTRY
M. GLOSSARY
  1. Key Oracle Functionality
A. Introduction
This Practice Aid and the associated tools (Work Program(s) and GATE) are for INTERNAL USE ONLY. As management is responsible for designing and implementing a system of internal control, this Practice Aid and its associated tools should not be distributed to our clients.
These tools are intended to be used by PwC Oracle specialists performing an audit, attestation or consulting engagement involving the review of the client's Oracle application. For individuals intending to use this Practice Aid and / or related tools, they must have sufficient technical skills to conduct such work. It is highly recommended that at least one member of the team has specific training or experience in the ERP wherever practicable.
1. Engagement Tools
The Tools noted below provide a general overview of the Oracle application, along with its related control risks and common application controls. When these tools are utilized, the following important caveats and reminders should be considered prior to the use of these tools:
Refer to PwC Audit Guide for policy on understanding, evaluating and validating internal controls. This Practice Aid and related tools are not a substitute for PwC Audit.
This Practice Aid and its related tools should only be used in conjunction with proper risk-based engagement planning and scoping. The relevance and importance to the engagement of transaction processing, risks and controls associated with the noted modules of Oracle should be clearly understood before work is begun, and the tools should be tailored to each client environment.
This Practice Aid and its associated Work Program(s
For guidance on other modules within Oracle for which there is no PwC Practice Aid, please refer to appropriate Oracle User guides for further details. These can be found at http://www.oracle.com/technology/documentation/index.html
Each practice aid is specifically written for Oracle's Release 12 and is divided into main sections, as outlined below:
1.1.1. Introduction/Engagement Approach
The Introduction section of each practice aid outlines potential tools and engagement approaches that may be used when conducting an assessment of an Oracle ERP system. In addition, this contains important Risk and Quality-related caveats and reminders that should be followed for every Oracle engagement.
1.1.2. Business Setups
In this section, key set-ups and configurations that are generally only configured upon installation, upgrades, or major business events are discussed. Definitions of the key configurations are provided to give the practitioner a basic understanding of the setups.
1.1.3. Standing Data
Within the Standing Data section, key configurations that are subject to periodic changes are discussed. Along with functionality definitions, this section outlines how standing data is generally entered into the application. In addition, the linkages between the standing data and business setups are outlined.
1.1.4. Transactions
This section outlines the key transactions within the business process. This includes the definition of the transactions, how transactions are generally entered into the system, as well as the data flow between transactions, standing data, and business setups.
1.1.5. Access and Segregation of Duties
This section outlines the typical access and segregation of duties risks within the Practice Aid's business process.
Within the Standing Data and Transactions sections of the Practice Aid, "Control Considerations" are also outlined. Each Control Consideration section is broken into 4 parts, as outlined below:
o Business Process Variables: These discuss the most common configurations/transactions that may be set up or used differently depending upon the client's use of Oracle's functionality.
o Control Dependencies: This section outlines how configurations or transactions are dependent upon each other or other settings within the application.
o Control Limitations: This section outlines how system configurations or transactions may be overridden. In addition, this section highlights common misconceptions about how the configuration or transaction operates.
o Testing Notes: This section provides suggestions on how a practitioner might test or assess configurations and/or transactions.
The controls considerations section of the Practice Aid focuses solely on high-level concepts. For a listing of controls, refer to the module's work program. This Practice Aid does not list all Oracle standard reports that exist for this cycle. For a complete list of this module's standard Oracle Reports, refer to the Oracle user guide at http://www.oracle.com/technology/index.html. However, for the SA functionality the user guide does not cover all existing reports.
1.2. Work Program
The Work Program outlines the typical automated controls within the Oracle application. For each control, this document provides a typical control description, business risk, control objective, financial statement assertions, information processing objectives, Oracle Application navigation path, validation procedures, and expected results. Each process's work program is specifically designed for a particular release of the Oracle Application.
For the purposes of an audit of financial statements, an audit of internal controls over financial reports or an integrated audit, teams should consider those controls which have been classified as Financial in nature. The work program is currently available through the Knowledge Gateway in the US (accessible through Knowledge Curve) or Guardian (http://guardian.pwcinternal.com) in other territories.
1.3. GATE
Oracle GATE is a proprietary web-based tool developed to assist in the analysis of Oracle configuration and security. The tool may be used in an audit of financial statements, audit of internal controls over financial reporting or a consulting non-attest review of the Oracle application. For Oracle releases 11.5.7 and later, Oracle GATE can assist with segregation of duties analysis and module configuration. To use Oracle GATE, a series of SQL queries are run against the client's environments to pull data from Oracle database tables. The output from these queries is uploaded to the GATE server and queries can be run against the server to obtain information about how the client's Oracle Application is configured. The Oracle GATE tool can be accessed at oraclegate2.pwcinternal.com.
For individuals intending to use GATE, they must have sufficient technical skills to conduct such work.
Note: Prior to running any command or script on a client system, discuss with the client and obtain verbal consent. Written consent is also recommended to the extent that this may be obtained.
B. Oracle Engagement Considerations
Practitioners may want to consider the following items during an audit of financial statements, an audit of internal controls over financial reporting, or a consulting non-attest review of the Oracle application.
1) Determine which version of the software your client is using. Check the version against the compatibility table in the "Application Highlights" section of this Practice Aid, to ensure the appropriate Practice Aid is utilized.
2) Inquire of the client's business owners and system administrator if any customizations to the standard software have been made. Request a list of these customizations to assess the effect.
3) Confirm the number of instances (separate Oracle databases environments) that the client maintains.
4) Confirm the number of Ledgers, Operating Units and Modules in scope within each Oracle instance.
5) Interview the systems administrator or other suitable IT personnel to gain knowledge and understanding of the system design (linkage with external applications, databases and network
C. Oracle Application Highlights
1. Application Structure
The Oracle E-Business Suite (EBS) Enterprise Resource Planning (ERP) system is an integrated software solution that runs off an Oracle database instance. An ERP consists of applications or “modules”. Most modules hold transactional data for each business process area (financials, supply chain management, customer relationship management, manufacturing, human resources, etc.
There is no default user access that is granted just by being given an account in Oracle EBS. The security administrator (through the System Administrator responsibility) must assign a User ID with responsibilities for the user to be granted abilities to perform tasks/functions within Oracle.
Due to the newly introduced multi-organizational access control (MOAC) functionality, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. Using MOAC, multiple operating units are assigned to a security profile. This security profile is then assigned either to responsibilities or directly to users. A typical usage would be a responsibility in a shared service centre, which serves different operating units. For further details on MOAC please refer to the section on Multiple Organization Access Control.
3.4. System Profile Options
System Profile Options can be grouped into three types: Security, Organization, and Server types. Practitioners are mainly concerned with Security type profile options that affect the operation of Oracle Applications. Security type profile options can be configured according to the needs of the user community, as they can be set at the Site, Application, Responsibility, or User level. Security profile options are generally maintained by the Application System Administrators and may be set at more than one level: Site has the lowest priority, superseded by Application, then Responsibility, and finally User. Higher profile option settings will override lower level options. The security system profile options hierarchy is documented below in the diagram. Please see the System Profile Options section of this Practice Aid for more details.
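The precedence rule above, applied to the Sign-On: Audit Level option discussed in the Auditing section, as an added example (not part of the Practice Aid and not Oracle code): it resolves the value in force for a session and flags a site-level Form setting or a higher-level override that lowers auditing below the site value. The user names, the values set at each level and the second check are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Precedence as stated in the text: Site is lowest, User is highest.
LEVELS = ("Site", "Application", "Responsibility", "User")
# Sign-On: Audit Level values ordered from least to most audit detail.
AUDIT_RANK = {"None": 0, "User": 1, "Responsibility": 2, "Form": 3}
OPTION = "Sign-On: Audit Level"


@dataclass(frozen=True)
class Setting:
    option: str
    level: str   # one of LEVELS
    key: str     # "" at Site, otherwise the application, responsibility or user
    value: str


@dataclass(frozen=True)
class Session:
    user: str
    responsibility: str
    application: str


def effective(settings, option, session):
    """Return (value, level) in force for a session, or (None, None) if unset."""
    keys = {"Site": "", "Application": session.application,
            "Responsibility": session.responsibility, "User": session.user}
    result = (None, None)
    for level in LEVELS:                      # later (higher) levels overwrite
        for s in settings:
            if (s.option, s.level, s.key) == (option, level, keys[level]):
                result = (s.value, level)
    return result


def audit_findings(settings, sessions):
    """Flag a site-wide Form setting and overrides that reduce auditing."""
    findings = []
    site = next((s.value for s in settings
                 if s.option == OPTION and s.level == "Site"), None)
    if site == "Form":
        # The text notes this records voluminous data of little control benefit.
        findings.append(("SITE_FORM", "Site", "Form"))
    for sess in sessions:
        value, level = effective(settings, OPTION, sess)
        # Assumed check: a higher level silently weakening the site baseline.
        if site and level != "Site" and AUDIT_RANK[value] < AUDIT_RANK[site]:
            findings.append(("OVERRIDE_LOWERS_AUDIT", sess.user, f"{level}={value}"))
    return findings


# Constructed sample: responsibility names come from the diagram labels in the
# text; user names and the values set at each level are made up.
SETTINGS = [
    Setting(OPTION, "Site", "", "User"),
    Setting(OPTION, "Responsibility", "AP Payment Supervisor", "Form"),
    Setting(OPTION, "User", "TEMP01", "None"),
]
SESSIONS = [
    Session("JSMITH", "GL Controller", "General Ledger"),
    Session("JSMITH", "AP Payment Supervisor", "Payables"),
    Session("TEMP01", "AP Payment Supervisor", "Payables"),
]

if __name__ == "__main__":
    for sess in SESSIONS:
        print(sess, "->", effective(SETTINGS, OPTION, sess))
    print(audit_findings(SETTINGS, SESSIONS))
```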
[Diagram labels: User 1, User 2, GL Controller, AR Inquiry, AP Payment Supervisor, Oracle Role (available in 11.5.10
s components and tie the Key Flexfield to the Application. Below, the Accounting Flexfield named OperationsLAccounting (the structure) is created.
The following window is used to configure the number of segments, their appearance and meaning as well as the validation of segment values, if required. In the example below, the account segment is assigned a value set “Operations Account” which restricts the range of values that can be defined for the account segment to a maximum size of 4 alphanumeric characters.
Because the conditions specified for value sets determine what values can be used for them, both value sets and values should be defined at the same time. For example, if values are designed to be 6 characters long ranging from 000001, 000002 to 999999 instead of 1, 2, etc, the value set would be defined to accept only values with “Right-Justify Zero-fill” set to “Yes” and other validation parameters set accordingly as illustrated below.
2.3.2. Flexfield Segment
Other applications, such as Oracle Human Resources, also use flexfield qualifiers. Oracle Human Resources uses flexfield qualifiers to control who has access to confidential information in flexfield segments.
2.4. Flexfield Segment Values
There are 3 key concepts to consider regarding Flexfield Segment values:
o Definition of Segment Values
o Segment Value Qualifiers
o Segment Value Combinations
2.4.1. Definition of Segment Values
Segment values are individual values contained within the segment that further define the segment definition. In the example below, Total Assets (account 1000Account'Segment:
2.4.2. Segment Value
s practice aid for control considerations pertinent to that module's specific flexfields.
3. Descriptive Flexfield Components
Descriptive Flexfields (DFFs) use the same concepts as Key Flexfields, including Structure, Segments, and Segment Values. The difference with descriptive flexfields is that they use columns that are added on to a database table. The table contains any columns that its entity requires, such as a primary key column and other information columns. For example, a Vendors table would contain columns for standard vendor information such as Vendor Name, Address, and Vendor Number. The descriptive flexfield columns provide "blank" columns that you can use to store information that is not already stored in another column of that table. A descriptive flexfield requires one column for each possible segment and one additional column in which to store structure
Once the DFF's structure is defined, compiled and frozen, Oracle Applications submits a concurrent request to generate a database view of the table that contains the descriptive flexfield segment columns.
Descriptive flexfields have two different types of segments, global and context-sensitive, that you can decide to use in a descriptive flexfield structure. A global segment is a segment that always appears in the descriptive flexfield pop-up window, regardless of context (any other information in your form
Level | Profile Option Value | Audit Trail Impact
based on the application selected and the amount of activity in that application.
Responsibility | None / Blank | No auditing is specifically enabled to track when responsibilities are accessed. Oracle will default to the application and site-level values.
 | User | Auditing for the specified responsibility is enabled to identify which users access that responsibility.
 | Responsibility | At the responsibility level, this setting appears to be redundant with the User value.
 | Form | Auditing is enabled that identifies the forms / screens the user accesses from within the responsibility. The size of the audit trail created by this setting (site/form
s auditing functionality is generally not enabled at clients because it consumes significant computing resources.
o A balance between monitoring too much and too little should be established. Clients who have set Sign-On: Audit Level at the site level with a value of Form are recording voluminous information that probably is not providing the audit or control benefit intended. Clients using this setting have not performed a risk-based assessment to determine the sensitive areas, users and responsibilities within EBS that should be monitored.
o For the most efficient auditing, a risk-based approach should be used to identify the high risk transactions and/or users.
1.3.2. Control Dependencies
o None
1.3.3. Control Limitations
o None
1.3.4. Testing Notes
o PwC staff reviewing Oracle-based auditing should consider the client's requirements for monitoring. Oracle-based auditing should complement those requirements.
o Additionally, PwC staff should consider the relationship between activity-based auditing and the data-based auditing that the client has enabled, if any.
2. Non-Audit Based Change Control
Without the auditing feature turned on, Oracle only maintains a minimal audit trail. When auditing is not enabled, only the record creation date, record creator and the record's last modification date are recorded. Oracle does not automatically store any changes made between the creation of the record and the last update, and Oracle does not record what data was changed during the last update (only that the form was changed
s business requirements and configurations.
iSetup Migrator is the load functionality that populates the application setup tables with the requested parameter values.
Configuration/Functionality Changes with iSetup
iSetup Migrator: Hierarchical Selection Sets
[Screenshot callouts for the responsibility definition:]
Data Group -- Name / selected data group for the responsibility. Note: This element corresponds to the security group on the Users form.
Data Group -- Application - The module used in conjunction with the data group name.
Request Group -- Name / selected request security group associated with the responsibility.
Request Group -- Application - The module used in conjunction with the specified request security group.
Menu -- selected main menu for the responsibility.
Menu Exclusions: Excluded Items: Securing Attributes -- additional configurable elements that further restrict the responsibility's access
Responsibility Name -- Unique User-created name for the responsibility
Application -- selected application (module) in which the responsibility resides
Responsibility Key -- User-created
Effective Dates -- range of dates between which the responsibility is active.
From a functional perspective, this would be indicated by:
1.1. Forms and Functions
Menu Functions, or functions, are the lowest level of access. A function is a part of an application's functionality that is registered under a unique name for the purpose of assigning it to, or excluding it from, a responsibility. From an end-user perspective, the function is the window (or screen) in which data is entered into the application.
Within Oracle there are two types of functions: form functions, and non-form functions. For clarity, Oracle refers to a form function as a form, and a non-form function as a sub function, even though within the database, both are just instances of functions.
Within PwC's GATE tool, a form function is called a form, and the non-form function (or sub function or
'inquiry could actually update and initiate transactions. Clients should follow an appropriate naming convention so that effective responsibility management can be supported.
1.5.4. Testing Notes
o To test Security Groups using GATE: Run the GATE Responsibility Report "Responsibilities by Request Groups" to identify the various request security groups defined and to which responsibilities they are assigned. Additionally, run the report "Reports within Request Groups" to identify which reports are associated with each request security group. A specific report focusing on the "All Reports" request security group is also available -- "All Reports Request Group"
Management section of this practice aid.) Note: the option to set password expiration to "NONE" will result in the user's password never expiring.
2.1.3. Person (optional)
An Oracle user name can be linked to a person (employee) listed within the HR tables. This is done by selecting a value in the person field. This is not required, as some users may need access who are not employees (temporary workers, external suppliers, etc
2.1.10. Personalisation
The personalization functionality is accessible to end users via the diagnostic functionality. The objective of personalization is to declaratively tailor the user interface (UI) look-and-feel, layout or visibility of page content or a user preference. Personalization examples are:
o Tailor the color scheme of the UI.
o Tailor the order in which table columns are displayed.
o Tailor a query result
2.1.11. Usage of roles
With Release 12, the usage of roles is widened. For the implications, please compare the chapter about Role Based Access (RBAC
specific EBS functions. The new mechanism was designed to enable limited, auditable delegation of privilege from delegators to their delegates.
2.2.3. Examples of Delegation
o Executives allowing their assistants to access selected business applications on their behalf
o Similarly, but for a more limited duration, managers may need to grant peers or subordinates limited authority to act on their behalf while they are out of the office
o Users may need to grant help-desk staff limited duration access to their EBS accounts, so that help desk staff can investigate problems and provide assistance. The Proxy User mechanism allows such users to obtain limited, auditable access to accounts such as SYSADMIN that might otherwise have to be shared and therefore harder to audit.
The ability for users to access the proxy feature is controlled by a Security Administrator role. Users with this role determine which set of users can create delegates who can act on their behalf. The following screenshots depict the functionality. The first picture shows how to assign proxies as a separate role and then how to run the report in the user management module:
Role Based Access Control (RBAC) is an ANSI standard (ANSI INCITS 359-2004) supported by the National Institute of Standards & Technology (NIST
s own subordinate roles. The following example illustrates this:
In this example, some roles such as "Employee" or "Manager" are assigned general permissions for a given function. For example, the Employee role may provide access to menus generally available to all employees, while the Manager role provides access to menus that should only be accessible by managers. Because the Employee role is subordinate to the Manager role, anyone assigned the Manager role automatically obtains the permissions associated with the Employee role. Other roles in this example pertain to more specific job functions, such as Sales Manager and Sales Representative, or Support Manager and Support Agent. These roles may provide access to job-specific menus and data such as the Sales Forecasting menu, or the Support application. Hierarchies within the roles functionality are granted via the Oracle user management application.
Responsibilities are also a type of role and the same principle with regards to inheritance hierarchies as detailed above applies to responsibilities. When responsibilities are structured in the form of a hierarchy, assigning the top level responsibility to a user will result in all inherited responsibilities also being automatically assigned to the user. One of the effects of this is that if the top level responsibility assignment is end-dated for a specific user, all lower level responsibilities will also be end-dated. When this occurs it has the effect that it will not be possible to directly assign any of the lower level responsibilities to the user without either dismantling the hierarchy or assigning the top-level responsibility to the user again.
2.3.2. Supporting functionality: Delegated Administration
Delegated Administration is a privilege model that builds on the RBAC system to provide organizations with the ability to assign the required access rights for managing roles and user accounts. With delegated administration, instead of relying on a central administrator to manage all its users, an organization can create local administrators and grant them sufficient privileges to manage a specific subset of the organization's users and roles. This provides organizations with a tighter, more granular level of security, and the ability to easily scale their administrative capabilities. For example, organizations could internally designate administrators at division or even department levels, and then delegate administration of external users to people within those (external) organizations. Delegation policies are defined as data security policies. The set of data policies that are defined as part of delegated administration are known as Administration Privileges.
The administrative privileges that can be delegated could be of the following privilege categories:
o User Administration Privileges
o Role Administration Privileges
o Organization Privileges
Delegation policies are defined as data security policies. The set of data policies that are defined as part of delegated administration are known as the Administration Privileges.
Administration Privileges determine what users and roles the delegated administrator can manage. There are three aspects to administration privileges: roles, users, and organization. Each privilege is granted separately, yet the three work together to provide the complete set of abilities for the delegated administrator. These privileges can be defined along with the role definition in the Role & Role Inheritance user interface in Oracle User Management.
See the following screens in the user management module, where you can see the search function and an example of a delegated administration function.
o Security may be administered in a centralized or decentralized manner. Each method has its own risks.
o User Administration (creating/disabling user IDs and assigning accesss ability to view and update data. Please refer to these Practice Aids for more information.
o Whenever a role concept is followed, it should be thoroughly considered that the roles and responsibilities do not represent a SoD conflict.
o Proxy User functionality gives all-or-nothing delegation capability. However, start and end dates can be defined to limit the duration of proxy access.
2.5.3. Control Limitations
o If a proxy user access is given, this might violate the existing SOD and cause a possible conflict, which would not have been there without this proxy given.
2.5.4. Testing Notes
o Securing Attributes could be a significant security component of the client's user population if iTime, iExpense, or iProcurement are used. PwC should understand the requirements for securing attributes and consider testing those configurations.
o Appropriately completed authorisation request forms should accompany any additions/changes to a user ID. This authorisation form should clearly indicate the specific Oracle access (e.g., which Responsibility) that should be granted. Periodic review by management of all active users and their currently assigned Responsibilities should occur.
o Monitoring controls over Roles, Responsibilities and user assignment throughout the period should be used to understand the nature of any temporary changes to these elements.
o Companies may create a specific user (the auditor) access to employees' EBS accounts, normally on a read-only basis.
o Accessing the granted proxy users enables the auditor to analyze the usage of delegated responsibilities (usage of the proxy user report
3. Password Management
Oracle EBS provides multiple configurations to support the client's corporate security policy. The Oracle E-Business suite password configurations are as follows:
| Configuration Name | Type of configuration | Default Setting | Description |
|---|---|---|---|
| Sign on Password Custom | System Profile Option | not set | If the client has more advanced password restrictions, custom Java classes can be used to implement these restrictions. The Sign on Password Custom profile option must be set to be the full name of the Java class. |
| Sign on Password Failure Limit | System Profile Option | not set | This parameter setting identifies the number of failed login attempts after which an EBS login is disabled. The default is unlimited failures. Note: This profile option became available in Release 11.5.7 or via patch 201"72. |
| Sign on Password Hard to Guess | System Profile Option | not set | The profile option Sign on Password Hard to Guess is used to help ensure that the password is "hard to guess." A password is considered hard-to-guess if it follows these rules: The password contains at least one letter and at least one number. The password does not contain the username. The password does not contain repeating characters. |
| Sign on Password Length | System Profile Option | | The minimum length of Oracle EBS user passwords can be set using the profile option Sign on Password Length. |
| Sign on Password No Reuse | System Profile Option | not set | The minimum number of days that a user must wait before being allowed to reuse a password can be set with the Sign on Password No Reuse profile option. |
| Password Expiration | User Record | not set | Days - the number of days between password changes. Accesses - the number of successful logins until the next password change. |
| Password case sensitivity | Profile option | disabled | Passwords are either case sensitive or not case sensitive. |
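The hard-to-guess rules and the "not set" defaults in the table above can be checked mechanically. The following is an added example, not Oracle or PwC code: it applies the three rules to candidate passwords and reviews an exported set of site-level values. The thresholds, the sample values and the reading of "repeating characters" as adjacent repeats are assumptions.

```python
# Added example, not Oracle or PwC code. Option names are the internal profile
# option names used in this Practice Aid; thresholds and samples are assumptions.

MIN_LENGTH = 8           # assumed policy minimum; take it from the client's policy
MAX_FAILURES = 5         # assumed policy maximum for failed login attempts
MIN_NO_REUSE_DAYS = 180  # assumed policy minimum before a password may be reused

# Constructed sample of site-level values as they might appear in an export.
SAMPLE_SITE_VALUES = {
    "SIGNON_PASSWORD_FAILURE_LIMIT": None,
    "SIGNON_PASSWORD_LENGTH": "6",
    "SIGNON_PASSWORD_HARD_TO_GUESS": "Yes",
    "SIGNON_PASSWORD_NO_REUSE": "",
    "SIGNON_PASSWORD_CASE": "Insensitive",
}


def hard_to_guess_violations(password, username):
    """Return the hard-to-guess rules from the table that a password breaks."""
    broken = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        broken.append("needs at least one letter and one number")
    if username and username.lower() in password.lower():
        broken.append("contains the username")
    # Assumption: "repeating characters" means the same character twice in a row.
    if any(a.lower() == b.lower() for a, b in zip(password, password[1:])):
        broken.append("contains repeating characters")
    return broken


def _as_int(value):
    """Exported values are text; None, '' or non-numeric text counts as not set."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def review_signon_settings(values):
    """Return one finding per sign-on setting that is unset or below the thresholds."""
    findings = []

    limit = _as_int(values.get("SIGNON_PASSWORD_FAILURE_LIMIT"))
    if limit is None:
        findings.append("SIGNON_PASSWORD_FAILURE_LIMIT not set: failed logins are unlimited")
    elif limit > MAX_FAILURES:
        findings.append(f"SIGNON_PASSWORD_FAILURE_LIMIT is {limit}, above {MAX_FAILURES}")

    length = _as_int(values.get("SIGNON_PASSWORD_LENGTH"))
    if length is None:
        findings.append("SIGNON_PASSWORD_LENGTH not set")
    elif length < MIN_LENGTH:
        findings.append(f"SIGNON_PASSWORD_LENGTH is {length}, below {MIN_LENGTH}")

    # Assumption: the export carries the displayed value ("Yes"/"No") or "Y"/"N".
    hard = str(values.get("SIGNON_PASSWORD_HARD_TO_GUESS") or "").strip().upper()
    if hard not in ("Y", "YES"):
        findings.append("SIGNON_PASSWORD_HARD_TO_GUESS not enabled")

    reuse = _as_int(values.get("SIGNON_PASSWORD_NO_REUSE"))
    if reuse is None:
        findings.append("SIGNON_PASSWORD_NO_REUSE not set: no waiting period before reuse")
    elif reuse < MIN_NO_REUSE_DAYS:
        findings.append(f"SIGNON_PASSWORD_NO_REUSE is {reuse}, below {MIN_NO_REUSE_DAYS}")

    # Assumption: the export carries the displayed value ("Sensitive"/"Insensitive").
    case = str(values.get("SIGNON_PASSWORD_CASE") or "").strip().lower()
    if case != "sensitive":
        findings.append("SIGNON_PASSWORD_CASE is not Sensitive")

    return findings


if __name__ == "__main__":
    for finding in review_signon_settings(SAMPLE_SITE_VALUES):
        print(finding)
    # A common default-style password satisfies all three rules.
    print(hard_to_guess_violations("Welcome1", "JSMITH"))
```

A password such as "Welcome1" passes all three rules, which is why the table's Sign on Password Custom option matters where the client's policy is stricter.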
Functionality for “Login Assistance” self service has been introduced in place of the Forgotten Password administrative function.
It is not uncommon for system administrators to have to reset a user's forgotten password, or even advise a user of the account's user (login) name. This is unproductive for both the user, who cannot do any work in the meantime, and for the administrator. In addition, a user will occasionally request
[Figure: IdM, Oracle ERP (Users, Responsibilities), System 1 and System 2 (Users, Access Group). Callouts: "User Creation and Provisioning should be sourced at the IdM solution"; "Technical and/or monitoring controls should be enabled to promote user creation and assignment from the IdM solution".]
4.2. Identity management within Oracle EBS
Oracle EBS as part of the overall Oracle identity management framework can be considered as one additional application to be included. In principle users created in Oracle EBS are provisioned to OID (and vice versa
However with the usage of the new RBAC functionality, there might be enhanced usage of provisioning within Oracle EBS. Therefore new functionalities are introduced in the new version R12.
Provisioning services are modelled as registration processes that enable end users to perform some of their own registration tasks, such as requesting new accounts or additional access to the system. They also provide administrators with a faster and more efficient method of creating new user accounts, as well as assigning roles. Registration Processes create Role Assignments, which are equivalent to RBAC policies, as these Role Assignments control the actions or access for a user.
Introduction of “User Management: Security Administration Set Up” Wizard for performing the following system administration functions:
o Defining User Administration Privileges for Roles
o Defining Role Administration Privileges for Roles
o Defining Organisation Administration Privileges for Roles
The functionality of “Administrator assisted request for additional access” is added as the fourth type of user registration process.
It is important to understand how the login and synchronization process works. Here is a brief description for the simplest cases. Please see the main documentation for more details.
A. Authentication Phase: Validating a user's identity
User attempts to access a protected page from Oracle Applications Release 12. User is redirected to Single Sign-On Server site. Single Sign-On Server verifies if user is already authenticated (validates the cookie SSO_ID presented to this site
5.1. Functionality
In the Oracle 11i environment, the E-Business Suite (EBS) uses the profile option MO: Operating Unit to link an operating unit to a particular responsibility. This process creates a one-to-one relationship between the responsibility and the operating unit. The system administrator must set this profile option for each responsibility. EBS allows a user to see only the information for the particular operating unit that is assigned to the responsibility. If a user wants to enter transactions or perform setup functions across several business units, then that user must be assigned multiple responsibilities with access to each of the relevant business units. The user must switch between responsibilities to perform updates to different business units.
The old model of managing multi-organization access in Oracle 11.5.10 has been enhanced, but not replaced, by the MOAC. The option to use the MO: Operating Unit profile option to enforce a one-to-one relationship between responsibilities and business units can still be used. Optionally, if an organization wants to provide multiple organization access from a single responsibility, then those organizations will use MOAC. EBS introduces a new profile option that enables MOAC -- MO: Security Profile
MOAC provides the following two security profiles that enable users to access, process, and report data in multiple operating units from a single responsibility:
o MO: Security Profile - Allows the assignment of multiple operating units for the same business group.
o MO: Global Security Profile - Allows the assignment of multiple operating units across multiple business groups.
The following profile options are relevant to MOAC:
o MO: Security Profile
o MO: Default Operating Unit
o MO: Operating Unit (legacy functionality
s own workflows. To impact system-wide workflows, the Workflow Administrator role must be assigned to the user. This access is granted through the Administration tab in Oracle Workflow. Workflow administrator capabilities are required to assign another individual this role.
The ability to view and update anyone's workflow has significant implications. If an individual had access to the workflow administrator role, sensitive transactions could be initiated directly in workflow. The following example identifies how to create a new sales order through workflow: The individual selects the order entry process workflow and selects the "Run" option.
The Alert Manager can enable/disable the Alert.
The Alert Manager can modify what is being monitored.
Choose the Order to Cash flow
The workflows appear below the business flow
3.2. Potential Automated Solutions
The inherent auditing mechanism in the Oracle database (and related Application Programming Interfaces - APIs such as the "Audit API") can be used to help monitor changes to the database and is discussed later. However these auditing mechanisms in the application and in database are not sufficient to allow for effective monitoring of the APPS ID.
Oracle is currently introducing its IT Auditor module for the E-Business suite which will further help with change control. Oracle is also introducing Database Vault which addresses segregation of duties within the database. Oracle Database Vault addresses some of the most common database security problems and internal threats by:
Restricting the DBA and other privileged users from accessing application data
Preventing the Application DBA from manipulating the database and accessing other applications
Provides better control over who, when & where an application can be accessed
Additionally, functionality in other third party tools provides tighter control over Oracle E-Business Suite change control procedures. Refer to Oracle Metalink at https://metalink.oracle.com/.
To augment basic monitoring procedures over the APPS ID, other features can be implemented to help ensure that access to the database is controlled. Either approach individually or collectively are controls we recommend. Through the use of native Oracle security features found within SQLNET (sqlnet.ora configuration file) and the LISTENER (listener.ora configuration file
Unless the client has a very strong reason to the contrary (exceptions should be discussed with the PwC Oracle SME team
access to DBA's can provide sufficient access to administer the database but prevent updates to the audit trail.
Formal fire-call / request procedures for the use of default DBA ID such as SYS and SYSTEM.
As a precaution against default DBA IDs updating the audit trail, enable auditing over the audit trail. While detailed information might not be available regarding the update, enabling auditing over the audit trail will at least identify that the audit trail was modified. Follow-up activities should then be performed to understand why the audit trail was updated.
The audit trail should be sent to the operating system away from the control of the DBA. Ideally, the audit trail would be sent through the system logging facility on the operating system. This approach would further separate the audit trail from the DBA's. The frequency by which the audit trail is sent to the operating system should be assessed against the feasibility of enforcing individual user IDs and custom roles. If the audit trail is copied out of the database infrequently, greater need is realised to enforce individual user IDs and custom roles in the database.
Note: Several of our clients have considered this approach. The implemented status of this approach, however, is not currently known.
System Profile Options
System Profile Options are system parameters that can have a global impact on Oracle EBS. Those same parameters can also only have limited effect on the system. The overall effect of the parameters on the system is dependent on which level the parameters are configured -- site, application, responsibility and user.
1. Site-Level
System Profile Options at the site level have global impact to Oracle EBS. For example, the default Ledger name is set at the site level. If Oracle responsibilities are not explicitly assigned to Ledger names, then, by default, they are assigned to the site-level default Ledger name.
1.1. Control Considerations
1.1.1. Business Process Variables
o None
1.1.2. Control Dependencies
o None
1.1.3. Control Limitations
o None
1.1.4. Testing Notes
o System profile options at the site level can be effectively tested online. GATE reports can also be used.
2. Application-Level
System Profile Options at the application level only have impact on the application associated with the particular parameter. For example, sequential numbering could be set to "Partially Used" at the site level, but set to "Gapless" in Payables. In this situation, "Gapless" sequential numbering will be used in Payables, but "Partially Used" will be enforced in the other Oracle modules. Application-level system profile options override site-level system profile options.
2.1. Control Considerations
2.1.1. Business Process Variables
o None
2.1.2. Control Dependencies
o None
2.1.3. Control Limitations
o None
2.1.4. Testing Notes
o System profile options can be tested online for applications in-scope. GATE reports can also be used.
3. Responsibility-Level
System Profile Options at the responsibility level only have impact on the responsibility associated with the particular parameter. Oracle responsibilities are generally associated with a specific Ledger
custom query made by the client will be required to obtain profile options set at the user level.
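The level hierarchy described in this section (site, application, responsibility, user) can be applied to an export of profile option values to find the value that is actually in force and to list every lower-level override. The following is an added example, not Oracle or PwC code. It goes beyond the application-over-site rule stated above by also applying the standard precedence for responsibility and user levels; the row layout, the responsibility name and the user name are constructed.

```python
# Added example, not Oracle or PwC code. The most specific level wins:
# user, then responsibility, then application, then site.
PRECEDENCE = ("user", "responsibility", "application", "site")

# Constructed sample export rows: (option, level, level_value, value).
SAMPLE_ROWS = [
    ("UNIQUE:SEQ_NUMBERS", "site", None, "Partially Used"),
    ("UNIQUE:SEQ_NUMBERS", "application", "Payables", "Gapless"),
    ("SIGNON_PASSWORD_LENGTH", "site", None, "8"),
    ("SIGNON_PASSWORD_LENGTH", "user", "BATCH_USER", "4"),
    ("FND_DIAGNOSTICS", "site", None, "No"),
    ("FND_DIAGNOSTICS", "responsibility", "Payables Manager", "Yes"),
]


def effective_value(rows, option, application=None, responsibility=None, user=None):
    """Return (value, level) in force for one option in the given session context."""
    context = {
        "site": None,
        "application": application,
        "responsibility": responsibility,
        "user": user,
    }
    by_level = {}
    for opt, level, level_value, value in rows:
        if opt != option or level not in context:
            continue
        # A site row always applies; other rows apply only to the matching context.
        if level == "site" or (context[level] is not None and level_value == context[level]):
            by_level[level] = value
    for level in PRECEDENCE:
        if level in by_level:
            return by_level[level], level
    return None, None


def overrides(rows):
    """List every non-site setting whose value differs from the site-level value."""
    site = {opt: value for opt, level, _, value in rows if level == "site"}
    found = []
    for opt, level, level_value, value in rows:
        if level != "site" and value != site.get(opt):
            found.append((opt, level, level_value, site.get(opt), value))
    return sorted(found, key=lambda r: (r[0], r[1], str(r[2])))


if __name__ == "__main__":
    print(effective_value(SAMPLE_ROWS, "UNIQUE:SEQ_NUMBERS", application="Payables"))
    for row in overrides(SAMPLE_ROWS):
        print("override:", row)
```

The override list is the part a site-level test alone does not show: a password length that looks compliant at site level can still be weakened for a single user.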
4. Key Profile Options
The following section highlights the key system profile options to review for audit and consulting engagements. The "Relevant" column indicates if the profile option is applicable for audit (A) and consulting (C) projects.
5.1 Profile options
| Profile Option | Setting | If new for R12, what is it? | Available Options | Relevant |
|---|---|---|---|---|
| APPS_SSO_LINK_TRUTH_SRC | Applications SSO Linking Source of Truth | Applications SSO Linking Source of Truth | E-Business Suite, Oracle Internet Directory | C |
| APPS_SSO_POSTLOGOUT_HOME_URL | Applications SSO Post Logout URL | Applications SSO Post Logout URL | User Defined | C |
| APPS_SSO_OID_IDENTITY | Applications SSO Enable OID Identity Add Event | When a user is created in OID, the IDENTITY_ADD event is sent to all registered instances. This event controls whether an E-Business Suite instance should create the user in response to IDENTITY_ADD | Enable, disable | C |
| APPS_SSO_AUTO_LINK_USER | Applications SSO Auto Link User | If a user authenticated by SSO has no corresponding user in E-Business Suite, it will look for a local user with the same user name. If found, it will be permanently linked | Enable, disable | TBD |
| APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS | Applications SSO Allow Multiple Accounts | At user level, it enables a user to have multiple E-Business Suite accounts linked to a single SSO user name. Selection of which account is active is done via the Preferences page. At site level, it indicates the default for users without this specific setting. | Enable, disable | TBD |
| FND_EXPORT_ALL_BLOCK_DATA | FND Export All Block Data | The profile control what data is exported from a form's block. | Yes, No | TBD |
| FND_FIXED_SEC_KEY | FND: Fixed Key | The fixed security key to be used in Framework if the profile FND Fixed Key Enabled is set to Y for the user. The key should be a Hexadecimal string of size 64. | User Defined | C |
| FND_FIXED_KEY_ENABLED | FND: Fixed Key Enabled | This profile determines if a fixed key will be used for security purposes in Framework. | Yes, No | C |
| FND_CACHE_PORT_RANGE | FND_CACHE_PORT_RANGE | Opening up a range of ports so that machine can talk across DMZ | User Defined | C |
| OAM_SCRAM_ALLOWED | OAM: Data Scrambling Allowed | Profile option to allow data scrambling | User Defined | C |
| OAM_SCRAM_ENABLED | OAM: Data Scrambling Enabled | Profile to enable or disable data scrambling | User Defined | C |
| OAM_WS_AUDIT_ENABLED | OAM_WS_AUDIT_ENABLED | Enable or Disable Web Service Auditing | User Defined | C |
| SIGNON_PASSWORD_CASE | Signon Password Case | Enables or Disables Password Case Sensitivity | Enabled, Disabled | A&C |
| OAM_ENABLE_SYSTEM_ALERT | System Alert Enable Level | System Alert Enable Level | All, Critical and Error, Critical, None | C |
| SIGNON_PASSWORD_CASE | Signon Password Case | Enables or Disables Password Case Sensitivity | Insensitive, Sensitive | A&C |
| SIGNON_PASSWORD_CUSTOM | Signon Password Custom | Profile option that specifies the full name of the class containing custom password validation logic. | User Defined | A&C |
| SIGNON_PASSWORD_FAILURE_LIMIT | Signon Password Failure Limit | A positive integer indicating the maximum number of logon attempts before the user's account is disabled. | User Defined | A&C |
| SIGNON_PASSWORD_HARD_TO_GUESS | Signon Password Hard To Guess | Profile that gets set to "true" if hard-to-guess password validation rules should be enforced for new passwords. | Yes, No | A&C |
| SIGNON_PASSWORD_LENGTH | Signon Password Length | Minimum length of Applications user password | User Defined | A&C |
| SIGNON_PASSWORD_NO_REUSE | Signon Password No Reuse | Profile to specify the number of days a user must wait before being allowed to reuse a password. | Yes, No | A&C |
| SIGNONAUDIT:LEVEL | Sign-On: Audit Level | Level at which to audit foundation usage | NONE, USER, RESPONSIBILITY, FORM | A&C |
| SIGNONAUDIT:NOTIFY | Sign-On: Notification | Notify User Concurrent Program Failures and Invalid Printers | Yes, No | A&C |
| FND_DIAGNOSTICS | FND: Diagnostics | Enables Diagnostics Global Button | Yes, No | A&C |
| FND_HIDE_DIAGNOSTICS | Hide Diagnostics menu entry | Hides the Help: Diagnostics Menu entry | Yes, No | A&C |
| UNIQUE:SEQ_NUMBERS | Sequential Numbering | Sequential Numbering | Always Used, Not Used, Partially Used | A&C |
| CONC_REPORT_ACCESS_LEVEL | Concurrent: Report Access Level | Provides controlled access of log/output files of requests to group of users based on the current responsibility of the user based on this profile option value | Responsibility, User | C |
| PRINTER | Printer | Output Printer | Registered Printers e.g. ( noprint, LabelPDF | |
s Practice Aid.
1.3. Control Considerations
1.3.1. Business Process Variables
o None
1.3.2. Control Dependencies
o The Custom.pll library is a standard Oracle Forms PL/SQL library that is supplied by the Oracle Applications. This is Oracle's built-in feature that allows the customer to enhance the standard functionality of the Applications by implementing site-specific business rules. Every Oracle Forms-based eBusiness screen, and any custom form developed using the Oracle Application development standards, will access the CUSTOM library. This allows customers to create business rules that affect the entire organization. Customers may use this functionality to hide certain tabs from users (i.e. Process Tab) or enforce even more granular controls in forms and functions access. PwC should inquire if the client is using Custom.PLL to further control user access during SOD testing and validation.
1.3.3. Control Limitations
o Oracle is installed with default responsibilities that help the client enter and post transactions. These responsibilities were built by Oracle without any consideration of Segregation of Duties principles.
1.3.4. Testing Notes
o Personalisation is not currently analysed by Oracle GATE.
Restricted Access/Segregation of Duties
When conducting an Oracle restricted access / segregation of duties review, there are three main access considerations:
Application Setups
Standing Data
Segregation of Duties
1. Application Setups
Application Setups are defined as configurations that change the behaviour of the application. These setups are generally only configured upon installation, upgrades, or major business events. Changes in business process setups could cause system failure and/or data inconsistencies. Therefore, access to these setups should be restricted to the IT department or similar technical role.
In addition, because of the potential impact on key financial controls associated with these setups, any changes to these should be implemented via the client's stated change management process & controls. Please note that the definition of what constitutes application setups will vary from client to client, and practitioners should discuss these concepts with clients prior to commencing any Oracle work.
2. Standing Data
Standing Data are defined as setups that either affect the processing of transactions or are used in the processing of transactions that could have a financial statement impact. These setups are generally configured upon installation, upgrades, or major business events. However, they may also need to be changed periodically to reflect ongoing changes to the business environment. Changes in standing data could cause financial processing difficulties and/or changes to standard transaction accounting procedures. Therefore, access to these setups should be limited to a select few business process or IT owners who do not have transactional access.
Changes to standing data setups should be approved prior to implementation due to their potential impact on key financial controls and/or processes. Please note that the definition of what constitutes standing data will vary from client to client, and practitioners should discuss these concepts with clients prior to commencing any Oracle work.
3. Segregation of Duties
Segregation of Duties is defined as segregating access to two or more sensitive functions that, when combined, could present a risk of material misstatement, management override, fraud or theft.
3.1. Designing SoD
Segregation of Duties and Restricted access design could be complex and is dependent upon each client's environment. Clients should acknowledge the inherent accounting and unique business risks that require certain activities to be performed by different individuals. In either circumstance, the rules and related documentation developed should be associated with the client's significant financial risks.
Segregation of Duties and Restricted access design could include a balance between separating all conflicting activities and mitigating all segregation of duties violations. This decision making process should include formal elements of SoD analysis. When designing SoD principles, the following should be kept in mind:
o Processes Tab Access: "AZN" menus are those menus that are associated with the Process Navigator Tab. When testing for segregation of duties, the reports generated from the tool will identify the menus associated with the issue.
o Without understanding the menu being used and the implications with the "AZN" menu, the segregation of duties analysis will appear to contain many false positives. Practitioners should be aware of the AZN menu and help the client understand where the excessive or conflicting access exists.
o As many concurrent processes have the similar financial impact as the direct entry of transactions (AutoInvoice, Automatic Journal Posting, Revenue Recognition
K. Relevant Modules
1. iSetup
iSetup is a data management product that helps in automating migration and monitoring of EBS setup data. iSetup helps in the migration of data between different instances of Oracle.
iSetup is covered in this document, as this module might influence the setup of Oracle EBS and can be used for analyzing the overall setup of Oracle EBS. For detailed analytics refer to the iSetup User Guide.
1.1. Usage of iSetup
iSetup is a two-part application:
o iSetup Configurator runs on the web and provides an interactive questionnaire to capture business requirements and configuration decisions.
o iSetup Migrator is the load functionality that populates the application setup tables with the detailed parameter values.
The following graph depicts the process of using iSetup to support the creation and extraction of the transformation files, which then can be transferred to any output.
Clients could use this for migrating data between:
Production instance to another production instance
Test or development environment to the production environment
1.2. Control Considerations
2.1.1. Business Process Variables
o None
2.1.2. Control Dependencies
o None
2.1.3. Control Limitations
o None
2.1.4. Testing Notes
o The reports, either standalone for a single instance, or comparison between multiple instances can be used to retrieve and compare setup data.
o The history of executed migrations can be used for analytics of the change management process.
2. AME
Oracle Approvals Management (AME) is a self-service Web application that enables client to define business rules governing the process for approving transactions in Oracle applications.
AME is covered in this document, as the usage of AME might impact the analytics of approval processes and controls based on approvals. For detailed analytics refer to the Oracle AME user guide. Oracle AME is also integrated with Oracle user management.
1.1. Usage of AME
The purpose of Oracle Approvals Management (AME) is to define approval rules that determine the approval processes for Oracle applications. The following graphic illustrates the typical approval process used in an organization.
An approval rule is a business rule that helps determine a transaction's approval process such as who gets to approve certain transactions, dollar amount limits, and notification routing. Rules are constructed from conditions and actions.
For example an approval rule can be as follows:
If the transaction's total cost is less than 1,000 USD, and the transaction is for travel expenses, then get approvals from the immediate supervisor of the person submitting the transaction. Otherwise get approval from the company travel manager.
Oracle Approvals Management enables business users to specify the approval rules for an application without having to write code or customize the application. Once the rules are defined for an application, the application communicates directly with AME to manage the approvals for the application's transactions. Client can define rules to be specific to one application or shared between different applications. As AME recalculates the chain of approvals after each approval, a transaction is assured to be approved under the latest conditions, regardless of organizational changes, changes to transaction values, rule changes, or currency conversions. AME has built-in testing features that enable you to confirm the behavior of new or edited business rules before live execution.
1.2. Control Considerations
2.1.1. Business Process Variables
o Many clients might rely on manual approvals or sign-offs sheets as their key controls over account procedures. From an efficiency, effectiveness perspective, PwC practitioners should be on the look out for areas of process improvement where a manual approval process can be automated in Oracle.
2.1.2. Control Dependencies
o None
2.1.3. Control Limitations
o None
2.1.4. Testing Notes
o The use of AME gives auditors the ability to test the approval process systematically and gain comfort over established key controls.
L. Forms that accept S
| Function - Internal Name | Function - Display Name | Form - Internal Name | Form - Display Name |
|---|---|---|---|
| FND_FNDSCMOU | ORACLE Usernames | FNDSCMOU | Register ORACLE IDs |
| PSB_PSBSTPTY | Attribute Mapping Details | PSBSTPTY | Attribute Mapping Details |
| MSDCSDF | Define Data Stream | MSDCSDF | Define Data Stream |
| MSDCSDFA | Custom Stream Advanced Setup | MSDCSDFA | Custom Stream Advanced Setup |
| MSD_MSDAUDIT | Audit Statements | MSDAUDIT | Audit Statements |
| JTFRSDGR | Define Dynamic Resource Groups | JTFRSDGR | Define Dynamic Resource Groups |
| JTFBRWKB | Business Rule Workbench | JTFBRWKB | Business Rule Workbench |
| ONT_OEXPCFVT | Validation Templates | OEXPCFVT | Define Validation Templates |
| ONT_OEXDEFWK, QP_OEXDEFWK | Defaulting Rules, Attribute Mapping | OEXDEFWK | Defaulting Rules |
| JTFTKOBT | Objects Meta-data | JTFTKOBT | Foundation Objects |
| JTF_GRID_ADMIN | Spreadtable Metadata Administration | JTFGRDMD | Spreadtable Metadata Administration |
| JTFGDIAG | SpreadTable Diagnostics | JTFGDIAG | SpreadTable Diagnostic Form |
| JTFGANTT | JTFGANTT | JTFGANTT | JTFGANTT |
| WMS_WMSRULEF | Define WMS Rules | WMSRULEF | Define WMS Rules |
| QP_QPXPRFOR | Create Pricing Formulas | QPXPRFOR | Define Pricing Formulas |
| QP_QPXPTMAP | New Attribute Mapping | QPXPTMAP | Attribute Mapping |
| GMAWFPCL_F | Workflow Process Configuration Framework | GMAWFPCL | Workflow Process Configuration Framework |
| GMAWFCOL_F | Workflow Activity Approval Configuration Framework | GMAWFCOL | Workflow Activity Approval Configuration Framework |
| AME_WEB_APPROVALS | Approvals Management | TBD | TBD |
| PERWSAPI | PL/SQL tester | PERWSAPI | PL/SQL tester |
| FFXWSMNG | Write Formula | FFXWSMNG | Write Formula |
| FFXWSDFF | Define Function | FFXWSDFF | Define Function |
| FFXWSBQR | Create Quickpaint Inquiry | FFXWSBQR | Create QuickPaint Inquiry |
| PAYWSDAS | Define Assignment Set | PAYWSDAS | Define Assignment Set |
| PAYWSDYG | Dynamic Trigger Maintenance | PAYWSDYG | Dynamic Trigger Maintenance |
| PERWSSCP | Define Security Profile | PERWSSCP | Define Security Profile |
M. Glossary
1. Key Oracle Functionality
A number of terms that are used within the Oracle System Administration module are listed below with an associated definition.
| Term | Description |
|---|---|
| Alert | A mechanism that checks your database for a specific exception condition. An alert is characterised by the SQL SELECT statement it contains. A SQL SELECT statement tells the application what database exception to identify as well as what output to produce for that exception. |
| Alert Action | An action the alert is to perform. An alert action can depend on the output from the alert. An action can include sending an electronic mail message to a mail ID, running an Oracle Applications program, running a program or script from your operating system, or running a SQL script to modify information in your database. |
| Audit Trail | Audit Trail tracks which rows in a database table(s) were updated at what time and which user was logged in using the form(s). |
| Concurrent Request | A command to start a concurrent program. An example of a concurrent request is a command to generate and print a report. |
| Data Group | A data group is a group list of Oracle Applications and the Oracle ID each application is assigned to. An Oracle ID grants access privileges to tables in an Oracle database. |
| Menu | A hierarchical arrangement of application functions (forms) that is displayed within the main navigate window |