Securing Oracle EBS can be a bit painful. Here are five quick tips to help you enhance Oracle E-Business Suite (EBS) application security, prevent more SoD conflicts, and help alleviate the pain.
Secure Your Oracle EBS
Implementing an Oracle EBS system architecture is no small feat. Securing your EBS application correctly takes extra effort, but it is necessary to keep your system safe and to protect sensitive or confidential information from competitors and from unauthorized users within your organization.
For instance, you might not have known that some responsibilities that appear to be set up for only querying tables for transactional or master data may actually allow the creation of manual journals, giving those users the capability to update or alter transactional or master data in fields and forms.
While managing sound Oracle EBS security and controls is not always simple, there are many practical steps you can take to help secure your application environment and mitigate the risk of unauthorized access. To start, here are five of those tips:
- Identify key user responsibilities
Not everyone needs equal access to your system. Your system administrator and application developer will require full access to critical administrative functionality in Oracle EBS. But be sure you assign those responsibilities only to team members who legitimately need that access, and review those assignments from time to time to confirm that they are still valid.
- Limit use of the diagnostics menu
The Diagnostics menu, which can be accessed through the Help screen, allows users to add or edit data not typically shown on forms. This has the potential of allowing users to bypass security controls.
Two profile options, Hide Diagnostics menu entry and Utilities: Diagnostics, control which users can access the Diagnostics menu.
Profile options can be established at various levels: Site, Application, Responsibility, or User. An excellent practice is to hide the Diagnostics menu for all users of the EBS environment. To that end, the Hide Diagnostics menu entry should be set to Yes and Utilities: Diagnostics should be set to No at the site level. If access is legitimately required, you may enable the Diagnostics menu for a few specific users.
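An audit query for the policy above, added here as an example and not taken from the original article: it lists every level at which either option is set and flags values that expose the Diagnostics menu. It assumes the standard FND tables in the APPS schema, the internal option names FND_HIDE_DIAGNOSTICS and DIAGNOSTICS, and stored values of Y/N; confirm all three in your instance.

```sql
-- Added example: where are the two Diagnostics profile options set, and do
-- the values match the recommended policy?
--   Hide Diagnostics menu entry (assumed internal name FND_HIDE_DIAGNOSTICS) = Yes
--   Utilities: Diagnostics      (assumed internal name DIAGNOSTICS)          = No
SELECT tl.user_profile_option_name                AS profile_option,
       DECODE(v.level_id, 10001, 'Site',
                          10002, 'Application',
                          10003, 'Responsibility',
                          10004, 'User',
                          TO_CHAR(v.level_id))    AS set_at_level,
       CASE v.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                            FROM fnd_application a
                           WHERE a.application_id = v.level_value)
         WHEN 10003 THEN (SELECT r.responsibility_name
                            FROM fnd_responsibility_tl r
                           WHERE r.responsibility_id = v.level_value
                             AND r.application_id    = v.level_value_application_id
                             AND r.language          = USERENV('LANG'))
         WHEN 10004 THEN (SELECT u.user_name
                            FROM fnd_user u
                           WHERE u.user_id = v.level_value)
       END                                        AS set_for,
       v.profile_option_value                     AS current_value,
       CASE
         -- Values that keep the menu hidden are compliant at any level
         WHEN o.profile_option_name = 'FND_HIDE_DIAGNOSTICS'
              AND v.profile_option_value = 'Y' THEN 'OK'
         WHEN o.profile_option_name = 'DIAGNOSTICS'
              AND v.profile_option_value = 'N' THEN 'OK'
         -- A user-level override may be a legitimate, approved exception
         WHEN v.level_id = 10004 THEN 'REVIEW: user-level exception'
         ELSE 'FINDING: Diagnostics menu exposed'
       END                                        AS assessment
  FROM fnd_profile_options       o
  JOIN fnd_profile_options_tl    tl
    ON tl.profile_option_name = o.profile_option_name
   AND tl.language            = USERENV('LANG')
  JOIN fnd_profile_option_values v
    ON v.profile_option_id = o.profile_option_id
   AND v.application_id    = o.application_id
 WHERE o.profile_option_name IN ('FND_HIDE_DIAGNOSTICS', 'DIAGNOSTICS')
 ORDER BY o.profile_option_name, v.level_id, set_for;
```

If no Site row comes back for an option, it has never been set at the site level, which is itself a gap against the recommendation above.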
- Watch out for cross-module accessibility
Some pre-configured responsibilities in Oracle EBS may allow interdependent access across multiple applications. For instance, those with Order Management Super User responsibilities can access Customer Master Data via one of the options from the Actions button, Add Customer, in the standard Sales Orders form.
This backdoor approach to data may allow users who should have limited access to certain functions in specific business processes to change other parts of the system, potentially circumventing your system’s internal controls.
- Don’t assume that “Inquiry” in the name means it’s inquiry only
Some pre-configured (or “seeded”) responsibilities and menus with “Inquiry” as part of the name have access to critical functionality.
For instance, the Payables Inquiry responsibility allows users to create or edit Supplier Master Data.
Also, the Receivables Inquiry role allows users to create manual journal entries via the Subledger module.
For ALL ERP systems (not just Oracle EBS), NEVER assume that a seeded responsibility with Inquiry (or View Only, etc.) in its name cannot edit transactional or master data within the application.
- Freeze journals
Journal Sources identify the origins of journal entries. The Freeze Journals setting in the Journal Sources allows you to control whether or not journals may be modified before they are posted.
If Freeze Journals is disabled, users can change GL accounts or debit/credit amounts on journals created from these sources. This creates the potential for financial statement fraud, such as overstatement or understatement of net income. Make it standard policy to freeze all systematic journal sources (Receivables, Assets, etc.) and unfreeze all manual journal sources.
These are just a few tips for securing your Oracle E-Business Application. Learn even more at my live webinar: “30 Security Tips n’ Tricks for Oracle EBS by Fastpath” on October 28, 2020 @11:00am ET.