Implementing your Oracle EBS system architecture was hard enough. Securing the EBS application environment, if done correctly, is an ongoing additional effort. You are responsible not only for keeping the system safe from prying eyes outside the organization, but also for users inside the company who may have unauthorized access to sensitive company data or confidential, proprietary information.
For example, you might be surprised to learn that some responsibilities that appear to be set up only for querying transactional or master data can actually create manual journals, or that some users can directly update transactional or master data in fields and forms via the Diagnostics menu.
While maintaining robust Oracle EBS security and controls is anything but simple, the good news is that there are manageable actions you can take right now to secure your application environment and reduce unauthorized access to sensitive areas.
Identify and minimize access to key user responsibilities
Not all responsibilities are created equal. For example, the System Administrator and Application Developer responsibilities provide full access to key administrative functionality in Oracle EBS. Make sure you assign these responsibilities only to users who genuinely need them, and that you periodically review which users have this type of access, including responsibilities inherited indirectly through roles.
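The periodic review described above can be driven from the FND tables directly. The following query is an added example, not part of the Fastpath webinar; it assumes a connection to the APPS schema of an Oracle EBS R12 instance, and the IN list holds the two responsibility names the article calls out (extend it with your own custom super-user responsibilities):

```sql
-- Added example: list every active user who currently holds a high-privilege
-- responsibility, for a periodic access review.
-- Assumes the APPS schema (Oracle EBS R12). FND_USER_RESP_GROUPS is the view that
-- includes both direct assignments and assignments inherited through roles;
-- use FND_USER_RESP_GROUPS_DIRECT instead if you only want direct grants.
SELECT u.user_name,
       u.description                AS user_description,
       rt.responsibility_name,
       urg.start_date,
       urg.end_date
FROM   fnd_user                  u
JOIN   fnd_user_resp_groups      urg
       ON  urg.user_id = u.user_id
JOIN   fnd_responsibility_tl     rt
       ON  rt.responsibility_id = urg.responsibility_id
       AND rt.application_id   = urg.responsibility_application_id
       AND rt.language         = USERENV('LANG')
WHERE  rt.responsibility_name IN ('System Administrator', 'Application Developer')
-- the user account itself is still active
AND    NVL(u.end_date, SYSDATE + 1) > SYSDATE
-- the assignment is still active (an end-dated assignment is revoked, not deleted,
-- so the row remains and must be filtered out)
AND    urg.start_date <= SYSDATE
AND    NVL(urg.end_date, SYSDATE + 1) > SYSDATE
ORDER  BY rt.responsibility_name, u.user_name;
```

Run it on a schedule and diff the output against the previous run; a new row is either an approved change you can trace to a ticket or a finding.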
Disable access to the Diagnostics menu for all users
Available from the Help screen, the Diagnostics menu lets users directly edit data not visible or updatable in the typical forms, potentially bypassing controls.
Two profile options control whether users can access the Diagnostics menu: Hide Diagnostics menu entry and Utilities: Diagnostics.
Profile options can be set at multiple levels: Site, Application, Responsibility, or User, and a value set at a lower level overrides the Site value for that application, responsibility, or user. Best practice is to hide the Diagnostics menu for all users of the EBS environment: set Hide Diagnostics menu entry to Yes and Utilities: Diagnostics to No at the Site level. Then, only where access is genuinely needed, enable the Diagnostics menu for a small number of specific users at the User level, and review those overrides periodically so they do not quietly accumulate.
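Because a User- or Responsibility-level value silently overrides the Site default, checking the Site value alone is not enough. The query below is an added example (not from the webinar) that reports every level at which the two Diagnostics profile options are set and flags anything that departs from the recommended configuration. It assumes the APPS schema, the standard FND level IDs (10001 Site, 10002 Application, 10003 Responsibility, 10004 User), and that the Yes/No options are stored as 'Y'/'N', as they are for these two seeded options:

```sql
-- Added example: show every level at which the Diagnostics profile options are set,
-- decode the level to a readable name, and flag deviations from
--   Hide Diagnostics menu entry = Yes  and  Utilities: Diagnostics = No  at Site.
-- Assumes the APPS schema. Level IDs are the standard FND values.
SELECT pot.user_profile_option_name,
       DECODE(pov.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              TO_CHAR(pov.level_id))            AS level_name,
       CASE pov.level_id
         WHEN 10002 THEN (SELECT fat.application_name
                          FROM   fnd_application_tl fat
                          WHERE  fat.application_id = pov.level_value
                          AND    fat.language       = USERENV('LANG'))
         WHEN 10003 THEN (SELECT rt.responsibility_name
                          FROM   fnd_responsibility_tl rt
                          WHERE  rt.responsibility_id = pov.level_value
                          AND    rt.application_id    = pov.level_value_application_id
                          AND    rt.language          = USERENV('LANG'))
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = pov.level_value)
       END                                       AS level_value_name,
       pov.profile_option_value,
       CASE
         WHEN pov.level_id = 10001
          AND pot.user_profile_option_name = 'Hide Diagnostics menu entry'
          AND pov.profile_option_value <> 'Y'
              THEN 'REVIEW: site default exposes the Diagnostics menu'
         WHEN pov.level_id = 10001
          AND pot.user_profile_option_name = 'Utilities: Diagnostics'
          AND pov.profile_option_value <> 'N'
              THEN 'REVIEW: site default allows diagnostics without the APPS password'
         WHEN pov.level_id <> 10001
              THEN 'override: confirm a documented business need'
       END                                       AS finding
FROM   fnd_profile_options_tl    pot
JOIN   fnd_profile_options       po
       ON  po.profile_option_name = pot.profile_option_name
       AND po.application_id      = pot.application_id
JOIN   fnd_profile_option_values pov
       ON  pov.profile_option_id = po.profile_option_id
       AND pov.application_id    = po.application_id
WHERE  pot.language = USERENV('LANG')
AND    pot.user_profile_option_name IN ('Hide Diagnostics menu entry',
                                        'Utilities: Diagnostics')
ORDER  BY pot.user_profile_option_name, pov.level_id, level_value_name;
```

If the Site row for either option is missing entirely, the option is unset at Site and the seeded default applies, which is itself worth recording as a finding.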
Beware of cross-module access!
Some pre-configured (or “seeded”) responsibilities in Oracle EBS have interdependent access across multiple applications.
For example, the Order Management Super User responsibility can create Customer Master Data via the Add Customer option under the Actions button in the standard Sales Orders form, without ever being granted a Receivables responsibility.
The risk here is that users you thought only had limited access to functions within certain business processes can actually make changes to other parts of the system, potentially circumventing some internal controls you have in place.
Just because it says Inquiry in the name does not mean it is ONLY Inquiry!
Additionally, some seeded responsibilities and menus with "Inquiry" in the name have access to critical functionality.
For example, the Payables Inquiry responsibility allows users to create or edit Supplier Master Data.
Likewise, the Receivables Inquiry responsibility allows users to create manual journal entries via the subledger module.
Recommended for ALL ERP systems (not just Oracle EBS): NEVER assume that seeded responsibilities with Inquiry (or View Only, etc.) in the name lack the ability to edit transactional or master data within the application. Verify what the responsibility actually grants.
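The only reliable way to know what a responsibility such as Payables Inquiry or Order Management Super User really grants, including the cross-module access described in the previous section, is to walk its menu tree and honour the exclusions attached to it. The query below is an added example (not from the webinar or from Oracle); it assumes the APPS schema and uses `&resp_name` as a SQL*Plus substitution variable for the responsibility name to inspect:

```sql
-- Added example: enumerate every function a responsibility actually grants by walking
-- its menu tree, then removing the function ('F') and menu ('M') exclusions recorded
-- in FND_RESP_FUNCTIONS. Functions of type SUBFUNCTION are the ones to look at hardest:
-- they are never visible in the navigator but enable buttons and actions inside forms
-- (the Add Customer action in Sales Orders is granted this way).
-- Assumes the APPS schema; &resp_name is a SQL*Plus substitution variable.
WITH resp AS (
  SELECT r.responsibility_id, r.application_id, r.menu_id
  FROM   fnd_responsibility    r
  JOIN   fnd_responsibility_tl rt
         ON  rt.responsibility_id = r.responsibility_id
         AND rt.application_id   = r.application_id
         AND rt.language         = USERENV('LANG')
  WHERE  rt.responsibility_name = '&resp_name'
),
menu_tree AS (
  -- every menu entry reachable from the responsibility's top-level menu;
  -- menu_path records the chain of menu_ids so a menu exclusion can be applied
  -- to the whole subtree beneath the excluded menu, not just its direct entries
  SELECT me.menu_id,
         me.function_id,
         me.grant_flag,
         SYS_CONNECT_BY_PATH(me.menu_id, '/') || '/' AS menu_path
  FROM   fnd_menu_entries me
  START WITH me.menu_id = (SELECT menu_id FROM resp)
  CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
),
exclusions AS (
  -- rule_type 'F' excludes a single function, 'M' excludes a menu and everything under it
  SELECT rf.rule_type, rf.action_id
  FROM   fnd_resp_functions rf
  JOIN   resp
         ON  resp.responsibility_id = rf.responsibility_id
         AND resp.application_id    = rf.application_id
)
SELECT DISTINCT
       ff.function_name,
       fft.user_function_name,
       ff.type
FROM   menu_tree             mt
JOIN   fnd_form_functions    ff  ON ff.function_id  = mt.function_id
JOIN   fnd_form_functions_tl fft ON fft.function_id = ff.function_id
                                AND fft.language    = USERENV('LANG')
WHERE  NVL(mt.grant_flag, 'Y') = 'Y'          -- entries with grant_flag = 'N' are not granted
AND    NOT EXISTS (SELECT 1
                   FROM   exclusions e
                   WHERE  e.rule_type = 'F'
                   AND    e.action_id = ff.function_id)
AND    NOT EXISTS (SELECT 1
                   FROM   exclusions e
                   WHERE  e.rule_type = 'M'
                   AND    INSTR(mt.menu_path, '/' || e.action_id || '/') > 0)
ORDER  BY ff.type, ff.function_name;
```

Anything in the result that is not a query form (a supplier or customer maintenance form, a journal entry function, a SUBFUNCTION that enables an edit action) is a candidate for a function exclusion on that responsibility or for a custom, genuinely read-only responsibility.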
Freeze journals from systematic journal sources
Journal Sources identify the origin of a journal entry. For each source, the Freeze Journals setting in the Journal Sources form controls whether journals from that source can be modified before they are posted.
Leaving Freeze Journals disabled on a journal source allows users to change GL accounts or debit/credit amounts on unposted journals created from that source. For journals fed from subledgers, this breaks the tie between the subledger and the general ledger and could enable financial statement fraud such as net income overstatements or understatements. Best practice is to freeze all systematic journal sources (Receivables, Payables, Assets, etc.) and leave only the manual journal sources unfrozen, so that users can correct their own manual journals but not the ones the system generated.
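The following added example (not from the webinar) reports the Freeze Journals setting of every journal source together with the number of unposted journals currently sitting in each one, which is the window in which an unfrozen source can be tampered with. It assumes the APPS schema on Oracle EBS R12, where journal sources live in GL_JE_SOURCES_B / GL_JE_SOURCES_TL, and it treats only the seeded source named Manual as a manual source; if you have custom manual sources (for example a spreadsheet-upload source), add them to the list in the CASE expression:

```sql
-- Added example: Freeze Journals status per journal source, with the count of
-- unposted GL journals from that source. An unfrozen systematic source with
-- unposted journals is the exposure described in the text.
-- Assumes the APPS schema, Oracle EBS R12. Only 'Manual' is treated as a manual
-- source here; add custom manual sources to the IN list as an assumption of your site.
SELECT b.je_source_name,
       t.user_je_source_name,
       b.freeze_journals_flag,
       COUNT(h.je_header_id)                     AS unposted_journals,
       CASE
         WHEN b.freeze_journals_flag = 'N'
          AND b.je_source_name NOT IN ('Manual')
              THEN 'REVIEW: systematic source is not frozen'
         WHEN b.freeze_journals_flag = 'Y'
          AND b.je_source_name IN ('Manual')
              THEN 'REVIEW: manual source is frozen (users cannot correct own journals)'
       END                                       AS finding
FROM   gl_je_sources_b       b
JOIN   gl_je_sources_tl      t
       ON  t.je_source_name = b.je_source_name
       AND t.language       = USERENV('LANG')
LEFT JOIN gl_je_headers      h
       ON  h.je_source = b.je_source_name
       AND h.status    = 'U'                     -- 'U' = unposted, 'P' = posted
GROUP  BY b.je_source_name, t.user_je_source_name, b.freeze_journals_flag
ORDER  BY finding NULLS LAST, unposted_journals DESC, t.user_je_source_name;
```

Rows with a finding and a non-zero unposted count are the ones to act on first: freeze the source, then review the unposted journals it already produced before they are posted.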
These are just a handful of tips that came from the Fastpath webinar, 30 Oracle EBS Security Tips and Tricks in 30 Minutes, which covers securing Oracle EBS in three areas: System Administration, Automated Application Controls, and IT General Controls (ITGC).
You can view all 30 tips and tricks by watching our GRCDays on-demand webinar.