, , , , , ,

User and Data Auditing

There are two types of auditing in Oracle Applications: auditing users, and auditing database row changes.
Auditing User Activity
Auditing users is supported by:
• Sign-On:Audit Level profile option setting
• Audit Reports
Based on the audit level you choose, Sign-On audit records usernames, dates, and times of users accessing the system, as well as what responsibilities, forms, and terminals users are using.
Auditing Database Row Changes
Auditing database row changes is supported by:
• From the Help menu, About This Record
• AuditTrail:Activate profile option setting
• Audit forms
/by
, , , , , ,

User Session in R12

Using the following profile options you can specify limits on user sessions.
ICX:Session Timeout
Use this profile option to enforce an inactivity time-out. If a user performs no Oracle Applications operation for a time period longer than the time-out value (specified in minutes), the user’s session is disabled. The user is provided an opportunity to re-authenticate and re-enable a timed-out session. If re-authentication is successful, the session is re-enabled and no work is lost. Otherwise, Oracle Applications exits without saving pending work.
If this profile option to 0 or NULL, then user sessions will never time out due to inactivity.
ICX: Limit time
Use this profile option to specify the absolute maximum length of time (in hours) of any user session, active or inactive.


/by
, , , , , ,

Objects in AOL


Data Security uses the concept of an Object to define the data records that are secured.
Object
Data security permissions are managed on objects. Business entities such as Projects and Users are examples of objects. Only a securable business-level concept should be registered as an object. An object definition includes the business name of the object and identifies the main table and primary key columns used to access the object.
Object Instance
An object instance is a specific example of an object, such as Project Number 123 or User JDOE. An object instance generally corresponds to a row in the database. An instance is identified by a set of one or more primary key values as defined by the object. In addition, “All Rows” for an object indicates all data rows of the object.
Users and Groups
Users and groups are Oracle Workflow roles. See the Oracle Workflow documentation for more information on roles.
Privileges given to users and groups determine their access to secured objects.
The data security system allows you to assign privileges to groups of users instead of assigning privileges to each user individually.
Users
Users are individuals who have access to software applications at a particular enterprise. A user must have a unique name and should map one-to-one with an individual human or system. “Group” accounts are not correct uses of the user entity.
Groups
Users can belong to Groups. The grouping can come from position or organization relationships modeled in applications such as Oracle Human Resources. Alternatively, ad-hoc groups can be created explicitly for security purposes. A group is sometimes referred to as a role.

Creating Objects

Use these pages to find, create, and edit data objects. You define objects to be secured in the Data Security system. Objects can be tables or views. An object must be queryable in SQL, and the combination of primary key columns specified must be a unique key.
In these pages, objects are described with the following

  • The Name is the name that appears in the Object Instance Set and Grants pages. This name should be user-friendly.
  • The Code is the internal name of the object.
  • The Application Name is the owning application.
  • The Database Object Name is the name of the underlying database object
/by
, , , , ,

How Function Security Works

Executable functions are selected using the Navigate window. The arrangement of form names in the Navigate window is defined by the menu structure assigned to the current responsibility.
The following types of menu entries are not displayed by the Navigate window:

  • Non-executable functions
  • Menus without Entries
  • Menu Entries without a Prompt

If none of the entries on a menu are displayed by the Navigate window, the menu itself is not displayed.

Menu Entries with a Submenu and Functions
If a menu entry has both a submenu and a function defined on the same line, then the behavior depends on whether or not the function is executable. If it is executable, then the submenu on the same line is treated as content to be rendered by the function. The submenu will not appear on a navigation tree, but will be available in function security
tests (FND_FUNCTION.TEST calls). If the function is not executable, then it is treated as a “tag” for enforcing exclusion rules, and the submenu on the same line is displayed in the navigation tree.
A function is considered executable if it can be executed directly from the current running user interface. For example, an Oracle Applications form using Oracle Forms is an executable function from within Oracle Forms, but not within the Self Service applications.
Registering Functions
• Developers can require parts of their Oracle Forms code to look up a unique function name, and then take some action based on whether the function is available in the current responsibility. Function names are unique.
• Developers can register functions. They can also register parameters that pass values to a function. For example, a form may support data entry only when a function parameter is passed to it.
Warning: In general, you should not modify names, parameters, or other material features of predefined functions for Oracle Applications products. The few exceptions are documented in the  relevant manuals or product notes.
Excluding Functions
Each Oracle Applications product is delivered with one or more predefined menu hierarchies. System Administrators can assign a predefined menu hierarchy to a responsibility. To tailor a responsibility, System Administrators exclude functions or menus of functions from that responsibility using exclusion rules.
Note: The ability to exclude functions is to be used for backward compatibility only. Menu exclusions do not apply to grants.
Available Functions for a User
Functions are available to a user through responsibilities (as well as grants).
When a user first selects or changes their responsibility, a list of functions obtained from the responsibility’s menu structure is cached in memory.
Functions a System Administrator has excluded from the current responsibility are marked as unavailable.
Executable functions in the function hierarchy (i.e. menu hierarchy) are displayed in the Navigate window. Available non-executable functions are accessed by working with the application’s forms.
Menu Compilation
The Compile Security (FNDSCMPI) concurrent program is used to compile menus so that the system can more quickly check if a particular function is available to a particular responsibility/menu.
You should compile your menus after you make changes to your menu data. A request for this concurrent program is automatically submitted after you make changes using the Menus form.

/by
, , , , ,

Function Security

Function security is the mechanism by which user access to applications functionality is controlled.
Function security can be considered as “global data security”, in that it grants access to a function regardless of the current row of data. Oracle Applications architecture aggregates several related business functions into a single form. Because all users should not have access to every business function in a form, Oracle Applications provides the ability to identify pieces of  applications logic as functions. When part of an application’s functionality is identified as a function, it can be secured (i.e., included or excluded from a responsibility).
Application developers register functions when they develop forms. A System Administrator administers function security by creating responsibilities that include or exclude particular functions.
Function
A function is a part of an application’s functionality that is registered under a unique name for the purpose of assigning it to, or excluding it from, a responsibility. There are two types of functions: executable functions (formerly called form functions), and non-executable functions (formerly called subfunctions).
Executable Function
Executable functions have the unique property that you may navigate to them using the Navigate window.

Non-executable Function
A non-executable function) is a securable subset of a form’s functionality: in other words, a function executed from within a form.
A developer can write a form to test the availability of a particular non-executable function, and then take some action based on whether the non-executable function is available in the current responsibility.
Non-executable functions are frequently associated with buttons or other graphical elements on forms. For example, when a non-executable function is enabled, the corresponding button is enabled.
However, a non-executable function may be tested and executed at any time during a form’s operation, and it need not have an explicit user interface impact. For example, if a non-executable function corresponds to a form procedure not associated with a graphical element, its availability is not obvious to the form’s user.
Menu
A menu is a hierarchical arrangement of functions and menus of functions. Each responsibility has a menu assigned to it.
Menus can map to permission sets as well.
Menu Entry
A menu entry is a menu component that identifies a function or a menu of functions. In some cases, both a function and a menu of functions correspond to the same menu entry. For example, both a form and its menu of subfunctions can occupy the same menu entry
Responsibility
A responsibility defines an application user’s current privileges while working with Oracle Applications. When an application user signs on, they select a responsibility that grants certain privileges, specifically:

  • The functions that the user may access. Functions are determined by the menu assigned to the responsibility.
  • The concurrent programs, such as reports, that the user may run.
  • The application database accounts that forms, concurrent programs, and reports connect to.
/by