Shih Hsin University ERP Lab
Oracle ERP Application Security
Computing Center: 陳育亮; Department of Information Management: 莫明鳳
Agenda
• Managing Application Security
• Managing Concurrent Programs and Reports
• Administering Concurrent Managers
• Auditing System Resources
Agenda
• Managing Application Security
  – Responsibility
    • Definition
    • Component
  – Create User account
• Managing Concurrent Programs and Reports
• Administering Concurrent Managers
• Auditing System Resources
Responsibility Definition
• Responsibility
  – A collection of authorizations.
(Figure: a user is granted a responsibility in Oracle Applications; the responsibility determines which windows and which reports the user can access.)
Responsibility Component
(Figure: a responsibility is composed of a data group, a request security group, a menu, and exclusions.)
Data Group Definition
• Data Group
  – A collection of pairings of an application with an Oracle ID.
  – Specifies the Oracle Applications database accounts to which a responsibility's forms and concurrent programs connect.
Data Group
(Figure: Responsibility xyz is assigned a data group; the data group pairs each application with an Oracle ID (CUS, AR, AP, GL). The responsibility's forms and programs connect through the server to the database tables as the Oracle ID of that pairing.)
Menu & Exclusions Definition
• Menu
  – The forms that a responsibility can display and the functions it can access.
• Exclusions
  – Modify the responsibility's access to the forms and functions specified by a menu.
Menu
(Figure: a menu tree)
  Menu Level 1
    Function-A
    Menu Level 2
      Function-B
      Function-C
      Menu Level 3
        Function-A
        Function-D
Exclusion and Final Menu
(Figure: the menu tree above with two exclusions applied: exclude function Function-A, and exclude menu Menu Level 3.)
Final menu:
  Menu Level 1
    Menu Level 2
      Function-B
      Function-C
      Function-D
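The menu and exclusion resolution illustrated above, as an added Python model that is not code from the slides or from Oracle. It assumes that excluding a function removes every occurrence of that function in the tree, and that excluding a menu removes that submenu together with everything beneath it; the menu tree is the one from the slides, constructed here as nested dicts.

```python
# Added example: effective functions of a responsibility = menu tree minus exclusions.
# Assumed rules: an excluded function disappears everywhere it appears; an excluded
# menu disappears with all of its functions and submenus.

# Menu tree from the slides (constructed): an entry maps to None for a function,
# or to another dict for a submenu. The root dict is "Menu Level 1".
MENU = {
    "Function-A": None,
    "Menu Level 2": {
        "Function-B": None,
        "Function-C": None,
        "Menu Level 3": {
            "Function-A": None,
            "Function-D": None,
        },
    },
}


def effective_functions(menu, excluded_functions=(), excluded_menus=()):
    """Return the set of function names the responsibility can actually call."""
    allowed = set()
    for name, entry in menu.items():
        if entry is None:                      # function entry
            if name not in excluded_functions:
                allowed.add(name)
        elif name not in excluded_menus:       # submenu that is not excluded
            allowed |= effective_functions(entry, excluded_functions, excluded_menus)
    return allowed


def pruned_menu(menu, excluded_functions=(), excluded_menus=()):
    """Return the menu tree as the user would see it after exclusions."""
    result = {}
    for name, entry in menu.items():
        if entry is None:
            if name not in excluded_functions:
                result[name] = None
        elif name not in excluded_menus:
            result[name] = pruned_menu(entry, excluded_functions, excluded_menus)
    return result


if __name__ == "__main__":
    print(sorted(effective_functions(MENU)))
    print(sorted(effective_functions(MENU, {"Function-A"}, {"Menu Level 3"})))
    print(pruned_menu(MENU, {"Function-A"}, {"Menu Level 3"}))
```

Note that excluding Function-A removes both the Level 1 and the Level 3 occurrence, which is the reason exclusions are checked against the whole tree rather than a single menu entry.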
Request Security Group Definition
• Request Security Group
  – A collection of reports and other concurrent programs.
  – A request group lists the concurrent programs that a responsibility can run.
  – When a request group is assigned to a responsibility, it is referred to as a request security group.
Using Responsibility
(Figure: two paths to a working responsibility)
• Using a predefined responsibility
  – Define application user
• Using a custom responsibility
  – Define or modify data group
  – Define or modify menu
  – Define or modify request group
  – Define or modify responsibility
  – Exclude functions and menus
  – Define application user
Agenda
• Managing Application Security
  – Responsibility
    • Definition
    • Component
  – Create User account
• Managing Concurrent Programs and Reports
• Administering Concurrent Managers
• Auditing System Resources
• Applications DBA Duties
User and Responsibility
(Figure: a user is assigned a responsibility in Oracle Applications; the responsibility determines which windows and which reports the user can reach.)
Create User Account
1. Enter user name and password
2. Require password change; limit access attempts
3. Enter user's start and end dates
4. Assign one or more responsibilities
Practice 1 & 2
• Query the responsibility "System Administrator" and all of its components.
• Create a user account named "your username01" and assign it the responsibility "System Administrator".
Agenda
• Managing Application Security
• Managing Concurrent Programs and Reports
  – Request
  – Request Group
  – Request Set
• Administering Concurrent Managers
• Auditing System Resources
• Applications DBA Duties
Request Overview
(Figure: the user submits a request to run program abc; the request is queued in the request table alongside other pending requests ("Run program…"); the concurrent manager reads the table and starts program abc.)
Submit Request Flow
1. Submit Request
2. Enter Information
3. Enter Parameters (may be required)
4. Define Submission Schedule (optional)
5. Completion Options (optional)
6. Click Submit
7. Record Request ID
Request Group
• A collection of reports and other concurrent programs within a responsibility.
• One of a responsibility's components.
• Defined at responsibility level.
• Includes
  – Application
  – Program
  – Set
Agenda
• Managing Application Security
• Managing Concurrent Programs and Reports
  – Request
  – Request Group
  – Request Set
• Administering Concurrent Managers
• Auditing System Resources
Request Set
• A collection of reports and other concurrent programs that users group together themselves.
• Defined at user level.
• Includes
  – Stage
    • A component of a request set used to group requests within the set.
Request Set Stages
(Figure: a request set made of three stages: Stage 1 runs Request 1 and Request 2, Stage 2 runs Request 3, Stage 3 runs Request 4 and Request 5.)
Defining a Request Set
1. Enter Request Set Names
2. Define Stages
3. Enter Requests for Stage
4. Enter Request Parameters
5. Link Stages
6. Save
Request Set Privileges
Privilege   Create   Edit   Sets Contain               Own Created Sets   Change Owners
User        Yes      Own    Request Group's Reports    Yes                No
SysAdm      Yes      All    Any Reports                No                 Yes
Agenda
• Managing Application Security
• Managing Concurrent Programs and Reports
• Administering Concurrent Managers
  – Concurrent Manager
  – Transaction Manager
  – Conflict Domain
• Auditing System Resources
Concurrent Manager
(Figure: a concurrent manager is defined by its specialization rules, its work shifts and its target processes, and runs the programs it is specialized for, e.g. Program A and Program B.)
Work Shifts & Priorities
Priority   Work Shift Definition                                  Example
1          Specific date & range of times                         April 15, 2001, 8:00am~5:00pm
2          Specific date but no range of times                    April 15, 2001
3          Range of days & range of times                         Mon~Fri, 8:00am~5:00pm
4          Range of days but no range of times                    Mon~Fri
5          Range of times but no date and no range of days        8:00am~5:00pm
6          Standard work shift: no dates, days, or time defined   24 hrs a day, 365 days a year
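The priority table above, worked as an added Python model (not code from the slides or from Oracle): each shift definition is classified into one of the six priorities from what it specifies, and at a given moment the matching shift with the lowest priority number is the one in effect. The shift names and dates below are constructed sample data; the assumption that the lowest matching priority number wins is the editor's reading of the table.

```python
# Added example: classify work shifts by the six priorities and pick the active one.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass
class WorkShift:
    """One work shift definition; any of date, day range, time range may be set."""
    name: str
    on_date: date | None = None          # specific date, or None
    days: tuple[int, ...] | None = None  # weekdays (Mon=0 .. Sun=6), or None
    start: time | None = None            # time range start, or None
    end: time | None = None              # time range end, or None

    def priority(self) -> int:
        """Priority number from the table (1 = most specific, 6 = standard shift)."""
        has_time = self.start is not None
        if self.on_date is not None:
            return 1 if has_time else 2
        if self.days is not None:
            return 3 if has_time else 4
        return 5 if has_time else 6

    def matches(self, when: datetime) -> bool:
        """True if the shift definition covers the given moment."""
        if self.on_date is not None and when.date() != self.on_date:
            return False
        if self.days is not None and when.weekday() not in self.days:
            return False
        if self.start is not None and not (self.start <= when.time() < self.end):
            return False
        return True


def active_shift(shifts, when):
    """Return the matching shift with the lowest priority number, or None."""
    matching = [s for s in shifts if s.matches(when)]
    return min(matching, key=lambda s: s.priority(), default=None)


# Constructed shifts mirroring the rows of the table (sample data).
SHIFTS = [
    WorkShift("Standard"),                                                # priority 6
    WorkShift("Office hours", start=time(8), end=time(17)),               # priority 5
    WorkShift("Weekdays", days=(0, 1, 2, 3, 4)),                          # priority 4
    WorkShift("Weekday office hours", days=(0, 1, 2, 3, 4),
              start=time(8), end=time(17)),                               # priority 3
    WorkShift("2001-04-15", on_date=date(2001, 4, 15)),                   # priority 2
    WorkShift("2001-04-15 office hours", on_date=date(2001, 4, 15),
              start=time(8), end=time(17)),                               # priority 1
]
```

April 15, 2001 is a Sunday, so at 9:00 that day the date-specific shifts beat the weekday shifts, while on Monday April 16 the weekday shifts apply.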
Specialization Rule
A rule is made of an Action, an Action Type, an Application and a Name:
• Action: Include or Exclude
• Action Type: Oracle ID, Program, Request Type, User, Application, or Combined Rule
• Application and Name: the application and name of the object of that type (N/A where not applicable)
◎ Specialization Rule: for a particular manager
◎ Combined Rule: generally for multiple managers
Transaction Manager
• Transaction managers handle synchronous requests.
• Each transaction manager is associated with a particular data group.
Conflict Domains
(Figure: two conflict domains, Domain 1 and Domain 2, each a logical database in which Program A and Program B run.)
Processing Conflict Domain
• Hierarchy (first match wins)
  – A program parameter
  – The system profile option "Concurrent:Conflicts Domains"
  – Standard Default Domain
Agenda
• Managing Application Security
• Managing Concurrent Programs and Reports
• Administering Concurrent Managers
• Auditing System Resources
  – Sign On Audit
  – AuditTrail
Types of Auditing Oracle Application
• Auditing user activity (Sign On Audit)
• Auditing database row changes (AuditTrail)
(Figure: changes to a database table are recorded in an audit table.)
Auditing User Activity
• Sign On Audit System Profile Option
• Sign On Audit Reports
• Monitor User Form
System Profile – Audit Level
• Audit Level values: None, User, Responsibility, Form
• System Profile displayed by: Application, Responsibility, User, Site
Sign On Audit Reports
• Sign On Audit Forms Report
• Sign On Audit Users Report
• Sign On Audit Responsibilities Report
• Sign On Audit Concurrent Requests Report
• Sign On Audit Unsuccessful Logins Report
Online Monitor
• Use this window to monitor what your application users are currently doing.
AuditTrail
Auditing Database Changes
(Figure: inserts, updates and deletes on a database table are recorded in its audit table.)
Steps of AuditTrail
• Identify tables and columns to be audited.
• Create audit group.
• Specify columns for auditing.
• Identify Oracle IDs to be audited.
• Run AuditTrail Update Tables Report.
Create Audit Group (screenshot)
Specify Column for Auditing (screenshot)
Run AuditTrail Update Tables Report (screenshot)
Practice 3 & 4
• Use the Concurrent Manager Admin window to query the status of the concurrent managers.
• Auditing
  – Set your Sign-On:Audit Level profile option to Form level, displayed by User.
  – Run the Sign On Audit Users Report (as a request).
  – Monitor online user status.