ERP 世新大學 ERP 實驗室 Oracle ERP Application Security 電算中心陳育亮資訊管理學系莫明鳳

世新大學 ERPERP 實驗室

Oracle ERP Application Security

電算中心陳育亮資訊管理學系莫明鳳


Agenda

• Managing Application Security• Managing Concurrent Programs and Reports• Administering Concurrent Managers• Auditing System Resources


Agenda

• Managing Application Security– Responsibility

• Definition• Component

– Create User account

• Managing Concurrent Programs and Reports• Administering Concurrent Managers• Auditing System Resources


Responsibility Definition

• Responsibility– A collection of authorizations.

user

Oracle application

responsibility

Windows

Windows

Reports

Reports



Agenda




• Managing Concurrent Programs and Reports• Administering Concurrent Managers• Auditing System Resources


Responsibility Component

Data groupRequest security

group

menu

exclusions


Data Group Definition

• Data Group– A collection of pairings of an application with an

Oracle ID.– Specify the oracle application database accounts

to which a responsibility’s forms and concurrent programs connect.


Data Group

Responsibility xyzResponsibility xyz

Oracle IDCUS

Oracle IDAR

Oracle IDAP

Oracle IDGL

Data groupData group Form

Program

Server

Database Table





group

menu

exclusions


Menu & Exclusions Definition

• Menu– The forms that a responsibility can display and the

functions it can access.

• Exclusions– Modify the responsibility’s access to the forms

and functions specified by a menu.


Menu

Menu Level 1

Function-A

Menu Level 2

Function-B

Function-C

Menu Level 3

Function-A

Function-D


Exclusion and Final Menu

Menu Level 1

Function-AFunction-A

Menu Level 2

Function-B

Function-C

Menu Level 3Menu Level 3

Function-AFunction-A

Function-D

Exclude function

Exclude Menu

Menu Level 1

Menu Level 2

Function-B

Function-C

Function-D





group

menu

exclusions


Request Security Group Definition

• Request Security Group– A collection of reports and other concurrent progr

ams.– Request group lists the concurrent programs that

a responsibilityresponsibility can run. – Request group is assigned to a responsibility, it’s

refered to as a request security group.





group

menu

exclusions


Using Responsibility

Using predefined responsibility

Define application user

Using custom responsibility

Define or modify responsibility

Exclude functions and menus

Define applications user

Define or modify data group

Define or modify menu

Define or modify request group


Agenda




• Managing Concurrent Programs and Reports• Administering Concurrent Managers• Auditing System Resources• Applications DBA Duties


User and Responsibility

user

Oracle application

responsibility

Windows

Windows

Reports

Reports


Create User Account

Enter user name and password

Require password change limit access attempts

Enter user’s start and end dates

Assign one or more responsibilities



Practice 1 & 2

• Query Responsibility “System Administrator” and all it’s components.

• Create a User Account named “your username01” by assigning Responsibility “System Administrator”.


Agenda

• Managing Application Security• Managing Concurrent Programs and Reports

– Request– Request Group– Request Set

• Administering Concurrent Managers• Auditing System Resources• Applications DBA Duties


Request Overview

Request table

Run program…

Run program…

Run program abc

Run program…

User submits request to run program abc

Concurrent manager

Concurrent manager starts program abc


Submit Request Flow

Submit Request

Enter Information

Click Submit

Record RequestID

Enter Parameters

Define Submission Schedule

Completion OptionsOptional

May be required

Optional



Agenda



• Administering Concurrent Managers• Auditing System Resources• Applications DBA Duties


Request Group

• A collection of reports and other concurrent programs within a responsibility.

• One of responsibility’s components.• Responsibility level.• Include

– Application– Program– Set


Agenda



• Administering Concurrent Managers• Auditing System Resources


Request Set

• A collection of reports and other concurrent programs that user group together themselves.

• User level.• Include

– Stage• A component of a request set used to group

requests within the set.


Request Set Stages

Stage 3Stage 3

Request 4Request 5

Stage 1Stage 1

Request SetRequest Set

Request 1Request 2

Stage 2Stage 2

Request 3


Defining a Request Set

Enter Request Set Names

Define Stages

Link Stages

Save

Enter Requests for Stage

Enter Request Parameter



Request Set Privileges

PrivilegePrivilege CreateCreate EditEdit Sets ContainSets Contain OwnOwn

CreatedCreated

SetsSets

Change Change

OwnersOwners

UserUser Yes Own Request Group’s Reports

Yes No

SysAdmSysAdm Yes All Any Reports No Yes


Agenda

• Managing Application Security• Managing Concurrent Programs and Reports• Administering Concurrent Managers

– Concurrent Manager– Transaction Manager– Conflict Domain

• Auditing System Resources


Request Overview

Request table

Run program…

Run program…

Run program abc

Run program…

User submits request to run program abc

Concurrent manager

Concurrent manager starts program abc


Concurrent Manager

Concurrent Manager

Specialization Rules Work Shifts

Target ProcessesProgram AProgram A

Program BProgram B


Work Shifts & Priorities

PriorityPriority Work Shift DefinitionWork Shift Definition ExampleExample

1Specific date & range of times

April 15,20018:00am~5:00PM

2Specific date but no range of times

April 15,2001

3Range of days &

range of timesMon~Fri

8:00am~5:00pm

4Range of days but no range of times

Mon~Fri

5Range of times but

no date and no range of days8:00am~5:00pm

6Standard work shift:

no dates,days , or time defined24 hrs a day

365 days a year


Specialization Rule

ActionAction Action TypeAction Type ApplicationApplication NameName

NameInclude

Exclude

Combined Rule

Oracle ID

Program

Request Type

User

Application

N/A

◎ Specialization Rule:for a particular manager ◎ Combined Rule:generally for multiple managers



Agenda





Transaction Manager

• Transaction managers handle synchronous requests.

• Each transaction manager is associated with a particular data group.



Agenda





Conflicts Domains

LogicalDataBase

LogicalDataBase

Program AProgram A Program BProgram B Program AProgram A Program BProgram B

Domain 1 Domain 2


Processing Conflict Domain

• Hierarchy– A program parameter– The system profile option “Concurrent:Conflicts

Domains”– Standard Default Domain


Agenda


– Sign On Audit– AuditTrail


Types of Auditing Oracle Application

• Auditing user activity(Sign on Audit)

• Auditing database row changes(AuditTrail)

Database tableAudit table


Auditing User Activity

Sign On Audit System Profile Option

Sign On Audit Report

Monitor User Form


System Profile – Audit Level

None

User

Responsibility

Form

System Profile display bySystem Profile display by

Application

Responsibility

User

Site

Audit LevelAudit Level


Sign On Audit Reports

Sign On Audit Forms Report

Sign On Audit Users Report

Sign On Audit Responsibilities

Sign On Audit Concurrent Requests Report

Sign On Audit Unsuccessful Login Report


Online Monitor

• Use this window to monitor what your application users are currently doing.


Agenda


– Sign On Audit– AuditTrail


AuditTrail

Auditing Database Changes

Database tableAudit tableInsert

Update

Delete


Steps of AuditTrail

• Identify tables and columns to be audited.• Create audit group.• Specify columns for auditing.• Identify Oracle IDs to be audited.• Run AuditTrail Update Tables Report .


Create Audit Group


Specify Column for Auditing


Run AuditTrail Update Tables Report


Practice 3 & 4

• Concurrent Manager Admin Window to query concurrent managers status.

• Auditing– Open your Sign-On:Audit Level to Form Level by

Displaying User.– Run Sign On Audit User Report. (Request)– Monitor online user status.

Documents

ERP 世新大學 ERP 實驗室 Oracle ERP Application Security 電算中心 陳育亮 資訊管理學系 莫明鳳

ERP 世新大學 ERP 實驗室 Oracle ERP Application Security 電算中心陳育亮資訊管理學系莫明鳳