Auditing Oracle E-business Suite

 

Oracle's E-business Suite (EBS), also commonly known as Oracle Applications, is a suite of business applications made up of a large number of distinct software modules, including Oracle Financials, Oracle Marketing, Oracle Supply Chain Management and Human Resources.  It is widely used in businesses and national and local government organisations.  The current version, EBS 12, is based on the Oracle 11g database.

Auditing the E-business Suite is a challenge - it has a large number of components and its internal security is not well documented.  In this intensive course, we will introduce you to the EBS architecture and show you how it interfaces with the Oracle database that supports it.  We will show you the underlying security mechanisms that control the activities of EBS users, and how to audit them.  Using hands-on access to a real EBS 12 environment, you will see how the system is administered, how rights and privileges are granted to users, where the security and control information is stored, and how to access it.  At the end of the course you will take away a detailed EBS audit program and a set of useful SQL scripts to query the EBS control tables.

Suggested duration: 3 days, but can be customised to your requirements.

Agenda

Oracle EBS main areas

System Overview

Oracle EBS multi-tier architecture

  • Security of the database server

  • Security of the application server

  • Server utility programs and their risks

Summary of Oracle EBS Risks

The EBS User Home Screen

  • Tailoring the Home Screen for division of duties

Responsibilities/menus

  • Security hierarchy

  • Responsibilities

  • What is a responsibility?

  • Defining a responsibility

  • Menus and their uses

Request groups and how they interact with EBS

Applications

Concurrent Programs – what are they?

Oracle EBS Logon Security and User Management

  • The Oracle EBS logon process

  • APPLSYSPUB

  • FNDCPASS utility

  • Direct SQL access to production database

  • Cloned databases

  • Foundation tables – FND_USER

  • Foundation tables – FND_ORACLE_USERID

  • FND_USER_VIEW

  • Security Issues

  • Security Profile Settings

  • Limit access to user information

  • SQL Access via Forms

  • Password encryption

  • The GUEST account

  • Checking for a secure GUEST account

  • Password management in R12

Oracle EBS Security Levels

  • Function Security

  • Data Security

  • Role-Based Access Control

  • Role Inheritance Hierarchy

  • Delegated Administration

Profile Options

  • Profile Options - Example

  • How do I audit profile options?

  • Control and audit of profiles

Server Authentication

Flexfields and their purposes

  • Key flexfields

  • Descriptive flexfields

Oracle EBS Auditing

  • Application level auditing

  • End User Access Auditing

  • Database Row Changes (AuditTrail)

Oracle EBS Security Checklist