EBS Application Module Security

This post revisits EBS Application Module Security.

1. HRMS Security
In HRMS there are two major security models:

Standard

Security Groups Enabled

Standard HRMS Security is a simple security model used within a single legislation and a single business
group. In this model, typically a Security Profile is created for each distinct group of employees
and it is assigned to a responsibility. It's very simple.
To enable Standard HRMS Security, use the Security Profile screen (US Super HRMS Manager ->
Security -> Profile) to create a Security Profile.
In Security Groups Enabled Security, a single responsibility can be assigned to more than one
business group, so users can access records from multiple business groups. In this model,
multiple security profiles can be assigned to a single responsibility.
A typical example: an HR Manager and an Assistant HR Manager can
use the same responsibility, but will be able to view different data.
For Security Groups Enabled Security, use the Global Security Profiles window.

2. Multi Organization Access Control (MOAC)
MOAC means role-based access to Operating Units.
A single installation of EBS can support different types of organizations, and this feature is the ability to
access multiple organizations from a single responsibility, which is available in the majority of Oracle
application modules.
Typical MOAC scenarios are similar to those listed here:

Limit users to their relevant organizations through security profiles.

Assign inventory organizations to inventory users.

Enter Purchase Orders in one organization and receive goods into any other
organization.

Internal Requisitions from one organization and ship from another organization,
with Intercompany invoicing.

Now, I'm going to explain how to define a security profile. Using Oracle HRMS, you can define your
security profile using two forms: the Security Profile form or the Global Security Profile form that
is shown here. Both forms look almost identical.
The Security Profile Form allows you to select operating units from only one Business Group. The
Global Security profile Form allows you to select operating units from multiple Business Groups.

The decision on which form to use is really up to you and depends on your HR implementation and
how you want to partition data. All you need to do is enter a name, and select the Security Type
called Secure organizations by organization hierarchy and/or organization list. This allows you to
assign multiple OUs. When assigning operating units, first select classification Operating Unit, and
then select the organization or Operating Unit name. You can assign as many operating units as
you want.

3. Bank Account Security


Bank Account Maintenance security secures the creation and update of bank accounts,
whereas Bank Account Access security secures the use of bank accounts.
Bank Account Maintenance Security, which secures the creation and update of bank accounts,
grants users access to one or more legal entities. Users can create and update the bank
accounts whose owner legal entity is registered in the Bank Account Maintenance Security.
When users create bank accounts, the list of legal entities in the Bank Account Owner LOV is
restricted by this security. Users can query and update only those bank accounts whose owner
is registered in this security.
The security setup is done in a wizard called Bank Account Security Management.
Define bank account use and link organization for every account.
Navigation: Cash management Superuser (R) -> Setup -> Banks -> Bank Accounts -> Click
Account Access (T).

Assign organization (Operating Units, Ledger Entities and Business Groups) and bank account use
to a Role.
Navigation: User Management (R) -> Roles & Role Inheritance -> Security Wizards -> CE UMX
Security wizard.

A Bank Account Access security rule is composed of 2 parts:

1. Bank Account Access Setup: defines the organizations that can use an existing bank account.

2. Cash Management Security Profiles: provide a list of organizations that a user has access to.

4. Purchasing Security
Purchasing documents can have 4 levels of security:

Public: Any user may access these documents.

Private: Only the document owner and subsequent approvers can access the
document.

Purchasing: Document owner, subsequent approvers and users listed as buyers
can access.

Hierarchy: Document owner, team members, approvers and others in the security
hierarchy higher than document owner.

5. iSupplier Security
If you have created custom responsibilities that will be assigned to supplier users, securing
attributes must be included in your custom responsibility definition.
There are three securing attributes that can be used to control access. These attributes are all
seeded with the pre-defined Oracle iSupplier Portal responsibilities that are released with the
product:

ICX_SUPPLIER_ORG_ID - Identifier for the supplier.

ICX_SUPPLIER_SITE_ID - Identifier for the supplier site.

ICX_SUPPLIER_CONTACT_ID - Identifier for the supplier contact

You can enable them from Navigation: System Administrator (R) -> Security -> Responsibility ->
Define.

6. Flexfield Security Rules
Flexfield Value Security gives you the capability to restrict the set of values a user can use during
data entry. With easy-to-define security rules and responsibility level control, you can quickly set
up data entry security on your flexfield segments and report parameters.
Flexfield Value Security lets you determine who can use flexfield segment values and report
parameter values. Based on your responsibility and access rules that you define, Flexfield Value
Security limits what values you can enter in flexfield pop-up windows and report parameters.
Security rules for the Accounting Flexfield also restrict query access to segment values in the
Account Inquiry, Funds Available, and Summary Account Inquiry windows. In these windows, you
cannot query up any combination that contains a secure value. However in all other forms, you will
be able to query up a value even if it is restricted to the user.
To use it, use the Define Security Rules window to define value security rules for
ranges of flexfield and report parameter values.
Navigation: Application -> Validation -> Security -> Define.
Use the Assign Security Rules window to assign the flexfield security rules to an application
responsibility.
Navigation: Application -> Validation -> Security -> Assign.
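
A simplified model of how value security rules combine on a responsibility, as an added example that is not part of the original post and is not Oracle's code. It assumes the standard flexfield rule semantics (a rule blocks every value it does not include, an Exclude element overrides an Include, and a value must pass every rule assigned to the responsibility) and plain string comparison of segment values; the rule names, responsibilities and cost-centre values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurityRule:
    """One value security rule: Include/Exclude elements as (low, high) ranges."""
    name: str
    includes: list = field(default_factory=list)
    excludes: list = field(default_factory=list)

    def allows(self, value: str) -> bool:
        def hit(ranges):
            # Assumption: segment values compare as fixed-width strings.
            return any(lo <= value <= hi for lo, hi in ranges)
        # A rule blocks whatever it does not include; Exclude beats Include.
        return hit(self.includes) and not hit(self.excludes)


def value_allowed(value, resp, assignments):
    """A value is usable only if every rule assigned to resp allows it."""
    return all(rule.allows(value) for rule in assignments.get(resp, []))


def usable_values(values, resp, assignments):
    return [v for v in values if value_allowed(v, resp, assignments)]


def audit(values, resp, assignments):
    """Return {value: [rules that block it]} so a reviewer sees why."""
    blocked = {}
    for v in values:
        names = [r.name for r in assignments.get(resp, []) if not r.allows(v)]
        if names:
            blocked[v] = names
    return blocked


# Constructed sample data: cost-centre values, rules and assignments.
COST_CENTRES = ["100", "150", "200", "250", "300", "999"]
R_RANGE = SecurityRule("CC_100_299", [("100", "299")], [("150", "150")])
R_NO_999 = SecurityRule("NO_SUSPENSE", [("000", "998")])
R_EXCL_ONLY = SecurityRule("EXCLUDE_ONLY", excludes=[("999", "999")])  # misconfigured
ASSIGNMENTS = {
    "AP_CLERK": [R_RANGE, R_NO_999],  # two rules: only the overlap is usable
    "GL_TEMP": [R_EXCL_ONLY],         # no Include element: everything is blocked
    "GL_SUPER": [],                   # no rule assigned: no value security
}

if __name__ == "__main__":
    for resp in ASSIGNMENTS:
        print(resp, usable_values(COST_CENTRES, resp, ASSIGNMENTS),
              audit(COST_CENTRES, resp, ASSIGNMENTS))
```

The GL_TEMP case is the one worth checking in a review: a rule built only from Exclude elements locks the responsibility out of every value, not just the excluded one.
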

7. Fixed Assets Security
You can manage your Asset Book Security, as mentioned in a previous post. This functionality
can be understood as:

Secure access to each depreciation book / Ledger

Create a flexible hierarchy of asset organizations

Associate a responsibility with one or more depreciation books

Asset Book Security allows multiple asset books/registers to be managed/administered
independently

A Fixed Assets responsibility can be secured by linking a Fixed Asset Book / Ledger, by executing the
following steps:

Link an Asset organization to the Fixed Asset Set of Book/Ledger.

Establish an Organization hierarchy for the asset organization.

Navigation: Fixed Assets Manager (R) -> Setup -> Security -> Organization ->
Description -> Query Asset Organization -> Select Asset
Organization -> Click Others -> Assign FA Book.

8. Oracle Projects Security


Oracle Projects provides several integrated security mechanisms to help you define user access to
organization, project, and resource information, as well as a variety of Oracle Projects functions.
These mechanisms are all based on function security, which is the foundation of Oracle
Applications security.
Using these integrated security mechanisms, you can define Oracle Projects security at the
following levels:

Responsibility level, across projects.

Project level, using project roles.

Organization level, using predefined organization authority roles.

9. Inventory Organization Access


Inventory organizations can be assigned to responsibilities with inventory screens, thereby
restricting the access to only those inventory organizations.
Navigation: Inventory (R) -> Setup -> Organizations -> Organization Access.

It is a very straightforward form in which you assign which Inventory Organization(s) are available to
a responsibility. The rule behind this form is that once a responsibility is used, the default is that
this responsibility is not allowed to access all inventory organizations, unless you explicitly assign them. The good
side is that this setting is effective immediately; there is no need to submit a what-is-the-name-again
process or set up all-look-like-the-same profile options.

10. Manufacturing Organization Access
Manufacturing organizations can be assigned to responsibilities with manufacturing screens,
thereby restricting the access to only those organizations.
Navigation: Advanced Planning Administrator (R) -> Admin -> Organization Security.

11. Shipping Grants & Warehouse Access
Shipping roles can enable or disable access to individual functions within Shipping.
Navigation: Order Management (R) -> Setup -> Shipping -> Grants and Role Definitions ->
Define Roles.

Shipping roles can then be assigned to individual users.
Navigation: Order Management (R) -> Setup -> Shipping -> Grants and Role Definitions ->
Grants.

12. Order Holds
In Order Management, when further processing has to be prevented on an order, a hold can be
placed and released later.
Navigation: Order Management (R) -> Setup -> Orders -> Holds.

13. Advanced Pricing


Pricing security enables you to restrict pricing activities such as updating and viewing pricing
entities to users who are granted specific access privileges. Pricing entities include price lists,
pricing agreements, and modifiers.
Pricing security can be set up and maintained in the HTML user interface by a user who is assigned
the Oracle Pricing Administrator responsibility. The Oracle Pricing Administrator has the
authorization to access and update all pricing entities for all functional users.
With pricing security, you can implement a higher level of control by:

Assigning pricing entities to operating units: A pricing entity can be assigned
ownership to a specific operating unit. You can restrict usage to one operating unit
or allow usage by all operating units.

Assigning privileges that control which grantee (Global, Operating Unit,
Responsibility, or User level) can view or maintain the specified entity: You can use
security privileges to control users' access to pricing entities in the following ways:

o Grant view-only or maintain access privileges to functional users at the
Global, Operating Unit, Responsibility, or User level.

o Assign or reassign Operating Unit ownership to price lists and modifiers
and control which operating units can use them for pricing transactions.

o Create entity sets (a set consists of grouped pricing entities) and assign
access privileges to the entire set. The Entity Set function is available only
with license to Advanced Pricing.

Setting default rules for security access for new pricing entities.

Note: before turning on pricing security, you must create privileges for existing pricing
entities.
Navigation: Oracle Pricing Administrator Setup -> Security -> Privileges

Hope this post will surely help you address some of the security and audit needs of clients/customers.
