User Management Self Service Registration
Chuck Kennedy
Solution Beacon
Jeffrey T. Hare, CPA CIA CISA
ERP Seminars
Introduction
The User Management (UMX) module was introduced by Oracle as its new security paradigm to address the RBAC
requirements from the NIST [1]. Many of the new modules have taken advantage of new technology in UMX and
some have even required its use in order to implement proper security. Many companies are faced with using and
understanding two security models: the original function security model and the UMX model. This is one white
paper in a series of white papers to help companies address this new paradigm.
In this white paper we address the risks related to the self-service registration process in the User
Management module. The self-service registration process can be configured to allow end users to request
access to one or more roles on a self-service basis. There are no seeded rules related to self-service registration roles
or responsibilities. The registration process can require or NOT require an approval process in order for the
requested roles to be provisioned. You need to be careful to configure the registration process to require approval
for requests made against most roles or responsibilities defined. In some cases, such as Employee Self Service, you
may not want an approval. However, likely for 99% of provisioning requests, an approval process will be required.
The definition of the approval process takes advantage of the flexible approvals engine of AME (Approvals
Management).
Let's take a look at this issue.
[1] http://csrc.nist.gov/groups/SNS/rbac/documents/design_implementation/csl95-12.txt
From the Preferences page, you can access the Access Requests process as follows:
Before any roles can be self-served to a user, an Oracle User Management Registration Process must first be created.
Oracle User Management contains an Access Request Tool (ART), a background engine that processes
any self-service requests made by the user that come through the Additional Request registration events and
processes. Let's look at how a registration process can be created that makes a responsibility available for
selection in the user's Access Request form and how, unless integration with the Approvals Management Engine
(AME) occurs, the responsibility can be added without any approvals whatsoever.
The first step is to go into Oracle User Management and select Registration Processes as below:
After hitting the Create Registration Process button, you select the responsibility or role that you want to be
presented in the Access Request form. In the following screenshot, we are selecting the US HRMS Manager
responsibility:
The next step is to apply any and all of the business processes, approvals and workflows that you want to be executed
when a user selects the US HRMS Manager responsibility from his/her Access Requests form. Please note that
in this example, no approvals have been specified, which means that the US HRMS Manager responsibility will be
added without any approvals. If you want approvals to be associated with the request, you will need to set up the
process and related hierarchy in Approvals Management. Also, notice that the one business event that is specified is
a seeded business event to launch the Access Request Tool (ART) engine:
The last step is to specify which users the US HRMS Manager responsibility is made available to for selection. In the
screenshot below, all users were specified, which means that all users will be able to request additional access to the
US HRMS Manager responsibility (without any approvals, I might add, in this example):
It should be noted that this would be a great place for a Role Based Access Control (RBAC) role to be specified.
Provided there are adequate controls surrounding the authorization process, this would be a good way to
decentralize administration of additional accesses based on RBAC roles that have been defined within the
organization. Once this registration process is saved, the resulting effect is to have the responsibility served up
for self-service selection within all users' Access Requests form as below:
Please note that it takes several minutes for the ART engine to provision or add the responsibility to the requesting
user, but be patient because it will show up there for the user to exercise all the available functions within that
responsibility. So, we've just seen an example where roles and responsibilities can be provisioned to ALL USERS
within the Release 12 footprint without any approvals being required or solicited. Please be sure to add this feature to
your control radars and make sure there are mitigating controls in place should you find this type of access defined
within your environment.
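One way to put this on the control radar is to review an export of the registration process definitions and flag every additional-access process that provisions a role with no approval attached. The following is an added example, not part of the original paper and not Oracle code; the record fields, the process type label and the sample rows are constructed for illustration and do not reflect the actual UMX schema.

```python
# Added example: record fields, type label and sample rows are constructed
# for illustration; they are not the UMX schema or Oracle code.
from dataclasses import dataclass
from typing import Optional

# Roles the organisation accepts without approval (the paper mentions
# Employee Self Service as a possible case). Maintain this list explicitly.
NO_APPROVAL_ALLOWLIST = {"Employee Self Service"}

@dataclass
class RegistrationProcess:
    name: str
    grants: str                  # role or responsibility that gets provisioned
    process_type: str            # hypothetical label for the process type
    approval_txn: Optional[str]  # AME transaction type; None/blank = no approval
    eligibility: str             # "ALL_USERS" or the name of an eligible role
    active: bool = True

def audit(processes):
    """Return sorted (severity, process, reason) tuples for risky definitions."""
    findings = []
    for p in processes:
        if not p.active or p.process_type != "ADDITIONAL_ACCESS":
            continue
        has_approval = bool((p.approval_txn or "").strip())
        if has_approval or p.grants in NO_APPROVAL_ALLOWLIST:
            continue
        if p.eligibility == "ALL_USERS":
            findings.append(("HIGH", p.name, f"{p.grants}: no approval, all users eligible"))
        else:
            findings.append(("MEDIUM", p.name, f"{p.grants}: no approval, eligible to {p.eligibility}"))
    return sorted(findings)

# Constructed sample export.
SAMPLE = [
    RegistrationProcess("Request US HRMS Manager", "US HRMS Manager", "ADDITIONAL_ACCESS", None, "ALL_USERS"),
    RegistrationProcess("Request ESS", "Employee Self Service", "ADDITIONAL_ACCESS", None, "ALL_USERS"),
    RegistrationProcess("Request GL Inquiry", "GL Inquiry", "ADDITIONAL_ACCESS", "GL_ACCESS_APPROVAL", "ALL_USERS"),
    RegistrationProcess("Request AP Clerk", "AP Clerk", "ADDITIONAL_ACCESS", "  ", "FINANCE_STAFF"),
    RegistrationProcess("Retired HR request", "US HRMS Manager", "ADDITIONAL_ACCESS", None, "ALL_USERS", active=False),
]

if __name__ == "__main__":
    for severity, name, reason in audit(SAMPLE):
        print(f"{severity:6} {name}: {reason}")
```

A blank approval field is treated the same as a missing one, and allowlisted roles are skipped only because the allowlist names them explicitly, so each exception stays a documented decision.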
References
Over 15 years' experience in management, design, development, implementation and support of enterprise applications
including 12 years in Oracle Financials, Discrete Manufacturing, Human Resources and Payroll
Combination of business acumen and technical expertise allows cost-effective deployment of applications across the
enterprise with high degree of alignment with business processes
Accomplished leader and administrator with demonstrated team building skills and strong history of establishing productive,
action-driven working relationships with client base and project team
Detail-oriented with outstanding analytical, technical documentation and problem resolution skills
Version Control
Date: 01-Sep-08
Author: Chuck Kennedy, Jeffrey Hare
Version: 1.0
Reference: Initial publication