User Management Self Service Registration


User Management: Self Service Registration

Chuck Kennedy
Solution Beacon
Jeffrey T. Hare, CPA CIA CISA
ERP Seminars

Introduction
The User Management (UMX) module was introduced by Oracle as its new security paradigm to address the RBAC
requirements from NIST [1]. Many of the new modules have taken advantage of the new technology in UMX, and
some have even required its use in order to implement proper security. Many companies are faced with using and
understanding two security models: the original function security model and the UMX model. This is one white
paper in a series of white papers to help companies address this new paradigm.
In this white paper we address the risks related to the self-service registration process in the User
Management module. The self-service registration process can be configured to allow end users to request
access to one or more roles on a self-service basis. There are no seeded rules related to self-service registration roles
or responsibilities. The registration process can require or NOT require an approval process in order for the
requested roles to be provisioned. You need to be careful to configure the registration process to require approval
for requests made against most roles or responsibilities defined. In some cases, such as Employee Self Service, you
may not want an approval. However, likely for 99% of provisioning requests, an approval process will be required.
The definition of the approval process takes advantage of AME's (Approvals Management) flexible approvals
engine.
Let's take a look at this issue.

User Management Additional Requests


The Access Requests menu prompt can be found in the Preferences form which can be accessed from your home
page after logging in as follows:

[1] http://csrc.nist.gov/groups/SNS/rbac/documents/design_implementation/csl95-12.txt

Copyright 2008 ERPS

Copyright 2008 Solution Beacon, LLC

From the Preferences page, you can access the Access Requests process as follows:

Before any roles can be self-served to a user, an Oracle User Management Registration Process must first be created.
Oracle User Management contains an Access Request Tool (ART), a background engine that processes
any self-service requests made by the user that come through the Additional Request registration events and
processes. Let's look at how a registration process can be created that makes a responsibility available for selection in the
user's Access Request form, and how, unless integration with the Approvals Management Engine
(AME) occurs, the responsibility can be added without any approvals whatsoever.
The first step is to go into Oracle User Management and select Registration Processes as below:

After hitting the Create Registration Process button, you select the responsibility or role that you want to be
presented in the Access Request form. In the following screenshot, we are selecting the US HRMS Manager
responsibility:

The next step is to apply any and all of the business processes, approvals and workflows that you want to be executed
when a user selects the US HRMS Manager responsibility from his/her Access Requests form. Please note that
in this example, no approvals have been specified, which means that the US HRMS Manager responsibility will be
added without any approvals. If you want approvals to be associated with the request, you will need to set up the
process and related hierarchy in Approvals Management. Also, notice that the one business event that is specified is
a seeded business event to launch the Access Request Tool (ART) engine:

The last step is to specify which users the US HRMS Manager responsibility is made available to for selection. In the
screenshot below, all users were specified, which means that all users will be able to request additional access to the
US HRMS Manager responsibility (without any approvals, I might add, in this example):

It should be noted that this would be a great place for a Role Based Access Control (RBAC) role to be specified.
Provided there are adequate controls surrounding the authorization process, this would be a good way to
decentralize administration of additional accesses based on RBAC roles that have been defined within the
organization. Once this registration process is saved, the resulting effect is to have the responsibility served up
for self-service selection within all users' Access Requests form as below:

Please note that it takes several minutes for the ART engine to provision or add the responsibility to the requesting
user, but be patient because it will show up there for the user to exercise all the available functions within that
responsibility. So, we've just seen an example where roles and responsibilities can be provisioned to ALL USERS
within the Release 12 footprint without any approvals being required / solicited. Please be sure to add this feature to
your control radars and make sure there are mitigating controls in place should you find this type of access defined
within your environment.
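
One way to put this on the control radar, as an added example that is not part of the original white paper and is not Oracle code: the script below reviews an export of registration process definitions and flags every active process that has no approval attached, rating it HIGH when all users are eligible. The export layout, its column names, the exemption list and the sample rows are assumptions constructed for illustration; map them to whatever your own extract of the UMX configuration provides.

```python
import csv
import io
from datetime import date

# Constructed sample export, one row per registration process.
# Column names are hypothetical and do not mirror Oracle's own tables.
SAMPLE_EXPORT = """\
process_code,role_or_responsibility,ame_transaction_type,eligibility,end_date
REQ_HRMS_MGR,US HRMS Manager,,ALL_USERS,
REQ_ESS,Employee Self Service,,ALL_USERS,
REQ_AP_INQ,Payables Inquiry,,ROLE:FINANCE_STAFF,
REQ_GL_SUPER,General Ledger Super User,GL_ACCESS_APPROVAL,ALL_USERS,
REQ_OLD_PO,Purchasing Buyer,,ALL_USERS,2008-01-31
"""

# Roles the organization has formally accepted as approval-free (assumption).
APPROVAL_EXEMPT = {"Employee Self Service"}


def audit_registration_processes(export_text, today, exempt=APPROVAL_EXEMPT):
    """Return sorted (severity, process_code, reason) for active processes lacking approval."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        end = row["end_date"].strip()
        if end and date.fromisoformat(end) < today:
            continue  # end-dated: the process can no longer be requested
        if row["ame_transaction_type"].strip():
            continue  # approval attached; its hierarchy still needs its own review
        role = row["role_or_responsibility"].strip()
        if role in exempt:
            continue  # documented exception
        eligibility = row["eligibility"].strip()
        if eligibility.upper() == "ALL_USERS":
            findings.append(("HIGH", row["process_code"],
                             f"{role}: any user can self-provision without approval"))
        else:
            findings.append(("MEDIUM", row["process_code"],
                             f"{role}: no approval, eligibility limited to {eligibility}"))
    return sorted(findings)  # "HIGH" sorts ahead of "MEDIUM"


if __name__ == "__main__":
    for severity, code, reason in audit_registration_processes(SAMPLE_EXPORT, date(2008, 9, 1)):
        print(f"[{severity}] {code}: {reason}")
```

Run on a schedule and compared with the previous run, the same check also shows when an approval has been removed from a process that used to have one.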

Conclusion and Recommendations


User Management's self-service feature can be used to automate the provisioning process if time, effort, and
planning are put into its development. However, if used, some additional monitoring needs to be put in place, such as
monitoring of the approval workflows and hierarchies supporting the approvals as well as the definition of each role.
The last thing a company wants is to automate this process, then have an audit failure because the configuration of
the automation has been compromised. For more on risks related to automated application controls, read the white
paper "Auditing Application Controls: Interpreting IIA's Guidance for Users of Oracle Applications", which can be requested
from the Oracle Users Best Practices Board website (www.oubpb.com).

References

Release Content Document Release 12 Oracle Applications Technology
Auditing Application Controls: Interpreting IIA's Guidance for Users of Oracle Applications (www.oubpb.com)

About the Authors


Chuck Kennedy MBA CISA
Chuck is a versatile Enterprise Applications Analyst/Consultant with extensive experience in full life cycle project management,
design, development, implementation and support across multiple operating platforms. Strong focus on the alignment of Oracle
applications with established and/or new business processes. Unique blend of functional and technical expertise provides
leveraging insight into enterprise/project.

Over 15 years' experience in management, design, development, implementation and support of enterprise applications
including 12 years in Oracle Financials, Discrete Manufacturing, Human Resources and Payroll

Combination of business acumen and technical expertise allows cost effective deployment of applications across the
enterprise with high degree of alignment with business processes

Accomplished leader and administrator with demonstrated team building skills and strong history of establishing productive,
action-driven working relationships with client base and project team

Detail-oriented with outstanding analytical, technical documentation and problem resolution skills

Focused, diligent and committed to excellence

Jeffrey T. Hare, CPA CISA CIA


Jeffrey is the founder of ERP Seminars (www.erpseminars.com) and the Oracle User Best Practices Board (www.oubpb.com)
and has written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment. He
has presented white papers to various users groups throughout the country as well as at OAUG and Appsworld conferences. He is
the author and presenter of the seminar "Internal Controls and Security Best Practices in an Oracle Applications Environment".
His background includes Big 4 experience, over six years' experience in CFO/Controller roles, and in the Oracle Applications
space since 1997. Jeffrey can be reached at jhare@erpseminars.com.

About Solution Beacon:


About ERP Seminars:
We recognize the need for companies to have continuing knowledge of industry Best Practices. We team with respected
independent consultants and firms to provide quality, relevant seminars based on these Best Practices prepared and presented by
well-rounded professionals with ERP expertise.
About Oracle Users Best Practices Board:
The mission of the OUBPB is the aggregation of willing writers and reviewers who will participate in a process to develop Best
Practices for the Oracle community. The end result will be a repository of "best practice" white papers and other content for end
users and consultants to reference in their projects and ongoing development.

Version Control

Date       Author                       Version  Reference
01-Sep-08  Chuck Kennedy, Jeffrey Hare  1.0      Initial publication
