30 Oracle E-Business Suite (EBS) Security Tips and Tricks
© 2020 Fastpath Solutions, LLC. | 4093 NW Urbandale Drive | Des Moines, IA 50322 | 515-276-1779 gofastpath.com
This eBook takes you through 30 tips and tricks for securing Oracle EBS across three areas: System
Administration, Automated Application Controls, and IT General Controls (ITGC).
The primary goal of this eBook is to equip you with deep Oracle EBS Security 'Power User' knowledge
to do the following:
System Administration
TIP #1: Disable Access to the Diagnostics Menu for All Users
Available from the Help menu, the Diagnostics menu lets users view and directly edit data and
configuration that is not visible or updatable in the standard forms, potentially bypassing application
controls (see Figure 1). Two profile options control whether users can access the Diagnostics menu:
Hide Diagnostics menu entry and Utilities: Diagnostics.
Profile options in Oracle EBS can be set at multiple levels: Site, Application, Responsibility, or User.
A value set at a lower level overrides the Site value, so you must look at all levels to verify that
access is properly restricted. It is best practice to hide the Diagnostics menu for all users of the EBS
environment. To accomplish this, set Hide Diagnostics menu entry to Yes and Utilities: Diagnostics to
No at the Site level.
Once disabled for all users, the Diagnostics menu can then be enabled for specific users, as needed.
For more information on the Diagnostics menu, refer to the Oracle EBS System Administrator's Guide.
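The following query, an added example that is not part of the original eBook, reads the value of both Diagnostics profile options at every level so that a lower-level override of the Site setting cannot hide. It assumes the standard APPS schema and the seeded internal option names FND_HIDE_DIAGNOSTICS (Hide Diagnostics menu entry) and DIAGNOSTICS (Utilities: Diagnostics); the level IDs 10001-10007 are the seeded FND level codes.

```sql
-- Added example (not from the eBook): list every level at which the two
-- Diagnostics profile options are set. Expected result in a hardened
-- environment: one Site row per option (FND_HIDE_DIAGNOSTICS = 'Y',
-- DIAGNOSTICS = 'N') and no rows at any other level.
-- Assumes the APPS schema and the seeded internal option names below.
SELECT pot.user_profile_option_name AS profile_option,
       DECODE(pov.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              10007, 'Server+Responsibility',
              TO_CHAR(pov.level_id))  AS level_name,
       CASE pov.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                          FROM   fnd_application a
                          WHERE  a.application_id = pov.level_value)
         WHEN 10003 THEN (SELECT r.responsibility_key
                          FROM   fnd_responsibility r
                          WHERE  r.responsibility_id = pov.level_value
                          AND    r.application_id    = pov.level_value_application_id)
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = pov.level_value)
         ELSE NULL
       END                            AS level_value_name,
       pov.profile_option_value,      -- stored as 'Y' / 'N' for Yes/No options
       pov.last_update_date,
       (SELECT u.user_name FROM fnd_user u
        WHERE  u.user_id = pov.last_updated_by) AS last_updated_by
FROM   fnd_profile_options        po
JOIN   fnd_profile_options_tl     pot ON pot.profile_option_name = po.profile_option_name
                                     AND pot.language = USERENV('LANG')
JOIN   fnd_profile_option_values  pov ON pov.profile_option_id = po.profile_option_id
                                     AND pov.application_id    = po.application_id
WHERE  po.profile_option_name IN ('FND_HIDE_DIAGNOSTICS', 'DIAGNOSTICS')
ORDER BY pot.user_profile_option_name, pov.level_id, level_value_name;
```

Any row below Site level with FND_HIDE_DIAGNOSTICS = 'N' or DIAGNOSTICS = 'Y' is an override that re-enables the menu for that application, responsibility or user, and the last_updated_by column tells you who to ask about it. Keep the query in your periodic review pack: profile values are data, not code, and are easy to change without a change ticket.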
However, users can still access some submenus or functions even without a value populated in
the Prompt column of the Menus form. Figure 2 provides an example of this.
Therefore, configuring a No Prompt (a submenu or function without a value defined in the Prompt
column of the Menus form) does not necessarily prevent users from accessing the submenu or
function associated with that No Prompt.
Before navigating to Figure 2, here is a quick overview of the major fields in the Menus form,
which allows users to define new menus or modify existing menus:
Menu
A name that Oracle intends to "describe the purpose of the menu"; in practice it often does not. This is
what we would call the "Technical Menu Name", since it is not what the user sees but the identifier
Oracle uses once the menu is configured. When designing custom security, most Oracle EBS
implementers and organizations start this field with "XX" to flag it as a custom rather than a seeded
menu.
Sequence
Sequence number that specifies where a submenu or function entry appears relative to the other
entries in a menu: an entry with a lower sequence number appears before entries with a higher
sequence number in the Navigator window.
• Ex: In Figure 2, the Journals prompt for the GL_SU_JOURNAL submenu (Seq 1) appears first, followed
by the Budget prompt for the GL_SU_BUDGET submenu (Seq 2), and so on until the last sequence
number is reached.
Prompt
As explained above, this represents what the user will see in the hierarchy list of the Navigator
window in order to click and access the related submenu or function.
Figure 2 shows the seeded top-level menu (GL_SUPERUSER) which is assigned to the General
Ledger Super User responsibility. Note the “Prompt” column.
While all the submenus in Seq #1-8 have values populated in the Prompt column, there is no value
for Seq #9, AZN_PR_GL (the GL Process Navigator menu). In theory, then, there should be no prompt
for a user to click in order to reach the GL Process Navigator menu from this top-level menu
(GL_SUPERUSER).
However, for a user assigned the General Ledger Super User responsibility, this is not the case. The
user only needs to click the 'Processes' tab in the Navigator to open the GL Process Navigator menu.
From there, the user can click any of the graphical icons to perform many sensitive record-to-report
activities, including entering, posting and importing journals.
Figure 2 – Example showing the GL_SUPERUSER Menu with No Prompt to the AZN GL Process
Navigator submenu; users can still access this submenu and its resulting functions
Additionally, a 'No Prompt' automatic mitigation in your GRC tool (a condition that excludes every
SoD result where there is no prompt to the conflicting function or submenu) will drop this real,
usable access from reporting. This leads to:
• False negative sensitive access/segregation of duties (SoD) results
• Increased risk of occupational fraud, because unauthorized Oracle EBS access is neither detected
nor remediated
Pay special attention to Responsibility, Menu, and other security settings, such as Form
Personalizations and Function/Menu exclusions, as they determine whether a No Prompt leads to true
or false positive access.
TIP #4: Maintain and Remediate No Prompt Testing Results
In terms of a manageable step-by-step process to periodically evaluate and test No Prompts for
access once you have identified and evaluated them in Tips #2 and #3 above, here is just one
possible step-by-step approach that you can use:
1. Build and run a SQL query to identify which responsibilities, menus, and functions have
changed in a given timeframe (e.g., month, quarter, year) using the Last Update Date field.
2. Create a test username and assign to it a sample of responsibilities that represents all the
security changes noted above.
3. Validate whether you can access the submenu or function by any means available from the
front end only (no database access; this process applies only to the application layer).
4. For each responsibility tested, track your results and perform the following actions as needed:
• Yes = True Access – Perform one of the following actions:
a. Keep the submenu or function in the menu if needed for valid business purposes.
b. Remove the submenu or function from the menu if not needed for valid business
purposes via the Menus form
• No = False Positive Access – Perform one of the following actions:
a. Remove the No Prompt submenu or function from the menu in the Menus form
b. Exclude the No Prompt submenu or function from the menu via a Function/Menu
exclusion in the Responsibilities form
c. ONLY if needed for valid business purposes: Keep the No Prompt submenu or function
and add a mitigating control, rule, or condition in your GRC tool to exclude this No
Prompt from future sensitive access and SoD conflict reporting
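For step 1 of this cycle, the query below (an added example, not taken from the eBook) pulls every responsibility, menu, menu entry, function and responsibility exclusion whose Last Update Date falls inside the review window. It assumes the standard APPS schema; :p_since is a bind variable you supply (for example the first day of the quarter under review).

```sql
-- Added example (not from the eBook): security objects changed since :p_since.
-- Menu entries are reported with their target and prompt so No Prompt entries
-- ([NO PROMPT]) stand out for front-end testing. Assumes the APPS schema.
SELECT 'RESPONSIBILITY'                AS object_type,
       r.responsibility_key            AS object_name,
       CAST(NULL AS VARCHAR2(240))     AS detail,
       r.last_update_date,
       u.user_name                     AS last_updated_by
FROM   fnd_responsibility r
LEFT JOIN fnd_user u ON u.user_id = r.last_updated_by
WHERE  r.last_update_date >= :p_since
UNION ALL
SELECT 'MENU', m.menu_name, CAST(NULL AS VARCHAR2(240)), m.last_update_date, u.user_name
FROM   fnd_menus m
LEFT JOIN fnd_user u ON u.user_id = m.last_updated_by
WHERE  m.last_update_date >= :p_since
UNION ALL
SELECT 'MENU ENTRY',
       m.menu_name,
       'seq ' || me.entry_sequence || ' -> ' || COALESCE(sm.menu_name, ff.function_name)
       || CASE WHEN met.prompt IS NULL THEN ' [NO PROMPT]'
               ELSE ' "' || met.prompt || '"' END,
       me.last_update_date,
       u.user_name
FROM   fnd_menu_entries me
JOIN   fnd_menus m             ON m.menu_id = me.menu_id
LEFT JOIN fnd_menus sm         ON sm.menu_id = me.sub_menu_id
LEFT JOIN fnd_form_functions ff ON ff.function_id = me.function_id
LEFT JOIN fnd_menu_entries_tl met ON met.menu_id = me.menu_id
                                 AND met.entry_sequence = me.entry_sequence
                                 AND met.language = USERENV('LANG')
LEFT JOIN fnd_user u           ON u.user_id = me.last_updated_by
WHERE  me.last_update_date >= :p_since
UNION ALL
SELECT 'FUNCTION', ff.function_name, CAST(NULL AS VARCHAR2(240)), ff.last_update_date, u.user_name
FROM   fnd_form_functions ff
LEFT JOIN fnd_user u ON u.user_id = ff.last_updated_by
WHERE  ff.last_update_date >= :p_since
UNION ALL
-- exclusions matter too: removing one silently re-opens a function or submenu
SELECT 'EXCLUSION',
       r.responsibility_key,
       rf.rule_type || ':' || rf.action_id,   -- M = menu exclusion, F = function exclusion
       rf.last_update_date,
       u.user_name
FROM   fnd_resp_functions rf
JOIN   fnd_responsibility r ON r.responsibility_id = rf.responsibility_id
                           AND r.application_id    = rf.responsibility_application_id
LEFT JOIN fnd_user u ON u.user_id = rf.last_updated_by
WHERE  rf.last_update_date >= :p_since
ORDER BY 4 DESC;
```

Two caveats. Last Update Date only records the most recent change to a row (see Tip #28), so an object changed twice in the window shows once, and a change followed by a revert shows as a change with no visible difference. Deleted menu entries and deleted exclusions leave no row at all, which is why the exclusion branch is in the query: an exclusion that disappeared is the case this report cannot show and the one that most often re-opens access.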
Figure 3 – System Administrator and Application Developer responsibilities provide full access to key
administrative functionality in Oracle EBS
TIP #6: Design and Use Custom Responsibilities for User Access (Seeded Responsibilities NOT
Recommended)
Oracle EBS comes with pre-defined (or “seeded”) responsibilities upon installation. Most of these
seeded responsibilities provide “keys to the kingdom” access to many parts of the system and
create inherent SoD conflicts across all major business processes.
As such, it is best practice to use seeded responsibilities only as a starting point for designing and
building custom responsibilities. If you must use seeded responsibilities, restrict them to the
following cases:
• Emergency account access
• Service accounts that need to process jobs in the background
• Other truly valid business purposes
Be sure to end-date all seeded responsibilities not required for valid business purposes after
designing, implementing and assigning custom responsibilities!
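To find out how far you are from that state, the query below (an added example, not from the eBook) lists every active user assignment to a responsibility that does not follow the custom naming convention. It assumes the APPS schema and the "XX" prefix convention described above for custom objects; adjust the pattern to your own standard.

```sql
-- Added example (not from the eBook): active users holding seeded (non-XX)
-- responsibilities that have not been end-dated. Assumes the APPS schema and
-- that custom responsibility keys start with 'XX'.
SELECT u.user_name,
       rt.responsibility_name,
       r.responsibility_key,
       a.application_short_name,
       urg.start_date                  AS assigned_from,
       urg.end_date                    AS assignment_end_date,
       r.end_date                      AS responsibility_end_date
FROM   fnd_user_resp_groups_direct urg          -- direct assignments only
JOIN   fnd_user u            ON u.user_id = urg.user_id
JOIN   fnd_responsibility r  ON r.responsibility_id = urg.responsibility_id
                            AND r.application_id    = urg.responsibility_application_id
JOIN   fnd_responsibility_tl rt ON rt.responsibility_id = r.responsibility_id
                               AND rt.application_id    = r.application_id
                               AND rt.language          = USERENV('LANG')
JOIN   fnd_application a     ON a.application_id = r.application_id
WHERE  NVL(u.end_date,   SYSDATE + 1) > SYSDATE   -- user still active
AND    NVL(urg.end_date, SYSDATE + 1) > SYSDATE   -- assignment still active
AND    NVL(r.end_date,   SYSDATE + 1) > SYSDATE   -- responsibility not end-dated
AND    r.responsibility_key NOT LIKE 'XX%'
ORDER BY rt.responsibility_name, u.user_name;
```

Each row should map to one of the three accepted cases above (emergency account, service account, documented business purpose) or be remediated. FND_USER_RESP_GROUPS_DIRECT holds only direct assignments; if you grant responsibilities through UMX roles, run the same query against FND_USER_RESP_GROUPS_INDIRECT as well, otherwise role-based grants of seeded responsibilities are missed.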
For example, the Order Management Super User responsibility can access Customer Master Data
via the Actions button (Add Customer option) in the standard Sales Orders form.
Additionally, several responsibilities allow the creation of manual journal entries via the subledger
modules (e.g., Receivables, Payables). Among them are Cash Management, Payables Manager, and
Receivables Inquiry. More on subledger manual journals in Tip #20.
Figure 4 shows that users assigned the Receivables Inquiry responsibility can create manual
journal entries within one of the subledger modules.
The risk here is that users you thought had none or limited access to functions within certain
business processes can make changes to other parts of the system, potentially circumventing
internal controls.
Figure 4 – Users with Receivables Inquiry responsibility can create manual journal entries within
one of the Subledger modules.
TIP #8: Just Because it Says Inquiry Does Not Mean it is ONLY Inquiry!
Some seeded responsibilities and menus with “Inquiry” in the name have full access to critical
functionality. For example, the Payables Inquiry responsibility allows users to create or edit
Supplier Master Data.
In addition, as illustrated in the prior Tip, the Receivables Inquiry responsibility allows users to
create manual journal entries via the Subledger module.
Recommendation for ALL ERP systems (not just Oracle EBS): NEVER assume that seeded roles
or responsibilities with Inquiry (or View Only, etc.) in the name do not have access to process
transactional data or create/modify master data within the application.
As shown in Figure 5, if a user clicks on one of the icons from the graphical navigation, EBS will
launch the form associated with that icon as if the user clicked on the prompt for that menu or
function in the Functions tab. For example, clicking on the “Enter Journals” icon will launch the
Enter Journals form and allow users to create journal entries.
Since this can create severe security risks, it is best practice to remove all AZN menus from all
responsibilities utilizing menu exclusions and other means to eliminate this backdoor access.
TIP #10: Continuously Monitor Users and Responsibilities for AZN Menu Access
Since access to AZN Menus (Figure 6) can be re-introduced via upgrades, it is a good practice to
continuously monitor active users and responsibilities for unintended AZN Menu access.
Oracle’s Preventive Controls Governor (PCG) product, part of the Oracle Advanced Controls Suite,
can be leveraged to build Form and Flow rules which, when configured appropriately, can quickly
detect and exclude all AZN menus from all responsibilities on an ad-hoc or periodic basis.
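Without PCG, the same check can be scripted directly against the menu tables. The query below is an added example (not from the eBook, and not the PCG rule itself): for every active responsibility it walks the menu tree from the responsibility's top-level menu and reports two things discussed on this page, reachable AZN submenus (Tips #9 and #10) and No Prompt entries (Tips #2 to #4), while honouring Function/Menu exclusions set on the responsibility. It assumes the standard APPS schema, the seeded AZN naming of process-navigator menus, and rule types 'M' (menu) and 'F' (function) in FND_RESP_FUNCTIONS.

```sql
-- Added example (not from the eBook): AZN submenus and No Prompt entries
-- reachable under each active responsibility, net of exclusions.
-- Assumes the APPS schema; AZN% is the seeded process navigator naming.
WITH resp AS (
  SELECT r.responsibility_id, r.application_id, r.responsibility_key, r.menu_id
  FROM   fnd_responsibility r
  WHERE  NVL(r.end_date, SYSDATE + 1) > SYSDATE
),
tree AS (
  -- every menu entry reachable from a responsibility's top menu;
  -- menu_id_path is '/<root>/.../<parent>/<submenu>/' for ancestor checks
  SELECT CONNECT_BY_ROOT me.menu_id AS root_menu_id,
         me.menu_id, me.entry_sequence, me.sub_menu_id, me.function_id, me.grant_flag,
         SYS_CONNECT_BY_PATH(me.menu_id, '/') || '/' || me.sub_menu_id || '/' AS menu_id_path,
         LEVEL                      AS depth
  FROM   fnd_menu_entries me
  START WITH me.menu_id IN (SELECT menu_id FROM resp)
  CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
)
SELECT rs.responsibility_key,
       parent.menu_name            AS in_menu,
       t.entry_sequence,
       met.prompt,
       sub.menu_name               AS sub_menu,
       ff.function_name,
       t.grant_flag,
       t.depth,
       CASE
         WHEN sub.menu_name LIKE 'AZN%' THEN 'AZN process navigator menu reachable'
         ELSE 'No Prompt entry: test from the front end (Tip #4)'
       END                         AS finding
FROM   tree t
JOIN   resp rs                   ON rs.menu_id = t.root_menu_id
JOIN   fnd_menus parent          ON parent.menu_id = t.menu_id
LEFT JOIN fnd_menus sub          ON sub.menu_id = t.sub_menu_id
LEFT JOIN fnd_form_functions ff  ON ff.function_id = t.function_id
LEFT JOIN fnd_menu_entries_tl met ON met.menu_id = t.menu_id
                                 AND met.entry_sequence = t.entry_sequence
                                 AND met.language = USERENV('LANG')
WHERE  (sub.menu_name LIKE 'AZN%' OR met.prompt IS NULL)
-- a menu exclusion on the submenu itself or on any ancestor hides the whole branch
AND NOT EXISTS (SELECT 1 FROM fnd_resp_functions rf
                WHERE  rf.responsibility_id = rs.responsibility_id
                AND    rf.responsibility_application_id = rs.application_id
                AND    rf.rule_type = 'M'
                AND    INSTR(t.menu_id_path, '/' || rf.action_id || '/') > 0)
-- a function exclusion removes a function entry regardless of its prompt
AND NOT EXISTS (SELECT 1 FROM fnd_resp_functions rf
                WHERE  rf.responsibility_id = rs.responsibility_id
                AND    rf.responsibility_application_id = rs.application_id
                AND    rf.rule_type = 'F'
                AND    rf.action_id = t.function_id)
ORDER BY rs.responsibility_key, t.depth, parent.menu_name, t.entry_sequence;
```

Run it after every patch or upgrade and diff the AZN rows against the previous run; a new row means the upgrade re-introduced a process navigator under a responsibility you had cleaned. The No Prompt rows are the candidate list for the front-end test in Tip #4, not proof of access: Form Personalizations and function-level security the query does not see can still change the outcome, which is why step 3 of that tip is done through the application.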
TIP #11: Check Your Credit Before You Wreck Your Credit!
To enforce credit checking in Oracle EBS, multiple configurations, at different levels, must be set
appropriately to:
• Perform a credit check on sales orders at the time the orders are booked
While there may be others specific to your organization, correctly setting the following
configurations at these 4 levels will greatly help your organization properly enforce credit checking:
1. System
• AR Payment Terms
• Customer Profile Classes
• Holds
2. Operating Unit
• Credit Check Rules
• Credit Profiles
• ONT Transaction Types
3. Customer
• Credit Limit
• Order Amount Limit
4. Customer Site
• Credit and Collection
• Profile Amounts
NOTE: Don’t try to set everything right all at once! Instead, take a structured, practical approach to
address/test/validate one configuration setting at a time before moving on to the next one.
We recommend this for any application control that requires setting and synchronizing multiple
configurations in order for the control to address the applicable risks.
TIP #12: Age Those Buckets
If your organization uses and relies on AR Aging Reports, make sure your Aging Buckets (Figure
7) are configured appropriately for overdue invoices to appear in the correct AR Aging Reports
used by the business.
For example, in the Collections aging bucket shown in Figure 7, someone could delete Sequence
Number 3, then change the Days To setting from "60" to "90" in Sequence Number 2 but leave its
Column Heading as "31-60 Days". This would give someone like an AR Manager reading the report the
false impression that some overdue AR invoices are not delinquent debt when in fact they are.
Under this scenario, an AR invoice overdue by 70 days would appear to the AR Manager as being only
31-60 days overdue. This can lead to problems with collections and cash flow.
Multiple configurations at the Operating Unit level must be set appropriately in order for Oracle
EBS to enforce this approval hierarchy for purchase requisitions & purchase orders based on the
total requisition & PO value, respectively, as well as disallow them to be approved by the same
user who entered them.
Three of these configurations that will help you enforce this approval hierarchy are:
• Approval Groups
• Approval Assignments
• Document Types
TIP #14: Match, match, match!
3-Way Matching helps ensure that purchase orders, invoices, and receipts are validated from
both a pricing and quantity perspective as you go through the procurement process. Like Credit
Checking (See Tip #11), multiple configurations at different levels must be set appropriately in
order for Oracle EBS to:
• Require matching on all AP invoices
• Place any AP invoices that don't comply with these configurations on hold
Appropriately setting these configurations will help to achieve these and other purchasing and
payables control objectives:
• Tolerances
• Payables Options
• Invoice Release Holds
Oracle has published many MoS (My Oracle Support) Documents on how to detect and secure
this supplier access, however, actually securing it can still be a challenge.
Review MoS Documents, build Forms Personalizations, or talk to consultants with Oracle EBS
technical expertise to help you design, build and validate custom supplier inquiry responsibilities.
TIP #16: Identify Supplier Creation/Inquiry Access
Oracle provides a diagnostic script to help detect supplier creation and inquiry access in your EBS
environment (see Figure 8).
TIP #17: Oracle EBS Does NOT Prevent All Duplicate Invoice Payments
While Oracle EBS will prevent certain duplicate invoice payments, it will not stop all of them. For
example, the payments of two invoices with the same invoice number & amount within two
different operating units would be allowed to process without an error or warning message.
Oracle EBS does not look across operating units and as such, will not flag these as duplicate
invoices.
The solution is a detective control, whether a custom report or a GRC tool, that checks invoices
across operating units for duplicate invoice numbers as well as the other variables (supplier, amount,
date) that can lead to erroneous or fraudulent duplicate invoice payments.
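A minimal version of that cross-operating-unit check, written here as an added example rather than taken from the eBook, groups invoices by supplier, normalised invoice number, amount and currency and keeps only the groups that span more than one operating unit. It assumes the R12 APPS schema (AP_INVOICES_ALL with ORG_ID as the operating unit, AP_SUPPLIERS for the supplier name).

```sql
-- Added example (not from the eBook): candidate duplicate invoices across
-- operating units, which the standard per-OU duplicate check does not flag.
-- Assumes the R12 APPS schema.
SELECT ai.vendor_id,
       s.vendor_name,
       REGEXP_REPLACE(UPPER(ai.invoice_num), '[^A-Z0-9]', '') AS invoice_num_norm, -- 'INV-123' = 'inv 123'
       ai.invoice_amount,
       ai.invoice_currency_code,
       COUNT(*)                                              AS invoice_count,
       COUNT(DISTINCT ai.org_id)                             AS operating_units,
       LISTAGG(ai.org_id || ':' || ai.invoice_num || ' (' || TO_CHAR(ai.invoice_date, 'YYYY-MM-DD') || ')', '; ')
         WITHIN GROUP (ORDER BY ai.org_id, ai.invoice_date)  AS invoices
FROM   ap_invoices_all ai
JOIN   ap_suppliers s ON s.vendor_id = ai.vendor_id
WHERE  ai.cancelled_date IS NULL                             -- cancelled invoices cannot be paid
GROUP BY ai.vendor_id,
         s.vendor_name,
         REGEXP_REPLACE(UPPER(ai.invoice_num), '[^A-Z0-9]', ''),
         ai.invoice_amount,
         ai.invoice_currency_code
HAVING COUNT(DISTINCT ai.org_id) > 1
ORDER BY ai.invoice_amount DESC, s.vendor_name;
```

The normalisation of the invoice number is the part that matters: the seeded check compares the literal string, so "INV-123" and "INV 123" for the same supplier are two invoices to EBS and one invoice to the supplier's bank. The query still misses a supplier that exists twice in the supplier master (same vendor_name, different vendor_id), which Tip #16's supplier access review and a supplier de-duplication pass need to cover separately.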
Disabling Freeze Journals on journal sources allows users to change GL accounts or debit/credit
amounts on journals created from those sources. This could lead to financial statement fraud such as
net income overstatements or understatements. Best practice is to freeze all system-generated journal
sources (Receivables, Assets, etc.) and leave only manual journal sources unfrozen.
Therefore, no user should be able to create manual journal entries within the subledgers unless
management has designed controls to detect and identify these manual subledger journals.
Enabling journal approval will also help mitigate this risk.
Figure 10 – Users with access to the Subledger Journal Entries screen can create manual journal entries
and make them look like system-generated journals
IT General Controls (ITGC)
Instead, you should establish and implement a formal user provisioning process which contains
the following high-level steps for your organization:
TIP #22: Establish a Formal User Termination Process
Likewise, there should be a formal process for terminating users:
NOTE: Make sure Oracle EBS and all key/in-scope systems are integrated appropriately with
Active Directory (network access). Integration with Active Directory ensures IT will know when an
employee has been terminated and not have to wait for HR to inform them.
There may be a legitimate reason why IT was not told about an employee’s termination, but SOX
auditors are generally not interested in the explanation.
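Whatever the upstream integration, the check an auditor will perform is simple to reproduce. The query below is an added example (not from the eBook) that lists EBS users whose linked employee has an HR termination date in the past but whose FND_USER record is still open. It assumes Oracle HRMS is in use, that FND_USER.EMPLOYEE_ID links to PER_ALL_PEOPLE_F.PERSON_ID, and that terminations are recorded in PER_PERIODS_OF_SERVICE.ACTUAL_TERMINATION_DATE.

```sql
-- Added example (not from the eBook): EBS users still active after the
-- linked employee's HR termination. Assumes the APPS schema with Oracle HRMS.
SELECT u.user_name,
       p.full_name,
       pos.actual_termination_date,
       TRUNC(SYSDATE) - TRUNC(pos.actual_termination_date) AS days_open_after_termination,
       u.last_logon_date,
       u.end_date                                          AS user_end_date
FROM   fnd_user u
JOIN   per_all_people_f p
       ON p.person_id = u.employee_id
      -- latest date-tracked person record
      AND p.effective_end_date = (SELECT MAX(p2.effective_end_date)
                                  FROM   per_all_people_f p2
                                  WHERE  p2.person_id = p.person_id)
JOIN   per_periods_of_service pos
       ON pos.person_id = p.person_id
      -- latest period of service only, so a rehired employee is not flagged
      AND pos.date_start = (SELECT MAX(pos2.date_start)
                            FROM   per_periods_of_service pos2
                            WHERE  pos2.person_id = p.person_id)
WHERE  pos.actual_termination_date < TRUNC(SYSDATE)
AND    NVL(u.end_date, SYSDATE + 1) > SYSDATE                -- FND_USER not end-dated
ORDER BY pos.actual_termination_date;
```

Sort by days_open_after_termination and compare against the SLA in your termination process; any row with a last_logon_date after the termination date is an incident, not a housekeeping item. Accounts with no employee_id (service, generic and consultant accounts) fall outside this query and need their own owner list and review.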
TIP #23: Plan For And Remove Emergency Access
There are times when access privileges must be temporarily granted to some individuals in
emergency or temporary situations (vacation, sick, troubleshooting, etc.). Make sure you have a plan
in place for approving, assigning, and removing emergency access privileges when the need arises.
The following illustrates Fastpath’s Access Certification automated user access review process:
1. Fastpath generates a report of users and their access privileges based on the configured Review
Type. In the case of Oracle EBS, the most commonly used report type is user-responsibility
assignments.
2. Managers review these reports and accept or reject each item (e.g. user-responsibility
assignment) as follows:
• If accepted, the user access is authorized, and no further action is required.
• If rejected, the user access is unauthorized and remediation or corrective action must
be taken to remove the user’s access. Fastpath has a workflow option available where
reviewers can send the results of their reviews to their organization’s IT Security Team
responsible for adding or removing user access in Oracle EBS. From there, the IT Security
Team can use the results to perform the remedial or corrective actions.
TIP #27: Redesign Business Processes for SoD
Users should not have access to multiple parts of a process. Whenever you are performing a
business process walkthrough, make sure you identify vulnerabilities in your business processes,
an essential requirement for SOX compliance. This can be hard to do without a GRC tool.
TIP #28: Establish a Process to Track All Configuration Changes You Make to the System
Auditors might ask you for a list of all configuration changes over the past year, and Oracle EBS
does not provide this for you. One common misperception about ITGC-Change Management
testing is that viewing the last update will show all previous updates.
Unfortunately, this is not correct and there is no easy or reliable way to obtain a report of all Oracle
EBS application configuration changes out of the box. The Last Update Date (see Figure 11) will
not tell you how many times a field has been updated, simply when it was last updated.
Custom reports from GRC tools such as Fastpath’s Audit Trail solution are much better
alternatives that can help provide this information and allow you to maintain reporting to ensure
you track all key configuration changes to the system.
Figure 11 – The Last Update Date will not tell you how many times a field has been updated,
simply when it was last updated
TIP #30: Security is More Than Just Oracle EBS – Look Beyond the Application Itself
There are multiple layers to the Oracle EBS architecture other than the application layer, and each
layer has unique security issues and mitigating actions. These layers, or Rings of Security, are the:
• Database
• Application
• Network / Infrastructure
• Users
As an administrator, you are responsible for asking the difficult questions – and continuing to ask
them – to make sure that your organization’s overall security is maintained, such as:
• Why does the controller need to process AP?
• Why did the accountant make changes to our suppliers?
• What system does the functionality for this high-risk business process activity come from?
Also, look for any other systems that integrate with Oracle EBS, such as Salesforce and Workday for
CRM and HR activities. Transactional and master data flow between all of these systems can create
SoD issues across applications that may be hard to find without a dedicated search or tool that can
provide robust SoD insights and reporting across multiple applications.
Conclusion
As mentioned in the Introduction, securing your Oracle E-Business Suite (EBS) application is an
ongoing and evolving task. It is not something you perform once on installation and never need to
worry about again. Maintaining a secure environment requires consistent, diligent monitoring.
Accomplishing the tips and tricks outlined in this eBook will significantly help you achieve optimal
and robust Oracle EBS application security. Additionally, it will achieve more sound governance and
remediation of key business and IT risks for your organization.
To watch an on-demand session on this topic presented by Fastpath, please visit this link, “30
Security Tips n’ Tricks for Oracle EBS in 30 Minutes”.
About Fastpath
Founded in 2004, Fastpath has deep expertise in audit, security, and compliance, with multiple
Certified Internal Auditors, CISAs, and CPAs on the team. Fastpath has global partnerships with
several audit firms and a client base which spans across multiple industries within both publicly
traded and privately held companies. Fastpath Assure® is a cloud-based audit platform that can
track, review, approve, and mitigate access risks across multiple systems from a single dashboard.
Visit our website for additional resources like this eBook, on-demand webinars, and more.
For a live demonstration which targets your specific requirements, please contact us.