Oracle System Administration Practice Aid


    Practice Aid

    Oracle System Administration

    Release 12

    PricewaterhouseCoopers-For internal use only 2007 PricewaterhouseCoopers. All rights reserved. Page 1 of 89

    Internal use only -- U. S. Firm use only


    Table of Contents

    A. INTRODUCTION
       1. Engagement Tools
    B. ORACLE ENGAGEMENT CONSIDERATIONS
    C. ORACLE APPLICATION HIGHLIGHTS
       1. Application Structure
       2. Oracle Application Release History
       3. Overview of System Administration
    D. FLEXFIELDS
       1. Flexfield Types
       2. Key Flexfield Components
       3. Descriptive Flexfield Components
    E. AUDITING
       1. Oracle Auditing Methods
       2. Non-Audit Based Change Control
       Configuration/Functionality Changes with iSetup
    F. END USER ACCESS
       1. Responsibility and Security Group Management
       2. User Management
       3. Password Management
       4. Identity Management
       5. Multi organization access control
    G. APPLICATION SUPPORT RESPONSIBILITIES AND USERS
       1. Support Responsibilities
       2. Application Support User IDs
       3. APPS Database ID
    H. SYSTEM PROFILE OPTIONS
       1. Site-Level
       2. Application-Level
       3. Responsibility-Level
       4. User-Level
       5. Key Profile Options
    I. SEGREGATION OF DUTIES CONCEPTS
    J. RESTRICTED ACCESS/SEGREGATION OF DUTIES
       1. Application Setups
       2. Standing Data
       3. Segregation of Duties
    K. RELEVANT MODULES
       1. iSetup
       2. AME
    L. FORMS THAT ACCEPT SQL ENTRY
    M. GLOSSARY
       1. Key Oracle Functionality


    A. Introduction

    This Practice Aid and the associated tools (Work Program(s) and GATE) are for INTERNAL USE ONLY. As management is responsible for designing and implementing a system of internal control, this Practice Aid and its associated tools should not be distributed to our clients.

    These tools are intended to be used by PwC Oracle specialists performing an audit, attestation or consulting engagement involving the review of the client's Oracle application. For individuals intending to use this Practice Aid and / or related tools, they must have sufficient technical skills to conduct such work. It is highly recommended that at least one member of the team has specific training or experience in the ERP wherever practicable.

    1. Engagement Tools

    The Tools noted below provide a general overview of the Oracle application, along with its related control risks and common application controls. When these tools are utilized, the following important caveats and reminders should be considered prior to the use of these tools:

    Refer to PwC Audit Guide for policy on understanding, evaluating and validating internal controls. This Practice Aid and related tools are not a substitute for PwC Audit.

    This Practice Aid and its related tools should only be used in conjunction with proper risk-based engagement planning and scoping. The relevance and importance to the engagement of transaction processing, risks and controls associated with the noted modules of Oracle should be clearly understood before work is begun, and the tools should be tailored to each client environment.

    This Practice Aid and its associated Work Program(s


    For guidance on other modules within Oracle for which there is no PwC Practice Aid, please refer to appropriate Oracle User guides for further details. These can be found at http://www.oracle.com/technology/documentation/index.html

    Each practice aid is specifically written for Oracle's Release 12 and is divided into main sections, as outlined below:

    1.1.1. Introduction/Engagement Approach

    The Introduction section of each practice aid outlines potential tools and engagement approaches that may be used when conducting an assessment of an Oracle ERP system. In addition, this contains important Risk and Quality-related caveats and reminders that should be followed for every Oracle engagement.

    1.1.2. Business Setups

    In this section, key set-ups and configurations that are generally only configured upon installation, upgrades, or major business events are discussed. Definitions of the key configurations are provided to give the practitioner a basic understanding of the setups.

    1.1.3. Standing Data

    Within the Standing Data section, key configurations that are subject to periodic changes are discussed. Along with functionality definitions, this section outlines how standing data is generally entered into the application. In addition, the linkages between the standing data and business setups are outlined.

    1.1.4. Transactions

    This section outlines the key transactions within the business process. This includes the definition of the transactions, how transactions are generally entered into the system, as well as the data flow between transactions, standing data, and business setups.

    1.1.5. Access and Segregation of Duties

    This section outlines the typical access and segregation of duties risks within the Practice Aid's business process.

    Within the Standing Data and Transactions sections of the Practice Aid, "Control Considerations" are also outlined. Each Control Consideration section is broken into 4 parts, as outlined below:

    o Business Process Variables: These discuss the most common configurations/transactions that may be set up or used differently depending upon the client's use of Oracle's functionality.

    o Control Dependencies: This section outlines how configurations or transactions are dependent upon each other or other settings within the application.

    o Control Limitations: This section outlines how system configurations or transactions may be overridden. In addition, this section highlights common misconceptions about how the configuration or transaction operates.

    o Testing Notes: This section provides suggestions on how a practitioner might test or assess configurations and/or transactions.

    The controls considerations section of the Practice Aid focuses solely on high-level concepts. For a listing of controls, refer to the module's work program. This Practice Aid does not list all Oracle standard reports that exist for this cycle. For a complete list of this module's standard Oracle Reports, refer to the Oracle user guide at http://www.oracle.com/technology/index.html. However, for the SA functionality the user guide does not cover all existing reports.


    1.2. Work Program

    The Work Program outlines the typical automated controls within the Oracle application. For each control, this document provides a typical control description, business risk, control objective, financial statement assertions, information processing objectives, Oracle Application navigation path, validation procedures, and expected results. Each process's work program is specifically designed for a particular release of the Oracle Application.

    For the purposes of an audit of financial statements, an audit of internal controls over financial reports or an integrated audit, teams should consider those controls which have been classified as Financial in nature. The work program is currently available through the Knowledge Gateway in the US (accessible through Knowledge Curve) or Guardian (http://guardian.pwcinternal.com) in other territories.

    1.3. GATE

    Oracle GATE is a proprietary web-based tool developed to assist in the analysis of Oracle configuration and security. The tool may be used in an audit of financial statements, audit of internal controls over financial reporting or a consulting non-attest review of the Oracle application. For Oracle releases 11.5.7 and later, Oracle GATE can assist with segregation of duties analysis and module configuration. To use Oracle GATE, a series of SQL queries are run against the client's environments to pull data from Oracle database tables. The output from these queries is uploaded to the GATE server and queries can be run against the server to obtain information about how the client's Oracle Application is configured. The Oracle GATE tool can be accessed at oraclegate2.pwcinternal.com.

    For individuals intending to use GATE, they must have sufficient technical skills to conduct such work.

    Note: Prior to running any command or script on a client system, discuss with the client and obtain verbal consent. Written consent is also recommended to the extent that this may be obtained.


    B. Oracle Engagement Considerations

    Practitioners may want to consider the following items during an audit of financial statements, an audit of internal controls over financial reporting, or a consulting non-attest review of the Oracle application.

    1) Determine which version of the software your client is using. Check the version against the compatibility table in the "Application Highlights" section of this Practice Aid, to ensure the appropriate Practice Aid is utilized.

    2) Inquire of the client's business owners and system administrator if any customizations to the standard software have been made. Request a list of these customizations to assess the effect.

    3) Confirm the number of instances (separate Oracle databases environments) that the client maintains.

    4) Confirm the number of Ledgers, Operating Units and Modules in scope within each Oracle instance.

    5) Interview the systems administrator or other suitable IT personnel to gain knowledge and understanding of the system design (linkage with external applications, databases and network


    C. Oracle Application Highlights

    1. Application Structure

    The Oracle E-Business Suite (EBS) Enterprise Resource Planning (ERP) system is an integrated software solution that runs off an Oracle database instance. An ERP consists of applications or "modules". Most modules hold transactional data for each business process area (financials, supply chain management, customer relationship management, manufacturing, human resources, etc.


    There is no default user access that is granted just by being given an account in Oracle EBS. The security administrator (through the System Administrator responsibility) must assign a User ID with responsibilities for the user to be granted abilities to perform tasks/functions within Oracle.

    Due to the newly introduced multi-organizational access control (MOAC) functionality, users can access multiple operating unit (OU) data either within or across business groups from a single responsibility. Using MOAC, multiple operating units are assigned to a security profile. This security profile is then assigned either to responsibilities or directly to users. A typical usage would be a responsibility in a shared service centre, which serves different operating units. For further details on MOAC please refer to the section on Multiple Organization Access Control.

    3.4. System Profile Options

    System Profile Options can be grouped into three types: Security, Organization, and Server types. Practitioners are mainly concerned with Security type profile options that affect the operation of Oracle Applications. Security type profile options can be configured according to the needs of the user community, as they can be set at the Site, Application, Responsibility, or User level. Security profile options are generally maintained by the Application System Administrators and may be set at more than one level: Site has the lowest priority, superseded by Application, then Responsibility, and finally User. Higher profile option settings will override lower level options. The security system profile options hierarchy is documented below in the diagram. Please see the System Profile Options section of this Practice Aid for more details.
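The precedence rule above (Site lowest, then Application, then Responsibility, User highest) can be applied mechanically when reviewing an extract of profile option settings. The following Python code is an added example, not part of the Practice Aid, GATE or Oracle's own code; the record layout, the user and application names and the option values are constructed, and a blank value is assumed to mean "not set at this level".

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Precedence as stated in the text: Site is lowest, then Application,
# then Responsibility, and User is highest.
LEVELS = ("SITE", "APPLICATION", "RESPONSIBILITY", "USER")
RANK = {name: rank for rank, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Setting:
    option: str
    level: str              # one of LEVELS
    target: Optional[str]   # application, responsibility or user name; None for SITE
    value: str              # "" = blank, assumed to mean "not set at this level"


@dataclass(frozen=True)
class Session:
    user: str
    responsibility: str
    application: str


def _applies(setting: Setting, session: Session) -> bool:
    """True when the setting's level and target cover this session."""
    if setting.level == "SITE":
        return True
    key = {
        "APPLICATION": session.application,
        "RESPONSIBILITY": session.responsibility,
        "USER": session.user,
    }[setting.level]
    return setting.target == key


def resolve(settings: Iterable[Setting], option: str,
            session: Session) -> Optional[Setting]:
    """Return the setting that wins for this session, or None if unset everywhere."""
    live = [s for s in settings
            if s.option == option and s.value.strip() and _applies(s, session)]
    return max(live, key=lambda s: RANK[s.level]) if live else None


def overrides(settings: Iterable[Setting], option: str,
              sessions: Iterable[Session]) -> List[Tuple[str, str, str, str]]:
    """List sessions whose effective value comes from above the site level."""
    settings = list(settings)
    findings = []
    for session in sessions:
        winner = resolve(settings, option, session)
        if winner is not None and winner.level != "SITE":
            findings.append((session.user, session.responsibility,
                             winner.level, winner.value))
    return findings


# Constructed sample data (not taken from any client system).
OPTION = "Sign-On: Audit Level"
SETTINGS = [
    Setting(OPTION, "SITE", None, "User"),
    Setting(OPTION, "RESPONSIBILITY", "GL Controller", "Form"),
    Setting(OPTION, "USER", "USER1", ""),       # blank: falls through
    Setting(OPTION, "USER", "USER2", "None"),   # user-level value wins
]
SESSIONS = [
    Session("USER1", "GL Controller", "General Ledger"),
    Session("USER1", "AR Inquiry", "Receivables"),
    Session("USER2", "GL Controller", "General Ledger"),
]

if __name__ == "__main__":
    for finding in overrides(SETTINGS, OPTION, SESSIONS):
        print("override:", finding)
```

A reviewer would pay most attention to rows where a user-level or responsibility-level value weakens a site-level security setting, as for USER2 in the sample data.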


    [Figure labels: User 1, User 2; GL Controller, AR Inquiry, AP Payment; Supervisor; Oracle Role (available in 11.5.10]

    s components and tie the Key Flexfield to the Application. Below, the Accounting Flexfield named Operations_Accounting (the structure) is created.


    The following window is used to configure the number of segments, their appearance and meaning as well as the validation of segment values, if required. In the example below, the account segment is assigned a value set "Operations Account" which restricts the range of values that can be defined for the account segment to a maximum size of 4 alphanumeric characters.

    Because the conditions specified for value sets determine what values can be used for them, both value sets and values should be defined at the same time. For example, if values are designed to be 6 characters long ranging from 000001, 000002 to 999999 instead of 1, 2, etc, the value set would be defined to accept only values with "Right-Justify Zero-fill" set to "Yes" and other validation parameters set accordingly as illustrated below.

    2.3.2. Flexfield Segment


    Other applications, such as Oracle Human Resources, also use flexfield qualifiers. Oracle Human Resources uses flexfield qualifiers to control who has access to confidential information in flexfield segments.

    2.4. Flexfield Segment Values

    There are 3 key concepts to consider regarding Flexfield Segment values:

    o Definition of Segment Values

    o Segment Value Qualifiers

    o Segment Value Combinations

    2.4.1. Definition of Segment Values

    Segment values are individual values contained within the segment that further define the segment definition. In the example below, Total Assets (account 1000Account'Segment:


    2.4.2. Segment Value

    s practice aid for control considerations pertinent to that module's specific flexfields.

    3. Descriptive Flexfield Components

    Descriptive Flexfields (DFFs) use the same concepts as Key Flexfields, including Structure, Segments, and Segment Values. The difference with descriptive flexfields is that they use columns that are added on to a database table. The table contains any columns that its entity requires, such as a primary key column and other information columns. For example, a Vendors table would contain columns for standard vendor information such as Vendor Name, Address, and Vendor Number. The descriptive flexfield columns provide "blank" columns that you can use to store information that is not already stored in another column of that table. A descriptive flexfield requires one column for each possible segment and one additional column in which to store structure


    Once the DFF's structure is defined, compiled and frozen, Oracle Applications submits a concurrent request to generate a database view of the table that contains the descriptive flexfield segment columns.

    Descriptive flexfields have two different types of segments, global and context-sensitive, that you can decide to use in a descriptive flexfield structure. A global segment is a segment that always appears in the descriptive flexfield pop-up window, regardless of context (any other information in your form


    Level | Profile Option Value | Audit Trail Impact
     | | based on the application selected and the amount of activity in that application.
    Responsibility | None / blank | No auditing is specifically enabled to track when responsibilities are accessed. Oracle will default to the application and site-level values.
     | User | Auditing for the specified responsibility is enabled to identify which users access that responsibility.
     | Responsibility | At the responsibility level, this setting appears to be redundant with the User value.
     | Form | Auditing is enabled that identifies the forms / screens the user accesses from within the responsibility. The size of the audit trail created by this setting (

    site/forms auditing functionality is generally not enabled at clients because it consumes significant computing resources.

    o A balance between monitoring too much and too little should be established. Clients who have set Sign-On: Audit Level at the site level with a value of Form are recording voluminous information that probably is not providing the audit or control benefit intended. Clients using this setting have not performed a risk-based assessment to determine the sensitive areas, users and responsibilities within EBS that should be monitored.

    o For the most efficient auditing, a risk-based approach should be used to identify the high risk transactions and/or users.


    1.3.2. Control Dependencies

    o None

    1.3.3. Control Limitations

    o None

    1.3.4. Testing Notes

    o PwC staff reviewing Oracle-based auditing should consider the client's requirements for monitoring. Oracle-based auditing should complement those requirements.

    o Additionally, PwC staff should consider the relationship between activity-based auditing and the data-based auditing that the client has enabled, if any.

    2. Non-Audit Based Change Control

    Without the auditing feature turned on, Oracle only maintains a minimal audit trail. When auditing is not enabled, only the record creation date, record creator and the record's last modification date are recorded. Oracle does not automatically store any changes made between the creation of the record and the last update, and Oracle does not record what data was changed during the last update (only that the form was changeds business requirements and configurations.

    iSetup Migrator is the load functionality that populates the application setup tables with the requested parameter values.

    Configuration/Functionality Changes with iSetup

    iSetup Migrator: Hierarchical Selection Sets


    [Figure callouts]

    o Data Group -- Name: selected data group for the responsibility. Note: This element corresponds to the security group on the Users form. Application: the module used in conjunction with the data group name.

    o Request Group -- Name: selected request security group associated with the responsibility. Application: the module used in conjunction with the specified request security group.

    o Menu -- selected main menu for the responsibility.

    o Menu Exclusions, Excluded Items, Securing Attributes -- additional configurable elements that further restrict the responsibility's access

    o Responsibility Name -- unique User-created name for the responsibility

    o Application -- selected application (module) in which the responsibility resides

    o Responsibility Key -- User-created

    o Effective Dates -- range of dates between which the responsibility is active.


    From a functional perspective, this would be indicated by:

    1.1. Forms and Functions

    Menu Functions, or functions, are the lowest level of access. A function is a part of an application's functionality that is registered under a unique name for the purpose of assigning it to, or excluding it from, a responsibility. From an end-user perspective, the function is the window (or screen) in which data is entered into the application.

    Within Oracle there are two types of functions: form functions, and non-form functions. For clarity, Oracle refers to a form function as a form, and a non-form function as a sub function, even though within the database, both are just instances of functions.

    Within PwC's GATE tool, a form function is called a form, and the non-form function (or sub function or 'inquiry could actually update and initiate transactions. Clients should follow an appropriate naming convention so that effective responsibility management can be supported.

    1.5.4. Testing Notes

    o To test Security Groups using GATE: Run the GATE Responsibility Report "Responsibilities by Request Groups" to identify the various request security groups defined and to which responsibilities they are assigned. Additionally, run the report "Reports within Request Groups" to identify which reports are associated with each request security group. A specific report focusing on the "All Reports" request security group is also available -- "All Reports Request Group"


    Management section of this practice aid.) Note: setting password expiration to "NONE" will result in the user's password never expiring

    2.1.3. Person (optional)

    An Oracle user name can be linked to a person (employee) listed within the HR tables. This is done by selecting a value in the person field. This is not required, as some users may need access who are not employees (temporary workers, external suppliers, etc


    2.1.1. Personalisation

    The personalization functionality is accessible to end-users via the diagnostic functionality. The objective of personalization is to declaratively tailor the user interface (UI) look-and-feel, layout or visibility of page content or a user preference. Personalization examples are:

    o Tailor the color scheme of the UI.

    o Tailor the order in which table columns are displayed.

    o Tailor a query result

    2.1.11. Usage of roles

    With Release 12, the usage of roles is widened. For the implications, please see the chapter about Role Based Access (RBAC


    specific EBS functions. The new mechanism was designed to enable limited, auditable delegation of privilege from delegators to their delegates.

    2.2.3. Examples of Delegation

    Executives allowing their assistants to access selected business applications on their behalf. Similarly, but for a more limited duration, managers may need to grant peers or subordinates limited authority to act on their behalf while they are out of the office.

    Users may need to grant help-desk staff limited duration access to their EBS accounts, so that help desk staff can investigate problems and provide assistance. The Proxy User mechanism allows such users to obtain limited, auditable access to accounts such as SYSADMIN that might otherwise have to be shared and therefore harder to audit.

    The ability for users to access the proxy feature is controlled by a Security Administrator role. Users with this role determine which set of users can create delegates who can act on their behalf. The following screenshots depict the functionality. The first picture shows how to assign proxies as a separate role and then how to run the report in the user management module:


    Role Based Access Control (RBAC) is an ANSI standard (ANSI INCITS 359-2004) supported by the National Institute of Standards & Technology (NISTs own subordinate roles. The following example illustrates this:

    In this example, some roles such as "Employee" or "Manager" are assigned general permissions for a given function. For example, the Employee role may provide access to menus generally available to all employees, while the Manager role provides access to menus that should only be accessible by managers. Because the Employee role is subordinate to the Manager role, anyone assigned the Manager role automatically obtains the permissions associated with the Employee role. Other roles in this example pertain to more specific job functions, such as Sales Manager and Sales Representative, or Support Manager and Support Agent. These roles may provide access to job-specific menus and data such as the Sales Forecasting menu, or the Support application. Hierarchies within the roles functionality are granted via the Oracle user management application.

    Responsibilities are also a type of role and the same principle with regards to inheritance hierarchies as detailed above applies to responsibilities. When responsibilities are structured in the form of a hierarchy, assigning the top level responsibility to a user will result in all inherited responsibilities also being automatically assigned to the user. One of the effects of this is that if the top level responsibility assignment is end-dated for a specific user, all lower level responsibilities will also be end-dated. When this occurs it has the effect that it will not be possible to directly assign any of the lower level responsibilities to the user without either dismantling the hierarchy or assigning the top-level responsibility to the user again.
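Because a superior role silently carries everything its subordinate roles grant, a segregation of duties review has to expand the hierarchy before comparing permissions. The following Python code is an added example, not part of the Practice Aid, GATE or Oracle User Management; only the Employee/Manager relationship comes from the text, while the other inheritance links, the permission names, the user assignments and the conflict rule are constructed assumptions.

```python
from typing import Dict, Iterable, List, Set, Tuple

# role -> roles it inherits from (its subordinate roles).
INHERITS: Dict[str, Set[str]] = {
    "Manager": {"Employee"},                                # stated in the text
    "Sales Representative": {"Employee"},                   # assumed
    "Sales Manager": {"Manager", "Sales Representative"},   # assumed
    "Support Agent": {"Employee"},                          # assumed
    "Support Manager": {"Manager", "Support Agent"},        # assumed
}

# role -> permissions granted directly by that role (constructed names).
GRANTS: Dict[str, Set[str]] = {
    "Employee": {"Employee menu"},
    "Manager": {"Manager menu"},
    "Sales Representative": {"Enter Sales Order"},
    "Sales Manager": {"Sales Forecasting menu", "Approve Sales Order"},
    "Support Agent": {"Support application"},
}

# Pairs of permissions one user should not hold together (constructed rule).
RULES: List[Tuple[str, str]] = [("Enter Sales Order", "Approve Sales Order")]

# user -> roles assigned directly (constructed).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "USER1": {"Sales Manager"},
    "USER2": {"Sales Representative", "Support Manager"},
}


def effective_roles(direct: Iterable[str],
                    inherits: Dict[str, Set[str]]) -> Set[str]:
    """Expand direct assignments through the hierarchy; safe against cycles."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(inherits.get(role, ()))
    return seen


def permission_sources(direct: Iterable[str],
                       inherits: Dict[str, Set[str]],
                       grants: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each effective permission to the roles that grant it."""
    sources: Dict[str, Set[str]] = {}
    for role in effective_roles(direct, inherits):
        for perm in grants.get(role, ()):
            sources.setdefault(perm, set()).add(role)
    return {perm: sorted(roles) for perm, roles in sources.items()}


def sod_conflicts(assignments, inherits, grants, rules):
    """Return (user, perm_a, perm_b, roles granting a, roles granting b)."""
    findings = []
    for user in sorted(assignments):
        src = permission_sources(assignments[user], inherits, grants)
        for perm_a, perm_b in rules:
            if perm_a in src and perm_b in src:
                findings.append((user, perm_a, perm_b, src[perm_a], src[perm_b]))
    return findings


if __name__ == "__main__":
    for finding in sod_conflicts(ASSIGNMENTS, INHERITS, GRANTS, RULES):
        print("SoD conflict:", finding)
```

USER1 holds a single directly assigned role, yet the conflict appears because one side of the rule arrives through inheritance; a review that lists only direct assignments would miss it.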

    2.3.2. Supporting functionality: Delegated Administration

    Delegated Administration is a privilege model that builds on the RBAC system to provide organizations with the ability to assign the required access rights for managing roles and user accounts. With delegated administration, instead of relying on a central administrator to manage all its users, an organization can create local administrators and grant them sufficient privileges to manage a specific subset of the organization's users and roles. This provides organizations with a tighter, more granular level of security, and the ability to easily scale their administrative capabilities. For example, organizations could internally designate administrators at division or even department levels, and then delegate administration of external users to people within those (external) organizations. Delegation policies are defined as data security policies. The set of data policies that are defined as part of delegated administration are known as Administration Privileges.

    The administrative privileges that can be delegated could be of the following privilege categories:

    o User Administration Privileges

    o Role Administration Privileges

    o Organization Privileges

    Delegation policies are defined as data security policies. The set of data policies that are defined as part of delegated administration are known as the Administration Privileges.

    Administration Privileges determine what users and roles the delegated administrator can manage. There are three aspects to administration privileges: roles, users, and organization. Each privilege is granted separately, yet the three work together to provide the complete set of abilities for the delegated administrator. These privileges can be defined along with the role definition in the Role & Role Inheritance user interface in Oracle User Management.

    See the following screens in the user management module, where you can see the search function and an example of a delegated administration function.


    o Security may be administered in a centralized or decentralized manner. Each method has its own risks.
    o User Administration (creating/disabling user IDs and assigning access [...]'s ability to view and update data. Please refer to these Practice Aids for more information.
    o Whenever a role concept is followed, it should be thoroughly considered that the roles and responsibilities do not represent a SoD conflict.
    o Proxy User functionality gives all-or-nothing delegation capability. However, start and end dates can be defined to limit the duration of proxy access.

    2.5.3. Control Limitations
    o If proxy user access is given, this might violate the existing SOD and cause a possible conflict, which would not have been there without this proxy given.

    2.5.4. Testing Notes
    o Securing Attributes could be a significant security component of the client's user population if iTime, iExpense, or iProcurement are used. PwC should understand the requirements for securing attributes and consider testing those configurations.
    o Appropriately completed authorisation request forms should accompany any additions/changes to a user ID. This authorisation form should clearly indicate the specific Oracle access (e.g., which Responsibility) that should be granted. Periodic review by management of all active users and their currently assigned Responsibilities should occur.
    o Monitoring controls over Roles, Responsibilities and user assignment throughout the period should be used to understand the nature of any temporary changes to these elements.
    o Companies may create a specific user (the auditor) with access to employees' EBS accounts, normally on a read-only basis.
    o Accessing the granted proxy users enables the auditor to analyze the usage of delegated responsibilities (usage of the proxy user report


    3. Password Management

    Oracle EBS provides multiple configurations to support the client's corporate security policy. The Oracle E-Business suite password configurations are as follows:

    | Configuration Name | Type of configuration | Default Setting | Description |
    |---|---|---|---|
    | Sign on Password Custom | System Profile Option | not set | If the client has more advanced password restrictions, custom Java classes can be used to implement these restrictions. The Sign on Password Custom profile option must be set to be the full name of the Java class. |
    | Sign on Password Failure Limit | System Profile Option | not set | This parameter setting identifies the number of failed login attempts after which an EBS login is disabled. The default is unlimited failures. Note: This profile option became available in Release 11.5.7 or via patch 201"72. |
    | Sign on Password Hard to Guess | System Profile Option | not set | The profile option Sign on Password Hard to Guess is used to help ensure that the password is "hard to guess." A password is considered hard-to-guess if it follows these rules: the password contains at least one letter and at least one number; the password does not contain the username; the password does not contain repeating characters. |
    | Sign on Password Length | System Profile Option | | The minimum length of Oracle EBS user passwords can be set using the profile option Sign on Password Length. |
    | Sign on Password No Reuse | System Profile Option | not set | The minimum number of days that a user must wait before being allowed to reuse a password can be set with the Sign on Password No Reuse profile option. |
    | Password Expiration | User Record | not set | Days - the number of days between password changes. Accesses - the number of successful logins until the next password change. |
    | Password case sensitivity | Profile option | disabled | Passwords are either case sensitive or not case sensitive. |

    Functionality for "Login Assistance" self service has been introduced in place of the Forgotten Password administrative function.

    It is not uncommon for system administrators to have to reset a user's forgotten password, or even advise a user of the account's user (login) name. This is unproductive for both the user, who cannot do any work in the meantime, and for the administrator. In addition, a user will occasionally request


    [Figure: identity management overview. Boxes: IdM; Oracle ERP; System 1; System 2, with Responsibilities, Users and Access Groups. Callouts: "User Creation and Provisioning should be sourced at the IdM solution"; "Technical and/or monitoring controls should be enabled to promote user creation and assignment from the IdM solution".]

    4.2. Identity management within Oracle EBS

    Oracle EBS as part of the overall Oracle identity management framework can be considered as one additional application to be included. In principle users created in Oracle EBS are provisioned to OID (and vice versa


    However, with the usage of the new RBAC functionality, there might be enhanced usage of provisioning within Oracle EBS. Therefore new functionalities are introduced in the new version R12.

    Provisioning services are modelled as registration processes that enable end users to perform some of their own registration tasks, such as requesting new accounts or additional access to the system. They also provide administrators with a faster and more efficient method of creating new user accounts, as well as assigning roles. Registration Processes create Role Assignments, which are equivalent to RBAC policies, as these Role Assignments control the actions or access for a user.

    Introduction of "User Management: Security Administration Set Up" Wizard for performing the following system administration functions:

    o Defining User Administration Privileges for Roles
    o Defining Role Administration Privileges for Roles
    o Defining Organisation Administration Privileges for Roles

    The functionality of "Administrator assisted request for additional access" is added as the fourth type of user registration process.


    It is important to understand how the login and synchronization process works. Here is a brief description for the simplest cases. Please see the main documentation for more details.

    A. Authentication Phase: Validating a user's identity

    User attempts to access a protected page from Oracle Applications Release 12. User is redirected to Single Sign-On Server site. Single Sign-On Server verifies if user is already authenticated (validates the cookie SSO_ID presented to this site


    5.1. Functionality

    In the Oracle 11i environment, the E-Business Suite (EBS) uses the profile option MO: Operating Unit to link an operating unit to a particular responsibility. This process creates a one-to-one relationship between the responsibility and the operating unit. The system administrator must set this profile option for each responsibility. EBS allows a user to see only the information for the particular operating unit that is assigned to the responsibility. If a user wants to enter transactions or perform setup functions across several business units, then that user must be assigned multiple responsibilities with access to each of the relevant business units. The user must switch between responsibilities to perform updates to different business units.

    The old model of managing multi-organization access in Oracle 11.5.10 has been enhanced, but not replaced, by the MOAC. The option to use the MO: Operating Unit profile option to enforce a one-to-one relationship between responsibilities and business units can still be used. Optionally, if an organization wants to provide multiple organization access from a single responsibility, then those organizations will use MOAC. EBS introduces a new profile option that enables MOAC -- MO: Security Profile

    MOAC provides the following two security profiles that enable users to access, process, and report data in multiple operating units from a single responsibility:

    o MO: Security Profile - Allows the assignment of multiple operating units for the same business group.
    o MO: Global Security Profile - Allows the assignment of multiple operating units across multiple business groups.

    The following profile options are relevant to MOAC:

    o MO: Security Profile
    o MO: Default Operating Unit
    o MO: Operating Unit (legacy functionality

    [...]'s own workflows. To impact system-wide workflows, the Workflow Administrator role must be assigned to the user. This access is granted through the Administration tab in Oracle Workflow. Workflow administrator capabilities are required to assign another individual this role.

    The ability to view and update anyone's workflow has significant implications. If an individual had access to the workflow administrator role, sensitive transactions could be initiated directly in workflow. The following example identifies how to create a new sales order through workflow: The individual selects the order entry process workflow and selects the "Run" option.


    [Screenshot callouts: "The Alert Manager can enable/disable the Alert."; "The Alert Manager can modify what is being monitored."]


    [Screenshot callouts: "Choose the Order to Cash flow"; "The workflows appear below the business flow".]


    3.2. Potential Automated Solutions

    The inherent auditing mechanism in the Oracle database (and related Application Programming Interfaces - APIs such as the "Audit API") can be used to help monitor changes to the database and is discussed later. However, these auditing mechanisms in the application and in the database are not sufficient to allow for effective monitoring of the APPS ID.

    Oracle is currently introducing its IT Auditor module for the E-Business suite, which will further help with change control. Oracle is also introducing Database Vault, which addresses segregation of duties within the database. Oracle Database Vault addresses some of the most common database security problems and internal threats by:

    o Restricting the DBA and other privileged users from accessing application data
    o Preventing the Application DBA from manipulating the database and accessing other applications
    o Providing better control over who, when & where an application can be accessed

    Additionally, functionality in other third party tools provides tighter control over Oracle E-Business Suite change control procedures. Refer to Oracle Metalink at https://metalink.oracle.com/.

    To augment basic monitoring procedures over the APPS ID, other features can be implemented to help ensure that access to the database is controlled. Either approach, individually or collectively, is a control we recommend. Through the use of native Oracle security features found within SQL*Net (sqlnet.ora configuration file) and the LISTENER (listener.ora configuration file


    Unless the client has a very strong reason to the contrary (exceptions should be discussed with the PwC Oracle SME team


    access to DBAs can provide sufficient access to administer the database but prevent updates to the audit trail.

    Formal fire-call / request procedures for the use of default DBA IDs such as SYS and SYSTEM.

    As a precaution against default DBA IDs updating the audit trail, enable auditing over the audit trail. While detailed information might not be available regarding the update, enabling auditing over the audit trail will at least identify that the audit trail was modified. Follow-up activities should then be performed to understand why the audit trail was updated.

    The audit trail should be sent to the operating system away from the control of the DBA. Ideally, the audit trail would be sent through the system logging facility on the operating system. This approach would further separate the audit trail from the DBAs. The frequency by which the audit trail is sent to the operating system should be assessed against the feasibility of enforcing individual user IDs and custom roles. If the audit trail is copied out of the database infrequently, greater need is realised to enforce individual user IDs and custom roles in the database.

    Note: Several of our clients have considered this approach. The implemented status of this approach, however, is not currently known.


    . System Profile Options

    System Profile Options are system parameters that can have a global impact on Oracle EBS. Those same parameters can also have only a limited effect on the system. The overall effect of the parameters on the system depends on the level at which the parameters are configured -- site, application, responsibility and user.

    1. Site-Level

    System Profile Options at the site level have global impact on Oracle EBS. For example, the default Ledger name is set at the site level. If Oracle responsibilities are not explicitly assigned to Ledger names, then, by default, they are assigned to the site-level default Ledger name.

    1.1. Control Considerations

    1.1.1. Business Process Variables
    o None

    1.1.2. Control Dependencies
    o None

    1.1.3. Control Limitations
    o None

    1.1.4. Testing Notes
    o System profile options at the site level can be effectively tested online. GATE reports can also be used.

    2. Application-Level

    System Profile Options at the application level only have impact on the application associated with the particular parameter. For example, sequential numbering could be set to "Partially Used" at the site level, but set to "Gapless" in Payables. In this situation, "Gapless" sequential numbering will be used in Payables, but "Partially Used" will be enforced in the other Oracle modules. Application-level system profile options override site-level system profile options.

    2.1. Control Considerations

    2.1.1. Business Process Variables
    o None

    2.1.2. Control Dependencies
    o None

    2.1.3. Control Limitations
    o None

    2.1.4. Testing Notes
    o System profile options can be tested online for applications in-scope. GATE reports can also be used.

    3. Responsibility-Level

    System Profile Options at the responsibility level only have impact on the responsibility associated with the particular parameter. Oracle responsibilities are generally associated with a specific Ledger


    custom query made by the client will be required to obtain profile options set at the user level.
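    Once profile option values have been extracted, the level hierarchy described above can be checked mechanically. The following is an added example, not part of the practice aid or of Oracle's code: it resolves the effective value for a session (the page states only that application level overrides site level; the full site, application, responsibility, user order is standard EBS behaviour) and compares the sign-on options with a hypothetical baseline. The rows, user names and thresholds are constructed, and the levels at which a given option can actually be set depend on its definition.

```python
"""Resolve effective EBS profile option values and flag weak sign-on settings."""

# Precedence from weakest to strongest: the most specific level wins.
LEVELS = ("site", "application", "responsibility", "user")

# Constructed sample export: (profile option, level, level value, option value).
ROWS = [
    ("SIGNON_PASSWORD_LENGTH", "site", None, "8"),
    ("SIGNON_PASSWORD_HARD_TO_GUESS", "site", None, "Y"),
    ("SIGNON_PASSWORD_FAILURE_LIMIT", "site", None, "5"),
    ("SIGNON_PASSWORD_FAILURE_LIMIT", "user", "JSMITH", "50"),
    ("UNIQUE:SEQ_NUMBERS", "site", None, "Partially Used"),
    ("UNIQUE:SEQ_NUMBERS", "application", "Payables", "Gapless"),
]

# Hypothetical client policy used as the audit baseline (an assumption).
BASELINE = {
    "SIGNON_PASSWORD_LENGTH": lambda v: v is not None and int(v) >= 8,
    "SIGNON_PASSWORD_HARD_TO_GUESS": lambda v: v == "Y",
    "SIGNON_PASSWORD_FAILURE_LIMIT": lambda v: v is not None and 1 <= int(v) <= 5,
    "SIGNON_PASSWORD_NO_REUSE": lambda v: v is not None and int(v) >= 180,
}


def effective_value(rows, option, context):
    """Return (value, level) for `option` in a session context.

    `context` maps level names to the session's application, responsibility
    and user. (None, None) means the option is not set at any level, which
    is the default state of most sign-on options.
    """
    found = {}
    for name, level, level_value, value in rows:
        if name != option:
            continue
        if level == "site" or context.get(level) == level_value:
            found[level] = value
    for level in reversed(LEVELS):
        if level in found:
            return found[level], level
    return None, None


def audit_signon(rows, context):
    """Return (option, effective value, level) for every baseline failure."""
    findings = []
    for option, check in sorted(BASELINE.items()):
        value, level = effective_value(rows, option, context)
        if not check(value):
            findings.append((option, value, level))
    return findings


if __name__ == "__main__":
    for user in ("JSMITH", "AJONES"):
        print(user, audit_signon(ROWS, {"user": user}))
```

    A user-level override that weakens a compliant site-level value only shows up when the effective value is resolved per user, which is why a site-level review alone is not sufficient.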

    4. Key Profile Options

    The following section highlights the key system profile options to review for audit and consulting engagements. The "Relevant" column indicates if the profile option is applicable for audit (A) and consulting (C) projects.

    5.1 Profile options

    | Profile Option | Setting | If new for R12, what is it? | Available Options | Relevant |
    |---|---|---|---|---|
    | APPS_SSO_LINK_TRUTH_SRC | Applications SSO Linking Source of Truth | Applications SSO Linking Source of Truth | E-Business Suite, Oracle Internet Directory | C |
    | APPS_SSO_POSTLOGOUT_HOME_URL | Applications SSO Post Logout URL | Applications SSO Post Logout URL | User Defined | C |
    | APPS_SSO_OID_IDENTITY | Applications SSO Enable OID Identity Add Event | When a user is created in OID, the IDENTITY_ADD event is sent to all registered instances. This event controls whether an E-Business Suite instance should create the user in response to IDENTITY_ADD | Enable, disable | C |
    | APPS_SSO_AUTO_LINK_USER | Applications SSO Auto Link User | If a user authenticated by SSO has no corresponding user in E-Business Suite, it will look for a local user with the same user name. If found, it will be permanently linked | Enable, disable | TBD |
    | APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS | Applications SSO Allow Multiple Accounts | At user level, it enables a user to have multiple E-Business Suite accounts linked to a single SSO user name. Selection of which account is active is done via the Preferences page. At site level, it indicates the default for users without this specific setting. | Enable, disable | TBD |
    | FND_EXPORT_ALL_BLOCK_DATA | FND Export All Block Data | The profile controls what data is exported from a form's block. | Yes, No | TBD |
    | FND_FIXED_SEC_KEY | FND: Fixed Key | The fixed security key to be used in Framework if the profile FND Fixed Key Enabled is set to Y for the user. The key should be a Hexadecimal string of size 64. | User Defined | C |
    | FND_FIXED_KEY_ENABLED | FND: Fixed Key Enabled | This profile determines if a fixed key will be used for security purposes in Framework. | Yes, No | C |
    | FND_CACHE_PORT_RANGE | FND_CACHE_PORT_RANGE | Opening up a range of ports so that machine can talk across DMZ | User Defined | C |
    | OAM_SCRAM_ALLOWED | OAM: Data Scrambling Allowed | Profile option to allow data scrambling | User Defined | C |
    | OAM_SCRAM_ENABLED | OAM: Data Scrambling Enabled | Profile to enable or disable data scrambling | User Defined | C |
    | OAM_WS_AUDIT_ENABLED | OAM_WS_AUDIT_ENABLED | Enable or Disable Web Service Auditing | User Defined | C |
    | SIGNON_PASSWORD_CASE | Signon Password Case | Enables or Disables Password Case Sensitivity | Enabled, Disabled | A&C |
    | OAM_ENABLE_SYSTEM_ALERT | System Alert Enable Level | System Alert Enable Level | All, Critical and Error, Critical, None | C |
    | SIGNON_PASSWORD_CASE | Signon Password Case | Enables or Disables Password Case Sensitivity | Insensitive, Sensitive | A&C |
    | SIGNON_PASSWORD_CUSTOM | Signon Password Custom | Profile option that specifies the full name of the class containing custom password validation logic. | User Defined | A&C |
    | SIGNON_PASSWORD_FAILURE_LIMIT | Signon Password Failure Limit | A positive integer indicating the maximum number of logon attempts before the user's account is disabled. | User Defined | A&C |
    | SIGNON_PASSWORD_HARD_TO_GUESS | Signon Password Hard To Guess | Profile that gets set to "true" if hard-to-guess password validation rules should be enforced for new passwords. | Yes, No | A&C |
    | SIGNON_PASSWORD_LENGTH | Signon Password Length | Minimum length of Applications user password | User Defined | A&C |
    | SIGNON_PASSWORD_NO_REUSE | Signon Password No Reuse | Profile to specify the number of days a user must wait before being allowed to reuse a password. | Yes, No | A&C |
    | SIGNONAUDIT:LEVEL | Sign-On: Audit Level | Level at which to audit foundation usage | NONE, USER, RESPONSIBILITY, FORM | A&C |
    | SIGNONAUDIT:NOTIFY | Sign-On: Notification | Notify User Concurrent Program Failures and Invalid Printers | Yes, No | A&C |
    | FND_DIAGNOSTICS | FND: Diagnostics | Enables Diagnostics Global Button | Yes, No | A&C |
    | FND_HIDE_DIAGNOSTICS | Hide Diagnostics menu entry | Hides the Help: Diagnostics Menu entry | Yes, No | A&C |
    | UNIQUE:SEQ_NUMBERS | Sequential Numbering | Sequential Numbering | Always Used, Not Used, Partially Used | A&C |
    | CONC_REPORT_ACCESS_LEVEL | Concurrent: Report Access Level | Provides controlled access of log/output files of requests to group of users based on the current responsibility of the user based on this profile option value | Responsibility, User | C |
    | PRINTER | Printer | Output Printer | Registered Printers e.g. (noprint, LabelPDF | |

    [...]'s Practice Aid.

    1.3. Control Considerations

    1.3.1. Business Process Variables
    o None

    1.3.2. Control Dependencies
    o The Custom.pll library is a standard Oracle Forms PL/SQL library that is supplied by the Oracle Applications. This is Oracle's built-in feature that allows the customer to enhance the standard functionality of the Applications by implementing site-specific business rules. Every Oracle Forms-based eBusiness screen, and any custom form developed using the Oracle Application development standards, will access the CUSTOM library. This allows customers to create business rules that affect the entire organization. Customers may use this functionality to hide certain tabs from users (i.e. Process Tab) or enforce even more granular controls in forms and functions access. PwC should inquire if the client is using Custom.PLL to further control user access during SOD testing and validation.

    1.3.3. Control Limitations
    o Oracle is installed with default responsibilities that help the client enter and post transactions. These responsibilities were built by Oracle without any consideration of Segregation of Duties principles.

    1.3.4. Testing Notes
    o Personalisation is not currently analysed by Oracle GATE.


    . Restricted Access/Segregation of Duties

    When conducting an Oracle restricted access / segregation of duties review, there are three main access considerations:

    o Application Setups
    o Standing Data
    o Segregation of Duties

    1. Application Setups

    Application Setups are defined as configurations that change the behaviour of the application. These setups are generally only configured upon installation, upgrades, or major business events. Changes in business process setups could cause system failure and/or data inconsistencies. Therefore, access to these setups should be restricted to the IT department or similar technical role.

    In addition, because of the potential impact on key financial controls associated with these setups, any changes to these should be implemented via the client's stated change management process & controls. Please note that the definition of what constitutes application setups will vary from client to client, and practitioners should discuss these concepts with clients prior to commencing any Oracle work.

    2. Standing Data

    Standing Data is defined as setup that either affects the processing of transactions or is used in the processing of transactions that could have a financial statement impact. These setups are generally configured upon installation, upgrades, or major business events. However, they may also need to be changed periodically to reflect ongoing changes to the business environment. Changes in standing data could cause financial processing difficulties and/or changes to standard transaction accounting procedures. Therefore, access to these setups should be limited to a select few business process or IT owners who do not have transactional access.

    Changes to standing data setups should be approved prior to implementation due to their potential impact on key financial controls and/or processes. Please note that the definition of what constitutes standing data will vary from client to client, and practitioners should discuss these concepts with clients prior to commencing any Oracle work.

    3. Segregation of Duties

    Segregation of Duties is defined as segregating access to two or more sensitive functions that, when combined, could present a risk of material misstatement, management override, fraud or theft.
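    Because assigning a top-level responsibility also assigns everything it inherits, a single assignment can carry an SoD conflict by itself. The following added example (not from the practice aid or from Oracle; role names, function names and conflict pairs are constructed) expands each user's active assignments through the inheritance hierarchy and reports conflicting function pairs together with the responsibility that grants each one.

```python
"""Detect segregation-of-duties conflicts, including inherited access."""

# All data below is constructed for illustration.
# Superior role/responsibility -> subordinates it inherits.
INHERITS = {
    "AP Manager": ["AP Clerk", "AP Inquiry"],
    "AP Clerk": ["AP Inquiry"],
    "Purchasing Manager": ["Buyer"],
}

# Responsibility -> sensitive functions it grants directly.
GRANTS = {
    "AP Manager": {"Approve Payments"},
    "AP Clerk": {"Enter Invoices"},
    "AP Inquiry": set(),
    "Buyer": {"Enter Purchase Orders"},
    "Supplier Maintenance": {"Maintain Suppliers"},
}

# Pairs of functions that one person should not hold together.
CONFLICTS = [
    ("Enter Invoices", "Approve Payments"),
    ("Maintain Suppliers", "Enter Invoices"),
    ("Enter Purchase Orders", "Approve Payments"),
]

# User -> direct assignments as (responsibility, end_dated).
ASSIGNMENTS = {
    "JSMITH": [("AP Manager", False)],
    "AJONES": [("AP Clerk", False), ("Supplier Maintenance", False)],
    "BLEE": [("AP Manager", True), ("Buyer", False)],
}


def effective_roles(direct, inherits=INHERITS):
    """Return {role: top-level assignment it was reached from}.

    End-dated direct assignments are skipped, so everything inherited
    through them drops out as well.
    """
    resolved = {}
    for top, end_dated in direct:
        if end_dated:
            continue
        stack = [top]
        while stack:
            role = stack.pop()
            if role in resolved:
                continue  # already reached; also guards against cycles
            resolved[role] = top
            stack.extend(inherits.get(role, []))
    return resolved


def sod_violations(direct, grants=GRANTS, conflicts=CONFLICTS):
    """Return sorted (function_a, function_b, source_a, source_b) tuples.

    Each source is (granting responsibility, top-level assignment), which
    tells the reviewer which assignment to change.
    """
    granted_by = {}
    for role, top in effective_roles(direct).items():
        for function in grants.get(role, ()):
            granted_by.setdefault(function, (role, top))
    hits = []
    for a, b in conflicts:
        if a in granted_by and b in granted_by:
            hits.append((a, b, granted_by[a], granted_by[b]))
    return sorted(hits)


if __name__ == "__main__":
    for user, direct in ASSIGNMENTS.items():
        print(user, sod_violations(direct))
```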

    3.1. Designing SoD

    Segregation of Duties and Restricted access design could be complex and is dependent upon each client's environment. Clients should acknowledge the inherent accounting and unique business risks that require certain activities to be performed by different individuals. In either circumstance, the rules and related documentation developed should be associated with the client's significant financial risks.

    Segregation of Duties and Restricted access design could include a balance between separating all conflicting activities and mitigating all segregation of duties violations. This decision making process should include formal elements of SoD analysis. When designing SoD principles, the following should be kept in mind:


    o Processes Tab Access: "AZN" menus are those menus that are associated with the Process Navigator Tab. When testing for segregation of duties, the reports generated from the tool will identify the menus associated with the issue.
    o Without understanding the menu being used and the implications with the "AZN" menu, the segregation of duties analysis will appear to contain many false positives. Practitioners should be aware of the AZN menu and help the client understand where the excessive or conflicting access exists.
    o As many concurrent processes have the similar financial impact as the direct entry of transactions (AutoInvoice, Automatic Journal Posting, Revenue Recognition


    8. Relevant Modules

    1. iSetup

    iSetup is a data management product that helps in automating migration and monitoring of EBS setup data. iSetup helps in the migration of data between different instances of Oracle.

    iSetup is covered in this document, as this module might influence the setup of Oracle EBS and can be used for analyzing the overall setup of Oracle EBS. For detailed analytics refer to the iSetup User Guide.

    1.1. Usage of iSetup

    iSetup is a two-part application:

    o iSetup Configurator runs on the web and provides an interactive questionnaire to capture business requirements and configuration decisions.
    o iSetup Migrator is the load functionality that populates the application setup tables with the detailed parameter values.

    The following graph depicts the process of using iSetup to support the creation and extraction of the transformation files, which then can be transferred to any output.

    Clients could use this for migrating data between:

    o Production instance to another production instance
    o Test or development environment to the production environment

    1.2. Control Considerations

    2.1.1. Business Process Variables
    o None

    2.1.2. Control Dependencies
    o None

    2.1.3. Control Limitations
    o None

    2.1.4. Testing Notes
    o The reports, either standalone for a single instance, or comparison between multiple instances can be used to retrieve and compare setup data.


    o &he history o! e*ecuted %igrations can e used !or analytics o! the

    change %anage%ent process.

    2. AME

    Oracle Approvals Management (AME) is a self-service Web application that enables clients to define business rules governing the process for approving transactions in Oracle applications.

    AME is covered in this document, as the usage of AME might impact the analytics of approval processes and controls based on approvals. For detailed analytics refer to the Oracle AME user guide. Oracle AME is also integrated with Oracle user management.

    1.1. Usage of AME

    The purpose of Oracle Approvals Management (AME) is to define approval rules that determine the approval processes for Oracle applications. The following graphic illustrates the typical approval process used in an organization.

    An approval rule is a business rule that helps determine a transaction's approval process such as who gets to approve certain transactions, dollar amount limits, and notification routing. Rules are constructed from conditions and actions.

    For example an approval rule can be as follows:

    If the transaction's total cost is less than 1,000 USD, and the transaction is for travel expenses, then get approvals from the immediate supervisor of the person submitting the transaction. Otherwise get approval from the company travel manager.

    Oracle Approvals Management enables business users to specify the approval rules for an application without having to write code or customize the application. Once the rules are defined for an application, the application communicates directly with AME to manage the approvals for the application's transactions. Clients can define rules to be specific to one application or shared between different applications. As AME recalculates the chain of approvals after each approval, a transaction is assured to be approved under the latest conditions, regardless of organizational changes, changes to transaction values, rule changes, or currency conversions. AME has built-in testing features that enable you to confirm the behavior of new or edited business rules before live execution.
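A simplified model of the behaviour described above, added here as an illustration; it is not Oracle AME code and not part of the practice aid. Rules are condition/action pairs, and the pending approvers are recalculated from current data instead of being frozen at submission. The org chart, the approver names and all function names are assumptions.

```python
# Simplified model of condition/action approval rules; not Oracle AME code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data: employee -> immediate supervisor, plus a travel manager.
ORG: Dict[str, Optional[str]] = {"alice": "bob", "bob": "carol", "carol": None}
TRAVEL_MANAGER = "tina"

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[dict], bool]          # when the rule applies
    action: Callable[[dict, dict], List[str]]  # who must approve if it does

def is_small_travel(txn: dict) -> bool:
    return txn["category"] == "travel" and txn["total_usd"] < 1000

# The example rule from the text and its "otherwise" branch.
RULES = [
    Rule("small travel expense", is_small_travel,
         lambda txn, org: [org[txn["requester"]]]),
    Rule("all other transactions", lambda txn: not is_small_travel(txn),
         lambda txn, org: [TRAVEL_MANAGER]),
]

def required_chain(txn: dict, org: dict) -> List[str]:
    """Evaluate every rule against the current transaction and org data."""
    chain: List[str] = []
    for rule in RULES:
        if rule.condition(txn):
            for approver in rule.action(txn, org):
                if approver is None:
                    # A rule that resolves to nobody must fail closed.
                    raise ValueError(f"rule {rule.name!r} found no approver")
                if approver not in chain:
                    chain.append(approver)
    return chain

def pending_approvers(txn: dict, org: dict, approved: Set[str]) -> List[str]:
    """Recalculate the chain now; only approvals still on it count."""
    return [a for a in required_chain(txn, org) if a not in approved]

def static_pending(chain_at_submit: List[str], approved: Set[str]) -> List[str]:
    """Contrast case: chain frozen at submission and never re-evaluated."""
    return [a for a in chain_at_submit if a not in approved]
```

For testing, the contrast between `pending_approvers` and `static_pending` after a transaction value is raised post-approval is the behaviour worth confirming: the recalculated chain still requires the travel manager, the frozen one reports nothing outstanding.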

    1.2. Control Considerations

    2.1.1. Business Process Variables

    o Many clients might rely on manual approvals or sign-off sheets as their key controls over account procedures. From an efficiency and effectiveness perspective, PwC practitioners should be on the lookout for areas of process improvement where a manual approval process can be automated in Oracle.

    2.1.2. Control Dependencies

    o None

    2.1.3. Control Limitations

    o None

    2.1.4. Testing Notes

    o The use of AME gives auditors the ability to test the approval process systematically and gain comfort over established key controls.

    L. Forms that accept S


    | Function - Internal Name | Function - Display Name | Form - Internal Name | Form - Display Name |
    |---|---|---|---|
    | FND_FNDSCMOU | ORACLE Usernames | FNDSCMOU | Register ORACLE IDs |
    | PSB_PSBSTPTY | Attribute Mapping Details | PSBSTPTY | Attribute Mapping Details |
    | MSDCSDFN | Define Data Stream | MSDCSDFN | Define Data Stream |
    | MSDCSDFA | Custom Stream Advanced Setup | MSDCSDFA | Custom Stream Advanced Setup |
    | MSD_MSDAUDIT | Audit Statements | MSDAUDIT | Audit Statements |
    | JTFRSDGR | Define Dynamic Resource Groups | JTFRSDGR | Define Dynamic Resource Groups |
    | JTFBRWKB | Business Rule Workbench | JTFBRWKB | Business Rule Workbench |
    | ONT_OEXPCFVT | Validation Templates | OEXPCFVT | Define Validation Templates |
    | ONT_OEXDEFWK, QP_OEXDEFWK | Defaulting Rules, Attribute Mapping | OEXDEFWK | Defaulting Rules |
    | JTFTKOBT | Objects Meta-data | JTFTKOBT | Foundation Objects |
    | JTF_GRID_ADMIN | Spreadtable Metadata Administration | JTFGRDMD | Spreadtable Metadata Administration |
    | JTFGDIAG | SpreadTable Diagnostics | JTFGDIAG | SpreadTable Diagnostic Form |
    | JTFGANTT | JTFGANTT | JTFGANTT | JTFGANTT |
    | WMS_WMSRULEF | Define WMS Rules | WMSRULEF | Define WMS Rules |
    | QP_QPXPRFOR | Create Pricing Formulas | QPXPRFOR | Define Pricing Formulas |
    | QP_QPXPTMAP | New Attribute Mapping | QPXPTMAP | Attribute Mapping |
    | GMAWFPCL_F | Workflow Process Configuration Framework | GMAWFPCL | Workflow Process Configuration Framework |
    | GMAWFCOL_F | Workflow Activity Approval Configuration Framework | GMAWFCOL | Workflow Activity Approval Configuration Framework |
    | AME_WEB_APPROVALS | Approvals Management | TBD | TBD |
    | PERWSAPI | PL/SQL tester | PERWSAPI | PL/SQL tester |
    | FFXWSMNG | Write Formula | FFXWSMNG | Write Formula |
    | FFXWSDFF | Define Function | FFXWSDFF | Define Function |
    | FFXWSBQR | Create Quickpaint Inquiry | FFXWSBQR | Create QuickPaint Inquiry |
    | PAYWSDAS | Define Assignment Set | PAYWSDAS | Define Assignment Set |
    | PAYWSDYG | Dynamic Trigger Maintenance | PAYWSDYG | Dynamic Trigger Maintenance |
    | PERWSSCP | Define Security Profile | PERWSSCP | Define Security Profile |


    M. Glossary

    1. Key Oracle Functionality

    A number of terms that are used within the Oracle System Administration module are listed below with an associated definition.

    | Term | Description |
    |---|---|
    | Alert | A mechanism that checks your database for a specific exception condition. An alert is characterised by the SQL SELECT statement it contains. A SQL SELECT statement tells the application what database exception to identify as well as what output to produce for that exception. |
    | Alert Action | An action the alert is to perform. An alert action can depend on the output from the alert. An action can include sending an electronic mail message to a mail ID, running an Oracle Applications program, running a program or script from your operating system, or running a SQL script to modify information in your database. |
    | Audit Trail | Audit Trail tracks which rows in a database table(s) were updated at what time and which user was logged in using the form(s). |
    | Concurrent Request | A command to start a concurrent program. An example of a concurrent request is a command to generate and print a report. |
    | Data Group | A data group is a group list of Oracle Applications and the Oracle ID each application is assigned to. An Oracle ID grants access privileges to tables in an Oracle database. |
    | Menu | A hierarchical arrangement of application functions (forms) that is displayed within the main navigate window |