Let us discuss data security from Oracle Applications point of view. IT Controls can be grouped into General IT Controls and Application Controls. General IT controls include common IT services like disaster recover, data backup, change management, system development. Application Controls are embedded in the application and designed to achieve accuracy, data validation, authorization, reconciliation and approvals.

IT controls can be viewed in the form of following Matrix:

We will discuss few of the points mentioned in the matrix which impact Oracle Apps technical development and the way to address these control/security requirements.

There should be unique user account for accessing oracle applications for all individuals. There should not be existence of generic user accounts which are used by many persons. This is naturally helpful for auditing and tracking.

Oracle Application manages this requirement through creation of various responsibilities based on the duties performed by individuals. For example Purchasing Operation head who has authority to approve Purchase Order of highest amount need not have authority to create a purchase order.

System Administrators and Developers can have Query-Only/Read-Only functional responsibilities.

Developers should not have privileges to change profile options, concurrent programs and anything related to application setup. All changes to these things should go through proper change control mechanism and approval process.

There can be many Oracle Applications instances e.g. Development instance, Patch Instance, Integration/Test instance and Production Instance. Developers generally get access to all the screens except user creation and responsibility assignment screen on development instance. Access to all other instances is restricted. Even in development instance if access is needed for developer then it needs approval from IT Manager. This helps to maintain to control over data. It’s frustrating for developers but its mandatory.

APPS account/schema: APPS account and all the Oracle Applications database accounts should be restricted to DBAs only for Production and other restricted instances except the development instance. For Production instance, individual DBAs and support staff are given will read-only database access. There is should not be any Custom Program development in APPS schema.

Custom Schema:For customization/interface development, custom applications are registered in Oracle E-Business Suite with its own custom schema e.g. Custom INV Application is registered with schema XXINV.

Database security and segregation of responsibilities can be clubbed together to have multiple custom schemas i.e. one schema each for each custom application so custom purchasing schema should perform operations relate to purchasing and not inventory.

SOX talks about data security so naturally it talks about un-authorized data changes by custom developed objects which need to be restricted. To achieve this requirement, Customer Schemas like XXINV (Custom Inventory Application) doesn’t have INSERT/UPDATE/DELETE on Oracle APPS base tables. Now Oracle EBS always communicates with external systems through interfaces and APIs. So, custom schemas are given INSERT/UPDATE/DELETE permissions on Oracle Apps Open Interface tables, which allow external data to be imported to Oracle EBS. Seeded Oracle Import APIs and concurrent programs validate this data before importing it into Oracle EBS thus fulfilling SOX requirements.

To implement more control on data, Custom Application schema is given access module specific interface tables e.g. XXINV schema is given with INSERT/UPDATE/DELETE sprivileges on inventory (INV) interface tables, similarly XXPO schema is given with INSERT/UPDATE/DELETE privileges on purchasing (PO) interface tables.

There are cases when just interface tables are not sufficient to bring external data to Oracle Apps and/or to implement specific business requirement. In this case generally developers should TAR with Oracle and try to get solution/seeded API for updating base tables.

Since SOX talks about restricting un-authorized access to data, proper authorization by IT Higher Management can authorize INSERT/UPDATE on base tables and/or execute privileges to APIs which update base tables as exception. Proper change control mechanism is necessary for SOX compliance.

All access to the standard Oracle operating system accounts oracle and applmgr should be controlled and the appropriate logs maintained to identify the individual accessing these shared accounts.

We talked about custom applications, custom schemas, now on Operating system level Custom Applications have custom directory structures are maintained. All users other than oracle and applmgr have read-only access to all directories. In developers get WRITE access only to custom directory structures and that too only on development machines/instances. On restricted instances developer access can be strictly read-only.

On production instances write access is given to interface unix accounts only on those directories which interact with external systems through ASCII files. e.g. Item data files are received from external system called mapics, then we can have a interface user account called mapics which will have read/write access to directory $XXINV_TOP/datafiles/in etc. etc.

All access to interface accounts should be controlled and the appropriate logs maintained and monitored to ensure only authorized processes and users are transmitting interface files.

Migration from development instances to protected instances (viz. UAT Instance, PROD Instance) should go through change management process i.e Application Change Request and Approval process. This holds good for all changes

• Application Object Migration (Forms/Reports)
• Application Changes (LOOKUPs, PROFILEs,CONC Programs,MENUs etc)
• Patch Application
• Database Objects (Tables, indexes, Packages, functions etc)
• Operating system directory changes (e.g. new directories for new interface requirements)

Even in a well-controlled change management process, emergency changes are perfectly acceptable as long as there is a defined and documented process for such changes.

Monitoring and troubleshooting is often included in the scope of SOX compliance because a poorly managed environment could affect the accuracy and completeness of financial reporting. As an example, a daily interface program for journal entries that does not complete successfully and is not detected, may result in a misstatement (probably not material) of financials results.

1. No Custom Program Development in APPS schema of Oracle E-Business Suite instance.
2. One custom schema per custom application (e.g. XXINV for Custom Inventory Application) where all Custom Programs/Objects can be created.
3. Custom schemas should not have WRITE access (INSERT/UPDATE/DELETE privileges) on Oracle Apps Base Tables
4. Custom Schemas should have WRITE access only to interface tables related to respective application which is being customized e.g. Custom Inventory Application schema (XXINV) should have WRITE privileges to Inventory (INV) interface tables e.g. MTL_SYSTEM_ITEMS_INTERFACE and not Purchasing Interface table. This is required for building inbound interfaces to Oracle E-Business Suite.
5. In case business requirement needs a custom program to update Oracle Apps base table, it has to be done through an seeded API (This privilege should be approved by the IT management)
6. In case seeded API is not available to update base table, developers should raise Service Request (SR/TAR) with Oracle to confirm the non-availability of seeded API to update base table. To fulfill the business requirement formal IT higher management approval is needed as (Exception) to allow WRITE access on certain Oracle Apps Base Table.
7. Proper Monitoring should be incorporated in design/development of interface programs to track failures and build audit trail.
8. Change Control mechanism should be in place to perform any change in restricted Oracle Apps instances like User Acceptance Testing Instance/Production Instance etc.
9. Developer cannot have System Administrator responsibility on any Oracle E-Business Suite instance.
10. Support Staff can have read-only functional responsibilities to Oracle Applications.
11. Developers can have functional responsibilities in development instance through formal approval from IT higher Management.

Prasad Bhogle is a independent Oracle Apps Technical consultant with overall 13+ Years of experience in Oracle Technologies which includes 8+ Years in Oracle Applications. Currently working for Pune based organization as handling various roles like Project Manager/Solutions Architect for multiple Oracle Apps projects.