Before we do a security comparison between Oracle Fusion and EBS, let us touch base on some fundamentals.
What is Authentication
Authentication is where the user needs to prove their identity using a username and password.
What is Authorization
Authorization identifies the data and actions the user can access, i.e. if the user has the correct permissions then they can perform the requested operation on the data, the screen, the report or the workflow.
Data Security
Controls which data the users can operate upon in the system.
In Oracle EBS, the product has been developed using predefined data security policies in the AOL module and also in each module that uses GL Ledgers, Value Sets or Multi Org Access Control. In the case of Oracle R12 E-Business Suite HCM, it uses product-specific security called "Security Profiles", which are attached to a responsibility.
However, in the case of Oracle Fusion Cloud Applications, Oracle has developed a layer named APM. This APM layer sits above Oracle Identity Manager and Oracle Entitlement Server. The data security policies are stored in the data security policy store and are managed using the APM screens, i.e. Authorization Policy Manager.
In Fusion you have Reference data sets, which allow business units to share reference data with one another. For example, you may wish to share certain payment terms globally across all business units, allowing you to enforce global payment policies. Reference data is managed by sets whilst the transactional data is managed by business units. This avoids the need to duplicate reference data for each business unit.
Summary of comparison
| | E-Business Suite | Fusion Apps |
|---|---|---|
| Authentication | FND_USER, or via OID/OSSO/OAM if you buy licences for Single Sign-On | Out of the box using Oracle Access Manager that comes bundled into Fusion. However, you can federate out the authentication to other tools such as ADFS, Azure, etc. |
| Authorization | AOL security model, with RBAC as an add-on | Roles are managed using OPSS, and permissions are placed in jazn files |
| Role Security | Custom developed for EBS | Uses Oracle Platform Security Services (OPSS) from Oracle Fusion Middleware |
| Technology | SQL, PL/SQL, Forms and Reports | Fusion Middleware |
| Segregation Of Duties (SOD) | No functionality unless you implement the GRC module | With Fusion R13, GRC for Segregation of Duties will come bundled into Oracle Fusion Cloud |
| HR specific data security | Security Groups in EBS HCM | Security Profiles in Fusion HCM |
| Management of security (Roles/Responsibilities) | Oracle forms and SQL | OIM APM ADF Forms |
| Multiple Organization data segregation | Multi-Org using Operating units that are loaded into a global temp table during session initiation | Similar to EBS, but uses business units |
Both E-Business Suite and Fusion Apps have similar capabilities to authenticate users, but EBS uses a proprietary system whereas Oracle Fusion Cloud takes advantage of the latest standards-based methodology in Fusion Middleware.
Where can the authentication be delegated to in Fusion Public Cloud?
The responsibility to authenticate the username and password can be delegated (federated) to other systems such as those listed below:
Microsoft Active Directory Federation Services (ADFS)
Oracle Identity Federation (OIF)
Oracle Access Management
Shibboleth open source single sign-on software
Okta (cloud-based auth provider)
Ping One and Ping Federate
Microsoft Azure Active Directory (Azure AD)
IBM Tivoli Access Manager
IBM Security Access Manager
OneLogin
Do the OTBI reports support data access set security?
Yes, the reporting layer in OTBI applies the same security as applied by Oracle Fusion screens.
The users can view the Fusion GL journals and Fusion Essbase balances for all the ledgers which are attached to the user's data access sets. For example, if a user has access to data access set DA1 (ledger A and ledger B are attached to DA1) and data access set DA2 (ledger C and ledger D are attached to DA2), then in OTBI the user can view the data for all the ledgers: ledger A, B, C and D.
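Because reporting visibility is the union of every data access set a user holds, an access review has to look at the combined result, not at each set on its own. The sketch below is an added example, not Oracle code: it models that union and reports which access set grants any ledger outside an approved baseline. All user names, set names, ledgers and the baseline are constructed sample data.

```python
# Added illustration of the union semantics described above.
# Every name and mapping here is constructed sample data, not an Oracle API.
from collections import defaultdict

# Data access set -> ledgers attached to it (DA1/DA2 mirror the example above)
ACCESS_SET_LEDGERS = {
    "DA1": {"Ledger A", "Ledger B"},
    "DA2": {"Ledger C", "Ledger D"},
    "DA3": {"Ledger B", "Ledger E"},
}

# User -> data access sets assigned to that user (constructed)
USER_ACCESS_SETS = {
    "jsmith": ["DA1", "DA2"],
    "mlee": ["DA1", "DA3"],
    "tkhan": ["DA9"],  # refers to a set with no ledger definition
}

# Ledgers each user is approved to report on (hypothetical review baseline)
APPROVED_LEDGERS = {
    "jsmith": {"Ledger A", "Ledger B", "Ledger C", "Ledger D"},
    "mlee": {"Ledger A", "Ledger B"},
    "tkhan": set(),
}


def effective_ledgers(user):
    """Return {ledger: sorted access sets granting it} for one user."""
    granted = defaultdict(set)
    for access_set in USER_ACCESS_SETS.get(user, []):
        for ledger in ACCESS_SET_LEDGERS.get(access_set, set()):
            granted[ledger].add(access_set)
    return {ledger: sorted(sets) for ledger, sets in granted.items()}


def review(user):
    """Compare a user's reporting visibility with the approved baseline."""
    visible = effective_ledgers(user)
    approved = APPROVED_LEDGERS.get(user, set())
    assigned = USER_ACCESS_SETS.get(user, [])
    return {
        "visible": sorted(visible),
        "excess": {led: visible[led] for led in sorted(visible) if led not in approved},
        "undefined_sets": sorted(s for s in assigned if s not in ACCESS_SET_LEDGERS),
    }


if __name__ == "__main__":
    for name in USER_ACCESS_SETS:
        print(name, review(name))
```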
Securing GL data
The GL data for balances is reported from Essbase Cubes in Fusion. The SmartView and OTBI reports used on Essbase respect the security policies for Ledgers and value set values.