Oracle apps security

Hi
How do I prevent attacks at the web application level? For example: a developer posts the .jsp page through the URL: http://server.ten.com:(port):/OA_HTML/xxy.jsp. But this jsp page includes many special characters, that is , &, " etc. I need only values, not special characters. So I have to restrict those special characters in the above-mentioned jsp page (xxy.jsp), but I don't know how to do that. Please give me the solution.
Regards
A

Pl see your other post oracle apps
Srini
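One way to enforce the "values only, no special characters" requirement from the question, as an added example that is not from this thread or from Oracle: a servlet filter (Servlet 3.0 API assumed) that checks every request parameter against an allowlist and rejects the request before xxy.jsp ever runs, plus an HTML-encoding helper for the values the page does echo back. The class name, the allowed-character set and the length limit are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Allowlist filter for a JSP such as /OA_HTML/xxy.jsp (hypothetical name): any
 * request whose parameter names or values contain characters outside the
 * allowlist is answered with 400 and never reaches the page.
 */
public class ParameterAllowlistFilter implements Filter {
    // Assumed policy: letters, digits, space, underscore, dot, @ and hyphen only,
    // at most 200 characters. Commas, ampersands and quotes are therefore rejected.
    static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9 _.@-]{0,200}$");

    /** True when a single parameter name or value passes the allowlist. */
    public static boolean isClean(String value) {
        return value != null && ALLOWED.matcher(value).matches();
    }

    /** Name of the first offending parameter, or null when everything is clean. */
    public static String firstBadParameter(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (!isClean(e.getKey())) return e.getKey();
            for (String v : e.getValue()) {
                if (!isClean(v)) return e.getKey();
            }
        }
        return null;
    }

    /** HTML-encodes a value before the page writes it into its response body. */
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String bad = firstBadParameter(request.getParameterMap());
        if (bad != null) {
            // Reject rather than silently strip: stripping changes the value the
            // application acts on, and the error text must not echo the input.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Request parameter rejected by input validation");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it in web.xml with a filter-mapping whose url-pattern is the JSP's path, so the check is applied on the server regardless of how the request was built. The allowlist is deliberate: a denylist of just `,`, `&` and `"` would miss `<`, `>` and quote variants, and the encoding helper is still needed for anything the page writes back, because validation on input does not replace encoding on output.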

Similar Messages

  • Testing oracle apps security in reports

    Hi,
    I have a report which is running fine in Report builder 6i and also in Oracle apps(this is a customized report for oracle apps).
    Now I need to test the security in Oracle apps. As per the advice provided in metalink I added
    1) added a user parameter P_CONC_REQUEST_ID
    2) added "srw.user_exit('FND SRWINIT');" to the BeforeReport trigger
    3) added "srw.user_exit('FND SRWEXIT');" to the AfterReport trigger
    But now when I try to run in Oracle apps it gives below error
    REP-1416: 'beforereport': User exit 'FND'. IAF GET: unknown column 'P_CONC_REQUEST_ID'.
    Please help on how to solve this issue. Any help is appreciated

    Thanks for the reply. The problem still persists.
    The same metalink gives another solution as below but when I add the below to the report I couldn't compile. It gives "identifier hr_standard.event must be declared". Anyone used this before, if so how to use the same.
    3. If the issue is not resolved try placing the calls mentioned in 2 with
    hr_standard.event('BEFORE REPORT');
    hr_standard.event('AFTER REPORT');
    Metalink is
    How To Enable Hr Security on Custom Reports? [ID 369345.1]

  • Oracle Apps secure code review

    Is any documentation available (either Oracle or third party based) to guide secure code reviews for Oracle Apps (or more specifically, Oracle Application Framework)?
    I'm aware of the usual sql injection bad practices (as related to JDBC and PLSQL). I'm curious about API abuse, as related to:
    - cross-site scripting concerns
    - client-side trust issues (e.g., hidden field values)
    - improper or inconsistent input validation
    - improper error handling
    - improper session management
    - inappropriate access control
    Thanks.

    Thanks... I looked at that and didn't think it was all in there, but I looked again after I got your reply and it appears to be what we are looking for (at least a starting point).

  • Can VPD Virtual Private DB in 10g replace Oracle Apps security rules?

I read the recent article in Oracle Magazine called 'Testing Database Security', and especially the section on Virtual Private Database (VPD) caught my attention. Can this feature of the 10g database be used by the Oracle Apps to restrict access to data through the apps login? We just moved to 10g.
    Our current data security is enabled by leveraging security rules attached to responsibilities. Our security rules restrict by operating unit, of which there are 89. It would be great if VPD could be used, as it might replace the need to create 89 separate security rules. We would maintain just one set of policies.
    Does anyone know if this can be used on the applications level? If anyone has done this, do you know of a documentation link that would help?
    Thanks for your insight.

    Sebes,
    Thanks for the link...it sounds like it may be part of the Oracle future landscape, but for now, we will have to live with security rules.
    Sincerely,
    Brenda

  • Validate Oracle Apps Username and Password via ADF?

Hello. I'm trying to verify a person's user id and password in ADF 11g. I snagged the FND classes to be able to do this, and am calling it as follows:
    AppsContext ac = new AppsContext("/home/workspace/idev.dbc");
    boolean loginStatusCode = ac.getSessionManager().validateLogin(userName, password);
    if(loginStatusCode == true)
    return "success";
    else
    return "failure";
    This works in the Application Module tester, and works as a standalone program. However, when I run it in weblogic I get a class cast exception (this can be fixed by removing the ojdbc5 & 6 files in the lib folder and replacing them with the ojdbc14 jar) Unfortunately, it fixes that problem but then all the ADF stuff breaks.
    Has anyone used Oracles apps security for logging in a user? Or, is there a way to have Weblogic use the ojdbc14.jar for a singular deployment? Here's the class cast I get:
    oracle.jbo.JboException: JBO-29000: Unexpected exception caught: java.lang.IllegalAccessError, msg=tried to access class oracle.jdbc.driver.OraclePreparedStatement from class oracle.apps.fnd.common.ProfileCache
    Thanks in advance.

    Hi,
    you can also validate an FND login using the FND_WEB_SEC.validate_login package if it's easier.
    Brenden

  • Implementing Function Security in Oracle apps.

I wanted to restrict certain menus in Payables manager for a particular user. How should I implement it? Is there any live example of implementing function security in oracle apps? Please Help.

    Hi,
One approach is to create a custom menu, attach to it all the menus and functions you want, and then add this menu to a new responsibility. But this is not the best way to solve the issue because you have to define different menus + responsibilities for each different user. Another way is to create roles which can be assigned to users.
    Thanks,
    Bahchevanov.

  • Multi security groups in Oracle apps hrms

    Hi All,
    Could you please let us know how to enable or disable multi security groups in Oracle Apps hrms?
Thanks,
    Anil

    If you have access to Oracle Help-on-line check it there

  • Security features in Oracle Apps (Oracle Financials)

    Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials.

    If you have access to Oracle Help-on-line check it there

  • Implementing Security For ADF Pages when integrated with Oracle APPS

    Hi,
    Can anyone please let me know the solution to the below problem ?
I have an ADF application that is deployed on a weblogic server. A URL is generated to access the ADF Pages.
    I have created one more simple jsp (Launch.jsp) which redirects to this URL on page load.
    I am using Oracle APPS where:
    ->I registered a form function referring to Launch.jsp
    ->I am referring form function in a responsibility , attaching that to a menu
    ->When the valid oracle user logs in, I am sending all oracle apps environment variables (User id , Responsibility id, application id ) for that session
    What my issue is :
    ->The URL along with the parameters that I am sending from the Launch.jsp to the ADF Page is visible to the user. So, even if the Oracle APPS user has not logged in, anybody who knows the URL can access the ADF Pages.
->So, is there any way to implement security so that even someone who knows the URL of the ADF Page cannot access the ADF Pages without a valid user being logged in through Oracle APPS?
    I am using Jdeveloper 11g.
    Please let me know if you need anymore details.
    Thanks in advance,
    Kavitha

    Please help me out if anyone has a solution to this problem.
    Thanks,
    Kavitha
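The problem in this thread is that user id, responsibility id and application id travel as bare URL parameters that anyone can retype. As an added example (not Oracle's code and not from the thread), the following shows one generic way to stop that: Launch.jsp mints a short-lived HMAC-signed token over those three values only after the Apps login has succeeded, and a filter in front of the ADF pages refuses any request whose token does not verify. The class and method names, the token layout and the shared secret provisioned to both servers are assumptions; Java 8 or later is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper shared by the EBS side (issuer) and the ADF side
 * (verifier). Token format: base64url(payload) "." base64url(HMAC-SHA256),
 * payload = userId|respId|appId|expiresAtEpochSeconds.
 */
public class SignedLaunchToken {
    private static final String ALG = "HmacSHA256";

    /** Called by Launch.jsp once the Oracle Apps session is known to be valid. */
    public static String issue(String userId, String respId, String appId,
                               long expiresAtEpochSec, byte[] secret) throws Exception {
        String payload = userId + "|" + respId + "|" + appId + "|" + expiresAtEpochSec;
        String payloadB64 = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        String macB64 = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(hmac(payloadB64, secret));
        return payloadB64 + "." + macB64;
    }

    /**
     * Called by a servlet filter guarding the ADF pages. Returns
     * {userId, respId, appId} when the signature verifies and the token has not
     * expired, otherwise null. Nothing from an unverified token is trusted.
     */
    public static String[] verify(String token, byte[] secret, long nowEpochSec) throws Exception {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        String payloadB64 = token.substring(0, dot);
        byte[] givenMac;
        byte[] payloadBytes;
        try {
            givenMac = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            payloadBytes = Base64.getUrlDecoder().decode(payloadB64);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so response timing does not reveal how many
        // bytes of a forged MAC happened to match.
        if (!MessageDigest.isEqual(hmac(payloadB64, secret), givenMac)) return null;
        String[] parts = new String(payloadBytes, StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 4) return null;
        long expiresAt;
        try {
            expiresAt = Long.parseLong(parts[3]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSec >= expiresAt) return null;
        return new String[] { parts[0], parts[1], parts[2] };
    }

    private static byte[] hmac(String data, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(secret, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed values for a local run; the real secret is random and never in source.
        byte[] secret = "replace-with-a-random-32-byte-secret".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis() / 1000;
        String token = issue("1001", "50123", "200", now + 60, secret);
        // Flip the first payload character: the MAC no longer matches.
        String tampered = (token.charAt(0) == 'A' ? "B" : "A") + token.substring(1);
        System.out.println("valid token accepted:   " + (verify(token, secret, now) != null));
        System.out.println("expired token accepted: " + (verify(token, secret, now + 61) != null));
        System.out.println("tampered token accepted:" + (verify(tampered, secret, now) != null));
    }
}
```

The filter on the WebLogic side calls verify() on the token parameter and sends 403 when it returns null; the three ids the ADF page then uses come from the verified payload, never from separate request parameters. A short expiry limits how long a copied URL stays useful, and the verification must happen server-side on every request to the ADF pages, not only on the first landing.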

  • Oracle Apps roles in BO security

    Hi,
    I need help in understanding if we can import and use Oracle Apps roles of a user in BO security directly.
Requirement is that roles which are present in Oracle apps for an oracle user can directly be imported to BO.
We are using Oracle ebiz as a source to create our DWH and then we are doing reporting on this DWH.
We have oracle apps ebiz roles defined in erp system, the same we want to use for BO user.
Do we have to define all the users again with their security in BO or can it be imported directly by any means from Oracle Apps?
I don't know how to achieve this.
    Can somebody help?
    Regards,
    Gaurav

You can import users from OID (Oracle Internet Directory) LDAP server, and in theory any LDAP v3 directory can be used (although a limited list of the most common LDAP servers is tested and supported on our product).
You can access the LDAP plugin from the CMC > authentication and configure the options based on your LDAP server.
    Regards,
    Tim

  • Fusion Apps web service call fails with error access denied (oracle.wsm.security.WSFunctionPermission)

    Hello Guru,
    I am trying to call a supplier service from SOA/OSB.
    But while calling the service it is failing with the below error message
    access denied (oracle.wsm.security.WSFunctionPermission http://xmlns.oracle.com/apps/prc/poz/suppliers/supplierService/SupplierService#getSupplierVO invoke)
As per the OER cookbook I have attached the "oracle/wss_username_token_client_policy" to the Fusion apps web service.
I am trying to pass security credentials to the service using all the methods... through composite, through bpel, through wsse header, but in all cases I am getting a similar error.
Please let me know if someone has called the fusion apps web service to create a supplier, or has a solution to my problem as mentioned above.

    Hi Sai,
Thanks for the quick and correct response. Yes, after doing the research, I also came to the same conclusion. But what stops me here is where exactly I need to check for this permission.
    I mean the theory what I built on this Authorization/Permission is that:
       For the resource - WebService (SupplierService), there is an assigned application role for which the Entitlement/Permission is provided.
    Pls. help me in the below items:
    a. What is the application role(in role hierarchy) assigned to this resource(Webservice). Which page I need to check(navigation) this and the required credentials..
    b. What is the Entitlement provided for this application role for this operation (getSupplierVO) invoke.. Which page I need to check(navigation) this and the required credentials..
    Thanks in Advance.
    Thanks & Regards
    Madhu

  • Oracle Apps 12.03 and dbf file under $FND_TOP/secure

    Hi All,
    I have a question. Back to 11i, there was a .dbc file under $FND_TOP/secure. To generate it or edit, you could use jre oracle.apps.fnd.security.AdminAppServer with the parameters.
    For R12 (R12.0.3 with a 10.2.0.2 DB), the file should be under $INST_TOP/apps/fnd/12.0.0/secure right? In my case, I do not have the apps folder under $INST_TOP.
    Is R12 still using a dbc file and if so, where should it be and how can I regenerate it?
    Thank you,
    Nayas
    aka Felix

    Hi Hsawwan,
    Thank you for the reply. I found the command and the parameters in the document suggested.
Another quick question. From the document you suggested, the directory they use to save the file is $FND_TOP/secure. Shouldn't it be under $INST_TOP/appl/fnd/12.0.0/secure for R12?
    Thank you,
    Nayas
    aka Felix

  • Error oracle.apps.xdo.security.ValidateException

    Hi,
    When trying to login in the BI Publisher, I am getting the following error:
    oracle.apps.xdo.security.ValidateException
    The username and password are correct and the xmlpserver is running. I am using the OC4J application server. Any ideas please?
    Thanks
    Marija

    I believe there is some problem with the BI Server security. Try changing the security to XDO in xmlp-server-config.xml file. I have blogged about it here http://oraclebizint.wordpress.com/2007/11/06/oracle-bi-publisher-and-bi-ee-invisible-admin-tab/. Though the blog entry was for some other issue but this should help you in changing the security.
    Thanks,
    Venkat
    http://oraclebizint.wordpress.com

  • Creating security similar to Oracle Apps

We have an application that has security similar to Oracle Apps, i.e. maintaining the users and roles (responsibilities) within our application. Discoverer has a special login mechanism for Oracle Apps users. Is there a way to configure Discoverer to work with another application which has a similar security mechanism?

    Hi Maruthi
    I'm afraid I have no documentation to point you at because this was done for a specific client and I have just not had the time to put together some generic documents. I can't use the client's documents because that would be unethical and has pictures of their data.
    Nevertheless, here is an overview.
    1. Look at all of the Oracle base tables and determine which ones have one of the following: ORG_ID, Set of Books ID (SOB_ID) or Chart of Accounts ID (COA_ID).
    2. Look at the same tables and run some scripts such as this: SELECT COUNT(*) FROM TABLE
3. For all such tables that have more than say 200,000 rows add one partition for each ORG_ID, SOB_ID or COA_ID
    4. As you know, when a user logs in using an Apps account, the system sets a SYS_CONTEXT variable identifying the ORG_ID that user has access to. This is fine for tables that have an ORG_ID, but for those which only have a SOB_ID or COA_ID you can't use the ORG_ID. Therefore, what you do is create a new table, let's call it ORG_ORGANIZATIONS, that links an ORG_ID with its associated SOB_ID and COA_ID. The table is indexed on the ORG_ID.
    5. Create one function per type, thus one for ORG_ID, SOB_ID and COA_ID.
For ORG_ID - function named 'DP_ORG_SECFUNC', the heart of the function is:
select substr(userenv('CLIENT_INFO'),1,5) into x_org_id from dual;
v_statement := 'ORG_ID = '||x_org_id;
return (v_statement);
For SOB_ID - function named 'DP_SOB_SECFUNC', the heart of the function is:
select substr(userenv('CLIENT_INFO'),1,5) into x_org_id from dual;
SELECT SET_OF_BOOKS_ID INTO v_set_of_books_id
FROM ORG_ORGANIZATIONS WHERE ORG_ID = x_org_id;
v_statement := 'SET_OF_BOOKS_ID = '||v_set_of_books_id;
return (v_statement);
For COA_ID - function named 'DP_COA_SECFUNC', the heart of the function is:
select substr(userenv('CLIENT_INFO'),1,5) into x_org_id from dual;
SELECT CHART_OF_ACCOUNTS_ID INTO v_chart_of_accounts_id
FROM ORG_ORGANIZATIONS WHERE ORG_ID = x_org_id;
v_statement :='CHART_OF_ACCOUNTS_ID = '||v_chart_of_accounts_id;
return (v_statement);
    6. Create a view for each table you want to protect. For example, here is the code that creates a view for AP_INVOICES_ALL
    CREATE OR REPLACE VIEW DV_AP_INVOICES_ALL
    AS SELECT * FROM AP_INVOICES_ALL ;
    SHOW ERRORS
    EXEC DBMS_RLS.ADD_POLICY('APPS', 'DV_AP_INVOICES_ALL', 'SecByOrg', 'APPS', 'DP_ORG_SECFUNC', 'SELECT');
    Notice how this view is being protected by a policy that when anyone runs a SELECT against this view a VPD policy kicks in and calls the ORG security function.
    7. Change all of your code that Discoverer is pointing at to use new views similar to the above.
    I hope this helps
    Best wishes
    Michael Armstrong-Smith
    URL: http://learndiscoverer.com
    Blog: http://learndiscoverer.blogspot.com

  • Unable to get 'InitialContext' using Java Client in Oracle App 10.0.2.0

    Scenario & Problem Description: Unable to get 'Initial Context' using Simple Java Client in Oracle Application Server 10.0.2.0
    I'm having an issue while I try to initialize the Initial Context for an EJB lookup from a simple Java Client [local lookup], but the same code snippet works fine when I try from Servlet. I have enclosed the Exception Stack Trace and the Code Snippet for your reference.
    1. .NET Client ---> Servlet --> LookupUtility --> EJB --> DB - Issue
    2. .NET Client ---> Servlet --> EJB --> DB - Works
    Exception: java.lang.InstantiationException: Error communicating with server: Lookup error: javax.naming.AuthenticationException: Invalid username/password for Config (guest); nested exception is: nested exception is: Exception in InitialContext: javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Invalid username/password for Config (guest) at com.evermind.server.ApplicationClientInitialContextFactory.getInitialContext(ApplicationClientInitialContextFactory.java:149)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at com.seagate.edcs.config.util.LookupUtility.getInitialContext(LookupUtility.java:123)
    at com.seagate.edcs.config.util.LookupUtility.getConfiguration (LookupUtility.java:69)
    at com.seagate.edcs.config.util.LookupUtility.main(LookupUtility.java:135)
    Code Snippet:
import java.util.ArrayList;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import com.seagate.edcs.config.ejb.ConfigSessionEJB;
import com.seagate.edcs.config.ejb.ConfigSessionEJBHome;

public class LookupUtility {

    /** This method returns the Configuration for the properties set. */
    public ArrayList getConfiguration() throws Exception {
        ArrayList arrayList = null;
        try {
            Context context = getInitialContext();
            System.out.println("Context : " + context);
            Object home = context.lookup("java:comp/env/ejb/com.seagate.edcs.config.ejb.ConfigSessionEJBHome");
            System.out.println("Object home : " + home);
            ConfigSessionEJBHome configSessionEJBHome = (ConfigSessionEJBHome) PortableRemoteObject.narrow(home, ConfigSessionEJBHome.class);
            System.out.println("ConfigSessionEJBHome configSessionEJBHome : " + configSessionEJBHome);
            ConfigSessionEJB configSessionEJB = (ConfigSessionEJB) PortableRemoteObject.narrow(configSessionEJBHome.create(), ConfigSessionEJB.class);
            System.out.println("ConfigSessionEJB configSessionEJB : " + configSessionEJB);
            arrayList = configSessionEJB.getAllConfig();
            System.out.println("Context : " + context);
        } catch (Exception ex) {
            System.out.println("Exception Occured");
            throw ex;
        }
        return arrayList;
    }

    /** Get an initial context from the JNDI tree. */
    private Context getInitialContext() throws NamingException {
        try {
            Hashtable hashtable = new Hashtable();
            hashtable.put("java.naming.factory.initial", "com.evermind.server.ApplicationClientInitialContextFactory");
            hashtable.put("java.naming.provider.url", "ormi://seagate.mil-shivas-270.am.ad.seagate.com/home"); // if we won't specify the port, it considers the default port
            hashtable.put("java.naming.security.principal", "ias_admin");
            hashtable.put("java.naming.security.credentials", "ias123");
            return new InitialContext(hashtable);
        } catch (NamingException ne) {
            System.out.println("Exception in InitialContext.");
            throw ne;
        }
    }
}
    Note:
1. The user "ias_admin" & password "ias123" are the credentials provided for the 'Admin' while installing the Oracle App Server, and using these credentials I'm able to bring up the Admin Console. Also, added new user 'guest/guest' - assigned this user to the 'admin' group ...
2. Since it's a local lookup, there is no need to specify the credentials, but at runtime a dialog box pops up prompting to enter the 'userid/password' and when I enter the credentials, I get the exception as stated. [In case of Servlet - EJB lookup, I'm not specifying any credentials]
Are there any configuration parameters which I need to provide in any of the .xml? Could you please let me know the fix for the same.
    Regards,
    Kafeel/-

    Please use the OS {forum:id=210}
