Skip to main content

Oracle E-Business Suite Security

Introduction to Oracle E-Business Suite Security

Oracle E-Business Suite contains many aspects of security, some of which are consistent across the product and others which apply only in relevant areas. This document provides a brief explanation of each aspect of Oracle E-Business Suite security currently relevant to Financials, Purchasing, Projects and the HR modules. The document will also provide an explanation of the Hubble for EBS security features and how these relate to the Oracle security.

Oracle E-Business Suite includes several aspects of security designed to control what a user can view, update and do within the system. Some security aspects apply to all modules while some apply to specific modules. The security features are designed to allow an organization to mirror the way they are structured and the company/departmental security they require along with internal control.

There are also additional security features which can be applied at the database level and through technology tools but these are not considered here.

Users and Responsibilities

Each user is assigned a username and password to control their access to the system. Each user may have access to one or more Responsibilities. It is the Responsibilities that control which areas of the system the user may access and also the links to the other security features within the system. Often a user with a broad role is required to change Responsibilities as they work through the modules within Oracle. Once a Responsibility is created, a range of profile options are completed which link and restrict that Responsibility to specific data areas.

The following diagram illustrates the key links:

 

  1. Business Group, Ledgers and HR Orgs: The highest element in the organization structure is the Business Group. A client may have more than one Business Group if they need to separate companies within their structure. A Responsibility is linked to just one Business Group using the profile option HR:Business Group. Although HR Business Groups are specified for Responsibilities, they do not play an active part in security over the Financial modules but will restrict down data in the HR module. The next elements to be defined are the Ledgers (or Set of Books in 11i) and the HR Orgs. The Ledgers govern the financial controls of the system, for example the calendars, chart of accounts, etc. are attached to a ledger. Again, profile options govern to which ledger a Responsibility is linked. In R12 a new feature has been introduced which allows a single Responsibility to have access to multiple ledgers using Ledger Sets. This is controlled through Data Access Security and Profile Options.
  2. Operating Units (OUs): Operating Units provide the separation of companies or departments within an organization. The Operating Unit is linked to the Responsibility through a Profile Option which can be set directly at the Responsibility level, or can be set at the site level and the Responsibilities will then pick it up from there. In 11i a Responsibility is linked to just one OU. This controls the data a user can see, some of the process controls, etc. Operating Units are also often referred to as “Organizations” or “Orgs” within Oracle. In R12, security was changed to allow one Responsibility to be attached to multiple OUs, for example, where users work in a shared service center supporting multiple companies or departments. This is known as Multi Org Access Control (MOAC). Different modules use these OUs or ORGs to a greater or lesser degree; for example, General Ledger does not refer to OUs but Payables, Receivables, etc. do. Inventory is slightly different as it has its own Inventory ORGS as an additional layer below the operating units. In R12, many of the input and inquiry workbenches have been changed to allow the input or default of the relevant operating unit. This means that users are more likely to have different OUs available to them as they drill through EBS transactions; for example at the GL level, OUs are not needed for security but they may have access to 2 or 3 in Payables and the same or a different number of OUs in Receivables.
  3. GL Security Rules: For the General Ledger, there is also Data Security. Security can also be applied to control access to specific ranges within a chart of account segment (or multiple segments). For example, a business unit manager may only see data for her cost center. This is known as GL Security Rules. Profile Options enable the client to specify whether that security should be carried through to the subledgers.
  4. Data Access Sets: This data security has been added to in R12 with the introduction of Data Access sets. This means security can also be applied by ledger set, balancing segment or management segment. This only applies to the General Ledger and is secured by assigning an additional profile, the GL: Data Access Set profile. Before you can use a system-generated or user-defined data access set for General Ledger processing, you must have your System Administrator assign it to the profile option GL: Data Access Set at the General Ledger Application, or Responsibility, level. This Profile Option controls the ledgers that can be accessed by Oracle General Ledger (not the subledgers). Where data access sets are used to control access to the General Ledger, a ledger name which is included in that ledger set must be assigned too so users can view subledger data transferred to the General Ledger.
  5. HRMS: Where clients have implemented HRMS, they have the choice of using the standard security or security groups. Security groups use a combination of the user, security group and responsibility to restrict the data, this is less common and not currently supported by insightsoftware.com. Standard security makes use of a Security Profile which is added to a responsibility via a profile option. The Security Profile can contain many layers to restrict the data including Business Group, HR ORGS, Supervisor, Payroll and some additional configuration options. Hubble will respect the security configuration within the profile options when accessing the HR templates. This configuration has no impact on the Financial modules.
  6. Menus: Finally, the main control over the functions a user can access is controlled via the Responsibility links to the menus. There are a vast range of menu hierarchies seeded with the system to ensure users do not have access to the wrong functions or wrong combination of functions. Each menu can include many functions as many of the activities within modules are presented as workbenches with multiple functions available from one screen. To ensure granular control, inclusions and exclusions to specific functions can be applied at the Responsibility level so a generic menu can be applied but specific items included or excluded.