X

The Latest Oracle E-Business Suite Technology News direct from
Oracle E-Business Suite Development & Product Management

Using Audit Vault with Oracle E-Business Suite

Steven Chan
Senior Director
Oracle Audit Vault is a database option that automates the collection and consolidation of audit data to support regulatory compliance and reduce security risks.  Audit Vault provides compliance and entitle reports, alert notifications, and centralized audit policy management.  Audit Vault provides compliance reports to address regulatory requirements for database activity monitoring and auditing for:  
  • Sarbanes-Oxley (SOX) Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry (PCI) Data Security Standards (DSS)

Conceptual diagram showing audit data tracked by Oracle Audit Vault

 From the Oracle Audit Vault FAQ:

Audit Vault extracts audit records produced by the database's native audit facility so no special certification is required by the application since it is transparent. Any packaged application such as Oracle E-Business Suite, PSFT, Siebel, and SAP work seamlessly with Audit Vault to collect the native audit records.

E-Business Suite suggests that auditing and monitoring of privileged users, user sessions, database links, and database changes is a key element in monitoring and securing your applications. Please see Metalink Note 189367.1. Audit Vault supports all versions of E-Business Suite that sit on top of Oracle database versions 9.2.x forward.

In addition, the Oracle database column, client_identifier, can be used to pass the end application user to the native audit record. E-Business Suite updates client_identifier automatically starting with version 12 of the application, PeopleTools starting with 8.50, and SAP kernal version starting with 7.10. The client_identifier value can be used in the Audit Vault reports to view the application user, OS user, and database connection user information for forensic analysis.

No special setups required for EBS

In other words, you can use Audit Vault's generic documentation for E-Business Suite databases.  No special EBS-specific documentation or setups are required to enable Audit Vault in EBS instances.

Related Articles

Join the discussion

Comments ( 18 )
  • Jay Weinshenker Thursday, July 14, 2011

    Does Audit Vault still require it be disabled when applying an Apps patch? If so, it still won't meet all of my clients' auditor requirements.


  • Steven Chan Friday, July 15, 2011

    Jay,

    I checked with our architects and nobody seems to understand the Audit Vault issue that you're alluding to.

    Are you thinking of *DATABASE* Vault? In an earlier version of Database Vault, you needed to disable it to apply patches. That's no longer the case today, though. You can apply patches to Database Vault-enabled EBS environments without disabling that option.

    Regards,

    Steven


  • Jay Weinshenker Friday, July 15, 2011

    Yep, I've got the products mixed up. My fault, sorry about that.

    Another question though - where does this fit in for a company running EBS compared to Oracle GRC (Governance Risk and Compliance) which is also for SOX auditing, compliance and entitle reports, alert notifications, and centralized audit policy management?

    I recall GRC is very specific to versions of Oracle Apps (or Peoplesoft, and I think another program) but as you wrote above this works with any version of the Apps as long as it's a 9.2.0.X DB or above..


  • Steven Chan Monday, July 18, 2011

    Jay,

    Audit compliance falls pretty far outside of my area of expertise. I can't really comment on the relative positioning of those two products for compliance coverage. I'd recommend asking your Oracle account manager to get a specialist in to brief you on the relative strengths of those two products for different audit requirements.

    Regards,

    Steven


  • guest Tuesday, July 26, 2011

    Does this show column before and after values on data updates.

    So If I change column abc from 1 to 2 does it record both values and who changed it.


  • Steven Chan Wednesday, July 27, 2011

    Hello, Guest,

    Our Audit Vault team replied:

    "The Audit Vault REDO collector will display both the old and new values of the column that changed, who changed it, and when.

    "In fact, the REDO collector will collect all 'inserts', which displays all values that were inserted. And on 'deletes', it will display the column values of the record before it was deleted.

    Based on the primary key values or a combination of columns, you can determine which record has been updated."

    Regards,

    Steven


  • Jay-A Friday, July 29, 2011

    Hi Steven,

    I am trying to implement audit vault to our E-Biz application (11.5.10.2). My problem right now is in audit vault report, data access show the schema user, not the application user.

    For example, user 'JHAVOC' updates the sales order, in Audit Vault report, the user who updated the sales order is 'APPS', not 'JHAVOC'.

    I already applied patch 11870353 and followed note 1130254.1 but still it was not solved.

    Do you have any idea on this??

    Thanks,

    Jay


  • Steven Chan Friday, July 29, 2011

    Hi, Jay,

    I'm sorry to hear that you've encountered an issue with this.

    No idea, I'm afraid. I don't have any personal experience with Audit Vault.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Regards,

    Steven


  • anton dsilva Thursday, February 2, 2012

    Hello Steven,

    Considering the fact the the Security analyst who defines/monitors AV may not be an apps DBA, are there any out of the box templates for Ebiz that will enable them to monitor activies based on business transactions without having knowledge of underlying tables.

    Regards,

    Anton


  • Steven Chan Thursday, February 9, 2012

    Hello, Anton,

    Sorry for the delay in responding to this.

    No, we don't have any prebuilt Audit Vault templates for the E-Business Suite right now. We're evaluating this project, but other security-related initiatives are the focus of our development activities at this point.

    Regards,

    Steven


  • Martin Zangger Wednesday, April 25, 2012

    Hi,

    I have been searching "high and low" without success and will now try my luck with this blog.

    I would like to know if it is possible using Audit Vault to accomplish the following:

    - Track EBS user usage of all responsibilities.

    The thing is that I have created a concurrent request automatically end dating all combinations of user / responsibilities not used within the last 90 days - it works fine when it comes to "Forms responsibilities", but I cannot seem to find information about last usage of either Self Service - or Discoverer responsibilities.

    I'm looking in tables "APPLSYS.FND_LOGINS" and "APPLSYS.FND_LOGIN_RESPONSIBILITIES".

    So my question is - will setting up Audit Vault do the trick or will you recommend a different approach to track usage of Self Service - and Discoverer responsibilities? Or do you have some other suggestion where I can find more information about this issue?

    In my opinion it should be a standard feature as with Forms responsibilities - and maybe it is and just me not being able to find out how to (if so, it is very well hidden in all available documentation...;-)

    BR Martin


  • Martin Zangger Friday, April 27, 2012

    Hi again

    Ok - doing a little more research and getting help from Oracle Support I found a solution to my problem: "Page Access tracking"

    Enabling this for both "Web" and "Form" gives me the possibility to track all users usage of all responsibilities. Standard feature of course - nice ;-)

    If someone has a similar problem or just wants to know about Page Access Tracking more information can be found looking up this document: [ID 402116.1]

    BR Martin


  • Steven Chan Monday, April 30, 2012

    Martin,

    I ran this by our security architects. Page Access Tracking under Oracle Application Manager was added for OA Framework-based pages. In addition, George Buzsaki (the grandfather of AOL) noted:

    <snip>

    The Sign-on Audit feature should allow you to track user access to responsibilities. Forms or OAF should not matter, the auditing should work in all cases. You don't need audit vault for this, Sign-on Audit is built into EBS. We don't ship a report of "responsibilities not accessed in a long time", but it should be possible to write this query by looking at the FND_LOGIN_RESPONSIBILITIES table.

    </snip>

    Regards,

    Steven


  • guest Wednesday, October 24, 2012

    Hello Experts,

    Would you please provide any reference or whitepaper to integrate EBS R12 with Audit Vault?


  • Steven Chan Wednesday, October 24, 2012

    Hello, Guest,

    The article above states:

    No special setups required for EBS

    In other words, you can use Audit Vault's generic documentation for E-Business Suite databases. No special EBS-specific documentation or setups are required to enable Audit Vault in EBS instances.

    Regards,

    Steven


  • guest Sunday, September 28, 2014

    Dear,

    I have successfully installed oracle AVDF and deployed its agent on EBS and enabled auditing on some tables now I am able to see the audit reports from audit vault webpage but it is not tracing client ip and the sql statements is there any other specific configurations required to get these.

    Thanks & Regards


  • Steven Chan Monday, October 6, 2014

    Hello, Guest,

    I'm sorry to hear that you've encountered an issue with this.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Regards,

    Steven


  • Shah Saturday, December 27, 2014

    Hello Steven,

    Oracle EBS lacks many basic information to be forwarded to Audit Vault, for example the client IP address or hostname, program_name, application username, transaction numbers etc. To be frank using Oracle Audit vault for Oracle EBS is not a good idea. Oracle EBS team has to work with Audit Vault team to make it a useful tool for auditors.

    Regards,

    Shah


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.