Securing Flexfield Value Sets in EBS 12.2

Separation of Duties in Flexfield Value Set Security

Release 12.2 includes a new feature: flexfield value set security.

This new feature gives you additional options for ensuring that different administrators have non-overlapping responsibilities, which in turn provides checks and balances for sensitive activities.  Separation of Duties (SoD) is one of the key concepts of internal controls and is a requirement for many regulations including:

  • Sarbanes-Oxley (SOX) Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • European Union Data Protection Directive.

The primary intent of Separation of Duties is to put barriers in place to prevent fraud or theft by an individual acting alone. Implementing it requires minimizing the possibility that users could modify data across application functions to which they should not normally have access.

For flexfields and report parameters in Oracle E-Business Suite, values in value sets can affect functionality such as the rollup of accounting data, job grades used at a company, and so on. Controlling access to the creation or modification of value set values can be an important piece of implementing Separation of Duties in an organization.

New Flexfield Value Set Security feature

Flexfield value set security allows system administrators to restrict users from viewing, adding or updating values in specific value sets. Value set security enables role-based separation of duties for key flexfields, descriptive flexfields, and report parameters. For example, you can set up value set security such that certain users can view or insert values for any value set used by the Accounting Flexfield but no other value sets, while other users can view and update values for value sets used for any flexfields in Oracle HRMS. You can also segregate access by Operating Unit as well as by role or responsibility.

Value set security uses a combination of data security and role-based access control in Oracle User Management. Flexfield value set security provides a level of security that is different from the previously-existing and similarly-named features in Oracle E-Business Suite:

  • Function security controls whether a user has access to a specific page or form, as well as what operations the user can do in that screen.
  • Flexfield value security controls what values a user can enter into a flexfield segment or report parameter (by responsibility) during routine data entry in many transaction screens across Oracle E-Business Suite.
  • Flexfield value set security (this feature, new in Release 12.2) controls who can view, insert, or update values for a particular value set (by flexfield, report, or value set) in the Segment Values form (FNDFFMSV).

The effect of flexfield value set security is that a user of the Segment Values form will only be able to view those value sets for which the user has been granted access. Further, the user will be able to insert or update/disable values in that value set if the user has been granted privileges to do so. Flexfield value set security affects independent, dependent, and certain table-validated value sets for flexfields and report parameters.

Initial State of the Feature upon Upgrade

Because this is a new security feature, it is turned on by default.  When you initially install or upgrade to Release 12.2.2, no users are allowed to view, insert or update any value set values (users may even think that their values are missing or invalid because they cannot see the values).  You must explicitly set up access for specific users by enabling appropriate grants and roles for those users.

We recommend using flexfield value set security as part of a comprehensive Separation of Duties strategy. However, if you choose not to implement flexfield value set security upon upgrading to or installing Release 12.2, you can enable backwards compatibility after you upgrade. With backwards compatibility enabled, users can access any value sets if they have access to the Values form.

The feature does not affect day-to-day transactions that use flexfields.  However, you must either set up specific grants and roles or enable backwards compatibility before users can create new values or update or disable existing values.

For more information, see:

Comments:

Dear Sara,
A good way to go, as a consultant I was looking for the best features offered by new up-gradation. You made it clear like daylight. Thanks for your narration and sharing. I believe in future you will continue this kind of write-up for all of us.

Regards
M.Shukarno Bin Shareef
Bangladesh

Posted by guest on March 24, 2014 at 09:43 PM PDT #

I applaud the move because this is a common issue. However, as usual, Oracle does only half its job. Why didn't you develop an easy to use UI like was provided for Definition Access Sets or something similar to Security Rules where there is a define and assign form?

It doesn't matter to us what underlying technology secures the data, we just want it to be easy to use. What you have rolled out isn't easy. Having to derive the Value Set ID and develop a custom role for each job role that needs to maintain Value Sets. Poor, poor design.

Disappointed, but not surprised...

Regards,
Jeffrey T. Hare, CPA CIA CISA
jhare@erpra.net

Posted by Jeffrey T. Hare, CPA CIA CISA on February 04, 2015 at 06:08 PM PST #

Hi Jeffrey,

Yes, flexfield value set security is basically a feature without a user interface. I have to say that I am probably _even_more_ disappointed than you are that that feature has such a "Poor, poor design", since what you see is NOT the intended design. The intended design is actually meant to be user friendly. It would have been easier to document as well (besides working on the design, I also wrote all the documentation for it).

However, as I'm sure you understand, things happen, resources are limited, and priorities change. We had the choice of releasing it as is or yanking the enhancement out of the product altogether, and we decided that the feature could still be useful even if it wasn't easy to use.

We still have plans (and an existing design) to revise the user interface for flexfield value set security at some point. Like any other enhancement, it has to be high enough priority to get in the queue to be implemented.

Here is how you and others can help: We have several mechanisms for deciding enhancement priorities:

-- First, of course, is overall product strategy.
-- We also look at how many customer Service Requests (SRs) are attached to a particular enhancement. For this one, contact Oracle Support and ask for your organization to be added to ER/Bug 18530494 - NEED SETUP WIZARD FOR FLEXFIELD VALUE SET SECURITY FEATURE.
-- We also have a new "social" process on My Oracle Support Communities where customers can make suggestions and others can vote on them.
-- Customer Advisory Board (CAB) members and special interest groups (SIGs) can also provide input. This particular case falls under the User Management (UMX) SIG of OAUG.

All of these apply for any enhancement to Oracle E-Business Suite. Keep in mind that given our release schedules and priorities, it can take multiple years for an enhancement to make it out to released product. Given how long customers typically use Oracle E-Business Suite, though, it still makes sense to put in the request.

Thanks,

Sara

Posted by Sara Woodhull on February 06, 2015 at 02:07 PM PST #

Sara,

Thanks for your time on our call today. It sounds like you have a good sense of where this needs to go. I will be writing up a white paper on this topic and encouraging customers to log an enhancement request. This functionality is pretty usable for now, but a small change to the UI would make it even better.

Regards,
Jeffrey T. Hare, CPA CISA CIA

Posted by guest on February 18, 2015 at 03:36 PM PST #
