Accessing the Oracle Applications Database Without Having a Database Login
Overview
Controlling access to the database is one of the most critical needs of a company and one
of the most critical roles of the database administrator (DBA). There are several back
door ways for an end user or developer to manipulate data in the database without using a
database login. Two in particular will be discussed here: the Utilities: Diagnostics profile
option and forms that allow SQL statements embedded in them.


Control Objective
The objective of this control is to secure the database against changes made without
the use of a database login.

Scope
The scope of this document is the best practices related to the two methods of accessing
the database without the use of a database login.

Utilities: Diagnostics profile option
The profile option Utilities: Diagnostics “determines whether a user can automatically
use the Diagnostics features” (excerpt from the SA User's Guide). If the profile option is
set to No, the user must enter the password for the APPS schema in order to use the
feature. The Diagnostics features allow a user to see and change information in the
database. By setting this profile option to ‘Yes’, the system allows a user to change data
at the database level without being asked for the APPS password. Therefore, they are able
to manipulate the data or corrupt the database without a database login. Let me illustrate
further. Here is the functionality in question:




© 2008 ERPS
If the profile option is set to No, when you make this selection, you receive this box:




The password required for the user to be able to use this feature is the APPS password,
which no end user should have in a production environment; access to it should also be
controlled in non-production environments.




If the profile option is set to Yes, when you make the selection, the following box pops
up:




In this illustration, I have selected the Supplier Sites form and used this feature, which
allows me to update the data in the form. I can change the field being edited by
selecting a different field from the list of values, as follows:




In this case, I have selected the field ADDRESS_LINE1 and the value returned is 12345
Fraudulent Lane. Next, I am going to change this value to 123 Main Street, as
follows:




If I press OK, it commits this change to the database and the data in the form reflects this
as follows:




This functionality also allows me to update columns that aren’t displayed in the form,
such as index fields and record IDs, which could corrupt the database.




Here are examples in this form:




The bottom line is that no database updates should be allowed without going through
change management. Certainly, end users shouldn’t be allowed to commit changes to the
database. This profile option should be set to No in your production environment.
Additionally, depending on the sensitive data throughout the application and the nature of
your instances, you may want to limit such access in non-production environments. Most
auditors would argue that your user-testing environment should be the same as your
production environment and, therefore, this rule would certainly apply to that
environment.

Another alternative to close this loophole is to disable the Diagnostics menu altogether
by setting the profile option “Hide Diagnostics menu entry” to ‘Yes’. This may be a
more secure solution because it removes the opportunity to attack the database by
guessing the password for the APPS account. However, other functions in the
Diagnostics menu would then no longer be available to users.

SQL query for profile option “Utilities: Diagnostics”:
-- the Yes/No setting is stored in profile_option_value ('Y'/'N'); level_id shows
-- where it is set (10001 site, 10002 application, 10003 responsibility, 10004 user)
select v.level_id, v.level_value,
       decode(v.profile_option_value, 'N', 'No', 'Y', 'Yes', '???') as diagnostics
from   fnd_profile_option_values v, fnd_profile_options o
where  o.profile_option_id   = v.profile_option_id
and    o.profile_option_name = 'DIAGNOSTICS';
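The following query is an added example and not part of the original paper. It reports both diagnostics-related profile options at every level at which they are set, resolves the level to a readable name, and flags the values the paper says should not exist in production. It assumes the internal option names DIAGNOSTICS (“Utilities: Diagnostics”) and FND_HIDE_DIAGNOSTICS (“Hide Diagnostics menu entry”) and the standard level ids 10001 to 10004.

```sql
-- Added example (not from the paper): audit the two diagnostics profile options.
-- Assumed internal names: DIAGNOSTICS = "Utilities: Diagnostics",
-- FND_HIDE_DIAGNOSTICS = "Hide Diagnostics menu entry".
select t.user_profile_option_name                       as profile_option,
       decode(v.level_id, 10001, 'Site',
                          10002, 'Application',
                          10003, 'Responsibility',
                          10004, 'User',
                          to_char(v.level_id))          as level_name,
       -- resolve level_value to the application, responsibility or user it names
       decode(v.level_id,
              10001, 'SITE',
              10002, (select a.application_short_name
                      from   fnd_application a
                      where  a.application_id = v.level_value),
              10003, (select r.responsibility_name
                      from   fnd_responsibility_vl r
                      where  r.responsibility_id = v.level_value
                      and    r.application_id    = v.level_value_application_id),
              10004, (select u.user_name
                      from   fnd_user u
                      where  u.user_id = v.level_value),
              to_char(v.level_value))                   as set_for,
       v.profile_option_value                           as value,
       -- findings follow the paper: Diagnostics must be No, the menu should be hidden
       case
         when o.profile_option_name = 'DIAGNOSTICS'
          and v.profile_option_value = 'Y'
           then 'REVIEW: Diagnostics usable without the APPS password'
         when o.profile_option_name = 'FND_HIDE_DIAGNOSTICS'
          and v.profile_option_value = 'N'
           then 'REVIEW: Diagnostics menu entry still visible'
         else 'ok'
       end                                              as finding,
       v.last_update_date
from   fnd_profile_options       o,
       fnd_profile_options_tl    t,
       fnd_profile_option_values v
where  o.profile_option_name in ('DIAGNOSTICS', 'FND_HIDE_DIAGNOSTICS')
and    t.profile_option_name  = o.profile_option_name
and    t.language             = userenv('LANG')
and    v.profile_option_id    = o.profile_option_id
and    v.application_id       = o.application_id
order  by profile_option, v.level_id, set_for;
```

A user-level or responsibility-level row flagged REVIEW overrides a compliant site-level setting for that user or responsibility, so every row matters, not just the site row.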


Forms that allow SQL statements embedded in them
In Metalink document number 189367.1, Oracle outlines in Appendix B forms that allow
SQL statements in them. By allowing SQL statements in them, updates can be made to
the database. The Metalink document gives you the internal form function and form
names. We have provided a cross reference to the User Function Name and application
form name in the file which can be downloaded by signing up for the Oracle Internal
Controls Repository at: http://groups.yahoo.com/group/oracleappsinternalcontrols/. This
information is available in the Files section under the Internal Controls Content folder in
a file called ‘Forms that Allow SQL Statements.xls.’ Examples of such forms are Define
Alerts, Define Concurrent Programs, Define Pricing Formulas, Create QuickPaint
Inquiry, Dynamic Trigger Maintenance and Attribute Mapping. Many of these forms are
contained in Super User type menus like Purchasing Super User and US HR Manager. If
you have used the menus or submenus underlying these responsibilities, end users may
have access to these sensitive forms in Production.

That Metalink document also has scripts that can help identify who has access to such
forms. SQL scripts for this purpose can also be found at
http://groups.yahoo.com/group/OracleSox/ in the Files section under a folder called
SQL_Code. The file is called SQL Scripts.doc.

Since these forms allow SQL statements to be embedded in them, they need to be tightly
controlled. These forms should NOT be granted to anyone in a production environment.
When it is necessary for new development to be registered in Prod, the form would be
granted to the person authorized to make such a change, then revoked when the change
was made.
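As an added example that is neither the paper's nor the Metalink note's script, the query below lists each active user and the active responsibilities whose menu tree reaches one of the forms named above, so that production access to these forms can be reviewed and revoked. It matches on the user function names the paper gives, which are assumed to be the names registered in your instance (the authoritative list is Appendix B of Note 189367.1), and assumes Oracle 10g or later for CONNECT_BY_ROOT and NOCYCLE.

```sql
-- Added example (not from the paper or Note 189367.1): who can reach the forms
-- that allow embedded SQL statements? Function names below are the paper's
-- examples and are assumed to match user_function_name in this instance.
with sensitive_forms as (
  select ff.function_id, ff.user_function_name
  from   fnd_form_functions_vl ff
  where  ff.user_function_name in ('Define Alerts',
                                   'Define Concurrent Programs',
                                   'Define Pricing Formulas',
                                   'Create QuickPaint Inquiry',
                                   'Dynamic Trigger Maintenance',
                                   'Attribute Mapping')
),
reach as (
  -- every function reachable from each responsibility's root menu,
  -- walking submenus recursively (10g+: connect_by_root, nocycle)
  select connect_by_root me.menu_id as root_menu_id,
         me.function_id
  from   fnd_menu_entries me
  where  me.function_id is not null
  start with me.menu_id in (select menu_id from fnd_responsibility)
  connect by nocycle prior me.sub_menu_id = me.menu_id
)
select   u.user_name,
         r.responsibility_name,
         sf.user_function_name,
         urg.start_date as assigned_from
from     fnd_user              u,
         fnd_user_resp_groups  urg,
         fnd_responsibility_vl r,
         reach,
         sensitive_forms       sf
where    urg.user_id                       = u.user_id
and      urg.responsibility_id             = r.responsibility_id
and      urg.responsibility_application_id = r.application_id
and      reach.root_menu_id                = r.menu_id
and      reach.function_id                 = sf.function_id
-- only currently active users, assignments and responsibilities
and      nvl(u.end_date,   sysdate + 1) > sysdate
and      nvl(urg.end_date, sysdate + 1) > sysdate
and      nvl(r.end_date,   sysdate + 1) > sysdate
-- honour function-level exclusions on the responsibility; menu-level
-- exclusions (rule_type 'M') are not applied, so the report may over-state
-- access for a responsibility but will not miss any
and      not exists (select 1
                     from   fnd_resp_functions rf
                     where  rf.responsibility_id = r.responsibility_id
                     and    rf.application_id    = r.application_id
                     and    rf.rule_type         = 'F'
                     and    rf.action_id         = sf.function_id)
order by u.user_name, r.responsibility_name, sf.user_function_name;
```

In production the expected result is no rows; any row returned should be matched against an approved change request or have the responsibility revoked.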

Auditing changes to these forms
In order to have a proper audit trail for your change management process and to audit the
changes to these forms, you should develop an advanced audit trail on these forms. This
can be done via the advanced audit trail enabled through the System Administrator
responsibility by setting the profile option “AuditTrail:Activate” to ‘Yes’ and then
enabling such an audit for the underlying tables (see Metalink Note 189367.1 for the list
of table names) or by using one of many third party products in the market (contact the
author for a list of these companies).

Caveats
This white paper does not take into account the following:
   1. Issues of viewing, inserting, or updating existing records at the database level.
       Database access controls are outside the scope of this document.
   2. Mitigating or compensating controls that are not mentioned in this paper.
   3. The possibility of collusion between two or more parties.

You should also recognize the importance of discussing any controls you design and
implement with your company’s senior management, including your signing officers, and
legal representation as well as your external auditors.

Comments and feedback regarding this paper should be addressed to the author at
jhare@erpseminars.com or by completing and forwarding a reviewer feedback form that
can be downloaded at http://oubpb.com/OUBPBWPReviewerFeedback.pdf.




About the Author
Jeffrey T. Hare, CPA is one of the world’s leading experts on the development of internal
controls in an Oracle Applications environment. Jeff founded ERP Seminars and the
Oracle Users Best Practices Board and is leading the efforts for the development of a
public domain internal controls repository. See a full bio for Jeff at
http://www.erpseminars.com/providers.html.

Version Control
Version    Updated by    Date         Comments
1.0        Jeff Hare     23-Aug-06    Initial release to IC Repository group and for public review
1.1        Jeff Hare     20-Sep-06    Minor updates for reviewer comments. Added profile option “Hide Diagnostics menu entry”
1.2        Jeff Hare     26-Sep-06    Added SQL query for “Utilities: Diagnostics” profile option



