Oracle R12 EBusiness Suite Role Based Access Contr
Sajid Rahim
Department of Computer Science/Software Engineering
McMaster University
Hamilton, Ontario, Canada
Abstract—Oracle E-Business Suite R12 is a widely used ERP solution that provides an integrated view of information across multiple functions and sources. It allows for simplified business process tools for a Shared Service model, e.g. Centralized Operation, where multiple operating units can be supported. Security considerations are vital for such operations in large enterprises. R12 introduced Role Based Access Control security based on the ANSI RBAC standard. The R12 RBAC implementation is challenged by the lack of a Roles Lifecycle Management (RLM) process, which also contributes to challenges such as Segregation of Duties (SOD) and controlling access to PII for multi-country operation for common functional areas. The paper will propose a possible Roles Lifecycle Management process.

Keywords—RBAC; Oracle; EBS; Roles Lifecycle Management; RLM

RLM is essential for improved security controls for access and Segregation of Duties (SOD), which assist with audit and control compliance. Role based access control is not a one-time project, as roles are dynamic and must evolve as the business changes. Effective role management requires a continuous process for monitoring and managing.

The paper is motivated by proposing a Roles Lifecycle Management process which can be used for effective controls and audits for R12 EBS, a must-have in order to assist with providing insights into which user has access to what.

II. BACKGROUND
A. Roles and Definition
B. Proposed Methodology
D. 2. Role Engineering
The Verify Roles process will be conducted jointly with the business user; it will review that the Roles derived, memberships, permissions and user groups are valid. Any changes will be iterated back through the Design Role process, prototyped and reviewed thereafter until accepted by the Design Signoff process, which will catalogue an affirmative Role Concept Model that is tuned and tagged with Permission selections and candidate user selection lists. The Analysis Catalogue will be updated with these findings. This collaboration is vital as it establishes a common language and introduces the data model to business users.

During the Design Role process, it is imperative to recognise that two main categories of roles are present. Roles that are conferred

Role Management will comprise two processes which work closely hand in hand: Role Deployment and Role Administration (Fig 13). Role Deployment will focus on implementing/deploying the Roles into the R12 EBS Production/Test Environment as defined and signed off in the Roles Concept Models from the Roles Engineering phase. These implemented roles are stored within the application metadata and noted as the Roles Catalogue. Once deployed, administering changes to deployed roles within the context of the Roles Catalogue and Roles Concept Model, as well as user administration, becomes the domain of the Role Administration process.

Fig 13. Role Management sub-processes.

Role Deployment, illustrated in Fig 14, is the implementation of the Role Concept Model into role templates that are created as custom Roles with additional permissions and security rules using a custom Wizard application which can be integrated with the R12 EBS application; this new data is identified as the Roles Catalogue. Users and user groups are assigned the appropriate roles from this Roles Catalogue. The metadata is then ready for transfer and deployment using the standard Oracle EBS FNDLOAD utility, first to the R12 EBS Test Environment for validation, prior to repeating the process for the R12 EBS Production Environment.

As noted before, the focus of Role Administration will be on designed roles that were catalogued from the design phase and deployed. Some of the activities will be:

Role Administration itself, as defined, can be well supported by a periodic role check which can be partially automated; business changes affecting role definition can be preprocessed in order to identify the change which will affect the catalogued roles.

The above activities are all within the given constraint of an existing designed role. Any change related to an existing catalogued role will be handled in this area. This work is solely the domain of designated Roles administrators with the Functional Administrator role.
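The partially automated periodic role check described under Role Administration could look like the following sketch. It is an added example, not code from the paper or from Oracle EBS: the function name, role names, permission strings and user names are all constructed, and the Role Concept Model and Roles Catalogue are assumed to be exported as simple role-to-permission mappings.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str     # "drift", "uncatalogued" or "sod"
    subject: str  # the role or user the finding concerns
    detail: str

def periodic_role_check(concept_model, catalogue, assignments, sod_rules):
    # concept_model / catalogue: role name -> set of permissions
    # assignments: user -> set of role names
    # sod_rules: (perm_a, perm_b) pairs one user must not hold together
    findings = []
    # 1. Drift: a deployed role differs from the signed-off Role Concept Model.
    for role, deployed in sorted(catalogue.items()):
        designed = concept_model.get(role)
        if designed is None:
            findings.append(Finding("drift", role, "deployed but never signed off"))
            continue
        extra, missing = deployed - designed, designed - deployed
        if extra or missing:
            findings.append(Finding(
                "drift", role, f"extra={sorted(extra)} missing={sorted(missing)}"))
    for user, roles in sorted(assignments.items()):
        # 2. Assignments that reference roles outside the Roles Catalogue.
        for role in sorted(roles - set(catalogue)):
            findings.append(Finding("uncatalogued", user, role))
        # 3. SOD is evaluated on the union of permissions over all of a
        #    user's roles, because conflicts usually span two roles.
        effective = set().union(*(catalogue.get(r, set()) for r in roles))
        for a, b in sod_rules:
            if a in effective and b in effective:
                findings.append(Finding("sod", user, f"{a} + {b}"))
    return findings

# Constructed sample data (hypothetical roles, permissions and users).
CONCEPT_MODEL = {
    "AP_INVOICE_CLERK": {"invoice.enter", "invoice.view"},
    "AP_PAYMENT_MANAGER": {"payment.approve", "invoice.view"},
}
CATALOGUE = {  # deployed state: the clerk role has gained a permission
    "AP_INVOICE_CLERK": {"invoice.enter", "invoice.view", "supplier.create"},
    "AP_PAYMENT_MANAGER": {"payment.approve", "invoice.view"},
}
ASSIGNMENTS = {
    "asmith": {"AP_INVOICE_CLERK", "AP_PAYMENT_MANAGER"},
    "bjones": {"AP_INVOICE_CLERK", "GL_SUPERUSER"},
}
SOD_RULES = [("invoice.enter", "payment.approve")]

if __name__ == "__main__":
    for f in periodic_role_check(CONCEPT_MODEL, CATALOGUE, ASSIGNMENTS, SOD_RULES):
        print(f"{f.kind:13} {f.subject:18} {f.detail}")
```

Each finding maps to an administration activity: drift goes back to the design signoff, an uncatalogued assignment is revoked or catalogued, and an SOD conflict is resolved by changing the user's role set.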
D. 4. Roles Maintenance