Wednesday, June 10, 2009

Oracle Applications Security and Sign-on

Overview of Oracle Applications Security

As APPS DBA, you define Oracle Applications users and assign one or more responsibilities to each user.


File System

APPL_TOP, COMMON_TOP, ORACLE_HOME and iAS_Home should be writable ONLY by the applications DBA or System Administrators. $APPL_TOP/admin should be readable and writable only by the applications DBA or System Administrator; no one else should even be able to read $APPL_TOP/admin, because all adpatch log files are stored in this directory and an adpatch log file includes the SYSTEM and APPS passwords.
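
The file-system rules above can be checked with a short script. This is an added example, not part of the original post, and its function names are made up for illustration. It assumes the applications DBA is the single owning OS account (so any group or other permission bit counts as a finding) and that the environment file has been sourced; the iAS home can be passed as an extra argument.

```shell
#!/bin/sh
# Added example: audit the file-system rules described in this section.
# Assumption: one owning OS account for the applications DBA, so every
# group/other permission bit is reported as a finding.

# Files and directories under $1 that group or other can write to.
writable_by_non_owner() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Files and directories under $1 that group or other can access in any way.
accessible_by_non_owner() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# audit_apps_fs ADMIN_DIR TOP_DIR...
# Prints findings; returns 0 when clean and 1 when anything was found.
audit_apps_fs() {
    admin_dir=$1; shift
    rc=0
    out=$(accessible_by_non_owner "$admin_dir")
    if [ -n "$out" ]; then
        printf 'Accessible by non-owner (adpatch logs live here):\n%s\n' "$out"
        rc=1
    fi
    for top in "$@"; do
        [ -n "$top" ] || continue          # skip variables that are not set
        out=$(writable_by_non_owner "$top")
        if [ -n "$out" ]; then
            printf 'Writable by non-owner under %s:\n%s\n' "$top" "$out"
            rc=1
        fi
    done
    return "$rc"
}

# Run against the live environment only when it has been sourced.
if [ -n "${APPL_TOP:-}" ]; then
    audit_apps_fs "$APPL_TOP/admin" "$APPL_TOP" "${COMMON_TOP:-}" "${ORACLE_HOME:-}"
fi
```

Run it as the owning account so that find can descend into every directory; an empty result with exit status 0 means the trees match the rules above.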


Responsibilities define Application Privileges

A responsibility is a level of authority in Oracle Applications that lets users access only those Oracle Applications functions and data appropriate to their roles in an organization. Each responsibility allows access to:

* A specific application or applications, such as GL.
* A set of books, such as U.S. Operations or German Sales.
* A restricted list of windows that a user can navigate to.
* A restricted list of functions a user can perform.
* Reports in a specific application.

Each user has one or more responsibilities, and several users can share the same responsibility. An APPS DBA can assign users any of the standard responsibilities provided with Oracle Applications, or create new custom responsibilities.


Defining Application Users

You allow a new user to sign on to Oracle Applications by defining an application user. An application user has a username and a password. You define an initial password; then, the first time the application user signs on, they must enter a new (secret) password.

When you define an application user, you assign to the user one or more responsibilities. If you assign only one responsibility, the user, after signing on, immediately enters an application.

If you assign two or more responsibilities, the user, after signing on, sees a window listing available responsibilities.


DBC File

A DBC (Database Connection) file is a text file which stores all the information required to connect to a particular database. It allows a user or administrator to easily load groups of environment variable settings. At a minimum, it contains the values of GWYUID, FNDNAM, TWO_TASK and GUEST_USER_PWD.

How to close the environment or change the passwords of APPS, APPLSYS, SYSADMIN and other product users

The utility FNDCPASS (FNDChangePASSword) allows you to maintain passwords from the command line for all three classes of Apps users:


* apps system level users (applsys and apps)


* apps oracle level users (apps users with corresponding db accounts like psb, gms, etc).


* regular apps user accounts - FND users (opsauser, guest, user, sysadmin, etc.)


For maintaining user passwords, this is a great alternative to running the Forms interface, which has more dependencies (web listener, forms listener, JInitiator, etc.).

All you need for FNDCPASS is a telnet session with the appropriate environment settings.

The syntax for FNDCPASS is:

FNDCPASS apps/<apps_passwd> 0 Y system/<system_passwd> <user_class> <user_name> <new_passwd>


where <user_class> is either system, oracle or user.

Again, the environment must be set before using FNDCPASS to maintain passwords for users within that environment.


How to define the FND users

Create the FND users (navigate to Security > User > Define from the System Administrator responsibility).


You can also change the password for FND users from the same screen.

