Oracle EBS access controls quick win: proving that users haven’t used their assigned access

Getting user access controls right in Oracle E-Business Suite isn’t easy. Even if you’ve undertaken a piece of work to identify what each Oracle Responsibility can do (which is almost impossible to do manually) and you’ve then identified which of these have high-risk or ‘toxic’ combinations of privileges, actually getting business management sign-off to take these away from individual users can feel like a lot of effort. Few users will voluntarily give up their privileges, even if they seem excessive – “we definitely need those Responsibilities for our normal work”.


An approach I’ve taken with a couple of my recent clients to address this challenge (we’d already identified the high risk/toxic Responsibilities and their users, through the use of SRS Access Analytics – segregation of duties) was to run the default concurrent request ‘Signon Audit Responsibilities’, for a selection of high risk Responsibilities that we thought were less likely to be used.


This concurrent request is part of the default System Administrator request group. It shows you all the users that have opened the Responsibility, along with the start and end times. Whilst I’d agree that there are a few challenges (the profile option ‘SIGNONAUDIT:LEVEL’ needs to be set to Form or Responsibility [which it is by default], the end time is unreliable, the data only goes back as far as the Concurrent Manager retains it, and it doesn’t show you what any user actually did in the Responsibility), what the report does allow you to say is:


Anybody who isn’t listed on the report hasn’t used the Responsibility


That can be a pretty powerful fact to present back to users – most organisations require individuals to have the minimum privileges required for their job roles, and if they haven’t used a high-risk privilege in (say) 3 months, it’s difficult to argue that this access is still required. In all likelihood, if it hasn’t been used in three months, the users probably won’t notice the privilege disappearing anyway!
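To show how the “not on the report means not used” argument can be turned into a review list, here is an added example (not from the original post, and not an Oracle-supplied script). It assumes the report has been copied out as rows of user name, responsibility and start time, that the user/responsibility assignments are available separately, and it uses hypothetical user and responsibility names; it applies the caveats above by ignoring the unreliable end time and by only claiming non-use back to the oldest record the Concurrent Manager still holds.

```python
from datetime import datetime, timedelta

# Constructed sample rows as copied from the 'Signon Audit Responsibilities'
# report: (user name, responsibility, start time). Column layout is an assumption.
AUDIT_ROWS = [
    ("JSMITH", "Payables Manager", "2024-03-02 09:14"),
    ("JSMITH", "Payables Manager", "2024-04-18 11:02"),
    ("ABROWN", "Payables Manager", "2024-01-20 08:40"),
    ("KLEE", "System Administrator", "2024-04-01 10:00"),
]

# Constructed assignment list (hypothetical users -> responsibilities they hold).
ASSIGNMENTS = {
    "JSMITH": {"Payables Manager"},
    "ABROWN": {"Payables Manager", "System Administrator"},
    "CNG": {"Payables Manager"},
    "KLEE": {"System Administrator"},
}


def unused_access(assignments, audit_rows, review_end, lookback_days=90):
    """Return {(user, responsibility): proven_unused_since} for assigned access
    with no recorded logon inside the review window (review_end is 'YYYY-MM-DD').

    Only the start time is used, because the report's end time is unreliable.
    The 'proven since' date is capped at the oldest retained record: the report
    cannot prove non-use before the point where the Concurrent Manager purged data.
    """
    if not audit_rows:
        # An empty report proves nothing: SIGNONAUDIT:LEVEL may be set to None.
        raise ValueError("empty report: confirm SIGNONAUDIT:LEVEL is Form or Responsibility")
    end = datetime.strptime(review_end, "%Y-%m-%d")
    window_start = end - timedelta(days=lookback_days)
    used, earliest = set(), None
    for user, resp, start in audit_rows:
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M")
        if earliest is None or ts < earliest:
            earliest = ts
        if window_start <= ts <= end:
            used.add((user, resp))
    proven_since = max(window_start, earliest).strftime("%Y-%m-%d")
    return {(u, r): proven_since
            for u, resps in sorted(assignments.items())
            for r in sorted(resps) if (u, r) not in used}


if __name__ == "__main__":
    for (user, resp), since in unused_access(ASSIGNMENTS, AUDIT_ROWS, "2024-04-30").items():
        print(f"{user:8} {resp:22} no recorded use since {since}")
```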


Using this approach can be a quick way to help your role remediation and clean-up exercise. I’d love to have a conversation about how I help other organisations address this tricky challenge and how I might help you and your organisation.