Oracle E-Business Suite 12.0.6 - Security Enhancements
The Oracle E-Business Suite R12 Release Update Pack (RUP6 or 12.0.6) was released on November 7, 2008. This is the latest cumulative update patch for all product families including Applications Technology (ATG). The patch is 2GB in size and can be applied on top of any R12 version. The only prerequisite step is to apply R12.AD.A.DELTA.6 (7305220). See Metalink Note ID 743368.1 for more information.
From a security perspective, the 12.0.6 RUP patch includes the following security-related changes and enhancements.
Cumulative Oracle Critical Patch Updates for Oracle E-Business Suite R12
12.0.6 is cumulative and includes the October 2008 Critical Patch Update (CPU) and all previous CPU patches for R12. However, most organizations should look to apply the CPU patches using the standalone CPU patch rather than with 12.0.6, as the RUP patch will take much longer to functionally test.
Record History for OA Framework Pages
Just as with Forms, OA Framework pages can now display who created or last updated a record and when. It is important to note that, as with Forms, this information covers only the creation and the last update; no history of changes between the two is saved. The new profile option "FND: Record History Enabled" controls access to this feature.
AutoConfig Support for 11g Access Control Lists
For customers running R12 with 11g, AutoConfig has been enhanced to support the new fine-grained access control for the UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR packages. This will eliminate access to these packages from accounts such as APPLSYSPUB.
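One way to check the result after AutoConfig has run, as an added example that is not from Oracle or the patch documentation: the queries below use the standard 11g dictionary views DBA_NETWORK_ACLS, DBA_NETWORK_ACL_PRIVILEGES and DBA_TAB_PRIVS. The REVIEW flags for PUBLIC, APPLSYSPUB and wildcard hosts are this example's own assumptions about what deserves a second look.

```sql
-- Added audit example; run as a DBA on the 11g database behind the R12 instance.

-- 1) Network ACL assignments: which principal may connect/resolve,
--    and to which host and port range.
SELECT a.host,
       a.lower_port,
       a.upper_port,
       p.principal,
       p.privilege,          -- 'connect' or 'resolve'
       p.is_grant,           -- 'true' = allowed, 'false' = explicitly denied
       CASE
         -- Assumption: shared or public accounts should hold no network grant
         WHEN p.is_grant = 'true'
              AND p.principal IN ('PUBLIC', 'APPLSYSPUB')
           THEN 'REVIEW: public account has network access'
         -- Assumption: a grant on every host is broader than needed
         WHEN p.is_grant = 'true' AND a.host = '*'
           THEN 'REVIEW: wildcard host'
         ELSE 'ok'
       END AS finding
FROM   dba_network_acls a
JOIN   dba_network_acl_privileges p
       ON p.acl = a.acl
ORDER  BY p.principal, a.host, a.lower_port;

-- 2) EXECUTE grants on the network packages named above.
--    EXECUTE shows who can call the package; the ACL in query 1
--    decides whether the network call itself is permitted.
SELECT grantee,
       table_name AS package_name,
       privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('UTL_TCP', 'UTL_SMTP', 'UTL_MAIL',
                      'UTL_HTTP', 'UTL_INADDR')
AND    privilege = 'EXECUTE'
ORDER  BY table_name, grantee;
```

An empty result from the first query means no ACL is assigned, in which case 11g denies network access from these packages to all non-SYS users.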
Oracle E-Business Suite Diagnostics Role Based Access Control (RBAC)
The Diagnostics feature has been rewritten to fully utilize RBAC. This will allow for the diagnostics security to be much more granular. A secondary change is that the test sensitivity level can be set at the test level instead of the group level. These changes are most useful for customers that allow end-users and super-users access to the Diagnostic tests. After applying 12.0.6, the functionality and security of Diagnostics should be reviewed to determine if the level of access to the tests is appropriate and the new roles "Diagnostics Super User", "Application Super User", and "Application End User" are assigned appropriately.