This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than for end-users.
Authorization rules for web services are relatively easy to configure in that all web services are defined as functions. The Oracle E-Business Suite's function security scheme and rules engine apply the same to GUI forms as for web services. In other words, the table APPLSYS.FND_FORM_FUNCTIONS defines all the forms that users use as well as defines all web services deployed. Menus then are built referencing these functions and Oracle E-Business Suite user accounts (APPLSYS.FND_USER) are given responsibilities with the menus of functions. These user accounts can be staff members or can be generic accounts (e.g. to support specific web services). Ensuring that appropriate users and responsibilities can call and use specific web services is the same critical step as ensuring that only appropriate users can use specific forms.
There are two authentication options for web services, local FND_USER passwords and tokens. Tokens can be SAML send vouchers/E-Business Suite Session Ids). Whichever is used, ensure that accounts are not inappropriately over privileged and the passwords and tokens not widely known and/or shared.
If you have any questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP, CCSP, CCSK
- Oracle E-Business Suite Mobile and Web Services Security - Integrigy Whitepaper
- Oracle E-Business Suite Mobile and Web Services Security - Integrigy Webinar
- Oracle E-Business Suite Release 12.2 Configuration in a DMZ (Note 1375670.1)