Anda di halaman 1dari 22

The following is intended to outline our general product direction.

It is intended
for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.

1 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Agenda

• What is Auditing?
• Security Audit in Fusion Applications
• Audit Framework
• Audit Configuration
• Viewing Audit History
• Fusion Business Objects
• Additional Information

2 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Terminology
• Security Audit
– Manual or automated technical assessment of a system or application. It is a
systematic evaluation of the security of a company’s information system by
measuring how well it conforms to a set of established criteria.
• OPSS
– Oracle Platform Security Services is the underlying security platform that provides
security to FMW including WLS, SOA, WebCenter, ADF, OES, etc.

3 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Trail – Objectives

Satisfying Compliance Scalable and Secure


Regulations
• Fusion Security
• Compliance with SOX, PCI, HIPAA
• Other industry standards

Extensible
Mitigating Security Risks
• Custom Objects
• Who did What to Which data When • Extended Attributes
• Includes all create, update, delete operations
Seamlessly Integrated with Fusion
Applications
Ease of Use and Setup • Flexible infrastructure for auditing any Fusion
object
• Minimal configuration • Reporting available for inclusion in page

4 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


What to Audit?
• Basic Premise – WHO has changed WHAT and WHEN
• Goal is to be able to audit anything in fusion applications alongwith
the middleware components
– System configuration changes
– Security Access changes
– Business data changed by an end user
• Customers decide on what needs to be audited
– ‘WHO’ changed the approval rule from 2 levels to auto-approve
– ‘WHEN’ did ‘X’ promote ‘Y’ from ‘Job A’ to ‘Job B’
– ‘WHAT’ entitlements are granted to / revoked from a specific user and by ‘WHOM’
and ‘WHEN’
– Page X is customized by User ‘Y’ on Date ‘n’

5 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Framework
• Fusion Auditing starts with a combination of different technologies both
for capture as well as reporting aspects.
• Capture
– Fusion Applications – The transactional data is captured using the “shadow”
approach. Here for every table being audited, there will be a shadow table to
capture the changes.
– Fusion Middleware – Based on OPSS framework, audit data is captured by
events raised during applications processing. For instance, a failed login will
have an event that records the user, time and that it was a failed attempt.

6 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Framework (Contd…)
• Reporting (also called Audit History)
– Fusion Applications and Middleware show their history merged together in
our Fusion Applications Reporting UI

7 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Framework (Contd…)
• Fusion Application Audit
– Fusion Application Business Objects

• Fusion Middleware Audit


– Oracle SOA Suite
• SOA Metadata Customizations
– Pages and Business Objects Extensibility
• Extensibility changes via composers to pages and business objects
– BI Publisher
• User sessions, Report requests, Report executions
– ESS
• ESS Metadata changes, ESS requests, Admin operations to ESS request processor and dispatcher
– ODI
• Metadata changes in ODI

8 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Framework (Contd…)
• Fusion Middleware Audit
– MDS
• Metadata changes like sandbox publish, import
– OPSS
• Security Authorization, User Authentication and assertion, credential store and key store services

• Audit Vault
– Anything not enabled for Auditing using the above, these can be audited at the table level using, Audit
Vault, a separate Oracle product (separate install)

9 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Configuration
• Setup UI Manage Audit Policies – Launched from Functional Setup
Manager.
• Application Administrator (Job Role)
• Audit Management Duty (Duty Role)
• Manage Audit Policies (Task)
• Choose the application and then pick the objects and attributes to be
audited. Objects are shown in a tree hierarchy.
• There is a master switch to turn on all VOs for auditing. Or can turn
off at the VO level.

10 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Config (Contd…)

On/Off toggle
For Fusion
Applications

High/Med/Low
Levels for FMW

11 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Config (Contd…)

12 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit Config (Contd…)
• Additional Attributes (Flex Fields) – Flex Fields can be audited
by selecting the checkbox
• Actions > Synchronize - Attributes of objects that are being
audited are tracked. On a patch or update, or if attributes have
been added, they must be tracked if they are meant to be included
in the audit.

13 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit History

• Search by date (can be a date range) AND specify the User OR Product
• Can further filter by:
• Event Type (create, update, delete, or FMW event)
• Business Object (of the Product)
• Description (this allows search by a specific instance)
• Show Attribute Details – shows the attribute that changed with old/new values
• Show Extended Object ID – shows context columns that help identify the exact
object. Usually used when there is multi part primary keys .

14 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit History (Contd…)
• Allows to report on all business object within the same product.
• Allows to report on business objects and specific operations (insert,
update and delete) over periods of time.
• Allows to report on what a specific user did over a period of time.
• Allows to report and show parent / child relationship within business
objects.
• Additional search capabilities to filter on results as well as saved
search capability to retrieve audit history.

15 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit History (Contd...)
• Audit History is launched from the Navigator menu
• Internal Auditor (Job Role)
• Audit Reporting Duty (Duty Role)
• View Audit History (Task)

• Data security is always enforced, so user must be granted data access to


all objects to see audit history of all objects.
• Reports use lookup codes and foreign keys for better descriptions.
• Reports will show the latest lookup values.

16 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit History – Sample Output

17 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Auditing – Some Technical details
• For every entity being audited in Fusion Applications, a shadow table is
created for each underlying base table to capture the change data.
• Fusion Middleware uses event payloads which are recorded in a central
audit table
• Only changes are recorded in the audit table, though date effectivity inserts
a full new record in the base table.
• Deleted records will remain in the shadow tables, though removed from the
base tables
• All flexfield types (DFFs, KFFs and EFFs) are supported.
• Support for audit outside ADFbc
– ODI Support & PL/SQL Support

18 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Audit – Fusion Business Objects
Team Business Object
Fin Bank Account, Payment Document, Payable System Options, Payment System,
Bank Account Payment Document, Receivables System Options, Customer
HCM Person, Person Documentation, Worker Employment, Organization, Job, Position,
Grade, Location
PRC Supplier
SCM Receiving Parameter
PRJ Key Performance Indicator
CRM Customer, Contact, Partner, Opportunity, Lead, Account, Resource Profiles

19 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Additional Information
• Technical Overview of Audit Trail
– http://oukc.oracle.com/static12/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1370767594
• Auditing in Fusion Applications
– http://oukc.oracle.com/static12/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1379372395
• Security Audit and Reporting in Fusion Applications
– http://oukc.oracle.com/static12/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1414145167
• Functional Architecture Blog
– https://blogs.oracle.com/FunctionalArchitecture/

20 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


21 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
22 Copyright © 2014, Oracle and/or its affiliates. All rights reserved.