In fact, they are right: nothing justify that you have it
- Workflow administration could be done by other users and/or responsibility. You can also delegate it ..
- I cannot see what cloning steps needs system administrator resp
- User management is better done and more secure by defining profile and rights on UMX
Of course you can still duplicate it and remove "sensitive parts" in the menu...
thank you Chris.
I dont want to delegate anything - that is a slippery slope to something I dont want to think about.
I need to do lots of functional updates following clone.
Is there a way I can remove the user management function from the responsibility?
Auditors will always ask you to do insane things they read from a script like expire and end date HR schema in an EBS instance because HR is one of the sample schemas created by DBCA.
I respond back with the DBA needs full access to Oracle Applications Manager dashboard, troubleshoot failed workflow notifications as SYSADMIN user in Workflow Manager, full access to Concurrent menu to start/stop diagnose issues with concurrent managers and requests.
You can always create a DBA System Administrator responsibility with Security->User->Define excluded.
To be fair, it doesn't really matter what responsibilities your DBA has... because they are DBA! They can see whatever they want on the back end database. You could argue their account could be compromised, but then you can also argue they are responsible for setting both the apps password and their own account password too.
I like mdtaylor's reply above. I would add one more thing - being the Oracle EBusiness Suite DBA - you already have sysdba, APPS, and other schema passwords thereby you have direct access to those tables for adding records anyway. Most likely these Auditors are not experienced with ERP systems especially Oracle EBusiness Suite. For any Oracle EBusiness Suite DBA menus of System Administrator responsibility are a must. If only 'User Management' (Responsibility key - UMX) is a concern - that is different from >Security>User>Define, then remove 'User Management' responsibility from your login.
OR if you want to keep 'User Management' (Resp key UMX), you can create a copy of this responsibility using Functiona Administrator and then query the newly created responsibility go to Menu Exclusions at the bottom of the form, Enter Type> Menu , Name> User Management : Top Level Menu and save. After this allocate the newly created resp to your login.
Seriously everytime I come across auditors who dont have experience with Oracle EBusiness Suite, it becomes a training session for auditors and I hope that when these auditors go to next EBusiness installation, they will do a better job.
Well, it's also Oracle fault...
I propose that they publish a manual named "Ebusiness suite audit for dummies" ....