6 Replies Latest reply on Dec 16, 2016 4:12 PM by Chris Ortiz - Essilor

    system administrator responsibility

    1008771

      Hi

       

      We are being audited and they have asked: why does the DBA need the system administrator responsibility?

      I responded with, because I need to administer workflow, complete clone steps, and user management.

       

      They dont seem to like the "user management" bit, seeing that as the role of the sys admins and not the DBAs (fair enough).

       

      Is there a way that certain functions from this responsibility can be removed?

      If not, is there a better way for me to justify my having this responsibility?

       

      Thank you.

       

      EBS 12.1.3.

        • 1. Re: system administrator responsibility
          Chris Ortiz - Essilor

          In fact, they are right: nothing justify that you have it

          - Workflow administration could be done by other users and/or responsibility. You can also delegate it ..

          - I cannot see what cloning steps needs system administrator resp

          - User management is better done and more secure by defining profile and rights on UMX

           

          Of course you can still duplicate it and remove "sensitive parts" in the menu...

           

          Regards

          Chris

          • 2. Re: system administrator responsibility
            1008771

            thank you Chris.

             

            I dont want to delegate anything - that is a slippery slope to something I dont want to think about.

            I need to do lots of functional updates following clone.

            Is there a way I can remove the user management function from the responsibility?

            • 3. Re: system administrator responsibility
              mdtaylor

              Auditors will always ask you to do insane things they read from a script like expire and end date HR schema in an EBS instance because HR is one of the sample schemas created by DBCA.

               

              I respond back with the DBA needs full access to Oracle Applications Manager dashboard, troubleshoot failed workflow notifications as SYSADMIN user in Workflow Manager, full access to Concurrent menu to start/stop diagnose issues with concurrent managers and requests.

               

              You can always create a DBA System Administrator responsibility with Security->User->Define excluded.

              • 4. Re: system administrator responsibility
                John_K

                To be fair, it doesn't really matter what responsibilities your DBA has... because they are DBA! They can see whatever they want on the back end database. You could argue their account could be compromised, but then you can also argue they are responsible for setting both the apps password and their own account password too.

                • 5. Re: system administrator responsibility
                  DBA_EBiz_EBS

                  I like mdtaylor's reply above. I would add one more thing - being the Oracle EBusiness Suite DBA - you already have sysdba, APPS, and other schema passwords thereby you have direct access to those tables for adding records anyway. Most likely these Auditors are not experienced with ERP systems especially Oracle EBusiness Suite. For any Oracle EBusiness Suite DBA  menus of System Administrator responsibility are a must. If only 'User Management' (Responsibility key - UMX) is a concern - that is different from >Security>User>Define, then remove 'User Management' responsibility from your login.

                  OR if you want to keep 'User Management' (Resp key UMX), you can create a copy of this responsibility using Functiona Administrator and then query the newly created responsibility go to Menu Exclusions at the bottom of the form, Enter Type> Menu , Name> User Management : Top Level Menu and save. After this allocate the newly created resp to your login.

                   

                  Seriously everytime I come across auditors who dont have experience with Oracle EBusiness Suite, it becomes a training session for auditors and I hope that when these auditors go to next EBusiness installation, they will do a better job.

                  • 6. Re: system administrator responsibility
                    Chris Ortiz - Essilor

                    Well, it's also Oracle fault...

                    I propose that they publish a manual named "Ebusiness suite audit for dummies" ....