AZN Menus Pose Big Risks in EBS – And What to Do About It

in Oracle E-Business Suite by Jeff Hare

AZN Menus Background

AZN menus were introduced by Oracle around 11.5.3 to help provide a more rapid implementation for the SMB segment. They provide users with a graphical depiction of a process flow and the ability to access the functions directly from the graphical navigation.

When an AZN menu is contained in a menu, the Processes tab appears on the Navigator as follows:

AZN Menu Processes Tab

When a user clicks on the Processes tab they see this:

AZN Menu Processes Tab 2

If they click on one of the icons, it launches the form. For example:

AZN Menu Procure to Pay Icon

When I click on the Pay Supplier icon, it takes me to this form:

AZN Menu Pay Supplier Icon

The AZN menus provide another way for a user to navigate to certain functions. Here is the menu associated with the above Responsibility:

AZN Menu Optional Navigation to Pay Supplier

The AZN_PR_PAYABLES menu is a ‘hidden’ menu in that it has no prompt. However, it is what ‘triggers’ the system to display the Processes tab that we illustrated earlier.

Here is the AZN_PR_PAYABLES menu:

AZN PR Payables Menu

Here is the menu extracted so you can see the details of the functions provided:

AZN PR Payments Menu Extracted

This submenu contains most of the functions necessary to process all transactions within the Accounts Payable department. Generally, a user who has this many significant functions violates various segregation of duties rules.

Here are some screen shots of other AZN menus:

Example AZN Menus 2

Example AZN Menus 1

Here is a list of Known AZN Menus from a 12.1.2 environment:

  • AZN_CASH_FORECASTING,
  • AZN_EDR_ERES_PROCESS,
  • AZN_EXPENSE_CYCLE,
  • AZN_MAIN,
  • AZN_PJM_PRJ_DEF,
  • AZN_PR_ASSET,
  • AZN_PR_ATO,
  • AZN_PR_CLASSIFY_TO_COUNT,
  • AZN_PR_GL,
  • AZN_PR_GL_G,
  • AZN_PR_GMD,
  • AZN_PR_GML,
  • AZN_PR_INTERNAL_REQUISITION,
  • AZN_PR_INVENTORY,
  • AZN_PR_MAIN,
  • AZN_PR_OE,
  • AZN_PR_ORDER_FULFILLMENT,
  • AZN_PR_PAYABLES,
  • AZN_PR_PAYABLES_G,
  • AZN_PR_PHYSICAL_INVENTORY,
  • AZN_PR_PROCUREMENT,
  • AZN_PR_PROPERTY_MANAGER,
  • AZN_PR_RECEIVABLES,
  • AZN_PR_RECEIVABLES_G,
  • AZN_REVENUE_CYCLE

AZN Menu Risks and Recommendations

Based on our experience, more often than not, users aren’t aware of the Processes tab. The fact that it just ‘magically’ appeared is part of what we refer to as upgrade risk. Upgrade risk occurs because patches add new functions and submenus to users’ access. This happens when standard menus and standard sub-menus are used to build security, which is the case in about 99% of all E-Business Suite implementations. Most system integrators use this approach to developing security:

SI Approach to Developing Security

Instead of using the standard Payables Manager responsibility, they will set up a custom responsibility, ABC Co Payables Manager, but use the same top-level menu, “AP_NAVIGATE_GUI12.” This leaves companies exposed to upgrade risk, and AZN menus are a symptom of the underlying cause.

Where this is the case, we recommend a two-stage process.

The Fix: Phase 1

For every responsibility, check whether one or more AZN menus are contained within it. You can easily do this as follows:

Two-Stage Process - Step 1

Change the exclusion type to Menu, type %AZN% in the name field as shown above, and press the tab key to search for menus whose name contains AZN. Here are the results for this menu:

Two-Stage Process - Step 2

However, for other responsibilities, such as Application Developer, which has the AZN_MAIN menu, you will receive a lot more results:

Two-Stage Process - Stage 1 Step 3

Exclude all AZN menus.
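
The same Phase 1 check can be run across every responsibility at once from the database rather than one form at a time. The query below is an added example, not part of the original article; it assumes read access to the standard FND tables (FND_RESPONSIBILITY_VL, FND_MENUS, FND_MENU_ENTRIES, FND_RESP_FUNCTIONS) in the APPS schema.

```sql
-- Added example (not from the original article).
-- Lists each active responsibility whose menu tree still exposes an AZN
-- menu, i.e. the AZN menu has no menu exclusion on that responsibility.
-- Limitation: an AZN menu that sits under a parent submenu which is itself
-- excluded is still reported, so review those rows by hand.
SELECT DISTINCT
       r.responsibility_name,
       tm.menu_name  AS top_level_menu,
       azn.menu_name AS azn_menu
FROM   fnd_responsibility_vl r
JOIN   fnd_menus tm
       ON tm.menu_id = r.menu_id
JOIN   (
         -- Walk every responsibility's menu tree from the top-level menu
         -- down through all nested submenus.
         SELECT CONNECT_BY_ROOT me.menu_id AS root_menu_id,
                me.sub_menu_id
         FROM   fnd_menu_entries me
         WHERE  me.sub_menu_id IS NOT NULL
         START WITH me.menu_id IN (SELECT menu_id FROM fnd_responsibility_vl)
         CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
       ) tree
       ON tree.root_menu_id = r.menu_id
JOIN   fnd_menus azn
       ON azn.menu_id = tree.sub_menu_id
WHERE  azn.menu_name LIKE '%AZN%'
AND    NVL(r.end_date, SYSDATE + 1) > SYSDATE      -- active responsibilities only
AND    NOT EXISTS (
         -- A menu exclusion is stored with rule_type 'M' and the excluded
         -- menu's id in action_id.
         SELECT 1
         FROM   fnd_resp_functions rf
         WHERE  rf.application_id    = r.application_id
         AND    rf.responsibility_id = r.responsibility_id
         AND    rf.rule_type         = 'M'
         AND    rf.action_id         = azn.menu_id
       )
ORDER  BY r.responsibility_name, azn.menu_name;
```

An empty result means every AZN menu reachable from an active responsibility already has an exclusion; rerun it after each patch cycle, since patches can add submenus.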

The Fix: Phase 2

The second phase of the recommendation is something you may want to do in conjunction with your R12 upgrade or a major testing cycle. You will want to rebuild menus to reduce upgrade risk. There are several options for establishing new menus that reduce risk:

  1. Establish a new custom top-level menu, but use standard sub-menus, then exclude the same functions as you would have if you had used the standard top-level menu. This may look something like this:
    Two-Stage Process - Stage 2 Step 1
    In this approach, the menus and functions not needed for this role must be excluded at the Responsibility level. Overall, this reduces risk when compared to using AP_NAVIGATE_GUI12 as the top-level menu, but there is still considerable risk – particularly with the Setup menu. Even if you exclude some sub-menus and functions that are not applicable for the role, Oracle may add new sub-menus and functions when patching. A good example of this is the R12 upgrade patches, in which Oracle added the SLA setup submenu.
  2. A second approach would be to build a custom menu with just the submenus that are applicable for the role. That might look like this:
    Two-Stage Process - Stage 2 Step 2
    This approach significantly reduces risk because it eliminates various menus that are not applicable to this role (AP Manager). In particular, the removal of the SETUP menu reduces a significant amount of risk.
  3. A third option is the development of all custom sub-menus. This is not illustrated due to the time it takes to build such menus. If all custom sub-menus were used, the risk that a patch would add functionality that was not appropriate is minimal.

Contact Us

Feel free to contact the author, Jeffrey T. Hare, CPA CISA CIA, at jhare@erpra.net with further questions or comments related to this subject.