AZN Menus Pose Big Risks in EBS – And What to Do About It
in Oracle E-Business Suite by Jeff Hare
AZN Menus Background
AZN menus were introduced by Oracle around 11.5.3 to help provide a more rapid implementation to the SMB business segment. They provide users with a graphical depiction of a process flow and the ability to access the functions directly from the graphical navigation.
When an AZN menu is contained in a menu, the Processes tab appears on the Navigator as follows:
When a user clicks on the Processes tab they see this:
If they click on one of the icons, it launches the form. For example:
When I click on the Pay Supplier icon, it takes me to this form:
The AZN menus provide another way for a user to navigate to certain functions. Here is the menu associated with the above Responsibility:
The AZN_PR_PAYABLES menu is a ‘hidden’ menu in that it has no prompt. However, it is what ‘triggers’ the system to display the Processes tab that we illustrated earlier.
Here is the AZN_PR_PAYABLES menu:
Here is the menu extracted so you can see the details of the functions provided:
This submenu contains most of the functions necessary to process all transactions within the Accounts Payable department. Generally, a user with this many significant functions has various segregation of duties conflicts.
Here are some screen shots of other AZN menus:
Here is a list of Known AZN Menus from a 12.1.2 environment:
- AZN_CASH_FORECASTING
- AZN_EDR_ERES_PROCESS
- AZN_EXPENSE_CYCLE
- AZN_MAIN
- AZN_PJM_PRJ_DEF
- AZN_PR_ASSET
- AZN_PR_ATO
- AZN_PR_CLASSIFY_TO_COUNT
- AZN_PR_GL
- AZN_PR_GL_G
- AZN_PR_GMD
- AZN_PR_GML
- AZN_PR_INTERNAL_REQUISITION
- AZN_PR_INVENTORY
- AZN_PR_MAIN
- AZN_PR_OE
- AZN_PR_ORDER_FULFILLMENT
- AZN_PR_PAYABLES
- AZN_PR_PAYABLES_G
- AZN_PR_PHYSICAL_INVENTORY
- AZN_PR_PROCUREMENT
- AZN_PR_PROPERTY_MANAGER
- AZN_PR_RECEIVABLES
- AZN_PR_RECEIVABLES_G
- AZN_REVENUE_CYCLE
AZN Menu Risks and Recommendations
Based on our experience, more often than not, users aren’t aware of the Processes tab. The fact that it just ‘magically’ appeared is part of what we refer to as upgrade risk. Upgrade risk occurs because patches add new functions and submenus to users’ access. This happens when standard menus and standard sub-menus are used to build security, which is the case in about 99% of all E-Business Suite implementations. Most system integrators use this approach to developing security:
Instead of using the standard Payables Manager responsibility, they will set up a custom responsibility, ABC Co Payables Manager, but use the same top-level menu, “AP_NAVIGATE_GUI12”. This leaves companies exposed to upgrade risk, and AZN menus are a symptom of the underlying cause.
Where this is the case, we recommend a two-stage process.
The Fix: Phase 1
For every responsibility, check whether it contains one or more AZN menus. You can easily do this as follows:
Change the exclusion type to Menu, type %AZN% in the name field as shown above, and press the tab key to search for menus whose name contains AZN. Here are the results for this menu:
However, for other responsibilities, such as Application Developer, which has the AZN_MAIN menu, you will receive a lot more results:
Exclude all AZN menus.
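The same Phase 1 check can be run across every responsibility at once instead of one form lookup at a time. The query below is an added example, not part of the original article; it assumes read access to the standard FND tables in the APPS schema (FND_RESPONSIBILITY_VL, FND_MENUS, FND_MENU_ENTRIES, FND_RESP_FUNCTIONS) and reports, for each active responsibility, every AZN menu reachable from its top-level menu and whether a menu exclusion already exists for it.

```sql
-- Added example (not from the article). Assumes read access to the
-- standard FND tables in the APPS schema.
-- Lists each active responsibility whose menu tree reaches an AZN menu
-- and whether a menu exclusion for that AZN menu already exists.
SELECT DISTINCT
       r.responsibility_name,
       tm.menu_name   AS top_level_menu,
       azn.menu_name  AS azn_menu,
       CASE WHEN x.action_id IS NULL
            THEN 'NOT EXCLUDED'
            ELSE 'EXCLUDED'
       END            AS exclusion_status
FROM   fnd_responsibility_vl r
JOIN   fnd_menus tm
       ON tm.menu_id = r.menu_id
JOIN  (
        -- Walk each responsibility's menu hierarchy from its top-level
        -- menu down through every nested submenu.
        SELECT CONNECT_BY_ROOT e.menu_id AS root_menu_id,
               e.sub_menu_id
        FROM   fnd_menu_entries e
        WHERE  e.sub_menu_id IS NOT NULL
        START WITH e.menu_id IN (SELECT menu_id FROM fnd_responsibility)
        CONNECT BY NOCYCLE PRIOR e.sub_menu_id = e.menu_id
      ) t
       ON t.root_menu_id = r.menu_id
JOIN   fnd_menus azn
       ON azn.menu_id = t.sub_menu_id
LEFT JOIN fnd_resp_functions x          -- responsibility-level exclusions
       ON  x.application_id    = r.application_id
       AND x.responsibility_id = r.responsibility_id
       AND x.rule_type         = 'M'    -- 'M' = menu exclusion, 'F' = function
       AND x.action_id         = azn.menu_id
WHERE  azn.menu_name LIKE '%AZN%'       -- same pattern the article searches for
AND    NVL(r.end_date, SYSDATE + 1) > SYSDATE   -- active responsibilities only
ORDER  BY exclusion_status DESC, r.responsibility_name, azn.menu_name;
```

Rows marked NOT EXCLUDED are the responsibilities that still show the Processes tab. The query credits only a direct exclusion of the AZN menu itself, so a responsibility that excludes a parent menu above it will still be listed and should be reviewed by hand.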
The Fix: Phase 2
The second phase of the recommendation is something you may want to do in conjunction with your R12 upgrade or a major testing cycle. You will want to rebuild menus to reduce upgrade risk. There are several options for establishing new menus to reduce risk:
- Establish a new custom top-level menu, but use standard sub-menus, then exclude the same functions as you would have if you had used the standard top-level menu. This may look something like this:
In this approach, the menus and functions not needed for this role must be excluded at the Responsibility level. Overall, this reduces risk when compared to using AP_NAVIGATE_GUI12 as the top-level menu, but there is still considerable risk, particularly with the Setup menu. Even if you exclude some sub-menus and functions that are not applicable for the role, Oracle may add new sub-menus and functions when patching. A good example of this is the R12 upgrade patches, in which Oracle added the SLA setup submenu.
- A second approach would be to build a custom menu with just the submenus that are applicable for the role. That might look like this:
This approach significantly reduces risk because it eliminates various menus that are not applicable to this role (AP Manager). In particular, the removal of the SETUP menu reduces a significant amount of risk.
- A third option is the development of all custom sub-menus. This is not illustrated due to the time it takes to build such menus. If all custom sub-menus were used, the risk that a patch would add functionality that was not appropriate is minimal.
Contact Us
Feel free to contact the author, Jeffrey T. Hare, CPA CISA CIA, at jhare@erpra.net with further questions or comments related to this subject.