Change their password upon first login/admin reset - ERP Risk Advisors

Change their password upon first login/admin reset


Got a question today about password resets:

“I am trying to figure something out. How do we validate that Oracle forces the user to change their password upon first login/admin reset? I thought it was something in the profile options. Thank you for the help.”

My response…
Inherent in the system. Can’t be turned off. Not controlled by Profile Options.

There is a lot of risk involved with password resets. With plenty of hacking / backdoor access to the database and privileged users that have the ability to reset passwords, this should be a critical control for your organization. You need a policy and related procedures on how/when p/w resets can be requested and who can reset the p/w. Then, because of the risk, the process owner (system or security administrator, security auditor, etc.) should regularly check with the owner of the accounts to make sure the p/w resets were valid and not some nefarious behavior.

My two cents FWIW.

Regards,
Jeffrey T. Hare, CPA CIA CISA

Jeffrey T. Hare
jhare@erpra.net

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors. His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience. Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience. Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).

3 Comments
  • Anonymous
    Posted at 15:39h, 01 April

    At our company, we have the workflow mailer send an email to the user indicating that their Oracle application password has been changed. Instructions to call our help desk are provided if the change was not authorized.

  • Anonymous
    Posted at 15:21h, 22 June

    Hi – I am definitely glad to discover this. Good job!

  • Anonymous
    Posted at 02:47h, 10 July

    Hey – I am really delighted to discover this. Good job!
