User Profile Values Risks and Controls

Blog article by Jeff Hare

Background:

Oracle provides a form to allow users to maintain certain profile options. The form is “Personal Profile Values”, and the function is “Profile User Values”.

See an 11i screen shot of the form below:

[Screenshot: User Profile Values form, 11i]

And an R12 version of the same form:

[Screenshot: User Profile Values form, R12]

This form allows an application user to set any profile option that has been defined as changeable at the user level. A value set at the user level overrides any value set at the ‘higher’ levels: Site, Application, and Responsibility.

See a screen shot of the “profile options defined” (via Application Developer responsibility) form below:

[Screenshot: Profile Options defined form, Application Developer responsibility]

The profile option above (Account Generator:Run in Debug Mode) is defined so that a user can override it in the Personal Profile Values form. I queried a 12.1.3 environment and noted that there are 8,485 different profile options (see screen shot below). While not all of these allow users to override the value at the User level through the Personal Profile Values form, there are likely thousands of profile options that give a user the ability to override a profile value.

[Screenshot: profile option count, EBS 12.1.3 environment]

Here are some examples of profile options that organizations typically would not allow users to override:

Account Generator:Run in Debug Mode and Account Generator:Purge Runtime Data. In the 12.1.3 test environment, I scrolled through the Define Profile Options form and found hundreds, if not thousands, of profile options that a user can manipulate. Unless a thorough analysis is done on each option that can be set at the User level through the User Profile Values form, it is prudent to restrict access to this form.


Recommendations:

Based on the risks associated with users having the ability to override these values, we do NOT recommend that this form be accessible to users. All changes to profile options should go through a centralized process. Many profile options could have a significant impact on key controls and/or are critical to the design of the application. Accordingly, all profile options should go through a formal IT change management process, other than those specifically exempted from the policy. Some examples of low-impact profile options that could be exempt from the change management process are Java Color Scheme, Printer, and Concurrent:Report Copies. A profile option should be exempted only when its risk has been properly evaluated and deemed tolerable by management.


Remediation:

If your organization uses R12, Oracle has (finally) provided a way to identify which responsibilities have access to this function. Here are the details…

Responsibility: Functional Administrator
Navigation: Core Services -> Functions

Query on the Name “Profile User Values” and you will receive this screen:

[Screenshot: Functions search results for “Profile User Values”]

Click on the Profile User Values link and you will receive this screen:

[Screenshot: Profile User Values function detail page]

Click on the Menus tab and you will receive this information:

[Screenshot: Menus tab listing menus that contain the function]

This provides you with the menus that contain this function. In this 12.1.2 environment (public domain environment hosted by Solution Beacon – thanks to SB!!!) there are 194 menus that contain this function. This query does not show the main or top-level menus that contain these submenus. As such, we need further research to determine how to remove function access from end users. (This applies if you decide to remove access to this function rather than personalizing the form.)
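Since the Functional Administrator page stops at the menus that directly contain the function, the added query below (not from the original article) walks the menu hierarchy upward from those menus to the top-level menu of each responsibility, giving the list of responsibilities that can reach “Profile User Values”. It uses the standard FND tables and assumes the APPS schema and the 'US' language; the explicit function exclusions in FND_RESP_FUNCTIONS are honoured, but menu-level exclusions are not.

```sql
-- Added example: responsibilities whose menu tree reaches the
-- "Profile User Values" function (user_function_name from the article).
-- Assumes SELECT access on the APPS FND tables and LANGUAGE = 'US'.
WITH target_fn AS (
  SELECT ff.function_id
  FROM   fnd_form_functions ff
  JOIN   fnd_form_functions_tl ft
         ON  ft.function_id = ff.function_id
         AND ft.language    = 'US'
  WHERE  ft.user_function_name = 'Profile User Values'
),
menu_path AS (
  -- Start at every menu entry that grants the function, then climb to
  -- each parent menu that lists the current menu as a sub-menu.
  SELECT me.menu_id,
         LEVEL AS depth,
         SYS_CONNECT_BY_PATH(m.menu_name, ' <- ') AS path
  FROM   fnd_menu_entries me
  JOIN   fnd_menus m ON m.menu_id = me.menu_id
  START WITH me.function_id IN (SELECT function_id FROM target_fn)
         AND NVL(me.grant_flag, 'Y') = 'Y'
  CONNECT BY NOCYCLE PRIOR me.menu_id = me.sub_menu_id
)
SELECT DISTINCT rt.responsibility_name,
       r.responsibility_key,
       mp.depth          AS menu_levels,
       mp.path           AS menu_chain
FROM   menu_path mp
JOIN   fnd_responsibility r ON r.menu_id = mp.menu_id   -- top-level menu
JOIN   fnd_responsibility_tl rt
       ON  rt.responsibility_id = r.responsibility_id
       AND rt.application_id    = r.application_id
       AND rt.language          = 'US'
WHERE  NVL(r.end_date, SYSDATE + 1) > SYSDATE             -- active only
  -- Drop responsibilities that explicitly exclude the function.
  AND NOT EXISTS (
        SELECT 1
        FROM   fnd_resp_functions rf
        WHERE  rf.responsibility_id = r.responsibility_id
        AND    rf.application_id    = r.application_id
        AND    rf.rule_type         = 'F'
        AND    rf.action_id IN (SELECT function_id FROM target_fn))
ORDER BY rt.responsibility_name;
```

Each row shows the responsibility and the chain of menus from its top-level menu down to the menu holding the function, which is the menu entry to remove (or exclude via the responsibility's Menu Exclusions) if you decide to take the function away.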


Contact:

Feel free to contact the author, Jeff Hare, CPA CISA CIA, at jhare@erpra.net with further questions or comments related to this subject.
