12 Oct Oracle E-Business Suite: Why Personal Profile Values Form Needs to be Removed from all Users
Oracle EBS Personal Profile Values Form
Time to revisit this topic.
This is easy pickins for external auditors to lead to a control deficiency. Take a look back at this topic I posted on last year:
This blog should give you all the detail you need to understand the risks. Following are several examples of profile options that can be maintained via the Personal Profiles Values form.
As a reminder, if a user can set a profile option at the User level, it overrides all other levels including those set at the Site level. If the Site level is set to No and the user sets it to Yes through this form, they have the capability provided by the profile option.
Example 1: The ability to apply or remove Personalizations can be overwritten by the User.
From the Users Guide: Used to enable Oracle Apps Personalization link on JSP pages.
Example 2: The ability to set a longer session timeout for the user – overriding the corporate policy. This is a favorite profile option for Deloitte to pick on.
Example 3: Workflow example 1: There are two profile options that have huge implications on the design of workflow
WF: Guest Access to Notifications
Enables approval of workflow approvals via email – does not require the user to authenticate with their credentials in order to make the approval.
From Oracle Users Guide: This profile option helps control whether users must log in before they can access the Notification Details Web page from a notification. To enable guest access, which does not require an individual login, you must both set this profile option to Enabled and create a grant assigning the “Workflow Guest User permission set” to the GUEST user.
WF: Notification Reassign Mode
This profile option controls how users can reassign notifications. See: Setting the WF: Notification Reassign Mode Profile Option.
Delegate – Provides users access to delegate a notification to another user while still retaining ownership of the notification.
Transfer – Provides users access to transfer complete ownership of a notification to another user.
Reassign – Provides users access to both the Delegate and Transfer reassign modes. This setting is the default value for this profile option.
Example 4: Workflow example 2:
WF: Plain text sign-on – from the book “The ABCs of Workflow for E-Business Suite Release 11i and Release 12” “Set this profile option to “Yes” to allow electronic signing to only occur on Plain Text notifications”
Example 5: Example related to a few GL profile options. The profile option GL: Journal Review Required – we’ll let your imagination wonder what this could be controlling… If the Site level is set to Yes (opposite of screen shot) and the User set theirs to No, this would be a serious control design issue.
Recommended Services from ERP Risk Advisors related to this topic:
We offer a health check that includes reviewing how your organization has set many of the high risk profile options. See more about this free service at: http://erpra.net/Services.html.
If you are an auditor, keep in mind that we also do outsourced IT audit work.
We are thorough, risk-based, and will work with you to develop a scope that fits your budget.