
How to Restrict Application Users in Oracle EBS

How to Restrict Application Users to a Single Session in Oracle E-Business Suite

Introduction:

Maintaining security in an Oracle E-Business Suite (EBS) environment is crucial to protect sensitive data and ensure a secure user experience. One important security measure is restricting users to be signed in only once at any time. This prevents unauthorized access and enhances accountability. In this blog post, we will discuss how to implement this restriction using the oracle.apps.icx.security.session.created business event.

Enabling the oracle.apps.icx.security.session.created Event:

Before we can enforce the restriction, we need to load and enable the oracle.apps.icx.security.session.created event.

Follow these steps:

Check for the presence of Bug #7174340 in the database. This bug affects the functionality of the event in Oracle EBS 12.0.2.

select name, status from wf_events evt where name = 'oracle.apps.icx.security.session.created';

no rows selected

If the above event is not present, apply patch 3861070 and load the event using the command below. This patch installs the event and the event subscription to enable a single login per user in the file system. If a specific user logs in to the application and a previous, valid session is still active, the previous session(s) are immediately invalidated by the event oracle.apps.icx.security.session.created.

java oracle.apps.fnd.wf.WFXLoad -u apps <appspassword> <db_host>:<db-port>:<DB-SID> thin US $FND_TOP/patch/115/xml/US/icxevte.wfx

Verify the event’s status by executing the SQL query:

select name, status from wf_events evt where name = 'oracle.apps.icx.security.session.created';

The event should now appear with a status of “ENABLED.”

Enabling Event Subscriptions:

To complete the restriction, we also need to enable the event subscription. Follow these steps:

Load the event subscription using the following command:

java oracle.apps.fnd.wf.WFXLoad -u apps <appspassword> <db_host>:<db-port>:<DB-SID> thin US $FND_TOP/patch/115/xml/US/icxevts.wfx

Verify the status of the event subscription by executing the SQL query:

select status from wf_event_subscriptions where rule_function = 'icx_sec.doNewSessionEvent';

The status should be “ENABLED.”

How to enable or disable the event oracle.apps.icx.security.session.created

1. Log in to E-Business Suite and navigate to Workflow Administrator Web Application > Business Event. Search for oracle.apps.icx.security.session.created.

2. Click the clock symbol under the Subscription column. Use the pencil beside the subscription icx_sec.doNewSessionEvent to access its definition and enable or disable it.

3. Shut down and restart the Workflow Agent Listener Service.

Additional Steps to check

1. Determine the USER_ID from FND_USER for the user you are testing with (make sure this is *not* SYSADMIN, since that user is excluded from this feature…)

2. Start the first session for this user

3. Run the following SQL to check sessions created for that user in the last day

select session_id, disabled_flag, to_char(first_connect,'dd-mm-yyyy hh24:mi:ss') first_connect, to_char(last_connect,'dd-mm-yyyy hh24:mi:ss') last_connect from ICX_SESSIONS where user_id= <user_id> and first_connect > sysdate - 1 order by first_connect desc;

Save the output

4. Start the second session (from other desktop or browser type)

5. Run the following SQL to check sessions created for that user in the last day

select session_id, disabled_flag, to_char(first_connect,'dd-mm-yyyy hh24:mi:ss') first_connect, to_char(last_connect,'dd-mm-yyyy hh24:mi:ss') last_connect from ICX_SESSIONS where user_id= <user_id> and first_connect > sysdate - 1 order by first_connect desc;

Now you should see that a new session has been created compared with step 3, and apart from the new session all others should have disabled_flag=Y. In the previous session, check whether you can still perform any operations.
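An added verification script (not from the original post) covering the status checks and the ICX_SESSIONS test above: the first query reports the event and subscription status together, and the second lists users who still hold more than one enabled session created in the last day. It assumes WF_EVENT_SUBSCRIPTIONS.EVENT_FILTER_GUID references WF_EVENTS.GUID, that FND_USER.USER_NAME identifies the account, and that GUEST is the anonymous pre-login account in your instance.

```sql
-- Added example, not part of the original post. Run as the APPS user.

-- 1) Event and subscription status in one row. A NULL subscription_status
--    means the icx_sec.doNewSessionEvent subscription has not been loaded.
--    Assumption: event_filter_guid links a subscription to its event.
select e.name,
       e.status as event_status,
       s.status as subscription_status
from   wf_events e
       left join wf_event_subscriptions s
              on s.event_filter_guid = e.guid
             and s.rule_function = 'icx_sec.doNewSessionEvent'
where  e.name = 'oracle.apps.icx.security.session.created';

-- 2) Users with more than one session from the last day that is not
--    flagged disabled. With the restriction working this returns no rows
--    for ordinary users. SYSADMIN is excluded because the feature does not
--    apply to it; GUEST is excluded on the assumption that it only carries
--    anonymous pre-login sessions.
select u.user_name,
       s.user_id,
       count(*) as enabled_sessions,
       to_char(min(s.first_connect), 'dd-mm-yyyy hh24:mi:ss') as oldest_first_connect,
       to_char(max(s.last_connect), 'dd-mm-yyyy hh24:mi:ss') as newest_last_connect
from   icx_sessions s
       join fnd_user u
         on u.user_id = s.user_id
where  s.first_connect > sysdate - 1
and    nvl(s.disabled_flag, 'N') <> 'Y'
and    u.user_name not in ('SYSADMIN', 'GUEST')
group  by u.user_name, s.user_id
having count(*) > 1
order  by enabled_sessions desc;
```

Sessions that have expired without being flagged can still appear in the second result, so treat its rows as candidates to review against last_connect rather than as confirmed concurrent logins.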

Important Considerations:

Bug #7174340: If you are using Oracle EBS 12.0.2, the oracle.apps.icx.security.session.created event may not function correctly. Upgrading to a point release where the bug is fixed is recommended.

Patch 9340077: To ensure proper session restriction functionality, apply this patch. It allows you to restrict multiple simultaneous logins to the same EBS username.

Conclusion:

Restricting users to a single session in Oracle E-Business Suite is a valuable security measure. By enabling the oracle.apps.icx.security.session.created event and event subscription, you can prevent unauthorized access and enhance the overall security of your EBS environment. Remember to check for any related bugs and apply the necessary patches to ensure the smooth implementation of this restriction.


About Abdul Khalique Siddique

In addition to my proficiency in Oracle Database, I have also specialized in Oracle E-Business Suite. I have hands-on experience in implementing, configuring, and maintaining EBS applications, enabling organizations to streamline their business processes and achieve operational efficiency. Also I have hands-on experience in Oracle Cloud Infrastructure (OCI). I have worked with OCI services such as compute, storage, networking, and database offerings, leveraging the power of the cloud to deliver scalable and cost-effective solutions. My knowledge of OCI architecture and deployment models allows me to design and implement robust and secure cloud environments for various business requirements. Furthermore, I have specialized in disaster recovery solutions for Oracle technologies. I have designed and implemented comprehensive disaster recovery strategies, including backup and recovery procedures, standby databases, and high availability configurations. My expertise in data replication, failover mechanisms, and business continuity planning ensures that organizations can quickly recover from disruptions and maintain uninterrupted operations.
