
Oracle Workflow Administrator's Guide
Release 2.6.4
Part Number B15852-05

Oracle Workflow Security

This chapter describes the architecture and configuration of security for Oracle Workflow.

This chapter covers the following topics:

Oracle Workflow Security

The ability to control user access to Web and application content and to protect your site against people breaking into your system is critical.

For additional information about security, refer to the following documents:

About Oracle Workflow Security

This section describes the Oracle Workflow security model.

Oracle Workflow Security Model

Oracle Workflow uses a password-based security model to protect Web and application content.

Classes of Users and Their Privileges

For purposes of accessing Oracle Workflow Web pages, Oracle Workflow defines two classes of users: Workflow administrators and Workflow users.

In standalone Oracle Workflow, access to Oracle Workflow administrator features is controlled by the workflow administrator role defined in the Global Preferences page. Users associated with this role have access to all Oracle Workflow Web pages, including administrator pages, and can perform the operations available there. Users who are not associated with the workflow administrator role have more limited access to Oracle Workflow features.

In Oracle Applications, access to Oracle Workflow administrator features is controlled both by responsibilities, which determine what pages a user can access, and by the workflow administrator role defined in the Workflow Configuration page, which determines what administrative operations a user can perform. To perform administrative operations, users must both have a responsibility that includes Oracle Workflow administrator Web pages and be associated with the workflow administrator role. If users have an appropriate responsibility but are not associated with the workflow administrator role, then they can only view the administrator Web pages. Users must also have an appropriate responsibility to access the Oracle Workflow self-service user Web pages. In some cases users who are associated with the workflow administrator role can perform additional administrative operations in the self-service Web pages as well.
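The Oracle Applications rule above, modelled as an added example (not Oracle code; the class, function and role names are hypothetical and the accounts are constructed): responsibilities decide which pages open, the workflow administrator role decides whether operations are allowed, and the review flags accounts where the two assignments disagree.

```python
from dataclasses import dataclass

# Constructed model of the rule described above; the field and function
# names are illustrative, not Oracle Workflow APIs or tables.
@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    admin_pages_resp: bool = False    # responsibility that includes administrator Web pages
    self_service_resp: bool = False   # responsibility that includes self-service Web pages


def admin_page_access(user, admin_role):
    """Return 'none', 'view' or 'operate' for the administrator Web pages."""
    if not user.admin_pages_resp:
        return "none"                 # responsibilities decide which pages open
    return "operate" if admin_role in user.roles else "view"


def review(users, admin_role):
    """Flag accounts whose role and responsibility assignments disagree."""
    findings = []
    for u in users:
        level = admin_page_access(u, admin_role)
        has_role = admin_role in u.roles
        if level == "view":
            findings.append((u.name, "admin responsibility without admin role: view only"))
        elif has_role and level == "none" and u.self_service_resp:
            findings.append((u.name, "admin role reachable only through self-service pages"))
        elif has_role and level == "none":
            findings.append((u.name, "admin role with no responsibility: no page access"))
    return findings


# Constructed sample accounts; the role name is a placeholder.
ADMIN_ROLE = "WF_ADMINS"
USERS = [
    User("alice", frozenset({ADMIN_ROLE}), admin_pages_resp=True, self_service_resp=True),
    User("bob", frozenset(), admin_pages_resp=True),
    User("carol", frozenset({ADMIN_ROLE}), self_service_resp=True),
    User("dave", frozenset({ADMIN_ROLE})),
    User("erin", frozenset(), self_service_resp=True),
]

if __name__ == "__main__":
    for name, note in review(USERS, ADMIN_ROLE):
        print(f"{name}: {note}")
```

Accounts like the constructed "carol" matter in an access review because, as noted above, the workflow administrator role can in some cases allow additional administrative operations in the self-service pages.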

Additionally, administrators who manage standalone Oracle Workflow must have the Oracle Application Server administrator role to access the Workflow Manager component within Oracle Enterprise Manager. Administrators who manage Oracle Workflow in Oracle Applications must have the Oracle Applications System Administrator responsibility to access Oracle Applications Manager, or must have an Oracle Workflow administrator responsibility that includes direct access to the Workflow Manager component within Oracle Applications Manager.

Also, administrators and developers who need to run Oracle Workflow scripts and programs or save workflow item type definitions to the database must have the password for the Oracle Workflow schema in the database.

Resources Protected

Oracle Workflow provides security to protect the following resources.

Authorization and Access Enforcement

Users are prompted for a username and password in order to access Oracle Workflow Web pages and Oracle Enterprise Manager or Oracle Applications Manager. In Oracle Applications, users must additionally be assigned a responsibility that includes Oracle Workflow Web pages before they can access these pages.

Users must provide the Oracle Workflow database schema username and password to run administrative scripts and programs and to access workflow definitions in the database through Oracle Workflow Builder.

For information about authorization and validation of e-mail notification responses, see: E-mail Notification Security.

Leveraging Oracle Application Server Security Services

Oracle Workflow leverages Oracle HTTP Server authentication to control access to Oracle Workflow Web pages. In standalone Oracle Workflow, a PL/SQL Database Access Descriptor (DAD) is created for the Oracle Workflow Web pages during installation. You can use either the HTTP or HTTPS protocol. HTTPS, which is HTTP over Secure Sockets Layer (SSL), is recommended. For instructions on configuring SSL with Oracle HTTP Server, please refer to the Oracle HTTP Server Administrator's Guide.

For information about use of Oracle HTTP Server by Oracle Applications, see: Administering Oracle HTTP Server, Oracle Applications System Administrator's Guide.

Leveraging Oracle Identity Management Infrastructure

For standalone Oracle Workflow, you can choose one of two predefined directory service implementations during installation.

In Oracle Applications, an Oracle Workflow directory service based on users and roles from the unified Oracle Applications environment is automatically implemented for you during installation. For information about setting up Oracle Applications to use Oracle Internet Directory and single sign-on, see: Implementing Single Sign-on for Oracle Applications 11i with Login Server Authentication Using Oracle Internet Directory, Oracle Applications System Administrator's Guide.

Configuring Oracle Application Server Security Framework for Oracle Workflow

This section describes configuration considerations in Oracle HTTP Server for standalone Oracle Workflow. For Oracle Applications, see: Oracle9i Application Server and Oracle Applications, Oracle Applications System Administrator's Guide.

Configuring Oracle Application Server Security Framework Options for Oracle Workflow

If you install Oracle Workflow shipped with Oracle Application Server and you choose to implement Oracle Internet Directory and single sign-on integration in the Workflow Configuration Assistant, the DAD created for Oracle Workflow in Oracle HTTP Server is automatically protected in the mod_osso configuration file during installation. For more information, see the installation documentation for your installation of Oracle Workflow.

Configuring Oracle Workflow Security

You can configure the following options in Oracle Workflow to take advantage of the security features you want.

Configuring Oracle Workflow Security Options

You can set the following global workflow preferences related to security.

See: Setting Global User Preferences.

For information about configuring e-mail notification security options, see: E-mail Notification Security.

Configuring Standalone Oracle Workflow Options for Oracle Application Server Security Framework

During installation of standalone Oracle Workflow, the Workflow Configuration Assistant lets you enter LDAP preferences in order to integrate with Oracle Internet Directory. If you do choose to integrate with Oracle Internet Directory, the Workflow Configuration Assistant automatically installs the appropriate version of the Workflow PL/SQL security package, called WFA_SEC, and a directory service implementation based on Oracle Internet Directory.

For Oracle Workflow shipped with Oracle Application Server, Oracle Internet Directory integration also enables Oracle Workflow to participate in Oracle Application Server single sign-on.

If you choose to integrate with Oracle Internet Directory, you must perform the following steps:

  1. Perform an initial synchronization of the user information in your Workflow directory service with Oracle Internet Directory.

  2. Schedule synchronization periodically between your Workflow directory service and Oracle Internet Directory.

See: Integrating an Oracle Workflow Directory Service with Oracle Internet Directory and Synchronizing Workflow Directory Services with Oracle Internet Directory.

Configuring Standalone Oracle Workflow Options for Database Security

If you do not enter LDAP preferences in the Workflow Configuration Assistant during installation, then a directory service implementation based on Oracle Database users and roles is automatically installed, along with the appropriate version of the Workflow PL/SQL security package, called WFA_SEC.

In this case, you should modify the default directory service views to add e-mail addresses for the database users if you want them to be able to receive e-mail notifications. See: Integrating an Oracle Workflow Directory Service with Oracle Database Users.

Note: You can also implement a custom version of the WFA_SEC security package, if you want to implement your own application-specific security. However, note that only the predefined versions of the WFA_SEC security package provided by Oracle Workflow are supported by Oracle. See: Oracle Workflow Support Policy, Oracle Workflow Developer's Guide.

Configuring Oracle Workflow Options for Oracle Applications Security

If you are using the version of Oracle Workflow embedded in Oracle Applications, directory service views for users and roles from the unified Oracle Applications environment are automatically implemented for you during installation. In Oracle Applications, Oracle Workflow uses a directory service model in which denormalized information is maintained in the Workflow local tables for performance gain. The local Workflow directory service tables store user and role information originating from various other Oracle Applications modules, as well as ad hoc users and roles, so that the Workflow directory service views can access this information with good performance. You should maintain synchronization between the user and role information stored in application tables by the source modules and the information stored in the Workflow local tables. See: Setting Up a Directory Service for Oracle Workflow Embedded in Oracle Applications.

Also, in Oracle Applications, you can optionally give users access to the Advanced Worklist and Personal Worklist Web pages from any responsibility you choose. To make a Worklist available from a particular responsibility, you must add the appropriate function to the menu associated with that responsibility. Then you can assign that responsibility to your users. See: Adding Worklist Functions to User Responsibilities.

Similarly, you can give users access to the Workflow Monitor Test Application from a responsibility that you choose. To make the Workflow Monitor Test Application available from a particular responsibility, you must add its menu to a top-level menu for that responsibility. Then you can assign that responsibility to your users. See: Testing Status Monitor Access.

You can use a special message attribute with the internal name #WF_SIG_POLICY to require that a user's response to a notification be authenticated by an electronic signature. Otherwise, the response will not be considered valid.

See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.

Additionally, in Oracle Applications a user can grant access to his or her worklist to another user. That user can then act as a proxy to handle notifications on the owner's behalf. The worklist access feature lets one user allow another user to handle his or her notifications without giving the second user access to any other privileges or responsibilities that the first user has in Oracle Applications. However, note that a user who has access to another user's worklist can view all the details of that user's notifications and take most actions that the owner can take on the notifications. Ensure that your users take all necessary security considerations into account when they choose to grant worklist access to another user. See: Worklist Access, Oracle Workflow User's Guide.