Oracle Workflow Administrator's Guide Release 2.6.4 Part Number B15852-05
The ability to control user access to Web and application content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Workflow.
For additional information about security, refer to the following documents:
The Oracle Application Server 10g Security Guide provides an overview of Oracle Application Server security and its core functionality.
The Oracle Identity Management Concepts and Deployment Planning Guide provides guidance for administrators of the Oracle security infrastructure.
The Oracle Database Security Overview provides information about Oracle Database security.
The Overview of Oracle Applications Security, Oracle Applications System Administrator's Guide provides information about Oracle Applications security.
This section describes the Oracle Workflow security model.
Oracle Workflow uses a password-based security model to protect Web and application content.
The standalone version of Oracle Workflow leverages the security architecture of Oracle Application Server and the Oracle Database.
The version of Oracle Workflow embedded in Oracle Applications is part of the Oracle Applications security model in which users' privileges and access to functionality are based on responsibilities.
For purposes of accessing Oracle Workflow Web pages, Oracle Workflow defines two classes of users: Workflow administrators and Workflow users.
In standalone Oracle Workflow, access to Oracle Workflow administrator features is controlled by the workflow administrator role defined in the Global Preferences page. Users associated with this role have access to all Oracle Workflow Web pages, including administrator pages, and can perform the operations available there. Users who are not associated with the workflow administrator role have more limited access to Oracle Workflow features.
In Oracle Applications, access to Oracle Workflow administrator features is controlled both by responsibilities, which determine what pages a user can access, and by the workflow administrator role defined in the Workflow Configuration page, which determines what administrative operations a user can perform. To perform administrative operations, users must both have a responsibility that includes Oracle Workflow administrator Web pages and be associated with the workflow administrator role. If users have an appropriate responsibility but are not associated with the workflow administrator role, then they can only view the administrator Web pages. Users must also have an appropriate responsibility to access the Oracle Workflow self-service user Web pages. In some cases users who are associated with the workflow administrator role can perform additional administrative operations in the self-service Web pages as well.
Workflow administrators - Standalone Oracle Workflow users who are associated with the workflow administrator role, or Oracle Applications users who have an Oracle Workflow administrator responsibility and are associated with the workflow administrator role, can:
Access the administrator version of the Oracle Workflow Home page in standalone Oracle Workflow or the Oracle Workflow Administrator Home page in Oracle Applications.
Set global workflow preferences and their own individual user preferences.
View and respond to any user's notifications through the Worklist pages.
Define rules to handle notifications automatically in a user's absence.
View and update any user's processes in the Workflow Monitor in standalone Oracle Workflow, or in the administrator Status Monitor in Oracle Applications.
View Workflow item type definitions and launch test processes.
Launch demonstration processes, in standalone Oracle Workflow.
Manage business events and event subscriptions.
Define worklist flexfields rules and perform rule simulations in Oracle Applications. Access to worklist flexfields rules functionality requires only an Oracle Workflow administrator responsibility.
Workflow users - Standalone Oracle Workflow users who are not associated with the workflow administrator role, or Oracle Applications users who have an Oracle Workflow user responsibility, can:
Access the user version of the Oracle Workflow Home page in standalone Oracle Workflow or the Oracle Workflow Self-service Home page in Oracle Applications.
Set their own individual user preferences.
View and respond to their own notifications through the Worklist pages.
Define rules to handle their own notifications automatically in their absence.
View and respond to notifications for other users who have granted access to their worklists.
View their own processes in the Workflow Monitor in standalone Oracle Workflow, or in the self-service Status Monitor in Oracle Applications. In Oracle Applications, users who are associated with the workflow administrator role can also reassign notifications or cancel workflows in the self-service Status Monitor.
View Workflow item type definitions, in standalone Oracle Workflow.
Additionally, administrators who manage standalone Oracle Workflow must have the Oracle Application Server administrator role to access the Workflow Manager component within Oracle Enterprise Manager. Administrators who manage Oracle Workflow in Oracle Applications must have the Oracle Applications System Administrator responsibility to access Oracle Applications Manager, or must have an Oracle Workflow administrator responsibility that includes direct access to the Workflow Manager component within Oracle Applications Manager.
Also, administrators and developers who need to run Oracle Workflow scripts and programs or save workflow item type definitions to the database must have the password for the Oracle Workflow schema in the database.
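The workflow administrator role described above decides who can perform administrative operations, so it is worth reviewing periodically. The following queries are an added audit example, not part of the Oracle guide; they assume a session with SELECT access to the WF_RESOURCES table and the WF_USER_ROLES directory service view in the Oracle Workflow schema.

```sql
-- Added audit example (not from the Oracle guide).
-- Assumption: run as a user with SELECT access to WF_RESOURCES and
-- WF_USER_ROLES in the Oracle Workflow schema.

-- 1. Which role is currently set as the workflow administrator role?
--    An asterisk (*) means every user and role is treated as a
--    workflow administrator, which is only appropriate for a
--    development environment.
SELECT r.text AS wf_admin_role,
       CASE
         WHEN r.text = '*' THEN 'ALL USERS ARE ADMINISTRATORS'
         ELSE 'restricted to one role'
       END    AS scope
FROM   wf_resources r
WHERE  r.name     = 'WF_ADMIN_ROLE'
AND    r.language = USERENV('LANG');

-- 2. Which users are associated with that role right now?
--    Compare this list with the people who are expected to view and
--    respond to any user's notifications and update any user's processes.
SELECT ur.user_name,
       ur.role_name
FROM   wf_user_roles ur
WHERE  ur.role_name IN (SELECT r.text
                        FROM   wf_resources r
                        WHERE  r.name     = 'WF_ADMIN_ROLE'
                        AND    r.language = USERENV('LANG'))
ORDER  BY ur.user_name;
```

In Oracle Applications, a user returned by the second query can perform administrative operations only if he or she also has a responsibility that includes the Oracle Workflow administrator Web pages.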
Oracle Workflow provides security to protect the following resources.
Oracle Workflow Web pages - Standalone Oracle Workflow users must log in using Oracle HTTP Server authentication before they can access Oracle Workflow Web pages. Oracle Applications users must log into Oracle Applications before they can access Oracle Workflow Web pages.
Workflow Manager - An Oracle Application Server or Oracle Database administrator must log into Oracle Enterprise Manager in order to access the Workflow Manager component. Similarly, an Oracle Applications system administrator must log into Oracle Applications Manager in order to access the Workflow Manager component.
Oracle Workflow Builder - No login is required to run the Oracle Workflow Builder development tool on a client PC. However, in order to view or save item type definitions in the database using Oracle Workflow Builder, a developer must provide the Oracle Workflow schema name and password.
Administrative scripts and programs - An administrator must provide the Oracle Workflow schema name and password in order to run Oracle Workflow administrative scripts, the Workflow Definitions Loader, the Workflow XML Loader, or the standalone Java Function Activity Agent. Additionally, an Oracle Applications system administrator must log into Oracle Applications or Oracle Applications Manager before running Oracle Workflow concurrent programs.
E-mail notifications - Oracle Workflow supports sending e-mail notifications to users and processing e-mail responses to update workflow processes. Ultimately, the security of e-mail notifications and responses depends on the security of your e-mail application. Oracle Workflow also provides several features to validate e-mail responses and protect application content from unauthorized updates. For more information, see: E-mail Notification Security.
Notifications - In Oracle Applications, Oracle Workflow supports electronic signatures for users' responses to notifications. You can optionally require notification responses to be authenticated by either a password-based signature or a certificate-based signature. See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.
Users are prompted for a username and password in order to access Oracle Workflow Web pages and Oracle Enterprise Manager or Oracle Applications Manager. In Oracle Applications, users must additionally be assigned a responsibility that includes Oracle Workflow Web pages before they can access these pages.
Users must provide the Oracle Workflow database schema username and password to run administrative scripts and programs and to access workflow definitions in the database through Oracle Workflow Builder.
For information about authorization and validation of e-mail notification responses, see: E-mail Notification Security.
Oracle Workflow leverages Oracle HTTP Server authentication to control access to Oracle Workflow Web pages. In standalone Oracle Workflow, a PL/SQL Database Access Descriptor (DAD) is created for the Oracle Workflow Web pages during installation. You can use either the HTTP or HTTPS protocol. HTTPS, which is HTTP over Secure Sockets Layer (SSL), is recommended. For instructions on configuring SSL with Oracle HTTP Server, please refer to the Oracle HTTP Server Administrator's Guide.
For information about use of Oracle HTTP Server by Oracle Applications, see: Administering Oracle HTTP Server, Oracle Applications System Administrator's Guide.
For standalone Oracle Workflow, you can choose one of two predefined directory service implementations during installation.
You can integrate with Oracle Internet Directory as your directory repository. This option is recommended in order to leverage Oracle Internet Directory management tools and to support single sign-on through LDAP external authentication with Oracle Application Server Single Sign-On Server.
If you do not choose to integrate with Oracle Internet Directory, you can use Oracle Database users and roles as your directory repository, with login authentication through Oracle HTTP Server.
In Oracle Applications, an Oracle Workflow directory service based on users and roles from the unified Oracle Applications environment is automatically implemented for you during installation. For information about setting up Oracle Applications to use Oracle Internet Directory and single sign-on, see: Implementing Single Sign-on for Oracle Applications 11i with Login Server Authentication Using Oracle Internet Directory, Oracle Applications System Administrator's Guide.
This section describes configuration considerations in Oracle HTTP Server for standalone Oracle Workflow. For Oracle Applications, see: Oracle9i Application Server and Oracle Applications, Oracle Applications System Administrator's Guide.
If you install Oracle Workflow shipped with Oracle Application Server and you choose to implement Oracle Internet Directory and single sign-on integration in the Workflow Configuration Assistant, the DAD created for Oracle Workflow in Oracle HTTP Server is automatically protected in the mod_osso configuration file during installation. For more information, see the installation documentation for your installation of Oracle Workflow.
You can configure the following options in Oracle Workflow to take advantage of the security features you want.
You can set the following global workflow preferences related to security.
Workflow administrator, which defines the role that has administrator privileges in accessing Oracle Workflow Web pages.
LDAP preferences, if you are integrating with Oracle Internet Directory. LDAP preferences include LDAP host, LDAP port, LDAP password, LDAP changelog base directory, and LDAP user base directory. LDAP password values are masked as asterisks in the display and are stored in encrypted form.
See: Setting Global User Preferences.
For information about configuring e-mail notification security options, see: E-mail Notification Security.
During installation of standalone Oracle Workflow, the Workflow Configuration Assistant lets you enter LDAP preferences in order to integrate with Oracle Internet Directory. If you do choose to integrate with Oracle Internet Directory, the Workflow Configuration Assistant automatically installs the appropriate version of the Workflow PL/SQL security package, called WFA_SEC, and a directory service implementation based on Oracle Internet Directory.
For Oracle Workflow shipped with Oracle Application Server, Oracle Internet Directory integration also enables Oracle Workflow to participate in Oracle Application Server single sign-on.
If you choose to integrate with Oracle Internet Directory, you must perform the following steps:
Perform an initial synchronization of the user information in your Workflow directory service with Oracle Internet Directory.
Schedule synchronization periodically between your Workflow directory service and Oracle Internet Directory.
See: Integrating an Oracle Workflow Directory Service with Oracle Internet Directory and Synchronizing Workflow Directory Services with Oracle Internet Directory.
If you do not enter LDAP preferences in the Workflow Configuration Assistant during installation, then a directory service implementation based on Oracle Database users and roles is automatically installed, along with the appropriate version of the Workflow PL/SQL security package, called WFA_SEC.
In this case, you should modify the default directory service views to add e-mail addresses for the database users if you want them to be able to receive e-mail notifications. See: Integrating an Oracle Workflow Directory Service with Oracle Database Users.
Note: You can also implement a custom version of the WFA_SEC security package, if you want to implement your own application-specific security. However, note that only the predefined versions of the WFA_SEC security package provided by Oracle Workflow are supported by Oracle. See: Oracle Workflow Support Policy, Oracle Workflow Developer's Guide.
If you are using the version of Oracle Workflow embedded in Oracle Applications, directory service views for users and roles from the unified Oracle Applications environment are automatically implemented for you during installation. In Oracle Applications, Oracle Workflow uses a directory service model in which denormalized information is maintained in the Workflow local tables for performance gain. The local Workflow directory service tables store user and role information originating from various other Oracle Applications modules, as well as ad hoc users and roles, so that the Workflow directory service views can access this information with good performance. You should maintain synchronization between the user and role information stored in application tables by the source modules and the information stored in the Workflow local tables. See: Setting Up a Directory Service for Oracle Workflow Embedded in Oracle Applications.
Also, in Oracle Applications, you can optionally give users access to the Advanced Worklist and Personal Worklist Web pages from any responsibility you choose. To make a Worklist available from a particular responsibility, you must add the appropriate function to the menu associated with that responsibility. Then you can assign that responsibility to your users. See: Adding Worklist Functions to User Responsibilities.
Similarly, you can give users access to the Workflow Monitor Test Application from a responsibility that you choose. To make the Workflow Monitor Test Application available from a particular responsibility, you must add its menu to a top-level menu for that responsibility. Then you can assign that responsibility to your users. See: Testing Status Monitor Access.
You can use a special message attribute with the internal name #WF_SIG_POLICY to require that a user's response to a notification be authenticated by an electronic signature. Otherwise, the response will not be considered valid.
If you define a notification to require a password-based signature, users must confirm their response by entering their Oracle Applications user name and password.
If you define a notification to require a certificate-based signature, users must sign their response with a valid X.509 certificate issued by a certificate authority.
See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.
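Because a notification response is only signature-checked when its message carries the #WF_SIG_POLICY attribute, an administrator may want a list of response-required messages and the policy, if any, set on each. The query below is an added example, not part of the Oracle guide; it assumes SELECT access to the WF_MESSAGE_ATTRIBUTES table in the Oracle Workflow schema and that response attributes are stored there with SUBTYPE = 'RESPOND'.

```sql
-- Added audit example (not from the Oracle guide).
-- Assumptions: SELECT access to WF_MESSAGE_ATTRIBUTES; attributes that
-- collect a user's response are stored with SUBTYPE = 'RESPOND'.
--
-- For every message that asks the recipient for a response, show the
-- #WF_SIG_POLICY attribute if one is defined. Rows with a NULL
-- sig_policy have no signature policy attribute at all, so responses
-- to those notifications are accepted without an electronic signature.
SELECT m.message_type,
       m.message_name,
       p.value_type   AS sig_policy_value_type,  -- constant or item attribute reference
       p.text_default AS sig_policy              -- policy value as defined on the message
FROM   (SELECT DISTINCT message_type, message_name
        FROM   wf_message_attributes
        WHERE  subtype = 'RESPOND') m
LEFT JOIN wf_message_attributes p
       ON  p.message_type = m.message_type
       AND p.message_name = m.message_name
       AND p.name         = '#WF_SIG_POLICY'
ORDER  BY CASE WHEN p.name IS NULL THEN 0 ELSE 1 END,  -- unsigned messages first
          m.message_type,
          m.message_name;
```

Interpret the sig_policy values against the #WF_SIG_POLICY Attribute section of the Oracle Workflow Developer's Guide, and review the unsigned rows for notifications whose responses approve sensitive transactions.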
Additionally, in Oracle Applications a user can grant access to his or her worklist to another user. That user can then act as a proxy to handle notifications on the owner's behalf. The worklist access feature lets one user allow another user to handle his or her notifications without giving the second user access to any other privileges or responsibilities that the first user has in Oracle Applications. However, note that a user who has access to another user's worklist can view all the details of that user's notifications and take most actions that the owner can take on the notifications. Ensure that your users take all necessary security considerations into account when they choose to grant worklist access to another user. See: Worklist Access, Oracle Workflow User's Guide.