Oracle EBS, Null Menu Prompts and SoD Violations Manager
Dear SoD VM Customers,
A customer and I just had a productive meeting regarding confusion over “accessible” menus and functions in Oracle E-Business Suite (EBS) and how Segregation of Duties Violations Manager (SoD VM) identifies accessibility with respect to function conflicts. Therefore, I thought it might be a good idea to share the issue and conclusion with all of you.
The customer found that the SoD VM violations report identified the “Master Items” function, designated as restricted in SoD VM, as accessible to the user in their EBS instance and thus reported it as an access violation. Yet the customer, upon logging in to Oracle as the user and selecting the designated responsibility, could find no way to access the Master Items function. Thus, they contacted Absolute for an explanation.
The customer had defined the Master Items function as a “restricted” function in SoD VM, which indicated that any user with access to this function would be in violation of SoD policy.
The following menu path to the Master Items function was identified by SoD VM for the user in question:
MFG_MGMT_II -> “Main Menu” (Menu)
VIEW ONLY -> “View Only” (SubMenu)
EGO_MANAGER_MENU -> “Item/ECO/BOM” (SubMenu)
EGO_ITEMS_MENU -> “Item Catalog” (SubMenu)
EGO_OPER_ATT_MAINT -> “Operational Attributes Maintenance” (SubMenu) [Menu Entry Prompt = null]
INV_INVIDITM -> “Master Items” (Function)
However, the end user couldn’t access Master Items via their Responsibility. Why not?
- We found that although the user could access as far as the “Item Catalog” sub-menu, they were unable to access the EGO_OPER_ATT_MAINT sub-menu and thus the Master Items form.
- The reason they could not access the EGO_OPER_ATT_MAINT sub-menu was because the “menu entry” containing that sub-menu was not defined with a “prompt”. In other words, the menu entry was a “null prompt”. Without a prompt defined, Oracle EBS could not build that portion of the menu and thus simply ignored it. Thus, the user had no access to that menu or the submenus and functions within.
*An interesting side note: although the “Item/ECO/BOM” menu entry was flagged as “not granted”, it and its components are still accessible to the user, as Oracle does not enforce the Grant Flag value for menu entries designated with only a sub menu. Only menu entries with a designated function name are impacted by the Grant Flag option.
So, does this mean there is a bug in SoD VM?
Yes and No.
Having been developed to minimize false positive violations, SoD VM has reporting parameters that allow the user to exclude “null prompts” from report output, thereby eliminating any “false positives” relating to submenu entries without a defined prompt. However, this binary designation may in turn lead to “false negatives”, where violations are not properly identified, as there are several types of “null prompts”, some of which are accessible to the user while others are not. Therefore, SoD VM could and should better distinguish between the different types of null prompts.
Null Prompt Classification
- Standard Null Prompt
A menu entry which is assigned either a submenu or a form function that has a null prompt and is not the child of an “AZN” menu is NOT ACCESSIBLE.
- AZN Null Prompt
A menu entry which is assigned either a submenu or a form function that has a null prompt and is the child of an “AZN” menu is ACCESSIBLE as a part of an EBS “Process”.
- Sub-Function Null Prompt
A menu entry which is assigned a sub-function that has a null prompt and is the child of a menu entry which contains both a submenu and a form function is ACCESSIBLE. In this case, by accessible, I really mean that the sub-function plays a role in activating or deactivating functionality on the parent form function. It is usually not a form in and of itself.
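The classification above, applied to a menu tree walk, as an added example (not SoD VM's or Oracle's code). The `Entry` model, the `func_type` values, recognising AZN menus by a name prefix, and every prompt in the sample other than the null one are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    menu: str                      # menu that owns this entry
    prompt: Optional[str]          # None models a null prompt
    submenu: Optional[str] = None
    function: Optional[str] = None
    func_type: str = "FORM"        # "FORM" or "SUBFUNCTION" (hypothetical labels)
    granted: bool = True           # Grant Flag

def classify(entry, parent):
    """Null-prompt class of an entry; parent is the entry that led to its menu."""
    if entry.prompt is not None:
        return "PROMPTED"
    if entry.menu.startswith("AZN"):   # assumption: AZN menus recognised by name prefix
        return "AZN_NULL"
    if (entry.function and entry.func_type == "SUBFUNCTION"
            and parent and parent.submenu and parent.function):
        return "SUBFUNCTION_NULL"
    return "STANDARD_NULL"

def reachable_functions(entries, root):
    """Map each function reachable from root to the class of the entry exposing it."""
    found, seen = {}, set()
    def walk(menu, parent):
        if menu in seen:               # guard against menu cycles
            return
        seen.add(menu)
        for e in (x for x in entries if x.menu == menu):
            kind = classify(e, parent)
            if kind == "STANDARD_NULL":
                continue               # EBS does not build this branch
            if e.function and e.granted:   # Grant Flag matters only when a function is named
                found.setdefault(e.function, kind)
            if e.submenu:              # submenu-only entries are walked regardless of Grant Flag
                walk(e.submenu, e)
    walk(root, None)
    return found

# Constructed sample mirroring the menu path above; prompts other than the null one are made up.
SAMPLE = [
    Entry("MFG_MGMT_II", "View Only", submenu="VIEW ONLY"),
    Entry("VIEW ONLY", "Item/ECO/BOM", submenu="EGO_MANAGER_MENU", granted=False),
    Entry("EGO_MANAGER_MENU", "Item Catalog", submenu="EGO_ITEMS_MENU"),
    Entry("EGO_ITEMS_MENU", None, submenu="EGO_OPER_ATT_MAINT"),   # null prompt
    Entry("EGO_OPER_ATT_MAINT", "Master Items", function="INV_INVIDITM"),
]
```

For the sample, `reachable_functions(SAMPLE, "MFG_MGMT_II")` returns an empty mapping, matching what the customer saw when logging in; giving the null entry a prompt makes `INV_INVIDITM` reachable even though the “Item/ECO/BOM” entry is not granted.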
Therefore, for now, customers can take advantage of the “Exclude Null Prompts” report parameter to avoid “Standard Null Prompt” false positives. Absolute will also look to enhance SoD VM to incorporate the different nuances of Null Prompts to reduce the possibility of false positives and negatives.
Best Regards,
Absolute Technologies, Inc.