Hacking Access to Oracle e-Business Suite via Workflow

I recently worked with a client who did not like to give out additional EBS responsibilities without going through a convoluted approvals process.  Whilst I commend them for this approach to system security, they were let down in two key ways.

Firstly, this was a development system.  I appreciate that getting into practice with your development system is important, BUT employing a consultant on a daily rate, and then having them wait for four days before giving them access doesn’t make much sense to me!

Secondly, and most importantly, they gave me the APPS password for the database in ALL the environments! So, I had a database login for all the environments, but a query only
user for EBS access – quite how they intended for me to access the concurrent requests to change them was beyond me!

So, I started to look at how the responsibilities were assigned to the users in the database, which is defined within the Workflow directory service, specifically in WF_LOCAL_USER_ROLES.  So, on my own system (I can’t emphasize that enough – I would NEVER advocate running this on a system you shouldn’t), I put together an experiment to see if I could give any user ‘System Administrator’ responsibility.  The result of my experiment can be found in the attached files with this post.

Based on an inbound user ID (and the user needs to be setup within the Workflow Directory Service first), the code derives the originating system and system ID for the record (user, person or party) that you want to grant access.  The code then inserts a new record in the local user roles table for the system administrator role.  Checking the contents of the table afterwards shows that the user now has the appropriate responsibility.

Once the code has run, you will need to commit the transaction before continuing.  Logging into the system as that user will now show that they have System Administrator responsibility.

As mentioned above, NEVER run this in an environment that you shouldn’t.  I’m a little wary about releasing the code here, but not only does it highlight how to give yourself responsibilities through the database, I’m hoping that it will also help (or at least flag a warning) to DBAs and other system administrators – by giving out a database password, it opens up the whole system in this way.  If you are a DBA or responsible for an EBS implementation, it’s probably worthwhile checking on a regular basis who is a system administrator, and what other roles are being given out within your system.

As ever, comments always welcome!

SQL script

1 thought on “Hacking Access to Oracle e-Business Suite via Workflow

Comments are closed.

By continuing to use the site, you agree to the use of cookies. more information

In common with almost all professionally run websites, this website logs the IP address of each visitor in order to keep it running reliably. This is also essential for protecting the website and its visitors from malicious attacks, including infection with malware.

This website provides information as a service to visitors such as yourself, and to do this reliably and efficiently, it sometimes places small amounts of information on your computer or device (e.g. mobile phone). This includes small files known as cookies. The cookies stored by this website cannot be used to identify you personally.

We use cookies to understand what pages and information visitors find useful, and to detect problems such as broken links, or pages which are taking a long time to load.

We sometimes use cookies to remember a choice you make on one page, when you have moved to another page if that information can be used to make the website work better. For example:
- avoiding the need to ask for the same information several times during a session (e.g. when filling in forms), or
- remembering that you have logged in, so that you don’t have to re-enter your username and password on every page.

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit.