Checklist for Review of Oracle Financials Security
• Have profiles been enabled at the user, responsibility, application or site level?
• Run the ‘User Profile Option Values Report’ for the options below and examine the
settings within this report:
• Sign-On:Notification – ‘yes’ displays a message at log-in indicating the number of
failed requests since the last session
• Signon Password Length – min/default of 5 if blank
• AuditTrail:Activate – default is NO, not visible to the user, only to site and
• Concurrent:Active Request Limit – number of requests that may be run
simultaneously by each user. Default is unlimited. Only for site level.
• Sign-On:Audit Level – level at which to audit users. Four levels: None, User,
Responsibility and Form. None is the default. User level tracks who signs on, the times
users log on and off, and the terminals in use. Responsibility tracks the User-level
details plus the responsibilities chosen and how much time is spent on each
responsibility. Form tracks the Responsibility-level details plus the forms chosen and
the time spent on each form.
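The following Python is an added example, not part of the original checklist or of Oracle's tooling: it resolves which value of each profile option above applies to a given user and responsibility, then lists the settings still at the weak defaults the checklist describes. The CSV layout, the sample rows, the user and responsibility names and the minimum password length of 8 are assumptions made for illustration.

```python
import csv, io

# Most specific level first: a value set here overrides the broader levels after it.
LEVELS = ["User", "Responsibility", "Application", "Site"]
AUDIT_RANK = {"NONE": 0, "USER": 1, "RESPONSIBILITY": 2, "FORM": 3}
MIN_PASSWORD_LENGTH = 8  # hypothetical policy value, not taken from the checklist

# Constructed sample rows standing in for a report export (column layout is assumed).
SAMPLE = """level,level_value,option,value
Site,,Sign-On:Audit Level,Form
User,JSMITH,Sign-On:Audit Level,None
Site,,Signon Password Length,
Site,,AuditTrail:Activate,No
Site,,Sign-On:Notification,Yes
Responsibility,GL_SUPER,Sign-On:Notification,No
"""
ROWS = list(csv.DictReader(io.StringIO(SAMPLE)))

def effective(rows, option, **ctx):
    """Return (value, level) in force for this context; ("", None) if never set."""
    scope = {"User": ctx.get("user"), "Responsibility": ctx.get("resp"),
             "Application": ctx.get("app"), "Site": ""}
    for level in LEVELS:
        for r in rows:
            if (r["option"] == option and r["level"] == level
                    and scope[level] is not None
                    and r["level_value"] == scope[level] and r["value"].strip()):
                return r["value"].strip(), level
    return "", None

def review(rows, **ctx):
    """List the checklist findings that apply to one user/responsibility context."""
    findings = []
    audit, lvl = effective(rows, "Sign-On:Audit Level", **ctx)
    if AUDIT_RANK.get(audit.upper(), 0) < AUDIT_RANK["USER"]:
        findings.append(f"sign-on auditing off (set at {lvl or 'default'})")
    length, _ = effective(rows, "Signon Password Length", **ctx)
    if int(length or 5) < MIN_PASSWORD_LENGTH:  # blank falls back to 5
        findings.append(f"password length {length or '5 (blank)'} is below policy")
    trail, _ = effective(rows, "AuditTrail:Activate", **ctx)
    if trail.upper() != "YES":
        findings.append("AuditTrail not activated")
    note, lvl = effective(rows, "Sign-On:Notification", **ctx)
    if note.upper() != "YES":
        findings.append(f"failed-request notice off (set at {lvl or 'default'})")
    limit, _ = effective(rows, "Concurrent:Active Request Limit", **ctx)
    if not limit:
        findings.append("concurrent request limit is unlimited")
    return findings
```

In the sample, the site-level audit setting looks correct, but the user-level override for JSMITH turns sign-on auditing off for that account, which a site-only reading of the report would miss.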
Users and Responsibilities
Identify all of the Oracle Usernames. Are there any additional usernames besides
those created by default in the system, and what is their purpose? Are they set up as
‘restricted’ (read-only), ‘enabled’ (all privileges) or ‘disabled’ (no privileges)?
• Have the default passwords been changed for all default Oracle usernames?
• Review each user’s settings, which are either:
• Password expiration – number of days between password changes
• Password expiration – maximum number of sign-ons allowed between
• Run the ‘Active Responsibilities Report’. Review the entries listed. Look for any
incompatible responsibilities for a user.
• Run the ‘Active Users Report’. Review the entries listed.
• Have any customized responsibilities been installed, or are predefined responsibilities
If there are customized responsibilities, under