Oracle Workflow Security (Oracle Workflow Administrator's Guide)

Oracle Workflow Administrator's Guide
Release 2.6.3
Part Number B10283-02


	Previous	Next		Contents	Index	Glossary

Oracle Workflow Security

The ability to control user access to Web and application content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Workflow.

About Oracle Workflow Security

This section describes the Oracle Workflow security model.

Oracle Workflow Security Model

Oracle Workflow uses a password-based security model to protect Web and application content.

The standalone version of Oracle Workflow leverages the security architecture of Oracle Application Server and the Oracle Database.

The version of Oracle Workflow embedded in Oracle Applications is part of the Oracle Applications security model in which users' privileges and access to functionality are based on responsibilities.

Classes of Users and Their Privileges

For purposes of accessing Oracle Workflow Web pages, Oracle Workflow defines two classes of users: Workflow administrators and Workflow users.

Workflow administrators - The workflow administrator role is defined in the Global Workflow Preferences page. Users associated with this role can:

Access the administrator version of the Oracle Workflow Home page in standalone Oracle Workflow or the Oracle Workflow Administrator Home page in Oracle Applications.

Set global Workflow preferences and their own individual user preferences.

View and respond to their own notifications through the Worklist pages.

Access any user's notifications through the Worklist pages in standalone Oracle Workflow. In Oracle Applications users must have the Personal Worklist added to the menu for one of their responsibilities in order to search for notifications sent to another user.

View and update any user's processes in the Workflow Monitor in standalone Oracle Workflow, or in the administrator Status Monitor in Oracle Applications.

View Workflow item type definitions and launch test processes.

Launch demonstration processes, in standalone Oracle Workflow.

Access the Business Event System pages.

Workflow users - Workflow users who are not associated with the workflow administrator role have more limited access to Oracle Workflow features. These users can:

Access the user version of the Oracle Workflow Home page in standalone Oracle Workflow or the Oracle Workflow Self-service Home page in Oracle Applications.

Set their own individual user preferences.

View and respond to their own notifications through the Worklist pages.

View their own processes in the Workflow Monitor in standalone Oracle Workflow, or in the self-service Status Monitor in Oracle Applications.

View Workflow item type definitions, in standalone Oracle Workflow.

In addition to being associated with the role specified in the Workflow Administrator global preference, administrators who manage Oracle Workflow must have the Oracle Application Server administrator role to access the Workflow Manager component within Oracle Enterprise Manager for standalone Oracle Workflow, or have the Oracle Applications System Administrator responsibility to access the Workflow Manager component within Oracle Applications Manager for Oracle Applications.

Also, administrators and developers who need to run Oracle Workflow scripts and programs or save workflow item type definitions to the database must have the password for the Oracle Workflow schema in the database.

Resources Protected

Oracle Workflow provides security to protect the following resources.

Oracle Workflow Web pages - Standalone Oracle Workflow users must log in using Oracle HTTP Server authentication before they can access Oracle Workflow Web pages. Oracle Applications users must log into Oracle Applications before they can access Oracle Workflow Web pages.

Workflow Manager - An Oracle Application Server or Oracle Database administrator must log into Oracle Enterprise Manager in order to access the Workflow Manager component. Similarly, an Oracle Applications system administrator must log into Oracle Applications Manager in order to access the Workflow Manager component.

Oracle Workflow Builder - No login is required to run the Oracle Workflow Builder development tool on a client PC. However, in order to view or save item type definitions in the database using Oracle Workflow Builder, a developer must provide the Oracle Workflow schema name and password.

Administrative scripts and programs - An administrator must provide the Oracle Workflow schema name and password before running Oracle Workflow administrative scripts, the Workflow Definitions Loader, the Workflow XML Loader, or the standalone Java Function Activity Agent. Additionally, an Oracle Applications system administrator must log into Oracle Applications before running Oracle Workflow concurrent programs.

E-mail notifications - Oracle Workflow supports sending e-mail notifications to users and processing e-mail responses to update workflow processes. Ultimately, the security of e-mail notifications and responses depends on the security of your e-mail application. Oracle Workflow also provides several features to validate e-mail responses and protect application content from unauthorized updates. For more information, see: E-mail Notification Security.

Authorization and Access Enforcement

Users are prompted for a username and password in order to access Oracle Workflow Web pages and Oracle Enterprise Manager or Oracle Applications Manager. In Oracle Applications, users must additionally be assigned a responsibility that includes Oracle Workflow Web pages before they can access these pages.

Users must provide the Oracle Workflow database schema username and password to run administrative scripts and programs and to access workflow definitions in the database through Oracle Workflow Builder.

For information about authorization and validation of e-mail notification responses, see: E-mail Notification Security.

Leveraging Oracle Application Server Security Services

Oracle Workflow leverages Oracle HTTP Server authentication to control access to Oracle Workflow Web pages. In standalone Oracle Workflow, a PL/SQL Database Access Descriptor (DAD) is created for the Oracle Workflow Web pages during installation. You can use either the HTTP or HTTPS protocol. HTTPS, which is HTTP over Secure Sockets Layer (SSL) is recommended. For instructions on configuring SSL with Oracle HTTP Server, please refer to the Oracle HTTP Server Administrator's Guide.

For information about use of Oracle HTTP Server by Oracle Applications, see: Administering Oracle HTTP Server, Oracle Applications System Administrator's Guide.

Leveraging Oracle Identity Management Infrastructure

For standalone Oracle Workflow, you can choose one of two predefined directory service implementations during installation.

You can integrate with Oracle Internet Directory (OID) as your directory repository. This option is recommended in order to leverage OID management tools and to support single sign-on through LDAP external authentication with Oracle Application Server Single Sign-On Server.

If you do not choose integrate with OID, you can use Oracle Database users and roles as your directory repository, with login authentication through Oracle HTTP Server.

In Oracle Applications, an Oracle Workflow directory service based on users and roles from the unified Oracle Applications environment is automatically implemented for you during installation. For information about setting up Oracle Applications to use Oracle Internet Directory and single sign-on, see: Implementing Single Sign-on for Oracle Applications 11i with Login Server Authentication Using Oracle Internet Directory, Oracle Applications System Administrator's Guide.

Configuring Oracle Application Server Security Framework for Oracle Workflow

This section describes configuration considerations in Oracle HTTP Server for standalone Oracle Workflow. For Oracle Applications, see:

Oracle9i Application Server and Oracle Applications, Oracle Applications System Administrator's Guide.

Configuring Oracle Application Server Security Framework Options for Oracle Workflow

If you choose to implement OID and single sign-on integration in the Workflow Configuration Assistant, the DAD created for Oracle Workflow in Oracle HTTP Server is automatically protected in the mod_osso configuration file during installation. For more information, see the installation documentation for your installation of Oracle Workflow.

Configuring Oracle Workflow Security

You can configure the following options in Oracle Workflow to take advantage of the security features you want.

Configuring Oracle Workflow Security Options

You can set the following global workflow preferences related to security.

Workflow Administrator, which defines the role that has administrator privileges in accessing Oracle Workflow Web pages.

LDAP preferences, if you are integrating with Oracle Internet Directory. LDAP preferences include LDAP host, LDAP port, LDAP password, LDAP changelog base directory, and LDAP user base directory. LDAP password values are masked as asterisks in the display and are stored in encrypted form.

See: Setting Global User Preferences.

For information about configuring e-mail notification security options, see: E-mail Notification Security.

Configuring Standalone Oracle Workflow Options for Oracle Application Server Security Framework

During installation of standalone Oracle Workflow, the Workflow Configuration Assistant lets you enter LDAP preferences in order to integrate with OID. If you do choose to integrate with OID, the Workflow Configuration Assistant automatically installs the appropriate version of the Workflow PL/SQL security package, called WFA_SEC, and a directory service implementation based on OID.

OID integration also enables Oracle Workflow to participate in Oracle Application Server single sign-on.

If you choose to integrate with OID, you must perform the following steps:

1. Perform an initial synchronization of the user information in your Workflow directory service with OID.

2. Schedule synchronization periodically between your Workflow directory service and OID.

See: Integrating an Oracle Workflow Directory Service with Oracle Internet Directory and Synchronizing Workflow Directory Services with Oracle Internet Directory.

Configuring Standalone Oracle Workflow Options for Database Security

If you do not enter LDAP preferences in the Workflow Configuration Assistant during installation, then a directory service implementation based on Oracle Database users and roles is automatically installed, along with the appropriate version of the Workflow PL/SQL security package, called WFA_SEC.

In this case, you should modify the default directory service views to add e-mail addresses for the database users if you want them to be able to receive e-mail notifications. See: Integrating an Oracle Workflow Directory Service with Oracle Database Users.

Note: You can also implement a custom version of the WFA_SEC security package, if you want to implement your own application-specific security. However, note that only the predefined versions of the WFA_SEC security package provided by Oracle Workflow are supported by Oracle. See: Oracle Workflow Support Policy, Oracle Workflow Developer's Guide.

Configuring Oracle Workflow Options for Oracle Applications Security

If you are using the version of Oracle Workflow embedded in Oracle Applications, directory service views for users and roles from the unified Oracle Applications environment are automatically implemented for you during installation. In Oracle Applications, Oracle Workflow uses a directory service model in which denormalized information is maintained in the Workflow local tables for performance gain. The local Workflow directory service tables store user and role information originating from various other Oracle Applications modules, as well as ad hoc users and roles, so that the Workflow directory service views can access this information with good performance. You should maintain synchronization between the user and role information stored in application tables by the source modules and the information stored in the Workflow local tables. See: Setting Up a Directory Service for Oracle Workflow Embedded in Oracle Applications.

Also, in Oracle Applications, you can optionally give users access to the Worklist, Advanced Worklist, and Personal Worklist Web pages from any responsibility you choose. To make a Worklist available from a particular responsibility, you must add the appropriate function to the menu associated with that responsibility. Then you can assign that responsibility to your users. See: Adding Worklist Functions to User Responsibilities.


	Previous	Next		Contents	Index	Glossary