Audit Features in E-Business Suite

1. Set Sign-On Audit Level

The valid settings for the profile option SIGNONAUDIT:LEVEL are None, User, Responsibility and
Form. At site level, set this profile option to Form to enable as much auditing as possible. At this setting, the
system logs all user sign-ons, responsibility selections and form accesses to APPLSYS.FND_LOGINS, APPLSYS.
FND_LOGIN_RESPONSIBILITIES and APPLSYS.FND_LOGIN_RESP_FORMS, respectively.

Profile Option Name	Description	Recommend
Sign-On:Audit Level	Set at site-level to track actions starting when the user logs on	Form

2. Monitor System Activity With OAM

Oracle Application Manager (OAM) provides screens for monitoring current and past system activity. In addition,
OAM provides a framework extensible for running custom OAM reports. Monitoring features include current
and historic user activity down to the page access level and current and historical Concurrent Manager
activity. See OAM documentation for complete product information.
Regarding Page Access Tracking, it tracks Oracle Applications usage statistics non-intrusively and with negligible
performance impact. It tracks Web-based and Form-based accesses across technology stacks and correlates
them for each user session. See MOS Note 402116.1 for more detailed information about Page Access Tracking

3. Retrieve Audit Records Using Reports

Oracle E-Business Suite ships standard reports to access signon, unsuccessful signon, responsibility usage, form
usage and concurrent request usage. Access these reports through the system administrator responsibility.
Signon Audit Concurrent Requests
Signon Audit Forms
Signon Audit Responsibilities
Signon Audit Unsuccessful Logins
Signon Audit Users

4. Retrieve Audit Records Using SQL

The system stores end-user access data in the following tables. Develop SQL scripts to query these tables to
generate reports.
APPLSYS.FND_LOGINS
APPLSYS.FND_LOGIN_RESPONSIBILITIES
APPLSYS.FND_LOGIN_RESP_FORMS
APPLSYS.FND_UNSUCCESSFUL_LOGINS
FND_CONCURRENT_REQUESTS
ICX.ICX_FAILURES

5. Purge Audit Records

Purge end-user access data using the Purge Signon Audit Data concurrent program. The current program purges
all audit records older than a user supplied date. Run this concurrent program between once a week and once a
month, retaining 30 to 90 days of records. This concurrent program purges the following tables:
FND_LOGIN_RESP_FORMS
FND_LOGIN_RESPONSIBILITIES
FND_LOGINS
FND_UNSUCCESSFUL_LOGINS

Purge concurrent request data using the Purge Concurrent Request and/or Manager Data concurrent program.
Run this concurrent program at least once a week and retain 14 to 90 days of records.
Periodically archive and truncate the FND_LOGIN% tables

6. Review Data Tracked (No Reports Available)

Some data tracked by the system do not have associated reports. Nevertheless, these audit records contain valuable
information.
Who Columns
For most E-Business Suite tables, database rows are updated with the creation and last update information. The
system stores this information in the following columns (known as “Who Columns”):

Who Column Name	Description
CREATE_DATE	Date and Time row was created
CREATE_BY	Oracle Applications user ID from FND_USER
LAST_UPDATE_LOGIN	Login ID from FND_LOGINS
LAST_UPDATE_DATE	Date and Time row as last updated
LAST_UPDATE_BY	Oracle Applications user ID from FND_USERS

Join with FND_USERS and FND_LOGINS tables to identify the application user tracked in the audit record.
Note, only the last update to record is saved. To save the entire history of a row, enable Oracle E-Business Suite
Audit Trail.

7. Unsuccessful Logins

The system automatically stores unsuccessful logon attempts in the APPLSYS.FND_UNSUCCESSFUL_LOGINS
and ICX.ICX_FAILURES tables. The ICX_FAILURES table holds more information than the
FND_UNSUCCESSFUL_LOGINS. Both the FND_UNSUCCESSFUL_LOGINS and ICX_FAILURES tables contain
unsuccessful logins via the Personal Home Page (Self Service/Web Interface). Failed Forms logins are logged
only to the FND_UNSUCCESSFUL_LOGINS table. This functionality cannot be disabled.

Oracle Applications Profile Options Details

Profile Option	Setting	If new for R12, what is it?	Available Options
APPS_SSO_LINK_TRUTH_SRC	Applications SSO Linking Source of Truth	Applications SSO Linking Source of Truth	E-Business Suite, Oracle Internet Directory
APPS_SSO_POSTLOGOUT_HOME_URL	Applications SSO Post Logout URL	Applications SSO Post Logout URL	User Defined
APPS_SSO_OID_IDENTITY	Applications SSO Enable OID Identity Add Event	When a user is created in OID, the IDENTITY_ADD event is sent to all registered instances. This event controls whether an E-Business Suite instance should create the user in response to IDENTITY_ADD	Enable, disable
APPS_SSO_AUTO_LINK_USER	Applications SSO Auto Link User	If a user authenticated by SSO has no corresponding user in E-Business Suite, it will look for a local user with the same user name. If found, it will be permanently linked	Enable, disable
APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS	Applications SSO Allow Multiple Accounts	At user level, it enables a user to have multiple E-Business Suite accounts linked to a single SSO user name. Selection of which account is active is done via the Preferences page. At site level, it indicates the default for users without this specific setting.	Enable, disable
FND_EXPORT_ALL_BLOCK_DATA	FND Export All Block Data	The profile control what data is exported from a form's block.	Yes, No
FND_FIXED_SEC_KEY	FND: Fixed Key	The fixed security key to be used in Framework if the profile FND Fixed Key Enabled is set to Y for the user. The key should be a Hexadecimal string of size 64.	User Defined
FND_FIXED_KEY_ENABLED	FND: Fixed Key Enabled	This profile determines if a fixed key will be used for security purposes in Framework.	Yes, No
FND_CACHE_PORT_RANGE	FND_CACHE_PORT_RANGE	Opening up a range of ports so that machine can talk across DMZ	User Defined
OAM_DSCRAM_ALLOWED	OAM: Data Scrambling Allowed	Profile option to allow data scrambling	User Defined
OAM_DSCRAM_ENABLED	OAM: Data Scrambling Enabled	Profile to enable or disable data scrambling	User Defined
OAM_WS_AUDIT_ENABLED	OAM_WS_AUDIT_ENABLED	Enable or Disable Web Service Auditing	User Defined
SIGNON_PASSWORD_CASE	Signon Password Case	Enables or Disables Password Case Sensitivity	Enabled, Disabled
OAM_ENABLE_SYSTEM_ALERT	System Alert Enable Level	System Alert Enable Level	All, Critical and Error, Critical, None
SIGNON_PASSWORD_CASE	Signon Password Case	Enables or Disables Password Case Sensitivity	Insensitive, Sensitive
SIGNON_PASSWORD_CUSTOM	Signon Password Custom	Profile option that specifies the full name of the class containing custom password validation logic.	User Defined
SIGNON_PASSWORD_FAILURE_LIMIT	Signon Password Failure Limit	A positive integer indicating the maximum number of logon attempts before the user's account is disabled.	User Defined
SIGNON_PASSWORD_HARD_TO_GUESS	Signon Password Hard To Guess	Profile that gets set to "true" if hard-to-guess password validation rules should be enforced for new passwords.	Yes, No
SIGNON_PASSWORD_LENGTH	Signon Password Length	Minimum length of Applications user password	User Defined
SIGNON_PASSWORD_NO_REUSE	Signon Password No Reuse	Profile to specify the number of days a user must wait before being allowed to reuse a password.	Yes, No
SIGNONAUDIT:LEVEL	Sign-On: Audit Level	Level at which to audit foundation usage	NONE, USER, RESPONSIBILITY, FORM
SIGNONAUDIT:NOTIFY	Sign-On: Notification	Notify User Concurrent Program Failures and Invalid Printers	Yes, No
FND_DIAGNOSTICS	FND: Diagnostics	Enables Diagnostics Global Button	Yes, No
FND_HIDE_DIAGNOSTICS	Hide Diagnostics menu entry	Hides the Help: Diagnostics Menu entry	Yes, No
UNIQUE:SEQ_NUMBERS	Sequential Numbering	Sequential Numbering	Always Used, Not Used, Partially Used
CONC_REPORT_ACCESS_ LEVEL	Concurrent: Report Access Level	Provides controlled access of log/output files of requests to group of users based on the current responsibility of the user based on this profile option value	Responsibility, User
PRINTER	Printer	Output Printer	Registered Printers e.g. ( noprint, LabelPDF)
FA_WF_GENERATE_CCIDS	FA WF GENERATE	FA: use workflow account generation notification for new assets.	Yes, No
Workflow activity settings: Request Approval From Approver timeout		The standard setting is 7 days. After this time has expired, Journal Approval notifies the preparer that no approver response has been received.	Days
UMX: Enable ICM Validation"	Enabled/disable access to override violation is restricted or not allowed at all	Oracle User Management is now integrated with Oracle Internal Controls Manager (ICM) for the prevention, detection, enforcement, and resolution of separation-of-duties constraints during the assignment of roles by administrators to users.	Yes, No
MO: Security Profile	(Global or just Security Profile)	Required for MOAC:  To enable MOAC, assign this profile option to an application responsibility.  This responsibility will then allow the assigned users the access to multiple operating units. In Release 12, a Security Profile is created in the HR module.  Multiple operating units are then assigned to the profile.  The Security Profile is then assigned to a responsibility using the profile option MO: Security Profile	Yes, No
MO: Default Operating Unit	Operating unit	(Optional) This profile option defines the default operating unit for users when they perform activities in the sub-ledgers.	Yes, No
SLA: Enable Data Access Set Security in Sub ledger		This profile option needs to be set to “Yes” in order to enable data access set security in the sub-ledger. If this is not set regardless of the data access set that is assigned to the responsibility or even if the responsibility is restricted to a specific ledger using the “GL Ledger Name” profile option, the user will be able to create and post any journal in any ledger through the sub-ledger.	Yes, No