The app uses role-based access control (RBAC) to set the permissions that define a user's access. The security model is powerful and flexible: you can define fine-grained access by role, with row-level, attribute-level, and method-level security on almost everything.
Role-based access control is used to define:
- Which menu items a user sees
- Which pages and blocks a user can access
- The data that is shown within those blocks
- The REST APIs and methods that can be called
This security model is Oracle's own. It is standard Oracle E-Business Suite functionality, typically administered through the Functional Administrator, Functional Developer, and User Management responsibilities. It combines the more familiar responsibility-menu-function model (available under the System Administrator and Application Developer responsibilities) with additional constructs: Roles, Role Inheritance, Permissions, Permission Sets, Objects, Object Instance Sets, and Grants.
The key advantages of role-based access over the traditional responsibility-menu-function model include:
- Access is determined at the user level, not the responsibility level. A user does not need to switch responsibilities to reach the right set of functions and data; signing in is enough to receive the correct permissions.
- It supports row-level access on any object (via object instance sets)
- It supports role inheritance
Although role-based access is standard Oracle capability, in practice only a small number of Oracle products use these features, among them iRecruitment, Approvals Management, Learning Management, and a handful of others.
The app uses these features extensively to provide powerful and flexible authorization built on standard Oracle functionality.
To learn more about the app's access control, please see Blocks and Available block types. To learn more about Oracle's role-based access control, please refer to Oracle documentation Access Control with Oracle User Management, Oracle E-Business Suite System Administrator's Guide - Security, Part Number E12843-05.
Data in transit
The app reads and writes data directly from and to Oracle E-Business Suite using Applaud REST APIs. See Technical whitepaper - Product Architecture. The REST APIs are hosted in the same Java container as standard Oracle Applications Framework components (oacore in 12.1.3, WebLogic in 12.2+). This means that data transferred between the app and Oracle E-Business Suite uses whatever HTTP or HTTPS transport is already configured for that container; the app adds no transport protection of its own, so an Oracle E-Business Suite instance still served over plain HTTP exposes the app's traffic too.
It's essential that your Oracle E-Business Suite environments are configured to use HTTPS with a certificate issued by a public certificate authority, and that they support TLS 1.2 and meet iOS App Transport Security (ATS) requirements. Desktop browsers will generally still work over HTTP or with a weak or self-signed certificate (which is obviously insecure), but native apps will not connect at all unless the certificate chains to a trusted CA, uses strong keys and signatures, and the server supports TLS 1.2 and ATS. In addition to TLS 1.2, ATS requires forward-secrecy cipher suites, certificates signed with SHA-256 or stronger, and RSA keys of at least 2048 bits or ECC keys of at least 256 bits.
You can use an online tool like this one to check if your HTTPS certificate supports iOS App Transport Security. Please replace go.applaudcloud.com with your Oracle E-Business Suite domain: https://apptransport.info/go.applaudcloud.com
To check for TLS 1.2 support, run this UNIX/Linux command and confirm that the handshake completes and the output ends with "Verify return code: 0 (ok)" rather than a handshake failure or a certificate verification error:
openssl s_client -connect ebshost.domain.com:443 -tls1_2
You can also use various other online tools to assess the strength and configuration of your HTTPS certificate.
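The following script is an added example (not from the original page or from Applaud's product) that wraps the openssl command above and grades its output against the points that decide whether a native app will connect: TLS 1.2 negotiated, the certificate chain verified, a forward-secrecy cipher, and an adequate key size (the 2048-bit RSA / 256-bit ECC thresholds are Apple's published ATS requirements). The two sample outputs are constructed for offline use and are not captured from a real server; ebshost.domain.com is the page's placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the original page: grade `openssl s_client` output
# against what native apps (and iOS ATS) need from the EBS HTTPS endpoint.
# GOOD_SAMPLE / BAD_SAMPLE below are constructed, not real captures.

# grade_s_client "<s_client output>"
# Prints one PASS/FAIL line per check and returns 0 only if every check passes.
grade_s_client() {
    out=$1
    rc=0

    # 1. TLS 1.2 (or 1.3) negotiated; ATS rejects anything older.
    if printf '%s\n' "$out" | grep -qE 'Protocol *: TLSv1\.[23]'; then
        echo "PASS protocol: TLS 1.2 or later negotiated"
    else
        echo "FAIL protocol: server did not negotiate TLS 1.2 or later"; rc=1
    fi

    # 2. Chain verified by the local trust store. A self-signed certificate or
    #    a missing intermediate shows up here as a non-zero verify return code.
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "PASS chain: certificate verified"
    else
        echo "FAIL chain: $(printf '%s\n' "$out" | grep 'Verify return code' | head -n 1)"; rc=1
    fi

    # 3. Forward-secrecy suite: ECDHE-* under TLS 1.2, and every TLS 1.3 suite (TLS_*).
    if printf '%s\n' "$out" | grep -qE 'Cipher *: (ECDHE-|TLS_)'; then
        echo "PASS cipher: forward-secrecy suite negotiated"
    else
        echo "FAIL cipher: no forward-secrecy (ECDHE) suite negotiated"; rc=1
    fi

    # 4. Key size from the "Server public key is N bit" line:
    #    RSA needs at least 2048 bits, ECDSA at least 256 bits.
    bits=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'ECDSA'; then min=256; else min=2048; fi
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then
        echo "PASS key: $bits-bit server key"
    else
        echo "FAIL key: server key is ${bits:-unknown} bits, need at least $min"; rc=1
    fi

    return $rc
}

# check_host HOST
# Runs the page's openssl command (adding SNI, which an EBS instance behind a
# shared load balancer may need to present the right certificate) and grades it.
check_host() {
    host=$1
    out=$(openssl s_client -connect "$host:443" -servername "$host" -tls1_2 </dev/null 2>&1)
    grade_s_client "$out"
}

# Constructed sample of a healthy endpoint: only the lines the checks look for,
# in the layout OpenSSL prints them.
GOOD_SAMPLE='CONNECTED(00000003)
depth=0 CN = ebshost.domain.com
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'

# Constructed sample of a typical internal test system: self-signed certificate,
# 1024-bit key, static RSA key exchange. A browser may click through; a native app will not.
BAD_SAMPLE='CONNECTED(00000003)
depth=0 CN = ebshost.domain.com
verify error:num=18:self signed certificate
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)'

# Usage against a live system:   check_host ebshost.domain.com
```

Run check_host from a machine whose OpenSSL trust store resembles what the device trusts: the "Verify return code" reflects the local store, so a private CA that has been installed locally but is unknown to iOS still reports 0 (ok) here while the native app fails. The script also does not inspect the certificate's signature hash; confirm SHA-256 separately with `openssl x509 -noout -text` on the server certificate.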
The app also interacts with Applaud Cloud to download web assets and branding information, which uses strong A-grade HTTPS encryption. See Technical whitepaper - Applaud Cloud.
Data at rest
In most cases, the app reads data from standard Oracle E-Business Suite tables and writes data using standard Oracle E-Business Suite APIs. The app does use some of its own Oracle tables to store metadata or to supplement standard Oracle functionality. These are stored in a custom XXAS schema. See Technical whitepaper - Custom schema.
The app will work with any Oracle database encryption technologies that are certified by Oracle for use with E-Business Suite.
Auditing
Because the app re-uses the same session management that Oracle uses, you can continue to audit Oracle E-Business Suite logins and access using existing Oracle capabilities.
The app also provides further auditing options, described in Usage tracking, auditing, and trace.