Tuesday, May 28, 2013

Oracle e-Business suite notification mailer security


Oracle e-Business Suite uses workflows for its business processes. In some cases a workflow makes use of the workflow notification mailer. It can, for example, be used to inform someone that a purchase order is pending approval and that this person needs to approve it before the purchase order can continue through the process.

The workflow engine and the workflow notification mailer are great features of Oracle e-Business Suite and are used both by standard functionality and by custom workflows created specifically for a company's needs.

There is, however, a security risk associated with the notification mailer: the SEND_ACCESS_KEY option. When this option is set to Y, the mail generated and sent to the user contains a link with an access key embedded in it. Clicking the link gives the user direct access to the notification in the system, with no login. While this makes good sense from a user-friendliness point of view, it is a bad thing from a security point of view.

Anyone who intercepts the mail or gains access to the mailbox can click the link and open the notification without knowing the user's username and/or password; the access key in the link acts as the credential.

For this reason it is highly advisable to set SEND_ACCESS_KEY to N. When it is set to N, the user receives a mail whose link does not contain an access key, and the user is forced to enter his credentials before he can reach the notification details page.
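To make the difference between the two settings concrete, here is an added example (not code from the original post and not Oracle's own code) that audits outbound notification mails for links carrying an access key, which is what a mailer running with SEND_ACCESS_KEY=Y produces. The two sample mails are constructed, the host name is made up, and the link format (OA.jsp, FND_WFNTF_DETAILS, NtfId, access_key) is assumed for the purposes of the example; check it against the links your own mailer generates before relying on the parameter name.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample mails, not real Oracle output. The first is the
# SEND_ACCESS_KEY=Y form: the notification link embeds an access key.
# The second is the SEND_ACCESS_KEY=N form: the same link without a key,
# so the recipient must log in before seeing the notification.
SAMPLE_MAILS = {
    "po_approval_with_key": (
        "Subject: Purchase Order 12345 requires your approval\n\n"
        "Please review the purchase order:\n"
        "https://ebs.example.internal/OA_HTML/OA.jsp?OAFunc=FND_WFNTF_DETAILS"
        "&NtfId=4711&access_key=0123456789ABCDEF\n"
    ),
    "po_approval_no_key": (
        "Subject: Purchase Order 12345 requires your approval\n\n"
        "Please review the purchase order:\n"
        "https://ebs.example.internal/OA_HTML/OA.jsp?OAFunc=FND_WFNTF_DETAILS"
        "&NtfId=4711\n"
    ),
}

# Query-string parameter names treated as a bearer-style key. "access_key"
# is an assumption about the link format; extend it for your environment.
KEY_PARAMS = {"access_key"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_access_key_links(body):
    """Return every URL in a mail body whose query string carries a key param."""
    findings = []
    for url in URL_RE.findall(body):
        params = parse_qs(urlparse(url).query)
        if KEY_PARAMS & set(params):
            findings.append(url)
    return findings


def redact(url):
    """Mask the key value so a finding can be reported without re-exposing it."""
    names = "|".join(re.escape(n) for n in KEY_PARAMS)
    return re.sub(r"((?:%s)=)[^&\s]+" % names, r"\1***", url)


def audit_mailbox(mails):
    """Map mail id -> redacted offending URLs; mails with no findings are omitted."""
    report = {}
    for mail_id, body in mails.items():
        hits = find_access_key_links(body)
        if hits:
            report[mail_id] = [redact(u) for u in hits]
    return report


if __name__ == "__main__":
    for mail_id, urls in audit_mailbox(SAMPLE_MAILS).items():
        print("%s: access key in link -> %s" % (mail_id, ", ".join(urls)))
```

Run it over an export of the mailer's outbound mail (or the recipients' mailboxes) after changing the setting: an empty report confirms the mailer is really sending key-free links, and a non-empty one tells you which notifications went out with a bearer key that should be treated as exposed.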

Deciding whether to set SEND_ACCESS_KEY to Y or to N is partly a business decision (how user-friendly do we want the system to be?) and partly a security question: do we want to provide access to information without requiring authentication?

The advisable setting is SEND_ACCESS_KEY = N.
