topic Re: SOX user access review control for Oracle EBS database in Governance, Risk, Compliance

SOX user access review control for Oracle EBS database

Midude2000 — Mon, 17 Mar 2025 21:11:08 GMT

Hello:

we have to review user access to the oracle database as part of our quarterly user access review process.

what database tables and accounts have you reviewed? can someone share a sample of the queries to run to get this information? what have you excluded and why (for example people with select and view ready only can be deselected).

Re: SOX user access review control for Oracle EBS database

akkem — Mon, 17 Mar 2025 22:53:56 GMT

The process should be documented in the Access Control Policy and Procedures, detailing how user access is managed at the organizational level, IMO.

Re: SOX user access review control for Oracle EBS database

nkeaton — Tue, 18 Mar 2025 03:21:13 GMT

You may not get an answer for that here. Those of us who work in cybersecurity have a responsibility to protect our organizations. That kind of information could potentially be used in a way that could help identify vulnerabilities and be acted upon.

Re: SOX user access review control for Oracle EBS database

dcontesti — Tue, 18 Mar 2025 16:38:01 GMT

@nkeaton

I believe your statement to be totally untrue. The Community was created for folks to share, ask questions and generally connect with others, so PLEASE do not speak for everyone here on the Community.

@Midude2000 First, I am not a DBA, so not able to supply the exact query (usually I request this from an administrator) but limited knowledge is that you would First:

Select ADMIN > MANAGEMENT > USERS

This should allow you to view the USERS Page which will provide you with FIELD (which shows the user's name and their DISPLAY name) along with ACTIONS (which details what the user may do)

Having lived through quarterly SOX audits, you can request an account from the DBAs, such that you may run the query in front otfthe auditors so they can see what the query is, document that they saw it run, and then can attest to the results. Being able to do this has assisted us.

I hope this helps a little. Here is a link that may assist you:

https://docs.oracle.com/en/database/oracle/oracle-database/19/ladbi/oracle-database-system-privileges-accounts-and-passwords.html

Additionally, I recommend that you pull down the ORACLE documentation on doing this as a back up.

OTHERS?

Regards

Re: SOX user access review control for Oracle EBS database

nkeaton — Tue, 18 Mar 2025 21:59:42 GMT

@dconesti I am not sure why you feel it necessary to lecture me. It is my opinion, but this is true in cybersecurity. We would have real issues if our folks just started giving out details on any part of our infrastructure. Our folks know that they are not to do this. Loose tweets sink fleets. Protecting our organizations is what we are paid to do. So I respectfully disagree with you.

Re: SOX user access review control for Oracle EBS database

dcontesti — Tue, 18 Mar 2025 22:02:00 GMT

@nkeaton And I am not sure why you felt the need to reply for all of us.

Re: SOX user access review control for Oracle EBS database

nkeaton — Tue, 18 Mar 2025 22:20:02 GMT

@dcontesti I never did speak for anyone but myself and never said that did. I was just letting them know why they might not get answers. Responsible cybersecurity personnel don’t just give out details. We protect our organizations. I am still not sure why you are taking offense and still respectfully disagree with you which is fine. No hard feelings, just don’t agree with you.