Friday, October 1, 2021

Is It Safe To Lock The Listed Applications Accounts? (Doc ID 1357196.1)

 

APPLIES TO:

Oracle Application Object Library - Version 11.5.0 to 12.2 [Release 11.5 to 12.2]
Information in this document applies to any platform.

GOAL

Is it safe to lock/ deactivate the listed users?

APPLSYSPUB username OPEN
DMSYS username OPEN
JMF username OPEN
MTH username OPEN
QPR username OPEN
DDR username OPEN
INL username OPEN
IBW username OPEN
DPP username OPEN
RRS username OPEN
ITA username OPEN
FTP username OPEN
PFT username OPEN
GMO username OPEN
DNA username OPEN
IPM username OPEN
IZU username OPEN
SYSMAN username OPEN
MGMT_VIEW username OPEN
CTXSYS username OPEN
DBSNMP username OPEN
DMSYS username OPEN
OUTLN username OPEN
SYSTEM username OPEN
WH username OPEN


SOLUTION

Actually, it is each module's responsibility to provide the mechanism to de-activate obsolete products!

Here follows a generic answer and some guidelines:

-The applications schemas are listed in FND_ORACLE_USERID table. Any schema not listed here do not belong to applications.

-An applications schema should not be deactivated unless you are sure that the related product is obsoleted and not in use .
You should also ensure that no other product is depended on it and share its objects.

-For products not being obsoleted, there is no released document and no product team that can answer this question.
The products within eBS may share objects from each other and there is no given answer for which product share and is depended on which other products.
In general it is not recommended to lock any account belonging to eBS, due to advanced object relationship, even when using only few products e.g. GL and AP.

-Oracle does not remove the schema for the obsoleted products, considering that the customers may have custom codes based on them.

-APPLSYSPUB is the generic internal application user for login functionality and should not be deactivated.
Please see Note 403537.1, Revoke unnecessary grants GIVEN to APPLSYSPUB

-DMSYS:
This is an RDBMS related schema not related to applications.
From Bug 12388178:
In Oracle Database 11g, the DMSYS schema is no longer used. The Data Mining option is installed in the SYS schema.

-FPT: Obsolete, documented in Note 743513.1. Handling on Note 403537.1

-For other schemas listed here please execute following script to see the product behind.
The related product team should be able to tell you if it is safe or not to de-activate these accounts.

SQL> select ORACLE_USERNAME, DESCRIPTION from FND_ORACLE_USERID
where ORACLE_USERNAME=upper('&username');

 

REFERENCES

NOTE:403537.1 - Secure Configuration for Oracle E-Business Suite Release 12.1

No comments:

Post a Comment

Database Options/Management Packs Usage Reporting for Oracle Databases 11.2 and later (Doc ID 1317265.1)

  Database Options/Management Packs Usage Report You can determine whether an option is currently in use in a database by running options_pa...