Profile Options are part of the overall configuration of your E-Business Suite Application. Used effectively, they allow fine-grained control of how the Application 'behaves'. From the color scheme of Forms through to how Transactions are carried out, Profile Options have a wide array of uses.
As well as the many thousands of Profile Options, there is a hierarchy to how they can be deployed. Want a Responsibility to have a distinct setting? Maybe a User? Going up you may want the whole Application to inherit a certain Profile Option. You can set user profile options at different levels: Site, Application, Responsibility, User, Server, and Organization.
Profile Options form part of the foundation of Oracle's E-Business Suite, but there are Risks associated with their use that Organizations should be implementing Controls for.
These Controls should be monitoring the implementation of Profile Options, changes to them and the effect they have on any given High Risk Option.
One such example is the controls around Password Policies: these Profile Options should be in line with your Password Policy for length, characters and more.
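An added example of such a control (not from the original page or from ERP Risk Advisors): it checks password-related Profile Option values set at any level against a baseline and reports the ones that fall outside it. The row layout, the baseline thresholds, the 'Y' encoding for the complexity option and the sample rows are assumptions constructed for illustration.

```python
# Constructed sample rows, as if exported from the application:
# (profile option name, level, level value, profile option value)
ROWS = [
    ("SIGNON_PASSWORD_LENGTH", "Site", None, "8"),
    ("SIGNON_PASSWORD_LENGTH", "User", "JSMITH", "5"),
    ("SIGNON_PASSWORD_HARD_TO_GUESS", "Site", None, "Y"),
    ("SIGNON_PASSWORD_FAILURE_LIMIT", "Site", None, "10"),
    ("SIGNON_PASSWORD_NO_REUSE", "Responsibility", "GL_MANAGER", "180"),
]

# Assumed baseline; replace the thresholds with your own Password Policy.
POLICY = {
    "SIGNON_PASSWORD_LENGTH": ("length >= 8", lambda v: int(v) >= 8),
    "SIGNON_PASSWORD_HARD_TO_GUESS": ("complexity on", lambda v: v.upper() == "Y"),
    "SIGNON_PASSWORD_FAILURE_LIMIT": ("lockout within 5 failures", lambda v: 1 <= int(v) <= 5),
    "SIGNON_PASSWORD_NO_REUSE": ("no reuse for >= 180 days", lambda v: int(v) >= 180),
}


def audit(rows, policy=POLICY):
    """Return findings as (option, level, level_value, value, reason)."""
    findings, set_at_site = [], set()
    for name, level, level_value, value in rows:
        if name not in policy:
            continue  # not a password control, out of scope here
        if level == "Site":
            set_at_site.add(name)
        rule, check = policy[name]
        try:
            ok = check(value)
        except (ValueError, TypeError, AttributeError):
            ok = False  # empty or malformed value counts as a finding
        if not ok:
            findings.append((name, level, level_value, value, "violates: " + rule))
    # An option with no Site value relies on lower-level settings or defaults.
    for name in sorted(set(policy) - set_at_site):
        findings.append((name, "Site", None, None, "not set at Site level"))
    return findings


if __name__ == "__main__":
    for finding in audit(ROWS):
        print(finding)
```

Run against a regular export, the same check also surfaces changes: a row that was compliant in the previous run and appears as a finding in the current one is a change to investigate.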
In this video, Lewis Hopkins talks to Jeff Hare, CEO of ERP Risk Advisors, about the Risks around Profile Options and SQL Injection into forms:
At first, dealing with thousands of Profile Options may seem like an uphill battle, but order can come from chaos. The following steps from Jeff are a great way of analyzing the Options and deciding if and how they should be implemented:
Should it be set in Production?
At what level should it be set?
Who should approve that?
Should it go through the change control process?
Seecuring has partnered with ERP Risk Advisors for a series of short videos on key Segregation of Duty and Sensitive Access Risks.
Together we are providing Segregation of Duties, Sensitive Access, Configuration and User Access Reviews as a Subscription. There is no Software to deploy and you get the benefit of both Software and Services to not only identify the problems, but the routes to remediation.