Profile Options are part of the overall configuration of your Oracle Application. Used effectively, they allow for fine-grained control of how the Application 'behaves' and how Transactions are completed.
As well as the many thousands of Profile Options, there is a hierarchy to how they can be deployed. Want a Role to have a distinct setting? Maybe a User? There is an array of settings that must be considered when implementing these Options.
Profile Options form part of the foundation for Oracle's Cloud Applications, and there are Risks associated with their use that Organizations should be implementing Controls for.
These Controls should be monitoring the implementation of Profile Options, changes to them and the effect they have on any given High Risk Option.
One such example is the controls around Read Only. This setting can make a User completely Read Only, despite the Roles and access they may have. The issue arises if that Read Only setting is removed: the User then has complete authority over the Privileges that are granted to them.
In this video, Lewis Hopkins talks to Jeff Hare, CEO of ERP Risk Advisors, on the Risks around Profile Options:
At first, dealing with thousands of Profile Options may seem like an uphill battle, but order can come from chaos. The following steps from Jeff are a great way of analyzing the Options and deciding if and how they should be implemented:
Should it be set in Production?
At what level should it be set?
Who should approve that?
Should it go through the change control process?
Seecuring has partnered with ERP Risk Advisors for a series of short videos on key Segregation of Duty and Sensitive Access Risks.
Together we are providing Segregation of Duties, Sensitive Access, Configuration and User Access Reviews as a Subscription. There is no Software to deploy and you get the benefit of both Software and Services to not only identify the problems, but the routes to remediation.