Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Thursday, July 19, 2007

Disable default Apps users

One of the security best practices is to disable default Oracle Apps users. Patch 3904641 (released with Oct 2005 CPU) has the sql to do it. Here's the copy paste from readme of the patch:

This patch disables the a list of application users that are active and shipped
along with the E-Business suite as default. This is recommended as part of the
Best practices security document. Please note that some of these users have
higher privileges like system administrator responsibilites assigned to them.

Please check the table below to verify how many of the application users that
are still required for the normal functioning of your E-Business Suite.

-------------------------------------------------------------------------------
Application User Product/Purpose
-------------------------------------------------------------------------------
ANONYMOUS FND/AOL
AUTOINSTALL AD (Application DBA)
CONCURRENT MANAGER FND/AOL
FEEDER SYSTEM AD (Application DBA)
INITIAL SETUP AD (Application DBA)
STANDALONE BATCH PROCESS FND/AOL
MOBILEADM Mobile Applications Admin
ASGADM Field Service/Sales Application Admin
WIZARD AD (Application DBA)
ASGUEST Sales Application guest user
IEXADMIN Internet Expenses
IBE_GUEST iSupport Guest user - 1
IBE_ADMIN iSupport Admin user
IBEGUEST iSupport Guest user - 1
OP_SYSADMIN OP (Process Manufacturing) Admin User
OP_CUST_CARE_ADMIN Customer Care Admin for Oracle Provisioning
IRC_EMP_GUEST iRec Employee Guest Login
IRC_EXT_GUEST iRecruitment External Guest Login
-----------------------------------------------------------------------------

Our Recommendations are as follows:

If all the above users are needed : Change the passwords using the System Admin user interface for all the needed users. The "afdefusrdis.sql" file does not need to be executed manually.

If some of the above users are not needed : Comment out the users that are needed in the "afdefusrdis.sql" file, log into "sqlplus" as "apps" user and execute the SQL.
OR
Use the System Admin user interface, and disable the application users that are not needed by end dating the above users.

If all the above users are not needed : Log into "sqlplus" as "apps" user and run this "afdefusrdis.sql" file

1 comment:

Oracle Training said...

Nice article on changing default passwords. Thanks.