
Conguring Oracle Workow Security

You can configure the following options in Oracle Workflow to take advantage of the security features you want.

Conguring Oracle Workow Security Options

You can set the following global workflow preferences related to security.

• Workflow administrator, which defines the role that has administrator privileges in accessing Oracle Workflow Web pages.

• LDAP preferences, if you are integrating with Oracle Internet Directory. LDAP preferences include LDAP host, LDAP port, LDAP password, LDAP changelog base directory, and LDAP user base directory. LDAP password values are masked as asterisks in the display and are stored in encrypted form.

See: Setting Global User Preferences, page 2-11.

For information about configuring e-mail notification security options, see: E-mail Notification Security, page 2-72.

Conguring Standalone Oracle Workow Options for Oracle Application Server Security Framework During installation of standalone Oracle Workflow, the Workflow Configuration Assistant lets you enter LDAP preferences in order to integrate with Oracle Internet Directory. If you do choose to integrate with Oracle Internet Directory, the Workflow Configuration Assistant automatically installs the appropriate version of the Workflow PL/SQL security package, called WFA_SEC, and a directory service implementation based on Oracle Internet Directory.

For Oracle Workflow shipped with Oracle Application Server, Oracle Internet Directory integration also enables Oracle Workflow to participate in Oracle Application Server single sign-on.

If you choose to integrate with Oracle Internet Directory, you must perform the following steps:

1. Perform an initial synchronization of the user information in your Workflow directory service with Oracle Internet Directory.

2. Schedule synchronization periodically between your Workflow directory service and Oracle Internet Directory.

See: Integrating an Oracle Workflow Directory Service with Oracle Internet Directory, page 2-21 and Synchronizing Workflow Directory Services with Oracle Internet Directory, page 2-40.

Conguring Standalone Oracle Workow Options for Database Security

If you do not enter LDAP preferences in the Workflow Configuration Assistant during installation, then a directory service implementation based on Oracle Database users and roles is automatically installed, along with the appropriate version of the Workflow PL/SQL security package, called WFA_SEC.

In this case, you should modify the default directory service views to add e-mail addresses for the database users if you want them to be able to receive e-mail notifications. See: Integrating an Oracle Workflow Directory Service with Oracle Database Users, page 2-22.

Note: You can also implement a custom version of the WFA_SEC security package, if you want to implement your own application-specific security. However, note that only the predefined versions of the WFA_SEC security package provided by Oracle Workflow are supported by Oracle. See: Oracle Workflow Support Policy, Oracle Workflow Developer's Guide.

Conguring Oracle Workow Options for Oracle Applications Security

If you are using the version of Oracle Workflow embedded in Oracle Applications, directory service views for users and roles from the unified Oracle Applications environment are automatically implemented for you during installation. In Oracle Applications, Oracle Workflow uses a directory service model in which denormalized information is maintained in the Workflow local tables for performance gain. The local Workflow directory service tables store user and role information originating from various other Oracle Applications modules, as well as ad hoc users and roles, so that the Workflow directory service views can access this information with good performance. You should maintain synchronization between the user and role information stored in application tables by the source modules and the information stored in the Workflow local tables. See: Setting Up a Directory Service for Oracle Workflow Embedded in Oracle Applications, page 2-23.

Also, in Oracle Applications, you can optionally give users access to the Advanced Worklist and Personal Worklist Web pages from any responsibility you choose. To make a Worklist available from a particular responsibility, you must add the appropriate function to the menu associated with that responsibility. Then you can assign that responsibility to your users. See: Adding Worklist Functions to User Responsibilities, page 2-130.

Similarly, you can give users access to the Workflow Monitor Test Application from a responsibility that you choose. To make the Workflow Monitor Test Application available from a particular responsibility, you must add its menu to a top-level menu for that responsibility. Then you can assign that responsibility to your users. See: Testing Status Monitor Access, page 5-33.

You can use a special message attribute with the internal name #WF_SIG_POLICY to require that a user’s response to a notification be authenticated by an electronic signature. Otherwise, the response will not be considered valid.

• If you define a notification to require a password-based signature, users must confirm their response by entering their Oracle Applications user name and password.

• If you define a notification to require a certificate-based signature, users must sign their response with a valid X.509 certificate issued by a certificate authority.

See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.

Additionally, in Oracle Applications a user can grant access to his or her worklist to another user. That user can then act as a proxy to handle notifications on the owner’s behalf. The worklist access feature lets one user allow another user to handle his or her notifications without giving the second user access to any other privileges or responsibilities that the first user has in Oracle Applications. However, note that a user who has access to another user’s worklist can view all the details of that user’s notifications and take most actions that the owner can take on the notifications. Ensure that your users take all necessary security considerations into account when they choose to grant worklist access to another user. See: Worklist Access, Oracle Workflow User's Guide.
