# Oracle E-Business Suite (EBS)

### Overview

The Oracle E-Business Suite (EBS) integration enables organizations to review and analyze user permissions and access within their EBS environment. This integration is particularly valuable for organizations needing to ensure proper Separation of Duties (SOD) and maintain visibility into user capabilities across ERP systems.

The integration enables:

* Mapping of Users to Responsibilities, with or without Roles
* Tracking Function and Concurrent Program access through Responsibilities
* Visibility into data access controls (Profile Options, Security Profiles, and Data Access Sets) over resources such as Ledgers and Operating Units
* Analysis and review of user entitlements and potential toxic permission combinations

### Configuring Oracle EBS Integration

EBS is a customer-managed application that is deployed within your infrastructure. EBS uses an Oracle database as its backend. Veza connects to this database and uses SQL queries to retrieve entity and authorization metadata.

#### Prerequisites

* Access to the Oracle EBS database, identified by its service name (`SERVICE_NAME`).
* Database user credentials with read permissions on the required tables and views.
* A properly configured `SESSIONS_PER_USER` limit for the integration user (see [Configuring SESSION\_PER\_USER](#configuring-session_per_user)).

Deploying an [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) is recommended for secure integration connectivity. For testing purposes, you can skip deploying an Insight Point, in which case [firewall rules and filters](/4yItIzMvkpAvMVFAamTf/integrations/connectivity.md#firewall-rules-and-filters) must allow communication with your Veza tenant.

#### Required Permissions

The database user must have `SELECT` permissions on the following tables and views:

* `APPS.FND_APPLICATION_VL`
* `APPS.FND_CONCURRENT_PROGRAMS_VL`
* `APPS.FND_FORM_FUNCTIONS_VL`
* `APPS.FND_MENU_ENTRIES_VL`
* `APPS.FND_MENUS_VL`
* `APPS.FND_PROFILE_OPTION_VALUES`
* `APPS.FND_PROFILE_OPTIONS_VL`
* `APPS.FND_REQUEST_GROUP_UNITS`
* `APPS.FND_REQUEST_GROUPS`
* `APPS.FND_REQUEST_SET_PROGRAMS`
* `APPS.FND_REQUEST_SET_STAGES_VL`
* `APPS.FND_REQUEST_SETS_VL`
* `APPS.FND_RESP_FUNCTIONS`
* `APPS.FND_RESPONSIBILITY_VL`
* `APPS.FND_USER`
* `APPS.GL_ACCESS_SET_NORM_ASSIGN`
* `APPS.GL_ACCESS_SETS`
* `APPS.GL_LEDGER_SET_NORM_ASSIGN`
* `APPS.GL_LEDGER_SETS_V`
* `APPS.GL_LEDGERS`
* `APPS.HR_OPERATING_UNITS`
* `APPS.ORG_ORGANIZATION_DEFINITIONS`
* `APPS.PER_ALL_PEOPLE_F` (optional, for user enrichment)
* `APPS.PER_SECURITY_ORGANIZATIONS`
* `APPS.PER_SECURITY_PROFILES_V`
* `APPS.WF_ROLE_HIERARCHIES`
* `APPS.WF_ROLES`
* `APPS.WF_USER_ROLES`
* `APPS.PO_AGENTS`

You can create this user with the following setup script:

> Replace "Password123" with a strong password. The script assumes the Oracle EBS objects are under the 'apps' schema. If your configuration is different, adjust the schema name as required.

```sql
-- Create a new user
CREATE USER ebs_integration IDENTIFIED BY "Password123"
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA UNLIMITED ON users;

-- Grant the system privilege required to log in
GRANT CREATE SESSION TO ebs_integration;

-- Grant object permissions
GRANT SELECT ON apps.FND_APPLICATION_VL TO ebs_integration;
GRANT SELECT ON apps.FND_CONCURRENT_PROGRAMS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_FORM_FUNCTIONS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_MENU_ENTRIES_VL TO ebs_integration;
GRANT SELECT ON apps.FND_MENUS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_PROFILE_OPTIONS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_PROFILE_OPTION_VALUES TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_GROUPS TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_GROUP_UNITS TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_SET_PROGRAMS TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_SETS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_SET_STAGES_VL TO ebs_integration;
GRANT SELECT ON apps.FND_RESPONSIBILITY_VL TO ebs_integration;
GRANT SELECT ON apps.FND_RESP_FUNCTIONS TO ebs_integration;
GRANT SELECT ON apps.FND_USER TO ebs_integration;
GRANT SELECT ON apps.GL_ACCESS_SETS TO ebs_integration;
GRANT SELECT ON apps.GL_ACCESS_SET_NORM_ASSIGN TO ebs_integration;
GRANT SELECT ON apps.GL_LEDGERS TO ebs_integration;
GRANT SELECT ON apps.GL_LEDGER_SETS_V TO ebs_integration;
GRANT SELECT ON apps.GL_LEDGER_SET_NORM_ASSIGN TO ebs_integration;
GRANT SELECT ON apps.HR_OPERATING_UNITS TO ebs_integration;
GRANT SELECT ON apps.ORG_ORGANIZATION_DEFINITIONS TO ebs_integration;
-- Optional: only needed for user enrichment
GRANT SELECT ON apps.PER_ALL_PEOPLE_F TO ebs_integration;
GRANT SELECT ON apps.PER_SECURITY_ORGANIZATIONS TO ebs_integration;
GRANT SELECT ON apps.PER_SECURITY_PROFILES_V TO ebs_integration;
GRANT SELECT ON apps.WF_ROLES TO ebs_integration;
GRANT SELECT ON apps.WF_ROLE_HIERARCHIES TO ebs_integration;
GRANT SELECT ON apps.WF_USER_ROLES TO ebs_integration;
GRANT SELECT ON apps.PO_AGENTS TO ebs_integration;
```

### Configuring Oracle EBS on the Veza Platform

1. In Veza, go to the **Integrations** page.
2. Click *Add Integration* and search for Oracle EBS. Click on the tile to open the integration configuration form.
3. Enter the required configuration options.
4. Click *Create Integration* to validate and save the configuration.

#### Configuration Options

| Field                 | Notes                                                                     |
| --------------------- | ------------------------------------------------------------------------- |
| Set the Insight Point | Choose whether to use the default data plane or a deployed Insight Point. |
| Name                  | A friendly name to identify the unique integration.                       |
| Server Address        | The IP address of the Oracle database service.                            |
| Server Port           | The port number to use (default: 1521).                                   |
| Database Name         | The Oracle service name for the EBS database.                             |
| Username              | Database user with required read permissions.                             |
| Password              | Password for the database user.                                           |

### Configuring SESSION\_PER\_USER

The Oracle EBS integration requires the `SESSIONS_PER_USER` limit to be set high enough for the integration user to prevent the `ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit` error during data extraction.

#### Recommended Setting

For Oracle EBS integrations with Veza, we recommend setting the `SESSIONS_PER_USER` limit to at least **5** for the database user used for integration. Veza creates 3 data sources for Oracle EBS that can connect and create sessions in parallel. The integration also runs discovery processes that can create additional concurrent connections (typically 4 max concurrent sessions).

If you are using the same database user for multiple Veza tenants, or have other integrations using the same user account, you may need to increase the `SESSIONS_PER_USER` value further. Adjust based on your specific environment requirements.

Set this parameter for the Veza integration user by creating and applying a profile:

```sql
-- Create a profile with the SESSIONS_PER_USER limit
CREATE PROFILE ebs_integration_profile LIMIT
SESSIONS_PER_USER 5;

-- Assign this profile to the integration user
ALTER USER ebs_integration PROFILE ebs_integration_profile;
```

### Notes and Supported Entities

#### Effective Relationships

The Oracle EBS integration supports Veza [Query Modes](/4yItIzMvkpAvMVFAamTf/features/search/query-mode.md) to show the effective access that an EBS User has.

In **Effective** mode, the following criteria are evaluated when determining whether a user has access to a Function through a Responsibility:

* **The Responsibility assignment is active**, based on the start and end date of the assignment at the time of extraction.
* **Function Exclusions for the Responsibility**: if the Function is excluded, it will not appear in Effective mode.
* **Menu Exclusions for the Responsibility**: if any menu on the path to the Function is excluded, the Function will not appear in Effective mode.
  * Additionally, if the **Function shares a menu entry** with an excluded menu, it is considered inaccessible.
* **Menu entry prompts**: a menu entry without a prompt is considered inaccessible.
  * Function menu entries without a prompt are not accessible.
  * Sub-menu entries without a prompt are inaccessible, and are not evaluated for accessible functions.
* Functions accessible through an AZN menu are accessible regardless of prompt.

> Assignment status is evaluated at extraction time and does not change in real time. If a Responsibility assignment expires between extractions, the user will continue to appear as having that access in Veza until the next extraction runs.

Additionally, Profile Options will have an `Effective Profile Binding` in the path to the destination resource (Ledger, Data Access Set, or Operating Unit) only if the Profile Option applies to that resource type.
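
The exclusion, prompt, and AZN criteria listed above, worked through on a constructed menu tree (an added example, not Veza's implementation). The `Entry` shape, the `effective_functions` helper, and treating AZN as a per-menu flag that waives the prompt check for that menu's own entries are assumptions made for illustration; assignment dates are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:  # one menu-entry row; hypothetical shape, not Veza's schema
    menu_id: int
    prompt: Optional[str]
    sub_menu_id: Optional[int] = None
    function_id: Optional[int] = None

def effective_functions(root, entries, excl_menus, excl_funcs, azn_menus=frozenset()):
    """Return the function ids reachable from a Responsibility's root menu."""
    by_menu = {}
    for e in entries:
        by_menu.setdefault(e.menu_id, []).append(e)
    found, seen, stack = set(), set(), [root]
    while stack:
        menu = stack.pop()
        if menu in seen:  # menus can point back at each other; visit once
            continue
        seen.add(menu)
        for e in by_menu.get(menu, []):
            if e.sub_menu_id in excl_menus:
                continue  # excluded menu: skip its subtree and any function on this entry
            if e.prompt is None and menu not in azn_menus:
                continue  # no prompt: inaccessible, and a sub-menu is not evaluated
            if e.function_id is not None and e.function_id not in excl_funcs:
                found.add(e.function_id)
            if e.sub_menu_id is not None:
                stack.append(e.sub_menu_id)
    return found

# Constructed sample data: ids and prompts are made up for this example.
SAMPLE = [
    Entry(1, "Payables", sub_menu_id=2),
    Entry(1, "Inquiry", function_id=100),
    Entry(1, None, function_id=101),                    # promptless function
    Entry(1, None, sub_menu_id=3),                      # promptless sub-menu
    Entry(1, "Setup", sub_menu_id=4, function_id=102),  # shares an entry with menu 4
    Entry(2, "Invoices", function_id=200),
    Entry(2, "Payments", function_id=201),
    Entry(2, "Grants", sub_menu_id=5),
    Entry(3, "Hidden", function_id=300),
    Entry(4, "Config", function_id=400),
    Entry(5, None, function_id=500),                    # entry inside AZN menu 5
    Entry(5, "Back", sub_menu_id=1),                    # cycle back to the root
]
if __name__ == "__main__":
    # Menu 4 and function 201 are excluded; menu 5 is flagged AZN.
    print(sorted(effective_functions(1, SAMPLE, {4}, {201}, {5})))
```

Running the same tree with no exclusions and no AZN flag shows which functions each rule removes or admits, which is a useful cross-check when a reviewer questions why a Function is missing from Effective mode.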

#### Data Sources

Configuring the EBS integration enables three data sources for extracting *IAM* entities (users and responsibilities), *Actions* (functions and concurrent programs), and *Resources* such as ledgers and operating units within EBS.

#### Supported Entities

#### Oracle EBS Instance

Core container representing a single Oracle E-Business Suite installation.

#### Oracle EBS User

Represents individual users within the EBS system.

* Attributes:
  * `updated_at`, `created_at`
  * `start_date`, `end_date`, `last_logon_date`
  * `description`, `email`
  * `first_name`, `last_name`
  * `is_buyer`

> EBS Users are always included in discovery. Users with an `end_date` in the past are marked as inactive (`is_active = false`) in Veza. The `start_date` attribute is available for filtering but does not affect active status. Note that `is_active` is evaluated at extraction time, and does not change based on the current date. For example, if an extraction is one week old, but contains a user with an end date yesterday, that user will still appear as "active" in Veza.

#### Oracle EBS Role

Defines a collection of permissions and access rights.

* Attributes:
  * `updated_at`, `created_at`
  * `description`

> Only active EBS Roles are discovered by Veza. Roles that have an expiration date in the past at the time of the extraction, or a start date in the future, are not included in the discovery.

#### Oracle EBS Responsibility

A key security component defining user access and capabilities.

* Attributes:
  * `application_id`, `group_application_id`
  * `request_group_id`, `responsibility_id`
  * `menu_id`, `description`

> Only active EBS Responsibilities are discovered by Veza. Responsibilities that have an end date in the past or a start date in the future are not included in the extraction.

#### Oracle EBS Responsibility Binding

A Responsibility Binding represents the relationship between an EBS User and a Responsibility. This entity type tracks a user's access to Functions, Concurrent Programs, and Resources:

* Attributes:
  * `user_name`, `user_id`
  * `last_name`, `first_name`
  * `user_description`, `role_names`
  * `application_id`, `group_application_id`
  * `request_group_id`, `responsibility_id`
  * `responsibility_name`, `menu_id`
  * `menu_name`, `user_menu_name`
  * `menu_is_azn`

#### Oracle EBS Effective RF Binding

Links responsibilities to functions in Effective Mode.

* Attributes:
  * `application_id`, `group_application_id`
  * `request_group_id`, `responsibility_id`
  * `menu_id`, `description`

#### Oracle EBS Menu

Hierarchical structure of options and functions.

* Attributes:
  * `menu_id`, `menu_type`, `description`
* Note: System Query Mode Only

#### Oracle EBS Menu Exclusion

Specifies excluded menu items for responsibilities.

* Attributes:
  * `application_id`, `responsibility_id`
  * `action_id`, `rule_type`
* Note: System Query Mode Only

#### Oracle EBS Function

Represents specific actions or operations.

* Attributes:
  * `application_id`, `parameters`
  * `function_type`, `description`
  * `function_id`, `user_function_name`

#### Oracle EBS Function Exclusion

Defines excluded functions for responsibilities.

* Attributes:
  * `application_id`, `responsibility_id`
  * `action_id`, `rule_type`
* Note: System Query Mode Only

#### Oracle EBS Application

Represents a specific module within the EBS suite.

* Attributes:
  * `application_id`, `short_name`

#### Oracle EBS Request Group

Collection of concurrent programs and request sets.

* Attributes:
  * `application_id`, `group_id`
  * `description`, `group_code`

#### Oracle EBS Request Set

Group of concurrent programs that can be run together.

* Attributes:
  * `application_id`, `request_set_id`
  * `start_stage`, `concurrent_program_id`
  * `user_request_set_name`, `description`

#### Oracle EBS Concurrent Program

Executable programs for background processing.

* Attributes:
  * `application_id`, `program_name`
  * `executable_id_application_id`, `executable_id`
  * `request_set_flag_name`, `user_program_name`
  * `description`, `program_id`

#### Oracle EBS Profile Option

System-wide or user-specific configuration settings.

* Attributes:
  * `profile_option_id`, `profile_option_name`
  * `user_profile_option_name`, `application_id`
  * `start_date_active`, `end_date_active`
  * `hierarchy_type`, `description`
  * `updated_at`, `created_at`

#### Oracle EBS Data Access Set

Defines ledger access permissions.

* Attributes:
  * `access_set_id`, `access_set_name`
  * `default_ledger_id`, `description`
  * `updated_at`, `created_at`

#### Oracle EBS Security Profile

Controls access to HR information.

* Attributes:
  * `security_profile_id`, `security_profile_name`
  * `business_group_id`, `business_group_name`
  * `program_update_date`
  * `updated_at`, `created_at`

#### Oracle EBS Ledger Set

Collection of ledgers for financial reporting.

* Attributes:
  * `ledger_set_name`, `ledger_id`
  * `short_name`, `description`
  * `updated_at`, `created_at`

#### Oracle EBS Ledger

Financial reporting entity for business transactions.

* Attributes:
  * `ledger_id`, `ledger_name`
  * `short_name`, `description`
  * `updated_at`, `created_at`

#### Oracle EBS Operating Unit

Organization partitioning data for multiple companies.

* Attributes:
  * `operating_unit_name`, `organization_id`
  * `business_group_id`, `date_from`, `date_to`
  * `short_code`, `set_of_books_id`
  * `default_legal_context_id`, `ledger_name`

#### Oracle EBS Effective Profile Option Binding

Links profile options to responsibilities.

* Attributes:
  * `responsibility_id`, `application_id`

