How to Lock Users Out Of E-Business Suite And Allow Specific Users in 11i/R12

This procedure is very handy during month-end activities.

During month end, if a critical activity is running on the business side and you want to stop business users from accessing Oracle Applications, you can make the configuration changes below. Before editing any file, take a backup of the configuration files.

11i

1. Backup file $IAS_ORACLE_HOME/Apache/Apache/conf/apps.conf

2. Edit the apps.conf file and add a list of IP addresses for the users that you want to allow access to the system.

e.g.
Alias /OA_HTML/ "/u01/jbcomn/html/"
<Location /OA_HTML/>
Order allow,deny
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from X.XXX.XXX.XXX
Allow from localhost
Allow from your_apps_server.company.com
Allow from your_apps_server
</Location>

R12.X, R12.1X

1. Edit file $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf and add a list of IP addresses for the users that you want to allow access to the system. The benefit of using custom.conf is that it is preserved when AutoConfig is run.

e.g.
<Location ~ "/OA_HTML">
Order deny,allow
Deny from all
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from X.XXX.XXX.XXX
Allow from localhost
Allow from your_apps_server.company.com
Allow from your_apps_server
</Location>

Note: you need to include localhost and your apps tier server name. You can use the PC name rather than the IP address; however, the PC name is more sensitive to network configuration.

3. Restart Apache

4. Now only the users who are assigned to the IP addresses added will have access. All other users will get a forbidden error when they attempt to log in. This is a very simple solution, and what makes it good is that it can be done programmatically.
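One way to script the custom.conf change, as an added example that is not from the original post: it validates every address before touching the file, backs the file up, and keeps the block between marker comments so it can be removed again after month end. The marker text, function names and the `.bak` suffix are assumptions of this example; Apache still has to be restarted as in step 3.

```sh
#!/bin/sh
# Added example: keep the allow-list block in custom.conf between marker
# comments so it can be applied and removed cleanly. Marker text is assumed.
BEGIN_MARK='# BEGIN month-end lockout'
END_MARK='# END month-end lockout'

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# render_block HOST ADDR...: print the R12-style <Location> block, refusing any
# value that could smuggle extra directives into the Apache configuration.
render_block() {
  host=$1; shift
  case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;; esac
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
  done
  printf '%s\n' "$BEGIN_MARK" '<Location ~ "/OA_HTML">' 'Order deny,allow' 'Deny from all'
  for ip in "$@"; do printf 'Allow from %s\n' "$ip"; done
  printf '%s\n' 'Allow from localhost' "Allow from $host" '</Location>' "$END_MARK"
}

# strip_block FILE: print FILE without a previously inserted block.
strip_block() {
  sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$1"
}

# lock CONF HOST ADDR...: back up CONF, then replace any old block with a new one.
lock() {
  conf=$1; shift
  block=$(render_block "$@") || return 1      # validate before touching CONF
  cp -p "$conf" "$conf.bak" || return 1
  { strip_block "$conf.bak"; printf '%s\n' "$block"; } > "$conf"
}

# unlock CONF: remove the block again, leaving the rest of CONF untouched.
unlock() {
  conf=$1
  tmp=$(mktemp) || return 1
  strip_block "$conf" > "$tmp" && cat "$tmp" > "$conf"
  rm -f "$tmp"
}
```

Call it as `lock "$ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf" your_apps_server 192.0.2.10` (the address here is a constructed sample) and `unlock` with the same file once the lockout ends.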

Any other user who tries to log in will get a forbidden error that looks like this:

Forbidden
You don’t have permission to access /OA_HTML/AppsLocalLogin.jsp on this server

If you want to change the message, edit custom.conf and add a line as follows (change the text to suit your requirements):

ErrorDocument 403 "Forbidden oops, you cannot access the production instance as it is month end, only certain users have access at this time

Stop and start Apache. Users will now receive the above message.

Important: This may not work if the IP address hitting the web server belongs to a reverse proxy, load balancer or some other device, because the address Apache sees will then not be the end user's.

 

Posted October 7, 2013 by balaoracledba.com in 11i/R12, OracleAppsR12
