Solution Beacon, LLC

Best Practice #2 - Do Not Allow Shared Accounts

A very common security failure is not uniquely identifying each user and auditing that user's actions. When a shared or common account is used, every additional person who knows the password makes it harder to establish who actually made a given change to data; the audit trail can only say that someone holding the credential did it. Furthermore, a company's technical staff, even when supported by tools that help proactively anticipate and resolve problems, will certainly struggle if they cannot identify which users are having those problems.

One way to reduce account sharing is to enforce "single user login" by disallowing multiple concurrent logins under the same username. This does not stop people from handing a password around and logging in one after another, but it makes simultaneous use of one account both visible and disruptive, which is usually enough to surface the sharing. MetaLink documents 375403.1 "How Can I Restrict Applications Users To Be Signed In Only Once At Any Time" and 270454.1 "How To Limit The Number Of Form User Open And The Number Of Session User" describe how to accomplish this:

When properly patched and configured, the E-Business Suite raises a Workflow event when the same user has multiple open sessions. A subscription attached to this event may take some action, including closing the older session under the same user name or sending an email notification to the administrator. Patch 2128669 contains an example demonstrating how to write a custom event and/or additional subscriptions.

The example subscription calls a rule function that updates the ICX_SESSIONS table, setting DISABLED_FLAG='Y' for all other sessions belonging to that user. This renders the other sessions invalid: the next user action on any of them returns the browser to a login screen indicating that the session is invalid. User names appearing in the subscription's parameter list are excluded from this functionality, so service and administrative accounts that legitimately need more than one session can be carved out. This functionality is disabled by default; verify that the event and subscription are enabled before relying on it.
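The following script is an added example for this page; it is not code from Solution Beacon, from the MetaLink notes or from patch 2128669. The first statement is the check a practitioner wants before enabling enforcement: which users hold more than one live session right now. The second is an anonymous PL/SQL block that does what the page says the rule function does, disabling every session of one user except the newest, with an exclusion list. ICX_SESSIONS.SESSION_ID, USER_ID and DISABLED_FLAG are named on the page; FIRST_CONNECT, LAST_CONNECT and TIME_OUT (taken as seconds) and the FND_USER join are assumptions about the standard schema that should be confirmed on your release. The user names JSMITH, SYSADMIN and GUEST are hypothetical placeholders.

```sql
-- Added example; not Solution Beacon's or Oracle's code. Run as APPS on a
-- test instance first. Column names beyond SESSION_ID/USER_ID/DISABLED_FLAG
-- (FIRST_CONNECT, LAST_CONNECT, TIME_OUT in seconds) are assumptions.

-- 1. Detection: users who currently hold more than one live session.
--    A session counts as live when it is not disabled and has not idled
--    past its timeout.
SELECT u.user_name,
       COUNT(*)             AS live_sessions,
       MIN(s.first_connect) AS oldest_login,
       MAX(s.last_connect)  AS newest_activity
  FROM icx_sessions s
  JOIN fnd_user     u ON u.user_id = s.user_id
 WHERE NVL(s.disabled_flag, 'N') = 'N'
   AND s.last_connect + s.time_out / 86400 > SYSDATE
 GROUP BY u.user_name
HAVING COUNT(*) > 1
 ORDER BY live_sessions DESC;

-- 2. Enforcement: the rule function's behaviour as a stand-alone block.
--    Keeps the most recently active session of one user, disables the rest,
--    and skips accounts on the exclusion list (the page's "parameter list").
DECLARE
  l_user_name fnd_user.user_name%TYPE := 'JSMITH';                       -- hypothetical
  l_excluded  SYS.ODCIVARCHAR2LIST := SYS.ODCIVARCHAR2LIST('SYSADMIN', 'GUEST'); -- hypothetical
  l_keep_id   icx_sessions.session_id%TYPE;
  l_disabled  PLS_INTEGER := 0;
BEGIN
  -- Excluded accounts keep all of their sessions.
  FOR i IN 1 .. l_excluded.COUNT LOOP
    IF l_excluded(i) = l_user_name THEN
      DBMS_OUTPUT.PUT_LINE(l_user_name || ' is excluded; nothing done.');
      RETURN;
    END IF;
  END LOOP;

  -- The newest live session (by last activity) is the one that survives.
  SELECT session_id
    INTO l_keep_id
    FROM (SELECT s.session_id
            FROM icx_sessions s
            JOIN fnd_user     u ON u.user_id = s.user_id
           WHERE u.user_name = l_user_name
             AND NVL(s.disabled_flag, 'N') = 'N'
           ORDER BY s.last_connect DESC)
   WHERE ROWNUM = 1;

  -- Invalidate every other session for the user. The next request made
  -- on any of them is bounced to the login page.
  UPDATE icx_sessions s
     SET s.disabled_flag = 'Y'
   WHERE s.user_id = (SELECT user_id FROM fnd_user WHERE user_name = l_user_name)
     AND s.session_id <> l_keep_id
     AND NVL(s.disabled_flag, 'N') = 'N';
  l_disabled := SQL%ROWCOUNT;

  -- A real rule function would not commit; Workflow owns the transaction.
  -- This stand-alone block commits so the effect is visible immediately.
  COMMIT;
  DBMS_OUTPUT.PUT_LINE('Disabled ' || l_disabled || ' other session(s) for ' || l_user_name);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('No live session for ' || l_user_name);
END;
/
```

Run the detection query for a few days before turning the event subscription on: the accounts it lists are the shared ones, and the ones that turn out to be batch or integration users are the names that belong in the exclusion list rather than in the audit log.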
