Post last modified: June 12, 2020
Limitations/issues faced with LBAC

In this article we will look into the limitations and issues faced with Location Based Access Control (LBAC), which is the new security feature introduced in Fusion.

If you are new to LBAC (Location Based Access Control), please go through the previous posts to get familiar with this feature.


Limitations of LBAC:

If the client is implementing globally across multiple countries, the limit of 32 IP addresses and 1000 characters won't be sufficient. Oracle is suggesting alternative approaches while they work on increasing the limit in parallel.

Oracle has suggested that customers use the following methods to reduce the number of whitelisted IP addresses:

  •   have mobile users log in to the VPN and add the VPN IP range using CIDR
  •   have mobile users use the corporate proxy server and restrict access to the IP of the proxy
  •   have mobile users connect to corporate wi-fi to access restricted content and whitelist the wi-fi IP range
  •   have the mobile app excluded from the whitelist using “public” roles, and use CIDR to restrict access to the corporate network.
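
To see how far CIDR consolidation goes against the limits above, here is an added example (not Oracle's tooling and not code from the original post) that collapses a raw address list into the fewest CIDR blocks and checks the result against the 32-entry and 1000-character limits. The comma separator, the assumption that each CIDR block counts as one entry, and the function names are assumptions; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

MAX_ENTRIES = 32   # entry limit quoted in the article
MAX_CHARS = 1000   # character limit quoted in the article
SEPARATOR = ","    # assumption: entries are stored comma-separated

def build_whitelist(sources):
    """Collapse addresses, CIDR blocks and first-last ranges into the
    fewest CIDR blocks that cover exactly the same addresses."""
    nets = {4: [], 6: []}
    for item in (s.strip() for s in sources):
        if not item:
            continue
        if "-" in item:   # "first-last" range, e.g. a VPN address pool
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            blocks = ipaddress.summarize_address_range(first, last)
        else:
            # strict parsing: "192.0.2.5/24" raises instead of silently widening the allow-list
            blocks = [ipaddress.ip_network(item)]
        for block in blocks:
            nets[block.version].append(block)
    merged = []
    for version in (4, 6):   # collapse_addresses cannot mix IPv4 and IPv6
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    return [str(n) for n in merged]

def check_limits(entries):
    """Return (fits, entry_count, char_count) for the joined whitelist value."""
    value = SEPARATOR.join(entries)
    return (len(entries) <= MAX_ENTRIES and len(value) <= MAX_CHARS, len(entries), len(value))

# Constructed sample (documentation address ranges, not real offices)
SAMPLE = [f"198.51.100.{i}" for i in range(40)]            # 40 VPN client addresses
SAMPLE += ["192.0.2.0-192.0.2.127", "192.0.2.128/25"]      # two halves of one office network
SAMPLE += ["203.0.113.10"]                                  # corporate proxy

if __name__ == "__main__":
    entries = build_whitelist(SAMPLE)
    print(len(SAMPLE), "raw entries ->", entries, check_limits(entries))
```

The collapse is exact, so the resulting blocks never admit an address that was not in the input list.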

Issues faced with LBAC:

Currently, LBAC protects the HCM REST API and HCM SOAP Services, so a user who tries to access these services from outside of the IP range will not be able to.

However, the BI Publisher SOAP services and the REST API for common features don’t have the same protection, and BI reports can be run from outside the IP range using external services. When IP whitelisting is done from Oracle’s end, all of these REST and SOAP services are blocked outside of the IP range. So, I think this is a bug with LBAC and hope Oracle is working on fixing these issues.

Users are able to view the BI Reports/Analytics by directly accessing them using the xxxx-xxx1.XX.usX.oraclecloud.com/analytics hyperlink even though they don’t have the Employee role, which should ideally give access to the Reports and Analytics area.

If you or your client are facing any issues with LBAC, Oracle requests that you raise an SR with these options:

  • Select Where is the Problem as: Cloud [You will see Software / Cloud / Manage Cloud Service].
  • Service Type as: Cloud Product [e.g. Oracle Fusion Global Human Resources Cloud Service].
  • Problem Type as: Customizations (Branding, User Interface Text, Customization Framework and Migration, ADFDI Setup and Installation)

Hope this information helps you make the right decision when you compare IP whitelisting by Oracle with moving to LBAC. Until the current limitations are resolved, we should stay in watch mode and not jump to LBAC if clients want to avoid risk.

Tip: If you have already implemented LBAC, please work with Oracle and push them for a solution to these issues. If you haven’t implemented it, consider whether these issues would impact your business.
