Enabling Location Based Access Control (LBAC)

There was no other alternative to provide minimal access to users from other IP range.

What are the benefits of LBAC?
With LBAC, the Security Administrator can setup the IP address/IP range using CIDR and we can provide upto max of 32 distinct IP Address/IP ranges.

• People logging in from that IP range specified will have the complete access as per their roles.
• We also have an option to make some roles public so that users will be able to login and access the tasks provided by these roles out of the IP ranges too.
• We do not need to raise an SR to get the IP address white listed and wait for them to apply that in a turnaround time of 2 weeks.
• It is reflected immediately. No need to bounce the server.

Before we start to enable LBAC – Points to keep in mind:

• Configure the Location Based Access in Test POD first. After successful testing move it to Production.
• Set up a valid email address. When required, the location-based access control reset or recovery notification is sent to that email address.
• Add yourself to the user category for which the notification template ORA Administration Activity Requested Template is enabled.
• Keep the list of valid IP addresses ready.

Who can enable LBAC?
Any user with “IT Security Manager” role can enable Location Based Access Control and make role public. We can make a role public only when LBAC is enabled. To enable LBAC, we must register all the possible IP addresses from which the users usually login to the application.

By default Security Console > Administration tab will look like:

Steps to enable LBAC tab on Security Console:
Navigate to Setup and Maintenance > Manage Administrator Profile Values and set the profile value to Yes at the site level for profile code ASE_ADMINISTER_LOCATION_BASED_ACCESS_CONTROL. There is no system bounce or sign-out required.

Post this change we can go back to Security Console > Administration and check the LBAC option.

We can see the LBAC options now. We can check the “Enable Location Based Access” check box and provide the IP ranges below and save the page. Enter one or more IP addresses separated by commas. For example, 192.168.10.12, 192.168.10.0. To indicate a range of IP addresses, you may follow the Classless Inter-Domain Routing (CIDR) notation, such as 192.168.10.0/24. We can enter only up to 32 IP addresses of version IPv4 in the IP Address Whitelist text box.  Current computer’s IP address appears on the page. Add that IP address to the list so that your access to the application remains unaffected when you sign in from that computer.

If you Enable the checkbox and don’t specify any IP addresses and save, then all users will not be able to login including the administrator. So we have to be very careful when enabling LBAC and only the administrator needs to enable this feature.

Once we setup the LBAC, here are the possibilities for user access:

Recovery Methods:
Security Administrator should have an action plan ready if one of the admins does an incorrect LBAC setup preventing everyone to login from all IP ranges.

• Make sure you have an admin user with the following privileges (IT Security Manager role will have these privileges): ASE_ADMINISTER_SSO_PRIV, ASE_ADMINSTER_SECURITY_PRIV
• Make sure the notification is enabled for ORA Location Based Access Disabled Confirmation Template. (Security Console- User Categories-Notifications)
• Access admin recovery URL https://<podname>.fa.<datacentername>.oraclecloud.com/hcmUI/faces/AdminActivity and enter your admin user name
• After you request access to the Administration Activity page, you get an email at your registered email ID containing a URL similar to the one given below: https://<podname>.fa.<datacentername>.oraclecloud.com/fscmUI/faces/FuseWelcome
• Click the URL and you’re directed to a secure Administrator Activity page. Select the Disable Location Based Access option and click Submit. You receive a confirmation that location-based access is disabled. Immediately, you’re redirected to the Oracle Applications Cloud login page where you can sign in using your registered user name and password, and gain access to tasks and data as earlier.

Use Cases of LBAC functionality:

• Public Access for Pending Workers
• Public Access for External Learners
• Public Access for Oracle Recruiting Cloud Users
• Self Service Access to users to complete their tasks from home while keeping the admin roles restricted to office

What will happen if you are already using IP Whitelisting with Oracle Support?

Raise an SR requesting a list of your existing whitelisted IP addresses for you to use when setting up your new LBAC whitelist
Request a clean-out of your existing white list; LBAC is a new white listing method that should replace, not co-exist with, your existing white list.

Steps to disable LBAC:
To disable location based access, deselect the Enable Location Based Access check box. The existing IP addresses remain in a read-only state so that you can reuse the same information when you enable the functionality again. At that point, you can add or remove IP addresses based on your need.

Refer to the below links for more details:
Cloud COE link
Oracle Documentation
Oracle Support Doc ID 2089639.1

If you have any questions, please feel free to reach out to me by posting in comments section.

If you are interested in learning Fusion Technical tools go through this post

If you liked the article, please share it with your friends/ colleagues/ teammates or anyone who might also benefit from it.