Contract Management Security and Administration Best Practices Session ID# 15401
Tony Sleva
Principal Technical Engineer
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Program Agenda
Environmental Security
Primavera Contract Management Administration
– Security Administration
– Other Administration
Q&A

Environmental Security For the IT Person in All of Us
Main Components to Secure
– Web Server
– Database Server
– BI Publisher Server
– Content Server
Best Practices
– All servers behind the corporate firewall
– Use a Proxy Server in front of the Web Server
– Implement SSL
– Change the default ports
– Change the default users/passwords (don’t use exp/sql for your database password!)
– Restrict machine access
– LDAP/SSO
– If you hire a security consultant, don’t let them leave without making and explaining recommendations!

http://www.xkcd.com/936

PCM Administration Security Focused Administration Workflow
Change the EXPADMIN Administrator ID password
Update the User Password Settings
Create Access Templates
Create User Accounts
Apply additional Project Access changes
Update Server Configuration settings
Configure Content Management settings (13.0 and later)
Configure User Email Settings (14.0 SP2 and later)

PCM Administration Administrator IDs
Change your EXPADMIN password ASAP
“If Contract Management is a new installation, sign into the Contract Management Administration Application with the default administrator user name and password. (The default is expadmin for both the user name and password.)” - Page 22 of the PCM 14 User Guide
EXPADMIN cannot be deleted
EXPADMIN cannot be renamed

PCM Administration User Password Settings
Maximum password length = 20
If a user account is locked after surpassing the maximum number of attempts, an administrator must unlock the account from within User Accounts.
The Prohibited Password list can be imported from a plain text file

PCM Administration Access Templates
Configures View, Add, Edit, Export, and Delete rights for each module
Configures rights for specific actions:
– Reject/Close Change Management
– Copy Commitments to Budget
– Edit Original Estimate
– Apply/View Markup
– Update Submittals from Schedule

PCM Administration Access Templates
Configures Approval Rights
Templates and Users have a Many-to-Many Relationship
Users can only have a single Template applied per Project
Template changes do not automatically cascade down to Users on Save (by design)
"Update Users" was added in 13.1 SP2 and 14.0 SP2

PCM Administration User Accounts
Email Address required for email usage within PCM
Enabling "Requires new password at next login" is a good practice for new user accounts
"Disable this User Account" will be checked if maximum login attempts is exceeded
"User has all rights to all projects" overrides all other settings
"Can Access File Server" does not control anything if using a Content Repository for all projects
– Yes = Files are first uploaded to a File Server, then a PCM user creates links to the files within PCM.
– No = Files are uploaded to a File Server via PCM.

PCM Administration User Accounts

PCM Administration User Accounts
Users can have multiple Access Templates
Different Access Templates can be applied to different Projects
Selecting (or Re-selecting) an Access Template will update the User’s rights within a Project, overwriting any existing modifications.

PCM Administration Behind the Scenes: Access Templates and User Accounts
All Access Template and User Account information is stored in the EXPADMIN database schema
ADMN
– Data entered in User Accounts screen
– Background info, such as last project group used, failed login attempts, and more
SECURITY
– Access Templates
– User Access per Project and Project Template
– Does not have rows for users with Administrative privileges
– Module rights calculated numerically: View = 1, Add = 2, Edit = 4, Export = 8, Delete = 16
Example: View + Add + Edit + Export + Delete = 1 + 2 + 4 + 8 + 16 = 31
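
The numeric module rights described above can be decoded and audited with a short script. This is an added example, not Oracle's code or part of the original slides: it decodes stored values and reports users whose per-project rights differ from their assigned template, which can happen because template changes do not cascade automatically. The row layout and all template, user, project and module names are hypothetical, constructed sample data.

```python
from enum import IntFlag

class Right(IntFlag):
    VIEW = 1
    ADD = 2
    EDIT = 4
    EXPORT = 8
    DELETE = 16

ALL_RIGHTS = 31  # View + Add + Edit + Export + Delete

def decode(value):
    """Turn a stored module-rights number into a list of right names."""
    if value < 0 or value & ~ALL_RIGHTS:
        raise ValueError(f"value {value} has bits outside the five documented rights")
    return [r.name for r in Right if value & r]

def find_drift(templates, user_rows):
    """Report rows whose rights differ from the assigned template's current value."""
    findings = []
    for user, project, template, module, value in user_rows:
        expected = templates[template][module]
        extra, missing = value & ~expected, expected & ~value
        if extra or missing:
            findings.append({
                "user": user, "project": project, "module": module,
                "extra": decode(extra), "missing": decode(missing),
            })
    return findings

# Constructed sample data: template, user, project and module names are
# hypothetical, and the row layout is an assumption, not the SECURITY table's.
TEMPLATES = {
    "PM":       {"Change Management": 31, "Submittals": 15},
    "Reviewer": {"Change Management": 1,  "Submittals": 9},
}
USER_ROWS = [
    ("jdoe",   "Bridge", "PM",       "Change Management", 31),  # matches template
    ("jdoe",   "Bridge", "PM",       "Submittals",        31),  # extra Delete
    ("asmith", "Bridge", "Reviewer", "Change Management", 7),   # extra Add, Edit
    ("asmith", "Tower",  "Reviewer", "Submittals",        1),   # missing Export
]

if __name__ == "__main__":
    for finding in find_drift(TEMPLATES, USER_ROWS):
        print(finding)
```

Rows with a non-empty "extra" list are the ones to review first, since they grant rights the current template no longer (or never) allowed.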

PCM Administration Project Access
Launched at the Project level
Changes made here impact only the selected User and only on this Project
Project-level look at User Access that allows fine tuning of the rights assigned by Access Templates

PCM Administration Access By Company
Restricts user access to documents affecting a specific company
Configured at the very bottom of User Project Access
Access By Company functionality searches for the assigned company in specific fields within a document
Example: Transmittals access is restricted by the To, From, and BIC companies.
A full list of modules and fields used by Access By Company can be found in:
Document 1277125.1 – “Access by Company - Access Details by Document Type”
Behind the Scenes: Field restrictions are held in the ITEM_TABLE table for each document type.

PCM Administration Server Configuration – Default Language for New Users
Dropdown is driven by explang.xml
Default Location: c:\Oracle\Middleware\user_projects\domains\cm\com\primavera\exponline\common
Language files are located in resource_strings.jar (often a component of Service Packs)
Default Location: c:\Oracle\Middleware\user_projects\domains\cm\lib
Other Available Languages: Spanish (ES), Portuguese (BR), Russian, Chinese (TW), French (CA)

PCM Administration Server Configuration – Reports, Forms, and Letter Templates Locations
Folder paths must match those in the BI Publisher Catalog and are case sensitive
Import Reports & Forms can be run one location at a time, or all at once

PCM Administration Content Management
Configure default Content Repository behavior for new Projects
Configure Content Repository usage per Project
Specify attachment locations for Projects not using a Content Repository

PCM Administration User Email Settings
New in 14.0 SP2
Controls participation in three email-based functions in Contract Management
– Receive Payment Requisition and Change Order approval (New in 14.0 SP2)
– Receive Daily Digest of action items (New in 14.0 SP2)
– Add emails to Correspondence Sent Log
Configures default settings for New Users
Allows for mass subscription, or mass unsubscription
Users can update all of their own settings within User Settings