Friday, June 9, 2023

How to allow only specific users to access EBS site

During some special time periods, business management wants to restrict users from accessing the R12.2 EBS website and allow only one or two users to complete dedicated tasks, such as the month-end process.

Oracle EBS has a way to do that. See Oracle Doc ID 605538.1 (How To Lock Users Out Of E-Business Suite And Allow Specific Users). This only works if the EBS website does not have multiple web nodes with load balancing (such as F5) in the middle.

Our users use a VPN to log onto the company's network and PC. After I added the lines below to the file $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf and bounced the apps services, only users coming from the two IP addresses could access our EBS site; all other users got the "Forbidden oops." message on the login page.

<Location ~ "/OA_HTML">
Order deny,allow
Deny from all
Allow from 10.55.xxx.92
Allow from 10.53.xxx.134
ErrorDocument 403 "Forbidden oops."
Allow from localhost
</Location>

Use "grep ohs_inst $CONTEXT_FILE" to identify the OHS instance name (e.g. EBS_web_OHS1) and the location of the file.
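To see exactly which clients the block above lets through, and why it stops working behind a load balancer, here is an added simulation of the Order/Deny/Allow evaluation (this is illustration code, not Oracle's or the post's own; the addresses are constructed placeholders with the xxx octet filled in, and "localhost" is simplified to the loopback range):

```python
"""Evaluate an Apache 2.2-style (mod_access_compat) <Location> access block
against client addresses. Added illustration, not part of the original post."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the custom.conf directives (xxx replaced by a made-up 0).
CUSTOM_CONF = """
Order deny,allow
Deny from all
Allow from 10.55.0.92
Allow from 10.53.0.134
ErrorDocument 403 "Forbidden oops."
Allow from localhost
"""

def parse_rules(conf: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (order, [(verb, host), ...]); other directives are ignored."""
    order, rules = "deny,allow", []
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "order":
            order = parts[1].lower()
        elif verb in ("allow", "deny") and parts[1].lower() == "from":
            rules.extend((verb, host) for host in parts[2:])
    return order, rules

def host_matches(host: str, client_ip: str) -> bool:
    """'all', 'localhost' (simplified to 127.0.0.0/8), an address, or a CIDR."""
    if host == "all":
        return True
    if host == "localhost":
        host = "127.0.0.0/8"
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # hostnames would need a reverse DNS lookup; not modelled

def is_allowed(conf: str, client_ip: str) -> bool:
    """deny,allow: Deny is checked first, an Allow match overrides it, and an
    address matching neither list is permitted. allow,deny is the reverse."""
    order, rules = parse_rules(conf)
    allowed = any(host_matches(h, client_ip) for v, h in rules if v == "allow")
    denied = any(host_matches(h, client_ip) for v, h in rules if v == "deny")
    return (allowed or not denied) if order == "deny,allow" else (allowed and not denied)

def behind_load_balancer(conf: str, lb_ip: str, users: List[str]) -> Dict[str, bool]:
    """OHS sees the balancer's address as the client, so every user gets one verdict."""
    return {u: is_allowed(conf, lb_ip) for u in users}
```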

If load balancing is used, the above method may not work because the end user's IP may not reach the EBS server. Other ways can be used to accomplish this, but additional work is needed.
1. Create a special Responsibility, then disable all other Responsibilities. Only users with the new Responsibility will be able to log into the EBS site to do the work.
2. You can disable/enable users in bulk using the API. But this changes last_update_date and last_updated_by in table fnd_user and may become a security auditing concern (especially when we have 57,000+ active users in the system; the big worry is that users' passwords would still work).
    fnd_user_pkg.disableuser('<username>');
    fnd_user_pkg.enableuser('<username>');
3. Ask the internal firewall team to restrict access to the EBS Load Balancer URL to specific IP addresses.
4. Change the Load Balancer port to a temporary port that will only be given to the authorized users; after the archive process is complete, the port can be switched back to the original port so it becomes available to all users again.

An alternative solution is to keep running a query to monitor who is using the EBS site.