Restricting access to Fusion SaaS applications by IP addresses or IP range

September 27, 2019 | 2 minute read

Introduction

An increasingly frequent requirement from customers is to restrict access to cloud applications by originating IP address or by target IP addresses or ranges. Such a restriction provides an additional layer of security on top of the other security measures already enforced, such as federated single sign-on and 2-step verification. Let's compare a couple of ways Oracle Fusion SaaS applications support IP-based restricted access.

Overview of IP whitelisting needs

There are 2 types of IP restrictions that customers request. The first type, outbound IP whitelisting, is where customers want the IP addresses of Fusion applications whitelisted in their corporate firewalls. This is a complex topic with multiple aspects to consider before such a restriction can be enabled. Please review the A-team blog on this topic.

The second type of whitelisting, inbound IP whitelisting, is where customers want Oracle applications to accept traffic only from approved IP addresses or IP ranges. This ensures that users connecting from IP addresses not approved by the customer either cannot access the application at all or can access only some features of the application.

Network-level inbound IP whitelisting

Customers have been requesting IP restrictions to be applied by Oracle Support. Prior to the availability of LBAC in release 19A, this was the only solution available. Customers open an SR with Oracle Support listing the IP addresses or IP ranges in CIDR notation. Oracle Support applies these changes, once approved, on a weekly basis, so there is a 2-week lead time before the IP restrictions take effect. This approach is still feasible, although Oracle encourages customers to use Location Based Access Control.

Location Based Access Control (LBAC)

This is a new common feature introduced in Fusion SaaS applications release 19A. Note that IP ranges specified in this feature can be overridden by network-level IP whitelisting applied by request to Oracle Support. Customers must therefore either alter the network-level whitelisting or remove it altogether before using Location Based Access Control.

LBAC works by specifying a list of IP addresses or CIDR ranges in the Security Console. Once applied, only users connecting from an approved IP can access the application. Exceptions can be made by marking certain roles public, in which case the features granted by those roles can be accessed from any IP. This can be used, for example, to restrict all HCM features except annual benefits enrollment to the corporate network.

The key benefit of LBAC is that it is entirely self-service for the customer, so IP restrictions take effect immediately.
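The LBAC evaluation rule described above, as an added example that is not Oracle's code: a small Python model of an allowlist of CIDR ranges with public-role exceptions. The CIDR ranges, role names and feature names are constructed for illustration; the point is that an unapproved IP is denied except for features granted by a public role, and that malformed CIDR entries are rejected before they are used.

```python
import ipaddress


def parse_allowlist(entries):
    """Validate CIDR entries as an administrator would type them.
    strict=True rejects ranges with host bits set (e.g. 10.0.0.5/24).
    Returns (accepted_networks, rejected_entries)."""
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


# Constructed sample configuration (hypothetical values, not Oracle's):
ALLOWED_RANGES, _ = parse_allowlist([
    "203.0.113.0/24",    # constructed: head-office egress range
    "198.51.100.10/32",  # constructed: VPN concentrator address
])
PUBLIC_ROLES = {"Benefits Enrollment Self Service"}  # hypothetical role marked public
FEATURE_ROLES = {                                    # hypothetical feature -> granting role
    "payroll_admin": "Payroll Administrator",
    "benefits_enrollment": "Benefits Enrollment Self Service",
}


def ip_is_approved(client_ip, allowed=ALLOWED_RANGES):
    """True if client_ip falls inside any approved CIDR range.
    Raises ValueError for an unparsable address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def lbac_decision(client_ip, feature, allowed=ALLOWED_RANGES, public=PUBLIC_ROLES):
    """Model the LBAC rule: an approved IP may use any feature; an unapproved
    IP may use only features granted by a public role. Fails closed on bad input."""
    try:
        approved = ip_is_approved(client_ip, allowed)
    except ValueError:
        return "deny"
    if approved:
        return "allow"
    role = FEATURE_ROLES.get(feature)
    return "allow" if role is not None and role in public else "deny"
```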

References

Managing Location based access:

https://docs.oracle.com/en/cloud/saas/applications-common/19a/faser/managing-location-based-access.html#FASER3273387

A-team blog on outbound white-listing:

http://www.ateam-oracle.com/fusion-cloud-ip-whitelisting

IP white listing for Oracle Applications Cloud:

Oracle Applications Cloud - IP Address White Listing Service Entitlement (Doc ID 2089639.1)


Mani Krishnan

