Protecting oracle apps 11i energy suite accounts

Hi,

Our shop wants to run an Energy Upstream ERP based technology stack, which is integrated into Oracle Apps 11i. Can we enforce database password complexity and expiration rules for the accounts listed below without making the system interfaces unusable and difficult to troubleshoot or the application system unusable and unpredictable as some have suggested? below the list of accounts:

User Description

APPLSYS
APPLSYSPUB
APPS
ABM Activity Based Management Account
AK Oracle Common Modules-AK Account
AMS Oracle Marketing Account
AMV Oracle Marketing Encyclopedia System Account
AP Oracle Payables Account
AR Oracle Receivables Account
ASF Oracle Sales Online Account
ASG CRM Mobile Services Gateway Account
ASL Oracle Mobile Field Sales Laptop Account
ASO Oracle Order Capture Account
AST Oracle TeleSales Account
AX Oracle Common Modules-AX Account
AZ Application Implementation Account
BEN Oracle Benefits Account
BEN Oracle Benefits Account
BIC Oracle Customer Intelligence Account
BIL Oracle Sales Intelligence Account
BIM Oracle Marketing Intelligence Account
BIS Oracle Applications BIS Account
BIX Oracle Call Center Intelligence Account
BOM Oracle Bills of Material Account
BSC Oracle Balanced Scorecard Account
CCT Oracle Telephony Manager Account
CE Oracle Cash Management Account
CN Oracle Sales Compensation Account
CRP Oracle Capacity Account
CS Oracle Service Account
CSC Oracle Customer Care Account
CSD Oracle Depot Repair Account
CSF Oracle Field Service Account
CSP Oracle Spares Management Account
CSR Oracle Scheduler Account
CSS Oracle Support Account
CUA CRL Financials Assets Account
CUE Oracle Billing Connect Account
CUF Oracle CRL Financials Account
CUI Network Logistics Inventory Account
CUN Network Logistics NATS Account
CUP Network Logistics Purchasing Account
CUS Oracle Network Logistics Account
CZ Oracle Product Configurator Account
EAA Oracle SEM Exchange Account
EAM Oracle Enterprise Asset Management Account
EAP Oracle Energy Payables Account
EAR Oracle Energy Receivables Account
EB Oracle Energy Base Account
EC Oracle EDI Gateway Account
ECX Oracle XML Gateway Account
EDM Enterprise Upstream Datamart Account
EE Oracle Energy AFE Account
EF Oracle Energy Financials Account
EFA Oracle Energy Assets Account
EFO Novistar Field Operations Account
EGL Oracle Energy General Ledger Account
EGM Oracle Energy Gas Marketing Account
EIN Oracle Energy Inventory Account
EJ Oracle Energy JIB Account
EK Oracle Energy Market Acctg Account
EL Oracle Energy Land Account
ENG Oracle Engineering Account
ENI Oracle Engineering Intelligence System Account
EPO Oracle Energy Purchasing Account
ER Oracle Energy Revenue Account
ESV Oracle Energy First Purchaser Account
ET Oracle Energy Reg Reporting Account
EU Oracle Energy Production Account
EVM Value Based Management Account
EYE Oracle Energy Integrator Account
FA Oracle Assets Account
FEM Strategic Enterprise Management Account
FII Oracle Financial Intelligence Account
FLM Oracle Flow Manufacturing Account
FPT Oracle Banking Center Account
FRM Oracle Report Manager Account
FTE Oracle Transportation Hub Account
FV Oracle Federal Financials Account
GL Oracle General Ledger Account
GMA Oracle Process Mfg Systems Account
GMD Oracle Process Mfg Product Development Account
GME Oracle Process Mfg Execution Account
GMF Oracle Process Mfg Financials Account
GMI Oracle Process Mfg Inventory Account
GML Oracle Process Mfg Logistics Account
GMP Oracle Process Mfg Planning Account
GMS Oracle Grants Management Account
GR Oracle Process Regulatory Management Account
HR Oracle Human Resources Account
HRI Human Resources Intelligence Account
HXC Oracle Time Capture Account
HXT Oracle Time Management Account
IBA Oracle iMarketing Account
IBE Oracle iStore Account
IBP Bill Presentment & Payment Account
IBU Oracle iSupport Account
IBY Oracle iPayment Account
ICX Oracle Applications for Web Account
IEB Oracle Interaction Blending Account
IEM Oracle eMail Center Account
IEO Call Center Technology Account
IES Oracle Scripting Account
IEU Universal Work Queue Account
IEX Oracle Collections Account
IGC Commitment Administration Account
IGF Student Systems Fin Aid Account
IGI Oracle International Public Sector Financials Account
IGS Oracle Student Systems Account
IGW Oracle Grants Proposal Account
INV Oracle Inventory Account
IPA CRL Financials Projects Account
IPD Oracle Product Development Exchange Account
ISC Oracle Supply Chain Intelligence Account
ITG Oracle Internet Procurement Enterprise Connector Account
JA Asia/Pacific Localizations Account
JE European Localizations Account
JG Shared Localizations Account
JL Latin America Localizations Account
JTF Oracle CRM Foundation Account
ME Oracle Maintenance Repair & Overhaul Account
MFG Oracle Mfg Menu Account
MRP Oracle Master Scheduling/MRP Account
MSC Oracle Advanced Supply Chain Planning Account
MSD Oracle Demand Planning Account
MSO Oracle Constraint Based Optimization Account
MSR Oracle Risk Optimization Account
MWA Mobile Applications Account
OE Oracle Order Entry Account
OKC Oracle Contracts Core Account
OKE Oracle Contracts for Projects Account
OKR Oracle Contracts for Rights Account
OKS Oracle Service Contracts Account
OKX Oracle Contract Integration Account
ONT Oracle Order Management Account
OPI Oracle Operations Intelligence Account
OSM Oracle Sales and Marketing Account
OTA Oracle Training Account
OZF Funds & Budgets Account
OZP Trade Planning Account
OZS Oracle iClaims Account
PA Oracle Project Accounting Account
PJM Oracle Project Manufacturing Account
PMI Oracle Process Management Intelligence Account
PN Oracle Property Manager Account
PO Oracle Purchasing Account
POA Oracle Purchasing Intelligence Account
POM Oracle Exchange Account
POS Internet Supplier Portal Account
PSA Public Sector Applications Account
PSB Public Sector Budgeting Account
PSP Oracle Labor Distribution Account
PV Partner Relationship Management Account
QA Oracle Quality Account
QP Oracle Pricing Account
RG Application Report Generator Account
RHX Oracle Advanced Planning Foundation Account
RLA Oracle Release Management Account
RLM Oracle Release Management Account
SSP Oracle SSP Account
VEA Oracle Automotive Account
VEH Oracle Automotive Account
WIP Oracle Work in Process Account
WMS Oracle Warehouse Management System Account
WPS Oracle Manufacturing Scheduling Account
WSH Oracle Shipping Execution Account
WSM Shop Floor Management Account
XDP Oracle SDP Provisioning Account
XLA Oracle Common Accounting Modules Account
XNC Oracle Sales for Communications Account
XNM Oracle Marketing for Communications Account
XNP Oracle SDP Number Portability Account
XNS Oracle Service for Communications Account
XTR Oracle Treasury Account

Kind regards,

By "account", it looks like you're referring to "database account", not accounts within the application.

In my experience, if a seeded database userid is being used by  Oracle and you let the password expire (due to expiration rules)  without pro-actively changing the password, you may quickly discover all of the things that can go wrong with the Oracle application.

Metalink would be a great resource to get Oracle's recommendations on changing passwords for seeded accounts. I haven't seen any  Oracle documentation that would restrict your ability to implement  password complexity.

This Metalink document should help with APPS, APPLSYS, and  APPLSYSPUB:

How To Manually Change The APPS, APPLSYS and APPLSYSPUB Passwords in Oracle Applications
Note:160337. 1
IMPORTANT NOTE: Please only use this note as a last resort. The  supported method of changing the APPLSYS password is to use  FNDCPASS, and this will also change the APPS password automatically.
Additionally, it is recommended to not change the APPLSYSPUB  password.

A few other Metalink documents that may be useful are:
Note 189367.1 - Best Practices for Securing the E-Business Suite
Patch 4926128 - ORACLE DEFAULT PASSWORD SCANNER

Note:398942. 1 - FNDCPASS Utility New Feature ALLORACLE

Goal
Explain the usage of a new FNDCPASS Utility feature introduced in 11.5.10 RUP 3 to change Oracle EBS base product schema password with a single command line invocation.

Starting with Release 11.5.10 RUP 3, a single command line  invocation of FNDCPASS changes the password for all Oracle EBusiness  Suite base product schemas, which number approximately 200.

Upon installation of Oracle Applications, a number of schemas  (sometimes called ORACLE schemas) are present in the database. You  do not need to create these schemas; however, you should change the  default passwords. These schemas come from different sources and can be described as being of the following types:

1. Schemas that exist in every Oracle database (whether used by Oracle Applications or not) [ex: SYS,SYSTEM].
...<snip>...

Your list didn't include SYS or SYSTEM. I asked our DBA to provide "a list of all database userids with update access to at  least one table within the Oracle database". His list is below. A  few of these may be specific to our implementation.

AD_PATCH_MONITOR_ ROLE
AMV
APPLSYS
APPS
AR
CS
CTXAPP
CTXSYS
DBA
EGO
EXP_FULL_DATABASE
GATHER_SYSTEM_ STATISTICS
ICX
JTF
OKR
OLAPSYS
OLAP_USER
PA
PUBLIC
SELECT_CATALOG_ ROLE
SYS
SYSTEM