
Oracle Workflow Administrator's Guide
Release 2.6.3.5

Part Number B12160-02

E-mail Notification Security

Each individual e-mail notification message sent by a notification mailer includes a line containing a notification ID (NID), access key, and node identifier, which are used to authenticate responses to the notification.

The format of the NID line is as follows:

NID[NID/access_key@node_identifier]

Responses by E-mail

When a user responds to a notification by e-mail, the response message must include the NID line from the original notification message. A notification mailer accepts the response only if the correct NID and access key combination is included in the response. Users can ensure that the response message contains the NID and access key either by including the entire original message when replying or by using a response template that includes the NID line.

Note: Some mail clients, notably early releases of Microsoft Outlook Express, may not copy the NID line properly in a reply message. When responding to a notification, users should verify that the NID line is included in full and contains the prefix NID and all the details between the square brackets.

A user who receives an e-mail notification message may forward the message to another user through the e-mail application. When you configure a notification mailer, you can choose whether to allow a user to respond by e-mail to an e-mail notification that has been forwarded from another role.

Warning: There are limitations when you deselect the Allow Forwarded Response parameter. For example, suppose a notification is sent to a distribution list mail alias that does not have a user/role relationship in the Oracle Workflow directory service. If any user from the distribution list responds to the notification, the notification mailer will always treat their notification response as unsolicited mail, because the "From:" e-mail address, which is an individual user's e-mail address, will never match the distribution list mail alias.
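The checks described above, as an added example that is not Oracle Workflow code: it extracts the NID line from a reply, compares the NID, access key and node identifier with what was sent, and then applies the Allow Forwarded Response setting to the "From:" address. The token syntax in the regular expression, the SENT record, the result names and all sample values are assumptions constructed for illustration.

```python
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed token syntax; the page specifies only NID[NID/access_key@node_identifier].
NID_LINE = re.compile(r"NID\[(\d+)/([^\s/@\[\]]+)@([^\s/@\[\]]+)\]")

# Constructed stand-in for the mailer's record of a sent notification.
SENT = {"4321": {"key": "918273645", "node": "WFMAIL", "to": "jsmith@example.com"}}


def check_response(raw, allow_forwarded=True):
    """Return 'accepted', 'rejected' or 'unsolicited' (hypothetical result names)."""
    msg = message_from_string(raw)
    match = NID_LINE.search(msg.get_payload())
    if match is None:
        # Prefix, bracket or details missing: the NID line was not copied in full.
        return "rejected"
    nid, key, node = match.groups()
    sent = SENT.get(nid)
    if sent is None or node != sent["node"]:
        return "rejected"
    # Compare the access key in constant time so timing does not leak a partial match.
    if not hmac.compare_digest(key.encode(), sent["key"].encode()):
        return "rejected"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not allow_forwarded and sender != sent["to"].lower():
        # From: does not match the original recipient, e.g. a forwarded copy.
        return "unsolicited"
    return "accepted"


def make_reply(sender, body):
    """Build a constructed plain-text reply for the demonstration."""
    return f"From: {sender}\nSubject: RE: Action Required\n\n{body}"


if __name__ == "__main__":
    full = "Approve\n\n> NID[4321/918273645@WFMAIL]\n"
    cut = "Approve\n\n> NID[4321/918273645@WFMAIL\n"  # closing bracket lost
    print(check_response(make_reply("jsmith@example.com", full)))
    print(check_response(make_reply("jsmith@example.com", cut)))
    print(check_response(make_reply("other@example.com", full), allow_forwarded=False))
```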

Responses through the Notification Detail Link Attachment

HTML-formatted e-mail notifications with attachments and plain text e-mail notifications with HTML attachments include an attachment called Notification Detail Link. When this link is clicked, it displays the notification in the Notification Details Web page. A user who receives a notification with a Notification Detail Link attachment can use this Web page to respond directly to the notification, instead of sending an e-mail response message to be processed by a notification mailer.

You can choose whether to require users to log in before they can access the Notification Details Web page for a notification through the Notification Detail Link.

For Oracle Applications:

Note: If you enabled guest access but no longer want to allow it, you can disable it by setting the WF: GUEST Access to Notification profile option to Disabled and setting an end date for the grant you created. Then stop and restart Oracle HTTP Server and, in Oracle Applications Manager, stop and restart the service component container named Workflow Mailer Service. Users will then always be required to log in before they can access the Notification Details page from the Notification Detail Link.

For standalone Oracle Workflow:

E-mail Notification Summaries

Instead of individual e-mail notifications, users can also receive e-mail summaries listing all their open notifications. Users can indicate that they want to receive e-mail summaries by choosing a notification preference of SUMMARY or, for Oracle Applications only, SUMHTML.

To send e-mail summaries, schedule a Launch Summary Notifications event for a notification mailer. For the seeded Workflow Notification Mailer, the Launch Summary Notifications event is scheduled to send e-mail summary notifications once a day by default.

Confirming Responses with Electronic Signatures

In Oracle Applications, you can require that the response to a notification be signed with either a password-based signature or a certificate-based digital signature. In this case, users cannot respond to that notification through e-mail. Instead, they must respond to the notification from the Notification Details web page and enter the appropriate type of signature. To access the Notification Details page, users can either log in to Oracle Applications separately or, if their notification preference includes HTML attachments, use the Notification Detail Link.

Use the special message attribute #WF_SIG_POLICY to specify the signature policy for a notification. See: #WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide.

Excluding Notification Content From E-mail

If a particular notification contains sensitive information that you do not want to send in e-mail, you can choose to exclude the content of the notification from the e-mail version of the notification. In this case, users receive an e-mail message that only informs them that they must instead access the notification through the Notification Details web page to view the content and respond. To access the Notification Details page, users can either log in to Oracle Applications separately or, if their notification preference includes HTML attachments, use the Notification Detail Link.

Use the special message attribute #WF_SECURITY_POLICY to specify the content security policy for a notification. See: #WF_SECURITY_POLICY Attribute, Oracle Workflow Developer's Guide.

Sending Outbound E-mail Notifications Only

If you do not want to allow responses by e-mail, you can choose to send only outbound e-mail notifications. To configure your notification mailers for outbound-only processing, set the inbound thread count to 0 (zero) in the configuration wizard for each notification mailer.

When you set up an outbound-only mailer, you should configure the mailer to use message templates for response-required notifications that do not request a response by e-mail, but instead direct recipients to respond from the Notification Details Web page. For example, you can configure the mailer to send response-required notifications using the Workflow View From UI message template, which is an alternative template provided by Oracle Workflow in the System: Mailer item type, or create your own custom message templates. The outbound-only mailer can still use the standard message templates to send outbound summary notifications or For Your Information (FYI) notifications that do not require a response.

Disabling E-mail Notifications

Ultimately, the security of e-mail notifications depends on the security of your e-mail application. If you do not want to send any workflow information by e-mail, you can choose not to run any notification mailers at all. In this case users must always log on to Oracle Workflow and access the Worklist web page to view and respond to their notifications.

See: Implementing Notification Mailers

See: Notification Preferences

See: Plain Text E-mail

See: HTML-Formatted E-mail with Attachments

See: HTML-Formatted E-mail

See: Plain Text E-mail with an HTML Attachment

See: Setting Up Notification Mailers

See: Inbound Notification Mailer Processing

See: Overview of Notification Handling, Oracle Workflow User's Guide


Copyright © 2003, 2004, Oracle. All rights reserved.