My suggestion:
1. Create a general system procedure that gives requirements that any system you choose must meet. Include all the applicable FDA 21 CFR 11 requirements.
2. Choose your system (e.g. in your case, Oracle ERP)
3. Validate the system against the requirements in (1).
4. (if necessary) Create a work-instruction for staff on using the specific system you've chosen.
Depending on how stuff fits together, you might be able to just tack-on "system access and security" requirements in your documentation control procedure.