Advanced Controls access and user security for superusers con8824

External Auditor relies 100% on Oracle Advanced Controls for assessing Segregation of Duties at a customer
Presentation Transcript

    • Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal
    • @OracleAdvCntrls: Post Questions Before, During and After
    • The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
    • Advanced Access and User Security for Oracle Applications. Mark Stebelton, CPA, CFE, Director, Product Management, Oracle; Brian Amato, CPA, CISA, Director, Client Services, Fulcrum Way; Reza B’Far, Vice President, Development, Oracle
    • Program Agenda
      • Twitter Topic Review
      • Oracle Advanced Controls Overview (Mark)
      • Implementation Review, Tips and Tricks (Brian)
      • GRC Extensibility (Reza)
      • Questions
    • Oracle Advanced Controls Product Overview
    • Standard Controls: User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning, Ethics Policy
    • Standard + Advanced Controls
      • Advanced Controls: Sentiment Analysis, Split Purchase Orders, Hide Displays of Sensitive Data, Duplicate Payments, Transaction Threshold Amounts, Duplicate Vendors, Fine-grained User Access, Configuration Snapshots & Audit Trail, Transaction Pattern Analysis, Fuzzy Logic (‘similar values’)
      • Standard Controls: User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning, Ethics Policy
    • GRC Advanced Controls: One Enterprise Foundation
      • Enterprise Risk & Controls Foundation: Dashboards, Reports and Alerts; Notifications; Worklists; Email; Perspectives; Search
      • Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
      • Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions, User Authored Controls, Data Connectors, Fraud & Error Patterns
      • Role Based Access Security; Web Services & APIs; Custom or Legacy Applications
      • Comprehensive: Enterprise Risk Management; Financial Governance; Continuous Controls Monitoring
      • Flexible: Graphical Authoring; Detect and Prevent; Access, Transactions, Setups
      • Data Driven (Big Data): 100% of Transactions; Manage by Exception; Optimize Processes
    • Advanced Controls Approach: Fusion Platform with Dashboards, Alerts & Drilldowns
    • Advanced Controls – Embedded Dashboards: Embedded intelligence provides visibility into multiple control and process areas.
    • Advanced Controls – Embedded Dashboards: Move away from siloed information; multiple ERPs monitored from a single application.
    • Advanced Controls – Business Process Monitoring: Automatic alerts notify appropriate personnel for action; actionable insight to drive the business forward.
    • Advanced Controls Demonstration: Sophisticated Controls Monitoring and Enforcement Engine
    • Technical Innovation (Engine): Correlate Events and Detect Policy Violation
      • Example (diagram): User John Doe holds Role Shipping Supervisor and Role Shipping Clerk; Function Tracking POs > Form Receiving; Function Purchase Orders > Tab Review PO; Vendor Acme, Transaction Order 123, Action Submit PO, Action Signature Receipt
      • Complete User Access Path
      • Relate Access to Actual Transactions
      • Connect to any provisioning engine
      • Extend to any authorization model
    • Oracle SOD Solution – Principles: SOD Platform Requirements for Enterprise Scale Customers (platform capability: business benefit)
      • Analysis of privileges at atomic level: ensure reliance by external auditors, eliminate both false positives and false negatives
      • Analysis across multiple applications and instances: enable SOD policies for users with privileges across multiple applications and/or instances
      • Analysis for any authorization model: enable enforcement of SOD policies for any critical business application
      • Capture entire User Access Path: enable optimal resolution of SOD conflicts by redesign of roles and privileges
      • Web Services to work with any user provisioning workflow: enable compliant provisioning that is agnostic to multiple user provisioning workflows
      • Automatic status updates of violations with Visual Audit Trail: reduced analysis and remediation effort through self-learning based on prior decisions
      • Integration with SOA to automate SOD exception actions: integration with SOA to allow tailored integrations with existing workflow applications
      • Exception-based user access attestation process: eliminate redundant effort to attest every quarter if nothing has changed (position, roles etc.)
      • Automated SOD Policy Documentation and Assessment: comprehensive documentation and automated periodic assessment of SOD policies
    • Access Analysis
      • Create Conflict Conditions: Single/Cross Platform; Entitlement/Single Access Point
      • Remove False Positives
    • Macro and Micro Access Controls Examples (EBS example)
      • Entitlement “Enter Invoice” (element and description): Open Interface Invoices (AP_APXIIFIX); Invoice Batches (AP_APXINWKB_BATCHES); Invoices (AP_APXINWKB)
      • Entitlement “Create Suppliers”: Vendors (APXVDMVD); Enter Suppliers (PN_APXVDMVD); Suppliers (AP_APXVDMVD); Merge Suppliers (AP_APXVDDUP)
      • Macro Access Control “Enter Invoice & Create Suppliers” translates to twelve distinct Micro Access Controls: Open Interface Invoices vs Vendors; Open Interface Invoices vs Enter Suppliers; Open Interface Invoices vs Suppliers; Open Interface Invoices vs Merge Suppliers; Invoice Batches vs Vendors; Invoice Batches vs Enter Suppliers; Invoice Batches vs Suppliers; Invoice Batches vs Merge Suppliers; Invoices vs Vendors; Invoices vs Enter Suppliers; Invoices vs Suppliers; Invoices vs Merge Suppliers
      • When entitlements are used, each access point in the entitlement is considered as an ‘or’ in relation to the others
    • Remove False Positives
      • Define. Examples: Exclude inactive users; Exclude specific superuser Responsibilities; Exclude when not in the same operating unit or ledger; Include only for a single business unit
      • User Defined Access Points: Define a specific path to analyze; Build using the access points of the target datasource; Use as any other access point
      • Condition Approaches: Specifically Include; Specifically Exclude
      • Condition Types: Global – apply to ALL models and controls; Global Path – exclude a specific access path; Model/Control Level – applies only to that model/control
      • Examples: EBS: Responsibility > Menu > Function; PSFT: Menu > Component > Page
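The two slides above describe how a macro access control over two entitlements expands into micro access controls (every access point in one entitlement is an 'or' against every access point in the other) and how conditions strip false positives. The following is an added illustration, not Oracle's code: it expands the slide's "Enter Invoice & Create Suppliers" control into its micro controls and evaluates constructed EBS-style access paths against them while applying the inactive-user, excluded-responsibility and same-operating-unit conditions. All users, menus, responsibilities and operating units are constructed.

```python
"""Added example (not Oracle's code): macro-to-micro access control expansion
plus the false-positive conditions the slides list. All sample data is constructed."""
from dataclasses import dataclass
from itertools import product

# Entitlements as given on the slide: access points inside one entitlement are 'or'.
ENTITLEMENTS = {
    "Enter Invoice": ["AP_APXIIFIX", "AP_APXINWKB_BATCHES", "AP_APXINWKB"],
    "Create Suppliers": ["APXVDMVD", "PN_APXVDMVD", "AP_APXVDMVD", "AP_APXVDDUP"],
}

def micro_controls(entitlement_a, entitlement_b):
    """One macro control (A & B) translates to |A| * |B| distinct micro controls."""
    return list(product(ENTITLEMENTS[entitlement_a], ENTITLEMENTS[entitlement_b]))

@dataclass(frozen=True)
class AccessPath:
    """EBS-style path Responsibility > Menu > Function, plus the operating unit it applies to."""
    user: str
    responsibility: str
    menu: str
    function: str        # the access point reached by this path
    operating_unit: str

def find_conflicts(paths, active_users, entitlement_a, entitlement_b,
                   excluded_responsibilities=frozenset(), same_operating_unit=True):
    """Return (user, path_a, path_b) for every user who holds a path into each
    entitlement, after applying the conditions."""
    # Global condition: inactive users are never reported.
    live = [p for p in paths if p.user in active_users]
    # Global Path condition: drop paths that run through an excluded (superuser) responsibility.
    live = [p for p in live if p.responsibility not in excluded_responsibilities]
    hits = []
    for ap_a, ap_b in micro_controls(entitlement_a, entitlement_b):
        for pa in (p for p in live if p.function == ap_a):
            for pb in (p for p in live if p.function == ap_b and p.user == pa.user):
                # Model/Control-level condition: exclude when not in the same operating unit.
                if same_operating_unit and pa.operating_unit != pb.operating_unit:
                    continue
                hits.append((pa.user, pa, pb))
    return hits

# Constructed sample data (users, responsibilities, menus and OUs are made up).
PATHS = [
    AccessPath("jdoe", "Payables Super User", "AP_NAVIGATE", "AP_APXINWKB", "US"),
    AccessPath("jdoe", "Purchasing", "PO_NAVIGATE", "AP_APXVDMVD", "US"),
    AccessPath("asmith", "Payables Super User", "AP_NAVIGATE", "AP_APXINWKB", "US"),   # inactive user
    AccessPath("asmith", "Purchasing", "PO_NAVIGATE", "AP_APXVDMVD", "US"),
    AccessPath("sysadm", "System Administrator", "SYSADMIN", "AP_APXIIFIX", "US"),      # excluded responsibility
    AccessPath("sysadm", "System Administrator", "SYSADMIN", "APXVDMVD", "US"),
    AccessPath("mlee", "Payables", "AP_NAVIGATE", "AP_APXINWKB_BATCHES", "US"),
    AccessPath("mlee", "Purchasing", "PO_NAVIGATE", "AP_APXVDDUP", "EMEA"),             # different OU
]
ACTIVE = {"jdoe", "sysadm", "mlee"}

def report(same_operating_unit=True):
    """Users with an 'Enter Invoice & Create Suppliers' conflict under the conditions."""
    hits = find_conflicts(PATHS, ACTIVE, "Enter Invoice", "Create Suppliers",
                          excluded_responsibilities={"System Administrator"},
                          same_operating_unit=same_operating_unit)
    return sorted({user for user, _, _ in hits})

if __name__ == "__main__":
    print(len(micro_controls("Enter Invoice", "Create Suppliers")), "micro controls")
    print("same OU only:", report())
    print("any OU:", report(same_operating_unit=False))
```

Dropping the same-operating-unit condition brings mlee back into the report, which is exactly the false positive the slide's "exclude when not in the same operating unit or ledger" condition removes.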
    • Transaction Controls – Author, Deploy & Monitor. Elevated Productivity – Optimize Process & Empower Users
      • Library of pre-defined Advanced Controls (and extensible)
      • Ability to build new controls by business owners (no coding)
      • 100% transaction coverage (no more sampling)
    • Transaction Filtering Logic: String, Integer, Numeric, Date, Functions, AND/OR
    • Advanced Controls Demonstration: Many Types of Controls against Various Business Applications
    • Access Hierarchy Example – Oracle EBS: Role > Responsibility > Menu > Sub-Menu > Function (access points, e.g. Function: Create Invoice, Function: Create Customer). Other important attributes: Operating Units, Data Groups, Set of Books, etc.
    • Access Connector Example: EBS
      • Covers critical access points across business processes in EBS including Financials, HR, Procure to Pay and Order to Cash
      • Includes 2,500+ Micro Access Controls
      • Includes 28,000+ Access Points available for extending controls: ~1,700 Responsibilities, ~5,400 Menus, ~4,700 Concurrent Programs, ~16,500 Functions, ~28,300 Access Points in total (amounts will vary by environment)
    • Enterprise Risk Graph (diagram of nodes for Systems, Users, Roles, Transactions, Setups and Master Data)
    • Access AND Transaction SOD Analysis (diagram)
      • Access: System EBS EMEA > User JOHN > Role Receivables ADMIN reaches Function EDIT CUSTOMER via Menu CUSTOMER > Submenu CUSTOMER ENTRY > Submenu QUICK UPDATE, and Function ORDER RELEASE via Menu ORDER MGT > Submenu ORDER ENTRY
      • Transaction: JOHN changes customer ship-to for ACME and processes order for ACME
    • Sensitive (Superuser) Transaction and Sensitive Access Monitoring: Top 10 Deployed SOD Transaction Controls
      • Sensitive Transaction Controls (aka Superuser Analysis): 11020 STC: Monitor Payments; 11030 STC: Monitor Purchase Orders; 11050 STC: Monitor Suppliers; 11070 STC: Monitor Procurement Payment Terms; 11100 STC: Monitor Payables Bank Accounts; 11110 STC: Monitor Payables System Setups; 11120 STC: Monitor Payables Options: Payments; 11140 STC: Monitor Payables Options: Tax; 11180 STC: Monitor Payables Options: Invoices; 11210 STC: Monitor Journal Entries
      • Sensitive Access Monitoring Controls: 2370 SAM: Same user created Payables Invoice and Payment; 2380 SAM: Same user created Purchase Order and Payables Invoice; S390 SAM: Same user created Purchase Order and Received Goods and Services; 2400 SAM: Same user created Supplier and Approved Purchase Order; 8570 SAM: Same user created Supplier and Payables Invoice; 2420 SAM: Same user created Supplier and Payment; 2430 SAM: Same user created Supplier and Purchase Order; 2730 SAM: Same user created Journal Entry and Payables Invoice; 2770 SAM: Same user created Journal Entry and posted Journal Entry; 2570 SAM: Same user created Supplier and setup Auto Create Purchase Orders
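The "Access AND Transaction" slide and the Sensitive Access Monitoring controls above both hinge on one check: the same user performed both halves of a conflicting pair of actions, and (for the slide's ACME case) on the same business entity. The following is an added illustration, not Oracle's code: it runs two SAM controls from the slide (ids 8570 and 2370) plus a constructed ship-to/order-release control over a constructed transaction log. Action names, the third control id and every log entry are constructed.

```python
"""Added example (not Oracle's code): a transaction-level SOD check of the kind the
Sensitive Access Monitoring controls describe, over a constructed transaction log."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Txn:
    when: datetime
    user: str
    action: str   # constructed action names, e.g. "create_supplier"
    entity: str   # business entity touched: supplier or customer name
    ref: str      # document reference: supplier id, invoice, payment or order number

# (control id, description, first action, second action, require same entity).
# Ids 8570 and 2370 are from the slide; "X-CUST" is a constructed id for the ACME case.
CONTROLS = [
    ("8570", "Same user created Supplier and Payables Invoice",
     "create_supplier", "create_ap_invoice", True),
    ("2370", "Same user created Payables Invoice and Payment",
     "create_ap_invoice", "create_payment", True),
    ("X-CUST", "Same user changed Customer ship-to and released Order",
     "update_customer_shipto", "release_order", True),
]

def evaluate(log, controls=CONTROLS):
    """Return incidents as (control id, user, entity, first ref, second ref).
    This example also requires the second action to occur no earlier than the first,
    so an invoice raised before the supplier record existed is not paired with it."""
    by_user_action = defaultdict(list)
    for t in log:
        by_user_action[(t.user, t.action)].append(t)
    incidents = []
    for cid, _desc, act_a, act_b, same_entity in controls:
        for user in sorted({u for (u, a) in by_user_action if a == act_a}):
            for ta in by_user_action[(user, act_a)]:
                for tb in by_user_action.get((user, act_b), []):
                    if same_entity and ta.entity != tb.entity:
                        continue          # both actions must touch the same entity
                    if tb.when < ta.when:
                        continue          # second action must follow the first
                    incidents.append((cid, user, ta.entity, ta.ref, tb.ref))
    return incidents

# Constructed sample log.
T = datetime
LOG = [
    Txn(T(2013, 9, 2, 9, 0), "jane", "create_supplier", "Acme Supply", "S-5"),
    Txn(T(2013, 9, 2, 12, 0), "jane", "create_ap_invoice", "Acme Supply", "INV-1"),
    Txn(T(2013, 9, 2, 12, 30), "jane", "create_ap_invoice", "Other Co", "INV-2"),  # jane did not create Other Co
    Txn(T(2013, 9, 2, 13, 0), "bob", "create_ap_invoice", "Acme Supply", "INV-3"),
    Txn(T(2013, 9, 2, 14, 0), "bob", "create_payment", "Other Co", "PAY-2"),        # different entity
    Txn(T(2013, 9, 2, 15, 0), "paul", "create_payment", "Acme Supply", "PAY-1"),    # different user than INV-3
    Txn(T(2013, 9, 3, 10, 0), "john", "update_customer_shipto", "ACME", "C-1"),
    Txn(T(2013, 9, 3, 11, 0), "john", "release_order", "ACME", "SO-77"),
]

def incidents():
    """Incidents raised over the constructed log."""
    return evaluate(LOG)

if __name__ == "__main__":
    for inc in incidents():
        print(inc)
```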
    • Advanced Access and Security
    • AACG – Finding Conflicts: SOD Conflict across EBS and PSFT
      • EBS: User: Janie Adams > Responsibility: Sales Super User (Operations) > Menu: AR_Navigate_GUI12 > Submenu: AZN_AR_Invoices_Entry > Function: Order
      • PSFT: Page: Create Customer; Job Role: Receivables Management; Permission: Create Customers
    • Interpreting Access Conflicts: Finding the Right Path to Resolution
      • User > Role > Permission List > Menu > Panel Component > Page Definition
      • Remove Menu Path Conflicts
    • Simulate Changes: Know the Impact Before Committing Changes to the ERP
      • Identify the changes to be made
      • Click to create a change management work order
      • Review impact of changes
      • Create change request work order for System Administrator
    • The FulcrumWay Experience
    • Advanced Access and User Security for EBS and Oracle Fusion Applications. Brian Amato, CPA, CISA, Client Service Director, FulcrumWay
    • Agenda
      • Objectives, Drivers, Scope
      • Implementation Approach
      • Achievements and Benefits
      • Lessons learned
      • GRC Extensibility
    • Objectives, Drivers, Scope
      • Upgrade 8.6.3 to 8.6.4
      • Analyze SOD risks for EBS Financials and PSFT HR and Payroll
      • Define conditions to remove false positives
      • Implement new security model
    • Implementation Approach
      • Risk-based approach
      • Used Oracle’s seeded content
      • Understand changes from 8.6.3 to 8.6.4
    • FulcrumWay™ Application Controls Management Best Practices (diagram)
      • Cycle: Assess Risk > Detect Violations > Analyze Issues > Remediate Issues > Implement Corrective Actions > Monitor Application Environment
      • Activities: Scope Application Controls; Sample ERP Data; Manage Exceptions; Setup Preventive Controls; Establish Test Environment
      • Roles: IT/Business Control Teams; Application Controls Manager; Application Security Administrator
    • Oracle Seeded Content: Human Resources User Access Model Names
      • Maintain Employees & Modify Employee Salary
      • Maintain Employees & Process Payroll
      • Modify Employee Position & Process Payroll
      • Modify Employee Position & Maintain Employees
      • Modify Employee Position & Modify Employee Salary
      • Process Payroll & Modify Employee Salary
    • New Features in 8.6.4
      • User Experience
      • New Content
      • Relationship Assignments
      • Improved Search and Detection Engine
      • Setup and Administration
      • Performance Optimization
      • New Security Model
    • Achievements and Benefits
      • Able to secure EBS Financial data from HR/Payroll data!
      • Running a single instance of AACG for EBS Financials and PeopleSoft HR/Payroll
      • Lower costs of compliance
      • Lower IT burden and increased agility
    • Lessons Learned
      • Hardware/Software Certification Matrix
      • PeopleSoft Security Model
      • AACG Security Model
    • Access Hierarchy – PeopleSoft: User Profile > Role > Permission List > Menu > Component > Page Definition (access points). Evaluate User Access: Test by User Profile; Test by Page
    • Access Hierarchy – Oracle EBS: Role > Responsibility > Menu > Sub-Menu > Function (access points)
    • 8.6.4 Security Model
    • 8.6.4 Security Model: Security Components
    • 8.6.4 Security Model
      • Leveraging Perspectives to plan and design AACG security and incident management
      • Examples of Perspectives aid in the definition of Data Roles
      • A Perspective can span multiple ERP instances and types (PS, EBS)
      • A Perspective gets created for each datasource
      • Perspectives can define which users have security to AACG Controls and Incidents
    • GRC Extensibility: AACG with EBS and PeopleSoft
    • The Extensibility of Oracle Advanced Controls
    • Pre-Built Integrations (diagram): Continuous SOD Controls Monitoring connected through pre-built, extensible and partner pre-built connectors to Custom or Legacy Applications (e.g. Customer Care & Billing)
    • What is Extension? Work done by end users and their developers to add new abilities to GRCC
      • Why is it valuable? Gives you the ability to extend standard functionality to meet your unique needs
      • What product does it span? EGRCM and EGRCC 8.x in a single platform
      • Ways to Extend GRCC (by expertise, create a new…): End user: Model, Control, Incident; Developer: Business object, Connector, Pattern, API/Web Service
    • Risk Management: Clearly Separated Skill Sets (table)
      • Extension types (columns): Connectors; Controls; Business Objects; Advanced Extensions
      • Skill sets (rows): General Domain Knowledge (Financial, Medical, SCM, etc.); Business Application System Experts (EBS, PSFT, etc.); Application Engineer or Software Engineer; Actuarial Skills; Specific Domain Knowledge (P2P, GL, T&E, etc.); DBA’s, ETL Users or Analytic App. Builders
      • Skill set requirement per cell: Required, Preferred, or Not Required
      • Allows us to build an internal factory for building meta-data cost-effectively
      • Provides the platform for a future ecosystem of meta-data
      • SDLC: minimizing risk in execution through reduction of Knowledge Diffusion
    • High-Level Platform Extensibility Points
      • Getting Data into GRC for Analysis
      • OWL (Ontology Web Language) – an XML language
      • Web Services
      • Custom Objects
      • Advanced extensions – Java
      • Extending the Workflows & Reporting
      • Both RESTful & SOAP Web Services available
      • SOA Integration out of the box
      • Data Analytics for Custom Reporting and Dashboards
      • Physical and Logical Security that follows the GRC Security Model
    • Focus – GRC Controls Extensibility
      • Takes a picture of various aspects of your system: authorization model, transaction model, others
      • Then it searches for exceptions (violations); controls are the criteria the system uses to search
      • Points of Extensibility: different ways by which it searches; different data sources through which it searches; different ways it can provide the results (web services, etc.)
      • Provides workflows for remediation of the exceptions
    • When do you need extensibility?
      • Connecting to a custom application or COTS/ERP for which there exists no pre-built connector
      • Custom data or behavior that needs to be added to application(s) that aren’t supported out of the box (PSFT, EBS, etc.)
      • Adding custom reports to the system – the Data Analytics data-mart provides an open analytic schema for all discovered violations and other data for custom reports, with a robust security model for the analytic data-marts
      • Besides extensibility, a core feature of the product is custom objects: you can import data directly into the user interface of the application through a spreadsheet format (Microsoft Excel).
    • Examples of Extensibility (extensibility point: use-case)
      • GRC Web Services: User Provisioning Requests (OIM, Fusion, etc.) using GRC APIs for near-real-time checks to see if a user should be provisioned a given set of roles
      • GRC Connectors: UCM Connector allowing expense receipts (hotel folios, etc.) to be analyzed using the GRC Text Analysis and reasoning engine
      • GRC Connectors: Connecting to Health-Care applications via their native protocols or HL7 to find Health-Care fraud and/or waste
      • Workflow Extensibility: EGRCM and EGRCC SOA (SOAP), REST, and BPEL Extensibility
      • Data Analytics: Custom Reports and Analytics
    • GRC Data Analytics
      • The GRC Transactional Schema is CLOSED – you may not access it. GRC Data Analytics is the way for you to extract data to build your own reports and analytics
      • The GRC Data Analytic Schema includes: summarized data in a properly normalized format for reporting (fact tables, dimensions, and other normalized forms, all tuned for the purposes of reporting and analytic dashboards); full physical and logical security (GRC Users and Roles become Database Users and Views, allowing proper mirroring of data-level security in the application); population on demand or on a scheduled basis; data for both EGRCC and EGRCM
    • Conclusion
    • Impact of Oracle Advanced Controls: PwC Case Study
      • “…only two years after the implementation…, the external auditor relies 100 percent on Oracle GRC to assess security segregation of duties at the client.” (PwC)
      • Addressed material weakness resulting from security and compliance issues: inappropriate access being granted; access granted without approval; access not reviewed; access not approved in a timely manner
      • Source: PwC Whitepaper: Optimizing ERP Projects with GRC’s Advanced Financial Controls
    • ?’s
    • @OracleAdvCntrls Oracle GRC Advanced Controls: Join Our LinkedIn Group; Follow us on Twitter