Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance
 

Provide automatic role provisioning across multiple systems while avoiding human error and checking SOD in one process.

    Presentation Transcript

    • Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal1
    • Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls. Stephanie Golly, Sr. Principal Product Manager, Oracle; Kent Spaulding, Sr. Principal Software Engineer, Oracle
    • The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
    • Introductions: Stephanie Golly, Oracle
      – Product Manager for Application Access Controls Governor (AACG)
      – Working with Oracle products for 10+ years
      – Worked for startup that was eventually acquired by Oracle
      – Located in Coeur d’Alene, Idaho
      – (quite possibly the prettiest place on Earth?) When I’m not doing Oracle stuff, I also enjoy riding bikes, boating, hiking, kayaking, outdoor activities!
    • Introductions: Kent Spaulding, Oracle
      – Software Architect for Oracle Advanced Controls
      – Working in Software for 20+ years
      – Expertise in Identity Management, Security, Data Analytics
      – Located in Portland, Oregon
      – (quite possibly the prettiest place on Earth?) When I’m not doing Oracle stuff, I ride (many) bikes, play disc golf, enjoy telemark skiing and other outdoor activities.
    • Agenda
      • User Access Management Business Concerns
      • An Automated look at User Management
      • A closer look at Segregation of Duties
      • Integrating Oracle Identity Management with Application Access Controls Governor – a Case Study
      • Realizing the Benefits
    • User Access Management: What are your Organization's Business Concerns?
      • Do users have appropriate access?
      • Will the access cause Segregation of Duties conflicts?
      • Users require access to multiple systems
      • User On-Boarding, Transfers and Off-Boarding is time and resource intensive
    • User Access Management: What does your process look like?
      • User On-Boarding, Transfers and Off-Boarding is time and resource intensive
    • User Access Management: How are you managing security in a complex system?
      • Do users have appropriate access?
      • Will the access cause Segregation of Duties conflicts?
      • More People, More Systems, More Logistics
    • Segregation of Duties (PeopleSoft, EBS). User: Janie Adams; Responsibility: Payables Super User (Process Operations); Menu: AP_Navigate_GUI12; Submenu: AZN_AP_Invoices_Entry; Function: Payments; Privilege: Create Purchase Order; Role: Buyer; Permission List: Buyer Duty; SOD Conflict
    • How are you going to balance objectives? Security and Compliance; User Access
    • Enforcing Segregation of Duties with Identity Management and Advanced Controls: SOD Check
    • Why is Segregation of Duties needed? [Diagram labels: Create Supplier; Invoice; Create Payment; Supplier; Create Supplier + Create Payment for same supplier; Create Supplier ≠ Create Payment for supplier]
    • Who was accused of stealing? [Quiz slide. Names: Mr. J (Left), Miss H, Miss G, Miss O, Miss D, Mr. P, Miss L, Miss R, Mr. D. Amounts: $82K, $5K, $5 Million, $300K, $17 Million, $15K, $280K, $15K, $350K]
    • Web of Control Issues: False Invoices; Inaccurate Financial Reports; Unapproved or Illegal Suppliers; Delayed Supplier payments; Fraudulent Checks; Unauthorized Journal Entries; Inaccurate Manual Journal Entries; Unauthorized Pay Increases; Duplicate Payments; Bank Account Changes; Unused Credit Memos; Split Purchase Orders; Invalid or Duplicate Supplier Master; Statutory Audit Findings; Incorrect Payment Terms; Overpayments to Vendors; Personal Purchases on Corporate Credit Card; Missing Prices; Unauthorized Credit; Unauthorized Access; Unusual Returns
    • The Key is to Automate by… Enforcing Segregation of Duties with Oracle Identity Management
    • Advanced Controls
      • Advanced Controls Foundation
      • Access Controls Governor
      • Pre-Built Integrations
      • Demonstration
    • Advanced Controls Foundation: Custom or Legacy Applications; Fusion Platform with Dashboards, Alerts & Drilldowns; Sophisticated Controls Monitoring and Enforcement Engine; Many Types of Controls against Various Business Applications
    • Advanced Controls – Embedded Dashboards
      • Move away from silo’d information
      • Multiple ERPs monitored from a single application.
      • Control totals and exposure areas in self-serve capacity.
    • Application Access Controls Governor: Enforce Proper Segregation of Duties Across Multiple Systems
      • Accelerate deployment and time to value with pre-delivered controls library
      • Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
      • Simplify segregation of duties enforcement with simulation and remediation
      • [Diagram labels: Define Access Controls; Detection; Prevention; Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies]
    • Pre-Built Integrations: Custom or Legacy Applications; Continuous SOD Controls Monitoring; Pre-built; Extensible; Partner Pre-built; CUSTOMER CARE & BILLING
    • Access Hierarchy Example – PeopleSoft. Access Points: Role; Permission List; Menu; Component; Page Definition; Component; Page Definition. Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
    • Glossary of Terminology (Control Management)
      • Access Point: Any level node in the access model hierarchy for a particular application.
      • Entitlement: A logical grouping of Access points. E.g. All pages that allow a user to create a voucher grouped as a single Entitlement “Create Voucher”
      • Model/Control: A rule that defines toxic combinations of entitlements and/or access points.
    • Demonstration
      • Review Model Definition
      • Analyze Results
      • Modify Entitlement
      • Deploy Control
    • Question: How can we Integrate Oracle Identity Manager with Application Access Controls Governor?
    • Topics
      • Integration
      • Architecture
      • Key Workflows
      • SoD Integration Library
      • Deployment/Configuration
      • Versions
    • ERP Security & SOD for OIM Projects. [Diagram: Oracle Identity Management; Oracle Advanced Controls Access Controls Governor; User Provisioning Web Service (twice); Compliance/Business Review; target systems: EBS Apps, Fusion Apps, Custom, Legacy, …; numbered steps 1 to 5 with labels as extracted: Submit User Access Request; Update User Account; Return SOD Response; Analyze impact and policy overrides if needed; Request for User Access]
    • Integration of OIM and Oracle AACG: Integrate Identity Management and SoD Across Systems
      • Provision Across Multiple Systems
      • Automatic Role Provisioning
      • Increase Efficiency
      • Avoid Human Error
      • Check for Segregation of Duties
    • Integration of OIM and Oracle AACG: Key Workflows
      • Resource Approval Workflow
        – Real-time validation of entitlement assignment requests using AACG.
        – AACG uses predefined rules to determine if the entitlement assignment would lead to SoD violations.
        – The results of the SoD analysis are returned to Oracle Identity Manager.
      • Resource Provisioning Workflow
        – Provisions an entitlement request that has passed the resource approval workflow on the target system.
        – Note: Can be configured to perform the SoD validation a second time, immediately before the entitlement assignment is provisioned to the target system. This ensures SoD compliance.
    • Integration of OIM and Oracle AACG: SoD Invocation Library and Providers
      • SoD Invocation Library (SIL)
        – The SIL is a collection of Java-based adapters that enable integration with OIM Connectors.
      • SIL Providers
        – Specialized adapters integrate the SIL with SoD engines.
        – SIL Providers act as the interface between the SIL and AACG (or other SoD Engines).
      • SoD-enabled OIM Connectors
        – OIM Connectors that know about SoD Workflows.
      • [Diagram labels: Oracle Identity Manager; EBS UM Connector (Entitlement, steps 1 2 3); PeopleSoft UM Connector (Entitlement, steps 1 2 3); SoD Invocation Library (SIL) and Adapters; OAACG SIL Provider; Metadata driven Invocation of OAACG SIL Provider; Preconfigured invocation of OAACG SIL Provider; Oracle Advanced Controls - AACG: Conflict Analysis, SoD Policy Simulation, RDF Graph, AACG DB]
    • Integration of OIM and Oracle AACG: Deploying SIL Providers. Target systems for which SIL registration is provided include:
      • EBS and OAACG
      • PSFT and OAACG
      • SAP and SAP-GRC
    • Integration of OIM and Oracle AACG: Installing OIM Connectors
      • Pre-configured Connectors
        – Oracle e-Business User Management release 9.1.0 and later
        – SAP User Management release 9.1.2.5 and later
      • Installation Information
        – See http://download.oracle.com/docs/cd/E11223_01/index.htm
    • Integration of OIM and Oracle AACG: Configuring the OAACG SoD Engine
      • Steps for Configuring any SoD Engine
        – Import: Import entitlement data from the target system(s) to the SoD engine.
        – Configure: If required, configure SoD validation rules on the SoD engine.
      • Configuring Application Access Controls Governor
        – Install Oracle AACG
        – Create an Oracle AACG Account for SoD Operations
        – Synchronize Role and Responsibility Data from EBS and PSFT
        – Define Access Controls in AACG
        – Enable SoD in OIM
    • Integration of OIM and Oracle AACG: Supported Versions, Other Information
      • OIM 11gR2 and AACG Certified for 8.6.4.5 and up
      • Installation Instructions for OIM Connectors
        – See: http://download.oracle.com/docs/cd/E11223_01/index.htm
      • OIM SoD Documentation (see: http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/segduties.htm) explains how to:
        – Enable SSL in SIL Providers
        – Customize Workflows for non-SoD-ready Connectors
        – Combine Custom Target Systems and SoD Engines
        – Troubleshooting the integration
    • Integrated IDM and OAC Solution: Oracle Advanced Controls Capabilities (table columns: IDM, OAC)
      • Authentication & SSO for all systems
      • Coarse & fine grained authorization for heterogeneous IT systems
      • Account provisioning and de-provisioning
      • Attestation of access
      • Enterprise role management and role based automation
      • Author fine grain access controls in business terms
      • Define single SOD control to span multiple apps
      • Conduct simulations & what-if analysis
      • Pre-built Access, Risk and Compliance Dashboards
      • Deploy Compensating Config & Transaction Controls
      • Pre-built, certified adaptors to EBS, PSFT, Fusion
    • What did they allegedly spend it on? [Quiz slide. Options A, B, C, D: Child's medical bills; Tiara; Gambling sites; Jewelry collection. Names: Miss H, Miss O, Mr. P, Miss G]
    • Enforcing Segregation of Duties with Oracle Identity Management
      • A Customer Case
      • Solution Footprint
      • High-level Integration
      • Business Process Workflow
    • Oracle Identity Management + Oracle Advanced Controls
      • CUSTOMER PROFILE: Global Semiconductor Manufacturer
        – $5+ billion revenue (2011)
        – Privately held
        – Uses OIM+AACG to govern access provisioning in EBS and PSFT
      • Benefits
        – Solution: Detect and prevent inappropriate user access
        – Result: Full enforcement of user access policies in both EBS and PSFT. Streamlined access request approval with better decision support.
    • Solution Footprint (Oracle Solution). Oracle Corporation – Proprietary and Confidential
      • Process areas: Finance; SCM (Pln & Mfg); P2P; O2C; CRM; HCM
      • EBS: General Ledger; Payable; Receivable; Fixed Asset; I Expenses; Incentive Comp; Adv. Collections
      • Hyperion: HP, FDM, HFR
      • EBS: ASCP (CBP); OSFM; ODM; GOP
      • Demantra: DM; S&OP
      • EBS: Order Mgmt; Advanced Pricing; Inventory; WMS; Quoting
      • Global Trade Management / Trade compliance
      • Siebel: Campaign Mgmt; Sales; CRM Base, Manufacturing Option; Remote Client; Marketing server
      • PeopleSoft: core HR; Self Service: Time & Labor; Global Payroll (SG, DE); Payroll Interface; Absence Mgmt; Learning Mgmt; Benefits Admin
      • Application Integration Architecture
      • EBS: Purchasing; iProcurement; Sourcing; Procurement Contract; Service Procurement; Advance Pricing; iSupplier Portal; Quality; WMS; Supplier Life Cycle Mgt; inventory
      • Interfaces to External / Legacy Applications (labels as extracted): E-Forms CIS Data Warehouse LDAP PTSSPACE PEPS BofA 3rd Party (GTC) Bloomberg Visitor Regn Lotus Email E-Portal Adexa MES View Plant Maint. CIMPMS B2B Fidelity B2A Manager Property Mgmt System Security System QuestionMark ADP Payroll OrgPlus Agile PLM
      • Oracle Advanced Controls; Security and IDM
    • OIM – OAC (AACG) Integration. [Diagram labels: Request GL Manager (Already has GL User); Oracle Identity Manager Resource Approval Workflow; Approval Request; Approval/Rejection: 1st Level – Manager, 2nd Level – Business Owner, 3rd Level – Governance Team; Oracle AACG: Controls, Violations; Provision to EBS]
    • OIM to EBS Provisioning with SoD validation in AACG
    • Requesting Role in Self Service
    • SOD Validation and Approval
    • Benefits of Integrating AACG and OIM: Enterprise-wide, cross application SOD and access management solution
      • One-stop proactive user access and SOD management
      • Elimination of redundant user provisioning and SOD management efforts
      • Increased user provisioning / de-provisioning efficiency
      • Improved integration of new applications
      • Increased accountability for user access
      • Reduced audit deficiencies / greater compliance with laws and regulations
      • Improved security / reduction of unauthorized user access
    • Oracle Advanced Controls OOW2013 Sessions & Demo Pod Slides
    • Oracle GRC Advanced Controls: Join Our LinkedIn Group; Follow us on Twitter: @OracleAdvCntrls
    • Demo Workstation: Moscone West 1st Floor #W-013; Demo ID 3532; Workstation #: W-013; Monday 9:45 – 6:00; Tuesday 9:45 – 6:00; Wednesday 9:45 – 4:00
    • Demo Workstation: Moscone West 1st Floor #W-013
    • Learn More About Oracle Advanced Controls: Wednesday
      • Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite: 10:15AM, Moscone West – 3018, CON8816
      • Reducing Risk for Oracle E-Business Suite Upgrades and Implementations: 1:15PM, Moscone West – 3018, CON8830
      • Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades: 3:30PM, Moscone West – 2002 / 2004, CON8832
    • Learn More About Oracle Advanced Controls: Thursday
      • Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications: 2:00PM, Moscone West – 3018, CON8824
      • Meet the Governance, Risk, and Compliance Experts: 12:30PM, Moscone West 2001A, MTE9412
    • Specialized Advanced Controls Partners
      • New Benefit for Advanced Controls owners
      • Specialized Partners:
        – Trained by Oracle: Designing and delivering OAC solutions
        – Demonstrated ability to deliver reliable OAC solutions
      • Coming soon
    • The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
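The glossary slide's model (access points grouped into entitlements, controls defining toxic combinations) and the Key Workflows slide's second validation before provisioning can be shown together in a short Python model. This is an added example, not Oracle's code and not the SIL or AACG API; the access model, entitlement and control names, status strings and the assignment of access points to EBS or PeopleSoft are constructed assumptions, and only the user and role names come from the slides.

```python
from dataclasses import dataclass

# Constructed access model: each grantable (system, role) expands to the leaf
# access points it reaches. Role names are from the slides; the hierarchy and
# the EBS/PSFT assignment are assumptions made for this example.
ACCESS_MODEL = {
    ("EBS", "Payables Super User"): {("EBS", "Payments"), ("EBS", "Invoice Entry")},
    ("EBS", "GL User"): {("EBS", "Journal Inquiry")},
    ("PSFT", "Buyer"): {("PSFT", "Create Purchase Order")},
}
# Entitlement: a logical grouping of access points.
ENTITLEMENTS = {
    "Create Payment": {("EBS", "Payments")},
    "Enter Invoice": {("EBS", "Invoice Entry")},
    "Create Purchase Order": {("PSFT", "Create Purchase Order")},
}
# Control: a toxic combination of entitlements; this one spans two systems.
CONTROLS = {"PO vs Payment": {"Create Purchase Order", "Create Payment"}}


def held_entitlements(grants):
    """Expand grants to access points, then to the entitlements they satisfy."""
    points = set().union(*(ACCESS_MODEL.get(g, set()) for g in grants))
    return {name for name, aps in ENTITLEMENTS.items() if aps & points}


def sod_violations(current, requested):
    """Simulate adding `requested`; return the controls it would newly violate."""
    before = held_entitlements(current)
    after = held_entitlements(set(current) | {requested})
    return sorted(c for c, combo in CONTROLS.items()
                  if combo <= after and not combo <= before)


@dataclass
class Request:
    user: str
    grant: tuple
    status: str = "PENDING"
    violations: tuple = ()


def approve(req, directory):
    """Approval workflow: validate the request before any approver signs off."""
    req.violations = tuple(sod_violations(directory[req.user], req.grant))
    req.status = "NEEDS_REVIEW" if req.violations else "APPROVED"
    return req


def provision(req, directory, recheck=True):
    """Provisioning workflow: optional second validation right before the write."""
    if req.status != "APPROVED":
        return req
    if recheck:
        req.violations = tuple(sod_violations(directory[req.user], req.grant))
        if req.violations:
            req.status = "BLOCKED_AT_PROVISIONING"
            return req
    directory[req.user] = set(directory[req.user]) | {req.grant}
    req.status = "PROVISIONED"
    return req


def demo():
    """Access changes between approval and provisioning; the re-check catches it."""
    directory = {"janie.adams": {("EBS", "GL User")}}
    req = approve(Request("janie.adams", ("PSFT", "Buyer")), directory)
    directory["janie.adams"].add(("EBS", "Payables Super User"))  # granted meanwhile
    return provision(req, directory)
```

With `recheck=False` the same request is provisioned and the user ends up holding both sides of the control, which is the gap the second validation closes.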