Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal1
Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls
Stephanie Golly, Sr. Principal Product Manager, Oracle
Kent Spaulding, Sr. Principal Software Engineer, Oracle

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Introductions
• Stephanie Golly, Oracle
– Product Manager for Application Access Controls Governor (AACG)
– Working with Oracle products for 10+ years
– Worked for startup that was eventually acquired by Oracle
– Located in Coeur d’Alene Idaho – (quite possibly the prettiest place on Earth?)
When I’m not doing Oracle stuff, I also enjoy riding bikes, boating, hiking, kayaking, outdoor activities!

Introductions
• Kent Spaulding, Oracle
– Software Architect for Oracle Advanced Controls
– Working in Software for 20+ years
– Expertise in Identity Management, Security, Data Analytics
– Located in Portland, Oregon – (quite possibly the prettiest place on Earth?)
When I’m not doing Oracle stuff, I ride (many) bikes, play disc golf, enjoy telemark skiing and other outdoor activities.

Agenda
• User Access Management Business Concerns
• An Automated look at User Management
• A closer look at Segregation of Duties
• Integrating Oracle Identity Management with Application Access Controls Governor – a Case Study
• Realizing the Benefits

User Access Management
What are your Organization’s Business Concerns?
• Do users have appropriate access?
• Will the access cause Segregation of Duties conflicts?
• Users require access to multiple systems
• User On-Boarding, Transfers and Off-Boarding are time and resource intensive

User Access Management
What does your process look like?
• User On-Boarding, Transfers and Off-Boarding are time and resource intensive

User Access Management
How are you managing security in a complex system?
• Do users have appropriate access?
• Will the access cause Segregation of Duties conflicts?
More People, More Systems, More Logistics

Segregation of Duties
User: Janie Adams
Responsibility: Payables Super User (Process Operations)
Menu: AP_Navigate_GUI12
Submenu: AZN_AP_Invoices_Entry
Function: Payments
Privilege: Create Purchase Order
Role: Buyer
Permission List: Buyer Duty
SOD Conflict
Systems shown: PeopleSoft, EBS

How are you going to balance objectives?
• Security and Compliance
• User Access

Enforcing Segregation of Duties with Identity Management and Advanced Controls
SOD Check

Why is Segregation of Duties needed?
[Diagram labels: Supplier; Create Supplier; Create Supplier Invoice; Create Payment; Create Supplier + Create Payment for same supplier; ≠ Create Supplier, Create Payment for supplier]

Who was accused of stealing?
Names shown: Mr. J (Left), Miss H, Miss G, Miss O, Miss D, Mr. P, Miss L, Miss R, Mr. D
Amounts shown: $82K, $5K, $5 Million, $300K, $17 Million, $15K, $280K, $15K, $350K

Web of Control Issues
• False Invoices
• Inaccurate Financial Reports
• Unapproved or Illegal Suppliers
• Delayed Supplier Payments
• Fraudulent Checks
• Unauthorized Journal Entries
• Inaccurate Manual Journal Entries
• Unauthorized Pay Increases
• Duplicate Payments
• Bank Account Changes
• Unused Credit Memos
• Split Purchase Orders
• Invalid or Duplicate Supplier Master
• Statutory Audit Findings
• Incorrect Payment Terms
• Overpayments to Vendors
• Personal Purchases on Corporate Credit Card
• Missing Prices
• Unauthorized Credit
• Unauthorized Access
• Unusual Returns

The Key is to Automate by…
Enforcing Segregation of Duties with Oracle Identity Management

Advanced Controls
• Advanced Controls Foundation
• Access Controls Governor
• Pre-Built Integrations
• Demonstration

Advanced Controls Foundation
• Fusion Platform with Dashboards, Alerts & Drilldowns
• Sophisticated Controls Monitoring and Enforcement Engine
• Many Types of Controls against Various Business Applications
• Custom or Legacy Applications

Advanced Controls – Embedded Dashboards
• Move away from silo’d information
• Multiple ERPs monitored from a single application.
• Control totals and exposure areas in self-serve capacity.

Application Access Controls Governor
Enforce Proper Segregation of Duties Across Multiple Systems
• Accelerate deployment and time to value with pre-delivered controls library
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
[Diagram labels: Define Access Controls; Detection; Prevention; Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies]

Pre-Built Integrations
Continuous SOD Controls Monitoring
[Diagram labels: Pre-built; Extensible; Partner Pre-built; Custom or Legacy Applications; Customer Care & Billing]

Access Hierarchy Example – PeopleSoft
Access Points: Role > Permission List > Menu > Component > Page Definition (Component and Page Definition each appear twice in the diagram)
Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
Glossary of Terminology
Control ManagementAccessPoint
Any level node in
the access model
hierarchy for a
particular
application.
Entitlement
A logical
grouping of
Access points.
E.g. All pages
that allow a user
to create a
voucher grouped
as a single
Entitlement
“Create Voucher”
ModelControl
A rule that
defines toxic
combinations of
entitlements
and/or access
points.

Demonstration
• Review Model Definition
• Analyze Results
• Modify Entitlement
• Deploy Control

Question
• How can we integrate Oracle Identity Manager with Application Access Controls Governor?

Topics
• Integration
• Architecture
• Key Workflows
• SoD Integration Library
• Deployment/Configuration
• Versions

ERP Security & SOD for OIM Projects
[Diagram labels: Oracle Identity Management; Oracle Advanced Controls; Access Controls Governor; User Provisioning Web Service (twice); Compliance/Business Review; EBS Apps; Fusion Apps; Custom, Legacy, …]
[Numbered steps 1–5, labels in extraction order: Submit User Access Request; Update User Account; Return SOD Response; Analyze impact and policy overrides if needed; Request for User Access]

Integration of OIM and Oracle AACG
Integrate Identity Management and SoD Across Systems
• Provision Across Multiple Systems
• Automatic Role Provisioning
• Increase Efficiency
• Avoid Human Error
• Check for Segregation of Duties

Integration of OIM and Oracle AACG
Key Workflows
Resource Approval Workflow
• Real-time validation of entitlement assignment requests using AACG.
• AACG uses predefined rules to determine if the entitlement assignment would lead to SoD violations.
• The results of the SoD analysis are returned to Oracle Identity Manager.
Resource Provisioning Workflow
• Provisions an entitlement request that has passed the resource approval workflow on the target system.
• Note: Can be configured to perform the SoD validation a second time, immediately before the entitlement assignment is provisioned to the target system. This ensures SoD compliance.
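
The Glossary of Terminology terms (access point, entitlement, control) and the two Key Workflows can be modelled in a few lines. This is an added example, not code from the slides or from Oracle's products, and it does not use the SIL or AACG APIs. The hierarchy data follows the slide-10 Janie Adams example; the entitlement and control names, the function names, the user "bob" and the placement of "Create Purchase Order" under the PeopleSoft role are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the slide-10 example. An access point is
# (system, node name); HIERARCHY maps a node to its children in the access model.
# Assumption: "Create Purchase Order" sits under the PeopleSoft permission list.
HIERARCHY = {
    ("EBS", "Payables Super User (Process Operations)"): [("EBS", "AP_Navigate_GUI12")],
    ("EBS", "AP_Navigate_GUI12"): [("EBS", "AZN_AP_Invoices_Entry")],
    ("EBS", "AZN_AP_Invoices_Entry"): [("EBS", "Payments")],
    ("PSFT", "Buyer"): [("PSFT", "Buyer Duty")],
    ("PSFT", "Buyer Duty"): [("PSFT", "Create Purchase Order")],
}
EBS_PAYABLES = ("EBS", "Payables Super User (Process Operations)")
PSFT_BUYER = ("PSFT", "Buyer")


@dataclass(frozen=True)
class Entitlement:
    """A logical grouping of access points (glossary term)."""
    name: str
    access_points: frozenset


@dataclass(frozen=True)
class Control:
    """A rule naming a toxic combination of entitlements (glossary term)."""
    name: str
    entitlements: tuple


# Hypothetical entitlement and control names, not taken from any controls library.
MAKE_PAYMENT = Entitlement("Make Payment", frozenset({("EBS", "Payments")}))
CREATE_PO = Entitlement("Create PO", frozenset({("PSFT", "Create Purchase Order")}))
CONTROLS = [Control("Create PO vs Make Payment", (CREATE_PO, MAKE_PAYMENT))]


def reachable(grant):
    """Every access point a top-level grant exposes, including the grant itself."""
    seen, stack = set(), [grant]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(HIERARCHY.get(node, []))
    return seen


def violations(grants, controls=CONTROLS):
    """Names of controls whose every entitlement is reachable from `grants`."""
    held = set()
    for grant in grants:
        held |= reachable(grant)
    return sorted(c.name for c in controls
                  if all(held & e.access_points for e in c.entitlements))


def simulate(current, requested, controls=CONTROLS):
    """What-if analysis: violations the request would add to the current state."""
    before = set(violations(current, controls))
    return [v for v in violations(set(current) | {requested}, controls)
            if v not in before]


def provision(access, user, requested, recheck=True):
    """Grant `requested` to `user`; optionally repeat the SoD check first."""
    current = access.setdefault(user, set())
    if recheck and simulate(current, requested):
        return "REJECTED"
    current.add(requested)
    return "PROVISIONED"


def race_scenario(recheck):
    """Two requests approved against the same snapshot, then provisioned in turn."""
    access = {"bob": set()}
    # Approval-time check: each request alone is clean against Bob's empty access.
    approved = [r for r in (PSFT_BUYER, EBS_PAYABLES)
                if not simulate(access["bob"], r)]
    outcomes = [provision(access, "bob", r, recheck=recheck) for r in approved]
    return outcomes, violations(access["bob"])


if __name__ == "__main__":
    # Slide-10 case: the user already holds the EBS responsibility.
    print(simulate({EBS_PAYABLES}, PSFT_BUYER))
    print(race_scenario(recheck=True))
    print(race_scenario(recheck=False))
```

With the second check disabled, both individually approved requests are provisioned and the user ends up holding the toxic combination; with it enabled, the second request is rejected at provisioning time.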

Integration of OIM and Oracle AACG
SoD Invocation Library and Providers
SoD Invocation Library (SIL)
• The SIL is a collection of Java-based adapters that enable integration with OIM Connectors.
SIL Providers
• Specialized adapters integrate the SIL with SoD engines.
• SIL Providers act as the interface between the SIL and AACG (or other SoD engines).
SoD-enabled OIM Connectors
• OIM Connectors that know about SoD Workflows.
[Diagram labels: Oracle Identity Manager; EBS UM Connector (Entitlement; steps 1, 2, 3); PeopleSoft UM Connector (Entitlement; steps 1, 2, 3); SoD Invocation Library (SIL) and Adapters; Metadata driven Invocation of OAACG SIL Provider; Preconfigured invocation of OAACG SIL Provider; OAACG SIL Provider; Oracle Advanced Controls - AACG; Conflict Analysis; SoD Policy Simulation; RDF Graph; AACG DB]

Integration of OIM and Oracle AACG
Deploying SIL Providers
Target systems for which SIL registration is provided include:
• EBS and OAACG
• PSFT and OAACG
• SAP and SAP-GRC

Integration of OIM and Oracle AACG
Installing OIM Connectors
Pre-configured Connectors
• Oracle e-Business User Management release 9.1.0 and later
• SAP User Management release 9.1.2.5 and later
Installation Information
• See http://download.oracle.com/docs/cd/E11223_01/index.htm

Integration of OIM and Oracle AACG
Configuring the OAACG SoD Engine
Steps for Configuring any SoD Engine
• Import: Import entitlement data from the target system(s) to the SoD engine.
• Configure: If required, configure SoD validation rules on the SoD engine.
Configuring Application Access Controls Governor
• Install Oracle AACG
• Create an Oracle AACG Account for SoD Operations
• Synchronize Role and Responsibility Data from EBS and PSFT
• Define Access Controls in AACG
• Enable SoD in OIM

Integration of OIM and Oracle AACG
Supported Versions, Other Information
• OIM 11gR2 and AACG Certified for 8.6.4.5 and up
• Installation Instructions for OIM Connectors
  See: http://download.oracle.com/docs/cd/E11223_01/index.htm
• OIM SoD Documentation explains how to:
– Enable SSL in SIL Providers
– Customize Workflows for non-SoD-ready Connectors
– Combine Custom Target Systems and SoD Engines
– Troubleshoot the integration
  See: http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/segduties.htm

Integrated IDM and OAC Solution
Oracle Advanced Controls
Capabilities (table columns: IDM, OAC):
• Authentication & SSO for all systems
• Coarse & fine grained authorization for heterogeneous IT systems
• Account provisioning and de-provisioning
• Attestation of access
• Enterprise role management and role based automation
• Author fine grain access controls in business terms
• Define single SOD control to span multiple apps
• Conduct simulations & what-if analysis
• Pre-built Access, Risk and Compliance Dashboards
• Deploy Compensating Config & Transaction Controls
• Pre-built, certified adaptors to EBS, PSFT, Fusion

What did they allegedly spend it on?
Options: A, B, C, D
Answers shown: Child’s medical bills; Tiara; Gambling sites; Jewelry collection
Names shown: Miss H, Miss O, Mr. P, Miss G

Enforcing Segregation of Duties with Oracle Identity Management
• A Customer Case
• Solution Footprint
• High-level Integration
• Business Process Workflow

Oracle Identity Management + Oracle Advanced Controls
CUSTOMER PROFILE
Global Semiconductor Manufacturer
• $5+ billion revenue (2011)
• Privately held
• Uses OIM+AACG to govern access provisioning in EBS and PSFT
Benefits
• Solution:
– Detect and prevent inappropriate user access
• Result: Full enforcement of user access policies in both EBS and PSFT. Streamlined access request approval with better decision support.

Solution Footprint
Oracle Solution
Business areas shown: Finance; SCM (Pln & Mfg); P2P; O2C; CRM; HCM
EBS: General Ledger; Payable; Receivable; Fixed Asset; iExpenses; Incentive Comp; Adv. Collections
Hyperion: HP, FDM, HFR
EBS: ASCP (CBP); OSFM; ODM; GOP
Demantra: DM; S&OP
EBS: Order Mgmt; Advanced Pricing; Inventory; WMS; Quoting
Global Trade Management / Trade compliance
Siebel: Campaign Mgmt; Sales; CRM Base, Manufacturing Option; Remote Client; Marketing server
PeopleSoft: core HR; Self Service; Time & Labor; Global Payroll (SG, DE); Payroll Interface; Absence Mgmt; Learning Mgmt; Benefits Admin
EBS: Purchasing; iProcurement; Sourcing; Procurement Contract; Service Procurement; Advance Pricing; iSupplier Portal; Quality; WMS; Supplier Life Cycle Mgt; Inventory
Application Integration Architecture
Interfaces to External / Legacy Applications: E-Forms; CIS; Data Warehouse; LDAP PTSSPACE; PEPS; BofA; 3rd Party (GTC); Bloomberg; Visitor Regn; Lotus Email; E-Portal; Adexa MES View Plant Maint.; CIMPMS; B2B; Fidelity; B2A Manager; Property Mgmt System; Security System; QuestionMark; ADP Payroll; OrgPlus; Agile PLM
Oracle Advanced Controls
Security and IDM
Oracle Corporation – Proprietary and Confidential

OIM – OAC (AACG) Integration
[Diagram labels: Request: GL Manager (Already has GL User); Oracle Identity Manager; Resource Approval Workflow; Approval Request; Approval/Rejection; 1st Level – Manager; 2nd Level – Business Owner; 3rd Level – Governance Team; Oracle AACG; Controls; Violations; Provision to EBS]

OIM to EBS Provisioning with SoD validation in AACG

Requesting Role in Self Service

SOD Validation and Approval

Benefits of Integrating AACG and OIM
Enterprise-wide, cross application SOD and access management solution
• One-stop proactive user access and SOD management
• Elimination of redundant user provisioning and SOD management efforts
• Increased user provisioning / de-provisioning efficiency
• Improved integration of new applications
• Increased accountability for user access
• Reduced audit deficiencies / greater compliance with laws and regulations
• Improved security / reduction of unauthorized user access

Oracle Advanced Controls
OOW2013 Sessions & Demo Pod Slides

Join our LinkedIn group: Oracle GRC Advanced Controls
Follow us on Twitter: @OracleAdvCntrls

Demo Workstation
Moscone West 1st Floor #W-013
Demo ID 3532
Workstation #: W-013
Monday 9:45 – 6:00; Tuesday 9:45 – 6:00; Wednesday 9:45 – 4:00

Learn More About Oracle Advanced Controls
Wednesday
Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite
• 10:15AM Moscone West – 3018
• CON8816
Reducing Risk for Oracle E-Business Suite Upgrades and Implementations
• 1:15PM Moscone West – 3018
• CON8830
Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades
• 3:30PM Moscone West – 2002 / 2004
• CON8832

Learn More About Oracle Advanced Controls
Thursday
Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications
• 2:00PM Moscone West – 3018
• CON8824
Meet the Governance, Risk, and Compliance Experts
• 12:30PM Moscone West 2001A
• MTE9412

Specialized Advanced Controls Partners
• New Benefit for Advanced Controls owners
• Specialized Partners:
– Trained by Oracle: designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC solutions
• Coming soon

Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance

  • 1.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal1
  • 2.
    Enforce Segregation of Dutieswith Identity Management and Oracle Advanced Controls Stephanie Golly Sr. Principle Product Manager Oracle Kent Spaulding Sr. Principal Software Engineer Oracle
  • 3.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 4.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal4 Introductions  Stephanie Golly, Oracle – Product Manager for Application Access Controls Governor (AACG) – Working with Oracle products for 10+ years – Worked for startup that was eventually acquired by Oracle – Located in Coeur d’Alene Idaho – (quite possibly the prettiest place on Earth? ) When I’m not doing Oracle stuff, I also enjoy riding bikes, boating, hiking, kayaking, outdoor activities!
  • 5.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal5 Introductions  Kent Spaulding, Oracle – Software Architect for Oracle Advanced Controls – Working in Software for 20+ years – Expertise in Identity Management, Security, Data Analytics – Located in Portland, Oregon – (quite possibly the prettiest place on Earth? ) When I’m not doing Oracle stuff, I ride (many) bikes, play disc golf, enjoy telemark skiing and other outdoor activities.
  • 6.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal6 Agenda  User Access Management Business Concerns  An Automated look at User Management  A closer look at Segregation of Duties  Integrating Oracle Identity Management with Application Access Controls Governor – a Case Study  Realizing the Benefits
  • 7.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal7  Do users have appropriate access?  Will the access cause Segregation of Duties conflicts? User Access Management What are your Organizations Business Concerns?  Users require access to multiple systems  User On-Boarding, Transfers and Off- Boarding is time and resource intensive
  • 8.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal8  User On-Boarding, Transfers and Off- Boarding is time and resource intensive User Access Management What does your process look like?
  • 9.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal9  Do users have appropriate access? User Access Management How are you managing security in a complex system?  Will the access cause Segregation of Duties conflicts? More People More Systems More Logistics
  • 10.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal10 User: Janie Adams Responsibility: Payables Super User (Process Operations) Menu: AP_Navigate_GUI12 Submenu: AZN_AP_Invoices_Entry Function: Payments Privilege: Create Purchase Order Role: Buyer Permission List: Buyer Duty SOD Conflict PeopleSoft EBS Segregation of Duties
  • 11.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal11 How are you going to balance objectives? Security and Compliance User Access
  • 12.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal12 Enforcing Segregation of Duties with Identity Management and Advanced Controls SOD Check
  • 13.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal13 Create Supplier Invoice Create PaymentSupplier Create Supplier Create Payment for same supplier + Create Supplier Create Payment for supplier≠ Why is Segregation of Duties needed?
  • 14.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal14 Mr. J (Left) Miss H Miss GMiss O Miss DMr. P Miss LMiss R Mr. D $82K $5K $5 Million $300K $17 Million $15K $280K $15K $350K Who was accused of stealing?
  • 15.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal15 Web of Control Issues False Invoices Inaccurate Financial Reports Unapproved or Illegal Suppliers Delayed Supplier payments Fraudulent Checks Unauthorized Journal Entries Inaccurate Manual Journal Entries Unauthorized Pay Increases Duplicate Payments Bank Account Changes Unused Credit Memos Spilt Purchase Orders Invalid or Duplicate Supplier Master Statutory Audit Findings Incorrect Payment Terms Overpayments to Vendors Personal Purchases on Corporate Credit Card Missing Prices Unauthorized Credit Unauthorized Access Unusual Returns
  • 16.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal16 The Key is to Automate by… Enforcing Segregation of Duties with Oracle Identity Management
  • 17.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal17  Advanced Controls Foundation  Access Controls Governor  Pre-Built Integrations  Demonstration Advanced Controls
  • 18.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal18 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal18 Advanced Controls Foundation Custom or Legacy Applications Fusion Platform with Dashboards, Alerts & Drilldowns Sophisticated Controls Monitoring and Enforcement Engine Many Types of Controls against Various Business Applications
  • 19.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal19 • Move away from silo’d information • Multiple ERPs monitored from a single application. • Control totals and exposure areas in self-serve capacity. Advanced Controls – Embedded Dashboards
  • 20.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal20 Application Access Controls Governor Enforce Proper Segregation of Duties Across Multiple Systems Compensating Policies Preventive Provisioning Remediation (Clean-up) Access Analysis • Accelerate deployment and time to value with pre-delivered controls library • Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails • Simplify segregation of duties enforcement with simulation and remediation Define Access Controls Detection Prevention
  • 21.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal21 Pre-Built Integrations Custom or Legacy Applications Continuous SOD Controls Monitoring Pre-built Extensible Partner Pre-built CUSTOMER CARE & BILLING
  • 22.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal22 Role Permission List Menu Component Page Definition Component Page Definition Access Hierarchy Example – PeopleSoft Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock etc. Access Points
  • 23.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal23 Glossary of Terminology Control ManagementAccessPoint Any level node in the access model hierarchy for a particular application. Entitlement A logical grouping of Access points. E.g. All pages that allow a user to create a voucher grouped as a single Entitlement “Create Voucher” ModelControl A rule that defines toxic combinations of entitlements and/or access points.
  • 24.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal24  Review Model Definition  Analyze Results  Modify Entitlement  Deploy Control Demonstration
  • 25.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal25  How can we Integrate Oracle Identity Manager with Application Access Controls Governor? Question
  • 26.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal26  Integration  Architecture  Key Workflows  SoD Integration Library  Deployment/Configuration  Versions Topics
  • 27.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal27 Custom, Legacy, … EBS AppsFusion Apps ERP Security & SOD for OIM Projects Oracle Identity Management Submit User Access Request Update User Account Return SOD Response Analyze impact and policy overrides if needed Request for User Access 1 2 3 4 5 User Provisioning Web Service User Provisioning Web Service Compliance/Business Review Oracle Advanced Controls Access Controls Governor
  • 28.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal28 Integration of OIM and Oracle AACG Integrate Identity Management and SoD Across Systems Provision Across Multiple Systems Automatic Role Provisioning Increase Efficiency Avoid Human Error Check for Segregation of Duties
  • 29.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal29 Integration of OIM and Oracle AACG Key Workflows Resource Provisioning Workflow Resource Approval Workflow  Real-time validation of entitlement assignment requests using AACG.  AACG uses predefined rules to determine if the entitlement assignment would lead to SoD violations.  The results of the SoD analysis are returned to Oracle Identity Manager.  Provisions an entitlement request that has passed the resource approval workflow on the target system.  Note: Can be configured to perform the SoD validation a second time - immediately before the entitlement assignment is provisioned to the target system. This ensures SoD compliance.
  • 30.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal30 Integration of OIM and Oracle AACG SoD Invocation Library and Providers SoD Invocation Library (SIL)  The SIL is a collection of Java-based adapters that enable integration with OIM Connectors. SIL Providers  Specialized adapters integrate the SIL with SoD engines.  SIL Providers act as the interface between the SIL and AACG (or other SoD Engines.) SoD-enabled OIM Connectors  OIM Connectors that know about SoD Workflows. Oracle Identity Manager Oracle Advanced Controls - AACG SoDInvocationLibrary(SIL)andAdapters OAACG SIL Provider Conflict Analysis SoD Policy Simulation EBS UM Connector Entitlement1 2 3 PeopleSoft UM Connector 1 2 3 Entitlement Metadata driven Invocation of OAACG SIL Provider Preconfigured invocation of OAACG SIL Provider RDF Graph AACG DB
  • 31.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal31 Integration of OIM and Oracle AACG Deploying SIL Providers Target systems for which SIL registration is provided include:  EBS and OAACG  PSFT and OAACG  SAP and SAP-GRC
  • 32.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal32 Integration of OIM and Oracle AACG Installing OIM Connectors Installation InformationPre-configured Connectors  Oracle e-Business User Management release 9.1.0 and later  SAP User Management release 9.1.2.5 and later  See http://download.oracle.com/docs/cd/ E11223_01/index.htm
  • 33.
    Copyright © 2013,Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal33 Integration of OIM and Oracle AACG Configuring the OAACG SoD Engine Steps for Configuring any SoD Engine Install Oracle AACG Create an Oracle AACG Account for SoD Operations Synchronize Role and Responsibility Data from EBS and PSFT Define Access Controls in AACG Enable SoD in OIM Configuring Application Access Controls Governor Import • Import entitlement data from the target system(s) to the SoD engine. Configure • If required, configure SoD validation rules on the SoD engine.
  • 34.
    Integration of OIM and Oracle AACG
    Supported Versions, Other Information
      • OIM 11gR2 and AACG Certified for 8.6.4.5 and up
      • Installation Instructions for OIM Connectors
          – See: http://download.oracle.com/docs/cd/E11223_01/index.htm
      • OIM SoD Documentation explains how to:
          – See: http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/segduties.htm
          – Enable SSL in SIL Providers
          – Customize Workflows for non-SoD-ready Connectors
          – Combine Custom Target Systems and SoD Engines
          – Troubleshooting the integration
  • 35.
    Integrated IDM and OAC Solution
    Oracle Advanced Controls Capabilities
    Capabilities (table columns: IDM, OAC):
      • Authentication & SSO for all systems
      • Coarse & fine grained authorization for heterogeneous IT systems
      • Account provisioning and de-provisioning
      • Attestation of access
      • Enterprise role management and role based automation
      • Author fine grain access controls in business terms
      • Define single SOD control to span multiple apps
      • Conduct simulations & what-if analysis
      • Pre-built Access, Risk and Compliance Dashboards
      • Deploy Compensating Config & Transaction Controls
      • Pre-built, certified adaptors to EBS, PSFT, Fusion
  • 36.
    What did they allegedly spend it on?
    A, B, C, D: Child's medical bills, Tiara, Gambling sites, Jewelry collection
    Miss H, Miss O, Mr. P, Miss G
  • 37.
    Enforcing Segregation of Duties with Oracle Identity Management
      • A Customer Case
      • Solution Footprint
      • High-level Integration
      • Business Process Workflow
  • 38.
    Oracle Identity Management + Oracle Advanced Controls
    CUSTOMER PROFILE
    Global Semiconductor Manufacturer
      • $5+ billion revenue (2011)
      • Privately held
      • Uses OIM+AACG to govern access provisioning in EBS and PSFT
    Benefits
      • Solution:
          – Detect and prevent inappropriate user access
      • Result: Full enforcement of user access policies in both EBS and PSFT. Streamlined access request approval with better decision support.
  • 39.
    Solution Footprint
    [Diagram: Oracle Solution. Column headings: Finance, SCM (Pln & Mfg), P2P, O2C, CRM, HCM.]
      • EBS: General Ledger, Payable, Receivable, Fixed Asset, I Expenses, Incentive Comp, Adv. Collections
      • Hyperion: HP, FDM, HFR
      • EBS: ASCP (CBP), OSFM, ODM, GOP
      • Demantra: DM, S&OP
      • EBS: Order Mgmt, Advanced Pricing, Inventory, WMS, Quoting
      • Global Trade Management / Trade compliance
      • Siebel: Campaign Mgmt, Sales, CRM Base, Manufacturing Option, Remote Client, Marketing server
      • PeopleSoft: core HR, Self Service, Time & Labor, Global Payroll (SG, DE), Payroll Interface, Absence Mgmt, Learning Mgmt, Benefits Admin
      • Application Integration Architecture
      • EBS: Purchasing, iProcurement, Sourcing, Procurement Contract, Service Procurement, Advance Pricing, iSupplier Portal, Quality, WMS, Supplier Life Cycle Mgt, inventory
      • Interfaces to External / Legacy Applications: E-Forms CIS Data Warehouse LDAP PTSSPACE PEPS BofA 3rd Party (GTC) Bloomberg Visitor Regn Lotus Email E-Portal Adexa MES View Plant Maint. CIMPMS B2B FidelityB2A Manager Property Mgmt System Security System QuestionMark ADP Payroll OrgPlus Agile PLM
      • Oracle Advanced Controls
      • Security and IDM
    Oracle Corporation – Proprietary and Confidential
  • 40.
    OIM – OAC (AACG) Integration
    [Diagram labels:]
      • Request: GL Manager (already has GL User)
      • Oracle Identity Manager: Resource Approval Workflow
          – Approval Request, Approval/Rejection
          – 1st Level – Manager
          – 2nd Level – Business Owner
          – 3rd Level – Governance Team
      • Oracle AACG: Controls, Violations
      • Provision to EBS
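The request-time check this slide sketches (a user who already has GL User requests GL Manager, the request is evaluated against SoD controls, and the violations travel with it through the three approval levels before anything is provisioned), as an added Python model that is not Oracle code and does not use the SIL or AACG APIs. The control definitions, the "Core HR Admin" and "Payables Manager" entitlement names, and the `decide` approver callback are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    """One SoD control: violated when a user holds something from BOTH sides.
    Each side is a set of (application, entitlement) pairs, so a single
    control can span more than one application."""
    name: str
    side_a: frozenset
    side_b: frozenset

# Constructed controls; that GL User conflicts with GL Manager is an assumption.
CONTROLS = [
    Control("GL entry vs. GL approval",
            frozenset({("EBS", "GL User")}),
            frozenset({("EBS", "GL Manager")})),
    Control("Maintain employee vs. pay employee",
            frozenset({("PSFT", "Core HR Admin")}),
            frozenset({("EBS", "Payables Manager")})),
]

APPROVAL_LEVELS = ["Manager", "Business Owner", "Governance Team"]

def simulate(current, requested, controls=CONTROLS):
    """What-if analysis: names of controls the request would newly violate.
    Nothing is provisioned and no state changes."""
    before = set(current)
    after = before | set(requested)
    new_violations = []
    for c in controls:
        hit_after = (c.side_a & after) and (c.side_b & after)
        hit_before = (c.side_a & before) and (c.side_b & before)
        if hit_after and not hit_before:
            new_violations.append(c.name)
    return new_violations

def handle_request(current, requested, decide):
    """Check first, then walk the approval chain with the violations attached.
    decide(level, violations) -> bool is a hypothetical approver callback.
    Provisioning happens only if every level approves."""
    violations = simulate(current, requested)
    for level in APPROVAL_LEVELS:
        if not decide(level, violations):
            return {"provisioned": False, "stopped_at": level,
                    "violations": violations}
    return {"provisioned": True, "stopped_at": None, "violations": violations}
```

Because `simulate` compares the entitlement set before and after the request, a conflict the user already carries is not reported again as new.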
  • 41.
    OIM to EBS Provisioning with SoD validation in AACG
  • 42.
    Requesting Role in Self Service
  • 43.
    SOD Validation and Approval
  • 44.
    Benefits of Integrating AACG and OIM
    Enterprise-wide, cross application SOD and access management solution
      • One-stop proactive user access and SOD management
      • Elimination of redundant user provisioning and SOD management efforts
      • Increased user provisioning / de-provisioning efficiency
      • Improved integration of new applications
      • Increased accountability for user access
      • Reduced audit deficiencies / greater compliance with laws and regulations
      • Improved security / reduction of unauthorized user access
  • 45.
    Oracle Advanced Controls
    OOW2013 Sessions & Demo Pod Slides
  • 46.
    Oracle GRC Advanced Controls
      • Join our LinkedIn group
      • Follow us on Twitter: @OracleAdvCntrls
  • 47.
    Demo Workstation
    Moscone West 1st Floor #W-013
    Demo ID 3532, Workstation #: W-013
      • Monday: 9:45 – 6:00
      • Tuesday: 9:45 – 6:00
      • Wednesday: 9:45 – 4:00
  • 48.
    Demo Workstation
    Moscone West 1st Floor #W-013
  • 49.
    Learn More About Oracle Advanced Controls
    Wednesday
      • Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite
          – 10:15AM, Moscone West – 3018, CON8816
      • Reducing Risk for Oracle E-Business Suite Upgrades and Implementations
          – 1:15PM, Moscone West – 3018, CON8830
      • Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades
          – 3:30PM, Moscone West – 2002 / 2004, CON8832
  • 50.
    Learn More About Oracle Advanced Controls
    Thursday
      • Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications
          – 2:00PM, Moscone West – 3018, CON8824
      • Meet the Governance, Risk, and Compliance Experts
          – 12:30PM, Moscone West 2001A, MTE9412
  • 51.
    Specialized Advanced Controls Partners
      • New Benefit for Advanced Controls owners
      • Specialized Partners:
          – Trained by Oracle: Designing and delivering OAC solutions
          – Demonstrated ability to deliver reliable OAC solutions
      • Coming soon
  • 53.
    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.