Security & Segregation of Duties for PeopleSoft


Presentation from Alliance 11 conference from the University of Nebraska and Smart ERP Solutions. Covers Row Level Security and Segregation of Duties for PeopleSoft.

  1. Security and Segregation of Duties for PeopleSoft. Session #29904, March 29, 2011.
  2. Denise Goin, PeopleSoft Security Specialist, University of Nebraska CSN: 14+ years working with PeopleSoft Security, Campus Solutions, HR, Financials, Portal; Higher Ed, Public and Private Sector; former Oracle Security Consultant. Kirk Chan / Ramesh Panchagnula, Smart ERP Solutions, Inc.
  3. Multi-institutional implementation in 2 production instances. Using SmartSecurity in development as well as in production environments. Overview of a solution providing automated Segregation of Duties directly from within your PeopleSoft.
  4. Row Level Security at the University of Nebraska. Denise Goin, PeopleSoft Security Specialist, University of Nebraska CSN.
  5. Nebraska Student Information System structure:
     • Change in how security is structured and maintained.
     • Business process changing: enable SACR security for the functional offices.
     • Shared data/components/SACR (especially with multi-institution).
     Why Nebraska chose Smart Security: no row level security on many components in the system, and no read all/update own on anything. Fully configurable as business processes change or new functionality is needed. As wide open or as restricted as we like.
     Business requirement: to be able to SEE everything, but only allow UPDATE to our own students, especially CPP.
  6. Nebraska Student Information System (NeSIS) structure (diagram): NU (UNL, UNO, UNK, UNMC) and NSCS (Chadron, Wayne, Peru).
  7. NeSIS Security Team (diagram): PeopleSoft Security Specialist; University Security Analyst; State College Security Analyst; Security Coordinators at UNK, UNL, UNMC, UNO, CSC, PSC and WSC.
  8. Row Level Security - The Issues:
     • Business processes changing; SF SACR Security started the trend.
     • No institution-specific row level security on many pages.
     • Transactional Configuration Security / SACR Security: using the security views on the pages that allow it didn't allow for viewing other schools' data when needed.
     • Transactional Configuration Security / SACR Security: custom/cloned.
  9. But... We Want it ALL. How do we grant access to student data from another school without running the risk of mistakes being made when entering data? Many students will attend multiple universities, even in the same term. Can we protect the data and still allow access to it?
  10. Transactional Pages:
     • Campus Community > Personal Information (Student) > Identification (Student) > Citizenship > Citizenship and Passport
     • Campus Community > Personal Information (Student) > Identification (Student) > Citizenship > Visa Permit Data
     • Campus Community > Personal Information (Student) > Identification (Student) > Residency Data
     • Campus Community > Personal Information > Identification > Residency Data
     • Campus Community > Personal Information Student > Participation Data Student > Athletic Participation
     • Curriculum Management > Combined Sections > Combined Sections Table
     • Curriculum Management > Combined Sections > Identify Combined Sections
     • Curriculum Management > Enrollment Requirements > Define Requisite Student Groups
     • Curriculum Management > Enrollment Requirements > Enrollment Course Lists
     • Curriculum Management > Enrollment Requirements > Enrollment Requirement Groups
     • Curriculum Management > Class Rosters > Class Rosters
     • Curriculum Management > Dynamic Dates > Dynamic Class Dates Table
     • Curriculum Management > Enrollment Requirements > Define Requisite Entity Groups
     • Curriculum Management > Enrollment Requirements > Define Test for Requisites
     • Curriculum Management > Grading > Grade Roster
     • Records and Enrollment > 3 Cs Summaries > Communication Summary
     • Records and Enrollment > 3 Cs Summaries > Personal Checklist Summary
     • Records and Enrollment > Career and Program Information > Student Program Plan
     • Records and Enrollment > Enrollment Summaries > Enrollment Summary
     • Records and Enrollment > Graduation > Honors and Awards
     • Records and Enrollment > Graduation > Student Degrees
     • Records and Enrollment > Student Term Information > Student Grades
     • Records and Enrollment > Student Term Information > Term Activate a Student
     • Records and Enrollment > Student Term Information > Term History
     • Records and Enrollment > Term Processing > Appointment Table
     • Records and Enrollment > Term Processing > Student Appointment Block
     • Records and Enrollment > Term Processing > Student Enrollment Appointment
     • Records and Enrollment > Transfer Credit Evaluation > External Education
     • Records and Enrollment > Transfer Credit Evaluation > Test Results
     • Student Admissions > External Test Score Processing > Test Results
     • Student Admissions > Application Entry > Academic Information > Test Results
  11. Configuration/Setup Pages:
     • Curriculum Management > Instructor/Advisor Information > Instructor/Advisor Table
     • Records and Enrollment > Term Processing > End of Term Processing > Repeat Rule
     • Records and Enrollment > Term Processing > End of Term Processing > Repeat Scheme Table
     • Set Up SACR > Common Definitions > Student Group Table
     • Set Up SACR > Common Definitions > Service Indicators > Service Impact Table
     • Set Up SACR > Common Definitions > Service Indicators > Service Indicator Table
     • Set Up SACR > Product Related > Student Records > Curriculum Management > Dynamic Class Dates
     • Set Up SACR > Product Related > Student Records > Curriculum Management > Instruction Mode
     • Set Up SACR > Product Related > Student Records > Enrollment > Enrollment Action Reason
     • Set Up SACR > Product Related > Student Records > Enrollment > Time Period Table
     • Set Up SACR > Product Related > Student Records > Enrollment > Unit Conversion Table
     • Set Up SACR > Product Related > Student Records > Grading > Cum. Grade Point Average
     • Set Up SACR > Product Related > Student Records > Grading > Grade Category
     • Set Up SACR > Product Related > Student Records > Student Standing and Awards > Academic Standing Rule
     • Set Up SACR > Product Related > Student Records > Student Standing and Awards > Academic Standing Table
     • Set Up SACR > Product Related > Student Records > Student Standing and Awards > Degree Honors Table
     • Set Up SACR > Product Related > Student Records > Transcript > Define Transcript Type
     • Set Up SACR > Product Related > Student Records > Transcript > Transcript Notes Table
     • Set Up SACR > Product Related > Student Records > Transcript > Transcript Type
     • Set Up SACR > Foundation Tables > Academic Structure > Academic Career Table
     • Set Up SACR > Foundation Tables > Academic Structure > Academic Group Table
     • Set Up SACR > Foundation Tables > Academic Structure > Academic Institution Table
     • Set Up SACR > Foundation Tables > Academic Structure > Academic Plan Table
     • Set Up SACR > Foundation Tables > Academic Structure > Academic Program Table
     • Set Up SACR > Foundation Tables > Academic Structure > Academic Subject Table
     • Set Up SACR > Foundation Tables > Academic Structure > Academic SubPlan Table
     • Set Up SACR > Foundation Tables > Academic Structure > Campus Table
     • Set Up SACR > Foundation Tables > Academic Structure > Grading Scheme Table
     • Set Up SACR > Foundation Tables > Academic Structure > Level/Load Rules Table
     • Set Up SACR > Foundation Tables > Facilities > Facility Table
     • Set Up SACR > Foundation Tables > Term Setup > Academic Calendar
     • Set Up SACR > Foundation Tables > Term Setup > Term/Session Table
  12. Security Pages:
     • Set Up SACR > Security > Secure Student Administration > Setup > Enrollment Group Access
     • Set Up SACR > Security > Secure Student Administration > Setup > Enrollment Security Table
     • Set Up SACR > Security > Secure Student Administration > Setup > Service Indicator Display
     • Set Up SACR > Security > Secure Student Administration > Setup > User Security Replacement
     • Set Up SACR > Security > Secure Student Administration > UserID > Institution
     • PeopleTools > Security > Permission Lists and Roles > Permission Lists
     • PeopleTools > Security > Permission Lists and Roles > Roles
  13. Read All/Update Own (screenshot)
  14. Read All/Update Own (screenshot)
  15. Define CPP Read All/Update Own (screenshot)
  16. Define Security Access by Role Name: View All / Update Own (screenshot)
  17. Define Security Access by Role Name: Only See/Update Own (screenshot)
  18. Define Security Access by Role Name: Only See/Update Own (screenshot)
  19. SACR Configuration Pages: Update Own/View All vs. Only See/Update My Own (screenshot)
  20. SACR Configuration Pages: Update Own/View All (screenshot)
  21. Very Configurable
  22. Effective Segregation of Duties. Kirk Chan, VP, Business Development; Ramesh Panchagnula, President; Smart ERP Solutions, Inc.
  23. Agenda: "Effective" Segregation of Duties (SoD); Smart SoD™: Effective SoD for PeopleSoft; Demo; Summary and Q & A.
  24. A key element in the compliance lifecycle. 10+ years of ERP compliance solutions. Smart Security for PeopleSoft.
  25. SoD (diagram): Proactive SoD, Reactive SoD, Mitigation SoD.
  26. Benefits:
     • Built-in model enables SoD enforcement.
     • Violations checked BEFORE go-live.
     • Your decision to enforce rules or allow violations.
     • Saves time (= money).
     • Easy set-up and testing for violations.
     • Quick and easy reporting.
     • Reduces number of compensating controls required.
     • Reduces auditing effort / costs.
     • Reduces risk: enforcing and reporting SoD violations reduces opportunity for fraud.
  27. Nothing in PeopleSoft, any release. Use a spreadsheet? How do you ensure the actual access control mirrors the spreadsheet? That the right people access the right data? Manage change control problems? Assess the impact of changes? Manage enforcement of SoD?
  28. Aim: prevent SoD violations occurring during security assignment. Ensure the security policy is enforced long term.
  29. Proactive SoD check (diagram): build security / change role assignment without affecting live security; extract from the pre-populated model; SoD check of an A/P "Super" Voucher Clerk role (1. AP Voucher clerk: OK; 2. Secondary role 2: violations; 3. Secondary role 3: 6 violations); rule table "Segregate this task / From this task" over tasks such as Sales Order Entry, Sales Pricing, Customer Master, Credit limits, Credit Notes, Invoicing (A/R), Purchase Order, Goods Receipt, Vendor Master, Invoice entry (A/P) and Bank Payments.
  30. Aim: accurately assess existing security for remediation. Reduce audit time and cost. Build the case for restructuring security.
  31. Reporting directly on existing PeopleSoft security: Roles (high level); Permission Lists (process); Components (in-depth audit).
  32. Conflicting duty pairs:
     • Creating a journal entry and opening a closed accounting period
     • Maintaining accounts receivable master data and posting receipts
     • Depositing cash and reconciling bank statements
     • Completing goods transfer and adjusting physical inventory counts
     • Approving time cards and distributing paychecks
     • Preparing an order and changing a billing document
     • Changing an order and creating a delivery
     • Creating general ledger accounts and posting journal entries
     • Maintaining bank account information and posting payments
  33. Building the rules:
     • Role level: create a matrix of all active system roles; identify all roles that should not be linked to the same user, such as purchasing and payments.
     • Permission List / Business Process level: include application security and processing options; add to / modify as needed.
     • Component / Program level: add in any custom or modified processing.
     • If creating your own rules, start with the most important controls and gradually add to them.
  34. Current economic climate (fewer employees): many redundancies equate to fewer people doing more. Major requirement from Audit to allow remediation where a user is considered a risk. SOX requires that during an audit all risks must at least be visible and understood by the business; with this comes risk assessment and documentation. Seasonal changes: staff holidays or time away from the office require other users to be able to perform these additional duties.
  35. Mitigation: ability to mitigate users once a validation has occurred. Details of the mitigation, including notes, are added to a mitigation table. The user is still checked during the next validation but is not added to the violations table. Ability to time out mitigations, i.e. allowing for staff who are on holiday, etc.
  36. Business Requirements and Smart Solutions:
     • Row level security on any data that requires limited or authorized access: Smart Security
     • Define, manage and enforce segregation of duties for various roles within an organization to adhere to compliance requirements: Smart SoD
     • Robust workflow approval capabilities across any business transaction or documents across your enterprise: Smart Workflow
     • Streamlined and easy-to-use data entry pages configured to meet your specific business process requirements, incl. industry requirements; easily add features anywhere such as Save as Draft, Copy from Templates, Attachments, Configurable Print, Collaborative Comments, Workflow, User Help, Business Process View: Smart Docs, including ERP Gadget
     • Configuring and tailoring business processes to meet your organization's specific processes, including defining step-by-step actions for each process and managing your users through your organization's specific business process: Smart Enterprise BPM
     • One-stop visibility into the full business process lifecycle of a transaction: Smart Lifecycle Viewer
     • Addressing additional compliance requirements not in standard PeopleSoft (I-9/W-4 Form, 1042 Foreign National Requirements): Smart Compliance
     • Manageable solutions for complex integration needs: Smart Integration Packs
     • Other common, critical and complementary business requirements: tell us, we'll build it!
  37. Smart SoD™: developed expressly for PeopleSoft by SmartERP in cooperation with Q Software. Uniquely integrated within your current PeopleSoft. Powerful Proactive, Reactive and Mitigation features. Built-in Analytics/Reporting/Dashboards. Use delivered SoD rules or easily create your own.
  38. SoD Model and Rules. Reactive: mass check for user violations. Proactive: validate a new user profile against established SoD rules. Dashboard/Analytics.
  39. Value Statement: Segregation of Duties is an important element of your overall PeopleSoft security and risk management. Key features of Smart SoD can help you maintain legislative compliance (SOX), meet audit requirements and reduce the likelihood and impact of fraud and errors:
     • Expressly designed for your current PeopleSoft.
     • Powerful Proactive, Reactive and Mitigation features.
     • Automated workflow approvals.
     • Reporting/Dashboards facilitate audits and compliance.
     • Use pre-packaged built-in SoD rules (from PeopleSoft audits) or easily create your own.
     • Add-on architecture lowers Total Cost of Ownership: seamless integration, utilize best practices, maintenance and upgrades.
  40. Contacts: Denise Goin, PeopleSoft Security Specialist, University of Nebraska CSN, e-mail: ddgoin@nebraska.edu. Kirk Chan, VP, Business Development, Smart ERP Solutions, Inc., e-mail: kirk.c@smarterp.com. Ramesh Panchagnula, President, Smart ERP Solutions, Inc., e-mail:
  41. This presentation and all Alliance 2011 presentations are available for download from the conference site at www.psugonline.org and www.federalusersnetwork.com. Presentations from previous meetings are also available.
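The following Python is an added illustration, not code from the slides or from the Smart SoD product, of the role-level rule matrix described on slide 33, the reactive mass check and proactive new-profile check of slide 38, and the mitigation table with time-out of slide 35. The role names and user assignments are constructed sample data; the task names are taken from the rule table on slide 29 and the conflict list on slide 32.

```python
from datetime import date

# Constructed sample data (hypothetical role names, not Nebraska's or Smart SoD's
# configuration). Each role grants business tasks; the task names come from the
# slides' rule table and conflict list.
ROLE_TASKS = {
    "AP_VOUCHER_CLERK": {"Invoice entry (A/P)"},
    "AP_PAYMENT_RUN": {"Bank Payments"},
    "VENDOR_MAINT": {"Vendor Master"},
    "GL_JOURNAL": {"Creating a journal entry"},
    "GL_PERIOD_CLOSE": {"Opening a closed accounting period"},
}

# Role-level SoD rules: task pairs that one user must never hold together.
SOD_RULES = [
    frozenset({"Invoice entry (A/P)", "Bank Payments"}),
    frozenset({"Vendor Master", "Bank Payments"}),
    frozenset({"Creating a journal entry", "Opening a closed accounting period"}),
]

def tasks_for(roles):
    """All tasks reachable through a user's roles."""
    return set().union(*(ROLE_TASKS.get(r, set()) for r in roles))

def find_violations(roles):
    """Rules whose two tasks are both held via the given roles."""
    held = tasks_for(roles)
    return [rule for rule in SOD_RULES if rule <= held]

def validate_users(assignments, mitigations, today):
    """Reactive mass check. Every user is checked; a violation covered by an
    unexpired mitigation is skipped rather than added to the violations table.
    mitigations maps (user, rule) -> expiry date, so mitigations time out."""
    checked, violations = [], []
    for user, roles in assignments.items():
        checked.append(user)
        for rule in find_violations(roles):
            expiry = mitigations.get((user, rule))
            if expiry is not None and today <= expiry:
                continue  # mitigated and not yet timed out
            violations.append((user, sorted(rule)))
    return checked, violations

def proactive_check(current_roles, new_role):
    """Proactive check: violations a proposed role would introduce, before it is saved."""
    before = find_violations(current_roles)
    after = find_violations(set(current_roles) | {new_role})
    return [rule for rule in after if rule not in before]
```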