Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential Oracle Internal 1

Advanced Controls access and user security for superusers con8824

May 11, 2015


External Auditor relies 100% on Oracle Advanced Controls for assessing Segregation of Duties at a customer
Transcript
Page 1

Page 2

@OracleAdvCntrls

Post Questions Before, During and After

Page 3

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4

Advanced Access and User Security for Oracle Applications

Mark Stebelton, CPA, CFE

Director, Product Management – Oracle

Brian Amato, CPA, CISA

Director, Client Services – FulcrumWay

Reza B’Far

Vice President, Development – Oracle

Page 5

Program Agenda

Twitter Topic Review

Oracle Advanced Controls Overview - Mark

Implementation Review, Tips and Tricks - Brian

GRC Extensibility - Reza

Questions

Page 6

Oracle Advanced Controls Product Overview

Page 7

Standard Controls

Diagram labels: User Roles; 3-Way Match; Approval Hierarchies; Standard Controls; Social Media Policy; E-learning; Ethics Policy

Page 8

Standard + Advanced Controls

Advanced Controls labels: Sentiment Analysis; Split Purchase Orders; Hide Displays of Sensitive Data; Duplicate Payments; Transaction Threshold Amounts; Duplicate Vendors; Fine-grained User Access; Configuration Snapshots & Audit Trail; Transaction Pattern Analysis; Fuzzy Logic, ‘similar values’

Standard Controls labels: User Roles; 3-Way Match; Approval Hierarchies; Social Media Policy; E-learning; Ethics Policy

Page 9

GRC Advanced Controls One Enterprise Foundation

Diagram: the Enterprise Risk & Controls Foundation stack
• Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
• Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
• Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
• User Authored Controls, Data Connectors, Fraud & Error Patterns
• Role Based Access Security
• Web Services & APIs
• Custom or Legacy Applications

Comprehensive Enterprise Risk Management

Financial Governance

Continuous Controls Monitoring

Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups

Data Driven (Big Data)
• 100% of Transactions
• Manage by Exception
• Optimize Processes

Page 10

Advanced Controls Approach

Fusion Platform with Dashboards, Alerts & Drilldowns

Page 11

Advanced Controls – Embedded Dashboards

• Embedded intelligence provides visibility into multiple control and process areas.

Page 12

Advanced Controls – Embedded Dashboards

• Move away from siloed information
• Multiple ERPs monitored from a single application.

Page 13

Advanced Controls – Business Process Monitoring

• Automatic alerts notify appropriate personnel for action
• Actionable Insight to drive the business forward

Page 14

Advanced Controls Demonstration

Sophisticated Controls Monitoring and Enforcement Engine

Page 15

Technical Innovation (Engine)

Diagram labels (events along one user's access path):
• Function: Tracking POs
• Form: Receiving
• User: John Doe
• Role: Shipping Supervisor
• Function: Purchase Orders
• Tab: Review PO
• Vendor: Acme
• Transaction: Order 123
• Action: Submit PO
• Action: Signature Receipt
• Role: Shipping Clerk

Correlate Events and Detect Policy Violation

Complete User Access Path

Relate Access to Actual Transactions

Connect to any provisioning engine

Extend to any authorization model

Page 16

Oracle SOD Solution - Principles

SOD Platform Requirements for Enterprise Scale Customers

PLATFORM CAPABILITY | BUSINESS BENEFIT
Analysis of privileges at atomic level | Ensure reliance by external auditors, eliminate both false positives and false negatives.
Analysis across multiple applications and instances | Enable SOD policies for users with privileges across multiple applications and/or instances
Analysis for any authorization model | Enable enforcement of SOD policies for any critical business application
Capture entire User Access Path | Enable optimal resolution of SOD conflicts, by redesign of roles and privileges
Web Services to work with any user provisioning workflow | Enable compliant provisioning that is agnostic to multiple user provisioning workflows
Automatic status updates of violations with Visual Audit Trail | Reduced analysis and remediation efforts by self-learning based on prior decisions
Integration with SOA to automate SOD exception actions | Integration with SOA to allow tailored integrations with existing workflow applications
Exception-based user access attestation process | Eliminate redundant effort to attest every quarter if nothing has changed (position, roles etc)
Automated SOD Policy Documentation and Assessment | Comprehensive documentation and automated periodic assessment of SOD policies

Page 17

Access Analysis

Create Conflict Conditions

• Single/Cross Platform

• Entitlement/Single Access Point

Remove False Positives

Page 18

Macro and Micro Access Controls Examples (EBS Example)

Define

Entitlement: Enter Invoice
• Open Interface Invoices (AP_APXIIFIX)
• Invoice Batches (AP_APXINWKB_BATCHES)
• Invoices (AP_APXINWKB)

Entitlement: Create Suppliers
• Vendors (APXVDMVD)
• Enter Suppliers (PN_APXVDMVD)
• Suppliers (AP_APXVDMVD)
• Merge Suppliers (AP_APXVDDUP)

Macro Access Control: Enter Invoice & Create Suppliers

Translates To

Distinct Micro Access Controls:
• Open Interface Invoices vs Vendors
• Open Interface Invoices vs Enter Suppliers
• Open Interface Invoices vs Suppliers
• Open Interface Invoices vs Merge Suppliers
• Invoice Batches vs Vendors
• Invoice Batches vs Enter Suppliers
• Invoice Batches vs Suppliers
• Invoice Batches vs Merge Suppliers
• Invoices vs Vendors
• Invoices vs Enter Suppliers
• Invoices vs Suppliers
• Invoices vs Merge Suppliers

When entitlements are used, each access point in the entitlement is considered as an ‘or’ in relation to the others

Page 19

Remove False Positives

Define

Examples
• Exclude inactive users
• Exclude specific superuser Responsibilities
• Exclude when not in the same operating unit or ledger
• Include only for a single business unit

User Defined Access Points
• Define a specific path to analyze
• Build using the access points of the target datasource
• Use as any other access point

Condition Approaches
• Specifically Include
• Specifically Exclude

Condition Types
• Global – apply to ALL models and controls
• Global Path – Exclude a specific access path
• Model/Control Level – applies only to that model/control

Examples
• EBS: Responsibility>Menu>Function
• PSFT: Menu>Component>Page
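Added example (not Oracle's or FulcrumWay's code): a small Python model of the macro-to-micro expansion on Page 18 and of the false-positive conditions on Page 19. The entitlement names and EBS function codes are the ones on the slide; the user, responsibilities, menus and operating units are constructed sample data.

```python
"""Macro access control -> micro access controls, with false-positive conditions.

Added example, not Oracle's or FulcrumWay's code. The two entitlements and their
EBS function codes come from the slide; every user, responsibility, menu and
operating unit below is constructed sample data.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple

# Each access point inside an entitlement is an 'or' alternative (slide text).
ENTITLEMENTS: Dict[str, Dict[str, str]] = {
    "Enter Invoice": {
        "AP_APXIIFIX": "Open Interface Invoices",
        "AP_APXINWKB_BATCHES": "Invoice Batches",
        "AP_APXINWKB": "Invoices",
    },
    "Create Suppliers": {
        "APXVDMVD": "Vendors",
        "PN_APXVDMVD": "Enter Suppliers",
        "AP_APXVDMVD": "Suppliers",
        "AP_APXVDDUP": "Merge Suppliers",
    },
}

@dataclass(frozen=True)
class AccessPath:
    """One EBS access path: Responsibility > Menu > Function, plus the org unit."""
    responsibility: str
    menu: str
    function: str        # EBS function code: the access point being tested
    operating_unit: str

@dataclass
class User:
    name: str
    active: bool
    paths: List[AccessPath] = field(default_factory=list)

@dataclass(frozen=True)
class Conditions:
    """False-positive conditions from the slide, applied before reporting."""
    exclude_inactive_users: bool = True
    excluded_responsibilities: FrozenSet[str] = frozenset()  # global path exclusion
    require_same_operating_unit: bool = False

def micro_controls(macro: Tuple[str, str]) -> List[Tuple[str, str]]:
    """Expand a macro control (two entitlement names) into its distinct micro
    controls: one per pair of access points, i.e. the cross product."""
    left, right = macro
    return list(product(ENTITLEMENTS[left], ENTITLEMENTS[right]))

def find_conflicts(user: User, macro: Tuple[str, str],
                   cond: Optional[Conditions] = None) -> List[dict]:
    """Return one record per violated micro control. Each record carries the
    complete access path on both sides, which is what role redesign needs."""
    cond = cond or Conditions()
    if cond.exclude_inactive_users and not user.active:
        return []
    # Global path condition: drop every path through an excluded responsibility.
    paths = [p for p in user.paths
             if p.responsibility not in cond.excluded_responsibilities]
    found = []
    for left_fn, right_fn in micro_controls(macro):
        for pa in (p for p in paths if p.function == left_fn):
            for pb in (p for p in paths if p.function == right_fn):
                if cond.require_same_operating_unit and pa.operating_unit != pb.operating_unit:
                    continue  # different operating unit: not a conflict under this condition
                found.append({"control": (left_fn, right_fn), "left": pa, "right": pb})
    return found

def describe(conflict: dict) -> str:
    """Human-readable line: '<left name> vs <right name> via <path> and <path>'."""
    names = {code: name for ent in ENTITLEMENTS.values() for code, name in ent.items()}
    def fmt(p: AccessPath) -> str:
        return f"{p.responsibility}>{p.menu}>{p.function}"
    left_fn, right_fn = conflict["control"]
    return f"{names[left_fn]} vs {names[right_fn]} via {fmt(conflict['left'])} and {fmt(conflict['right'])}"

# Constructed sample user: a payables responsibility plus a superuser one.
MACRO = ("Enter Invoice", "Create Suppliers")
JDOE = User("jdoe", active=True, paths=[
    AccessPath("Payables Manager", "AP_NAVIGATE", "AP_APXINWKB", "US"),
    AccessPath("Payables Manager", "AP_NAVIGATE", "AP_APXVDMVD", "US"),
    AccessPath("System Administrator", "SYSADMIN_MENU", "AP_APXVDDUP", "EMEA"),
])

if __name__ == "__main__":
    print(len(micro_controls(MACRO)), "micro controls")  # 12
    for c in find_conflicts(JDOE, MACRO):               # 2 conflicts
        print("conflict:", describe(c))
    strict = Conditions(excluded_responsibilities=frozenset({"System Administrator"}))
    print(len(find_conflicts(JDOE, MACRO, strict)), "after global path exclusion")  # 1
```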

Page 20

Transaction Controls – Author, Deploy, & Monitor

Elevated Productivity – Optimize Process & Empower Users
• Library of pre-defined Advanced Controls (and extensible)
• Ability to build new controls by business owners (no coding)
• 100% Transaction coverage (no more sampling)

Page 21

Transaction Filtering Logic

Diagram labels: String, Integer, Numeric, Date Functions; AND, OR

Page 22

Many Types of Controls against Various Business Applications

Advanced Controls Demonstration

Page 23

Access Hierarchy Example – Oracle EBS

Hierarchy: Role > Responsibility > Menu > Sub-Menu > Function

Functions shown: Create Invoice, Create Customer

Other important attributes: Operating Units, Data Groups, Set of Books etc

Access Points

Page 24

Access Connector Example: EBS
• Covers critical access points across business processes in EBS including Financials, HR, Procure to Pay and Order to Cash
• Includes 2,500+ Micro Access Controls
• Includes 28,000+ Access Points available for extending controls

Access point counts*: ~1,700 Responsibilities; ~5,400 Menus; ~4,700 Concurrent Programs; ~16,500 Functions; ~28,300 Access Points in total

* Amounts will vary by environment

Page 25

Enterprise Risk Graph

Diagram: a graph whose nodes are labelled TXN (transactions), SYSTEMS, USERS, ROLES, SETUPS and MASTER DATA, repeated across the graph.

Page 26

Access AND Transaction SOD Analysis

Diagram: one user's access paths tied to the transactions he performed
• System: EBS EMEA
• User: JOHN
• Role: Receivables ADMIN
• Access path 1: CUSTOMER menu > CUSTOMER ENTRY submenu > QUICK UPDATE submenu > EDIT CUSTOMER function
• Access path 2: ORDER MGT menu > ORDER ENTRY submenu > ORDER RELEASE function
• Transactions: JOHN changes customer ship-to for ACME and processes order for ACME

Page 27

Sensitive (Superuser) Transaction and Sensitive Access Monitoring

Top 10 Deployed SOD Transaction Controls

Sensitive Transaction Controls (aka Superuser Analysis)
• 11020 STC: Monitor Payments
• 11030 STC: Monitor Purchase Orders
• 11050 STC: Monitor Suppliers
• 11070 STC: Monitor Procurement Payment Terms
• 11100 STC: Monitor Payables Bank Accounts
• 11110 STC: Monitor Payables System Setups
• 11120 STC: Monitor Payables Options: Payments
• 11140 STC: Monitor Payables Options: Tax
• 11180 STC: Monitor Payables Options: Invoices
• 11210 STC: Monitor Journal Entries

Sensitive Access Monitoring Controls
• 2370 SAM: Same user created Payables Invoice and Payment
• 2380 SAM: Same user created Purchase Order and Payables Invoice
• S390 SAM: Same user created Purchase Order and Received Goods and Services
• 2400 SAM: Same user created Supplier and Approved Purchase Order
• 8570 SAM: Same user created Supplier and Payables Invoice
• 2420 SAM: Same user created Supplier and Payment
• 2430 SAM: Same user created Supplier and Purchase Order
• 2730 SAM: Same user created Journal Entry and Payables Invoice
• 2770 SAM: Same user created Journal Entry and posted Journal Entry
• 2570 SAM: Same user created Supplier and setup Auto Create Purchase Orders

Page 28

Advanced Access and Security

Page 29

AACG – Finding Conflicts

User: Janie Adams

EBS path: Responsibility: Sales Super User (Operations) > Menu: AR_Navigate_GUI12 > Submenu: AZN_AR_Invoices_Entry > Function: Order

PSFT path: Job Role: Receivables Management > Permission: Create Customers > Page: Create Customer

Result: SOD Conflict (across PSFT and EBS)

Page 30

Interpreting Access Conflicts

Hierarchy: User > Role > Permission List > Menu > Panel Component > Page Definition

Finding the Right Path to Resolution

Diagram column labels: U, R, M, C, D, L

Remove Menu Path Conflicts

Page 31

Simulate Changes

Know the Impact Before Committing Changes to the ERP
• Identify the changes to be made
• Click to create a change management work order
• Review impact of changes
• Create change request work order for System Administrator

Page 32

The FulcrumWay Experience

Page 33

Advanced Access and User Security for EBS and Oracle Fusion Applications

Brian Amato, CPA, CISA

Client Service Director - FulcrumWay

Page 34

Agenda

Objectives, Drivers, Scope

Implementation Approach

Achievements and Benefits

Lessons learned

GRC Extensibility

Page 35

Objectives, Drivers, Scope

Upgrade 8.6.3 to 8.6.4

Analyze SOD risks for EBS Financials and PSFT HR and Payroll

Define conditions to remove false positives

Implement new security model

Page 36

Implementation Approach

Risk-Based Approach

Used Oracle’s seeded content

Understand changes from 8.6.3 to 8.6.4

Page 37

FulcrumWay™ Application Controls Management Best Practices

Diagram: Assess Risk > Detect Violations > Analyze Issues > Remediate Issues > Implement Corrective Actions > Monitor Application Environment

Activities: Scope Application Controls; Sample ERP Data; Manage Exceptions; Setup Preventive Controls; Establish Test Environment

Roles: IT/Business Control Teams; Application Controls Manager; Application Security Administrator; Application Controls Manager

Page 38

Oracle Seeded Content

Human Resources

User Access Model Names

Maintain Employees & Modify Employee Salary

Maintain Employees & Process Payroll

Modify Employee Position & Process Payroll

Modify Employee Position & Maintain Employees

Modify Employee Position & Modify Employee Salary

Process Payroll & Modify Employee Salary

Page 39

New Features in 8.6.4

User Experience

New Content

Relationship Assignments

Improved Search and Detection Engine

Setup and Administration

Performance Optimization

New Security Model

Page 40

Achievements and Benefits
• Able to secure EBS Financial data from HR/Payroll data!
• Running Single Instance of AACG for EBS Financials and PeopleSoft HR/Payroll
• Lower costs of compliance
• Lower IT burden and increased agility

Page 41

Lessons Learned

Hardware/Software Certification Matrix

PeopleSoft Security Model

AACG Security Model

Page 42

Access Hierarchy – PeopleSoft

Hierarchy: Role > Permission List > Menu > Component > Page Definition (the diagram shows two Component > Page Definition branches)

Access Points

Evaluate User Access
• Test by User Profile
• Test by Page

User Profile

Page 43

Access Hierarchy – Oracle EBS

Hierarchy: Role > Responsibility > Menu > Sub-Menu > Function (the diagram shows two Function branches)

Access Points

Page 44

8.6.4 Security Model

Page 45

8.6.4 Security Model

Security Components

Page 46

8.6.4 Security Model

Leveraging Perspectives to Plan and Design AACG Security and Incident Management
• Perspectives aid in the definition of Data Roles (examples)
• A Perspective can span multiple ERP instances and types (PS, EBS)
• A Perspective gets created for each datasource
• Perspectives can define which users have security to AACG Controls and Incidents

Page 47

GRC Extensibility

AACG with EBS and PeopleSoft

Page 48

The Extensibility of Oracle Advanced Controls

Page 49

Pre-Built Integrations

Diagram labels: Custom or Legacy Applications; Continuous SOD Controls Monitoring; Pre-built; Extensible; Partner Pre-built; CUSTOMER CARE & BILLING

Page 50

What is Extension?
Work done by end users and their developers to add new abilities to GRCC

WHY IS IT VALUABLE?
Gives you the ability to extend standard functionality to meet your unique needs

WHAT PRODUCT DOES IT SPAN?
EGRCM and EGRCC 8.x in a Single Platform

Ways to Extend GRCC
Expertise | Create a new…
End user | Model, Control, Incident
Developer | Business object, Connector, Pattern, API/Web Service

Page 51

Clearly Separated Skill Sets

Skill Set Required (matrix columns: Connectors, Controls, Business Objects, Advanced Extensions; each cell rated Required, Preferred or Not Required)
• General Domain Knowledge (Financial, Medical, SCM, etc.)
• Business Application System Experts (EBS, PSFT, etc.)
• Application Engineer or Software Engineer
• Actuarial Skills
• Specific Domain Knowledge (P2P, GL, T&E, etc.)
• DBA's, ETL Users or Analytic App. Builders

Risk Management
• Allows us to build an internal factory for building meta-data cost-effectively
• Provides the platform for a future ecosystem of meta-data
• SDLC: Minimizing risk in execution through reduction of Knowledge Diffusion

Page 52

High-Level Platform Extensibility Points
• Getting Data into GRC for Analysis
– OWL (Ontology Web Language) – an XML language
– Web Services
– Custom Objects
– Advanced extensions – Java
• Extending the Workflows & Reporting
– Both RESTful & SOAP Web Services available
– SOA Integration out of the box
• Data Analytics for Custom Reporting and Dashboards
• Physical and Logical Security that follows the GRC Security Model

Page 53

Focus – GRC Controls Extensibility
• Takes a picture of various aspects of your system
– Authorization model
– Transaction model
– Others
• Then, it searches for exceptions (violations)
– Controls are the criteria the system uses to search
• Points of Extensibility:
– Different ways by which it searches
– Different data sources through which it searches
– Different ways it can provide the results (web services, etc.)
• Provides workflows for remediation of the exceptions

Page 54

When do you need extensibility?
• Connecting to a custom application or COTS/ERP for which there exists no pre-built connector
• Custom data or behavior that needs to be added to application(s) that aren’t supported out of the box (PSFT, EBS, etc.)
• Adding custom reports to the system
– Data Analytics data-mart provides an open analytic schema for all discovered violations and other data for custom reports
– Robust security model for the analytic data-marts

Besides extensibility, a core feature of the product is custom objects: you can import data directly into the user interface of the application through a spreadsheet format (Microsoft Excel).

Page 55

Examples of Extensibility

Extensibility Point | Use-Case
GRC Web Services | User Provisioning Requests (OIM, Fusion, etc.) using GRC API’s for near-real-time checks to see if a user should be provisioned a given set of roles.
GRC Connectors | UCM Connector allowing expense receipts of hotel folios, etc. to be analyzed using the GRC Text Analysis and reasoning engine
GRC Connectors | Connecting to Health-Care applications via their native protocols or HL7 to find Health-Care fraud and/or waste.
Workflow Extensibility | EGRCM and EGRCC SOA (SOAP), REST, and BPEL Extensibility
Data Analytics | Custom Reports and Analytics

Page 56

GRC Data Analytics

GRC Transactional Schema is CLOSED.
– You may not access it. GRC Data Analytics is a way for you to extract data to build your own reports and analytics

GRC Data Analytic Schema Includes:
– Summarized data in a properly normalized format for reporting (fact tables, dimensions, and other normalized forms – all tuned for the purposes of reporting and analytic dashboards)
– Full physical and logical security: GRC Users and Roles become Database Users and Views, allowing proper mirroring of data-level security in the application
– Populated on demand or on a scheduled basis
– Will include data for both EGRCC and EGRCM

Page 57

Conclusion

Page 58

Impact of Oracle Advanced Controls – PwC Case Study

“…only two years after the implementation…, the external auditor relies 100 percent on Oracle GRC to assess security segregation of duties at the client.”

- PwC

Addressed material weakness resulting from security and compliance issues:
• Inappropriate access being granted
• Access granted without approval
• Access not reviewed
• Access not approved in timely manner

Source: PwC Whitepaper: Optimizing ERP Projects with GRC’s Advanced Financial Controls

Page 59

Questions?

Page 60

@OracleAdvCntrls

Oracle GRC Advanced Controls

Join Our Linkedin Group

Follow us on Twitter

Page 61

Safe harbor statement (repeated from Page 3).
