Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 1
@OracleAdvCntrls
Post Questions Before, During and After
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Advanced Access and User Security for Oracle Applications
Mark Stebelton, CPA, CFE
Director, Product Management – Oracle
Brian Amato, CPA, CISA
Director, Client Services – Fulcrum Way
Reza B’Far
Vice President, Development – Oracle
Program Agenda
Twitter Topic Review
Oracle Advanced Controls Overview - Mark
Implementation Review, Tips and Tricks - Brian
GRC Extensibility - Reza
Questions
Oracle Advanced Controls Product Overview
Standard Controls
User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning, Ethics Policy
Standard + Advanced Controls
Standard Controls: User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning, Ethics Policy
Advanced Controls: Sentiment Analysis, Split Purchase Orders, Hide Displays of Sensitive Data, Duplicate Payments, Transaction Threshold Amounts, Duplicate Vendors, Fine-grained User Access, Configuration Snapshots & Audit Trail, Transaction Pattern Analysis, Fuzzy Logic (‘similar values’)
GRC Advanced Controls: One Enterprise Foundation
Enterprise Risk & Controls Foundation
  Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
  Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
  Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
  User Authored Controls, Data Connectors, Fraud & Error Patterns
  Role Based Access Security; Web Services & APIs
  Custom or Legacy Applications
Comprehensive Enterprise Risk Management
Financial Governance
Continuous Controls Monitoring
  • Flexible: Graphical Authoring
  • Detect and Prevent
  • Access, Transactions, Setups
  • Data Driven (Big Data): 100% of Transactions
  • Manage by Exception
  • Optimize Processes
Fusion Platform with Dashboards, Alerts & Drilldowns
Advanced Controls Approach
Advanced Controls – Embedded Dashboards
• Embedded intelligence provides visibility into multiple control and process areas.
Advanced Controls – Embedded Dashboards
• Move away from siloed information
• Multiple ERPs monitored from a single application.
Advanced Controls – Business Process Monitoring
• Automatic alerts notify appropriate personnel for action
• Actionable insight to drive the business forward
Sophisticated Controls Monitoring and Enforcement Engine
Advanced Controls Demonstration
Technical Innovation (Engine)
Function: Tracking POs
Form: Receiving
User: John Doe
Role: Shipping Supervisor
Function: Purchase Orders
Tab: Review PO
Vendor: Acme
Transaction: Order 123
Action: Submit PO
Action: Signature Receipt
Role: Shipping Clerk
Correlate Events and Detect Policy Violation
Complete User Access Path
Relate Access to Actual Transactions
Connect to any provisioning engine
Extend to any authorization model
Oracle SOD Solution - Principles
SOD Platform Requirements for Enterprise Scale Customers
PLATFORM CAPABILITY | BUSINESS BENEFIT
Analysis of privileges at atomic level | Ensure reliance by external auditors, eliminate both false positives and false negatives.
Analysis across multiple applications and instances | Enable SOD policies for users with privileges across multiple applications and/or instances
Analysis for any authorization model | Enable enforcement of SOD policies for any critical business application
Capture entire User Access Path | Enable optimal resolution of SOD conflicts, by redesign of roles and privileges
Web Services to work with any user provisioning workflow | Enable compliant provisioning that is agnostic to multiple user provisioning workflows
Automatic status updates of violations with Visual Audit Trail | Reduced analysis and remediation efforts by self-learning based on prior decisions
Integration with SOA to automate SOD exception actions | Integration with SOA to allow tailored integrations with existing workflow applications
Exception-based user access attestation process | Eliminate redundant effort to attest every quarter if nothing has changed (position, roles etc)
Automated SOD Policy Documentation and Assessment | Comprehensive documentation and automated periodic assessment of SOD policies
Access Analysis
Create Conflict Conditions
• Single/Cross Platform
• Entitlement/Single Access Point
Remove False Positives
Macro and Micro Access Controls Examples (EBS Example)
Define
Entitlement: Enter Invoice (Element | Description)
  Open Interface Invoices | AP_APXIIFIX
  Invoice Batches | AP_APXINWKB_BATCHES
  Invoices | AP_APXINWKB
Entitlement: Create Suppliers (Element | Description)
  Vendors | APXVDMVD
  Enter Suppliers | PN_APXVDMVD
  Suppliers | AP_APXVDMVD
  Merge Suppliers | AP_APXVDDUP
Macro Access Control: Enter Invoice & Create Suppliers
Translates To
Distinct Micro Access Controls:
  Open Interface Invoices vs Vendors
  Open Interface Invoices vs Enter Suppliers
  Open Interface Invoices vs Suppliers
  Open Interface Invoices vs Merge Suppliers
  Invoice Batches vs Vendors
  Invoice Batches vs Enter Suppliers
  Invoice Batches vs Suppliers
  Invoice Batches vs Merge Suppliers
  Invoices vs Vendors
  Invoices vs Enter Suppliers
  Invoices vs Suppliers
  Invoices vs Merge Suppliers
When entitlements are used, each access point in the entitlement is considered as an ‘or’ in relation to the others.
Remove False Positives
Define
Examples:
  • Exclude inactive users
  • Exclude specific superuser Responsibilities
  • Exclude when not in the same operating unit or ledger
  • Include only for a single business unit
User Defined Access Points:
  • Define a specific path to analyze
  • Build using the access points of the target datasource
  • Use as any other access point
Condition Approaches:
  • Specifically Include
  • Specifically Exclude
Condition Types:
  • Global – apply to ALL models and controls
  • Global Path – Exclude a specific access path
  • Model/Control Level – applies only to that model/control
Path Examples:
  • EBS: Responsibility>Menu>Function
  • PSFT: Menu>Component>Page
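The two slides above (entitlements expanded into micro access controls, then conditions to remove false positives) can be illustrated in a few dozen lines. This is an added example, not Oracle's or AACG's code: the entitlement access points are the ones listed on the slide, while the users, their Responsibility>Menu>Function paths, operating units and the function names are constructed for illustration.

```python
"""Added illustration (not Oracle's code): expand a macro access control
(entitlement & entitlement) into micro access controls and evaluate users'
EBS-style access paths against them, applying the false-positive conditions
from the slide.  User data and helper names are constructed assumptions."""
from itertools import product

# Entitlements from the slide; each access point is an 'or' alternative.
ENTITLEMENTS = {
    "Enter Invoice": {"AP_APXIIFIX", "AP_APXINWKB_BATCHES", "AP_APXINWKB"},
    "Create Suppliers": {"APXVDMVD", "PN_APXVDMVD", "AP_APXVDMVD", "AP_APXVDDUP"},
}


def micro_controls(ent_a, ent_b):
    """Macro control ent_a & ent_b translates to one micro control per pair
    of access points (3 x 4 = 12 for the two entitlements above)."""
    return sorted(product(sorted(ENTITLEMENTS[ent_a]), sorted(ENTITLEMENTS[ent_b])))


# Constructed users: (active flag, access paths) with each path given as
# (responsibility, menu, function, operating_unit).
USERS = {
    "jdoe": (True, [("Payables Super User", "AP_NAVIGATE", "AP_APXINWKB", "US"),
                    ("Purchasing Super User", "PO_NAVIGATE", "AP_APXVDMVD", "US")]),
    "asmith": (True, [("Payables Super User", "AP_NAVIGATE", "AP_APXINWKB", "US"),
                      ("Purchasing Super User", "PO_NAVIGATE", "AP_APXVDMVD", "EMEA")]),
    "retired": (False, [("Payables Super User", "AP_NAVIGATE", "AP_APXINWKB", "US"),
                        ("Purchasing Super User", "PO_NAVIGATE", "AP_APXVDMVD", "US")]),
    "sysadmin": (True, [("System Administrator", "FND_NAVIGATE", "AP_APXIIFIX", "US"),
                        ("System Administrator", "FND_NAVIGATE", "APXVDMVD", "US")]),
}


def find_conflicts(users, ent_a, ent_b, exclude_resps=frozenset(),
                   same_operating_unit=True):
    """Return {user: [(function_a, function_b, path_a, path_b), ...]} for users
    whose access paths reach both sides of any micro control.
    Conditions applied: inactive users are skipped (global condition), paths
    through excluded superuser responsibilities are ignored (global path
    condition), and both paths must share an operating unit when
    same_operating_unit is set (model/control level condition)."""
    findings = {}
    for user, (active, paths) in users.items():
        if not active:
            continue
        usable = [p for p in paths if p[0] not in exclude_resps]
        hits = []
        for fn_a, fn_b in micro_controls(ent_a, ent_b):
            for pa in usable:
                for pb in usable:
                    if pa[2] != fn_a or pb[2] != fn_b:
                        continue
                    if same_operating_unit and pa[3] != pb[3]:
                        continue  # different OU: treated as a false positive
                    hits.append((fn_a, fn_b, ">".join(pa[:3]), ">".join(pb[:3])))
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    result = find_conflicts(USERS, "Enter Invoice", "Create Suppliers",
                            exclude_resps={"System Administrator"})
    for user, hits in result.items():
        for hit in hits:
            print(user, hit)
```

With the conditions on, only jdoe is reported; asmith (different operating units), retired (inactive) and sysadmin (excluded responsibility) are filtered out as false positives.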
Transaction Controls – Author, Deploy, & Monitor
Elevated Productivity – Optimize Process & Empower Users
• Library of pre-defined Advanced Controls (and extensible)
• Ability to build new controls by business owners (no coding)
• 100% Transaction coverage (no more sampling)
Transaction Filtering Logic: String, Integer/Numeric and Date functions, combined with AND / OR
Many Types of Controls against Various Business Applications
Advanced Controls Demonstration
Access Hierarchy Example – Oracle EBS
Role > Responsibility > Menu > Sub-Menu > Function (e.g. Function: Create Invoice, Function: Create Customer)
Other important attributes: Operating Units, Data Groups, Set of Books etc.
Access Points
Access Connector Example: EBS
• Covers critical access points across business processes in EBS including Financials, HR, Procure to Pay and Order to Cash
• Includes 2,500+ Micro Access Controls
• Includes 28,000+ Access Points available for extending controls
~1,700 Responsibilities*, ~5,400 Menus*, ~4,700 Concurrent Programs*, ~16,500 Functions*, ~28,300 Access Points*
* Amounts will vary by environment
Enterprise Risk Graph
[Diagram: an interlinked graph of node types SYSTEMS, USERS, ROLES, TXN (transactions), SETUPS and MASTER DATA]
Access AND Transaction SOD Analysis
System: EBS EMEA
User: JOHN
Role: Receivables ADMIN
Access path 1: CUSTOMER menu > CUSTOMER ENTRY submenu > QUICK UPDATE submenu > EDIT CUSTOMER function
Access path 2: ORDER MGT menu > ORDER ENTRY submenu > ORDER RELEASE function
Transaction: JOHN changes customer ship-to for ACME and processes order for ACME
Sensitive (Superuser) Transaction and Sensitive Access Monitoring
Top 10 Deployed SOD Transaction Controls
Sensitive Transaction Controls (aka Superuser Analysis):
  11020 STC: Monitor Payments
  11030 STC: Monitor Purchase Orders
  11050 STC: Monitor Suppliers
  11070 STC: Monitor Procurement Payment Terms
  11100 STC: Monitor Payables Bank Accounts
  11110 STC: Monitor Payables System Setups
  11120 STC: Monitor Payables Options: Payments
  11140 STC: Monitor Payables Options: Tax
  11180 STC: Monitor Payables Options: Invoices
  11210 STC: Monitor Journal Entries
Sensitive Access Monitoring Controls:
  2370 SAM: Same user created Payables Invoice and Payment
  2380 SAM: Same user created Purchase Order and Payables Invoice
  S390 SAM: Same user created Purchase Order and Received Goods and Services
  2400 SAM: Same user created Supplier and Approved Purchase Order
  8570 SAM: Same user created Supplier and Payables Invoice
  2420 SAM: Same user created Supplier and Payment
  2430 SAM: Same user created Supplier and Purchase Order
  2730 SAM: Same user created Journal Entry and Payables Invoice
  2770 SAM: Same user created Journal Entry and posted Journal Entry
  2570 SAM: Same user created Supplier and setup Auto Create Purchase Orders
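The "same user created X and Y" monitoring controls listed above, and the access-and-transaction case two slides earlier (JOHN edits the ACME ship-to and releases an ACME order), are the same detection pattern: two transactions by one user that share a business object. The following is an added example, not Oracle's or AACG's code; the control ids 8570 and 2370 are taken from the slide, while the log records, field names and the link rule (a shared identifier) are assumptions.

```python
"""Added illustration (not Oracle's code) of Sensitive Access Monitoring:
raise an incident when one user performs two conflicting transaction types
that share a business object.  Log records and field names are constructed."""
from collections import defaultdict

# Constructed transaction log.  'refs' holds the identifiers each
# transaction touches (supplier, invoice, payment, customer, order).
LOG = [
    {"user": "jdoe", "action": "CREATE_SUPPLIER", "refs": {"SUP-100"}, "ts": 1},
    {"user": "jdoe", "action": "CREATE_AP_INVOICE", "refs": {"INV-501", "SUP-100"}, "ts": 2},
    {"user": "mlee", "action": "CREATE_AP_INVOICE", "refs": {"INV-502", "SUP-100"}, "ts": 3},
    {"user": "mlee", "action": "CREATE_PAYMENT", "refs": {"PAY-9", "INV-502"}, "ts": 4},
    {"user": "kray", "action": "CREATE_SUPPLIER", "refs": {"SUP-200"}, "ts": 5},
    {"user": "kray", "action": "CREATE_AP_INVOICE", "refs": {"INV-503", "SUP-300"}, "ts": 6},
    {"user": "john", "action": "EDIT_CUSTOMER", "refs": {"CUST-ACME"}, "ts": 7},
    {"user": "john", "action": "ORDER_RELEASE", "refs": {"ORD-77", "CUST-ACME"}, "ts": 8},
]

# Controls as (id, first action, second action).  8570 and 2370 are slide
# ids; "ACCESS+TXN" is a placeholder label for the John/ACME scenario.
SAM_CONTROLS = [
    ("8570", "CREATE_SUPPLIER", "CREATE_AP_INVOICE"),
    ("2370", "CREATE_AP_INVOICE", "CREATE_PAYMENT"),
    ("ACCESS+TXN", "EDIT_CUSTOMER", "ORDER_RELEASE"),
]


def run_sam(log, controls):
    """Return one incident per (control, user, pair of linked transactions).
    Two records are linked when they share at least one reference, which is
    what makes this a transaction-level check rather than a pure access
    check: holding both privileges is not enough, the user must have used
    them on the same object."""
    by_user_action = defaultdict(list)
    for rec in log:
        by_user_action[(rec["user"], rec["action"])].append(rec)

    incidents = []
    for cid, act_a, act_b in controls:
        for (user, action), recs_a in by_user_action.items():
            if action != act_a:
                continue
            for ra in recs_a:
                for rb in by_user_action.get((user, act_b), []):
                    shared = ra["refs"] & rb["refs"]
                    if shared:
                        incidents.append({"control": cid, "user": user,
                                          "link": sorted(shared),
                                          "first_ts": ra["ts"], "second_ts": rb["ts"]})
    return incidents


if __name__ == "__main__":
    for inc in run_sam(LOG, SAM_CONTROLS):
        print(inc)
```

kray is not reported: the supplier created (SUP-200) is not the one on the invoice (SUP-300), so the two transactions do not link.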
Advanced Access and Security
AACG – Finding Conflicts (PSFT vs EBS)
EBS path: User: Janie Adams > Responsibility: Sales Super User (Operations) > Menu: AR_Navigate_GUI12 > Submenu: AZN_AR_Invoices_Entry > Function: Order
PSFT path: Job Role: Receivables Management > Permission: Create Customers > Page: Create Customer
SOD Conflict across the two access paths
Interpreting Access Conflicts
User > Role > Permission List > Menu > Panel Component > Page Definition
Finding the Right Path to Resolution: Remove Menu Path Conflicts
Know the Impact Before Committing Changes to the ERP: Simulate Changes
• Identify the changes to be made
• Click to create a change management work order
• Review impact of changes
• Create change request work order for System Administrator
The FulcrumWay Experience
Advanced Access and User Security for EBS and Oracle Fusion Applications
Brian Amato, CPA, CISA
Client Service Director - FulcrumWay
Agenda
Objectives, Drivers, Scope
Implementation Approach
Achievements and Benefits
Lessons learned
GRC Extensibility
Objectives, Drivers, Scope
Upgrade 8.6.3 to 8.6.4
Analyze SOD risks for EBS Financials and PSFT HR and Payroll
Define conditions to remove false positives
Implement new security model
Implementation Approach
Risk-Based Approach
Used Oracle’s seeded content
Understand changes from 8.6.3 to 8.6.4
FulcrumWay™ Application Controls Management Best Practices
Process: Assess Risk > Detect Violations > Analyze Issues > Remediate Issues > Implement Corrective Actions > Monitor Application Environment
Activities: Scope Application Controls; Sample ERP Data; Manage Exceptions; Setup Preventive Controls; Establish Test Environment
Owners: IT/Business Control Teams; Application Controls Manager; Application Security Administrator
Oracle Seeded Content
Human Resources
User Access Model Names
Maintain Employees & Modify Employee Salary
Maintain Employees & Process Payroll
Modify Employee Position & Process Payroll
Modify Employee Position & Maintain Employees
Modify Employee Position & Modify Employee Salary
Process Payroll & Modify Employee Salary
New Features in 8.6.4
User Experience
New Content
Relationship Assignments
Improved Search and Detection Engine
Setup and Administration
Performance Optimization
New Security Model
Achievements and Benefits
Able to secure EBS Financial data from HR/Payroll data!
Running a Single Instance of AACG for EBS Financials and PeopleSoft HR/Payroll
Lower costs of compliance
Lower IT burden and increased agility
Lessons Learned
Hardware/Software Certification Matrix
PeopleSoft Security Model
AACG Security Model
Access Hierarchy – PeopleSoft
User Profile > Role > Permission List > Menu > Component > Page Definition
Access Points
Evaluate User Access
• Test by User Profile
• Test by Page
Access Hierarchy – Oracle EBS
Role > Responsibility > Menu > Sub-Menu > Function
Access Points
8.6.4 Security Model
Security Components
Leveraging Perspectives to Plan and Design AACG Security and Incident Management
• Examples of Perspectives aid in the definition of Data Roles
• A Perspective can span multiple ERP instances and types (PS, EBS)
• A Perspective gets created for each datasource
• Perspectives can define which users have security to AACG Controls and Incidents
GRC Extensibility
AACG with EBS and PeopleSoft
The Extensibility of Oracle Advanced Controls
Pre-Built Integrations
Continuous SOD Controls Monitoring connects through: Pre-built integrations; Extensible integrations (Custom or Legacy Applications); Partner Pre-built integrations (CUSTOMER CARE & BILLING)
What is Extension?
Work done by end users and their developers to add new abilities to GRCC.
WHY IS IT VALUABLE?
Gives you the ability to extend standard functionality to meet your unique needs.
WHAT PRODUCT DOES IT SPAN?
EGRCM and EGRCC 8.x in a Single Platform
Ways to Extend GRCC (Expertise: Create a new…)
  End user: Model, Control, Incident
  Developer: Business object, Connector, Pattern, API/Web Service
Clearly Separated Skill Sets
Extension areas: Connectors; Controls; Business Objects; Advanced Extensions
Skill Set Required (rated Required / Preferred / Not Required per extension area):
  General Domain Knowledge (Financial, Medical, SCM, etc.)
  Business Application System Experts (EBS, PSFT, etc.)
  Application Engineer or Software Engineer
  Actuarial Skills
  Specific Domain Knowledge (P2P, GL, T&E, etc.)
  DBA's, ETL Users or Analytic App. Builders
Risk Management
• Allows us to build an internal factory for building meta-data cost-effectively
• Provides the platform for a future ecosystem of meta-data
• SDLC: Minimizing risk in execution through reduction of Knowledge Diffusion
High-Level Platform Extensibility Points
• Getting Data into GRC for Analysis
• OWL (Ontology Web Language) – an XML language
• Web Services
• Custom Objects
• Advanced extensions – Java
• Extending the Workflows & Reporting
• Both RESTful & SOAP Web Services available
• SOA Integration out of the box
• Data Analytics for Custom Reporting and Dashboards
• Physical and Logical Security that follows the GRC Security Model
Focus – GRC Controls Extensibility
• Takes a picture of various aspects of your system
• Authorization model
• Transaction model
• Others
• Then, it searches for exceptions (violations)
• Controls are the criteria the system uses to search
• Points of Extensibility:
• Different ways by which it searches
• Different data sources through which it searches
• Different ways it can provide the results (web services, etc.)
• Provides workflows for remediation of the exceptions
When do you need extensibility?
Connecting to a custom application or COTS/ERP for which no pre-built connector exists
Custom data or behavior that needs to be added to applications that aren’t supported out of the box (PSFT, EBS, etc.)
Adding custom reports to the system
– Data Analytics data-mart provides an open analytic schema for all discovered violations and other data for custom reports
– Robust security model for the analytic data-marts
Besides extensibility, a core feature of the product is custom objects: you can import data directly into the user interface of the application through a spreadsheet format (Microsoft Excel).
Examples of Extensibility
Extensibility Point | Use-Case
GRC Web Services | User Provisioning Requests (OIM, Fusion, etc.) using GRC API’s for near-real-time checks to see if a user should be provisioned a given set of roles.
GRC Connectors | UCM Connector allowing expense receipts of hotel folios, etc. to be analyzed using the GRC Text Analysis and reasoning engine
GRC Connectors | Connecting to Health-Care applications via their native protocols or HL7 to find Health-Care fraud and/or waste.
Workflow Extensibility | EGRCM and EGRCC SOA (SOAP), REST, and BPEL Extensibility
Data Analytics | Custom Reports and Analytics
GRC Data Analytics
GRC Transactional Schema is CLOSED.
– You may not access it. GRC Data Analytics is the way for you to extract data to build your own reports and analytics.
GRC Data Analytic Schema includes:
– Summarized data in a properly normalized format for reporting (fact tables, dimensions, and other normalized forms, all tuned for reporting and analytic dashboards)
– Full physical and logical security: GRC Users and Roles become Database Users and Views, mirroring the application's data-level security in the database
– Populated on demand or on a scheduled basis
– Will include data for both EGRCC and EGRCM
Conclusion
“…only two years after the implementation…, the external auditor relies 100 percent on Oracle GRC to assess security segregation of duties at the client.”
- PwC
Impact of Oracle Advanced Controls PwC Case Study
Addressed material weakness resulting from security and compliance issues
Inappropriate access being granted
Access granted without approval
Access not reviewed
Access not approved in timely manner
Source : PwC Whitepaper : Optimizing ERP Projects with GRC’s Advanced Financial Controls
Questions?
@OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter