Advanced Controls access and user security for superusers con8824

1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal
2. @OracleAdvCntrls
Post Questions Before, During and After
3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
4. Advanced Access and User Security for Oracle Applications
Mark Stebelton, CPA, CFE
Director, Product Management – Oracle
Brian Amato, CPA, CISA
Director, Client Services – Fulcrum Way
Reza B’Far
Vice President, Development – Oracle
5. Program Agenda
Twitter Topic Review
Oracle Advanced Controls Overview - Mark
Implementation Review, Tips and Tricks - Brian
GRC Extensibility - Reza
Questions
6. Oracle Advanced Controls: Product Overview
7. Standard Controls
• User Roles
• 3-Way Match
• Approval Hierarchies
• Social Media Policy
• E-learning
• Ethics Policy
8. Standard + Advanced Controls
Standard Controls:
• User Roles
• 3-Way Match
• Approval Hierarchies
• Social Media Policy
• E-learning
• Ethics Policy
Advanced Controls:
• Sentiment Analysis
• Split Purchase Orders
• Hide Displays of Sensitive Data
• Duplicate Payments
• Transaction Threshold Amounts
• Duplicate Vendors
• Fine-grained User Access
• Configuration Snapshots & Audit Trail
• Transaction Pattern Analysis
• Fuzzy Logic, ‘similar values’
9. GRC Advanced Controls: One Enterprise Foundation
Enterprise Risk & Controls Foundation
• Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
• Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
• Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions; User Authored Controls, Data Connectors, Fraud & Error Patterns
• Role Based Access Security
• Web Services & APIs
• Custom or Legacy Applications
Comprehensive: Enterprise Risk Management, Financial Governance, Continuous Controls Monitoring
Flexible:
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups
Data Driven (Big Data): 100% of Transactions, Manage by Exception, Optimize Processes
10. Advanced Controls Approach
Fusion Platform with Dashboards, Alerts & Drilldowns
11. Advanced Controls – Embedded Dashboards
• Embedded intelligence provides visibility into multiple control and process areas.
12. Advanced Controls – Embedded Dashboards
• Move away from siloed information
• Multiple ERPs monitored from a single application.
13. Advanced Controls – Business Process Monitoring
• Automatic alerts notify appropriate personnel for action
• Actionable Insight to drive the business forward
14. Advanced Controls Demonstration
Sophisticated Controls Monitoring and Enforcement Engine
15. Technical Innovation (Engine)
Elements of the correlated access path pictured on the slide:
User: John Doe
Roles: Shipping Supervisor, Shipping Clerk
Functions: Tracking POs, Purchase Orders
Form: Receiving; Tab: Review PO
Vendor: Acme; Transaction: Order 123
Actions: Submit PO, Signature Receipt
Correlate Events and Detect Policy Violation:
• Complete User Access Path
• Relate Access to Actual Transactions
• Connect to any provisioning engine
• Extend to any authorization model
16. Oracle SOD Solution - Principles
SOD Platform Requirements for Enterprise Scale Customers
PLATFORM CAPABILITY | BUSINESS BENEFIT
Analysis of privileges at atomic level | Ensure reliance by external auditors, eliminate both false positives and false negatives.
Analysis across multiple applications and instances | Enable SOD policies for users with privileges across multiple applications and/or instances
Analysis for any authorization model | Enable enforcement of SOD policies for any critical business application
Capture entire User Access Path | Enable optimal resolution of SOD conflicts, by redesign of roles and privileges
Web Services to work with any user provisioning workflow | Enable compliant provisioning that is agnostic to multiple user provisioning workflows
Automatic status updates of violations with Visual Audit Trail | Reduced analysis and remediation efforts by self-learning based on prior decisions
Integration with SOA to automate SOD exception actions | Integration with SOA to allow tailored integrations with existing workflow applications
Exception-based user access attestation process | Eliminate redundant effort to attest every quarter if nothing has changed (position, roles etc)
Automated SOD Policy Documentation and Assessment | Comprehensive documentation and automated periodic assessment of SOD policies
17. Access Analysis
Create Conflict Conditions
• Single/Cross Platform
• Entitlement/Single Access Point
Remove False Positives
18. Macro and Micro Access Controls: Examples (EBS Example)
Define
Entitlements: Enter Invoice
Element | Description
Open Interface Invoices | AP_APXIIFIX
Invoice Batches | AP_APXINWKB_BATCHES
Invoices | AP_APXINWKB
Entitlements: Create Suppliers
Element | Description
Vendors | APXVDMVD
Enter Suppliers | PN_APXVDMVD
Suppliers | AP_APXVDMVD
Merge Suppliers | AP_APXVDDUP
Macro Access Control: Enter Invoice & Create Suppliers
Translates To
Distinct Micro Access Controls:
Open Interface Invoices vs Vendors
Open Interface Invoices vs Enter Suppliers
Open Interface Invoices vs Suppliers
Open Interface Invoices vs Merge Suppliers
Invoice Batches vs Vendors
Invoice Batches vs Enter Suppliers
Invoice Batches vs Suppliers
Invoice Batches vs Merge Suppliers
Invoices vs Vendors
Invoices vs Enter Suppliers
Invoices vs Suppliers
Invoices vs Merge Suppliers
When entitlements are used, each access point in the entitlement is considered as an ‘or’ in relation to the others.
19. Remove False Positives
Define
Examples
• Exclude inactive users
• Exclude specific superuser Responsibilities
• Exclude when not in the same operating unit or ledger
• Include only for a single business unit
User Defined Access Points
• Define a specific path to analyze
• Build using the access points of the target datasource
• Use as any other access point
Condition Approaches
• Specifically Include
• Specifically Exclude
Condition Types
• Global – apply to ALL models and controls
• Global Path – Exclude a specific access path
• Model/Control Level – applies only to that model/control
Examples
• EBS: Responsibility>Menu>Function
• PSFT: Menu>Component>Page
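The two slides above describe the mechanics of access analysis in two steps: a macro control over two entitlements expands into one micro control per pair of access points (because the points inside an entitlement are ORed), and global conditions then strip false positives such as inactive users, excluded superuser responsibilities, excluded access paths and cross-operating-unit pairs. The following Python is an added illustration written for this page, not code from Oracle or FulcrumWay. The entitlement names and EBS function names are the ones on slide 18; the users, responsibilities, menu names and operating units are constructed sample data.

```python
"""Added example (not from the slide deck): macro -> micro access control
expansion and false-positive conditions for an SOD access analysis.
Entitlements and EBS function names are taken from the slide; every user,
responsibility, menu and operating unit below is constructed sample data."""
from dataclasses import dataclass, field
from itertools import product

# From the slide: each entitlement is a set of access points, ORed together.
ENTITLEMENTS = {
    "Enter Invoice": {"AP_APXIIFIX", "AP_APXINWKB_BATCHES", "AP_APXINWKB"},
    "Create Suppliers": {"APXVDMVD", "PN_APXVDMVD", "AP_APXVDMVD", "AP_APXVDDUP"},
}


def expand_macro_control(left, right, entitlements=ENTITLEMENTS):
    """Macro control 'left & right' -> one micro control per access-point pair.

    Because the points inside an entitlement are alternatives ('or'), the
    macro control is the cartesian product: 3 x 4 = 12 micro controls here."""
    return sorted(product(sorted(entitlements[left]), sorted(entitlements[right])))


@dataclass(frozen=True)
class AccessGrant:
    """One EBS access path (Responsibility > Menu > Function) held by a user."""
    user: str
    responsibility: str
    menu: str
    function: str
    operating_unit: str

    @property
    def path(self):
        return f"{self.responsibility}>{self.menu}>{self.function}"


@dataclass
class Conditions:
    """Global conditions modelled on slide 19's examples (constructed API)."""
    inactive_users: set = field(default_factory=set)
    excluded_responsibilities: set = field(default_factory=set)  # superuser resps
    excluded_paths: set = field(default_factory=set)             # global path exclusions
    require_same_operating_unit: bool = True


def find_conflicts(grants, left, right, conditions, entitlements=ENTITLEMENTS):
    """Return (user, (func_a, func_b), grant_a, grant_b) for every SOD conflict.

    Exclusions are applied before pairing, so an excluded grant can never be
    half of a conflict; the operating-unit test is applied per pair."""
    micro_controls = expand_macro_control(left, right, entitlements)
    live = [g for g in grants
            if g.user not in conditions.inactive_users
            and g.responsibility not in conditions.excluded_responsibilities
            and g.path not in conditions.excluded_paths]
    by_user = {}
    for g in live:
        by_user.setdefault(g.user, []).append(g)

    conflicts = []
    for user, user_grants in by_user.items():
        for func_a, func_b in micro_controls:
            for ga in (g for g in user_grants if g.function == func_a):
                for gb in (g for g in user_grants if g.function == func_b):
                    if (conditions.require_same_operating_unit
                            and ga.operating_unit != gb.operating_unit):
                        continue  # different operating units: not a real conflict
                    conflicts.append((user, (func_a, func_b), ga, gb))
    return conflicts


# Constructed sample data (not from the deck).
SAMPLE_GRANTS = [
    # alice: real conflict, both functions in the same operating unit
    AccessGrant("alice", "Payables Manager", "AP_NAVIGATE_GUI12", "AP_APXINWKB", "US"),
    AccessGrant("alice", "Purchasing Buyer", "PO_BUYER_GUI", "AP_APXVDMVD", "US"),
    # bob: same pair of functions, but across operating units -> false positive
    AccessGrant("bob", "Payables Manager", "AP_NAVIGATE_GUI12", "AP_APXINWKB", "US"),
    AccessGrant("bob", "Purchasing Buyer", "PO_BUYER_GUI", "AP_APXVDMVD", "EMEA"),
    # carol: terminated account that was never end-dated in the ERP
    AccessGrant("carol", "Payables Manager", "AP_NAVIGATE_GUI12", "AP_APXIIFIX", "US"),
    AccessGrant("carol", "Purchasing Buyer", "PO_BUYER_GUI", "APXVDMVD", "US"),
    # dave: access only through an explicitly excluded superuser responsibility
    AccessGrant("dave", "System Administrator", "FND_NAVIGATE4.0", "AP_APXINWKB", "US"),
    AccessGrant("dave", "System Administrator", "FND_NAVIGATE4.0", "AP_APXVDDUP", "US"),
    # erin: one leg reached only via a path excluded globally
    AccessGrant("erin", "Payables Manager", "AP_NAVIGATE_GUI12", "AP_APXINWKB_BATCHES", "US"),
    AccessGrant("erin", "Payables Inquiry", "AP_INQUIRY_GUI", "PN_APXVDMVD", "US"),
]

SAMPLE_CONDITIONS = Conditions(
    inactive_users={"carol"},
    excluded_responsibilities={"System Administrator"},
    excluded_paths={"Payables Inquiry>AP_INQUIRY_GUI>PN_APXVDMVD"},
)


def conflicting_users(grants=SAMPLE_GRANTS, conditions=SAMPLE_CONDITIONS):
    """Users left with at least one Enter Invoice & Create Suppliers conflict."""
    hits = find_conflicts(grants, "Enter Invoice", "Create Suppliers", conditions)
    return sorted({user for user, *_ in hits})


if __name__ == "__main__":
    print(len(expand_macro_control("Enter Invoice", "Create Suppliers")), "micro controls")
    print("without conditions:", conflicting_users(conditions=Conditions(require_same_operating_unit=False)))
    print("with conditions:   ", conflicting_users())
```

Run without conditions, all five sample users are flagged; with the slide's conditions applied only alice remains, which is the point of the conditions slide: the exclusions are applied to the grants before pairing, so they reduce the incident volume without weakening the micro controls themselves.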
20. Transaction Controls – Author, Deploy, & Monitor
Elevated Productivity – Optimize Process & Empower Users
• Library of pre-defined Advanced Controls (and extensible)
• Ability to build new controls by business owners (no coding)
• 100% Transaction coverage (no more sampling)
21. Transaction Filtering Logic
Data types and operators: String, Integer, Numeric, Date, Functions; AND / OR
22. Advanced Controls Demonstration
Many Types of Controls against Various Business Applications
23. Access Hierarchy Example – Oracle EBS
Access Points: Role > Responsibility > Menu > Sub-Menu > Function (e.g. Function: Create Invoice; Function: Create Customer)
Other important attributes: Operating Units, Data Groups, Set of Books etc
24. Access Connector Example: EBS
• Covers critical access points across business processes in EBS including Financials, HR, Procure to Pay and Order to Cash
• Includes 2,500+ Micro Access Controls
• Includes 28,000+ Access Points available for extending controls
~1,700 Responsibilities*
~5,400 Menus*
~4,700 Concurrent Programs*
~16,500 Functions*
~28,300 Access Points*
* Amounts will vary by environment
25. Enterprise Risk Graph
(Graph diagram; node types shown: Systems, Users, Roles, Transactions (TXN), Setups, Master Data.)
26. Access AND Transaction SOD Analysis
System: EBS EMEA
User: JOHN
Role: Receivables ADMIN
Path 1: Menu CUSTOMER > Submenu CUSTOMER ENTRY > Submenu QUICK UPDATE > Function EDIT CUSTOMER
Path 2: Menu ORDER MGT > Submenu ORDER ENTRY > Function ORDER RELEASE
Result: JOHN changes CUSTOMER SHIPTO for ACME and processes ORDER for ACME
27. Sensitive (Superuser) Transaction and Sensitive Access Monitoring
Top 10 Deployed SOD Transaction Controls
Sensitive Transaction Controls (aka Superuser Analysis)
11020 STC: Monitor Payments
11030 STC: Monitor Purchase Orders
11050 STC: Monitor Suppliers
11070 STC: Monitor Procurement Payment Terms
11100 STC: Monitor Payables Bank Accounts
11110 STC: Monitor Payables System Setups
11120 STC: Monitor Payables Options: Payments
11140 STC: Monitor Payables Options: Tax
11180 STC: Monitor Payables Options: Invoices
11210 STC: Monitor Journal Entries
Sensitive Access Monitoring Controls
2370 SAM: Same user created Payables Invoice and Payment
2380 SAM: Same user created Purchase Order and Payables Invoice
S390 SAM: Same user created Purchase Order and Received Goods and Services
2400 SAM: Same user created Supplier and Approved Purchase Order
8570 SAM: Same user created Supplier and Payables Invoice
2420 SAM: Same user created Supplier and Payment
2430 SAM: Same user created Supplier and Purchase Order
2730 SAM: Same user created Journal Entry and Payables Invoice
2770 SAM: Same user created Journal Entry and posted Journal Entry
2570 SAM: Same user created Supplier and setup Auto Create Purchase Orders
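Slides 26 and 27 make the distinction between access analysis and transaction analysis: the Sensitive Access Monitoring controls fire only when the same user actually performed both halves of a conflicting pair (created the supplier and then invoiced it, changed the ship-to and then released the order), not merely because the user holds both functions. The Python below is an added illustration of that correlation logic written for this page, not Oracle or FulcrumWay code. Its control ids, action names, users, entities and document references are constructed sample data; the action pairs mirror the wording of the SAM controls on the slide.

```python
"""Added example (not from the deck): Sensitive Access Monitoring style check
that correlates actual transactions, not granted access, to flag a user who
both maintained a master-data record and processed a transaction against it.
All control ids, action names and event records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str      # e.g. "CREATE_SUPPLIER", "CREATE_AP_INVOICE" (constructed names)
    entity: str      # the supplier or customer the action touched
    reference: str   # document id, kept for the audit trail


# Action pairs that should not be exercised by one person against the same
# entity, modelled on the slide's "Same user created Supplier and Payables
# Invoice" style controls.  The control ids are constructed placeholders.
SAM_CONTROLS = {
    "SAM-A": ("CREATE_SUPPLIER", "CREATE_AP_INVOICE"),
    "SAM-B": ("CREATE_SUPPLIER", "CREATE_PAYMENT"),
    "SAM-C": ("EDIT_CUSTOMER_SHIPTO", "RELEASE_ORDER"),
}


def find_violations(events, controls=SAM_CONTROLS, window=timedelta(days=90)):
    """Return (control_id, user, entity, first_ref, second_ref) for each hit.

    Two events violate a control when the same user performed both actions
    against the same entity within `window` of each other, in either order.
    A user who merely holds both functions but never exercised them on the
    same entity produces no hit: that is the access-only analysis's job."""
    index = defaultdict(list)              # (user, entity, action) -> [Event]
    for ev in events:
        index[(ev.user, ev.entity, ev.action)].append(ev)

    hits = []
    for cid, (act_a, act_b) in controls.items():
        for (user, entity, action), evs_a in list(index.items()):
            if action != act_a:
                continue
            # .get() does not insert into the defaultdict, so no side effects here
            for ev_a in evs_a:
                for ev_b in index.get((user, entity, act_b), []):
                    if abs(ev_b.when - ev_a.when) <= window:
                        hits.append((cid, user, entity, ev_a.reference, ev_b.reference))
    return sorted(hits)


# Constructed sample event log.
T0 = datetime(2013, 9, 2, 9, 0)
SAMPLE_EVENTS = [
    # john: edits ACME's ship-to, then releases an ACME order hours later -> SAM-C
    Event(T0, "john", "EDIT_CUSTOMER_SHIPTO", "ACME", "CUST-1001"),
    Event(T0 + timedelta(hours=3), "john", "RELEASE_ORDER", "ACME", "SO-123"),
    # maria: creates a supplier and invoices it two weeks later -> SAM-A
    Event(T0, "maria", "CREATE_SUPPLIER", "GLOBEX", "SUP-55"),
    Event(T0 + timedelta(days=14), "maria", "CREATE_AP_INVOICE", "GLOBEX", "INV-9001"),
    # maria also invoices a supplier that someone else created -> no hit
    Event(T0 + timedelta(days=1), "pat", "CREATE_SUPPLIER", "INITECH", "SUP-56"),
    Event(T0 + timedelta(days=2), "maria", "CREATE_AP_INVOICE", "INITECH", "INV-9002"),
    # lee: both actions on the same supplier, but a year apart -> outside the window
    Event(T0, "lee", "CREATE_SUPPLIER", "HOOLI", "SUP-57"),
    Event(T0 + timedelta(days=365), "lee", "CREATE_PAYMENT", "HOOLI", "PAY-7"),
]


def violations_summary(events=SAMPLE_EVENTS, window=timedelta(days=90)):
    """(control_id, user, entity) for each violation in the sample log."""
    return [(cid, user, entity) for cid, user, entity, *_ in find_violations(events, window=window)]


if __name__ == "__main__":
    for row in find_violations(SAMPLE_EVENTS):
        print(row)
```

The window parameter is the knob a control owner tunes: widening it to more than a year turns lee's pair into a third hit, while the INITECH case stays clean under any window because the two halves were performed by different users.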
28. Advanced Access and Security
29. AACG – Finding Conflicts
EBS access path:
User: Janie Adams
Responsibility: Sales Super User (Operations)
Menu: AR_Navigate_GUI12
Submenu: AZN_AR_Invoices_Entry
Function: Order
PSFT access path:
Page: Create Customer
Job Role: Receivables Management
Permission: Create Customers
SOD Conflict
30. Interpreting Access Conflicts: Finding the Right Path to Resolution
Hierarchy (labelled U, R, L, M, C, D on the slide): User > Role > Permission List > Menu > Panel Component > Page Definition
Remove Menu Path Conflicts
31. Simulate Changes: Know the Impact Before Committing Changes to the ERP
• Identify the changes to be made
• Click to create a change management work order
• Review impact of changes
• Create change request work order for System Administrator
32. The FulcrumWay Experience
33. Advanced Access and User Security for EBS and Oracle Fusion Applications
Brian Amato, CPA, CISA
Client Service Director - FulcrumWay
34. Agenda
Objectives, Drivers, Scope
Implementation Approach
Achievements and Benefits
Lessons learned
GRC Extensibility
35. Objectives, Drivers, Scope
Upgrade 8.6.3 to 8.6.4
Analyze SOD risks for EBS Financials and PSFT HR and Payroll
Define conditions to remove false positives
Implement new security model
36. Implementation Approach
Risk-Based Approach
Used Oracle’s seeded content
Understand changes from 8.6.3 to 8.6.4
37. FulcrumWay™ Application Controls Management Best Practices
Process steps: Assess Risk > Detect Violations > Analyze Issues > Remediate Issues > Implement Corrective Actions > Monitor Application Environment
Activities: Scope Application Controls; Sample ERP Data; Manage Exceptions; Setup Preventive Controls; Establish Test Environment
Roles: IT/Business Control Teams; Application Controls Manager; Application Security Administrator
38. Oracle Seeded Content
Human Resources: User Access Model Names
Maintain Employees & Modify Employee Salary
Maintain Employees & Process Payroll
Modify Employee Position & Process Payroll
Modify Employee Position & Maintain Employees
Modify Employee Position & Modify Employee Salary
Process Payroll & Modify Employee Salary
39. New Features in 8.6.4
User Experience
New Content
Relationship Assignments
Improved Search and Detection Engine
Setup and Administration
Performance Optimization
New Security Model
40. Achievements and Benefits
Able to secure EBS Financial data from HR/Payroll data!
Running a Single Instance of AACG for EBS Financials and PeopleSoft HR/Payroll
Lower costs of compliance
Lower IT burden and increased agility
41. Lessons Learned
Hardware/Software Certification Matrix
PeopleSoft Security Model
AACG Security Model
42. Access Hierarchy – PeopleSoft
Access Points: User Profile > Role > Permission List > Menu > Component > Page Definition
Evaluate User Access
• Test by User Profile
• Test by Page
43. Access Hierarchy – Oracle EBS
Access Points: Role > Responsibility > Menu > Sub-Menu > Function
44. 8.6.4 Security Model
45. 8.6.4 Security Model: Security Components
46. 8.6.4 Security Model
Leveraging Perspectives to Plan and Design AACG Security and Incident Management
• Examples of Perspectives aid in the definition of Data Roles
• A Perspective can span multiple ERP instances and types (PS, EBS)
• A Perspective gets created for each datasource
• Perspectives can define which users have security to AACG Controls and Incidents
47. GRC Extensibility: AACG with EBS and PeopleSoft
48. The Extensibility of Oracle Advanced Controls
49. Pre-Built Integrations
Continuous SOD Controls Monitoring: Pre-built; Extensible; Partner Pre-built (Customer Care & Billing); Custom or Legacy Applications
50. What is Extension?
Work done by end users and their developers to add new abilities to GRCC
WHY IS IT VALUABLE? Gives you the ability to extend standard functionality to meet your unique needs
WHAT PRODUCT DOES IT SPAN? EGRCM and EGRCC 8.x in a Single Platform
Ways to Extend GRCC
Expertise | Create a new…
End user | Model, Control, Incident
Developer | Business object, Connector, Pattern, API/Web Service
51. Risk Management: Clearly Separated Skill Sets
Skill Set Required (rated Required, Preferred or Not Required for each extension type)
Extension types: Connectors; Controls; Business Objects; Advanced Extensions
Skills: General Domain Knowledge (Financial, Medical, SCM, etc.); Business Application System Experts (EBS, PSFT, etc.); Application Engineer or Software Engineer; Actuarial Skills; Specific Domain Knowledge (P2P, GL, T&E, etc.); DBA's, ETL Users or Analytic App. Builders
• Allows us to build an internal factory for building meta-data cost-effectively
• Provides the platform for a future ecosystem of meta-data
• SDLC: Minimizing risk in execution through reduction of Knowledge Diffusion
52. High-Level Platform Extensibility Points
• Getting Data into GRC for Analysis
• OWL (Ontology Web Language) – an XML language
• Web Services
• Custom Objects
• Advanced extensions – Java
• Extending the Workflows & Reporting
• Both RESTful & SOAP Web Services available
• SOA Integration out of the box
• Data Analytics for Custom Reporting and Dashboards
• Physical and Logical Security that follows the GRC Security Model
53. Focus – GRC Controls Extensibility
• Takes a picture of various aspects of your system
  • Authorization model
  • Transaction model
  • Others
• Then, it searches for exceptions (violations)
• Controls are the criteria the system uses to search
• Points of Extensibility:
  • Different ways by which it searches
  • Different data sources through which it searches
  • Different ways it can provide the results (web services, etc.)
• Provides workflows for remediation of the exceptions
54. When do you need extensibility?
• Connecting to a custom application or COTS/ERP for which there exists no pre-built connector
• Custom data or behavior that needs to be added to application(s) that aren’t supported out of the box (PSFT, EBS, etc.)
• Adding custom reports to the system
  – Data Analytics data-mart provides an open analytic schema for all discovered violations and other data for custom reports
  – Robust security model for the analytic data-marts
Besides extensibility, a core feature of the product is custom objects – you can import data directly into the user interface of the application through a spreadsheet format (Microsoft Excel).
55. Examples of Extensibility
Extensibility Point | Use-Case
GRC Web Services | User Provisioning Requests (OIM, Fusion, etc.) using GRC APIs for near-real-time checks to see if a user should be provisioned a given set of roles.
GRC Connectors | UCM Connector allowing expense receipts of hotel folios, etc. to be analyzed using the GRC Text Analysis and reasoning engine
GRC Connectors | Connecting to Health-Care applications via their native protocols or HL7 to find Health-Care fraud and/or waste.
Workflow Extensibility | EGRCM and EGRCC SOA (SOAP), REST, and BPEL Extensibility
Data Analytics | Custom Reports and Analytics
56. GRC Data Analytics
GRC Transactional Schema is CLOSED.
– You may not access it. GRC Data Analytics is the way for you to extract data to build your own reports and analytics
GRC Data Analytic Schema includes:
– Summarized data in a properly normalized format for reporting (fact tables, dimensions, and other normalized forms – all tuned for the purposes of reporting and analytic dashboards)
– Full physical and logical security: GRC Users and Roles become Database Users and Views, allowing proper mirroring of data-level security in the application
– Populated on-demand or on a scheduled basis
– Will include data for both EGRCC and EGRCM
57. Conclusion
58. Impact of Oracle Advanced Controls: PwC Case Study
“…only two years after the implementation…, the external auditor relies 100 percent on Oracle GRC to assess security segregation of duties at the client.”
- PwC
Addressed material weakness resulting from security and compliance issues:
• Inappropriate access being granted
• Access granted without approval
• Access not reviewed
• Access not approved in timely manner
Source: PwC Whitepaper: Optimizing ERP Projects with GRC’s Advanced Financial Controls
59. ?’s
60. @OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter