Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance

Enforce Segregation of
Duties with Identity
Management and Oracle
Advanced Controls
Stephanie Golly
Sr. Principle Product
Manager
Oracle
Kent Spaulding
Sr. Principal Software Engineer
Oracle

The following is intended to outline our general product
direction. It is intended for information purposes only,
and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described for
Oracle’s products remains at the sole discretion of
Oracle.

Introductions
 Stephanie Golly, Oracle
– Product Manager for Application Access Controls Governor (AACG)
– Working with Oracle products for 10+ years
– Worked for startup that was eventually acquired by Oracle
– Located in Coeur d’Alene Idaho – (quite possibly the prettiest place on
Earth? )
When I’m not doing Oracle stuff, I
also enjoy riding bikes, boating,
hiking, kayaking, outdoor
activities!

Introductions
 Kent Spaulding, Oracle
– Software Architect for Oracle Advanced Controls
– Working in Software for 20+ years
– Expertise in Identity Management, Security, Data Analytics
– Located in Portland, Oregon – (quite possibly the prettiest place on
Earth? )
When I’m not doing Oracle stuff, I
ride (many) bikes, play disc golf,
enjoy telemark skiing and other
outdoor activities.

Agenda
 User Access Management Business Concerns
 An Automated look at User Management
 A closer look at Segregation of Duties
 Integrating Oracle Identity Management with Application Access
Controls Governor – a Case Study
 Realizing the Benefits

 Do users have
appropriate access?
 Will the access cause
Segregation of Duties
conflicts?
User Access Management
What are your Organizations Business Concerns?
 Users require access to
multiple systems
 User On-Boarding,
Transfers and Off-
Boarding is time and
resource intensive

 User On-Boarding,
Transfers and Off-
Boarding is time and
resource intensive
What does your process look like?

 Do users have
appropriate access?
How are you managing security in a complex system?
 Will the access cause
conflicts?
More People
More Systems
More Logistics

User: Janie Adams
Responsibility: Payables Super User (Process Operations)
Menu: AP_Navigate_GUI12
Submenu: AZN_AP_Invoices_Entry
Function: Payments
Privilege: Create Purchase Order
Role: Buyer
Permission List: Buyer Duty
SOD Conflict
PeopleSoft
EBS

How are you going to balance objectives?
Security and
Compliance
User
Access

Enforcing Segregation of Duties
with Identity Management and Advanced Controls
SOD
Check

Create Supplier Invoice Create PaymentSupplier
Create Supplier Create Payment
for same supplier
+ Create Supplier Create Payment
for supplier≠
Why is Segregation of Duties needed?

Mr. J (Left)
Miss H
Miss GMiss O
Miss DMr. P
Miss LMiss R
Mr. D
$82K
$5K $5 Million
$300K
$17 Million
$15K
$280K $15K
$350K
Who was accused of stealing?

Web of Control Issues
False Invoices
Inaccurate
Financial Reports
Unapproved or
Illegal Suppliers
Delayed Supplier
payments
Fraudulent
Checks
Unauthorized
Journal Entries
Inaccurate
Manual Journal
Entries
Unauthorized Pay
Increases
Duplicate
Payments
Bank Account
Changes
Unused Credit
Memos
Spilt Purchase
Orders
Invalid or
Duplicate
Supplier Master
Statutory Audit
Findings
Incorrect
Payment Terms
Overpayments to
Vendors Personal
Purchases on
Corporate Credit
Card
Missing Prices
Unauthorized
Credit
Unauthorized
Access
Unusual Returns

The Key is to Automate
by…
Enforcing Segregation of Duties with Oracle Identity Management

 Advanced Controls Foundation
 Access Controls Governor
 Pre-Built Integrations
 Demonstration
Advanced Controls

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal18 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal18
Advanced Controls Foundation
Custom or Legacy
Applications
Fusion Platform with Dashboards,
Alerts & Drilldowns
Sophisticated Controls Monitoring
and Enforcement Engine
Many Types of Controls against
Various Business Applications

• Move away from silo’d information
• Multiple ERPs monitored from a single application.
• Control totals and exposure areas in self-serve capacity.
Advanced Controls – Embedded Dashboards

Application Access Controls Governor
Enforce Proper Segregation of Duties Across Multiple Systems
Compensating
Policies
Preventive
Provisioning
Remediation
(Clean-up)
Access
Analysis
• Accelerate deployment and time to
value with pre-delivered controls library
• Mitigate risk of privileged user access
to enterprise applications with
approval workflow and audit trails
• Simplify segregation of duties
enforcement with simulation and
remediation
Define Access
Controls
Detection Prevention

Pre-Built Integrations
Custom or Legacy
Applications
Continuous SOD Controls Monitoring
Pre-built
Extensible
Partner Pre-built
CUSTOMER CARE
& BILLING

Role
Permission List
Menu
Component
Page Definition
Component
Page Definition
Access Hierarchy Example – PeopleSoft
Other important attributes:
Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
Access Points

Glossary of Terminology
Control ManagementAccessPoint
Any level node in
the access model
hierarchy for a
particular
application.
Entitlement
A logical
grouping of
Access points.
E.g. All pages
that allow a user
to create a
voucher grouped
as a single
Entitlement
“Create Voucher”
ModelControl
A rule that
defines toxic
combinations of
entitlements
and/or access
points.

 Review Model Definition
 Analyze Results
 Modify Entitlement
 Deploy Control
Demonstration

 How can we Integrate Oracle
Identity Manager with Application
Access Controls Governor?
Question

 Integration
 Architecture
 Key Workflows
 SoD Integration Library
 Deployment/Configuration
 Versions
Topics

Custom, Legacy, …
EBS AppsFusion Apps
ERP Security & SOD for OIM Projects
Oracle Identity Management
Submit User Access Request
Update User Account
Return SOD Response
Analyze impact and policy
overrides if needed
Request for User Access
1
2
3
4
5
User Provisioning Web Service
User Provisioning Web Service
Compliance/Business
Review
Oracle Advanced Controls
Access Controls Governor

Integration of OIM and Oracle AACG
Integrate Identity Management and SoD Across Systems
Provision Across Multiple
Systems
Automatic Role Provisioning
Increase Efficiency
Avoid Human Error
Check for

Key Workflows
Resource Provisioning
Workflow
Resource Approval
Workflow
 Real-time validation of entitlement
assignment requests using AACG.
 AACG uses predefined rules to determine
if the entitlement assignment would lead
to SoD violations.
 The results of the SoD analysis are
returned to Oracle Identity Manager.
 Provisions an entitlement request that has
passed the resource approval workflow
on the target system.
 Note: Can be configured to perform the
SoD validation a second time -
immediately before the entitlement
assignment is provisioned to the target
system. This ensures SoD compliance.

SoD Invocation Library and Providers
SoD Invocation Library (SIL)
 The SIL is a collection of Java-based
adapters that enable integration with OIM
Connectors.
SIL Providers
 Specialized adapters integrate the SIL with
SoD engines.
 SIL Providers act as the interface between
the SIL and AACG (or other SoD Engines.)
SoD-enabled OIM Connectors
 OIM Connectors that know about SoD
Workflows.
Oracle Identity Manager
- AACG
SoDInvocationLibrary(SIL)andAdapters
OAACG SIL
Provider
Conflict
Analysis
SoD Policy
Simulation
EBS UM Connector
Entitlement1
2
3
PeopleSoft UM Connector
1
2
3
Entitlement
Metadata driven Invocation of OAACG
SIL Provider
Preconfigured invocation of OAACG
SIL Provider
RDF Graph AACG DB

Deploying SIL Providers
Target systems for which SIL
registration is provided include:
 EBS and OAACG
 PSFT and OAACG
 SAP and SAP-GRC

Installing OIM Connectors
Installation InformationPre-configured Connectors
 Oracle e-Business User
Management release 9.1.0 and later
 SAP User Management release
9.1.2.5 and later
 See
http://download.oracle.com/docs/cd/
E11223_01/index.htm

Configuring the OAACG SoD Engine
Steps for Configuring any SoD Engine
Install Oracle AACG
Create an Oracle AACG Account for SoD Operations
Synchronize Role and Responsibility Data from EBS and PSFT
Define Access Controls in AACG
Enable SoD in OIM
Configuring Application Access Controls Governor
Import
• Import entitlement data
from the target system(s)
to the SoD engine.
Configure
• If required, configure
SoD validation rules on
the SoD engine.

Supported Versions, Other Information
 OIM 11gR2 and AACG Certified for 8.6.4.5 and up
 Installation Instructions for OIM Connectors
 See: http://download.oracle.com/docs/cd/E11223_01/index.htm
 OIM SoD Documentation explains how to:
 See: http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/segduties.htm
– Enable SSL in SIL Providers
– Customize Workflows for non-SoD-ready Connectors
– Combine Custom Target Systems and SoD Engines
– Troubleshooting the integration

Integrated IDM and OAC Solution
Oracle Advanced Controls Capabilities IDM OAC
Authentication & SSO for all systems
Coarse & fine grained authorization for heterogeneous IT systems
Account provisioning and de-provisioning
Attestation of access
Enterprise role management and role based automation
Author fine grain access controls in business terms
Define single SOD control to span multiple apps
Conduct simulations & what-if analysis
Pre-built Access, Risk and Compliance Dashboards
Deploy Compensating Config & Transaction Controls
Pre-built, certified adaptors to EBS, PSFT, Fusion

What did they allegedly spend it on?
A
B
C
D Childs medical bills
Tiara
Gambling sites
Jewelry collection
Miss H
Miss O
Mr. P
Miss G

 A Customer Case
 Solution Footprint
 High-level Integration
 Business Process Workflow
Enforcing Segregation of Duties
with Oracle Identity Management

Oracle Identity Management
+ Oracle Advanced Controls
CUSTOMER PROFILE
Global Semiconductor
Manufacturer
• $5+ billion revenue (2011)
• Privately held
• Uses OIM+AACG to govern access
provisioning in EBS and PSFT
Benefits
 Solution:
– Detect and prevent inappropriate
user access
 Result: Full enforcement of user access
policies in both EBS and PSFT.
Streamlined access request approval
with better decision support.

Solution Footprint
Finance
Finance SCM (Pln &
Mfg)
P2PO2C
Finance
CRM HCM
EBS
- General Ledger
- Payable
- Receivable
- Fixed Asset
-I Expenses
- Incentive Comp
- Adv. Collections
Hyperion
- HP, FDM, HFR
EBS
- ASCP (CBP)
- OSFM
- ODM
- GOP
Demantra
- DM
- S&OP
EBS
-Order Mgmt
- Advanced Pricing
- Inventory
- WMS
- Quoting
Global Trade Management./
Trade compliance.
Siebel
- Campaign Mgmt
- Sales
- CRM Base, Manufacturing
Option
-Remote Client
-Marketing server
Oracle Solution
PeopleSoft
- core HR
- Self Service:
- Time & Labor
- Global Payroll(SG, DE)
- Payroll Interface
- Absence Mgmt
- Learning Mgmt
- Benefits Admin
Application Integration Architecture
EBS
- Purchasing
- iProcurement
-Sourcing
- Procurement Contract
- Service Procurement
- Advance Pricing
- iSupplier Portal
- Quality - WMS
- Supplier Life Cycle Mgt - inventory
E-Forms
CIS
Data Warehouse
LDAP PTSSPACE
PEPS
BofA
3rd
Party (GTC)
Bloomberg
Visitor RegnLotus Email
E-Portal
Adexa MES View Plant Maint.
CIMPMS
B2B
FidelityB2A Manager
Property
Mgmt System
Security System
QuestionMarkADP Payroll
OrgPlus
Agile PLM
Interfaces to External / Legacy Applications
Oracle Corporation – Proprietary and Confidential
Security and IDM

Oracle Identity Manager
Resource
Approval
Workflow
Approval Request
Approval/Rejection
1st Level – Manager
2nd Level – Business Owner
3rd Level – Governance Team
Provision to EBS
Controls
Oracle AACG
Violations
Request
GL
Manager
(Already
has GL
User)
OIM – OAC (AACG) Integration

OIM to EBS Provisioning with SoD validation in AACG

Requesting Role in Self Service

SOD Validation and Approval

Benefits of Integrating AACG and OIM
Enterprise-wide, cross application SOD and access management solution
• One-stop proactive user access and SOD management
• Elimination of redundant user provisioning and SOD management efforts
• Increased user provisioning / de-provisioning efficiency
• Improved integration of new applications
• Increased accountability for user access
• Reduced audit deficiencies / greater compliance with laws and regulations
• Improved security / reduction of unauthorized user access

Oracle Advance Controls
OOW2013 Sessions &
Demo Pod Slides

@OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter

Demo Workstation
Moscone West 1st Floor #W-013
Monday Tuesday Wednesday
Demo ID 3532
Workstation #: W--013
9:45 – 6:00 9:45 – 6:00 9:45 – 4:00

Demo Workstation
Moscone West 1st Floor #W-013

Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite
 10:15AM Moscone West – 3018
 CON8816
Reducing Risk for Oracle E-Business Suite Upgrades and Implementations
 1:15PM Moscone West – 3018
 CON8830
Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades
 3:30PM Moscone West – 2002 / 2004
 CON8832
Learn More About Oracle Advance Controls
Wednesday

Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications
 2:00PM Moscone West – 3018
 CON8824
Meet the Governance, Risk, and Compliance Experts
 12:30PM Moscone West 2001A
 MTE9412
Learn More About Oracle Advance Controls
Thursday

Specialized Advanced Controls Partners
 New Benefit for Advanced Controls owners
 Specialized Partners:
– Trained by Oracle:
 Designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC
solutions
 Coming soon

Graphic Section Divider

The preceding is intended to outline our general product
direction. It is intended for information purposes only,
and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described for
Oracle’s products remains at the sole discretion of
Oracle.

Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (10)

Similar a Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance

Similar a Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance (20)

Más de Oracle

Más de Oracle (11)

Último

Último (20)

Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance