Integrate Oracle Identity Management and Advanced Controls for maximum efficiency and compliance
- 1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal
- 2. Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls
Stephanie Golly, Sr. Principal Product Manager, Oracle
Kent Spaulding, Sr. Principal Software Engineer, Oracle
- 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
- 4. Introductions
Stephanie Golly, Oracle
– Product Manager for Application Access Controls Governor (AACG)
– Working with Oracle products for 10+ years
– Worked for startup that was eventually acquired by Oracle
– Located in Coeur d’Alene, Idaho (quite possibly the prettiest place on Earth?)
When I’m not doing Oracle stuff, I also enjoy riding bikes, boating, hiking, kayaking, outdoor activities!
- 5. Introductions
Kent Spaulding, Oracle
– Software Architect for Oracle Advanced Controls
– Working in Software for 20+ years
– Expertise in Identity Management, Security, Data Analytics
– Located in Portland, Oregon (quite possibly the prettiest place on Earth?)
When I’m not doing Oracle stuff, I ride (many) bikes, play disc golf, enjoy telemark skiing and other outdoor activities.
- 6. Agenda
• User Access Management Business Concerns
• An Automated look at User Management
• A closer look at Segregation of Duties
• Integrating Oracle Identity Management with Application Access Controls Governor – a Case Study
• Realizing the Benefits
- 7. User Access Management
What are your Organization’s Business Concerns?
• Do users have appropriate access?
• Will the access cause Segregation of Duties conflicts?
• Users require access to multiple systems
• User On-Boarding, Transfers and Off-Boarding is time and resource intensive
- 8. User Access Management
What does your process look like?
• User On-Boarding, Transfers and Off-Boarding is time and resource intensive
- 9. User Access Management
How are you managing security in a complex system?
• Do users have appropriate access?
• Will the access cause Segregation of Duties conflicts?
More People, More Systems, More Logistics
- 10. Segregation of Duties
EBS
• User: Janie Adams
• Responsibility: Payables Super User (Process Operations)
• Menu: AP_Navigate_GUI12
• Submenu: AZN_AP_Invoices_Entry
• Function: Payments
PeopleSoft
• Role: Buyer
• Permission List: Buyer Duty
• Privilege: Create Purchase Order
SOD Conflict: the EBS Payments function held together with the PeopleSoft Create Purchase Order privilege.
- 11. How are you going to balance objectives?
Security and Compliance vs. User Access
- 12. Enforcing Segregation of Duties with Identity Management and Advanced Controls
SOD Check
- 13. Why is Segregation of Duties needed?
Process flow in the diagram: Supplier → Create Supplier → Invoice → Create Payment
• Create Supplier + Create Payment for the same supplier (the toxic combination)
• Create Supplier, Create Payment for supplier ≠ (different suppliers)
- 14. Who was accused of stealing?
(Quiz slide pairing people with amounts allegedly stolen: Mr. J (Left), Miss H, Miss G, Miss O, Miss D, Mr. P, Miss L, Miss R, Mr. D; amounts shown: $82K, $5K, $5 Million, $300K, $17 Million, $15K, $280K, $15K, $350K.)
- 15. Web of Control Issues
False Invoices; Inaccurate Financial Reports; Unapproved or Illegal Suppliers; Delayed Supplier Payments; Fraudulent Checks; Unauthorized Journal Entries; Inaccurate Manual Journal Entries; Unauthorized Pay Increases; Duplicate Payments; Bank Account Changes; Unused Credit Memos; Split Purchase Orders; Invalid or Duplicate Supplier Master; Statutory Audit Findings; Incorrect Payment Terms; Overpayments to Vendors; Personal Purchases on Corporate Credit Card; Missing Prices; Unauthorized Credit; Unauthorized Access; Unusual Returns
- 16. Enforcing Segregation of Duties with Oracle Identity Management
The Key is to Automate by…
- 17. Advanced Controls
• Advanced Controls Foundation
• Access Controls Governor
• Pre-Built Integrations
• Demonstration
- 18. Advanced Controls Foundation
• Fusion Platform with Dashboards, Alerts & Drilldowns
• Sophisticated Controls Monitoring and Enforcement Engine
• Many Types of Controls against Various Business Applications (including Custom or Legacy Applications)
- 19. Advanced Controls – Embedded Dashboards
• Move away from siloed information
• Multiple ERPs monitored from a single application.
• Control totals and exposure areas in self-serve capacity.
- 20. Application Access Controls Governor
Enforce Proper Segregation of Duties Across Multiple Systems
Lifecycle (Detection → Prevention): Define Access Controls → Access Analysis → Remediation (Clean-up) → Preventive Provisioning → Compensating Policies
• Accelerate deployment and time to value with pre-delivered controls library
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
- 21. Pre-Built Integrations
Continuous SOD Controls Monitoring
• Pre-built
• Extensible – Custom or Legacy Applications
• Partner Pre-built – Customer Care & Billing
- 22. Access Hierarchy Example – PeopleSoft
Access Points: Role → Permission List → Menu → Component → Page Definition (a menu can expose several components, each with its own page definition)
Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
- 23. Glossary of Terminology
Access Point: Any level node in the access model hierarchy for a particular application.
Entitlement: A logical grouping of Access points. E.g. all pages that allow a user to create a voucher grouped as a single Entitlement “Create Voucher”.
Control: A rule that defines toxic combinations of entitlements and/or access points.
- 24. Demonstration
• Review Model Definition
• Analyze Results
• Modify Entitlement
• Deploy Control
- 25. Question
How can we Integrate Oracle Identity Manager with Application Access Controls Governor?
- 26. Topics
• Integration Architecture
• Key Workflows
• SoD Integration Library
• Deployment/Configuration
• Versions
- 27. ERP Security & SOD for OIM Projects
Oracle Identity Management talks to Oracle Advanced Controls – Access Controls Governor through the User Provisioning Web Service; managed targets include EBS Apps, Fusion Apps and Custom, Legacy, … applications.
Flow (five numbered steps in the diagram):
1. Request for User Access
2. Submit User Access Request
3. Analyze impact and policy overrides if needed (Compliance/Business Review)
4. Return SOD Response
5. Update User Account
- 28. Integration of OIM and Oracle AACG
Integrate Identity Management and SoD Across Systems
• Provision Across Multiple Systems
• Automatic Role Provisioning
• Increase Efficiency
• Avoid Human Error
• Check for Segregation of Duties
- 29. Integration of OIM and Oracle AACG
Key Workflows
Resource Approval Workflow
Real-time validation of entitlement assignment requests using AACG. AACG uses predefined rules to determine if the entitlement assignment would lead to SoD violations. The results of the SoD analysis are returned to Oracle Identity Manager.
Resource Provisioning Workflow
Provisions an entitlement request that has passed the resource approval workflow on the target system.
Note: Can be configured to perform the SoD validation a second time, immediately before the entitlement assignment is provisioned to the target system. This ensures SoD compliance.
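The glossary on slide 23 (access points grouped into entitlements, controls as toxic combinations) and the two workflows above can be modelled in a few lines. The Python below is an added illustration, not Oracle or AACG code; the access-point paths, the supplier-entry node and the control names are constructed for the example, and `process_request` stands in for the OIM resource approval workflow.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    """Any node in an application's access hierarchy (EBS responsibility,
    menu or function; PeopleSoft role, permission list or page)."""
    system: str
    node: str

@dataclass(frozen=True)
class Entitlement:
    """Logical grouping of access points that all grant the same business
    capability, e.g. every node that lets a user create a payment."""
    name: str
    points: frozenset

@dataclass(frozen=True)
class Control:
    """Toxic combination: holding every listed entitlement is a violation."""
    name: str
    conflicting: frozenset

def entitlements_held(points, catalogue):
    """An entitlement is held if the user has any one of its access points."""
    return frozenset(e.name for e in catalogue if e.points & points)

def sod_check(current, requested, catalogue, controls):
    """Simulate granting `requested` on top of `current` access and return
    the names of controls whose whole toxic combination would then be held."""
    held = entitlements_held(frozenset(current) | frozenset(requested), catalogue)
    return sorted(c.name for c in controls if c.conflicting <= held)

def process_request(requested, fetch_current, catalogue, controls):
    """Approval workflow: validate at request time and, as the deck's optional
    second validation, again right before provisioning, because the user's
    access may have changed while the approvals were pending."""
    first = sod_check(fetch_current(), requested, catalogue, controls)
    if first:
        return "REJECTED_AT_REQUEST", first
    # ... manager / business owner / governance approvals would run here ...
    second = sod_check(fetch_current(), requested, catalogue, controls)
    if second:
        return "REJECTED_BEFORE_PROVISIONING", second
    return "PROVISIONED", []

# Constructed sample data modelled on slides 10 and 13 (not real AACG content).
EBS_PAYMENTS = AccessPoint("EBS", "Payables Super User/AP_Navigate_GUI12/AZN_AP_Invoices_Entry/Payments")
EBS_SUPPLIER_ENTRY = AccessPoint("EBS", "Payables Super User/Suppliers/Entry")  # constructed node
PSFT_CREATE_PO = AccessPoint("PeopleSoft", "Buyer/Buyer Duty/Create Purchase Order")
CATALOGUE = [
    Entitlement("Create Payment", frozenset({EBS_PAYMENTS})),
    Entitlement("Create Supplier", frozenset({EBS_SUPPLIER_ENTRY})),
    Entitlement("Create Purchase Order", frozenset({PSFT_CREATE_PO})),
]
CONTROLS = [
    Control("Create Supplier vs Create Payment", frozenset({"Create Supplier", "Create Payment"})),
    Control("Create Purchase Order vs Create Payment", frozenset({"Create Purchase Order", "Create Payment"})),
]
```

Calling `sod_check({EBS_PAYMENTS}, {PSFT_CREATE_PO}, CATALOGUE, CONTROLS)` reproduces the Janie Adams conflict from slide 10; `process_request` with a `fetch_current` whose result changes between the two calls shows why the second validation before provisioning matters.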
- 30. Integration of OIM and Oracle AACG
SoD Invocation Library and Providers
SoD Invocation Library (SIL)
The SIL is a collection of Java-based adapters that enable integration with OIM Connectors.
SIL Providers
Specialized adapters integrate the SIL with SoD engines. SIL Providers act as the interface between the SIL and AACG (or other SoD Engines).
SoD-enabled OIM Connectors
OIM Connectors that know about SoD Workflows.
(Architecture diagram: in Oracle Identity Manager, the EBS UM Connector and the PeopleSoft UM Connector pass entitlements through the SoD Invocation Library (SIL) and Adapters to the OAACG SIL Provider, which calls Oracle Advanced Controls – AACG for Conflict Analysis and SoD Policy Simulation, backed by an RDF Graph and the AACG DB. Invocation of the OAACG SIL Provider is either metadata driven or preconfigured.)
- 31. Integration of OIM and Oracle AACG
Deploying SIL Providers
Target systems for which SIL registration is provided include:
• EBS and OAACG
• PSFT and OAACG
• SAP and SAP-GRC
- 32. Integration of OIM and Oracle AACG
Installing OIM Connectors
Pre-configured Connectors:
• Oracle e-Business User Management release 9.1.0 and later
• SAP User Management release 9.1.2.5 and later
Installation Information: see http://download.oracle.com/docs/cd/E11223_01/index.htm
- 33. Integration of OIM and Oracle AACG
Configuring the OAACG SoD Engine
Steps for Configuring any SoD Engine
1. Install Oracle AACG
2. Create an Oracle AACG Account for SoD Operations
3. Synchronize Role and Responsibility Data from EBS and PSFT
4. Define Access Controls in AACG
5. Enable SoD in OIM
Configuring Application Access Controls Governor
• Import: Import entitlement data from the target system(s) to the SoD engine.
• Configure: If required, configure SoD validation rules on the SoD engine.
- 34. Integration of OIM and Oracle AACG
Supported Versions, Other Information
• OIM 11gR2 and AACG Certified for 8.6.4.5 and up
• Installation Instructions for OIM Connectors – see: http://download.oracle.com/docs/cd/E11223_01/index.htm
• OIM SoD Documentation (see: http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/segduties.htm) explains how to:
– Enable SSL in SIL Providers
– Customize Workflows for non-SoD-ready Connectors
– Combine Custom Target Systems and SoD Engines
– Troubleshoot the integration
- 35. Integrated IDM and OAC Solution
Oracle Advanced Controls Capabilities (matrix with IDM and OAC columns on the slide):
• Authentication & SSO for all systems
• Coarse & fine grained authorization for heterogeneous IT systems
• Account provisioning and de-provisioning
• Attestation of access
• Enterprise role management and role based automation
• Author fine grain access controls in business terms
• Define single SOD control to span multiple apps
• Conduct simulations & what-if analysis
• Pre-built Access, Risk and Compliance Dashboards
• Deploy Compensating Config & Transaction Controls
• Pre-built, certified adaptors to EBS, PSFT, Fusion
- 36. What did they allegedly spend it on?
(Quiz slide matching Miss H, Miss O, Mr. P and Miss G to answers A–D: Child’s medical bills, Tiara, Gambling sites, Jewelry collection.)
- 37. Enforcing Segregation of Duties with Oracle Identity Management
A Customer Case
• Solution Footprint
• High-level Integration
• Business Process Workflow
- 38. Oracle Identity Management + Oracle Advanced Controls
CUSTOMER PROFILE: Global Semiconductor Manufacturer
• $5+ billion revenue (2011)
• Privately held
• Uses OIM+AACG to govern access provisioning in EBS and PSFT
Benefits
Solution: Detect and prevent inappropriate user access
Result: Full enforcement of user access policies in both EBS and PSFT. Streamlined access request approval with better decision support.
- 39. Solution Footprint
Oracle Solution, by business area:
• Finance – EBS: General Ledger, Payables, Receivables, Fixed Assets, iExpenses, Incentive Comp, Adv. Collections; Hyperion: HP, FDM, HFR
• SCM (Pln & Mfg) – EBS: ASCP (CBP), OSFM, ODM, GOP; Demantra: DM, S&OP
• O2C – EBS: Order Mgmt, Advanced Pricing, Inventory, WMS, Quoting; Global Trade Management / Trade compliance
• CRM – Siebel: Campaign Mgmt, Sales, CRM Base, Manufacturing Option, Remote Client, Marketing server
• HCM – PeopleSoft: core HR, Self Service, Time & Labor, Global Payroll (SG, DE), Payroll Interface, Absence Mgmt, Learning Mgmt, Benefits Admin
• P2P – EBS: Purchasing, iProcurement, Sourcing, Procurement Contract, Service Procurement, Advance Pricing, iSupplier Portal, Quality, WMS, Supplier Life Cycle Mgt, Inventory
Connected through Application Integration Architecture.
Interfaces to External / Legacy Applications: E-Forms, CIS, Data Warehouse, LDAP, PTSSPACE, PEPS, BofA, 3rd Party (GTC), Bloomberg, Visitor Regn, Lotus Email, E-Portal, Adexa, MES View, Plant Maint., CIMPMS, B2B, Fidelity, B2A Manager, Property Mgmt System, Security System, QuestionMark, ADP Payroll, OrgPlus, Agile PLM
Security and IDM: Oracle Advanced Controls
Oracle Corporation – Proprietary and Confidential
- 40. OIM – OAC (AACG) Integration
Flow shown in the diagram: a Request for GL Manager (the user already has GL User) enters the Oracle Identity Manager Resource Approval Workflow. The Approval Request passes through three levels (1st Level – Manager, 2nd Level – Business Owner, 3rd Level – Governance Team); Oracle AACG evaluates the request against its Controls and reports Violations, which feed the Approval/Rejection decision. An approved request is provisioned to EBS.
- 41. OIM to EBS Provisioning with SoD validation in AACG
- 44. Benefits of Integrating AACG and OIM
Enterprise-wide, cross application SOD and access management solution
• One-stop proactive user access and SOD management
• Elimination of redundant user provisioning and SOD management efforts
• Increased user provisioning / de-provisioning efficiency
• Improved integration of new applications
• Increased accountability for user access
• Reduced audit deficiencies / greater compliance with laws and regulations
• Improved security / reduction of unauthorized user access
- 45. Oracle Advanced Controls OOW2013 Sessions & Demo Pod Slides
- 46. Oracle GRC Advanced Controls
• Follow us on Twitter: @OracleAdvCntrls
• Join Our LinkedIn Group
- 47. Demo Workstation
Moscone West 1st Floor #W-013
Demo ID 3532, Workstation #: W-013
Hours: Monday 9:45 – 6:00; Tuesday 9:45 – 6:00; Wednesday 9:45 – 4:00
- 48. Demo Workstation
Moscone West 1st Floor #W-013
- 49. Learn More About Oracle Advanced Controls – Wednesday
• CON8816 Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite – 10:15AM, Moscone West – 3018
• CON8830 Reducing Risk for Oracle E-Business Suite Upgrades and Implementations – 1:15PM, Moscone West – 3018
• CON8832 Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades – 3:30PM, Moscone West – 2002 / 2004
- 50. Learn More About Oracle Advanced Controls – Thursday
• CON8824 Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications – 2:00PM, Moscone West – 3018
• MTE9412 Meet the Governance, Risk, and Compliance Experts – 12:30PM, Moscone West 2001A
- 51. Specialized Advanced Controls Partners
New Benefit for Advanced Controls owners
Specialized Partners:
– Trained by Oracle: Designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC solutions
Coming soon
- 53. The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.