Presentation from Alliance 11 conference from the University of Nebraska and Smart ERP Solutions. Covers Row Level Security and Segregation of Duties for PeopleSoft.
2. Denise Goin, PeopleSoft Security Specialist, University of Nebraska CSN
14+ years working with PeopleSoft Security, Campus Solutions, HR, Financials, Portal.
Higher Ed, Public and Private Sector. Former Oracle Security Consultant.
Kirk Chan/Ramesh Panchagnula, Smart ERP Solutions, Inc.
3. Multi-Institutional Implementation in 2 Production Instances
Using SmartSecurity in Development as well as in Production environments
Overview of solution providing automated Segregation of Duties directly from within your PeopleSoft
4. Row Level Security at the University of Nebraska
Denise Goin, PeopleSoft Security Specialist, University of Nebraska CSN
5. Nebraska Student Information System structure
Change in how Security is structured and maintained
Business process changing: enable SACR security for the functional offices
Shared data/components/SACR (especially with Multi-Institution)
Why did Nebraska choose Smart Security?
No row level security on many components in the system, and no read all/update own on anything.
Fully configurable as business processes change, or new functionality is needed.
As wide open or as restricted as we like.
Business Requirement: to be able to SEE everything, but only allow UPDATE to our own students, especially CPP
6. Nebraska Student Information System (NeSIS)
NeSIS
  NU: UNL, UNO, UNK, UNMC
  NSCS: Chadron, Wayne, Peru
7. NeSIS Security Team
PeopleSoft Security Specialist
  University Security Analyst: UNK, UNL, UNMC, UNO (one Security Coordinator, "Sec. Cord.", per campus)
  State College Security Analyst: CSC, PSC, WSC (one Security Coordinator, "Sec. Cord.", per college)
8. Row Level Security: The Issues
Business Processes Changing
SF SACR Security started the trend
No Institution Specific row level security on many pages (Transactional, Configuration, Security/SACR Security)
Using the Security views on the pages that allow it didn't allow for viewing other schools' data when needed (Transactional, Configuration, Security/SACR Security, Custom/Cloned)
9. But... We Want it ALL
How to grant access to Student Data from another school without running the risk of mistakes being made when entering data?
Many students will attend multiple Universities, even in the same term.
Can we protect the data and still allow access to it?
29. Built-in model enables SoD enforcement
Violations checked BEFORE go-live
Your decision to enforce rules or allow violations
Saves time (= money)
Easy set-up and testing for violations
Quick and easy reporting
Reduces number of compensating controls required
Reduces auditing effort / costs
Reduces risk
Enforcing and reporting SoD violations reduces opportunity for fraud
30. Nothing in PeopleSoft
Any release
Use a Spreadsheet?
How do you...
Ensure the actual access control mirrors the spreadsheet?
Ensure the right people access the right data?
Manage change control problems?
Assess impact of changes?
Manage enforcement of SoD?
31. Aim:
Prevent SoD Violations occurring during security Assignment.
Ensure Security Policy is enforced long term.
32. [Diagram] SoD check of an A/P "Super" Voucher Clerk role assembled from: 1. AP Voucher clerk, 2. Secondary role 2, 3. Secondary role 3; the check reports OK or the number of violations (6 in the figure). Build a security change (role assignment or security) without affecting live security; extract from the pre-populated model.
Segregate this task -> From this task
Sales Order Entry -> Purchase Order
Vendor Master -> Bank Payments
Sales Pricing -> Sales Order Entry
Purchase Order -> Goods Receipt
Customer Master -> Sales Order Entry
Sales Order Entry -> Credit limits
Credit Notes -> Invoicing (A/R)
Purchase Order -> Vendor Master
Purchase Order -> Invoice entry (A/P)
Vendor Master -> Purchase Order
Vendor Master -> Credit Notes
Invoice entry (A/P) -> Bank Payments
33. Aim:
Accurately assess existing security for remediation.
Reduce Audit time and cost.
Build case for restructuring security.
34. Reporting directly on existing PeopleSoft security
Roles (High-Level)
Permission List (Process)
Components (In-depth Audit)
35. Creating a journal entry and opening a closed accounting period
Maintaining accounts receivable master data and posting receipts
Depositing cash and reconciling bank statements
Completing goods transfer and adjusting physical inventory counts
Approving time cards and distributing paychecks
Preparing an order and changing a billing document
Changing an order and creating a delivery
Creating general ledger accounts and posting journal entries
Maintaining bank account information and posting payments
36. Role level
Create matrix of all active system roles
Identify all roles that should not be linked to the same user, such as purchasing and payments
Permission List / Business Process level
Include Application security & processing options
Add to / modify as needed
Component / Program level
Add in any custom or modified processing
If creating your own rules, start with the most important controls & gradually add to them
37. Current Economic Climate (fewer employees)
Many redundancies equate to fewer people doing more.
Major requirement from Audit to allow remediation where a user is considered a risk.
SOX requires that during an audit all risks must at least be visible and understood by the business.
With this comes risk assessment and documentation.
Seasonal Changes
Staff holidays or time away from the office require other users to be able to perform these additional duties.
38. Ability to mitigate users once a validation has occurred.
Details of mitigation, including notes, get added to a mitigation table.
The user gets checked during the next validation but is not added to the violations table.
Ability to time out mitigations, i.e. allowing for staff who are on holiday, etc.
39.
40. Business Requirements -> Smart Solutions
Row level security on any data that requires limited or authorized access -> Smart Security
Define, manage and enforce segregation of duties for various roles within an organization to adhere to compliance requirements -> Smart SoD
Robust workflow approval capabilities across any business transaction or documents across your Enterprise -> Smart Workflow
Streamlined and easy-to-use data entry pages configured to meet your specific business process requirements, incl. industry requirements; easily add features anywhere such as Save as Draft, Copy from Templates, Attachments, Configurable Print, Collaborative Comments, Workflow, User Help, Business Process View -> Smart Docs including ERP Gadget
Configuring and tailoring business processes to meet your organization's specific processes, including defining step-by-step actions for each process and managing your users through your organization's specific business process -> Smart Enterprise BPM
One-stop visibility into the full business process lifecycle of a transaction -> Smart Lifecycle Viewer
Addressing additional compliance requirements not in standard PeopleSoft (I-9/W-4 Form, 1042 Foreign National Requirements) -> Smart Compliance
Manageable solutions for complex integration needs -> Smart Integration Packs
Other Common, Critical and Complementary business requirements -> Tell us, we'll build it!
41. Smart SoD™
Developed expressly for PeopleSoft by SmartERP in cooperation with Q Software
Uniquely integrated within your current PeopleSoft
Powerful Proactive, Reactive and Mitigation features
Built-in Analytics/Reporting/Dashboards
Use delivered SoD rules or easily create your own
42.
43. SoD Model and Rules
Reactive: Mass check for user violations
Proactive: Validate new user profile against established SoD rules
Dashboard/Analytics
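As an added illustration of the reactive mass check and proactive profile validation described on this slide, together with the timed mitigations from slide 38, here is a small Python model (not the vendor's code and not the PeopleSoft data model): the conflicting-task pairs come from slide 35, while the role names, user IDs and mitigation table are constructed.

```python
from datetime import date

# Conflicting task pairs, taken from the list on slide 35 (constructed subset).
SOD_RULES = [
    ("create journal entry", "open closed accounting period"),
    ("maintain AR master data", "post receipts"),
    ("create GL accounts", "post journal entries"),
    ("maintain bank account information", "post payments"),
]

# Hypothetical role names; in PeopleSoft the reachable tasks would come from
# roles -> permission lists -> components (slide 34).
ROLE_TASKS = {
    "GL_JOURNAL_CLERK": {"create journal entry", "post journal entries"},
    "GL_PERIOD_ADMIN": {"open closed accounting period"},
    "GL_ACCOUNT_MAINT": {"create GL accounts"},
    "AR_MASTER_MAINT": {"maintain AR master data"},
    "AR_CASH_APP": {"post receipts"},
}

# Constructed mitigation table (slide 38): (user, rule) -> expiry date.
MITIGATIONS = {("bsmith", SOD_RULES[1]): date(2011, 3, 31)}

def user_tasks(roles):
    """Union of the tasks reachable through every role the user holds."""
    return set().union(*(ROLE_TASKS.get(r, set()) for r in roles))

def rule_violations(roles):
    """Every SoD rule whose two conflicting tasks are both reachable."""
    tasks = user_tasks(roles)
    return [r for r in SOD_RULES if r[0] in tasks and r[1] in tasks]

def validate_profile(user, roles, today):
    """Proactive check (slide 43): violations a new or changed profile would
    create, minus mitigations still in force on `today` (ISO date string)."""
    as_of = date.fromisoformat(today)
    open_violations = []
    for rule in rule_violations(roles):
        expiry = MITIGATIONS.get((user, rule))
        if expiry is None or expiry < as_of:  # timed-out mitigation counts again
            open_violations.append(rule)
    return open_violations

def mass_check(user_roles, today):
    """Reactive check (slide 43): run every existing user and keep only those
    with unmitigated violations, i.e. what goes on the violations table."""
    report = {u: validate_profile(u, r, today) for u, r in user_roles.items()}
    return {u: v for u, v in report.items() if v}
```

Calling validate_profile before a role assignment is saved is the proactive path; running mass_check over the current user population is the reactive one.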
44.
45. Value Statement
Segregation of Duties is an important element of your overall PeopleSoft security and risk management
Key Features of Smart SoD can help you maintain legislative compliance (SOX), meet audit requirements and reduce the likelihood and impact of fraud and errors
Expressly designed for your current PeopleSoft
Powerful Proactive, Reactive and Mitigation Features
Automated Workflow Approvals
Reporting/Dashboards facilitate audits and compliance
Use pre-packaged built-in SoD rules (from PeopleSoft audits) or easily create your own
Add-on Architecture Lowers Total Cost of Ownership
Seamless Integration
Utilize Best Practices
Maintenance and Upgrades
46. Denise Goin
PeopleSoft Security Specialist
University of Nebraska CSN
University of Nebraska
E-mail: ddgoin@nebraska.edu
Kirk Chan
VP, Business Development
Smart ERP Solutions, Inc.
E-mail: kirk.c@smarterp.com
Ramesh Panchagnula
President
Smart ERP Solutions, Inc.
E-mail: ramesh.p@smarterp.com
47. This presentation and all Alliance 2011 presentations are available for download from the Conference site at
www.heug.org
www.psugonline.org
www.federalusersnetwork.com
Presentations from previous meetings are also available