Integrate Oracle Identity Management and Advanced Controls for Maximum Efficiency and Compliance
DESCRIPTION
Provide automatic role provisioning across multiple systems while avoiding human error and checking SOD in one process.
TRANSCRIPT
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 1
Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls
Stephanie Golly, Sr. Principal Product Manager, Oracle
Kent Spaulding, Sr. Principal Software Engineer, Oracle
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Introductions
Stephanie Golly, Oracle
– Product Manager for Application Access Controls Governor (AACG)
– Working with Oracle products for 10+ years
– Worked for startup that was eventually acquired by Oracle
– Located in Coeur d’Alene, Idaho – (quite possibly the prettiest place on Earth?)
When I’m not doing Oracle stuff, I also enjoy riding bikes, boating, hiking, kayaking, outdoor activities!
Introductions
Kent Spaulding, Oracle
– Software Architect for Oracle Advanced Controls
– Working in software for 20+ years
– Expertise in Identity Management, Security, Data Analytics
– Located in Portland, Oregon – (quite possibly the prettiest place on Earth?)
When I’m not doing Oracle stuff, I ride (many) bikes, play disc golf, enjoy telemark skiing and other outdoor activities.
Agenda
User Access Management Business Concerns
An Automated Look at User Management
A Closer Look at Segregation of Duties
Integrating Oracle Identity Management with Application Access Controls Governor – a Case Study
Realizing the Benefits
User Access Management: What are your organization’s business concerns?
• Do users have appropriate access?
• Will the access cause Segregation of Duties conflicts?
• Users require access to multiple systems
• User on-boarding, transfers and off-boarding is time and resource intensive
User Access Management: What does your process look like?
• User on-boarding, transfers and off-boarding is time and resource intensive
User Access Management: How are you managing security in a complex system?
• Do users have appropriate access?
• Will the access cause Segregation of Duties conflicts?
• More people, more systems, more logistics
Segregation of Duties
User: Janie Adams
EBS
– Responsibility: Payables Super User (Process Operations)
– Menu: AP_Navigate_GUI12
– Submenu: AZN_AP_Invoices_Entry
– Function: Payments
PeopleSoft
– Role: Buyer
– Permission List: Buyer Duty
– Privilege: Create Purchase Order
SOD Conflict: Payments (EBS) combined with Create Purchase Order (PeopleSoft), i.e. a conflict that spans two systems and is invisible to either one alone.
How are you going to balance objectives?
Security and Compliance vs. User Access
Enforcing Segregation of Duties with Identity Management and Advanced Controls
SOD Check
Why is Segregation of Duties needed?
Access points shown: Create Supplier, Create Supplier Invoice, Create Payment
• Create Supplier + Create Payment for the same supplier: SOD conflict (one person can set up a supplier and then pay it)
• Create Supplier + Create Payment for a different supplier (≠): no conflict
Who was accused of stealing?
(Slide shows photos: Mr. J (left), Miss H, Miss G, Miss O, Miss D, Mr. P, Miss L, Miss R, Mr. D, with amounts $82K, $5K, $5 Million, $300K, $17 Million, $15K, $280K, $15K, $350K)
Web of Control Issues
• False invoices
• Inaccurate financial reports
• Unapproved or illegal suppliers
• Delayed supplier payments
• Fraudulent checks
• Unauthorized journal entries
• Inaccurate manual journal entries
• Unauthorized pay increases
• Duplicate payments
• Bank account changes
• Unused credit memos
• Split purchase orders
• Invalid or duplicate supplier master
• Statutory audit findings
• Incorrect payment terms
• Overpayments to vendors
• Personal purchases on corporate credit card
• Missing prices
• Unauthorized credit
• Unauthorized access
• Unusual returns
The Key is to Automate by…
Enforcing Segregation of Duties with Oracle Identity Management
Advanced Controls
Advanced Controls Foundation
Access Controls Governor
Pre-Built Integrations
Demonstration
Advanced Controls Foundation
• Sophisticated controls monitoring and enforcement engine
• Many types of controls against various business applications, including custom or legacy applications
• Fusion platform with dashboards, alerts and drilldowns
Advanced Controls – Embedded Dashboards
• Move away from siloed information
• Multiple ERPs monitored from a single application
• Control totals and exposure areas in self-serve capacity
Application Access Controls Governor: Enforce Proper Segregation of Duties Across Multiple Systems
Lifecycle: Define Access Controls, Access Analysis (detection), Remediation (clean-up), Preventive Provisioning (prevention), Compensating Policies
• Accelerate deployment and time to value with pre-delivered controls library
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
Pre-Built Integrations: Continuous SOD Controls Monitoring
• Pre-built
• Extensible (custom or legacy applications)
• Partner pre-built (Customer Care & Billing)
Access Hierarchy Example – PeopleSoft
Role → Permission List → Menu → Component → Page Definition (a menu holds several components, each with its own page definitions)
Access Points: any node in this hierarchy
Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
Glossary of Terminology: Control Management
Access Point: Any level node in the access model hierarchy for a particular application.
Entitlement: A logical grouping of access points, e.g. all pages that allow a user to create a voucher grouped as a single entitlement “Create Voucher”.
Model / Control: A rule that defines toxic combinations of entitlements and/or access points.
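The three glossary terms, applied to the Janie Adams slide, as an added example (this is illustration code, not code from the deck or from AACG). It walks each application’s access hierarchy down to access points, maps access points to entitlements, evaluates controls as toxic combinations of entitlements, and simulates a requested assignment the way preventive provisioning does. The EBS and PeopleSoft nodes named on the slides are used as given; the extra nodes (Purchasing, PO_Navigate, Suppliers, PO_ENTRY), the entitlement names and the control ids (AP-01, P2P-03) are assumptions.

```python
"""SoD analysis in the AACG vocabulary: access points in a per-application
hierarchy, entitlements as groupings of access points, controls as toxic
combinations of entitlements. Added illustration; sample data is constructed."""

# Access hierarchy per application: node -> child nodes (constructed)
HIERARCHY = {
    "EBS": {
        "Responsibility:Payables Super User": ["Menu:AP_Navigate_GUI12"],
        "Menu:AP_Navigate_GUI12": ["Submenu:AZN_AP_Invoices_Entry"],
        "Submenu:AZN_AP_Invoices_Entry": ["Function:Payments"],
        "Responsibility:Purchasing": ["Menu:PO_Navigate"],      # assumed
        "Menu:PO_Navigate": ["Function:Suppliers"],               # assumed
    },
    "PeopleSoft": {
        "Role:Buyer": ["PermissionList:Buyer Duty"],
        "PermissionList:Buyer Duty": ["Menu:Purchasing"],         # assumed
        "Menu:Purchasing": ["Component:PO_ENTRY"],                # assumed
        "Component:PO_ENTRY": ["Page:Create Purchase Order"],     # assumed
    },
}

# Entitlements: logical groupings of access points keyed (application, node).
# An entitlement may span applications, which is what lets one control catch a
# conflict split across EBS and PeopleSoft.
ENTITLEMENTS = {
    "Create Payment": {("EBS", "Function:Payments")},
    "Create Purchase Order": {("PeopleSoft", "Page:Create Purchase Order")},
    "Create Supplier": {("EBS", "Function:Suppliers")},
}

# Controls: a user violates a control when they hold every entitlement in it.
CONTROLS = {
    "AP-01 Create Supplier vs Create Payment": ("Create Supplier", "Create Payment"),
    "P2P-03 Create Purchase Order vs Create Payment": ("Create Purchase Order", "Create Payment"),
}


def expand(application, node):
    """All access points reachable from `node` (inclusive) by walking down the hierarchy."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(HIERARCHY[application].get(current, []))
    return {(application, n) for n in seen}


def access_points(assignments):
    """Flatten top-level assignments such as {('EBS', 'Responsibility:...')} to access points."""
    points = set()
    for application, node in assignments:
        points |= expand(application, node)
    return points


def entitlements_held(assignments):
    points = access_points(assignments)
    return {name for name, members in ENTITLEMENTS.items() if members & points}


def violations(assignments):
    """Sorted names of the controls the user's current access violates."""
    held = entitlements_held(assignments)
    return sorted(name for name, combo in CONTROLS.items() if all(e in held for e in combo))


def simulate(assignments, requested):
    """Preventive check: the violations that granting `requested` would newly introduce."""
    before = set(violations(assignments))
    after = set(violations(set(assignments) | {requested}))
    return sorted(after - before)


# Janie Adams as on the slide: one responsibility in EBS, one role in PeopleSoft.
JANIE = {("EBS", "Responsibility:Payables Super User"), ("PeopleSoft", "Role:Buyer")}

if __name__ == "__main__":
    print("entitlements held:", sorted(entitlements_held(JANIE)))
    print("violations:", violations(JANIE))
    print("if granted EBS Purchasing:", simulate(JANIE, ("EBS", "Responsibility:Purchasing")))
```

The check is deliberately done on access points rather than on role names: renaming or nesting a role does not change what it reaches, so a control defined once in business terms (Create Payment vs Create Purchase Order) keeps working as the role hierarchies in each system evolve.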
Demonstration
Review Model Definition → Analyze Results → Modify Entitlement → Deploy Control
Question: How can we integrate Oracle Identity Manager with Application Access Controls Governor?
Topics
Integration Architecture
Key Workflows
SoD Integration Library
Deployment/Configuration
Versions
ERP Security & SOD for OIM Projects
Oracle Identity Management and Oracle Advanced Controls Access Controls Governor communicate through the User Provisioning Web Service; targets are EBS Apps, Fusion Apps, and custom or legacy applications.
1. Request for User Access
2. Submit User Access Request (OIM calls the AACG User Provisioning Web Service)
3. Analyze impact and policy overrides if needed (Compliance/Business Review)
4. Return SOD Response
5. Update User Account
Integration of OIM and Oracle AACG: Integrate Identity Management and SoD Across Systems
• Provision across multiple systems
• Automatic role provisioning
• Increase efficiency
• Avoid human error
• Check for Segregation of Duties
Integration of OIM and Oracle AACG: Key Workflows
Resource Approval Workflow
– Real-time validation of entitlement assignment requests using AACG.
– AACG uses predefined rules to determine if the entitlement assignment would lead to SoD violations.
– The results of the SoD analysis are returned to Oracle Identity Manager.
Resource Provisioning Workflow
– Provisions an entitlement request that has passed the resource approval workflow on the target system.
– Note: can be configured to perform the SoD validation a second time, immediately before the entitlement assignment is provisioned to the target system, so that access the user gained between approval and provisioning is also taken into account. This ensures SoD compliance.
Integration of OIM and Oracle AACG: SoD Invocation Library and Providers
SoD Invocation Library (SIL): a collection of Java-based adapters that enable integration with OIM Connectors.
SIL Providers: specialized adapters that integrate the SIL with SoD engines. SIL Providers act as the interface between the SIL and AACG (or other SoD engines).
SoD-enabled OIM Connectors: OIM Connectors that know about SoD workflows.
(Diagram: Oracle Identity Manager with the EBS UM Connector and the PeopleSoft UM Connector, each passing entitlements 1, 2, 3 into the SoD Invocation Library (SIL) and Adapters, which call the OAACG SIL Provider; Oracle Advanced Controls – AACG performs Conflict Analysis and SoD Policy Simulation over its RDF Graph and AACG DB. Invocation of the OAACG SIL Provider is either metadata driven or preconfigured.)
Integration of OIM and Oracle AACG: Deploying SIL Providers
Target systems for which SIL registration is provided include:
– EBS and OAACG
– PSFT and OAACG
– SAP and SAP-GRC
Integration of OIM and Oracle AACG: Installing OIM Connectors
Pre-configured connectors:
– Oracle e-Business User Management release 9.1.0 and later
– SAP User Management release 9.1.2.5 and later
Installation information: see http://download.oracle.com/docs/cd/E11223_01/index.htm
Integration of OIM and Oracle AACG: Configuring the OAACG SoD Engine
Steps for configuring any SoD engine:
1. Install Oracle AACG
2. Create an Oracle AACG account for SoD operations
3. Synchronize role and responsibility data from EBS and PSFT
4. Define access controls in AACG
5. Enable SoD in OIM
Configuring Application Access Controls Governor:
• Import: import entitlement data from the target system(s) to the SoD engine.
• Configure: if required, configure SoD validation rules on the SoD engine.
Integration of OIM and Oracle AACG: Supported Versions, Other Information
OIM 11gR2 is certified with AACG 8.6.4.5 and later.
Installation instructions for OIM Connectors: see http://download.oracle.com/docs/cd/E11223_01/index.htm
The OIM SoD documentation (see http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/segduties.htm) explains how to:
– Enable SSL in SIL Providers
– Customize workflows for non-SoD-ready connectors
– Combine custom target systems and SoD engines
– Troubleshoot the integration
Integrated IDM and OAC Solution
Oracle Advanced Controls Capabilities
IDM:
– Authentication & SSO for all systems
– Coarse & fine grained authorization for heterogeneous IT systems
– Account provisioning and de-provisioning
– Attestation of access
– Enterprise role management and role based automation
OAC:
– Author fine grain access controls in business terms
– Define single SOD control to span multiple apps
– Conduct simulations & what-if analysis
– Pre-built Access, Risk and Compliance Dashboards
– Deploy Compensating Config & Transaction Controls
– Pre-built, certified adaptors to EBS, PSFT, Fusion
What did they allegedly spend it on?
Options A, B, C, D: Child’s medical bills, Tiara, Gambling sites, Jewelry collection (matched to Miss H, Miss O, Mr. P, Miss G)
Enforcing Segregation of Duties with Oracle Identity Management: A Customer Case
Solution Footprint
High-level Integration
Business Process Workflow
Oracle Identity Management + Oracle Advanced Controls
Customer profile: global semiconductor manufacturer
• $5+ billion revenue (2011)
• Privately held
• Uses OIM+AACG to govern access provisioning in EBS and PSFT
Solution: detect and prevent inappropriate user access
Result: full enforcement of user access policies in both EBS and PSFT; streamlined access request approval with better decision support.
Solution Footprint
Finance: EBS (General Ledger, Payables, Receivables, Fixed Assets, iExpenses, Incentive Comp, Advanced Collections); Hyperion (HP, FDM, HFR)
SCM (Planning & Manufacturing): EBS (ASCP (CBP), OSFM, ODM, GOP); Demantra (DM, S&OP)
O2C: EBS (Order Management, Advanced Pricing, Inventory, WMS, Quoting); Global Trade Management / trade compliance
CRM: Siebel (Campaign Management, Sales, CRM Base, Manufacturing Option, Remote Client, Marketing server)
HCM: PeopleSoft (core HR, Self Service, Time & Labor, Global Payroll (SG, DE), Payroll Interface, Absence Management, Learning Management, Benefits Admin)
P2P: EBS (Purchasing, iProcurement, Sourcing, Procurement Contracts, Services Procurement, Advanced Pricing, iSupplier Portal, Quality, WMS, Supplier Lifecycle Management, Inventory)
Application Integration Architecture
Security and IDM
Oracle Advanced Controls
Interfaces to external / legacy applications: E-Forms, CIS, Data Warehouse, LDAP, PTS, SPACE, PEPS, BofA, 3rd Party (GTC), Bloomberg, Visitor Regn, Lotus Email, E-Portal, Adexa, MES View, Plant Maint., CIM, PMS, B2B, Fidelity, B2A Manager, Property Mgmt System, Security System, QuestionMark, ADP Payroll, OrgPlus, Agile PLM
Oracle Corporation – Proprietary and Confidential
OIM – OAC (AACG) Integration
Request: GL Manager (requester already has GL User)
Oracle Identity Manager – Resource Approval Workflow: Approval Request → 1st Level – Manager → 2nd Level – Business Owner → 3rd Level – Governance Team → Approval/Rejection → Provision to EBS
Oracle AACG: Controls → Violations returned to the approval workflow
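The Key Workflows slide and the customer-case approval workflow above, worked end to end as an added example (illustration code, not OIM or AACG code): SoD validation at submission, routing of violations to compliance review, the three approval levels from the customer case, and the optional second SoD validation immediately before provisioning. The SoD engine here is a stand-in for the AACG web service that knows only toxic entitlement pairs; the “GL User” vs “GL Manager” conflict, the user ids, the approver names and the compensating-policy override are assumptions.

```python
"""Request lifecycle in the OIM + AACG integration as the slides describe it.
Added illustration; all names and the toy SoD engine are constructed."""
from dataclasses import dataclass, field

APPROVAL_LEVELS = ("Manager", "Business Owner", "Governance Team")


class SodEngine:
    """Stand-in for the AACG user provisioning web service (assumption)."""

    def __init__(self, toxic_pairs):
        self.toxic = {frozenset(pair) for pair in toxic_pairs}
        self.overrides = set()  # pairs accepted under a compensating policy

    def override(self, a, b):
        self.overrides.add(frozenset({a, b}))

    def check(self, held, requested):
        """Held entitlements that conflict with `requested` and are not overridden."""
        return sorted(h for h in held
                      if frozenset({h, requested}) in self.toxic - self.overrides)


@dataclass
class Request:
    user: str
    target: str
    entitlement: str
    status: str = "NEW"
    violations: list = field(default_factory=list)
    approvals: list = field(default_factory=list)


class Provisioner:
    """OIM side of the flow. `targets` is the live account state of each target
    system, e.g. {'EBS': {'jadams': {'GL User'}}} (constructed)."""

    def __init__(self, engine, targets):
        self.engine, self.targets = engine, targets

    def held(self, req):
        return self.targets[req.target].get(req.user, set())

    def submit(self, req):
        # Architecture steps 2-4: ask the SoD engine before routing for approval.
        # A violating request goes to compliance/business review, not to the approvers.
        req.violations = self.engine.check(self.held(req), req.entitlement)
        req.status = "COMPLIANCE_REVIEW" if req.violations else "PENDING_APPROVAL"
        return req.status

    def approve(self, req, level, approver):
        if req.status != "PENDING_APPROVAL":
            raise ValueError(f"request is {req.status}, not awaiting approval")
        expected = APPROVAL_LEVELS[len(req.approvals)]
        if level != expected:
            raise ValueError(f"expected {expected} approval, got {level}")
        req.approvals.append((level, approver))
        if len(req.approvals) == len(APPROVAL_LEVELS):
            req.status = "APPROVED"
        return req.status

    def provision(self, req):
        if req.status != "APPROVED":
            raise ValueError(f"request is {req.status}, not approved")
        # Second validation right before the write: the user's access on the target
        # may have changed since submission (another request, or a grant made
        # directly in the target behind OIM's back).
        req.violations = self.engine.check(self.held(req), req.entitlement)
        if req.violations:
            req.status = "REJECTED_AT_PROVISIONING"
            return req.status
        self.targets[req.target].setdefault(req.user, set()).add(req.entitlement)
        req.status = "PROVISIONED"
        return req.status


def demo():
    """Two requests: one resolved by a compensating policy, one caught by the re-check."""
    engine = SodEngine([("GL User", "GL Manager"), ("Create Supplier", "Create Payment")])
    ebs = {"jadams": {"GL User"}, "bsmith": set()}   # constructed target state
    oim = Provisioner(engine, {"EBS": ebs})
    approvers = ("mgr", "owner", "grc")

    # 1) GL Manager requested by someone who already holds GL User (customer case slide)
    r1 = Request("jadams", "EBS", "GL Manager")
    first_status = oim.submit(r1)                 # COMPLIANCE_REVIEW
    engine.override("GL User", "GL Manager")      # reviewers accept a compensating policy
    oim.submit(r1)                                # PENDING_APPROVAL
    for level, who in zip(APPROVAL_LEVELS, approvers):
        oim.approve(r1, level, who)
    oim.provision(r1)                             # PROVISIONED

    # 2) Clean at submission, but access changes on the target during approval
    r2 = Request("bsmith", "EBS", "Create Payment")
    oim.submit(r2)
    for level, who in zip(APPROVAL_LEVELS, approvers):
        oim.approve(r2, level, who)
    ebs["bsmith"].add("Create Supplier")          # granted directly in EBS, bypassing OIM
    oim.provision(r2)                             # REJECTED_AT_PROVISIONING
    return first_status, r1, r2


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second scenario is the reason the slide’s note matters: an approval chain can take days, and a check done only at submission says nothing about grants made in the target system in the meantime. Re-validating against the target’s current state at the moment of provisioning closes that window.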
Screenshots:
– OIM to EBS Provisioning with SoD validation in AACG
– Requesting Role in Self Service
– SOD Validation and Approval
Benefits of Integrating AACG and OIM: Enterprise-wide, cross-application SOD and access management solution
• One-stop proactive user access and SOD management
• Elimination of redundant user provisioning and SOD management efforts
• Increased user provisioning / de-provisioning efficiency
• Improved integration of new applications
• Increased accountability for user access
• Reduced audit deficiencies / greater compliance with laws and regulations
• Improved security / reduction of unauthorized user access
Oracle Advanced Controls OOW2013 Sessions & Demo Pod Slides
Oracle GRC Advanced Controls: join our LinkedIn group; follow us on Twitter @OracleAdvCntrls
Demo Workstation: Moscone West 1st Floor #W-013, Demo ID 3532
Hours: Monday 9:45 – 6:00, Tuesday 9:45 – 6:00, Wednesday 9:45 – 4:00
Learn More About Oracle Advanced Controls
Wednesday
– CON8816 Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite, 10:15AM, Moscone West – 3018
– CON8830 Reducing Risk for Oracle E-Business Suite Upgrades and Implementations, 1:15PM, Moscone West – 3018
– CON8832 Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades, 3:30PM, Moscone West – 2002 / 2004
Thursday
– CON8824 Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications, 2:00PM, Moscone West – 3018
– MTE9412 Meet the Governance, Risk, and Compliance Experts, 12:30PM, Moscone West 2001A
Specialized Advanced Controls Partners
New benefit for Advanced Controls owners
Specialized Partners:
– Trained by Oracle: designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC solutions
Coming soon
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.