When planning their implementation most of our clients struggle assigning the right roles and
responsibilities to their users. Most admin security groups have to constantly walk the tightrope of
providing too much or not enough access to key functions within the application. Too much access
allows users to break generally accepted separation of duty rules which may lead to fraud or exposure
of key sensitive information. Of course, too little access causes communication overhead between
departments and individuals as they try to gather all the data necessary for their job function.
When explained that clearly we can all see that this would be problematic. Large systems like Oracle
ERP Cloud have thousands of tasks, roles and privileges that provide a myriad of overlapping capabilities
that may lead to conflicts within the separation of duties (SOD). In addition, if you’re subject to SOX
compliance or similar legislation, there are key considerations of which you need to be aware that
further complicate the process.
Let’s discuss the pros and cons of access security as offered by Oracle ERP Cloud, a leader in the cloud
computing arena. Oracle ERP Cloud uses role-based access control (RBAC). Access to functions and data
is defined at the role level rather than at the user level, which is the most efficient way to manage
security, especially in large organizations that require scalability. This reduces an administrator’s effort
as roles are maintained at a higher level and can be assigned to multiple users that perform the same
Three security types are available:
- Job/Function Roles – what users with a particular job can do; e.g. financial analysts, accounts payable managers, etc.
- Data roles – define which set of data a user can access, such as US vs EU operations. Access can be restricted to specific organizations or granted across all organizations depending on the requirement.
- Common Roles – shared functionality that is not job specific; self-service HR forms and expense reporting, for example, since both managers and employees need access to functions such as time sheet submission and expense reporting
Within the Oracle Financials Cloud module, for example, there are several common job roles that come “out of the box.” These Seeded Roles can be used as delivered or modified to suit your business. Or, you can create new roles from scratch. Think of General Ledger Manager or Accounts Payable specialist as typical job roles.
The advantages of using Seeded Roles are very much in line with the benefits that Oracle promotes for adopting ERP Cloud:
- Faster time to value, with pre-defined roles that can be provisioned with minimum setup.
- Reduced operational security administration costs from using standardized roles.
- Standard Seeded Roles exist in all Oracle ERP Cloud products. So consistency and integration have been built in.
But when you dig deeper and consider SOD and SOX compliance, the disadvantages of using the Seeded Roles come to light.
Standardization brings many benefits, but, as always, there’s a downside. Oracle assumes that the Seeded Roles will fit your organization with very little customization and that the pre-defined Oracle Cloud SOD policies used to design the seeded roles will adequately test the risks in your business. Oracle states that the duty definitions in seeded roles have been defined using their best practices approach, although these best practices policies have not been documented and are not available for general user review. With SOD policies not being available, and no easy means of reporting on SOD violations, users can be left in the dark about the suitability of their security. As experienced security implementers, we know that this is often the case.
Short of purchasing very expensive Risk and Compliance software that includes detailed audit of SOD violations, an alternative is to work with expert implementers who have created hybrid roles that meet internal and external Auditor requirements as well as SOX compliance reviews. The hybrid roles incorporate seeded Oracle roles with modifications that take into consideration “normal” business requirements. Since few companies are one size fits all, these can further be modified by completing a series of questions that will address specific considerations. If you are interested in talking to our staff of experienced implementers, please contact us at firstname.lastname@example.org.