#JDEINFOCUS
Cynthia Milenkovich, August 22, 2018
A Midsummer Night’s Security Dream
Leveraging a Best Practice JDE Security Model
Introductions
Our Cast of Characters
Act I, Scene i
Proof of Concept has begun
Overall Basic Requirements
• Ensure all users can access what they need
• Protect sensitive information
• Secure environment with “all doors closed”
  • Application
  • Action Code
  • Data
• Establish appropriate controls using segregation of duties
• Keep security tables small
• Maximize return on time investment
  • Expediting set up
  • Minimizing future rework
Achieving your Objectives
POC Objectives – Left to Test?
• SOD Reporting
• Include Mitigating Controls?
• Other Reporting
• General Maintenance
• Other
Take a Look?
General Walk Through
Basic Maintenance
Users & Roles
•Creating and Maintaining Users Faster in a Grid
•Identify and Remove Inactive Users
•Creating or Maintaining Roles Faster in a Grid
•Role Assignment
•Managing Multiple Role Issues
•User & Role Relationships Reporting
•User/Role Clean up
Security
•F00950 Faster Maintenance in a Grid
•Menu Filtering Concepts & Maintenance with Security
•Understanding and Implementing ‘Deny All’
•Security Clean up
Reporting
•Run ALLOut Access Reports
•Define SoD Rules in ALLOut
•Run ALLOut Segregation of Duties Reports
•ALLOut Mitigating Controls
•Apply Mitigating Controls to Users/Roles
•Business Unit Reporting
•ALLOut Access Auditing
Menus
•Creating and Maintaining Menus Faster in a Grid
Additional Areas We Could Schedule
Act I, Scene ii
What's in a Role?
Security Design
• Deny ALL
• Application, Action and Data
• Search and select applications
• UDCs, Media Objects, Applications ending in “S”
• Applications available to all users
• System Access - Work with Submitted Jobs
• Other – Address Book, Item Master
• Data that is Open (MCU called Open, master data)
*Public in a Closed System
Where to Start
• Determine Business Streams in Scope
• Break Down Areas within the Streams
Company A
  Procure to Pay
    Procurement
    Accounts Payable
    Receiving
  Fixed Assets
    Asset Transactions
    Reporting
  Inventory Mgmt
    Inventory Transactions
    Balance Management
    MRP
  Order to Cash
    Sales Order
    Accounts Receivable
Security Role Details
Detail The Processes in Areas
Procurement: PO Creation, PO Inquiry, Receiving, Vendor Set Up
Accounts Payable: Voucher Entry, Reporting, Accounting, Vendor Set Up
Strategies for Security Role Design
• Security Roles
  • Application, Action Code, E1 Pages and Other Security Detail
  • Job Functions
  • Meaningful to Management
Receiving Manager: 1-Receiving, 2-PO Inquiry, 3-Manufacturing Basics, 4-Receiving Manager
Receive: 1-Receiving, 2-PO Inquiry, 3-Manufacturing Basics, 4-Inventory Basics
Department Manager: 2-PO Inquiry, 3-Manufacturing Basics, 5-GL Inquiry, 6-WO Exception Management
Task View Navigation
Graphical Methods of Accessing
Best Practice for Roles
• Achieve Best Practice
• Small Process Based Roles – “Users change – Processes Don’t”
• Security needs to be “Deny ALL, Grant Back”
• Role based security should be “Yes” settings at role level
• Sign on with “All Roles”
• Use role based menu filtering and/or E1 Pages for navigation
• Have separate roles for functional security and data security
  • Application and action code security in functional role
  • Data security (row and column security) in a separate role
  • Allows for more flexibility and reusability when assigning roles to users
• Roles should not have Segregation of Duties conflicts within them
  • Process based roles make it easier to achieve segregation of duties
  • Role AP Manager will likely contain SoD breaches
• Resolve role sequencer/hierarchy conflicts within roles
Act I, Scene iii
The 1st Interruption
ALLOut Tools
Access Reporting
SOD Reporting
Audit Trail Report
SOD Locking
Change Control
Mitigating Controls
Requests & Approvals
Controlled Roles
Manage Unused Access
SecurityPlus
CombiRoles
ProfilePlus
MenuPlus
Risk Reporting
Risk Management
Act II, Scene i
Collecting Requirements for Redesign
SOD Reporting
• Create the List (All Programs that enable update to a process)
• Create SOD Rules
• Determine Rule Details
• Execute Reports
• Update Reporting Options as Desired
Creating Rules – Take a Look?
Mitigating Control
• Create the Control
• Associate with a User or Role
• Determine What Rule or Rules it Relates to
• Decide How You Want it to Show in Reporting
Controls – Take a Look?
Act II, Scene ii
What light through yonder Grid doth Shine?
SODMaster – Best Practice Lists & Rules
Identify Critical Process & Apply SOD
If you use process roles, managing Segregation of Duties is possible by controlling role assignment alone: controlling access to programs (within roles) is unnecessary if the roles themselves only permit a single activity.
• LIST04A: P041016, P041017, P0411, P0411SV, P0411Z1, R04110Z2, R04110ZA, R0411Z1, P042002
• LIST04C: P0411S, P0457, P04572, P04572U, P04572W, R04570, R04803
• Rule 04A04C (LIST04A + LIST04C): User can create internal intent to make payment to a fictitious supplier, or to a valid supplier inappropriately, and approve payment to it.
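The check that the "Best Practice for Roles" and "Identify Critical Process & Apply SOD" slides describe, written out as an added example rather than ALLOut or JD Edwards code: a list is a set of update programs, a rule is a conflicting pair of lists, a user's effective access is the union of all assigned roles, and a mitigating control attached to the user or to a role is reported against the conflict. The list contents and rule name are taken from the slide; the roles, user ids and control associations are constructed sample data.

```python
"""Segregation-of-duties check over process-based roles (added example;
not ALLOut or JD Edwards code).  List contents, list names and the rule
name come from the slide; roles, users and control associations are
constructed sample data."""

# Lists: all programs that enable update to one process (from the slide).
LISTS = {
    "LIST04A": {"P041016", "P041017", "P0411", "P0411SV", "P0411Z1",
                "R04110Z2", "R04110ZA", "R0411Z1", "P042002"},
    "LIST04C": {"P0411S", "P0457", "P04572", "P04572U", "P04572W",
                "R04570", "R04803"},
}
# Rule: holding update access in both lists is a conflict.
RULES = {"04A04C": ("LIST04A", "LIST04C")}
# Constructed process roles.  Each permits a single activity, except
# AP_MANAGER, which bundles voucher entry with payment and so carries
# the breach inside the role itself.
ROLES = {
    "AP_VOUCHER": {"P0411", "P0411SV", "P0411Z1"},
    "AP_PAYMENT": {"P04572", "R04570", "R04803"},
    "AP_INQUIRY": {"P0411SV"},
    "AP_MANAGER": {"P0411", "P04572", "R04570"},
}
# Constructed mitigating controls, keyed by (user or role, rule).
# Control ids are taken from the slide's suggested-controls table.
CONTROLS = {("USER02", "04A04C"): "FIN007", ("AP_MANAGER", "04A04C"): "FIN001"}


def conflicts(programs):
    """Rule ids whose two lists both intersect the given program set."""
    return [rule for rule, (a, b) in RULES.items()
            if programs & LISTS[a] and programs & LISTS[b]]


def roles_with_breaches():
    """Roles that break SoD on their own (the 'AP Manager' case)."""
    return {role: conflicts(progs) for role, progs in ROLES.items()
            if conflicts(progs)}


def check_user(user, roles):
    """Conflicts across the union of a user's roles (sign-on with all roles).
    Each conflict maps to the mitigating control attached to the user or to
    one of the roles, or to None when the breach is unmitigated."""
    programs = set().union(*(ROLES[r] for r in roles))
    report = {}
    for rule in conflicts(programs):
        holders = [user] + list(roles)
        report[rule] = next((CONTROLS[(h, rule)] for h in holders
                             if (h, rule) in CONTROLS), None)
    return report
```

Because the single-activity roles never intersect both lists on their own, the only way a breach appears for them is through role assignment, which is the point the slide makes.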
Suggested Controls

| Control | Control Description | Control Group | Frequency | Active | Control Definition |
| --- | --- | --- | --- | --- | --- |
| FIN001 | Financial Statement Review | ACCOUNTING | M | Y | Income Statements and Balance Sheets are Reviewed by the Company Management. |
| FIN002 | Reconcile to Source System | RECONCILE | M | Y | Reconciliation with the Source Systems data. |
| FIN003 | Reconcile To Bank Statement | RECONCILE | M | Y | Bank Account Reconciliation to Monthly Bank Statements. |
| FIN004 | Review FA Disposals Report | ACCOUNTING | M | Y | A Report of Disposals is Reviewed and Confirmed Periodically. |
| FIN005 | Review FA Additions Report | ACCOUNTING | M | Y | A Report of Fixed Assets Additions is Reviewed and Confirmed Periodically. |
| FIN006 | Review Itm Ledger Cost Changes | ACCOUNTING | M | Y | A Report Showing Item Ledger Inventory Cost Changes is Reviewed on Monthly and Yearly basis. |
| FIN007 | Review Journal Entries | ACCOUNTING | M | Y | All GL Journal Entries are Reviewed by a Third Party Before Posting. |
| FIN008 | Asset Master Update Segregated | ACCESS | | Y | Asset Master File is Created by a Third Responsible Person. |
| FIN009 | Review Inv. Revaluation JEs | ACCOUNTING | M | Y | Inventory Revaluation Journal Entries are Reviewed by an Authorized Person. |

• It’s All There
  • Risks
  • Controls
  • Rules
  • Lists
• Matrix Linked
Act III, Scene i (a week has passed)
Oh, brave, New World that has such software in it!
Risk Reporting – Overview
• System Access & Critical Process Access Reports
  • Version/Form Sensitive
  • User/Role Based
  • Program Based
• Segregation Of Duties Rules and Conflict Reports
  • SOD Levels and Categories
  • Environment Specific
• Row Security Access Reports
  • Business Unit
  • Company Access
• Distribution Lists
• Output to Excel or PDF
Risk Management – Overview
• Segregation Of Duties Rule & Breaches Reports
  • Manual processes & external data from non-JDE Systems
  • Mitigating Controls with Audit Trail and Documentation
  • Solution Explorer Menu Access
• Role Assignment Change Controls
  • Preventative Segregation Of Duties – Warning or Hard Stop
  • “Requests and Approvals”
  • Audit Trail
  • Controlled Roles
• Security and Menu Change Controls
  • SOD Validation & Approval before Promotion
  • Optional Templates
• Security History Audit Reporting
  • Changes made through JDE (F9312)
  • Optionally Include Changes made through ALLOut
Please complete a session evaluation
Session ID: 103550
Contact Info:
[email protected]
[email protected]
323-617-3645
Who is the Quest Community?
A 55,000+ member user community for Oracle Cloud, JD Edwards and PeopleSoft customers.
What the Quest JD Edwards Community offers:
• Customized digital content
• Official JD Edwards newsletter
• Customer success stories
• Virtual and face-to-face events
• JD Edwards networking groups
Visit www.QuestDirect.org for more information!