Managing Oracle Access Risk: Easy Fixes for Oracle EBS and Oracle Cloud

By Pat Wadland posted 06-30-2021 02:29 PM


Maintaining the security of your Oracle EBS or Cloud applications requires constant attention. As employees come and go, are promoted, or move to different departments, verifying who has access to your systems and what they can do with that access is a task that must be revisited and adjusted periodically.

To help you secure your Oracle application environments, we’ve put together a set of simple tasks that you can perform right now that will help you configure responsibilities or roles within your system to enhance your Oracle application access security. 

Review generic users and their access

While there are legitimate uses for SYSADMIN and other generic user accounts, they should be used judiciously and carefully, in particular because they typically have access to the System Administrator/Application Developer responsibilities (Oracle EBS) or the Application Implementation Consultant/IT Security Manager job roles (Oracle Cloud), which provide full access to key functionality. These responsibilities and job roles should be assigned only to users who require them. Therefore, you should periodically review whether these responsibilities or roles are being used, which users have this type of access, and who holds the passwords for these accounts. Automated audit tools will show what system administrators are doing with their access, including any data and configuration settings that were changed using it.
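As an added example (not code from the original post or from Fastpath), the following Oracle EBS query lists every open user account that currently holds a high-privilege responsibility, plus the generic accounts with no linked employee record. It assumes SELECT access to the APPS schema and the standard FND tables; the responsibility names in the IN list are the seeded EBS ones, so add your own custom admin responsibilities. Oracle Cloud has a different security data model, so this applies to EBS only.

```sql
-- Added example: open accounts holding admin responsibilities (Oracle EBS).
-- Three end-date checks are needed: the user, the assignment, and the
-- responsibility itself can each be end-dated independently.
SELECT u.user_name,
       u.employee_id,                 -- NULL means a generic/service account
       r.responsibility_name,
       urg.start_date   AS assigned_from,
       urg.end_date     AS assigned_until,
       u.last_logon_date
  FROM fnd_user u
  JOIN fnd_user_resp_groups_direct urg
    ON urg.user_id = u.user_id
  JOIN fnd_responsibility_vl r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id    = urg.responsibility_application_id
 WHERE r.responsibility_name IN ('System Administrator',
                                 'System Administration',
                                 'Application Developer')
   AND (u.end_date   IS NULL OR u.end_date   > SYSDATE)   -- account open
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)   -- assignment open
   AND (r.end_date   IS NULL OR r.end_date   > SYSDATE)   -- responsibility open
 ORDER BY r.responsibility_name, u.user_name;

-- Generic accounts: open users with no HR person behind them. Each one needs
-- a documented owner and purpose; exclude only seeded accounts you have
-- verified must stay open on your instance (e.g. GUEST).
SELECT user_name,
       creation_date,
       last_logon_date                -- NULL = never logged in interactively
  FROM fnd_user
 WHERE employee_id IS NULL
   AND (end_date IS NULL OR end_date > SYSDATE)
 ORDER BY last_logon_date NULLS FIRST, user_name;
```

Accounts that appear in the first result set but show no recent last_logon_date are candidates for end-dating rather than for a password reset.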

Inquiry responsibilities or roles can do more than just inquire

Just because a responsibility or role has “Inquiry” in its name does not mean it lacks the ability to perform transactions or update master data. Always verify, using automated Segregation of Duties tools, that these Inquiry responsibilities or roles are limited in how much access they grant and are truly for inquiry-only purposes. Excessive access on an inquiry role might give users the ability to:

  • See financial results before they are made public
  • Compromise PII or HIPAA privacy
  • View salary information or derived salary information (project billing rates)
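To make the “inquiry in name only” problem concrete, here is an added Oracle EBS query (not from the original post or Fastpath) that walks the menu tree of every open responsibility whose name contains “Inquiry” and lists the form functions it reaches that are not flagged query-only. It assumes the standard FND tables and that a form function is read-only only when its parameters contain QUERY_ONLY=YES; it is a first-pass heuristic, not a substitute for SoD tooling.

```sql
-- Added example: functions reachable from "Inquiry" responsibilities that are
-- not query-only (Oracle EBS). Caveats: ignores menu/function exclusions
-- attached to the responsibility (FND_RESP_FUNCTIONS) and non-form functions
-- (HTML/OAF pages, concurrent requests), so treat hits as leads to confirm.
SELECT r.responsibility_name,
       f.function_name,
       fv.user_function_name,
       f.parameters
  FROM fnd_responsibility_vl r
  JOIN (
        -- every granted function entry anywhere under a responsibility's
        -- top-level menu; CONNECT_BY_ROOT keeps track of which root it came from
        SELECT CONNECT_BY_ROOT menu_id AS root_menu_id,
               function_id
          FROM fnd_menu_entries
         WHERE function_id IS NOT NULL        -- applied after the traversal
           AND grant_flag  = 'Y'
         START WITH menu_id IN (
               SELECT menu_id
                 FROM fnd_responsibility_vl
                WHERE UPPER(responsibility_name) LIKE '%INQUIRY%')
       CONNECT BY NOCYCLE PRIOR sub_menu_id = menu_id
       ) me
    ON me.root_menu_id = r.menu_id
  JOIN fnd_form_functions f
    ON f.function_id = me.function_id
  JOIN fnd_form_functions_vl fv
    ON fv.function_id = f.function_id
 WHERE UPPER(r.responsibility_name) LIKE '%INQUIRY%'
   AND (r.end_date IS NULL OR r.end_date > SYSDATE)
   AND f.type = 'FORM'                                   -- Forms-based functions
   AND NVL(UPPER(f.parameters), ' ') NOT LIKE '%QUERY_ONLY=YES%'
 ORDER BY r.responsibility_name, f.function_name;
```

A non-empty result for a given responsibility does not by itself prove a user can update data, but every row is a function an “inquiry” user can open in a mode that permits it.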

Review users linked to terminated employees

When possible, automate the termination of a user’s Oracle access when the employee is terminated. Because these accounts can be re-activated by anyone with administrative access, orphaned user IDs can become backdoors into your Oracle application. Administrators should regularly look for active user IDs tied to terminated employee accounts.
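The check described in this section, as an added Oracle EBS example (not from the original post or Fastpath): find open application accounts whose linked HR person has no current period of service. It assumes the standard FND and HRMS tables, that FND_USER.EMPLOYEE_ID holds the PER_ALL_PEOPLE_F.PERSON_ID, and that employees (not contingent workers, who are tracked in PER_PERIODS_OF_PLACEMENT) are the population of interest.

```sql
-- Added example: open FND_USER accounts belonging to terminated employees
-- (Oracle EBS). A person is treated as terminated only when every period of
-- service has an actual_termination_date in the past, so rehires are not
-- flagged. Contingent workers (PER_PERIODS_OF_PLACEMENT) are out of scope here.
SELECT u.user_name,
       u.user_id,
       p.full_name,
       (SELECT MAX(pos.actual_termination_date)
          FROM per_periods_of_service pos
         WHERE pos.person_id = p.person_id)     AS last_termination_date,
       u.last_logon_date,
       u.end_date                               AS account_end_date  -- NULL/future
  FROM fnd_user u
  JOIN per_all_people_f p
    ON p.person_id = u.employee_id
   -- PER_ALL_PEOPLE_F is date-tracked: pick the row effective today
   AND SYSDATE BETWEEN p.effective_start_date AND p.effective_end_date
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)            -- account open
   -- at least one period of service has already ended ...
   AND EXISTS (
         SELECT 1
           FROM per_periods_of_service pos
          WHERE pos.person_id = p.person_id
            AND pos.actual_termination_date < TRUNC(SYSDATE))
   -- ... and none is still running (no open or future-dated period)
   AND NOT EXISTS (
         SELECT 1
           FROM per_periods_of_service pos2
          WHERE pos2.person_id = p.person_id
            AND (pos2.actual_termination_date IS NULL
                 OR pos2.actual_termination_date >= TRUNC(SYSDATE)))
 ORDER BY last_termination_date, u.user_name;
```

Run this on a schedule and compare against the previous run: an account that was end-dated last month and is open again is exactly the re-activation the section warns about.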

Avoid using seeded responsibilities or roles

Both Oracle EBS and Cloud come with pre-defined responsibilities and job roles upon installation. Unfortunately, using these seeded or “out-of-the-box” definitions without first looking at the access functions or privileges they provide can lead to many Segregation of Duties (SoD) conflicts. Moreover, Oracle software updates can change the seeded responsibility and job role access permissions.

Use seeded responsibility or job role definitions only as a starting point for designing and building custom responsibilities or job roles. Other valid uses can include:

  • Emergency account access
  • Service accounts that need to process jobs in the background
  • Other truly valid business purposes

After designing and implementing custom security, be sure to end-date all seeded responsibilities or job roles not required for valid business purposes. 

Beware of cross-module access!

Some seeded responsibilities (Oracle EBS) and job roles (Oracle Cloud) have interdependent access across multiple applications.

The risk is that users you thought had only limited access to functions within certain business processes can actually make changes to other parts of the system, potentially circumventing internal controls you have in place.

The advantage of automated audit tools

Automating your user access provisioning and auditing who has access to your system has many advantages:

  • View and fix unintended access
  • Address Segregation of Duties issues within responsibilities or roles
  • Implement automated Segregation of Duties reviews
  • Conduct automated access reviews and certifications for audit and SOX compliance
  • Ensure access reviews and certifications are completed 

How Fastpath can help

Many companies are using a variety of ERP/HCM/CRM applications in addition to Oracle to run their business processes. For example, when a vendor is maintained in one system and paid from another, there is the possibility of Segregation of Duties risk across on-premises and cloud solutions.

Fastpath provides solutions for addressing these concerns in your Oracle EBS or Cloud applications as well as across a wide variety of interconnected applications, giving you visibility into user access across all of your business-critical software applications.

To learn more about user access risk in Oracle EBS and Oracle Cloud, watch our on-demand webinar, Security, Audit, And Compliance: Top Sources of Application Access and Security Risk.