Oracle Cloud applications come with preconfigured ("out-of-the-box") job roles, duty roles, and privileges. These are intended to make it easy for administrators to quickly assign access to new users so they have the functionality they need to perform their job functions.
Unfortunately, many preconfigured roles include access privileges well beyond what's needed to perform a particular job function, leading to Segregation of Duties (SoD) conflicts. Moreover, some preconfigured job roles have interdependent access across multiple applications. For example, several roles allow the creation of manual journal entries within the subledgers.
Administrators and business process owners must examine the underlying privileges provided by the preconfigured roles to fully understand what those roles allow once they are assigned to end users. They should be aware that preconfigured job role assignments might provide users with access to change transactional or master data.
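To make that review concrete, the following added example (not Oracle's or Fastpath's code) expands a job role through its duty roles into effective privileges and checks the result against SoD rules. Every role name, privilege name and rule in it is constructed for illustration and is not one of Oracle's seeded definitions.

```python
# Constructed role model: all names are hypothetical, not Oracle's seeded roles.
ROLE_CHILDREN = {
    "seeded_payables_job": ["invoice_entry_duty", "supplier_maintenance_duty",
                            "subledger_accounting_duty"],
    "custom_invoice_clerk_job": ["invoice_entry_duty"],
    "subledger_accounting_duty": ["journal_entry_duty"],
}
ROLE_PRIVILEGES = {
    "invoice_entry_duty": {"create_invoice"},
    "supplier_maintenance_duty": {"maintain_supplier"},
    "journal_entry_duty": {"create_manual_subledger_journal"},
    "subledger_accounting_duty": {"review_subledger_accounting"},
}
# Constructed SoD rules: one user should not hold both privileges of a pair.
SOD_RULES = [
    ("maintain_supplier", "create_invoice"),
    ("create_invoice", "create_manual_subledger_journal"),
]

def effective_privileges(role, _path=()):
    """Map each privilege reachable from `role` to the role chain granting it."""
    if role in _path:  # guard against a cyclic role hierarchy
        return {}
    path = _path + (role,)
    granted = {priv: path for priv in ROLE_PRIVILEGES.get(role, ())}
    for child in ROLE_CHILDREN.get(role, ()):
        for priv, chain in effective_privileges(child, path).items():
            granted.setdefault(priv, chain)
    return granted

def sod_conflicts(roles):
    """Return the SoD rules violated by a user who holds all of `roles`."""
    held = {}
    for role in roles:
        for priv, chain in effective_privileges(role).items():
            held.setdefault(priv, chain)
    return [(a, b, " > ".join(held[a]), " > ".join(held[b]))
            for a, b in SOD_RULES if a in held and b in held]

if __name__ == "__main__":
    for job in ("seeded_payables_job", "custom_invoice_clerk_job"):
        print(job, sorted(effective_privileges(job)))
        for a, b, via_a, via_b in sod_conflicts([job]):
            print(f"  SoD conflict: {a} ({via_a}) vs {b} ({via_b})")
```

The role chain in each finding shows which nested duty role to remove or replace when building the custom role.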
Instead of using these out-of-the-box job roles, a better option is to design and build your own customized roles, only using the preconfigured role definitions as a starting point for this process.
Most preconfigured job roles are built to handle a general "one-size-fits-all" set of job assignments, but every business is different. No one knows your business better than you: not the software manufacturer and not the system implementer. Building and assigning your own roles and their associated privileges will ensure you retain control over your Oracle software security.
When customizing roles, it is best to follow the Principle of Least Privilege: users should be granted only the minimum access to a system or operation that is required to complete their job functions or tasks.
Software updates can introduce new functionality into Oracle Cloud seeded duty roles but will not impact fully customized job roles. In fact, you have the option to use new functionality when it is available. Tools like Fastpath Assure will help you identify any issues caused by integrating new functionality into your solution. Reports will assess whether there are potential SoD risks during testing before moving this functionality into production. Moreover, creating and using customized job roles will not affect your licensing or support plan.
While it takes more time and effort, defining your own custom roles within Oracle Cloud will improve your internal controls, compliance, and security for your business and minimize SoD conflicts.
Fastpath specializes in security, audit, and compliance, providing solutions for reviewing access, segregation of duties, user provisioning, and emergency access.
Find out how to build a robust security architecture for Oracle Cloud. Download Oracle Security in the Cloud (https://www.gofastpath.com/oracle-cloud-security-protiviti-fastpath-ebook) and receive a step-by-step guide to building a solid security architecture during Oracle Cloud implementation and redesign projects.