Role Design in Oracle ERP Cloud
Join our thought leaders Jeff Hare and Donna Curtis of ERP Risk Advisors and SafePaaS CEO Adil Khan as they discuss "How to design roles for an effective Oracle ERP Cloud audit."
Many businesses have made the decision to move to Oracle ERP Cloud; however, what many don't realize is the huge effort and know-how needed not only to design but to deploy well-designed, effective roles. There is a misconception that seeded roles have been designed with security and compliance in mind. Unfortunately, this is not the case.
By not addressing this complex issue at the beginning of an ERP project, security risk is left unaddressed, which can lead to control deficiencies.
Which seeded roles can allow bad actors to commit fraud
How to effectively design custom roles with effective controls
Top SoD policies that mitigate risk in your Oracle ERP Cloud design
How to ensure activities of users granted privileged access have effective compensating controls
How to simulate risks and comply with access policies before assigning roles to users
Emma - Good afternoon, everybody, and welcome to today's educational webinar, How to Design Roles for a Successful Oracle ERP Cloud Audit. For those of you who don't know me, I'm Emma on the marketing team here at SafePaaS. Just a few housekeeping items before we do get started. The session will be recorded. We will have a Q&A session at the end, time permitting. So, please feel free to pop any questions you have in the control panel, and do stick around, because, at the end of the session, we do have a complimentary offering to share with you all.
So, I'm delighted to be joined today by Jeff Hare and Donna Curtis of ERP Risk Advisors and SafePaaS CEO Adil Khan. So, we'll start off with some very brief introductions and then a deep dive into the session. So, without further ado, Jeff, I'll hand it over to you.
Jeff - That sounds good. Go ahead, introductions about your previous guys. This is my slide, I'm ready to roll. So we are a risk content company. Many people think about us historically as a risk advisory firm, but we've really evolved over the last few years to being, I would say, the world's only risk content company, where we focus on building and maintaining content that's valuable for identifying issues, mitigating, and remediating issues within the various ERP systems, in particular, ERP Cloud. And we're gonna talk about that a little bit today.
So, we have roles, rules, and reports. And learnings - we have got a lot to offer in terms of the content. If people want to know more, we can get in contact with you after the webinar.
Emma - Adil, do you want to give everybody a brief intro to the SafePaaS platform?
Adil - Yeah. So, SafePaaS is on a mission to help enterprise customers mitigate risk in their technology, and control that risk. So, the way we do that is through this platform that we've been building over the last couple of decades now, and over the last five years, we have been laser-focused on the problem of access governance. And what's driving our growth is the ability to help our customers detect, discover, remediate, and prevent all those types of activities that are difficult to do offline, especially in an online world, in a cloud world. So, if you just take a look at the high level, we have Insight products, where partners like Jeff can use these products to load their content and provide risk identification and assessments to their customers, not just their own access, but also configuration and master data, other areas. Obviously, segregation of duties is the biggest risk to financial statements that we see from our customers. So we deal with that, and what we've seen more recently is other ITGC controls around User Access Management, identity lifecycle management, where you need to certify the user, and onboard them and offboard them. And then, the third sort of layer from top-down that you see is process controls. So once users have access to your systems, you'll want to make sure that the activities they are performing to fulfill the process requirements also have embedded controls. And those can range from just your typical procure-to-pay cycle and making sure that the three-way match is in place and payment terms are in place too.
More ITGC controls as well, like your ID changes match what's in your ticketing system, and making sure that people aren't making changes to your key configuration, let's say, approval hierarchies and so forth, outside of that.
The platform is built from the ground up on a cloud infrastructure. So, it has all the capabilities of the modern platform you'd expect, like SOC compliance, scalability, and adaptability; it's highly configurable and works with SAML. So, it supports all the major IDM solutions, it's got complete fault tolerance, 99.97 percent uptime. So yeah, I mean, that's a little bit about our platform.
Emma - OK, so, Jeff, let's dive into this session.
Jeff - Sounds good. So the first thing I want to talk about is how to make an ERP Cloud implementation project successful. And the things that we kind of see as challenges for organizations are highlighted in this slide. I'll go through them one by one.
So the first thing is really just scoping the project. So system integrators typically don't have a firm understanding of audit and compliance requirements. That varies quite a bit, so you can have some that have like a separate risk advisory team, and then some that don't. So, management has to think about how they identify the requirements and then make sure they're built into the overall project plan.
What we typically see is SIs don't scope in the extent that roles need to be customized. And we're going to talk a lot about customization of roles in an ERP Cloud environment. In particular, there's messaging consistently from the SIs and Oracle that seeded roles should be leveraged where they can. And the messaging has obviously changed a little bit. We used to hear messages that said you should always leverage seeded roles.
And I think the messaging is a bit more open, saying seeded roles should be leveraged where they can, and there may be some role customization that's needed. And most SIs don't have a full understanding of that. So to the extent that they're engaged with the customer, they probably don't have a full scope appropriate for what ultimately needs to happen in the long run. And that is, when we look at the breadth of the seeded roles, you know, from supply chain to core financials to HCM, 100% of the seeded roles have reasons to customize them. So if you're coming from another system and you're going on ERP Cloud, the question I ask to think about this is, think about an E-Business Suite customer: how many seeded roles are you still using? Probably not a lot, maybe just a small number, a few. Predominantly, your end user roles are highly customized. And so, I think the answer to your question, if you have to ask, is that really the case in ERP Cloud, can we leverage seeded roles? The answer really is no. The seeded roles have the functional ability to do what they're intended to do, but they have a bunch of other things in them that would not be appropriate. So, for example, there's a large number of roles that have the ability to import data through what we refer to as FBDI privileges, and those would be used for conversion of data as part of the implementation. But since they have conversion abilities, that would not be subject to workflow approval processes, and so after the system go-live, it would no longer be appropriate for end users to have access to those, although there are a lot of those import abilities within end-user roles.
So that's one example. We'll go through some other examples as we continue in the presentation.
So the next element here, have GRC access software purchased and implemented as part of the project, and the SafePaaS platform would be a great example of high-quality access control software that could be used. And so that's going to be used to identify the issues in seeded roles, and is going to be used to test the custom roles. And you really want to do that as part of at least one cycle prior to UAT. So if you have a CRP 1 and 2, maybe you want to have custom roles built, be integrated with the UAT process to make sure that they actually work. That should be part of your testing. Your test scripts should identify the custom roles that are being used for the test scripts. And, hopefully, you have somebody that's competent and qualified that can help you through that process of building custom roles.
We do a lot of customization of roles, and we have a large library of pre-built custom roles, which is predominantly one of our major products right now that we work with system integrators and end-user companies to implement: being able to deploy our library of custom roles into your environment that are SoD free, all the major sensitive access risks are removed from them, and they should support UAT relatively easily.
They've been tested by many customers, and our customers use them consistently, so we feel good about them being able to do the transactions they should, and not being able to do the transactions they shouldn't. So all those sensitive access risks are removed.
Things like web services and APIs, and configurations like key flexfield configurations, descriptive flexfields, profile option values. Those are some examples of things that are in a lot of the seeded roles.
And then, that's really a key part of the project: making sure that you go live with compliant and secure roles assigned to your users.
The next one, next line, I would say here, is just making sure that ITGCs are in place prior to go-live. Provisioning and de-provisioning, user recertification processes. Trying to have some preventive processes to make sure that, as roles are assigned, or roles are built and modified, they are tested before they go into production, kind of change management 101. But you need a tool like SafePaaS to be able to effectively evaluate those. Not only pre go-live, but after go-live, during the provisioning process and on a periodic basis to integrate with what your recertification will be doing, which is typically done on a quarterly basis. So, there's a lot of ITGC elements in there. One thing we feel passionate about is making sure that the audit policies are enabled, that people are trained in how to report on and use the audit logs to test your user provisioning process, and de-provisioning and change control.
So, we have a learning offering in that area that companies are leveraging to understand the complexities of the data that's being generated as part of the audit policies that are enabled.
I mentioned custom roles. We have some pre-built custom roles; to give another example, pre-built custom roles for enabling somebody to be able to develop reports against the audit logs or the audit policies.
So those are some examples of some of the things that we see that SIs may not really be aware of, or may not be scoping into the project. Management has to be proactive, make sure they have, you know, either a really competent risk advisory firm, or an SI that's really supported by somebody that can help do that.
So we have SIs that we work with to deploy our content that know that process, understand those risks, and how we can help mitigate those.
So, next slide, that'd be great.
Emma - OK, so Adil, Jeff mentioned the challenges of working with SIs. So, how does SafePaaS help organizations overcome the challenges that Jeff just described?
Adil - Yeah, absolutely. So, I think Jeff did an excellent job of sort of highlighting some of the key challenges we hear from our customers that are moving at a fairly rapid pace to cloud, because it has a lot of advantages to digitize the business, support a hybrid workforce that we're all moving towards, and drive efficiencies. So, great decisions, customers are making a move to the cloud, we fully support it. The challenge is that some of the challenges that we hear from our customers are in line with, obviously, Jeff's experience as well. And that's, how do we get through this with our controls intact? Because all our customers, I would say, have some form of controls in place.
Some are just more proactive and optimized than others who are reactive and informal.
So what SafePaaS does is help the systems integrators, ERP advisory firms, internal audit organizations; there are some audit organizations, all the major audit firms, that have used SafePaaS as well, as an example. So what SafePaaS enables is to give you the visualization that Jeff's talking about by monitoring the entire process, the life cycle, we call it SDLC controls. So you're moving from, let's say, a dev, to a test, to UAT, to prod, maybe there's training, and you're going to Oracle and saying, hey, give me these five different instances. And I want to start, day one, doing some conference room pilots, and I want to see how do I post a journal entry, how do I pay an invoice. So, you're having these workshops throughout the project, and what SafePaaS is doing during that time, if you so choose to use it as an enabler for your project and a risk mitigator for your project, is basically to incorporate SafePaaS as the workflow tool. Right, it's all workflow oriented. So, for example, since today's topic is about roles, I'll focus on that, but it's not limited to roles. It can be integration, it could be process configuration, it could be RACI objects, like Customer Force. But focusing on today's topic is, you know, basically whatever you decide to do with roles, you start thinking about what roles you have today.
So some of the customers I can see that are attending this, SafePaaS customers, are coming from an EBS world, and so we have a chat with them and say, well, who pays journals today? Who posts journal entries today? And what does that responsibility, to use the Oracle EBS term, look like today? If you're coming from Workday or SAP or whatever your system is, how do you perform those transactions? They typically have a set of rules today in place, and they have good controls in place. And the scary thing for them is that I'm going to lose all that effort that I've put in with my auditors and all that. So what we can do is provide you that traceability and analytics in SafePaaS to accelerate the process. That's that first bullet point.
Now, the way we do that, you'll hear a little bit later when I talk about a solution, so I'll kind of get into a little bit more of the meat of it, but that's the first pain point that we hear from the customers.
Look, I've been told cloud is fast, is cheaper. It'll lower my costs, but I'm bogged down with role design work. So Jeff and his team can come in. They can roll up their sleeves to work with you directly, or a combination. They can also leverage SafePaaS for you.
So they're the experts, they can just do it faster in SafePaaS. And that's the second bullet point about workflow enablement. So it's not good enough just to have the analytics. Today's hybrid projects are global; most of our customers have resources that are supporting the project out of the US, India, Latin America, Europe. So, it truly is a follow-the-sun model project today to accelerate that and, as Jeff said, the SIs don't have the skill sets, the advisory, the level of knowledge that Jeff brings to the table for you, where he and his team can go in and really provide you the content. So the best thing would be to start with the content. But many of you are already in the middle of your projects, or already live. So you may not be able to replace all content, but maybe you can do some at a time. But what you can do is leverage our enterprise roles manager capability, which will essentially simulate the role design process, working with an expert and the content that Jeff brings to the table with the ERP advisory service. We can workflow that. The workflow can go from the people that ultimately own the role; it can include your security, a CISO organization is very active in today's projects. Auditors are involved. So it will help you collaborate with all these resources. There's a question I noticed earlier today on this web session - it's a great question. Instead of waiting for the UAT, what can we do before that?
And so the first recommendation: we start with content that's good, like the ones Jeff has really battle-tested in the real world. And chances are, most audit firms have seen that.
And applied the SoD policies, restrictive access policies. So it's good content.
But on top of that, you obviously have some modifications, enhancements you will make to adjust to your business needs. You may not be organized, if you're a bank, the same way as a manufacturing company would be, right, that makes cars, automobiles. So, you have to adjust those things somewhat, especially as you go downstream at the sub-ledger level.
So, being able to do that through a workflow really expedites your projects, reduces the risk in the project.
And, finally, the last bullet point is about accelerating the timeline. So, cloud is about speed. It's about results. It's about an agile organization. So, one of the unique capabilities that SafePaaS has, and it kind of builds again on top of what Jeff is saying, is once you deploy these roles, you also want to be able to enable audit, as an example. Or some other way of analyzing the data, and comparing the results across those instances.
Dev, test, and so forth. So you have to provide data analytics. SafePaaS has the capability to auto-generate those BI reports based on objects. So, let's say you want to track changes that you've made to a specific role configuration, let's say an IT role that you've introduced to help your SI maintain the product in hypercare post go-live. So, you'll be able to generate that kind of reporting straight out of SafePaaS, once the audit is enabled, or even if the audit is not available, because audit is not available for everything. And I'll get into that a little bit more with some screenshots later in the presentation.
So, that's how we're helping SIs overcome the deficiency, along with bringing in our partners like Jeff to help them get their skills and the gaps in their advisory situation met by marrying those resources and technology together.
Emma - Great insight, Adil. So, let's talk more about the roles then, Jeff. Let's start with the employee role.
Jeff - Sounds good. We've got a couple of screenshots here. If you're an ERP Cloud customer, or in the process, you'll recognize the screenshots. This is from Oracle Customer Connect, which is a site developed for ERP Cloud that didn't exist for other products. And one of the things that it allows you to do is submit an enhancement request, so they call those ideas, and we've been tracking, I guess, some deficiencies in design for a long time. And they decided ultimately to provide some enhancement requests in and around an area that we felt was significant that Oracle hadn't addressed. There's no other way in some cases to get Oracle's attention.
The first one here that we're talking about, the supplier management role as Fire Management groups. And then the next one we'll talk about the employee role, HCM roles. So, there's a link down there. If you guys get the slides, you can click on the link and you can see the data actually in Oracle Customer Connect.
So, the long and short of both of these topics is, there's an FBDI process. FBDI is the structure that is used to be able to convert data from the legacy system that you're coming from to ERP Cloud. And so it's really conversion processes. There are a series of templates. Those templates are available on Oracle's website. Typically the SIs pull those down and walk the client through the nature of the templates; the SIs are probably loading those, and pre-loading those as part of the conversions. And then somebody can execute those at some point during the build processes in different environments, and ultimately in production.
So, like I was talking about earlier, FBDI processes should really only be used as part of the initial go-live. There are maybe some limited cases where you're loading data manually on a situational basis after that, but that should be a very tightly controlled process going forward. Primarily because those conversion processes don't go through workflow. So, management is implementing a lot of workflows, and that's the primary mechanism of controlling the traditional segregation of duties, the entry of an action versus the approval of that action. So enter journals, approve journals, for example, or enter journals, post journals in an EBS world. That's going to be automated through a workflow approval process. That's management's primary control mechanism to prevent fraud and financial misstatement, segregating that's just really automated, 100%, through the workflow design process. So to the extent that anybody has an FBDI template, that gives them the ability to bypass the workflow approval process. And in many cases, it also doesn't get tracked as part of the logs, so that has to be tested on a case-by-case basis. But you think, logically, the bulk loading of data via conversion processes would not be logged via audit policies.
So, the two screenshots we have here, when we first logged these, backing up a little bit, we looked at the population of the roles that have a combination that allows an employee with access to that role assigned to them to take an FBDI template that's already prepopulated, upload it into what we call the inbound directory, and then run a process that processes that data. So, it's clear, if you're looking at these, what we looked at: specifically, there's an FSCM duty role that contains a series of privileges that allows somebody to take a file from their desktop and upload it into an inbound directory.
And then the other thing, the other half of this process, is an import process called Import Supplier Bank Account. So we focused on that one as a critical risk in and of itself. So if somebody has the ability to create the file, upload it, and run the process, for existing suppliers, that import process creates a new bank account, and then it defaults that as the bank account to be used for future payments. So, that would have to be something you'd have to have as part of a load process or a conversion process.
So every SaaS provider, whether it's Workday or NetSuite or any other SaaS provider, is going to have similar capabilities. They have to provide capabilities for SIs and management to convert data. So this is not uncommon, in terms of the ability.
It's not unique to ERP Cloud. What is unique is that they provided this ability in a lot of seeded roles that end up being available to end users.
So on this screenshot, stepping back on the idea, what we ended up doing is logging a series of enhancement requests or ideas with different product teams to say there are several roles within your area that have this risk, and you should consider remediating it; if it's got to be anywhere, it should be in an implementation role only. And those implementation roles are things that should not be assigned to somebody post go-live.
But these are end user roles, so, like, the majority of the roles here on this slide, supplier specialists, supplier administrators, supplier self-service, these are roles that are assigned to suppliers that are using the supplier portal, or in EBS terms iSupplier, but called Supplier Portal in ERP Cloud.
So, if you used one or more of these seeded roles and you assigned these to suppliers, any supplier that has access to this role would be able to import a file that would not only change their bank account, but any other bank account for any other supplier. Now, a supplier may have a hard time understanding the nuances of this, so maybe in the big scheme of life, it's a lower risk, because you have to have IDs associated with suppliers. That's usually how these FBDI templates are built. So it may not be something a supplier would have the knowledge, and maybe even the data, to be able to commit fraud. But nonetheless, we wouldn't want these available to suppliers.
So these are external resources, they're not our own resources. We don't have an arrangement with them; there could be offshore resources at that. And what I always like to say to management, you have to think about where your risks are coming from and what the motivation is behind somebody really going forward. If you're a 100% US-based company and all your resources are US-based, if they commit fraud, you're probably going to identify them and you're going to have them prosecuted. But if they are in another country, other than a country that is favorable to prosecution of cases like this, you may or may not have the same deterrents in that respect.
So think about that, because you may have not only suppliers in this case, but you may have offshore resources in a variety of different countries throughout the world supporting an application that may have access to one or more of these privileges.
So that's a supplier management example.
As of right now, the supplier management team has not said that they're going to necessarily fix these issues. So, even if today they came back and they said, we think we see your point, we're going to make a change to these, we're going to put this in the queue, it's going to be at least three releases out, probably a minimum of a year, nine months to a year. And it could even take longer than that.
There's another issue for internal employees. Exactly the same as this in terms of the risks, but it's a different series of roles that the HCM team owns. And one of those is the Employee role. So, the Employee role is an abstract role that's typically assigned to all employees, sometimes by default, as soon as they're set up with access to the system.
That gives them basic things like, you know, managing their own bank account for payroll if they have that, and some core abilities related to workflow processes and some other things.
So, it's kinda like the role that everybody gets.
So, the Employee role has the same risk, and the HCM team are the ones who we initially logged it with, because of the Employee role being all users internally; then the HCM team works with the financial team to really understand the risk of this with the rest of the organization, and the HCM team came back and they said, yes, this is a risk and we're going to remediate this. So, it was around the same time, in fact the same day, July 12, 2021, that we logged the series of ideas, enhancement requests. Interestingly enough, we would call this a bug. I mean, it really is a fairly significant issue in terms of fraud, but Oracle didn't look at it that way. They looked at this as something that needed to be an enhancement request. Requests go through the form of a voting process, and so on.
And there's a whole other story behind that, I think, that we've talked about offline, but the net result is the HCM team decided almost immediately, within a couple of weeks. So, by the end of July, 2 to 3 weeks, I think they said, yes, we identify this as a risk, we've talked to the teams internally, and we're going to remediate this.
So, how long do you think it took them to fix this? Was it like one patch, two patches, one quarter, two quarters? Well, the answer to that is, it's not fixed yet. They're going to roll this fix out in 22D, which is coming up in the November, December timeframe for most organizations. So, from identification to fix in this scenario, it's going to be almost 18 months, almost a year and a half. Now, they have said they're thinking about rolling this back into 22C; I'm not sure where that is. So, once they've done the development and actually gone through the testing, they've got it queued in for 22D. But it may end up being 22C. The HCM team are fixing all the roles within their area, so they've communicated to us that they're gonna fix 11 of these roles. So, that's 11 out of 138 roles that we know that this combination exists in right now, and the other product teams that oversee the other 127 roles, in this case, have not committed to this fix.
So this is probably the most acute example. It is fraud risk, it's a significant issue. It's systemic, I mean, you can make not just a change to one, but you could really change as many supplier bank accounts. Then the question for management often is, are there mitigating controls related to this? That HCM process doesn't go through workflow; updates to that don't go through workflow if you have workflow enabled.
And if you have the audit policies related to this enabled, like supplier master audit policies, that doesn't hit the audit logs; it's a conversion process. So, you've got to think about what controls would be in place already. And it's often that you don't really have strong controls in this area. Or they'll be difficult to implement or identify, so that's a whole other topic. But the real long-term, or short-term, hopefully you'll look at this as a short-term issue, is you've got to remediate these roles.
So I've talked about this one specific. It's one privilege, in one duty role. What we do in our analysis, using software tools like SafePaaS, is a very comprehensive assessment of risk. And, given what we know about seeded roles, and the nuances of these risks, we could probably present to you a reason that every role that you're using, if you're using seeded roles in the production environment, has a reason to customize.
It doesn't mean you would, or doesn't mean you have to, right away; there's a path, if you will, based on risk. But the roles are purposely built to be able to do the activities that they are intended to do. But all of them have something in them that really they shouldn't have. And your end users that are assigned those roles shouldn't have the ability to do it, with this being a very acute example.
So I think we're on to audit policies next. The audit policies are really important in terms of forming the foundation of your environment. And I'll let Donna, who is our ERP Cloud practice, talk through enabling audit policies and the value of them.
Donna - Hey, welcome, everybody. Thanks for joining. Audit policies. You want me to hit both core and product levels?
Jeff - At a high level, yep.
Donna - At a high level, OK, so what you're looking at on this front page is what we call the core audit policies. These are the core of the applications. They don't hit any specific module. They are core. They hit all the areas. So, the top one, Fusion Applications Business Objects, this is what is turning on audit policies for all of your basic modules, for all of the lower level, for General Ledger, for payments, for payables, receivables; that is turning them on for everything else. So, your audit level of Auditing means you actually have audit policies turned on for those areas. You hit the Configure Business Object Attributes button, and it will take you into the areas where you would pick those specific areas to turn on specific pieces, such as in General Ledger. You can turn on journal sources and you can say, yes, I want to audit the journal sources form, and I want to see if anyone has turned on or off the ability to freeze a journal source, or to make changes to the accounting combination setups or other criteria, or any of those types of things in General Ledger. In the supplier model, you can turn on the ability to audit bank account information, or supplier sites, or suppliers themselves, or different pieces within that.
You turn those on in that top section for each of those different areas. Then you have the rest of these, These are core, So Pages in Business Objects, modifications, that gives you access to the composers, sandboxes, and page composers, and things like that, you turn that on audit level. You drop that down and you have the ability to select high, medium, or low. We recommend High, course for all of these levels, so you can capture everything that's being done.
Oracle Enterprise Scheduling Services, that's your ESS. Those are your requests, you're running your reports, this gives you the opportunity to see who has scheduled things, canceled schedules, um, review different things that are happening within that area About that. Metadata services gives you your sandboxes, who's created, in your sandbox, who's published, a sandbox, has changed to sandbox, those kind of things within that one. ODI data integrator. I'm not as familiar with what's in there, but that gives you access to those pieces. It's the only one I'm not as familiar with.
Oracle Platform Security Services, your OPSS. This is a key one that we have everybody turn on from the very beginning. This gives you access to all of your provisioning, your security, your role design, what roles have been modified, what users have been provisioned, who's been provisioned with what, what was added, what new users have been created. Those kind of things are done within here. So this is a key for the most of your ..., to keep track of your provisioning.
So a suite, the bottom one, is your workflow. What workflow pieces have been updated and changed. That's also very key.
The one caveat in here is on Oracle Platform Security Services: you'll notice the audit level here is Low. It's the only one that has this little strange idiosyncrasy. Say you set it to High, which is what we would have you do. Then somebody comes in and says, you know, I'm going to make some changes, but I don't want anyone to know that I made the changes, so I'm going to turn it off, and then I'm going to make whatever changes I want to make, and then I'm going to come back in here and turn it back on, and no one will ever know, right? Once you've changed it from High to Off, when you come back to turn it back on, the highest level you have access to is Low. Your Medium and High go away, and you have no access to those; again, you only have access to Low. So if you were to come back in and someone were to say, well, it's Low,
I want to turn it back to High, the highest, what it's supposed to be at, you realize you can't.
You then know somebody turned it off at some point, because High should be a value you have access to, unless it was turned off. So that's kind of the caveat, and it's the only one that has that. The rest of them have the ability to go up or down to any level without any issues.
Jeff, do you want to talk about the learning course that we have associated with this?
Jeff - With the audit policies, I'd make a couple of comments here. Donna, I think the use case you described was somebody turning it on and turning it off, and then only being able to go back to Low. I'll just say the logging of this configuration, if we go back a couple of years, didn't exist. So that's another enhancement request we made, and Oracle, I think, released it last December, 20 to 21. Do I remember correctly? So prior to 21D, if you turned an audit policy on and off, there was no way, no place in the system, where you had that ability. The thing I was going to touch on a little bit is that there are definitely gaps in what needs to be audited versus what's available to be audited. Certainly Oracle's making a lot of enhancements. We, and a bunch of other people, have been making enhancement requests around the building of audit policies, but we're excited that SafePaaS has the technology that will enhance that audit logging where it doesn't exist.
The other thing I would say is, each one of these components here is really middleware technology. So Fusion Applications, as they used to be called, which we call ERP Cloud now, was really Fusion Middleware that evolved into applications. And so the nuances of the teams that contribute and need to be able to make changes to what you're logging are kind of a mystery; it feels like a black hole in some respects. You can log enhancement requests, you can log tickets, and some of them might go to middleware people who are really not core to ERP Cloud; they're building middleware, they're maintaining it, and this is something that's being leveraged across integrations, custom integrations, for example. But one of the challenges this faces is that there are cases where updates are happening through the application where the data is very difficult to understand. In some cases, we even see data as if it's being made by a middleware user, like it was made by Oracle HCM something blah, blah, blah, the long string that made the change. And that's because of the way the logs are being built. They're not picking up the application user. It's still using, if you think about it, a database user or an integration user that does that.
I'm not sure, probably something like this integration user that stitches together the entire suite. So I would take issue with what people say, that ERP Cloud is a fully integrated, mature suite. It's really a group of products that are built independently and then integrated, if you will, by middleware. And these are all middleware components: Pages and Business Objects Modifications, ESS, Metadata Services, ODI, Platform Security. These are all what we would think of as components that are being maintained by a middleware team. Having said that, the data that comes out of this is fairly difficult to understand.
And we have done many engagements with our customers, anywhere from 40 to 60 hours, talking through enabling these audit policies, what should be enabled, what's available, and then helping them understand how to look at the data in the log files and report on it.
So what we did, in lieu of having to provide that same service at a much higher cost, is we built out a learning class. It's part of one of the content platforms we have. We have Rules, Roles, Reports, and Learning as part of our ERP Armor platform, and our learning platform has a bunch of different classes. One of them is a class that Donna has built and will continue to enhance, in and around understanding what to enable and then how to look at the data for these audit policies, and then also the business objects, the business elements of the various modules that she was talking about under Configure Business Objects. And I think there's a screenshot after this that goes into the next level of detail, the drill-down.
So I'll turn it back over to you, Donna, to go through this next slide.
Donna - So this is where you have the ability to select your specific area. So go on to the next one. So these are some of the products that are available that you can select audit policies for. They range: there's HR, there's Financials, there's Supply Chain, all the different areas. They're adding to them all the time. So every time there's an upgrade, we come in and look at what's in there and what new things we have the ability to update. Let's go on to the next one.
So, for example, for Supplier Model, we have access to the supplier itself, the payment method, sites, addresses, bank accounts. And you select, just check the box next to, which areas you want to actually turn the auditing on for.
On to the next slide. I'm just trying to go a little quickly so we can get through.
Emma - I think we're onto the solutions now.
Donna - Great, OK. So, yeah, just go back one more slide for a second. In each of these areas, if you think of the form, say the Supplier Sites form, it has all different kinds of fields and areas within that form. And it would open up another box, which would give you access to what they call the attributes. The attributes are basically the fields within that form, and you tell the system which of these fields are the fields you want to audit. So you tell the system which of them are the key pieces you want to audit on. You don't have to audit everything in the form; you can pick out only the specific pieces.
Like if I just want to know the account number or the bank name or the bank branch, I don't need all of the 35 fields that are in this form, I just want four of them; you can select those specifically so it doesn't over-audit for things that are unimportant.
Adil - OK, thank you, Donna and Jeff, for clarifying that. I think it's critical to get audit as a mitigation on changes to privileges and roles. So I'm going to talk a little bit about how we are working with Jeff and Donna's team at ERP Risk Advisors, and other partners, where you can streamline this process that is tedious. That's where SafePaaS has the ability, and I'll walk you through the swim lanes as the solution to the roles management problem. And later on we'll make an announcement where you can benefit from today's session if you have these challenges.
So the first swim lane is about defining the security model. Obviously, we've been doing Cloud for many years, probably five-plus years now. So we have that security model all defined. We have the rule set that Jeff can bring in as part of his content, or if you already have a rule set, he can help you review that, I'm sure. So that's basically the policies that govern your access management. So those are the two components, and then what we call a snapshot: we take a snapshot of your ERP system, strategically, precisely on what you're trying to do. In this case, the snapshot would be of the roles, and I'm going to be talking about roles. Those of you that are more advanced in your understanding of roles: it is a NIST standard; Oracle adopted the ... RBAC standard. But, as we know, we've learned over a couple of decades of RBAC.
The challenge with that is that customers assume the controls are static, but because these roles are changing, due to Oracle releases every quarter, you can't completely trust RBAC.
So we have to take frequent snapshots. If you're doing a project, or if you're live already on Cloud, you have to do these frequent snapshots, or what SafePaaS does: it takes a snapshot of Oracle as often as you want, once a day, once a quarter, or anything in between. That's typically what we see; our customers should always be current in SafePaaS. The other thing it does is bring all this control information, the evidence of the control information, in this case the role information, into a system that's completely independent. What our customers and their auditors worry about is completeness, accuracy, and timeliness. So bringing this information away addresses that challenge Donna was pointing out, where somebody could turn off the security and then turn it back on, and then you can't adjust it. That results in real-world findings for you and a tremendous amount of work, not only to remediate these findings but also to prevent them from happening in the future. Or worse, depending on the substantive testing that your auditor has to do.
The first swim lane is really how we load your content, all your content that Jeff talked about, which his firm can help you with, as well as the snapshot of your current setups.
Whether you're in the lifecycle of going live or you're already live. So you can take snapshots, for example, for your instance strategy. Let's say you're in QA and you want to go to UAT and into prod. You can take multiple snapshots, create multiple environments, compare things. So it makes it really flexible, as I was saying; it accelerates your project or your management of the service.
The second swim lane is where the fun happens, in my mind, and that's where we accelerate, the thing I talked about at the beginning. So what we can do is, we have the simulation capabilities. I noticed a couple of customers on the call that are using this capability today. So it basically simulates, you know, what Jeff was talking about: it takes a long time to select audit policies, and the same thing is true for controls around your roles. So it will simulate the role, even if it's inherited, because the problem is that even the custom roles we're talking about are somewhat dependent on that inheritance.
That's a concept of RBAC that Oracle's adopted for Cloud ERP. So inheritance is still the risk in many cases. Even though you're building custom roles, you're relying on those inherited privileges, so you still have risk.
So we provide you the full visibility down to the lowest level, and sometimes the customers are surprised when they run the role simulator, because they thought they were focusing more on the direct privileges, but those indirect privileges are where the problem is that their auditors may have discovered, or someone else may have discovered.
And then what you can do, to correct that problem, is generate the corrected role in a format that can then be deployed into your Cloud ERP to prevent that. So that's the acceleration piece.
So that's the second swim lane. The third one is more about assigning the roles to the users and loading the roles, so you also have this challenge around go-live, crunch time, and people don't have the bandwidth. So we can use SafePaaS to deploy those role assignments by creating the assignment in SafePaaS. That takes the pressure off the project team as well, as it provides the audit, completeness, accuracy, and transparency they're looking for on confirming that the right people got the right role. It can become a pretty tedious last two weeks of a go-live, or longer, depending on what you're deploying, but in general I see between two to four weeks. Customers really don't always get it right. And your partner, your SI, system integrator partner, may still be in the system doing hypercare. And so you have another challenge there: when to take away those roles.
So that assignment capability really automates that whole process and takes the pressure off your team and your maintenance folks as they're transitioning to a managed service or some other way of managing your service moving forward.
We can then turn on the monitoring capability, and that could be monitoring the roles themselves. Most often our customers will monitor sensitive roles more frequently, in some cases maybe even on a daily basis. In other cases they're doing it at least quarterly, before and after the patches are going in. So now, instead of doing that compare and contrast on 22D, that's coming in November, as Jeff was talking about, versus 22C that you might be on, you can enable that comparison capability within SafePaaS and simulate the new roles in a non-prod environment.
So the whole process becomes more sustainable, and by sustainable I mean lower cost to you and lower risk to you. So that's the swim lane view of SafePaaS, which I'll show next in a few minutes.
And I won't go into details of the screenshots from SafePaaS. You can see that we have the ability to define the role and then simulate the role. So what you're seeing on the screen in the background there is a role called SafePaaS GL Role.
That is part of the General Ledger application, and these are the privileges at different levels. And then the second screen, in the foreground, is showing you the elements of the role. Notice there's also, it's very hard to read on the screen, so we'll send you the slides so you can blow it up, but basically you can enable the workflow. So there's a reviewer and approval process, which is typical for any control. So when you simulate the role, you can also workflow that, as I said at the beginning of the presentation.
You can send it to reviewers and approvers, which could be the folks that are ultimately responsible for controls over that module or that process. And so that really provides the audit evidence that can be timely, accurate, and complete, which your auditors will ask for before you exit UAT.
I also wanted to touch on audit capabilities within SafePaaS. So, as Jeff was saying, we have realized the gaps in the Oracle audit process. So there are two or three complaints we hear from our customers that have audit. First of all, it's a great feature; please use it if you're not using it. Get together with Jeff. And, you know, that's the starting point.
But the complaints that are coming from customers that have been using it for a while: one is that it doesn't coalesce the data in a way that is easy to consume for the control owner. So there are lots of different reports they have to go into.
The second one, or maybe even the first one, I would say even more important, would be that risk that somebody may turn it off and turn it on, because if they happen to have Security Console access, they can turn it off, do certain things, and then turn it back on. So having SafePaaS as a completely independent audit platform protects you against those kinds of silly, or high, sort of fraud risks and things like that. So that's a benefit. So what the configuration monitoring, or really cloud application monitoring or process monitoring, does is enable you to basically take a snapshot of the audit tables.
In many cases, our customers also take a snapshot of the base tables, because they want to be able to see the data in General Ledger, for example, general ledger categories. They want to see it how a user sees it, exactly as on the screen, because that's how we communicate with the application: we see what's on the screen. In the old days we used to take screenshots, you know, store those screenshots and compare them against the quarterly changes. But now it's fully automated in SafePaaS. So you can define it; it has much more flexibility. You can make it more user-friendly. It also has workflows.
So one of the complaints, the third complaint that we get from our customers that have been using audit, is that it doesn't have any closed-loop workflow. So, "yeah, we made a change, and yeah, it wasn't a good change, we should not have made it, and audit reported that, but how do we treat that? What is our closure on it?" And that's offline and emails. And so you end up doing just as much work. With SafePaaS we recognized, coming from an audit background, that we need to close the workflow whenever there's an incident. So we create the incident, and then we close-loop it. So it goes through a reviewer or approval process. The person that made the change receives a notification that, hey, you made the change; is that what you intended to do? Maybe the change to a bank account, as Jeff was saying, not knowing, or worse, maybe it's fraud.
So they change the bank account, and now you've got an alert that says, hey, you changed the bank account, which you may or may not have been aware of. Now it's going to go to the next level, so there's going to be a reviewer or an approver. So it ultimately goes to the owner of that process, if you want to set it up that way; that's what that People tab does. It's hard to read here, but the People tab will take it to the owner, and they will be able to then take an action on it and say, you shouldn't have changed it.
The other thing where our customers have given us some really good, practical advice is that they use some sort of a ticketing system, whether ServiceNow or something else, so you can also put in your ticket number. So now we can give your auditors reconciliation reports straight from SafePaaS saying this ticket was created to go and change those categories, and in fact that's the only change that was made during that period when this user had elevated access. So now you've solved your elevated access issue. You've solved your roles management problem, with privileges being updated periodically by Oracle, not to mention just inherited roles having all these risks.
And you have prevented process risks from escalating, like the changing of a bank account, where you have these holes in a very complex application that's been put together. So that's the benefit of automating your controls, and configuration controls specifically, in SafePaaS, and then making it a workflow that mimics your enterprise, your hybrid work environment, so things don't fall through the cracks. That's my message to you. I think that's pretty much all the time we have.
Emma - Yeah, we didn't have the case study.
Adil - So, yeah, this is an example of a customer that is a multinational technology company based in the UK. They've been a great customer for a couple of years and have really built up an iterative approach to rolling out SafePaaS. So we started off dealing with the immediate challenges around third-party risks, around using managed services.
You know, dependence on external auditors and third-party auditors, on doing access monitoring and so forth. So we have been working with them in not a big bang approach but more of a staggered approach, as their business allows bandwidth to do the same. It's very flexible, modular, kind of like Lego blocks; you can build it the way you want. So they've been kind of picking and choosing strategically what they need. And they use our two major platforms that I covered: AccessPaaS, which is for rules management and roles simulation. It also does user provisioning and automates that process that I mentioned earlier. Obviously, it does segregation of duties and all that good stuff. So it's a complete suite of access governance based on policies.
So using that, and also using MonitorPaaS for the supplier example that Jeff brought up: one way they're protecting themselves is by tracking that in SafePaaS. That's one of the first controls we built, knowing that that was an issue. Then we have DataProbe, which is our ETL, that makes it scalable so we can connect directly to the cloud using standard API services. We support all the major APIs, REST, SOAP, and even JDBC for our on-premise customers, and flat files or whatever you might have. So it's a pretty versatile tool that enables us to really take a snapshot of any ERP or application or infrastructure out there.
And the last piece is just the success they've had recently, as reported to us through our project office. There's just an improvement in their productivity, a reduction in costs you would expect from automation. But on top of that, there are some things that are unique. They've discovered some sensitive risks that are specific to their business model; they work around the globe, and they have, obviously, GDPR challenges, you know, things to comply with, as well as the challenges of working in certain countries where data sensitivity and data residency are very important to them. So that's giving them the actionable insight: when they see these alerts, these incidents, they're able to proactively address them and not wait for the audit, which is reactive, typically.
Because you get, straight from the Audit Committee, a list of findings, and everybody runs around trying to figure out what happened. So they're able to manage their business proactively and streamline their business while maintaining security across the enterprise. So that's it, in a nutshell. We can talk a lot more about it, or maybe even have them talk to you directly, if you're interested.