Post on 21-Apr-2020
Hyperion Application Access Control Governor
Blueprint for Oracle GRC Applications
Providing organizations the ability to enforce Segregation of Duties
across Hyperion Applications
• Hyperion Application Access Control Governor Blueprint Overview
• Business Challenges
• Solution Details
• SOD in Hyperion Applications
• Process Flow
• Capabilities Details
• Oracle Blueprints for Oracle GRC Applications
Segregation of Duties for Hyperion Agenda
Blueprint purpose:
• Help existing Oracle Application Access Control Governor (AACG) customers to centrally monitor, detect, and prevent incompatible access privileges for Hyperion Shared Services (HSS) enabled EPM apps.
Blueprint benefit:
• Mitigate financial process risks inherent to Hyperion Financial Management (HFM) deployments
• Prevent potential user security threats related to Hyperion EPM deployments
Blueprint items:
• Pre-built AACG Adaptor for HSS and for HFM Security Classes
• Pre-built AACG Policies for HFM
Segregation of Duties for Hyperion Blueprint Overview
• Market competition
• Earnings expectations
• New accounting or regulatory requirements
• Secure additional financing
• High vulnerability to rapid changes – interest rates, technology, obsolescence
• Complex transactions at end of period
• Significant operations across international borders
• Overly complex organization structure
• Weak monitoring and system-based controls
• Ineffective accounting and information systems
Column headings: Pressures, Exposures
AICPA -- Appendix to SAS No. 99, Fraud Risk Factors
Segregation of Duties for Hyperion Financial Statement Risk Factors
• Support regulatory compliance
• Reduce risk of fraud and errors
• Identify key touch points in EPM deployments that require additional oversight
• Augment HFM reporting regarding security
• HFM-specific policies
• Create Journal * Post Journal
• Create Journal * Approve Journal
• Consolidation * Consolidate All
• Lock Data * Unlock Data
Segregation of Duties Example Policies
Segregation of Duties for Hyperion Reducing User Access Security Threats
• SOD refers to the separation of business activities that a single person may initiate and/or validate, in order to limit or prevent erroneous or fraudulent activities
• Business activities are enabled through the respective access points within an application (e.g., Create Journals, Consolidate Data, etc.)
• Access Point – any level node in the access model hierarchy for a particular application
Segregation of Duties for Hyperion Enforce proper segregation of duties in applications
• Simplify segregation of duties enforcement with simulation and remediation
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Accelerate deployment and time to value with pre-delivered controls library
[Diagram labels: Detection; Access Analysis; Compensating Policies; Define Access Controls; Remediation (Clean-up); Preventive Provisioning; Prevention; Policy Library; Conflict Paths]
Segregation of Duties for Hyperion Enforce proper segregation of duties in applications
Blueprint includes:
• 12 pre-defined HFM AACG Policies
• 4 pre-defined AACG global-conditions
• 1 Incremental Update ODI Scenario for AACG
• 3 Repository diagnostic SQL scripts
[Process flow diagram labels: HSS; AACG; Conflict Reports; Hyperion AACG. Step labels as extracted:]
• Evaluate HSS User Authorization Model
• Extract Authorization Model into AACG
• Define or import SoD control policies
• Define Hyperion Data Source
• Reduce False Positives
• Analyze SoD Conflicts
• Schedule or Run Conflict Analysis
• SoD conflicts by Policies
• Remediate Hyperion Users and Groups
• SoD conflicts by Users
Segregation of Duties for Hyperion Process Flow
[Diagram labels: Financial Sources; Hyperion Shared Services; Hyperion EPM Apps; Fusion; Adapter Framework (ODI)]
Application Access Controls Governor 8.5
• Adds ability to:
• Analyze Hyperion users, groups, roles, and inherited user access
• Analyze Fusion Apps users, roles, and entitlements
• Coverage within and across financial sources with application-specific and cross-platform analysis
• e.g., can’t set up HFM GL and post to Fusion/PSFT/EBS GL
Segregation of Duties for Hyperion Solution Architecture
Access Adaptor
• Captures and converts authorization data of target applications like Hyperion into a single common model in the AACG database
• Can be configured against HFM and other HSS-based Hyperion apps
• Full and incremental data pulls
Semantic Data Store
Segregation of Duties for Hyperion Access Adaptor & Semantic Data Store
Define
Entitlements: Post HFM Journal Entry
  Element                              Description
  Hyperion – Journals Administrator    Journals Administrator
  Hyperion – Post Journals             Post Journals
Entitlements: Enter EBS Journal Entry
  Element               Description
  Create Journals       Create journal Entries
  Enter Journals        Enter Journals
  Enter Encumbrances    Enter Encumbrances
Policy: Enter Journal(EBS) * Post Journal(HFM)
Access Points:
• Hyperion – Journals Administrator
• Hyperion – Post Journals
• EBS R12 – Create Journal Entries
• EBS R12 – Enter Journals
• EBS R12 – Enter Encumbrances
Comparing EBS and HFM
Segregation of Duties for Hyperion Seeded Fine Grain Access Control
[Diagram labels: Same individual / different user accounts; Group of groups; Group; Role; Nested roles; Responsibility; Menus; Functions; Hyperion Shared Services; Oracle eBusiness Suite]
Segregation of Duties for Hyperion Validation Cross Platform Conflicts
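The cross-platform policy Enter Journal(EBS) * Post Journal(HFM) and the conflict-path idea from the slides can be worked through as follows. This Python sketch is an added example, not part of the original slides or of AACG; the accounts, groups, roles, responsibilities, menus and the data layout are constructed for illustration.

```python
# Added example: SoD conflict check across HSS and EBS access models.
# Every account, group, role, responsibility and menu below is constructed.
ENTITLEMENTS = {  # entitlement -> access points, as in the slide's tables
    "Post Journal(HFM)": {"Hyperion – Journals Administrator",
                          "Hyperion – Post Journals"},
    "Enter Journal(EBS)": {"EBS R12 – Create Journal Entries",
                           "EBS R12 – Enter Journals",
                           "EBS R12 – Enter Encumbrances"},
}
# A policy names two entitlements one individual must not hold together.
POLICIES = [("Enter Journal(EBS)", "Post Journal(HFM)")]

# Access model: node -> children; nodes without an entry are access points.
GRANTS = {
    "hss:jdoe": ["grp:Finance"],
    "grp:Finance": ["grp:Closers"],            # group of groups
    "grp:Closers": ["role:HFM Poster"],
    "role:HFM Poster": ["Hyperion – Post Journals"],
    "ebs:JDOE01": ["resp:GL User"],            # responsibility -> menu -> function
    "resp:GL User": ["menu:GL Journals"],
    "menu:GL Journals": ["EBS R12 – Enter Journals"],
    "hss:asmith": ["grp:Closers"],
}
# Same individual, different user accounts in each system.
IDENTITIES = {"Jane Doe": ["hss:jdoe", "ebs:JDOE01"], "Al Smith": ["hss:asmith"]}

def access_paths(node, path=()):
    """Yield (access_point, path) for every leaf reachable from node."""
    path = path + (node,)
    children = GRANTS.get(node)
    if children is None:
        yield node, path
        return
    for child in children:
        if child not in path:                  # guard against cyclic nesting
            yield from access_paths(child, path)

def find_conflicts():
    """Return (person, policy, path_a, path_b) for each violated policy."""
    conflicts = []
    for person, accounts in IDENTITIES.items():
        held = {}                              # access point -> first path found
        for account in accounts:
            for point, path in access_paths(account):
                held.setdefault(point, path)
        for a, b in POLICIES:
            hit_a = sorted(ENTITLEMENTS[a] & set(held))
            hit_b = sorted(ENTITLEMENTS[b] & set(held))
            if hit_a and hit_b:
                conflicts.append((person, f"{a} * {b}",
                                  held[hit_a[0]], held[hit_b[0]]))
    return conflicts
```

Evaluating per individual rather than per account is what surfaces the conflict here: neither of Jane Doe's accounts violates the policy on its own.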
Best Practices
Standardized techniques, methods, & processes, based on business practice analysis across multiple organizations.
Example: Centralized Health & Safety Incident Management
Content
Pre-defined modules, policies, reports, models, attributes, lookups, semantic business objects, physical mappings.
Example: Pre-built policies to detect SOD-related fraud in Hyperion Financial Mgmt
Integrations
Out-of-the-box interoperability with critical business systems delivering best practices across entire business process.
Example: Connector to Hyperion FM for accounts-based controls assessment scoping
Segregation of Duties for Hyperion What are Blueprints?
Blueprints leverage the Oracle GRC Platform Configurability and Extensibility Framework
Health, Safety and Environment
HSE Blueprint includes:
• 15 pre-defined Types
• 25 pre-defined Classes
• 5 pre-defined Perspectives
• 153 pre-defined Attributes
• 18 pre-defined Lookup Values
• 20 pre-defined Graphs
• 4 pre-defined Risk Context Models
• 13 pre-defined Survey Questions
• Standalone ADF-based configurable incident capture page
[Diagram labels: Enterprise GRC Platform; GRCI; GRCM; GRCC-A; GRCC-C; GRCC-T; GRCC-P; Functional Components; Extensibility Framework; RULES; PATTERNS; SDD & SDM; MODELS; MODULES; WEBCAT; 11g FMW; ADF & SOA]
Segregation of Duties for Hyperion How do Blueprints fit into the GRC Platform?
Freely available
Free, self-paced training
Free, community based support
Free, open & extensible
Segregation of Duties for Hyperion How are Blueprints Different from Products?
[Diagram labels: Oracle; Partners; Customers; Enterprise GRC Platform; Blueprints]
• Increase ROI with one platform for all GRC Initiatives
• Share new blueprints in an online community
• Collaborate online on extending existing blueprints
Segregation of Duties for Hyperion Blueprints Ecosystem