Hyperion Application Access Control Governor Blueprint for Oracle GRC Applications

Transcription

1 <Insert Picture Here> Hyperion Application Access Control Governor Blueprint for Oracle GRC Applications Providing organizations the ability to enforce Segregation of Duties across Hyperion Applications

2 Agenda Hyperion Application Access Control Governor Blueprint Overview Business Challenges Solution Details SOD in Hyperion Applications Process Flow Capabilities Details Oracle Blueprints for Oracle GRC Applications

3 Blueprint Overview Blueprint purpose: Help existing Oracle Application Access Control Governor (AACG) customers to centrally monitor, detect, and prevent incompatible access privileges for Hyperion Shared Services (HSS) enabled EPM apps. Blueprint benefit: Mitigate financial process risks inherent to Hyperion Financial Management (HFM) deployments Prevent potential user security threats related to Hyperion EPM deployments Blueprint items: Pre-built AACG Adaptor for HSS and for HFM Security Classes Pre-built AACG Policies for HFM

4 Agenda Hyperion Application Access Control Governor Blueprint Overview Business Challenges Solution Details SOD in Hyperion Applications Process Flow Capabilities Details Oracle Blueprints for Oracle GRC Applications

5 Financial Statement Risk Factors Pressures Exposures Market competition Earnings expectations New accounting or regulatory requirements Secure additional financing High vulnerability to rapid changes interest rates, technology, obsolescence Complex transactions at end of period Significant operations across international borders Overly complex organization structure Weak monitoring and systembased controls Ineffective accounting and information systems AICPA -- Appendix to SAS No. 99, Fraud Risk Factors 5

6 Reducing User Access Security Threats Segregation of Duties Example Policies Support regulatory compliance Reduce risk of fraud and errors Identify key touch points in EPM deployments that require additional oversight Augment HFM reporting regarding security HFM-specific policies Create Journal * Post Journal Create Journal * Approve Journal Consolidation * Consolidate All Lock Data * Unlock Data 6

7 Agenda Hyperion Application Access Control Governor Blueprint Overview Business Challenges Solution Details SOD in Hyperion Applications Process Flow Capabilities Details Oracle Blueprints for Oracle GRC Applications

8 Enforce proper segregation of duties in applications SOD refers to the separation of business activities that a single person may initiate and/or validate, in order to limit or prevent erroneous or fraudulent activities Business activities are enabled through the respective access points within an application (ex. Create Journals, Consolidate Data, etc ) Access Point any level node in the access model hierarchy for a particular application

9 Enforce proper segregation of duties in applications Policy Library Detection Conflict Paths Simplify segregation of duties enforcement with simulation and remediation Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails Accelerate deployment and time to value with predelivered controls library Prevention Define Access Controls Access Analysis Remediation (Clean-up) Preventive Provisioning Compensating Policies

10 Process Flow HSS Evaluate HSS User Authorization Model Remediate Hyperion Users and Groups Blueprint includes: 12 pre-defined HFM AACG Policies AACG Define Hyperion Data Source Extract Authorization Model into AACG Define or import SoD control policies Analyze SoD Conflicts Schedule or Run Conflict Analysis 4 pre-defined AACG globalconditions 1 Incremental Update ODI Scenario for AACG 3 Repository diagnostic SQL scripts Reduce False Positives Conflict Reports SoD conflicts by Policies SoD conflicts by Users Hyperion AACG

11 Solution Architecture Adds ability to: Analyze Hyperion users, groups, roles, and inherited user access Analyze Fusion Apps users, roles, and entitlements Coverage within and across financial sources with application-specific and cross-platform analysis e.g. can t setup HFM GL and post to Fusion/PSFT/EBS GL Hyperion EPM Apps Application Access Controls Governor 8.5 Hyperion Shared Services Adapter Framework (ODI) Fusion Financial Sources

12 Access Adaptor & Semantic Data Store Semantic Data Store Access Adaptor Captures and converts Authorization Data of target Applications like Hyperion into single common model in AACG Database Can be configured against HFM and other HSS based Hyperion apps Full and incremental data pulls

13 Seeded Fine Grain Access Control Define Comparing EBS and HFM Access Points Hyperion Journals Administrator Hyperion Post Journals EBS R12 Create Journal Entries EBS R12 Enter Journals EBS R12 Enter Encumbrances Entitlements: Post HFM Journal Entry Element Hyperion Journals Administrator Hyperion Post Journals Description Journals Administrator Post Journals Entitlements: Enter EBS Journal Entry Element Create Journals Enter Journals Enter Encumbrances Description Create journal Entries Enter Journals Enter Encumbrances POLICY Enter Journal(EBS) * Post Journal(HFM)

14 Validation Cross Platform Conflicts Same individual / different user accounts Hyperion Shared Services Oracle ebusiness Suite Group of groups Responsibility Group Menus Role Nested roles Functions

15 Agenda Hyperion Application Access Control Governor Blueprint Overview Business Challenges Solution Details SOD in Hyperion Applications Process Flow Capabilities Details Oracle Blueprints for Oracle GRC Applications

16 What are Blueprints? Best Practices Standardized techniques, methods, & processes, based on business practice analysis across multiple organizations. Example: Centralized Health & Safety Incident Management Content Pre-defined modules, policies, reports, models, attributes, lookups, semantic business objects, physical mappings. Example: Pre-built policies to detect SOD-related fraud in Hyperion Financial Mgmt Integrations Out-of-the-box interoperability with critical business systems delivering best practices across entire business process. Example: Connector to Hyperion FM for accounts-based controls assessment scoping

17 How do Blueprints fit into the GRC Platform? Enterprise GRC Platform Functional Extensibility Blueprints leverage the Oracle GRC Platform Configurability and Extensibility Framework Components GRCI GRCM GRCC-A GRCC-C GRCC-T GRCC-P 11g FMW Framework WEBCAT MODULES MODELS SDD & SDM PATTERNS RULES ADF & SOA Health, Safety and Environment HSE Blueprint includes: 15 pre-defined Types 25 pre-defined Classes 5 pre-defined Perspectives 153 pre-defined Attributes 18 pre-defined Lookup Values 20 pre-defined Graphs 4 pre-defined Risk Context Models 13 pre-defined Survey Questions1 Standalone ADF-based configurable incident capture page

18 How are Blueprints Different from Products? Freely available Free, open & extensible Free, self-paced training Free, community based support

19 Blueprints Ecosystem Blueprints Enterprise GRC Platform Partners Increase ROI with one platform for all GRC Initiatives Share new blueprints in an online community Collaborate online on extending existing blueprints Oracle Customers