Best Practices in Security Design for a College System · PeopleSoft Security Overview •User...

Best Practices in Security Design for a College System

Session Number 5760

March 05, 2019

Shelia SloanSystem Analyst IV

University System of [email protected]

Johnathan RiderSystems and Infrastructure Services Manager

Washington State Board for Community and Technical [email protected]

Cameron McClurgManaging Director

SpearMC [email protected]

University System of Georgia & Oracle

PeopleSoft Financials PeopleSoft HCM

Application 9.2 Image 27 9.2 Image 26

PeopleTools 8.56.14 8.56.14

Washington State Board for Community and Technical

Colleges & OraclePeopleSoft Financials PeopleSoft HCM Campus Solutions

Application 9.2 Image 28 9.2 Image 27 9.0 Bundle 51

PeopleTools 8.56.07 8.56.07 8.56.07

Purpose

• Best Practices in Security Design for a College System: How University System of Georgia and the Washington State Board for Community and Technical Colleges designed security balancing centralized control with decentralized security administration.

• We'll review delivered security components that facilitate efficient security design. We’ll discuss what features/components are centrally managed and which features are decentralized. In addition, the business process that allows for the central board to work with the individual campuses will be explained.

Agenda

❖About Us

❖PeopleSoft Authentication Overview

❖PeopleSoft Security Overview

❖One Shared PeopleSoft Instance (Pros/Cons)

❖Security Design

❖Security Administration Approaches

❖Auditing

❖Uploads (Excel to CI)

❖Lessons Learned

❖Wrap Up and Q&A

About The University System of Georgia

• The University System of Georgia (USG) is a part of the community in each of Georgia’s 159 counties and provides services across the state. The USG is composed of 26 higher education institutions including four research universities, four comprehensive universities, nine state universities and nine state colleges. It also includes the Georgia Public Library Service, which encompasses approximately 389 facilities within the 61 library systems throughout the State of Georgia. Additionally, the USG includes the Georgia Archives which identifies, collects, manages, preserves and provides access to records and information about Georgia.

About The Washington State Board for Community and Technical Colleges

• The Washington State Board for Community and Technical Colleges — led by a nine-member governor-appointed board — advocates, coordinates and directs Washington state’s system of 34 public community and technical colleges.

• Each year, about 370,000 students train for the workforce, prepare to transfer to a university, gain basic math and English skills, or pursue continuing education. Our students, graduates and community partners increase the state’s quality of life and economic vitality as entrepreneurs, employees, consumers and taxpayers

Definition Slide

• Role (Static/Dynamic)-Roles are intermediate objects that link user profiles to permission lists• Static Roles – Security Administrators Have to manually Assign roles to users. These are static roles

• Dynamic Roles – Roles can be assigned to users by a role query, peoplecode, or via ldap rules without manual effort.

• Permission List - Permission lists are groups of authorizations that you assign to roles. Permission lists store sign in times, page access, PeopleTools access, and so on.

• Definition Security – This leverages the primary permission list to restrict users access to PeopleToolsDatabase Definitions, such as trees, menus,queries, etc.

• File Server Security - Prevents data from leakage through shared folders on your file server

• Database Security -Refers to the collective measures used to protect and secure a database or databasemanagement software from illegitimate use and malicious threats and attacks.

• Row Level Security – Restricts User Access to certain rows in a table without allowing them to see all rows

• Segregation of Duties - An internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task

PeopleSoft Authentication Overview

• Authentication Options (SSO, MSAD Integration, Identity Services, PeopleSoft User ID/Password)• USG utilizes SSO (Single Sign On ) Using SAML Authentication

• USG also requires two factor authentication to login to the application

• Support Staff and Non Employee Type users use a local PeopleSoft User id and Password.


• PASSWORD OPTIONS • USG sets password controls for non single sign on accounts according to our

IT Handbook and Audit Requirements; 5 attempts to lockout; 8 password history; 10 character in length, with one upper case and two digits

• All employees use Single Sign On and their password controls are on their active directory accounts

PeopleSoft Security Overview

• User Authorization (perm lists, roles)• USG users gain authorization within the application using custom roles and

permission lists. This is a combination of dynamic and static role assignments

• Portal Security around fluid homepages and tiles are restricted to certain roles/permissions.

• USG Uses Definition security to control delivered and custom queries we develop for end users


• Row Level Security (SACR, row level, dept tree security)• USG uses row level security in the HCM application; it is based on the

department security tree.

• In Financials for USG, it is restricted only at the business unit level.


• Database Security • USG has several two tier users at the Database level for institutions to use for querying

institutional specific data.

• They are restricted to their company or business unit using Oracle VPD;

• In HCM , the sensitive data is masked even at the two tier level unless a special user id is used.

• SBCTC utilizes Oracle’s GoldenGate Software to replicate PeopleSoft databases to an Oracle database which allows colleges access to their near real-time data. College’s access this via a database rather than accessing it through the Peoplesoft application.


• File server security• Custom directories for custom SQRs, nVisions

• Application homes are read only and secured

• Only DBA type support people have access to these areas.

One Shared PeopleSoft Instance (Cons)

• Restricting data access *Company level security is not always delivered

• Restricting Queries *Query Security and retaining original query integrity

• Common Roles, either too restrictive or too broad*agreement on what the roles should be

One Shared PeopleSoft Instance (Pros)

• Support and Cost

• Server resources (CPU, MEM, HDD, etc.)

• Less support staff

• One place to apply patches and images

• One place to troubleshoot all institutions

Security Design (Headaches)

• Designing security around individual users.

• Designing security around job titles.

• Designing security around one institution.

Security Design (Recommendations)

• Flexible permission lists and roles.

• Design roles around business processes (i.e. Voucher Entry, HR Employee Maintenance, Journal Entry, etc)

• Make permission lists very flexible at the menu bar level (reduces redundancy)

• Use dynamic roles where possible (HR job attributes are great for this)

• Make roles fit at the lowest level so there are no segregation of duties issues.

• Standardize on a naming convention for permission list and roles.

• Ensure the role names make functional sense.


• Decentralized Security Administration (Role Grant)

• Control what roles your local security administrators see by using role grants and the distributed user profile.

• Keep any institution specific roles in separate role grants (should be limited to mostly workflow type roles)


• Managing security via a release process.• Create security in a test environment that is separate from the development

environment

• Unit and system test

• Package as part of the release and then User Acceptance test

• Deploy to Production

• This process controls security more effectively and can be applied to non production environments easier


• Sensitive Data Control• With the risk of PII data, it is important to control sensitive data.

• Within Query, records that contain Sensitive data should be moved to a separate query tree an a separate security role;

• Within the application only provide those pages to the users who really need access to update them, such as an Human Resources analyst who updates job data, or mask the data to only show the last 4, unless you have a special security role to allow full access.


• Auto creation of user ids/vs manual (and other Batch Security jobs)• USG Financials allows users to self register for a user id, by matching their last 4 of SSN,

birthdate and zip code; Or the account must be manually created.

• USG HCM has an autoprovision process that automatically creates the user id in the system once the new hire job record is created. Once this is provisioned, the dynamic roles process and sjts run via a batch process.


• Dynamic Role Security• Dynamic role assignment can be based on many different things, such as job attributes,

or approver pages, etc. • They can be driven off of PeopleCode or a Query• USG has an Expenses approval role set up to dynamically assign to users on the expenses

approver assignments page, as well as on the designate box on the update profile.• USG has many roles in HCM that are dynamic based off of certain employee attributes;

Examples are BOR Employee (all employees that are in an active status get this base role); BOR Terminated EE, (all terminated users get this role, to access their previous paychecks and w2 info); Others include Timesheet, Retiree, Manager roles, and many more.

• This takes a lot of the burden off the local security admin.• SBCTC utilizes dynamic roles to establish appropriate access to data based on the user

profile classification and institution.


• Operating Policies and Procedures• Put procedures in place for security design updates, taking into consideration all

institutions needs. Maintain flexibility and always update your security design matrix.

• Testing procedures need to be put into place for system testing and user acceptance testing.

• Ensure you put monitoring procedures in place (See Audit section next)

• Work with the functional owner to ensure security is delivered in such a way to meet their needs as the module owner.


• Provide Tools to the local Security Administrators for ease of use. • USG and SBCTC created Job Aids by Job Function;

• These should be customized by each institution to fit their needs


Here is an example job aid for HCM based on Navigation by Role

Security Administration Approaches

• Places the administration in the hands of those that know their staff and their unique institutions business needs.

• Eliminates the middle man and saves time.

• Less Bureaucracy

• Better sense of ownership

• Allows more flexibility for the institution.

• Close Proximity resulting in customer satisfaction

• Current user access/job changes is easier to manage

Pros Cons

For smaller institutions, it could become a segregation of duties issue.Could be a resource constraint for small institutions

If not properly trained, unnecessary access may be provisioned, causing audit issues.

Decentralized Security Model

Security Administration Approaches

• Creates a standard process for security administration.

• Central point of contact

• Trained administration staff who also monitor for audit issues and who update practitioner security upon termination.

• More resource bandwidth to cover security administration

• Can closely monitor user access and upon termination deprovision the subsystem access as well.

Pros Cons

Creates an extra layer to the request process, slowing down response time

Out of touch with real business needs at the individual institutions, especially the larger ones.

Does not allow institution to be as unique and flexible in their security practices.

Current user access and job changes/security changes is harder to manage.

Centralized Security Model

Auditing

• What to Audit (“at risk” transactions, terminations, new hires, current users, segregation of duties, etc)

• When auditing, look for terminated users with active accounts, users with too much access (segregation of duties issues), and current user access to determine if still appropriate.

• Other things to look for are things such as privileged users (local security administrators, support users, dbas, or users with peopletools access.

• The privilege user access needs to be evaluated more often than the regular end users.• Users that transfer between departments need to have their security reviewed for accuracy.

New job duties could mean new roles, and old roles would need to be removed. • Auditing records such as additional pay to ensure no one updates their own data ensures an

extra layer of protection.• Auditing user security protects the local security admin as well as provides a great way to

provide auditors the history they need.

Auditing

• USG provides supporting tools for the institutions to use for audit purposes. • In Financials a termination query is built off Job Record to show any terminated user whose user id is still

unlocked. As an important note, this is to be used as a secondary tool for confirming terminations. The HR system is always the system of record for ensuring accuracy.

• In HCM, the termination role dynamically gets assigned and the employee roles get removed.• USG created queries to monitor who has local security administration privileges. This allows us to ensure they

haven’t terminated and on an annual basis we certify these users with each institution. • USG Centrally controls the local security administration roles, to ensure that it is not handed out to users who

do not need it. • At USG, we have built a query based of the State Segregation of Duties Matrix they have provided. This is a

tool for the institutions to use to review users who have risks or potential risks of segregation of duties. This does not take into account user preferences, however it is meant to be a fast way to narrow down users to focus on.

• USG has Many Payroll/Job Audit queries that are run as part of every payroll process on Calc, confirm and payroll days.

Auditing

Segregation of Duties is a key component of control activities of the institution

• Assigning key duties and responsibilities to different personnel to reduce the risk of error, misuse, or fraud

• Example: one person initiates, a different person records, a different person approves, etc.

Auditing

This is the SOD Matrix the State provided. We based our Query from this.

Auditing

You will notice that there are a few user ids returned. This doesn’t automatically mean there are SOD issues. An evaluation of each user must be completed. In the Financials Application there are more user preference type actions, that have to be taken into account. A user may have access to a page, however if they don’t have the action, they can’t update the page.

Auditing

• INTERNAL Controls

• A process the provides reasonable assurance that the objectives of the institution will be achieved.

• Not one event, but a series of actions that occur throughout an institution’s operations.

• An integral part of the operational processes and not a separate system.

Everyone has a responsibility for internal controls

• Management–directly responsible for the design, implementation, and operating effectiveness

• Staff–help management and are responsible for reporting issues

External auditors are not considered part of an institution’s internal control system.

Auditing

• SOD/Employee Compensation/(HCMS) EXAMPLE

NOTE: In some instances, the Human Resources module and the payroll module may be part of the same system. However, the employees responsible for processing the payroll should not have access to the Human Resources module and vice versa. For smaller institutions where one employee maintains the HR data in HCMS and processes payroll, this employee should not be able to authorize and execute the pay run (i.e., generate payroll checks) or distribute payroll checks.

Compensating Controls Example:

To enhance controls over the payroll process, the following compensating controls can be utilized:

• A supervisory-level employee who is not involved in the payroll process reviews and approves the pre-payment payroll report as well as the final payroll reports after the payroll has been processed.

• Distribution of payroll checks is conducted by a supervisory-level employee without payroll responsibilities, and checks not distributed are investigated.

• Gross wages, per the payroll journals and the general ledger, are reconciled to the W-2s.

Auditing

• Two types of Data auditing.• Field Auditing

• Record Level Auditing (based on Database Triggers)

Auditing – Field

• Check box on Record in App Designer

• Only works for data entry through normal component.

• Uses Delivered PSAUDIT and PSAUDITEXT tables. Tracks OLDVALUE/NEWVALUE.

Auditing – Database Triggers

• Steps1. Create a subrecord that has three fields (OprID, Date/Time Stamp, Action)

• Optional, Add SQL ID if you want to include back end SQL auditing

2. Copy desired record to be audited and add the new subrecord

3. Create Audit Trigger in PeopleSoft PIA

4. Run Process to Create Trigger

5. Copy SQL generated from process to SQL Client and execute


• Step 1 – Create Subrecord


• Step 2 – Copy desired Record and insert new Subrecord.


• Step 2 – Arrange the subrecord at the beginning and Create Table


• Step 2 – Verify in SQL


• Step 3 – Create Audit Trigger in PeopleSoft PIA


• Step 4 - Run Process to Create Trigger


• Step 5 - Copy SQL generated from process to SQL Client and execute


• Testing


• Building Queries and Alerts• A series of Queries can be run on a periodic basis (i.e. a quarterly security

audit)

• Alerts can be built for violations (i.e. Notify Functional owner if a user has deleted data, Notify Security Admin if a user has updated their own security)


• Note: Process Relies on DB function GET_PS_OPRID. This doesn’t exist in your Database until you create it. Oracle delivers this script in your ps_home directory.


• Optional – Add to the table for back end changes (INSERTS, UPDATES).

Auditing – Advice

• Use Sparingly• Identify Key/Critical records (User Profiles, Banking, PII, etc.)

• Start Small. Build prototype and determine what works for your organization

• Be Careful – One missed step and you bring the system down…

• Leverage Alerts, but don’t overuse (don’t allow the notification to become noise)

Excel to CI - Overview

Excel to CI - Overview

• Leverage Excel to view or enter data into PeopleSoft:

Component Interface - Overview

• PeopleSoft delivers multiple ways to load data into the system• Delivered Uploads (Vouchers, Items, Journal Uploads)• Delivered technology – Integration Broker, Component Interfaces, etc.

• Component Interface – Application Programming Interface (API)

• Used to enter, manipulate or access data, logic or functionality (most common is entering data)

• Key Advantage – Leverages Online Validation (peoplecode). Can provide End user validation.

• Can Load mass amounts of data into PeopleSoft (with validation)

• Leverages Security (must have access to CI and Component)

Component Interface– Overview (cont.)

• Works best with less parent/child relationships in the record structure

• Maps to only one PeopleSoft component. However multiple CI’s can be built on the same component. (i.e. Creating one with certain peoplecode attached vs. a second one without)


• Keys are special properties containing values that retrieve an instance (Get keys) or a list of instances (Find keys) of the component interface. When you create a new component interface, Get and Find keys are created based on the search record definition for the underlying component. However, you can add, remove, or change keys in PeopleSoft Application Designer. Create keys are created for components that have the Add action enabled.

Excel to CI – Overview

• Connect Excel to the Component Interface

• Delivered (blank) excel to ci template in the ps_home directory

• Excel to CI templates come with built in macros (Visual Basic) that execute business logic for each transaction.


• Connect to Database


• New Template - Connect to a Component Interface


• Select fields for Input and for Submission• Select Input Cell - Selects an individual cell to be included in the data input

sheet. Cells that have been selected as input cells are highlighted in pink.

• Include for Submission - Includes a single property to be included on the Staging and Submission sheet.


• New Data Sheet


• Stage and Submit


• Stage and Submit• Data entry is real time

• Error handling puts burden back on end user. Requires good, descriptive errors. The same error online would occur in Excel.

• OK, Warning, Error

• Post Results brings results (OK, Warning, Error) back to Data Sheet. Subsequent Stage and Submits will only bring forward New rows and Errors.

Excel to CI – Advice

• Beware complicated components

• Leverage “Post Results” only if you stay disciplined

• Once a working version of an upload exists, it can be replicated (i.e. distributed to multiple users). Pros and Cons

• Add PeopleCode to enhance data uploads • Defaults – Keep it simple for your users. Add defaulting of additional data

elements to keep data entry to a minimum (similar to online experience).

• Expanded error handling – Prevents “bad” data from getting in the system.

Lessons Learned

• Base roles on business process not positions.

• Two factor authentication…

• Local Campuses didn’t maintain the active directory as they should, which caused Single Sign on issues; last name, hypens, etc…

• Reports to Structure on Job/Position wasn’t well maintained in legacy system which lead to Manager Reports to issues and Company Directory issues and effected the dynamic manager role.

Questions?Or send to [email protected]

Complete your session survey!• Open the HEUG Events App on your phone,

tablet, or laptop

• Click on this session in your schedule.

• Then click the "Resources" button and "Survey“You will be required to login once with your Eventsentialusername and password.

Thank you!This presentation and all Alliance 2019 presentations

are available for download from the Conference site atwww.alliance-conference.com

Best Practices in Security Design for a College System · PeopleSoft Security Overview •User...

Documents

Transcript of Best Practices in Security Design for a College System · PeopleSoft Security Overview •User...