Hyperion Application Access Control Governor Blueprint for ... · •Hyperion Application Access...

<Insert Picture Here>

Hyperion Application Access Control Governor

Blueprint for Oracle GRC Applications

Providing organizations the ability to enforce Segregation of Duties

across Hyperion Applications

• Hyperion Application Access Control Governor Blueprint Overview

• Business Challenges

• Solution Details

• SOD in Hyperion Applications

• Process Flow

• Capabilities Details

• Oracle Blueprints for Oracle GRC Applications

Segregation of Duties for Hyperion Agenda

Blueprint purpose:

• Help existing Oracle Application Access Control Governor

(AACG) customers to centrally monitor, detect, and prevent

incompatible access privileges for Hyperion Shared Services

(HSS) enabled EPM apps.

Blueprint benefit:

• Mitigate financial process risks inherent to Hyperion Financial

Management (HFM) deployments

• Prevent potential user security threats related to Hyperion EPM

deployments

Blueprint items:

• Pre-built AACG Adaptor for HSS and for HFM Security Classes

• Pre-built AACG Policies for HFM

Segregation of Duties for Hyperion Blueprint Overview





• Process Flow




• Market competition

• Earnings expectations

• New accounting or regulatory

requirements

• Secure additional financing

• High vulnerability to rapid

changes – interest rates,

technology, obsolescence

• Complex transactions at end of

period

• Significant operations across

international borders

• Overly complex organization

structure

• Weak monitoring and system-

based controls

• Ineffective accounting and

information systems

5

Pressures Exposures

AICPA -- Appendix to SAS No. 99, Fraud Risk Factors

Segregation of Duties for Hyperion Financial Statement Risk Factors

• Support regulatory compliance

• Reduce risk of fraud and errors

• Identify key touch points in EPM

deployments that require

additional oversight

• Augment HFM reporting

regarding security

• HFM-specific policies

• Create Journal * Post Journal

• Create Journal * Approve

Journal

• Consolidation * Consolidate All

• Lock Data * Unlock Data

6

Segregation of Duties Example Policies

Segregation of Duties for Hyperion Reducing User Access Security Threats





• Process Flow




� SOD refers to the separation

of business activities that a

single person may initiate

and/or validate, in order to

limit or prevent erroneous or

fraudulent activities

� Business activities are

enabled through the

respective access points

within an application (ex.

Create Journals,

Consolidate Data, etc…)

� Access Point – any level

node in the access model

hierarchy for a particular

application

Segregation of Duties for Hyperion Enforce proper segregation of duties in applications

•Simplify segregation of duties

enforcement with simulation

and remediation

•Mitigate risk of privileged

user access to enterprise

applications with approval

workflow and audit trails

•Accelerate deployment and

time to value with pre-

delivered controls library

Detection

Access

Analysis

Compensating

Policies

Define

Access

Controls

Remediation

(Clean-up)

Preventive

Provisioning

Prevention

• Policy Library• Conflict Paths

• Policy Library• Conflict Paths

Segregation of Duties for Hyperion Enforce proper segregation of duties in applications

Blueprint includes:

• 12 pre-defined HFM AACG

Policies

• 4 pre-defined AACG global-

conditions

• 1 Incremental Update ODI

Scenario for AACG

• 3 Repository diagnostic SQL

scripts

HSS

AACG

ConflictReports

Evaluate HSS UserAuthorization Model

ExtractAuthorization Model

into AACG

Define or importSoD control policies

Define HyperionData Source

Reduce FalsePositives

Analyze SoDConflicts

Schedule or RunConflict Analysis

SoD conflicts byPolicies

RemediateHyperion Users and

Groups

SoD conflicts byUsers

Hyperion AACG

Segregation of Duties for Hyperion Process Flow

Financial Sources

Hyperion Shared Services

Hyperion EPM Apps

Adapter Framework

(ODI)

Application Access Controls Governor 8.5

• Adds ability to:

• Analyze Hyperion users, groups, roles, and inherited user access

• Analyze Fusion Apps users, roles, and entitlements

• Coverage within and across financial sources with application-specific and cross-platform analysis

• e.g. can’t setup HFM GL and post to Fusion/PSFT/EBS GL

• Adds ability to:

• Analyze Hyperion users, groups, roles, and inherited user access

• Analyze Fusion Apps users, roles, and entitlements

• Coverage within and across financial sources with application-specific and cross-platform analysis

• e.g. can’t setup HFM GL and post to Fusion/PSFT/EBS GL

Fusion

Segregation of Duties for Hyperion Solution Architecture

Access Adaptor

• Captures and converts Authorization

Data of target Applications like

Hyperion into single common model

in AACG Database

• Can be configured against HFM and

other HSS based Hyperion apps

• Full and incremental data pulls

Semantic Data Store

Segregation of Duties for Hyperion Access Adaptor & Semantic Data Store

Define

Entitlements: Post HFM Journal EntryElement Description

Hyperion – Journals Administrator Journals Administrator

Hyperion – Post Journals Post Journals

Entitlements: Enter EBS Journal EntryElement Description

Create Journals Create journal Entries

Enter Journals Enter Journals

Enter Encumbrances Enter Encumbrances

POLICY

Enter Journal(EBS) * Post Journal(HFM)

Access Points �Hyperion – Journals Administrator

�Hyperion – Post Journals

�EBS R12 – Create Journal Entries

�EBS R12 – Enter Journals

�EBS R12 – Enter Encumbrances

Comparing EBS and HFM

Segregation of Duties for Hyperion Seeded Fine Grain Access Control

Same individual /

different user accounts

Group of groups

Group

Role

Nested roles

Responsibility

Menus

Functions

Segregation of Duties for Hyperion Validation Cross Platform Conflicts

Hyperion Shared

Services

Oracle eBusiness

Suite





• Process Flow




Best Practices

Standardized techniques, methods, & processes, based on

business practice analysis across multiple organizations.Example: Centralized Health & Safety Incident Management

Content

Pre-defined modules, policies, reports, models, attributes,

lookups, semantic business objects, physical mappings.Example: Pre-built policies to detect SOD-related fraud in Hyperion Financial Mgmt

Integrations

Out-of-the-box interoperability with critical business systems

delivering best practices across entire business process.Example: Connector to Hyperion FM for accounts-based controls assessment scoping

Segregation of Duties for Hyperion What are Blueprints?

Blueprints leverage the Oracle GRC

Platform Configurability and

Extensibility Framework

Health, Safety and

Environment

HSE Blueprint includes:

• 15 pre-defined Types

• 25 pre-defined Classes

• 5 pre-defined Perspectives

• 153 pre-defined Attributes

• 18 pre-defined Lookup Values

• 20 pre-defined Graphs

• 4 pre-defined Risk Context Models

• 13 pre-defined Survey Questions1

• Standalone ADF-based

configurable incident capture page

Enterprise GRC PlatformEnterprise GRC Platform

GRCIGRCI

GRCMGRCM

GRCC-AGRCC-A

GRCC-CGRCC-C

GRCC-TGRCC-T

GRCC-PGRCC-P

Functional

Components

Extensibility

Framework

RULESRULES

PATTERNSPATTERNS

SDD & SDMSDD & SDM

MODELSMODELS

MODULESMODULES

WEBCATWEBCAT

11g FMW11g FMW ADF & SOAADF & SOA

Segregation of Duties for Hyperion How do Blueprints fit into the GRC Platform?

Freely available

Free, self-paced training

Free, community based support

Free, open & extensible

Segregation of Duties for Hyperion How are Blueprints Different from Products?

Oracle

Partners

Customers

Enterprise GRC

Platform

• Increase ROI with one platform for all GRC Initiatives

• Share new blueprints in an online community

• Collaborate online on extending existing blueprints

Blueprints

Segregation of Duties for Hyperion Blueprints Ecosystem

Hyperion Application Access Control Governor Blueprint for ... · •Hyperion Application Access...

Documents

Transcript of Hyperion Application Access Control Governor Blueprint for ... · •Hyperion Application Access...