The Case for Custom Roles: Optimizing Security and Efficiency in Oracle Cloud ERP
Many Oracle E-Business Suite and JD Edwards customers are choosing to use Oracle Fusion Cloud ERP (often called Oracle Cloud ERP) to implement new or enhanced functionality while continuing to use their core ERP systems.
When implementing ERP systems and other key business applications, good role design is crucial in ensuring that all users have appropriate, least-privilege access to all the activities they need to fulfill their responsibilities. However, creating good roles can be difficult and time-consuming.
Oracle Fusion Cloud ERP comes with Seeded Roles – i.e., “out of the box” roles, designed for a wide range of common job functions, such as AR Manager, AP Manager, and more. Oracle ERP customers looking to implement new Cloud-based functionality may be tempted to adopt these ready-made roles as a quick and easy way to get up and running as they seem to offer:
- Faster time to value, with pre-defined roles that can be provisioned immediately after installation
- Reduced operational security management costs by using standardized roles
- Scalability: the same standard Seeded Roles exist in all Oracle ERP Cloud products, so from a security implementation standpoint adopting a new module should, in principle, be straightforward.
However, adopting the Seeded Roles can lead to costly security, operational, and licensing problems.
Five Security Risks With Seeded Roles
Here, we outline some of the reasons why we believe that custom roles are well worth the investment.
Roles Should Be Tailored to An Organization’s Business Processes
Each module in Oracle Fusion Cloud ERP comes with a set of roles assigned to it. However, these roles may not cover all the activities that a user needs to perform outside the module or across other applications like JD Edwards EnterpriseOne, Oracle E-Business Suite Financials, or Coupa. A user's roles should encompass the full range of activities required to complete the end-to-end business process.
Sensitive Access Risk
Some Seeded Roles include inappropriate sensitive access and configuration capabilities. Creating custom roles enables you to specify precisely who can do what with which set of data, ensuring you can restrict sensitive access to only appropriate users.
Separation of Duties Risk
Within Oracle Cloud ERP itself, there is no easy means to report on Separation of Duties (SoD) conflicts. Although Oracle has defined the Seeded Roles using Oracle Cloud SoD policies, with no visibility into these policies, users can be left with a false sense of security unless they use Oracle Risk Management Cloud – a functionally rich but large and expensive product set.
Factors that affect compliance within a role include:
- Changes to roles: As soon as a Seeded Role is copied and modified, it may no longer be compliant if privileges are added or removed.
- System configuration: If controls such as approval by batch type are implemented within the system, this may no longer be considered an SoD violation. The rules should be updated to reflect this functionality.
- Use of data roles, access types, and risk tolerance levels: How these are used can affect whether access rights breach SoD policies or not.
In all these examples, it isn’t easy to ascertain the actual compliance status until an auditor tests it and tells you. This makes it impossible to be confident in your SoD controls. Here’s why:
- Limited Visibility: Without knowing the SoD rules or the policies the Seeded Roles were designed against, how do you truly know they are compliant?
- Change Management Challenges: How can you test whether any changes to roles, system configuration, or newly created roles maintain compliance?
- Contextual Fit: How do you know if Oracle Cloud SoD Policies are the right fit for the risks that are important in your business?
Some Oracle Cloud ERP customers have found that their internal auditors reported many unexpected SoD violations while the Seeded Roles were in use.
Lack of Control Over Appropriate Access
Oracle’s twice-yearly system patches may include updates to the Seeded Roles, which can affect what users are able to do. These changes could introduce Sensitive Access or SoD risks, enabling users to carry out tasks that they are not authorized to perform. Changes to roles should never be applied without proper review and approval, and it is also advisable to conduct a user access review shortly after the patches.
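The two checks described above, intra-role and cross-role SoD analysis with compensating system controls, and a before/after comparison of role definitions following a patch, can be illustrated with a small model. The following is an added example written for this page; it is not Pathlock Cloud or Oracle code. Role names, privilege names, rule names and the control name `APPROVAL_BY_BATCH_TYPE` are constructed placeholders, not Oracle's actual privilege codes or SoD policies.

```python
"""Toy Separation-of-Duties analyser (constructed example, not vendor code).

Roles are modelled as sets of privilege names, SoD rules as pairs of
conflicting privileges, and a rule may name a system configuration control
that, when active, neutralises the conflict (e.g. approval by batch type).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class SodRule:
    name: str
    priv_a: str
    priv_b: str
    mitigated_by: Optional[str] = None  # control that compensates for the conflict


# Constructed sample seeded roles; privilege names are illustrative only.
SEEDED_ROLES: Dict[str, Set[str]] = {
    "AP_MANAGER": {"CREATE_SUPPLIER", "APPROVE_INVOICE", "VIEW_PAYMENT"},
    "AP_CLERK": {"ENTER_INVOICE", "VIEW_SUPPLIER"},
}

# Constructed SoD rules: supplier creation vs invoice entry is never allowed
# together; invoice entry vs payment creation is tolerated only when the
# (hypothetical) APPROVAL_BY_BATCH_TYPE control is configured.
RULES: List[SodRule] = [
    SodRule("SUP-INV", "CREATE_SUPPLIER", "ENTER_INVOICE"),
    SodRule("INV-PAY", "ENTER_INVOICE", "CREATE_PAYMENT",
            mitigated_by="APPROVAL_BY_BATCH_TYPE"),
]


def role_violations(privs: Set[str], rules: List[SodRule],
                    active_controls: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of SoD rules violated by a single privilege set (intra-role)."""
    found = []
    for rule in rules:
        if rule.priv_a in privs and rule.priv_b in privs:
            if rule.mitigated_by and rule.mitigated_by in active_controls:
                continue  # conflict present, but a configured control compensates
            found.append(rule.name)
    return found


def user_violations(assigned: List[str], roles: Dict[str, Set[str]],
                    rules: List[SodRule],
                    active_controls: FrozenSet[str] = frozenset()) -> List[str]:
    """Conflicts across every role assigned to one user (cross-role)."""
    effective: Set[str] = set()
    for role_name in assigned:
        effective |= roles[role_name]
    return role_violations(effective, rules, active_controls)


def diff_roles(before: Dict[str, Set[str]],
               after: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Privileges added/removed per role, e.g. after a patch updates seeded roles."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        added = after.get(name, set()) - before.get(name, set())
        removed = before.get(name, set()) - after.get(name, set())
        if added or removed:
            changes[name] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


def review_patch(before: Dict[str, Set[str]], after: Dict[str, Set[str]],
                 rules: List[SodRule],
                 active_controls: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Roles whose privilege set changed and now carry SoD violations they did not before."""
    report = {}
    for name in diff_roles(before, after):
        old = set(role_violations(before.get(name, set()), rules, active_controls))
        new = role_violations(after.get(name, set()), rules, active_controls)
        fresh = [v for v in new if v not in old]
        if fresh:
            report[name] = fresh
    return report


if __name__ == "__main__":
    # Copying a seeded role and adding one privilege introduces a conflict.
    custom_clerk = SEEDED_ROLES["AP_CLERK"] | {"CREATE_SUPPLIER"}
    print("custom role:", role_violations(custom_clerk, RULES))
    # Two individually clean roles can still conflict when both are assigned.
    print("user:", user_violations(["AP_MANAGER", "AP_CLERK"], SEEDED_ROLES, RULES))
    # A (constructed) patch that adds CREATE_PAYMENT to the clerk role.
    patched = dict(SEEDED_ROLES)
    patched["AP_CLERK"] = SEEDED_ROLES["AP_CLERK"] | {"CREATE_PAYMENT"}
    print("patch diff:", diff_roles(SEEDED_ROLES, patched))
    print("new violations:", review_patch(SEEDED_ROLES, patched, RULES))
    print("with control:", review_patch(SEEDED_ROLES, patched, RULES,
                                        frozenset({"APPROVAL_BY_BATCH_TYPE"})))
```

The point of `review_patch` is the post-patch review the paragraph above recommends: it reports only conflicts that did not exist before the change, so reviewers see what a patch or a role edit introduced rather than the whole backlog. Whether a compensating control is passed in changes the verdict, which is why the rules themselves, and not just the role definitions, have to be visible to whoever signs off.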
Excessive License Consumption
Some Seeded Roles consume a large number of licenses, whether or not the user actually uses the full range of privileges granted. Creating custom roles empowers you to restrict privileges as appropriate.
Custom Roles: The Key to Efficiency and Security
Creating custom roles enables you to provide your users with roles that are fully tailored to the needs of their jobs, granting appropriate, least-privilege access to all the tasks they are authorized to perform. In addition to activities within Oracle Cloud ERP, your custom roles can include functions available in Oracle E-Business Suite, JD Edwards EnterpriseOne, and other key business applications, ensuring that users have seamless access to everything they need to complete their business processes.
Implementing custom roles means that:
- Security administrators have complete control over what users can do.
- Privileges will only be added or removed if the change has been appropriately reviewed and approved.
- Sensitive access is only included in roles where it is appropriate and needed.
- Your license consumption is optimized as you only include privileges that users need.
Pathlock Cloud includes role management tools and powerful cross-application Separation of Duties analysis to help you implement durable custom roles aligned to your business processes. This makes it much easier to ensure compliance and maintain audit readiness.
Contact us today to find out more or schedule a demo.