Access review or recertification is an IT General Control procedure that involves auditing all user access roles, privileges, and combinations of roles to determine if they are correct and adhere to the organization’s internal policies and compliance regulations. Most organizations only perform this audit of user access once a year, although some may review their highly privileged user accounts more frequently. From a compliance point of view, it is critical for organizations to provide JD Edwards users with the least amount of access required to perform their tasks and to ensure that existing roles do not create conflicts that could lead to fraud or financial misinformation. This makes access reviews a key activity to mitigate risk, prevent fraud, and meet compliance requirements.
Most business applications have a role-based access control (RBAC) security model to assign roles and authorizations. However, JD Edwards user roles pose a specific problem when it comes to access reviews. Within JD Edwards (JDE), multiple roles assigned to a single user can be viewed in the “sequence manager.” But there is a known issue associated with this.
The permissions of roles higher in the sequence take priority over the permissions of roles lower in the sequence. Unfortunately, this means JD Edwards customers can end up with unexpected access results when granting multiple JDE roles to a user. This is one of the many RBAC issues that necessitate a third-party security solution to assist in managing this type of “inherited permission risk.”
The assignment of multiple roles in any business application requires thorough testing to effectively manage the inherited permission risks. Unfortunately, most business applications, including JD Edwards, lack effective access testing across multiple roles. Periodic access reviews help identify such roles and provide business managers with the necessary information to de-provision or segregate users to mitigate risk and prevent fraud.
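The sequence-precedence behavior and the multi-role testing gap described above can be illustrated with a small check. This is an added example, not code from JD Edwards or Pathlock: the role names, object names, and the allow/deny data model are constructed, and it assumes a simplified rule in which the first role in the sequence with an explicit setting for an object decides the result.

```python
# Simplified, hypothetical model of role-sequence precedence for an access review.
# Constructed sample data: True = explicit allow, False = explicit deny.
# An object missing from a role means that role has no setting for it.
ROLE_SETTINGS = {
    "AP_CLERK":   {"VOUCHER_ENTRY": True, "PAYMENT_RUN": False},
    "AP_MANAGER": {"PAYMENT_RUN": True, "SUPPLIER_MASTER": True},
    "AUDITOR":    {"VOUCHER_ENTRY": False, "SUPPLIER_MASTER": False},
}


def effective_access(sequence, role_settings):
    """Resolve access per object; `sequence` lists roles highest priority first.

    Returns {object: (allowed, deciding_role)}.
    """
    result = {}
    for role in sequence:
        for obj, allowed in role_settings[role].items():
            # The first (highest) role with an explicit setting wins.
            result.setdefault(obj, (allowed, role))
    return result


def overridden_denials(sequence, role_settings):
    """List (object, denying_role, overriding_role) where a deny in a lower
    role is masked by an allow in a higher role: the inherited permission
    risk a reviewer needs to see."""
    effective = effective_access(sequence, role_settings)
    findings = []
    for role in sequence:
        for obj, allowed in role_settings[role].items():
            eff_allowed, decider = effective[obj]
            if not allowed and eff_allowed and decider != role:
                findings.append((obj, role, decider))
    return sorted(findings)


if __name__ == "__main__":
    for order in (["AP_MANAGER", "AP_CLERK", "AUDITOR"],
                  ["AUDITOR", "AP_CLERK", "AP_MANAGER"]):
        print(order)
        for finding in overridden_denials(order, ROLE_SETTINGS):
            print("  deny masked:", finding)
```

Running it with the two orderings shows that the same three roles produce three masked denials in one sequence and none in the other, which is why the sequence itself belongs in the review evidence.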
While most organizations conduct access reviews at least once a year, it is usually a time-consuming manual process where security and compliance teams have to constantly initiate the process and continuously follow up with the business manager to fill in their review sheets. At the end of the review, business managers have to wade through volumes of unintelligible data and try to get any meaningful information to sign it off.
However, an automated access review solution can take away a majority of the manual work required to administer the reviews and provide data in organized reports that are easy to comprehend and draw insights from. Some of the benefits of deploying an automated review solution include:
Easy to Execute: Automation simplifies and accelerates the review process and provides accurate, intelligible information. Once you identify the business owners who are responsible for carrying out the reviews and set them up as approvers, they can be automatically notified when a review has been initiated, and they will be required to review all the items that affect their role(s).
Maintains Audit Trail: JD Edwards users can accept or reject the changes and provide an explanation for their decision within the review tool. This ensures that a complete audit trail is maintained, showing who approved/rejected what and when. Users can also use filters to check which reviews are pending and complete them on time.
Reports to Satisfy Auditors: Instead of maintaining data on spreadsheets, which makes it extremely difficult for internal and external auditors to check for compliance violations, an automated solution shows complete information, including current and previous values and who approved them. This helps you quickly access the required information and provide answers to external auditors.
Pathlock helps organizations consolidate the access review process for all their business systems into one centralized point. This ensures consistent performance across all business applications to increase efficiency and lower your costs. Pathlock’s automated access review solution enables you to produce review reports with the touch of a button and present business managers with clear information that they can easily understand and review. The solution also captures data on approvals, rejections, and explanatory notes directly into your JD Edwards system, allowing you to quickly and easily produce evidence for your auditors whenever needed.
Download the Pathlock Periodic Access Review Data Sheet to learn how you can save time, effort, and cost by automating your JD Edwards user access reviews.