Ch 7 Use and Care of Generic Logins in an Oracle E-Business Suite Environment

Upload: srinivas-ellendula

Post on 03-Jun-2018


  • 8/12/2019 Ch 7 Use and Care of Generic Logins in an Oracle E-Business Suite Environment

    Slide 1 of 38

    Use and Care of Generic Logins in an Oracle E-Business Suite Environment

    Presented by: Jeffrey T. Hare, CPA CISA CIA

  • Slide 2 of 38

    Webinar Logistics

    Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen

    The small window icon toggles between a windowed and full screen mode

    Ask questions throughout the presentation using the chat dialog

    Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A

    During the presentation, we will be conducting a number of polls; please take the time to respond to all those that are applicable

    CPE will only be given to those that answer at least 3 of the 4 polls

    2010 ERPS / ERPRA

  • Slide 3 of 38

    Presentation Agenda

    Overview:

    Introduction

    Audit Trail Overview

    Seeded Generic Users

    Custom Generic Users

    Other Recommendations

    Wrap Up

    Q&A

  • Slide 4 of 38

    Introductions: Jeffrey T. Hare, CPA CISA CIA

    Founder of ERP Seminars and Oracle User Best Practices Board

    Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment

    Frequent contributor to OAUG's Insight magazine

    Experience includes Big 4 audit, 6 years in CFO/Controller roles, both as auditor and auditee

    In Oracle applications space since 1998, both as client and consultant

    Founder of Internal Controls Repository, a public domain repository

    Author, Oracle E-Business Suite Controls: Application Security Best Practices

    Contributing author, Best Practices in Financial Risk Management

    Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine

  • Slide 5 of 38

    Poll 1: How confident are you that your generic accounts are all identified and proper monitoring has been put in place?

  • Slide 6 of 38

    Audit Trail Overview


  • Slide 7 of 38

    Audit Trail Overview

    Disconnect between application and database layers: you need to be concerned about application access as well as database access

    Audit trail is only kept where the application is built to do so

    Lack of "audit all" functionality to monitor privileged users

    Lack of detailed audit trail throughout the application

    In some cases, as is the case with HR, update versus correct

    Example: change(s) to columns in a table can cause confusion related to the changes made (Journal Sources example)

  • Slide 8 of 38

    Audit Trail Technologies

    Overview:

    Row Who / Alerts

    Sign On Audit

    Snapshot

    Log

    Triggers

  • Slide 9 of 38

    Audit Trail Technologies

    Row Who / Alerts

    What is it: Created by, creation date, last updated by, last updated date

    When it is useful: Monitoring things you don't expect to change (however, when it does)

    Within an audit period, creation date and last updated date

    Transaction monitoring (high volume): some continuous controls monitoring (CCM) requirements

  • Slide 10 of 38

    Audit Trail Technologies

    Sign On Audit

    What is it: Profile option SignOn:Audit Level set to Form

    When is it useful: Tracking user logins and use of professional forms; tracking logins of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure
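Two checks that go with this slide, added here as an example and not part of the webinar: the first reads the site-level value of the Sign-On:Audit Level profile option (internal name SIGNONAUDIT:LEVEL), the second lists the sessions Sign-On Audit recorded for the generic accounts the slide names. Assumes standard 11i/R12 FND tables; XXJOBSCHED and :days_back are placeholders you replace.

```sql
-- Added example (not from the webinar). Assumes standard EBS FND tables.

-- 1. Site-level value of the Sign-On:Audit Level profile option.
--    LEVEL_ID 10001 is the site level. Unless this is set to the Form
--    level the slide recommends, FND_LOGIN_RESPONSIBILITIES (used below)
--    and the form-level audit tables are never populated.
SELECT pot.user_profile_option_name,
       pov.profile_option_value,
       pov.last_update_date
  FROM fnd_profile_options        po
  JOIN fnd_profile_options_tl     pot
    ON pot.profile_option_name = po.profile_option_name
   AND pot.language            = USERENV('LANG')
  JOIN fnd_profile_option_values pov
    ON pov.profile_option_id = po.profile_option_id
   AND pov.application_id    = po.application_id
 WHERE po.profile_option_name = 'SIGNONAUDIT:LEVEL'
   AND pov.level_id = 10001;

-- 2. Sessions of the generic accounts in the last :days_back days, with
--    the responsibility each session switched into. Reconcile these rows
--    against the manual usage log the webinar asks you to keep.
--    XXJOBSCHED is a placeholder for your own job-scheduling login.
SELECT u.user_name,
       l.login_id,
       l.start_time,
       l.end_time,
       l.terminal_id,
       rt.responsibility_name,
       lr.start_time AS resp_start_time
  FROM fnd_logins l
  JOIN fnd_user u
    ON u.user_id = l.user_id
  LEFT JOIN fnd_login_responsibilities lr
    ON lr.login_id = l.login_id
  LEFT JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = lr.responsibility_id
   AND rt.application_id    = lr.resp_appl_id
   AND rt.language          = USERENV('LANG')
 WHERE u.user_name IN ('SYSADMIN', 'GUEST', 'XXJOBSCHED')
   AND l.start_time >= SYSDATE - :days_back
 ORDER BY l.start_time DESC, lr.start_time;
```

A GUEST row in the second query is itself a finding, since the Guest slide later in the deck states that nobody can log in as GUEST.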

  • Slide 11 of 38

    Audit Trail Technologies

    Snapshot

    What is it: Comparison of Row Who information between instances or between two points in time (prod versus 12/31 version)

    When is it useful: Identifying when something is changed that you wouldn't expect

    When comparisons are pre-mapped, such as tools that compare objects between instances or versions

    Application support to identify when there is a configuration change (i.e. what broke the process)

  • Slide 12 of 38

    Audit Trail Technologies

    Logs

    What are they: Various types of incremental data; could be traffic flowing across the network or technology inherent to the database (redo, or for mirroring)

    When are they useful: High volume transaction tables; can be used for all audits, but may have limitations

  • Slide 13 of 38

    Audit Trail Technologies

    Triggers

    What are they: Core database technology; used by the System Administrator audit trail

    Advanced software packages: May allow metadata to be mapped; usually have a central repository for easier reporting and data management; may allow for alerting of information

    When are they useful: Setups (key control configurations), Master Data, Security, Development; SQL Forms

  • Slide 14 of 38

    Audit Trail Technologies

    See the full webinar "Building an Audit Trail in an Oracle E-Business Suite Environment" at:

    http://www.erpseminars.com/WebinarAccessForm.html

  • Slide 15 of 38

    Seeded Generic Users


  • Slide 16 of 38

    Seeded Generic Users

    Sources: 11i: Metalink Note 189367.1; R12: Metalink Note 403537.1; ERP Seminars Internal Controls Repository (end users only)

    SQL: users w/o employee assigned

    Stale users (users not logged in recently)

  • Slide 17 of 38

    Seeded Generic Users

    Known Seeded Generic Users: 'GUEST', 'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM', 'ASGUEST', 'AUTOINSTALL', 'BOL-OPS', 'BOL-SETUP', 'BOL-SUPPORT', 'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'IBE_ADMIN', 'IBE_GUEST', 'IBEGUEST', 'IEXADMIN', 'INITIALSETUP', 'IRC_EMP_GUEST', 'IRC_EXT_GUEST', 'MOBILEADM', 'MOBADM', 'MOBDEV', 'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO', 'STANDALONE BATCH PROCESS', 'SYSADMIN', 'WIZARD', 'XML_USER'

  • Slide 18 of 38

    Seeded Generic Users

    Sample SQL Statement: Users w/o employee logins assigned

    Purpose: Identify possible consultants or generic users

    SELECT user_name, start_date, end_date
      FROM fnd_user
     WHERE end_date IS NULL AND employee_id IS NULL;
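An extension of the slide's query, added here as an example and not the webinar's own SQL: it keeps the "no employee" test, tags the seeded names listed on the previous slide, and adds the stale-user test the Sources slide mentions. It goes slightly beyond the original by treating a future end date as still active; :stale_days is a bind variable you supply.

```sql
-- Added example (not from the webinar). Assumes the standard FND_USER
-- columns EMPLOYEE_ID, END_DATE and LAST_LOGON_DATE; :stale_days is a
-- bind variable (e.g. 90).
SELECT u.user_name,
       u.start_date,
       u.end_date,
       u.last_logon_date,
       CASE
         WHEN u.user_name IN (
              'GUEST','AME_INVALID_APPROVER','ANONYMOUS','APPSMGR','ASGADM',
              'ASGUEST','AUTOINSTALL','BOL-OPS','BOL-SETUP','BOL-SUPPORT',
              'CONCURRENT MANAGER','FEEDER SYSTEM','IBE_ADMIN','IBE_GUEST',
              'IBEGUEST','IEXADMIN','INITIALSETUP','IRC_EMP_GUEST',
              'IRC_EXT_GUEST','MOBILEADM','MOBADM','MOBDEV',
              'OP_CUST_CARE_ADMIN','OP_SYSADMIN','PORTAL30','PORTAL30_SSO',
              'STANDALONE BATCH PROCESS','SYSADMIN','WIZARD','XML_USER')
              THEN 'SEEDED'            -- list from the Known Seeded Users slide
         WHEN u.employee_id IS NULL
              THEN 'NO EMPLOYEE'       -- consultant or custom generic login
         ELSE      'NAMED'
       END AS user_class,
       CASE
         WHEN u.last_logon_date IS NULL
           OR u.last_logon_date < SYSDATE - :stale_days
              THEN 'STALE' ELSE 'RECENT'
       END AS login_status
  FROM fnd_user u
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)  -- can still log in
   AND (u.employee_id IS NULL                         -- generic/consultant
        OR u.last_logon_date IS NULL                  -- never logged in
        OR u.last_logon_date < SYSDATE - :stale_days) -- or simply stale
 ORDER BY user_class, login_status, u.user_name;
```

Rows tagged SEEDED that are not GUEST or SYSADMIN are candidates for end-dating after testing, as the next slide recommends; STALE named users are the stale-user finding.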

  • Slide 19 of 38

    Seeded Generic Users

    Disposition of seeded users: End date, where possible, depending on the applications being used

    Test, test, test

    Do not end date GUEST or SYSADMIN

    Monitor activity of GUEST and SYSADMIN

  • Slide 20 of 38

    Seeded Generic User Accounts

    For SysAdmin: Assign only the System Administrator responsibility and the User Management role to the SYSADMIN login. If there are any other responsibilities or roles, they should be end-dated.

    Review the active assigned responsibilities at least monthly or, preferably, develop an alert or detailed audit trail (log or trigger based) to monitor the assignment of new responsibilities and roles, or the removal of end dates on disabled responsibilities or roles.

    Require the use of the SYSADMIN login to be manually logged each time it is used.

    Establish a policy or develop security standards so that the owner of the SYSADMIN login understands the SYSADMIN login should be used only when it is absolutely required by Oracle.

  • Slide 21 of 38

    Seeded Generic User Accounts

    For SysAdmin: Treat the SYSADMIN password similarly to Apps: one person (or small group) should know the password, and the password should be sealed in an envelope and held securely by an IT manager.

    Reset the SYSADMIN password according to a corporate password reset policy (I have seen some clients not reset their SYSADMIN password). Note that even if the password expires, the SYSADMIN login is still active.

    Most importantly, NEVER end date the SYSADMIN login, as it is needed internally in many places. End-dating the SYSADMIN login may shut down your system or certain processes within your system (i.e. workflow processes).

  • Slide 22 of 38

    Seeded Generic User Accounts

    For SysAdmin: Anything that can be performed using a named login and the System Administrator responsibility should NEVER be done using the SYSADMIN login.

  • Slide 23 of 38

    Seeded Generic User Accounts

    For Guest: Cannot log in as GUEST

    No responsibilities need be assigned

    Similar monitoring to SYSADMIN

    Follow Metalink Note 443353.1 for maintenance of the GUEST password
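Added example (not from the webinar) for the monitoring the SYSADMIN and GUEST slides ask for: the active responsibilities on the two accounts beyond what the slides allow, and failed login attempts against them (the wrap-up's "monitor unsuccessful logins"). Assumes the FND_USER_RESP_GROUPS view and the FND_UNSUCCESSFUL_LOGINS table; :days_back is a bind variable.

```sql
-- Added example (not from the webinar). Assumes standard EBS FND tables.

-- 1. Responsibilities currently assigned to SYSADMIN or GUEST. Per the
--    slides SYSADMIN should carry only System Administrator and GUEST
--    nothing at all, so every row returned is a finding. UMX roles are
--    stored separately and need their own review.
SELECT u.user_name,
       rt.responsibility_name,
       urg.start_date,
       urg.end_date
  FROM fnd_user u
  JOIN fnd_user_resp_groups urg
    ON urg.user_id = u.user_id
  JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = urg.responsibility_id
   AND rt.application_id    = urg.responsibility_application_id
   AND rt.language          = USERENV('LANG')
 WHERE u.user_name IN ('SYSADMIN', 'GUEST')
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)   -- still active
   AND NOT (u.user_name = 'SYSADMIN'
            AND rt.responsibility_name = 'System Administrator')
 ORDER BY u.user_name, rt.responsibility_name;

-- 2. Failed login attempts against the same accounts, one row per
--    account and day. A burst against a sealed-envelope account, or any
--    attempt at all against GUEST, is worth investigating.
SELECT ul.user_name,
       TRUNC(ul.attempt_time) AS attempt_day,
       COUNT(*)               AS attempts,
       MIN(ul.attempt_time)   AS first_attempt,
       MAX(ul.attempt_time)   AS last_attempt
  FROM fnd_unsuccessful_logins ul
 WHERE ul.user_name IN ('SYSADMIN', 'GUEST')
   AND ul.attempt_time >= SYSDATE - :days_back
 GROUP BY ul.user_name, TRUNC(ul.attempt_time)
 ORDER BY ul.user_name, attempt_day;
```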

  • Slide 24 of 38

    Poll 2: Which statement best represents my organization's disposition of seeded generic logins?

  • Slide 25 of 38

    Custom Generic Users


  • Slide 26 of 38

    Custom Generic Users

    Job Scheduling user: The only responsibility granted to the user should be a job scheduling responsibility with a single function, Requests: Submit, assigned to the menu. No other functions are to be granted, particularly any functions that update data or allow access to sensitive data. If support users need access to other forms, they should access those forms through their own named login and Support responsibilities designed for supporting the applications.

  • Slide 27 of 38

    Custom Generic Users

    Job Scheduling user: Review the active assigned responsibilities no less frequently than monthly to make sure no other responsibilities have been assigned to this login. If the person(s) responsible for maintaining this login also has access to the System Administrator responsibility, consider developing an Alert or detailed audit trail to monitor for new responsibilities or roles being assigned, or for assigned responsibilities or roles having their end date removed.

  • Slide 28 of 38

    Custom Generic Users

    Job Scheduling user: Narrowly define the requests and reports that this responsibility can use, so that it can only schedule jobs. No reports with sensitive data should be contained in the request group.

    Changes to security related to this login should be required to go through the Change Management process. This would include changes to the responsibility definition, the underlying menu, and the request group.
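Added example (not the webinar's own code) for auditing a job-scheduling responsibility as the three slides above describe: every function reachable through its menu tree, then the contents of its request group. Assumes standard FND tables and a bind variable :resp_name holding the responsibility's display name; menu exclusions held in FND_RESP_FUNCTIONS are not applied here.

```sql
-- Added example (not from the webinar). Assumes standard EBS FND tables;
-- :resp_name is a bind variable holding the responsibility's display name.

-- 1. Every function reachable from the responsibility's menu, walking
--    sub-menus. The slides expect exactly one row: "Requests: Submit".
--    Outer joins keep the sub-menu rows (function_id IS NULL) alive for
--    the CONNECT BY walk; the non-join predicate drops them afterwards.
SELECT LEVEL                  AS menu_depth,
       me.entry_sequence,
       me.grant_flag,          -- 'N' = on the menu but not granted
       fft.user_function_name,
       ff.function_name
  FROM fnd_menu_entries me, fnd_form_functions ff, fnd_form_functions_tl fft
 WHERE ff.function_id(+)  = me.function_id
   AND fft.function_id(+) = me.function_id
   AND fft.language(+)    = USERENV('LANG')
   AND me.function_id IS NOT NULL
 START WITH me.menu_id = (SELECT menu_id
                            FROM fnd_responsibility_vl
                           WHERE responsibility_name = :resp_name)
CONNECT BY PRIOR me.sub_menu_id = me.menu_id
 ORDER SIBLINGS BY me.entry_sequence;

-- 2. What the responsibility's request group lets the login run. Only
--    the scheduling jobs belong here; unit types other than 'P' (a whole
--    application 'A', or a request set 'S') grant far more than one
--    program and are flagged for review.
SELECT rg.request_group_name,
       rgu.request_unit_type,
       CASE rgu.request_unit_type
            WHEN 'P' THEN cpt.user_concurrent_program_name
            WHEN 'S' THEN 'REQUEST SET - review its programs'
            WHEN 'A' THEN 'ENTIRE APPLICATION - too broad'
       END                     AS unit_name
  FROM fnd_responsibility_vl r
  JOIN fnd_request_groups rg
    ON rg.request_group_id = r.request_group_id
   AND rg.application_id   = r.group_application_id
  JOIN fnd_request_group_units rgu
    ON rgu.request_group_id = rg.request_group_id
   AND rgu.application_id   = rg.application_id
  LEFT JOIN fnd_concurrent_programs_tl cpt
    ON rgu.request_unit_type     = 'P'
   AND cpt.concurrent_program_id = rgu.request_unit_id
   AND cpt.application_id        = rgu.unit_application_id
   AND cpt.language              = USERENV('LANG')
 WHERE r.responsibility_name = :resp_name
 ORDER BY rgu.request_unit_type, unit_name;
```

Keep a copy of both result sets with the change record, so the monthly review the slides call for is a diff against the approved baseline rather than a fresh judgement each time.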

  • Slide 29 of 38

    Other Recommendations


  • Slide 30 of 38

    Other Recommendations

    11i Password Decryption Risk

    Even for those users that are end-dated, make sure you change the password from the default password to avoid the decryption risk outlined in Integrigy's white paper "Oracle Applications 11i Password Decryption". Find out more at www.integrigy.com or email me for a copy of the white paper.

  • Slide 31 of 38

    Poll 3: The recommendations outlined in this webinar are consistent with current internal and external audit recommendations.

  • Slide 32 of 38

    Wrap Up


  • Slide 33 of 38

    Wrap Up

    Recap: The following is a recap of the recommendations:

    Monitor unsuccessful logins

    Set up SignOn Audit

    Monitor security changes: requires a log or trigger-based auditing mechanism for activity in user assignments (roles and responsibilities), menus, request groups, and roles

    End-date those logins not needed (after thorough testing)

    Assign accountability for those that need to remain active

    Have users log activity and review actual activity versus sign-on audit reports

    Policies, standards, and procedures should reflect use of generic logins (seeded and custom)

  • Slide 34 of 38

    ERP Risk Advisors Services

    Free one-hour consultation

    On-site seminars (1 - 2 days) custom tailored to your company's needs, as well as various web-based seminars

    RFP / RFI management for Oracle-related GRC software

    SOD / UAC third party software projects / remediation

    GRC software implementation

    Security and internal controls design and implementation for pre- and post-implementation

    Pre-defined level I and level II assessment services; see: http://www.erpseminars.com/Services.html

  • Slide 35 of 38

    Q & A


  • Slide 36 of 38

    Poll 4: I'd like to follow up this webinar with:

  • Slide 37 of 38

    Contact Information

    Jeffrey T. Hare, CPA CISA CIA

    Cell: 970-324-1450

    Office: 970-785-6455

    E-mail: [email protected]

    Websites: www.erpseminars.com, www.oubpb.com

    Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox

    Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/

  • Slide 38 of 38

    Best Practices Caveat

    The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.