A Midsummer Night’s Security Dream


#JDEINFOCUS

Cynthia Milenkovich, August 22, 2018


Leveraging a Best Practice JDE Security Model

Introductions

Our Cast of Characters

Act I, Scene i

Proof of Concept has begun


Overall Basic Requirements

• Ensure all users can access what they need

• Protect sensitive information

• Secure environment with “all doors closed”

• Application

• Action Code

• Data

• Establish appropriate controls using segregation of duties

• Keep security tables small

• Maximize return on time investment

• Expediting set up

• Minimizing future rework


Achieving your Objectives


POC Objectives – Left to Test?

• SOD Reporting – Include Mitigating Controls?

• Other Reporting

• General Maintenance

• Other

Take a Look?

General Walk Through

Basic Maintenance

Users & Roles

• Creating and Maintaining Users Faster in a Grid

• Identify and Remove Inactive Users

• Creating or Maintaining Roles Faster in a Grid

• Role Assignment

• Managing Multiple Role Issues

• User & Role Relationships Reporting

• User/Role Clean up

Security

• F00950 Faster Maintenance in a Grid

• Menu Filtering Concepts & Maintenance with Security

• Understanding and Implementing ‘Deny All’

• Security Clean up

Reporting

• Run ALLOut Access Reports

• Define SoD Rules in ALLOut

• Run ALLOut Segregation of Duties Reports

• ALLOut Mitigating Controls

• Apply Mitigating Controls to Users/Roles

• Business Unit Reporting

• ALLOut Access Auditing

Menus

• Creating and Maintaining Menus Faster in a Grid

Additional Areas We Could Schedule

Act I, Scene ii

What's in a Role?


Security Design

• Deny ALL

• Application, Action and Data

• Search and select applications

• UDCs, Media Objects, Applications ending in “S”

• Applications available to all users

• System Access - Work with Submitted Jobs

• Other – Address Book, Item Master

• Data that is Open (MCU called Open, master data)

*PUBLIC in a Closed System


Where to Start

• Determine Business Streams in Scope

• Break Down Areas within the Streams

Company A

Procure to Pay: Procurement, Accounts Payable, Receiving

Fixed Assets: Asset Transactions, Reporting

Inventory Mgmt: Inventory Transactions, Balance Management, MRP

Order to Cash: Sales Order, Accounts Receivable


Security Role Details


Detail The Processes in Areas

Procurement: PO Creation, PO Inquiry, Receiving, Vendor Set Up

Accounts Payable: Voucher Entry, Reporting, Accounting, Vendor Set Up


Strategies for Security Role Design

• Security Roles

• Application, Action Code, E1 Pages and Other Security Detail

• Job Functions

• Meaningful to Management

Receiving Manager: 1-Receiving, 2-PO Inquiry, 3-Manufacturing Basics, 4-Receiving Manager

Receive: 1-Receiving, 2-PO Inquiry, 3-Manufacturing Basics, 4-Inventory Basics

Department Manager: 2-PO Inquiry, 3-Manufacturing Basics, 5-GL Inquiry, 6-WO Exception Management


Task View Navigation


Graphical Methods of Accessing


Best Practice for Roles

• Achieve Best Practice

• Small Process Based Roles – “Users change – Processes Don’t”

• Security needs to be “Deny ALL, Grant Back”

• Role based security should be “Yes” settings at role level

• Sign on with “All Roles”

• Use role based menu filtering and/or E1 Pages for navigation

• Have separate roles for functional security and data security

• Application and action code security in functional role

• Data security (row and column security) in a separate role

• Allows for more flexibility and reusability when assigning roles to users

• Roles should not have Segregation of Duties conflicts within them

• Process based roles make it easier to achieve segregation of duties

• Role AP Manager will likely contain SoD breaches

• Resolve role sequencer/hierarchy conflicts within roles
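The “Deny ALL, Grant Back” model and the role-sequence point above, worked through in code. This is an added example, not part of the original deck and not ALLOut or Oracle code. The search order it uses (user records, then role records, then *PUBLIC; a specific program before *ALL at each level; among roles that disagree, the higher sequence number wins) is an assumption to check against your release. The role names, the user IDs, the program P0000S (a placeholder for a search & select program) and the sequence numbers are constructed; P0411 and P0457 are taken from the program lists later in the deck.

```python
"""Deny-all / grant-back resolution for JD Edwards-style application security.

Added example, not ALLOut or Oracle code. It models what a user who signs on
with *ALL roles can run when *PUBLIC carries a "No" record for *ALL and
process roles grant programs back with "Yes" records. The search order is
an assumption to verify against your release: user records first, then role
records, then *PUBLIC; within each, a specific program before *ALL; among
roles that disagree, the higher sequence number wins.
"""
from dataclasses import dataclass

PUBLIC = "*PUBLIC"
ALL = "*ALL"


@dataclass(frozen=True)
class AppSecurity:
    """One application-security row (field names are this example's own,
    not the F00950 column names)."""
    subject: str   # user ID, role name, or *PUBLIC
    program: str   # object name such as P0411, or *ALL
    run: bool      # True = "Yes" (grant), False = "No" (deny)


# Constructed sample data. P0000S stands in for a search & select program
# that should stay open to everyone; P4312 is a program none of the process
# roles grant, so it should come back denied.
RECORDS = [
    AppSecurity(PUBLIC, ALL, False),            # "all doors closed"
    AppSecurity(PUBLIC, "P0000S", True),        # search & select open to all users
    AppSecurity("VOUCHER_ENTRY", "P0411", True),
    AppSecurity("PAYMENTS", "P0457", True),
    AppSecurity("AP_MANAGER", ALL, True),       # the kind of role the slide warns against:
    AppSecurity("AP_MANAGER", "P0457", False),  # *ALL "Yes" mixed with a "No" record
]
SEQ = {"VOUCHER_ENTRY": 10, "PAYMENTS": 20, "AP_MANAGER": 30}


def resolve(records, user, roles, role_sequence, program):
    """Return (allowed, winning_record) for `user`, signed on with all of
    `roles`, trying to run `program`. Nothing matching means denied."""
    def find(subjects, obj):
        hits = [r for r in records if r.subject in subjects and r.program == obj]
        if not hits:
            return None
        # several roles may carry a record for the same object: highest sequence wins
        return max(hits, key=lambda r: role_sequence.get(r.subject, 0))

    for subjects in ({user}, set(roles), {PUBLIC}):
        for obj in (program, ALL):
            hit = find(subjects, obj)
            if hit is not None:
                return hit.run, hit
    return False, None


def effective_programs(records, user, roles, role_sequence, candidates):
    """The subset of `candidates` the user can actually run."""
    return sorted(p for p in candidates
                  if resolve(records, user, roles, role_sequence, p)[0])


def role_conflicts(records, roles):
    """Objects for which two of the user's roles disagree (one Yes, one No).
    With pure grant-back roles this list is empty and role sequence never
    decides an outcome; anything listed here is a sequencer/hierarchy
    conflict to resolve in the role design."""
    by_obj = {}
    for r in records:
        if r.subject in roles:
            side = "yes" if r.run else "no"
            by_obj.setdefault(r.program, {"yes": set(), "no": set()})[side].add(r.subject)
    return sorted((obj, sorted(v["yes"]), sorted(v["no"]))
                  for obj, v in by_obj.items() if v["yes"] and v["no"])


if __name__ == "__main__":
    clerk = {"VOUCHER_ENTRY", "PAYMENTS"}
    print(effective_programs(RECORDS, "USER1", clerk, SEQ, ["P0000S", "P0411", "P0457", "P4312"]))
    mixed = {"PAYMENTS", "AP_MANAGER"}
    print(resolve(RECORDS, "USER2", mixed, SEQ, "P0457")[0])                      # False: AP_MANAGER (seq 30) wins
    print(resolve(RECORDS, "USER2", mixed, dict(SEQ, AP_MANAGER=5), "P0457")[0])  # True: sequence flipped the answer
    print(role_conflicts(RECORDS, mixed))
```

The two-role clerk gets exactly the programs the process roles grant back plus the *PUBLIC search & select, and sequence numbers never enter into it. The moment a role mixes an *ALL “Yes” with a “No” record, the answer for P0457 depends on which role sorts higher, which is the conflict the last bullet asks you to design out rather than tune.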

Act I, Scene iii

The 1st Interruption


ALLOut Tools

Access Reporting

SOD Reporting

Audit Trail Report

SOD Locking

Change Control

Mitigating Controls

Requests & Approvals

Controlled Roles

Manage Unused Access

SecurityPlus

CombiRoles

ProfilePlus

MenuPlus

Risk Reporting

Risk Management

Act II, Scene i

Collecting Requirements for Redesign


Creating Rules

• Create the List (all programs that enable update to a process)

• Create SOD Rules

• Determine Rule Details

• Execute Reports

• Update Reporting Options as Desired

Take a Look?

SOD Reporting


Controls

• Create the Control

• Associate with a User or Role

• Determine What Rule or Rules it Relates to

• Decide How You Want it to Show in Reporting

Take a Look?

Mitigating Control

Act II, Scene ii

What light through yonder Grid doth Shine?


SODMaster – Best Practice Lists & Rules


Identify Critical Process & Apply SOD

If you use process roles, managing Segregation of Duties is possible by controlling role assignment alone: controlling access to programs within roles is unnecessary if the roles themselves only permit a single activity.

LIST04A: P041016, P041017, P0411, P0411SV, P0411Z1, R04110Z2, R04110ZA, R0411Z1, P042002

LIST04C: P0411S, P0457, P04572, P04572U, P04572W, R04570, R04803

Rule04A04C (LIST04A against LIST04C): User can create internal intent to make payment to a fictitious supplier, or to a valid supplier inappropriately, and approve payment to it.
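The lists and rule on this slide, together with the create-list / create-rule / attach-control steps from Act II, carried through in code. This is an added example, not part of the original deck and not ALLOut or Oracle code. The two program lists and the rule text come from the slide (LIST04A is read as the voucher-entry side and LIST04C as the payment side, following the order they appear in); the roles, the users and the link between control FIN003 and Rule04A04C are constructed for the example.

```python
"""Segregation-of-duties rule evaluation with mitigating controls.

Added example, not ALLOut or Oracle code. The two program lists and the rule
are the ones on the slide; the roles, users and the control-to-rule link are
constructed so the report has something to show.
"""

LISTS = {
    "LIST04A": {"P041016", "P041017", "P0411", "P0411SV", "P0411Z1",
                "R04110Z2", "R04110ZA", "R0411Z1", "P042002"},
    "LIST04C": {"P0411S", "P0457", "P04572", "P04572U", "P04572W",
                "R04570", "R04803"},
}

# rule id -> (list on one side, list on the other, risk statement)
RULES = {
    "Rule04A04C": ("LIST04A", "LIST04C",
                   "User can create internal intent to make payment to a fictitious "
                   "supplier, or to a valid supplier inappropriately, and approve "
                   "payment to it."),
}

# constructed roles: the first two are single-activity process roles,
# AP_MANAGER is the kind of role the deck says will contain SoD breaches
ROLES = {
    "VOUCHER_ENTRY": {"P0411", "P0411Z1", "R0411Z1"},
    "PAYMENTS": {"P0457", "P04572", "R04570"},
    "AP_MANAGER": {"P0411", "P0457", "P04572"},
}

USERS = {
    "ALICE": {"VOUCHER_ENTRY"},
    "BOB": {"PAYMENTS"},
    "CAROL": {"VOUCHER_ENTRY", "PAYMENTS"},   # breach created by role assignment
    "DAVE": {"AP_MANAGER"},                   # breach carried inside one role
}

# constructed: control id -> (description, rules it mitigates, users or roles it is attached to)
CONTROLS = {
    "FIN003": ("Reconcile To Bank Statement", {"Rule04A04C"}, {"CAROL"}),
}


def programs_for(subject_roles, roles=ROLES):
    """Flatten a set of roles into the programs they grant."""
    out = set()
    for role in subject_roles:
        out |= roles.get(role, set())
    return out


def rule_hits(programs, rule_id, lists=LISTS, rules=RULES):
    """Programs on each side of the rule that `programs` reaches.
    A breach needs at least one program on both sides."""
    side_a, side_b, _ = rules[rule_id]
    return sorted(programs & lists[side_a]), sorted(programs & lists[side_b])


def breached_rules(programs, rules=RULES, lists=LISTS):
    return sorted(rule_id for rule_id in rules
                  if all(rule_hits(programs, rule_id, lists, rules)))


def roles_with_internal_breach(roles=ROLES, rules=RULES):
    """Roles that breach a rule on their own. Process roles never appear here,
    which is what lets SoD be managed through role assignment alone."""
    return sorted(role for role, progs in roles.items() if breached_rules(progs, rules))


def check_assignment(user, new_role, users=USERS, roles=ROLES, rules=RULES):
    """Preventative check: rules that would be breached after adding `new_role`."""
    return breached_rules(programs_for(users.get(user, set()) | {new_role}, roles), rules)


def sod_report(users=USERS, roles=ROLES, rules=RULES, controls=CONTROLS):
    """One row per (user, rule) breach, marked mitigated when a control attached
    to the user or to one of the user's roles covers that rule."""
    rows = []
    for user, user_roles in sorted(users.items()):
        progs = programs_for(user_roles, roles)
        for rule_id in breached_rules(progs, rules):
            side_a, side_b = rule_hits(progs, rule_id, rules=rules)
            covering = sorted(cid for cid, (_, rule_ids, attached) in controls.items()
                              if rule_id in rule_ids and (user in attached or attached & user_roles))
            rows.append({"user": user, "rule": rule_id, "roles": sorted(user_roles),
                         "side_a": side_a, "side_b": side_b,
                         "status": "Mitigated by " + ", ".join(covering) if covering else "Open"})
    return rows


if __name__ == "__main__":
    print(roles_with_internal_breach())
    print(check_assignment("ALICE", "PAYMENTS"))
    for row in sod_report():
        print(row)
```

With single-activity roles the breach check collapses to the role assignment itself, so `check_assignment` can run as a warning or hard stop before a role is added; `roles_with_internal_breach` is the test that tells you whether a role such as AP_MANAGER has already broken that property.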


Suggested Controls

Control | Control Description | Control Group | Frequency | Active | Control Definition

FIN001 | Financial Statement Review | ACCOUNTING | M | Y | Income Statements and Balance Sheets are Reviewed by the Company Management.

FIN002 | Reconcile to Source System | RECONCILE | M | Y | Reconciliation with the Source Systems data.

FIN003 | Reconcile To Bank Statement | RECONCILE | M | Y | Bank Account Reconciliation to Monthly Bank Statements.

FIN004 | Review FA Disposals Report | ACCOUNTING | M | Y | A Report of Disposals is Reviewed and Confirmed Periodically.

FIN005 | Review FA Additions Report | ACCOUNTING | M | Y | A Report of Fixed Assets Additions is Reviewed and Confirmed Periodically.

FIN006 | Review Itm Ledger Cost Changes | ACCOUNTING | M | Y | A Report Showing Item Ledger Inventory Cost Changes is Reviewed on a Monthly and Yearly basis.

FIN007 | Review Journal Entries | ACCOUNTING | M | Y | All GL Journal Entries are Reviewed by a Third Party Before Posting.

FIN008 | Asset Master Update Segregated | ACCESS | | Y | Asset Master File is Created by a Third Responsible Person.

FIN009 | Review Inv. Revaluation JEs | ACCOUNTING | M | Y | Inventory Revaluation Journal Entries are Reviewed by an Authorized Person.

It’s All There

• Risks

• Controls

• Rules

• Lists

• Matrix Linked

Act III, Scene i (a week has passed)

Oh, brave new world that has such software in it!


Risk Reporting - Overview

System Access & Critical Process Access Reports

• Version/Form Sensitive

• User/Role Based

• Program Based

Segregation Of Duties Rules and Conflict Reports

• SOD Levels and Categories

• Environment Specific

Row Security Access Reports

• Business Unit

• Company Access

Distribution Lists

Output to Excel or PDF


Risk Management - Overview

Segregation Of Duties Rule & Breaches Reports

• Manual processes & external data from non-JDE Systems

• Mitigating Controls with Audit Trail and Documentation

• Solution Explorer Menu Access

Role Assignment Change Controls

• Preventative Segregation Of Duties - Warning or Hard Stop

• “Requests and Approvals”

• Audit Trail

• Controlled Roles

Security and Menu Change Controls

• SOD Validation & Approval before Promotion

• Optional Templates

Security History Audit Reporting

• Changes made through JDE (F9312)

• Optionally Include Changes made through ALLOut

Please complete a session evaluation

Session ID: 103550

Contact Info: info@alloutsecurity.com

Cynthia.Milenkovich@alloutsecurity.com

Tel: 323-617-3645


Who is the Quest Community?

A 55,000+ member user community for Oracle Cloud, JD Edwards and PeopleSoft customers.

What the Quest JD Edwards Community offers:

• Customized digital content

• Official JD Edwards newsletter

• Customer success stories

• Virtual and face-to-face events

• JD Edwards networking groups

Visit www.QuestDirect.org for more information!