Fun with Roles and Responsibilities in the Cloud

When planning an implementation, most of our clients struggle to assign their users the right roles and responsibilities. Security administrators constantly walk a tightrope between granting too much access to key functions within the application and granting too little. Too much access lets users break generally accepted separation-of-duties rules, which can lead to fraud or exposure of sensitive information. Too little access creates communication overhead between departments and individuals as they try to gather the data they need to do their jobs.

Stated that plainly, the problem is easy to see. Large systems like Oracle ERP Cloud have thousands of tasks, roles and privileges with a myriad of overlapping capabilities, and those overlaps are where separation of duties (SOD) conflicts arise: two roles that are each acceptable on their own can combine into a conflicting set of privileges. If you are also subject to SOX compliance or similar legislation, there are further considerations to be aware of that complicate the process.

Let’s discuss the pros and cons of access security as offered by Oracle ERP Cloud, a leader in the cloud computing arena. Oracle ERP Cloud uses role-based access control (RBAC): access to functions and data is defined at the role level rather than at the user level. This is the most efficient way to manage security, especially in large organizations that need to scale, because a role is maintained once and assigned to every user who performs the same job, which reduces the administrator’s effort. The flip side is that any mistake in a role definition is inherited by every user assigned that role, so the quality of the role definitions matters more than the quality of any individual assignment.

Three role types are available:

  • Job/Function Roles – what users with a particular job can do; e.g. financial analysts, accounts payable managers, etc.
  • Data Roles – which set of data a user can access, such as US vs. EU operations. Access can be restricted to specific organizations or granted across all organizations, depending on the requirement.
  • Common Roles – shared functionality that is not job-specific, such as self-service HR forms and expense reporting, since both managers and employees need access to functions like timesheet submission and expense reporting.

Within the Oracle Financials Cloud module, for example, several common job roles come “out of the box.” These Seeded Roles can be used as delivered or modified to suit your business, or you can create new roles from scratch. Think of General Ledger Manager or Accounts Payable Specialist as typical job roles.

The advantages of using Seeded Roles are very much in line with the benefits that Oracle promotes for adopting ERP Cloud:

  • Faster time to value, with pre-defined roles that can be provisioned with minimal setup.
  • Reduced operational security administration costs from using standardized roles.
  • Standard Seeded Roles exist in all Oracle ERP Cloud products, so consistency and integration are built in.

But when you dig deeper and consider SOD and SOX compliance, the disadvantages of using the Seeded Roles come to light.

Standardization brings many benefits, but, as always, there’s a downside. Oracle assumes that the Seeded Roles will fit your organization with very little customization, and that the pre-defined Oracle Cloud SOD policies used to design the seeded roles will adequately test the risks in your business. Oracle states that the duty definitions in seeded roles were defined using its best-practices approach, but those best-practice policies have not been documented and are not available for general user review. With the SOD policies unavailable, and no easy means of reporting on SOD violations, users are left in the dark about whether their security is suitable. As experienced security implementers, we know that this is often the case.
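The two problems above, overlapping role hierarchies and no easy way to report SOD violations, are mechanical enough to check with a small script once you have exported the role-to-role inheritance, the privileges each role grants, and a written list of conflicting privilege pairs. The example below is an added illustration, not code from the original post, from Oracle or from CTR/AST. The role and privilege names, the inheritance graph and the SOD rules are all constructed for this example and do not reproduce Oracle’s actual catalogue or its undocumented policies; in practice you would load them from your own tenant’s security reports and your auditors’ SOD matrix.

```python
from collections import deque

# Constructed sample data (illustrative names, not Oracle's real role or
# privilege catalogue). A job role inherits duty roles; the duty roles carry
# the privileges. This mirrors the nesting the post describes but is made up.
ROLE_INHERITS = {
    "Accounts Payable Manager": {
        "Supplier Maintenance Duty",
        "Invoice Processing Duty",
        "Payment Approval Duty",
    },
    "Accounts Payable Specialist": {"Invoice Processing Duty"},
    "Supplier Administrator": {"Supplier Maintenance Duty"},
    "Supplier Maintenance Duty": set(),
    "Invoice Processing Duty": set(),
    "Payment Approval Duty": set(),
}

ROLE_PRIVILEGES = {
    "Supplier Maintenance Duty": {"Create Supplier", "Edit Supplier Bank Account"},
    "Invoice Processing Duty": {"Create Payables Invoice", "Validate Payables Invoice"},
    "Payment Approval Duty": {"Approve Payment"},
}

# Constructed SOD policy: pairs of privileges one person must not hold together,
# with the fraud scenario each pair enables.
SOD_RULES = [
    ("Create Supplier", "Create Payables Invoice", "fictitious-vendor fraud"),
    ("Edit Supplier Bank Account", "Approve Payment", "payment redirection"),
    ("Create Payables Invoice", "Approve Payment", "self-approved payments"),
]


def privilege_sources(role):
    """Map every privilege reachable from `role` to the roles that grant it.

    Walks the inheritance graph breadth-first. The `seen` set protects against
    cycles in a badly maintained hierarchy, which would otherwise loop forever.
    """
    sources = {}
    seen = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for priv in ROLE_PRIVILEGES.get(current, ()):
            sources.setdefault(priv, set()).add(current)
        for parent in ROLE_INHERITS.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sources


def effective_privileges(role):
    """Flattened set of privileges a single role grants through all inheritance."""
    return set(privilege_sources(role))


def user_privilege_sources(user_roles):
    """Union of privilege sources across every role assigned to one user."""
    merged = {}
    for role in user_roles:
        for priv, roles in privilege_sources(role).items():
            merged.setdefault(priv, set()).update(roles)
    return merged


def find_violations(user_roles):
    """Return each SOD rule the user's combined roles violate.

    Each violation records which roles contribute each side of the conflict,
    which is what an auditor needs in order to decide which role to remediate.
    """
    held = user_privilege_sources(user_roles)
    violations = []
    for left, right, risk in SOD_RULES:
        if left in held and right in held:
            violations.append({
                "risk": risk,
                "privileges": (left, right),
                "granted_by": (sorted(held[left]), sorted(held[right])),
            })
    return violations


def report(assignments):
    """assignments: {user: [roles]} -> {user: violations}, violators only."""
    result = {}
    for user, roles in assignments.items():
        found = find_violations(roles)
        if found:
            result[user] = found
    return result


if __name__ == "__main__":
    # Constructed user population: carol's two roles are each clean on their own
    # but conflict in combination; dave's single seeded-style role conflicts by itself.
    sample = {
        "alice": ["Accounts Payable Specialist"],
        "bob": ["Supplier Administrator"],
        "carol": ["Accounts Payable Specialist", "Supplier Administrator"],
        "dave": ["Accounts Payable Manager"],
    }
    for user, found in report(sample).items():
        for v in found:
            print(f"{user}: {v['risk']} via {v['privileges']} granted by {v['granted_by']}")
```

Two things this surfaces that a per-role review misses: a single broad role can violate a rule on its own (the manager role here holds all three conflicting pairs), and two individually clean roles can combine into a violation once both are assigned to one person. Because the check works on the flattened privilege set rather than on role names, it still catches conflicts that are hidden several levels down an inheritance chain, which is exactly where overlaps in a large catalogue tend to live.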

Short of purchasing expensive risk and compliance software that includes detailed audits of SOD violations, an alternative is to work with experienced implementers who have built hybrid roles that satisfy internal and external auditor requirements as well as SOX compliance reviews. Hybrid roles start from the seeded Oracle roles and modify them to reflect “normal” business requirements. Since few companies are one-size-fits-all, the roles can be tailored further by working through a series of questions that address specific considerations.

This post was originally published by CTR. CTR was acquired by AST in January 2023. 
