Post on 30-Jan-2018
Use and Care of Generic Logins in an Oracle E-
Business Suite Environment
Presented by:
Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics
Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
The small window icon toggles between a windowed and full screen mode
Ask questions throughout the presentation using the chat dialog
Questions will be reviewed and answered at the end of the presentation; I’ll open the lines for interactive Q&A
During the presentation, we will be conducting a number of polls, please take the time to respond to all those that are applicable
CPE will only be given to those that answer at least 3 of the 4 polls
© 2010 ERPS / ERPRA
Presentation Agenda
Overview:
Introduction
Audit Trail Overview
Seeded Generic Users
Custom Generic Users
Other Recommendations
Wrap Up
Q&A
Introductions
Jeffrey T. Hare, CPA CISA CIA
•Founder of ERP Seminars and Oracle User Best Practices Board
•Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
•Frequent contributor to OAUG's Insight magazine
•Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
•In Oracle applications space since 1998 – both as client and consultant
•Founder of Internal Controls Repository – public domain repository
•Author of Oracle E-Business Suite Controls: Application Security Best Practices
•Contributing author of Best Practices in Financial Risk Management
•Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine
Poll 1: How confident are you that your generic accounts are all identified and proper monitoring has been put in place?
Audit Trail Overview
•Disconnect between application and database layers
•Need to be concerned about application access as well as database access
•Audit trail only kept where application is built to do so
•Lack of "audit all" functionality to monitor privileged users
•Lack of detailed audit trail throughout the application
•In some cases, as is the case with HR, the distinction between update and correct
•Example: change(s) to columns in a table can cause confusion about which changes were made – Journal Sources example
Audit Trail Technologies
Overview:
•Row Who / Alerts
•Sign On Audit
•Snapshot
•Log
•Triggers
Audit Trail Technologies
Row Who / Alerts
•What is it: created by, creation date, last updated by, last updated date
•When is it useful:
•Monitoring things you don't expect to change (however, when it does…)
•Within an audit period, creation date and last updated date
•Transaction monitoring (high volume) – some continuous controls monitoring (CCM) requirements
Audit Trail Technologies
Sign On Audit
•What is it: profile option "SignOn:Audit Level" – set to Form
•When is it useful:
•Tracking user logins and use of professional forms
•Tracking login of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure
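As an added example (not part of the presentation and not the author's code): once "SignOn:Audit Level" is set to Form, the FND_LOGINS, FND_LOGIN_RESPONSIBILITIES and FND_LOGIN_RESP_FORMS tables record each session, the responsibilities chosen and the forms opened. The first query below lists that activity for the generic logins so it can be compared with the manual usage log the later slides require; the second pulls failed attempts from FND_UNSUCCESSFUL_LOGINS. The table and column names are the standard FND names as assumed here; XX_JOB_SCHEDULER is a placeholder for a site's custom job scheduling login, and the 30-day window is an assumed review period.

```sql
-- Added example, not from the presentation. Assumes standard EBS FND tables
-- and that SignOn:Audit Level = Form (otherwise the responsibility/form rows
-- are empty). XX_JOB_SCHEDULER is a placeholder custom login name.
-- GUEST is included because it should never have an interactive session:
-- any row for it is an exception in its own right.
SELECT u.user_name,
       l.login_id,
       l.start_time                  AS login_time,
       l.end_time                    AS logout_time,
       l.terminal_id,
       r.responsibility_name,
       f.user_form_name,
       lrf.start_time                AS form_opened
  FROM fnd_user u
  JOIN fnd_logins l
       ON l.user_id = u.user_id
  LEFT JOIN fnd_login_responsibilities lr
       ON lr.login_id = l.login_id
  LEFT JOIN fnd_responsibility_tl r
       ON r.responsibility_id = lr.responsibility_id
      AND r.application_id    = lr.resp_appl_id
      AND r.language          = USERENV('LANG')
  LEFT JOIN fnd_login_resp_forms lrf
       ON lrf.login_id      = lr.login_id
      AND lrf.login_resp_id = lr.login_resp_id
  LEFT JOIN fnd_form_tl f
       ON f.form_id        = lrf.form_id
      AND f.application_id = lrf.form_appl_id
      AND f.language       = USERENV('LANG')
 WHERE u.user_name IN ('SYSADMIN', 'GUEST', 'XX_JOB_SCHEDULER')
   AND l.start_time >= SYSDATE - 30            -- assumed review window
 ORDER BY u.user_name, l.start_time, lrf.start_time;

-- Failed attempts against the same accounts ("Monitor unsuccessful logins"
-- in the wrap-up). A burst of failures against a sealed-envelope account is
-- something nobody should be causing.
SELECT user_name, attempt_time, terminal_id
  FROM fnd_unsuccessful_logins
 WHERE user_name IN ('SYSADMIN', 'GUEST', 'XX_JOB_SCHEDULER')
   AND attempt_time >= SYSDATE - 30
 ORDER BY attempt_time DESC;
```

Each login_id in the first result should match an entry in the manual SYSADMIN usage log; sessions with no matching entry, or forms outside the System Administrator responsibility, are the exceptions to follow up. Sign On Audit records professional (Forms) sessions; self-service (OA Framework) activity needs a separate source.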
Audit Trail Technologies
Snapshot
•What is it: comparison of Row Who information between instances or between two points in time (prod versus 12/31 version)
•When is it useful:
•Identifying when something is changed that you wouldn't expect
•When comparisons are pre-mapped, such as tools that compare objects between instances or versions
•Application support to identify when there is a configuration change (i.e. what broke the process)
Audit Trail Technologies
Logs
•What are they: various types of incremental data
•Could be traffic flowing across the network or technology inherent to the database (redo, or for mirroring)
•When are they useful:
•High volume transaction tables
•Can be used for all audits, but may have limitations
Audit Trail Technologies
Triggers
•What are they:
•Core database technology
•Used by the System Administrator audit trail
•Advanced software packages:
•May allow metadata to be mapped
•Usually have a central repository for easier reporting and data management
•May allow for alerting of information
•When are they useful:
•Setups (key control configurations), Master Data, Security, Development; SQL Forms
Audit Trail Technologies
See full webinar "Building an Audit Trail in an Oracle E-Business Suite Environment" at: http://www.erpseminars.com/WebinarAccessForm.html
Seeded Generic Users
Sources:
•11i: Metalink Note 189367.1
•R12: Metalink Note 403537.1
•ERP Seminars' Internal Controls Repository (end users only)
•SQL – users w/o employee assigned
•Stale users (users not logged in recently)
Seeded Generic Users
Known Seeded Generic Users:
'GUEST', 'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM', 'ASGUEST', 'AUTOINSTALL', 'BOL-OPS', 'BOL-SETUP', 'BOL-SUPPORT', 'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'IBE_ADMIN', 'IBE_GUEST', 'IBEGUEST', 'IEXADMIN', 'INITIALSETUP', 'IRC_EMP_GUEST', 'IRC_EXT_GUEST', 'MOBILEADM', 'MOBADM', 'MOBDEV', 'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO', 'STANDALONE BATCH PROCESS', 'SYSADMIN', 'WIZARD', 'XML_USER'
Seeded Generic Users
Sample SQL Statement: users w/o employee logins assigned
Purpose: identify possible consultants or generic users

SELECT user_name, start_date, end_date
  FROM fnd_user
 WHERE end_date IS NULL
   AND employee_id IS NULL;
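The slide's query finds users with no employee and no end date. As an added example (not the presentation's query), the version below generalises it in three ways a reviewer will want: an end date in the future still counts as active, the seeded names from the deck are flagged explicitly rather than inferred from the missing employee, and LAST_LOGON_DATE is used to surface the stale users the Sources slide mentions. It assumes the standard FND_USER columns named in it; the 90-day staleness threshold is an assumed policy value.

```sql
-- Added example, not the presentation's code. Assumes standard FND_USER
-- columns (EMPLOYEE_ID, END_DATE, LAST_LOGON_DATE, PASSWORD_DATE).
-- The seeded list is the one given on the "Known Seeded Generic Users" slide.
WITH seeded AS (
  SELECT column_value AS user_name
    FROM TABLE(sys.odcivarchar2list(
         'GUEST','AME_INVALID_APPROVER','ANONYMOUS','APPSMGR','ASGADM',
         'ASGUEST','AUTOINSTALL','BOL-OPS','BOL-SETUP','BOL-SUPPORT',
         'CONCURRENT MANAGER','FEEDER SYSTEM','IBE_ADMIN','IBE_GUEST',
         'IBEGUEST','IEXADMIN','INITIALSETUP','IRC_EMP_GUEST','IRC_EXT_GUEST',
         'MOBILEADM','MOBADM','MOBDEV','OP_CUST_CARE_ADMIN','OP_SYSADMIN',
         'PORTAL30','PORTAL30_SSO','STANDALONE BATCH PROCESS','SYSADMIN',
         'WIZARD','XML_USER'))
)
SELECT u.user_name,
       u.start_date,
       u.end_date,
       u.last_logon_date,
       u.password_date,                       -- last password change; see 11i decryption slide
       CASE WHEN s.user_name IS NOT NULL THEN 'SEEDED GENERIC'
            WHEN u.employee_id IS NULL   THEN 'NO EMPLOYEE: consultant or custom generic?'
            ELSE 'NAMED'
       END AS classification,
       CASE WHEN u.last_logon_date IS NULL        THEN 'NEVER LOGGED IN'
            WHEN u.last_logon_date < SYSDATE - 90 THEN 'STALE (>90 days, assumed threshold)'
            ELSE 'RECENT'
       END AS activity
  FROM fnd_user u
  LEFT JOIN seeded s ON s.user_name = u.user_name
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)   -- active, including future end dates
   AND (u.employee_id IS NULL OR s.user_name IS NOT NULL)
 ORDER BY classification, u.last_logon_date NULLS FIRST;
```

Rows classified SEEDED GENERIC that are RECENT deserve the first look: apart from SYSADMIN and GUEST, a seeded account that is still being used is either required by a module in use (keep, and monitor) or a sign that someone is working through it.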
Seeded Generic Users
Disposition of seeded users:
•End date, where possible, depending on applications being used
•Test, test, test
•Do not end date GUEST or SYSADMIN
•Monitor activity of GUEST and SYSADMIN
Seeded Generic User Accounts
For SysAdmin:
•Assign only the System Administrator responsibility and User Management role to the SYSADMIN login. If there are any other responsibilities or roles, they should be end-dated.
•Review the active assigned responsibilities at least monthly or, preferably, develop an alert or detailed audit trail (log or trigger based) to monitor the assignment of new responsibilities and roles or the removal of end dates on disabled responsibilities or roles.
•Require the use of the SYSADMIN login to be manually logged each time it is used.
•Establish a policy or develop security standards for the owner of the SYSADMIN login to understand that the SYSADMIN login should be used only when it is absolutely required by Oracle.
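The trigger-based audit trail this slide recommends for SYSADMIN (and that the Job Scheduling slides later ask for on the custom login, and the Triggers overview describes in general) can be built with a plain database trigger. The example below is added here and is not the author's or Oracle's code: it writes every insert, delete and end-date change on FND_USER_RESP_GROUPS_DIRECT to a custom log, marking the two events the slide singles out, a new assignment and a cleared end date. It assumes FND_USER_RESP_GROUPS_DIRECT is a base table in the reader's release, that a custom schema XXAUDIT (placeholder) exists and that site policy permits a custom trigger on an FND table; it is run connected as APPS. Roles assigned through User Management live in the workflow directory tables and are not covered by it.

```sql
-- Added example, not from the presentation. XXAUDIT is a placeholder schema.
-- Assumes FND_USER_RESP_GROUPS_DIRECT is a base table (responsibility
-- assignments) and that this runs as APPS with the needed privileges.
CREATE SEQUENCE xxaudit.xx_resp_assign_log_s;

CREATE TABLE xxaudit.xx_resp_assign_log (
  log_id              NUMBER        NOT NULL,
  logged_at           DATE          DEFAULT SYSDATE NOT NULL,
  db_user             VARCHAR2(128),             -- database session that made the change
  os_user             VARCHAR2(128),
  action              VARCHAR2(10)  NOT NULL,    -- INSERT / UPDATE / DELETE
  user_name           VARCHAR2(100) NOT NULL,    -- the EBS login whose assignment changed
  responsibility_id   NUMBER,
  resp_application_id NUMBER,
  old_end_date        DATE,
  new_end_date        DATE,
  flag                VARCHAR2(40),              -- the exceptions the slide calls out
  CONSTRAINT xx_resp_assign_log_pk PRIMARY KEY (log_id)
);

CREATE OR REPLACE TRIGGER xxaudit.xx_resp_assign_trg
  AFTER INSERT OR UPDATE OF end_date OR DELETE ON fnd_user_resp_groups_direct
  FOR EACH ROW
DECLARE
  l_user_name fnd_user.user_name%TYPE;
  l_action    VARCHAR2(10);
  l_flag      VARCHAR2(40);
BEGIN
  SELECT user_name INTO l_user_name
    FROM fnd_user
   WHERE user_id = NVL(:new.user_id, :old.user_id);

  IF INSERTING THEN
    l_action := 'INSERT';  l_flag := 'NEW ASSIGNMENT';
  ELSIF DELETING THEN
    l_action := 'DELETE';  l_flag := 'ASSIGNMENT REMOVED';
  ELSE
    l_action := 'UPDATE';
    -- A past end date that is cleared or moved into the future re-enables
    -- a responsibility that had been disabled.
    IF :old.end_date IS NOT NULL AND :old.end_date <= SYSDATE
       AND (:new.end_date IS NULL OR :new.end_date > SYSDATE) THEN
      l_flag := 'END DATE REMOVED';
    END IF;
  END IF;

  INSERT INTO xxaudit.xx_resp_assign_log
         (log_id, db_user, os_user, action, user_name,
          responsibility_id, resp_application_id, old_end_date, new_end_date, flag)
  VALUES (xxaudit.xx_resp_assign_log_s.NEXTVAL,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          l_action, l_user_name,
          NVL(:new.responsibility_id, :old.responsibility_id),
          NVL(:new.responsibility_application_id, :old.responsibility_application_id),
          :old.end_date, :new.end_date, l_flag);
END;
/

-- Monthly review (the slide's fallback): any responsibility other than
-- System Administrator currently active on SYSADMIN is an exception.
SELECT u.user_name, r.responsibility_name, d.start_date, d.end_date
  FROM fnd_user u
  JOIN fnd_user_resp_groups_direct d ON d.user_id = u.user_id
  JOIN fnd_responsibility_tl r
       ON r.responsibility_id = d.responsibility_id
      AND r.application_id    = d.responsibility_application_id
      AND r.language          = USERENV('LANG')
 WHERE u.user_name = 'SYSADMIN'
   AND (d.end_date IS NULL OR d.end_date > SYSDATE)
   AND r.responsibility_name <> 'System Administrator';
```

Because every application session shares the APPS database account, db_user will normally read APPS; the EBS user who made the change has to come from the row's LAST_UPDATED_BY column or from Sign On Audit for the same time window, which is why the two sources are reviewed together. The log table should sit in a schema the System Administrator responsibility cannot reach, otherwise the person being monitored can also clean the record.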
Seeded Generic User Accounts
For SysAdmin:
•Treat the SYSADMIN password similarly to Apps – one person (or small group) should know the password, and the password should be sealed in an envelope and held securely by an IT manager.
•Reset the SYSADMIN password according to a corporate password reset policy (I have seen some clients not reset their SYSADMIN password) – note that even if the password expires, the SYSADMIN login is still active.
•Most importantly, NEVER end date the SYSADMIN login as it is needed internally in many places. End-dating the SYSADMIN login may shut down your system or certain processes within your system (i.e. workflow processes).
Seeded Generic User Accounts
For SysAdmin:
•can be performed using a named login and the System Administrator responsibility should NEVER be done using the SYSADMIN login.
Seeded Generic User Accounts
For Guest:
•Cannot log in as GUEST
•No responsibilities need be assigned
•Similar monitoring to SYSADMIN
•Follow Metalink Note 443353.1 for maintenance of the GUEST password
Poll 2: Which statement best represents my organization's disposition of seeded generic logins?
Custom Generic Users
Job Scheduling user:
•The only responsibility granted to the user should be a job scheduling responsibility with a single function "Requests: Submit" assigned to the menu. No other functions are to be granted, particularly any functions that update data or allow access to sensitive data. If support users need access to other forms, they should access those forms through their own named login and "Support" responsibilities designed for supporting the applications.
Custom Generic Users
Job Scheduling user:
•Review the active assigned responsibilities no less frequently than monthly to make sure no other responsibilities have been assigned to this login. If the person(s) responsible for maintaining this login also has access to the System Administrator responsibility, consider developing an Alert or detailed audit trail to monitor for new responsibilities or roles being assigned or for assigned responsibilities or roles having their end date removed.
Custom Generic Users
Job Scheduling user:
•Narrowly define the requests and reports that this responsibility can use to only schedule jobs. No reports with sensitive data should be contained in the request group.
•Changes to security related to this login should be required to go through the Change Management process. This would include changes to the responsibility definition, underlying menu, and the request group.
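The three Job Scheduling slides define what the responsibility may contain: one function on the menu, "Requests: Submit", and a request group without sensitive reports. As an added example (not the presentation's code), the two queries below verify exactly that. The first walks the menu tree behind the responsibility and lists every function it exposes, marking anything other than "Requests: Submit" as an exception; the second lists the request group contents, flagging a whole-application unit because that grants every program in the application. XX_JOB_SCHEDULER_RESP is a placeholder responsibility key; the FND table and column names are the standard ones as assumed here.

```sql
-- Added example, not from the presentation. XX_JOB_SCHEDULER_RESP is a
-- placeholder responsibility key. Assumes standard FND_RESPONSIBILITY,
-- FND_MENU_ENTRIES, FND_MENUS, FND_FORM_FUNCTIONS(_TL), FND_REQUEST_GROUPS,
-- FND_REQUEST_GROUP_UNITS and FND_CONCURRENT_PROGRAMS_TL definitions.

-- 1. Every function reachable through the responsibility's menu hierarchy.
WITH menu_tree AS (
  SELECT me.menu_id, me.sub_menu_id, me.function_id, me.grant_flag, LEVEL AS depth
    FROM fnd_menu_entries me
   START WITH me.menu_id = (SELECT r.menu_id
                              FROM fnd_responsibility r
                             WHERE r.responsibility_key = 'XX_JOB_SCHEDULER_RESP')
 CONNECT BY PRIOR me.sub_menu_id = me.menu_id        -- descend into sub-menus
)
SELECT mt.depth,
       m.menu_name,
       ff.function_name,
       fft.user_function_name,
       mt.grant_flag,
       CASE WHEN fft.user_function_name = 'Requests: Submit' THEN 'EXPECTED'
            ELSE 'EXCEPTION'
       END AS review_status
  FROM menu_tree mt
  JOIN fnd_menus m               ON m.menu_id = mt.menu_id
  JOIN fnd_form_functions ff     ON ff.function_id = mt.function_id   -- drops pure sub-menu entries
  JOIN fnd_form_functions_tl fft ON fft.function_id = ff.function_id
                                AND fft.language    = USERENV('LANG')
 ORDER BY review_status, mt.depth, m.menu_name;

-- 2. What the request group lets the login run.
SELECT rg.request_group_name,
       rgu.request_unit_type,                -- P = program, S = request set, A = whole application
       cpt.user_concurrent_program_name,
       CASE WHEN rgu.request_unit_type = 'A'
            THEN 'EXCEPTION: every program in an application'
            ELSE 'REVIEW FOR SENSITIVE DATA'
       END AS review_status
  FROM fnd_responsibility r
  JOIN fnd_request_groups rg
       ON rg.request_group_id = r.request_group_id
      AND rg.application_id   = r.group_application_id
  JOIN fnd_request_group_units rgu
       ON rgu.request_group_id = rg.request_group_id
      AND rgu.application_id   = rg.application_id
  LEFT JOIN fnd_concurrent_programs_tl cpt
       ON rgu.request_unit_type     = 'P'
      AND cpt.concurrent_program_id = rgu.request_unit_id
      AND cpt.application_id        = rgu.unit_application_id
      AND cpt.language              = USERENV('LANG')
 WHERE r.responsibility_key = 'XX_JOB_SCHEDULER_RESP'
 ORDER BY review_status, cpt.user_concurrent_program_name;
```

Keep the output of both queries with the change ticket each time the responsibility, menu or request group is modified; that is the evidence the Change Management bullet asks for. Function exclusions defined on the responsibility (FND_RESP_FUNCTIONS) are not applied by the first query, so a function it reports may in practice be excluded; the safer reading is still to remove it from the menu.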
Other Recommendations
11i Password Decryption Risk
Even for those users that are end-dated, make sure you change the password from the default password to avoid the decryption risk outlined in Integrigy's white paper "Oracle Applications 11i Password Decryption". Find out more at: www.integrigy.com or email me for a copy of the white paper.
Poll 3: The recommendations outlined in this webinar are consistent with current internal and external audit recommendations
Wrap Up
Recap
•The following is a recap of the recommendations:
•Monitor unsuccessful logins
•Set up SignOn Audit
•Monitor security changes – requires a log- or trigger-based auditing mechanism for activity in user assignments (roles and responsibilities), menus, request groups, roles
•End-date those logins not needed (after thorough testing)
•Assign accountability for those that need to remain active
•Have users log activity and review actual activity versus sign-on audit reports
•Policies, standards, and procedures should reflect use of generic logins (seeded and custom)
ERP Risk Advisors Services
•Free one-hour consultation
•On-site seminars (1 - 2 days) – custom tailored to your company's needs, as well as various web-based seminars
•RFP / RFI management for Oracle-related GRC software
•SOD / UAC third party software projects / remediation
•GRC software implementation
•Security and internal controls design and implementation for pre- and post-implementation
•Pre-defined level I and level II assessment services – see: http://www.erpseminars.com/Services.html
Q & A
Poll 4: I'd like to follow up this webinar with:
Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell: 970-324-1450
Office: 970-785-6455
E-mail: jhare@erpseminars.com
Websites: www.erpseminars.com, www.oubpb.com
Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox
Internal Controls Repository (end users only) http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine they are 'in fact' Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.