Securing your Oracle Cloud applications is an ongoing effort. Like a new car, Oracle Cloud security is not finished once it is implemented: it must be maintained and checked periodically as users come and go, new company workflows are introduced, and governments adopt new regulations or change existing ones. Keeping users, job roles, and privileges in check can seem daunting, and gaps that go unnoticed tend to surface as findings during audits.
When it comes to user access, however, there are some straightforward tasks you can perform right now that will make your Oracle Cloud application more secure and reduce the risk of compliance violations.
We have put together a short list of actions that will help you secure your Oracle ERP Cloud environment. Among other results, these actions will help you identify the most critical user-to-job-role assignments, limit the impact any one job role can have on the system, and tighten up user provisioning.
Minimize Application Implementation Consultant and IT Security Manager job role access
Not all job roles are created equal. The Application Implementation Consultant and IT Security Manager job roles have access to many of the key system administration functions across all Oracle Cloud applications, including the ability to change security configuration itself. Assign these job roles only to users who genuinely need them, and conduct periodic reviews of which users (and which service accounts) currently hold them.
Design and use custom job roles for user access
Oracle Cloud comes with pre-configured (or "seeded") job roles upon installation. Unfortunately, using these seeded roles without first examining the duty roles and access privileges they provide can lead to numerous segregation of duties (SoD) conflicts. Moreover, Oracle Cloud software updates can introduce new functionality and new access permissions into these pre-configured job roles, so a role that passed review last quarter may grant more after the next update.
It is a recommended practice to use seeded job role definitions only as a starting point for designing and building custom job roles. Fully custom job role definitions will not be affected by software updates; note that a copied role that still inherits seeded duty roles can still pick up changes to those duty roles, so review what the copy inherits.
Only use seeded job roles for:
- Designing and building non-inquiry custom job roles
- Emergency account access
- Service accounts that need to process jobs in the background
- Other truly valid business purposes
Establish a formal user provisioning process
Informal user provisioning practices, such as copying existing user-to-job-role assignments or not naming specific job roles in access requests (for example, "Give Jack the same access as Diane"), typically lead to over-provisioned access and SOX IT General Controls (ITGC) exceptions. Instead, establish a formal user provisioning process that contains the following high-level steps:
- Document user access requests in a ticketing system rather than by email, and state clearly which job roles are being requested for the user.
- Ensure that every access request is approved by the appropriate IT or business owner before the assignment is made, and record that approval in the request so you can produce evidence if asked.
- Verify that the access granted matches the access requested. For example, if an approved request says to provide Job Roles A, B, and C to Username G, confirm that Username G was assigned Job Roles A, B, and C and nothing more.
Plan for and remove emergency access
Sometimes it is necessary to grant emergency access to an individual for a short period (for example, to cover for a colleague on vacation or sick leave, or to troubleshoot a problem). It is important to remove this access once the emergency passes. Make sure you have a plan and a formal process in place for approving, assigning, and removing emergency access privileges, including an agreed end date recorded in the request, so that the removal step is not forgotten.
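The four checks above (who holds the Application Implementation Consultant and IT Security Manager roles, which users carry SoD conflicts, whether granted access matches what was approved, and which emergency grants are past their end date) are easy to run as one periodic review if you export user-to-job-role assignments to a file and keep approvals in your ticketing system. The following script is an added example and is not Fastpath's tooling or an Oracle API: the CSV export, the SoD conflict pairs, the approved-request and emergency-grant records, and all user and role names are constructed for the demo, and the role names in the SoD matrix are illustrative rather than an official conflict ruleset.

```python
"""Periodic access review over an exported list of user-to-job-role assignments.

Added example (not Fastpath's tooling, not an Oracle API). Assumes you have
exported username/job role pairs to CSV and that approvals and emergency
grants are recorded in your ticketing system. All data here is constructed.
"""
import csv
import io
from datetime import date

# Constructed export of user-to-job-role assignments (e.g. from a BI report).
ASSIGNMENT_CSV = """username,job_role,granted_on
jack,Accounts Payable Manager,2024-01-10
jack,Application Implementation Consultant,2024-02-01
diane,Accounts Payable Specialist,2024-01-10
diane,Accounts Payable Manager,2024-03-15
svc_batch,IT Security Manager,2023-11-01
priya,General Accountant,2024-04-02
"""

# The two seeded roles the text says to assign as sparingly as possible.
HIGH_PRIVILEGE_ROLES = {"Application Implementation Consultant", "IT Security Manager"}

# Constructed SoD matrix: role pairs that should not be held by one user.
# Illustrative only; a real ruleset comes from your controls team.
SOD_CONFLICTS = {
    frozenset({"Accounts Payable Specialist", "Accounts Payable Manager"}),
    frozenset({"General Accountant", "IT Security Manager"}),
}

# Constructed approved requests from the ticketing system: user -> approved roles.
APPROVED_REQUESTS = {
    "jack": {"Accounts Payable Manager"},
    "diane": {"Accounts Payable Specialist", "Accounts Payable Manager"},
    "svc_batch": {"IT Security Manager"},
    # priya has no approved ticket at all.
}

# Constructed emergency grants: (user, role) -> approved end date.
EMERGENCY_GRANTS = {
    ("jack", "Application Implementation Consultant"): date(2024, 2, 8),
}


def load_assignments(csv_text):
    """Group the export into {username: set(job roles)}."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_user.setdefault(row["username"], set()).add(row["job_role"])
    return by_user


def high_privilege_holders(by_user):
    """Every user holding one of the high-privilege seeded roles."""
    return sorted((u, r) for u, roles in by_user.items()
                  for r in roles & HIGH_PRIVILEGE_ROLES)


def sod_conflicts(by_user):
    """Users holding both roles of any conflicting pair."""
    found = []
    for u, roles in by_user.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                found.append((u, tuple(sorted(pair))))
    return sorted(found)


def unapproved_assignments(by_user, approved, emergency):
    """Granted roles backed by neither an approved request nor an emergency grant
    ("nothing more" than what the ticket asked for)."""
    return sorted((u, r) for u, roles in by_user.items() for r in roles
                  if r not in approved.get(u, set()) and (u, r) not in emergency)


def expired_emergency_grants(by_user, emergency, today):
    """Emergency grants still present in the export after their end date."""
    return sorted((u, r) for (u, r), end in emergency.items()
                  if r in by_user.get(u, set()) and today > end)


def run_review(csv_text, approved, emergency, today):
    """Run all four checks and return the findings as one dict."""
    by_user = load_assignments(csv_text)
    return {
        "high_privilege": high_privilege_holders(by_user),
        "sod": sod_conflicts(by_user),
        "unapproved": unapproved_assignments(by_user, approved, emergency),
        "expired_emergency": expired_emergency_grants(by_user, emergency, today),
    }


if __name__ == "__main__":
    for check, findings in run_review(ASSIGNMENT_CSV, APPROVED_REQUESTS,
                                      EMERGENCY_GRANTS, date(2024, 5, 1)).items():
        print(check, findings)
```

Running the review against the constructed data flags svc_batch and jack as high-privilege holders, diane as an SoD conflict, priya's General Accountant role as granted without an approved ticket, and jack's emergency Application Implementation Consultant grant as overdue for removal. In practice you would replace the constructed dictionaries with exports from your ticketing system and run the script on a schedule, keeping each run's output as review evidence.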
Inquiry-only access is not provided "out of the box" by any seeded role and therefore requires custom roles
Out of the box, Oracle Cloud does not provide any inquiry or view-only job roles; every seeded role carries some ability to create or change data.
It is best practice to build inquiry or view-only roles from scratch (that is, without copying them from seeded roles), so that no transactional privilege is inherited by accident. These roles should follow the principle of least privilege: a role should carry only the minimum set of privileges necessary to perform its function, which for an inquiry role means view and report privileges only.
These tips come from the Fastpath eBook, 30 Oracle Cloud Security Tips and Tricks, which covers securing Oracle Cloud in three areas: System Administration, Automated Application Controls, and IT General Controls (ITGC). You can see all 30 tips and tricks by downloading the eBook.