
Use and Care of Generic Logins in an Oracle E-Business Suite Environment
Presented by: Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics
Hide and unhide the webinar control panel by clicking on the arrow icon at the top right of your screen.
The small window icon toggles between windowed and full-screen mode.
Ask questions throughout the presentation using the chat dialog.
Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A.
During the presentation we will be conducting a number of polls; please take the time to respond to all those that are applicable.
CPE will only be given to those that answer at least 3 of the 4 polls.
2010 ERPS / ERPRA
Presentation Agenda
Overview:
Introduction
Audit Trail Overview
Seeded Generic Users
Custom Generic Users
Other Recommendations
Wrap Up
Q&A
Introductions
Jeffrey T. Hare, CPA CISA CIA
Founder of ERP Seminars and the Oracle User Best Practices Board
Written various white papers on internal controls and security best practices in an Oracle Applications environment
Frequent contributor to OAUG's Insight magazine
Experience includes Big 4 audit and 6 years in CFO/Controller roles, both as auditor and auditee
In the Oracle applications space since 1998, both as client and consultant
Founder of the Internal Controls Repository, a public domain repository
Author of Oracle E-Business Suite Controls: Application Security Best Practices
Contributing author of Best Practices in Financial Risk Management
Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine
Poll 1: How confident are you that your generic accounts are all identified and proper monitoring has been put in place?
Audit Trail Overview
Audit Trail Overview
Disconnect between the application and database layers
Need to be concerned about application access as well as database access
Audit trail is only kept where the application is built to do so
Lack of "audit all" functionality to monitor privileged users
Lack of a detailed audit trail throughout the application
In some cases, as with HR, update versus correct
Example: change(s) to columns in a table can cause confusion about which changes were made (Journal Sources example)
Audit Trail Technologies
Overview:
Row Who / Alerts
Sign On Audit
Snapshot
Log
Triggers
Audit Trail Technologies
Row Who / Alerts
What is it:
Created by, creation date, last updated by, last updated date
When is it useful:
Monitoring things you don't expect to change (and catching it when they do)
Within an audit period, creation date and last updated date
Transaction monitoring (high volume) for some continuous controls monitoring (CCM) requirements
Audit Trail Technologies
Sign On Audit
What is it:
Profile option SignOn:Audit Level set to Form
When is it useful:
Tracking user logins and use of professional forms
Tracking login of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure
Audit Trail Technologies
Snapshot
What is it:
Comparison of row who information between instances or between two points in time (prod versus the 12/31 version)
When is it useful:
Identifying when something is changed that you wouldn't expect
When comparisons are pre-mapped, such as tools that compare objects between instances or versions
Application support to identify when there is a configuration change (i.e. what broke the process)
Audit Trail Technologies
Logs
What are they:
Various types of incremental data
Could be traffic flowing across the network or technology inherent to the database (redo, or for mirroring)
When are they useful:
High volume transaction tables
Can be used for all audits, but may have limitations
Audit Trail Technologies
Triggers
What are they:
Core database technology
Used by the System Administrator audit trail
Advanced software packages:
May allow metadata to be mapped
Usually have a central repository for easier reporting and data management
May allow for alerting on information
When are they useful:
Setups (key control configurations), Master Data, Security, Development; SQL Forms
Audit Trail Technologies
See the full webinar "Building an Audit Trail in an Oracle E-Business Suite Environment" at:
http://www.erpseminars.com/WebinarAccessForm.html
Seeded Generic Users
Seeded Generic Users
Sources
11i: Metalink Note 189367.1
R12: Metalink Note 403537.1
ERP Seminars Internal Controls Repository (end users only)
SQL: users w/o employee assigned
Stale users (users not logged in recently)
Seeded Generic Users
Known Seeded Generic Users:
'GUEST', 'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM', 'ASGUEST', 'AUTOINSTALL', 'BOL-OPS', 'BOL-SETUP', 'BOL-SUPPORT', 'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'IBE_ADMIN', 'IBE_GUEST', 'IBEGUEST', 'IEXADMIN', 'INITIALSETUP', 'IRC_EMP_GUEST', 'IRC_EXT_GUEST', 'MOBILEADM', 'MOBADM', 'MOBDEV', 'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO', 'STANDALONE BATCH PROCESS', 'SYSADMIN', 'WIZARD', 'XML_USER'
Seeded Generic Users
Sample SQL Statement:
Users w/o employee logins assigned
Purpose: Identify possible consultants or generic users

SELECT user_name, start_date, end_date
  FROM fnd_user
 WHERE end_date IS NULL
   AND employee_id IS NULL;
Seeded Generic Users
Disposition of seeded users:
End date, where possible, depending on the applications being used
Test, test, test
Do not end date GUEST or SYSADMIN
Monitor activity of GUEST and SYSADMIN
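As an added example (not part of the presentation), these are the two Sign-On Audit queries a reviewer would run once the SignOn:Audit Level profile option is set to Form, as the Sign On Audit slide describes. The first lists every session of the seeded generic logins named above, with the responsibility chosen and each form opened, so that it can be reconciled against the manual usage log the slides call for. The second lists stale users (the "users not logged in recently" source) as a candidate list for end-dating. The column names of FND_LOGINS, FND_LOGIN_RESPONSIBILITIES, FND_LOGIN_RESP_FORMS and FND_FORM_TL are the standard FND audit tables as I know them, and the 30-day and 90-day windows are my own assumptions.

```sql
-- Added example; not from the presentation. Assumes Sign-On Audit has been
-- set to Form so that FND_LOGINS, FND_LOGIN_RESPONSIBILITIES and
-- FND_LOGIN_RESP_FORMS are populated (user, responsibility and form level).
-- Column names follow the standard FND audit tables; verify in your release.

-- Query 1: every session of a seeded generic login in the last 30 days
-- (assumed window), with the responsibility chosen and each form opened.
-- Expected result on a well-controlled system: few or no rows, and each
-- row traceable to an entry in the manual SYSADMIN usage log.
SELECT u.user_name,
       l.login_id,
       l.start_time         AS session_start,
       l.end_time           AS session_end,
       rt.responsibility_name,
       ft.user_form_name,
       lrf.start_time       AS form_opened
  FROM fnd_logins l
  JOIN fnd_user u
    ON u.user_id = l.user_id
  LEFT JOIN fnd_login_responsibilities lr
    ON lr.login_id = l.login_id
  LEFT JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = lr.responsibility_id
   AND rt.application_id    = lr.resp_appl_id
   AND rt.language          = USERENV('LANG')
  LEFT JOIN fnd_login_resp_forms lrf
    ON lrf.login_id      = lr.login_id
   AND lrf.login_resp_id = lr.login_resp_id
  LEFT JOIN fnd_form_tl ft
    ON ft.form_id        = lrf.form_id
   AND ft.application_id = lrf.form_appl_id
   AND ft.language       = USERENV('LANG')
 WHERE l.start_time >= SYSDATE - 30
   AND u.user_name IN ('SYSADMIN', 'GUEST', 'CONCURRENT MANAGER',
                       'STANDALONE BATCH PROCESS', 'ASGADM', 'IBE_ADMIN',
                       'IEXADMIN', 'OP_SYSADMIN', 'WIZARD', 'XML_USER')
 ORDER BY u.user_name, l.start_time, lrf.start_time;

-- Query 2: stale users. Active accounts with no recorded login in the
-- last 90 days (assumed threshold). A NULL last_login means the account
-- has not logged in since Sign-On Audit was enabled; review those first.
SELECT u.user_name,
       u.start_date,
       u.employee_id,
       MAX(l.start_time) AS last_login
  FROM fnd_user u
  LEFT JOIN fnd_logins l
    ON l.user_id = u.user_id
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
 GROUP BY u.user_name, u.start_date, u.employee_id
HAVING MAX(l.start_time) IS NULL
    OR MAX(l.start_time) < SYSDATE - 90
 ORDER BY last_login NULLS FIRST, u.user_name;
```

The stale-user query only sees logins recorded after Sign-On Audit was turned on, so run it against a full audit period rather than immediately after enabling the profile option; an account that GUEST-style internal processes use without a session (the slides say GUEST cannot log in interactively) will show as stale and must still not be end-dated.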
Seeded Generic User Accounts
For SysAdmin:
Assign only the System Administrator responsibility and User Management role to the SYSADMIN login. If there are any other responsibilities or roles, they should be end-dated.
Review the active assigned responsibilities at least monthly or, preferably, develop an alert or detailed audit trail (log or trigger based) to monitor the assignment of new responsibilities and roles or the removal of end dates on disabled responsibilities or roles.
Require the use of the SYSADMIN login to be manually logged each time it is used.
Establish a policy or develop security standards for the owner of the SYSADMIN login to understand that the SYSADMIN login should be used only when it is absolutely required by Oracle.
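The monthly review of SYSADMIN's responsibilities described above, written as two queries. This is an added example, not the presentation's own code: the first query lists any active responsibility on SYSADMIN other than System Administrator (expected result: zero rows); the second lists assignments changed in the last 31 days with the login that changed them, which is the point-in-time substitute for the alert the slide prefers. FND_USER_RESP_GROUPS is the standard user/responsibility assignment view; the WHO columns on it (LAST_UPDATE_DATE, LAST_UPDATED_BY) and the 31-day window are assumptions to verify in your release.

```sql
-- Added example; not from the presentation. Two review queries for the
-- SYSADMIN login. FND_USER_RESP_GROUPS is the standard assignment view;
-- its LAST_UPDATE_DATE / LAST_UPDATED_BY columns are assumed to be exposed
-- from the underlying table (verify in your release).

-- Query 1: active responsibilities on SYSADMIN other than System
-- Administrator. Per the slide the expected result is zero rows. Roles
-- assigned through User Management live in the workflow role tables
-- (WF_LOCAL_USER_ROLES) and are not covered by this query.
SELECT u.user_name,
       rt.responsibility_name,
       urg.start_date,
       urg.end_date
  FROM fnd_user u
  JOIN fnd_user_resp_groups urg
    ON urg.user_id = u.user_id
  JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = urg.responsibility_id
   AND rt.application_id    = urg.responsibility_application_id
   AND rt.language          = USERENV('LANG')
 WHERE u.user_name = 'SYSADMIN'
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
   AND rt.responsibility_name <> 'System Administrator'
 ORDER BY rt.responsibility_name;

-- Query 2: monthly review of changes to SYSADMIN's assignments. A row whose
-- end_date is NULL but whose last_update_date is recent is the
-- "end date removed" case the slide warns about; changed_by tells you
-- which login made the change. The 31-day window is an assumption.
SELECT rt.responsibility_name,
       urg.start_date,
       urg.end_date,
       urg.last_update_date,
       upd.user_name AS changed_by
  FROM fnd_user u
  JOIN fnd_user_resp_groups urg
    ON urg.user_id = u.user_id
  JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = urg.responsibility_id
   AND rt.application_id    = urg.responsibility_application_id
   AND rt.language          = USERENV('LANG')
  LEFT JOIN fnd_user upd
    ON upd.user_id = urg.last_updated_by
 WHERE u.user_name = 'SYSADMIN'
   AND urg.last_update_date >= SYSDATE - 31
 ORDER BY urg.last_update_date DESC;
```

Both queries see only the current state of the row, so an end date that was removed and then put back between two reviews leaves no trace here; that is exactly why the slide recommends a log- or trigger-based audit trail on the assignment table over a periodic query.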
Seeded Generic User Accounts
For SysAdmin:
Treat the SYSADMIN password similarly to Apps: one person (or a small group) should know the password, and the password should be sealed in an envelope and held securely by an IT manager.
Reset the SYSADMIN password according to a corporate password reset policy (I have seen some clients not reset their SYSADMIN password). Note that even if the password expires, the SYSADMIN login is still active.
Most importantly, NEVER end date the SYSADMIN login, as it is needed internally in many places. End-dating the SYSADMIN login may shut down your system or certain processes within your system (i.e. workflow processes).
Seeded Generic User Accounts
For SysAdmin:
can be performed using a named login and the System Administrator responsibility should NEVER be done using the SYSADMIN login.
Seeded Generic User Accounts
For Guest:
Cannot log in as GUEST
No responsibilities need be assigned
Similar monitoring to SYSADMIN
Follow Metalink Note 443353.1 for maintenance of the GUEST password
Poll 2: Which statement best represents my organization's disposition of seeded generic logins?
Custom Generic Users
Custom Generic Users
Job Scheduling user
The only responsibility granted to the user should be a job scheduling responsibility with a single function, Requests: Submit, assigned to the menu. No other functions are to be granted, particularly any functions that update data or allow access to sensitive data. If support users need access to other forms, they should access those forms through their own named login and Support responsibilities designed for supporting the applications.
Custom Generic Users
Job Scheduling user
Review the active assigned responsibilities no less frequently than monthly to make sure no other responsibilities have been assigned to this login. If the person(s) responsible for maintaining this login also has access to the System Administrator responsibility, consider developing an Alert or detailed audit trail to monitor for new responsibilities or roles being assigned or for assigned responsibilities or roles having their end date removed.
Custom Generic Users
Job Scheduling user
Narrowly define the requests and reports that this responsibility can use to only schedule jobs. No reports with sensitive data should be contained in the request group.
Changes to security related to this login should be required to go through the Change Management process. This would include changes to the responsibility definition, underlying menu, and the request group.
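The three job-scheduling slides above describe one control: the responsibility's menu exposes a single function and its request group contains only the jobs to be scheduled. As an added example (not the presentation's code), the two queries below verify both points for a responsibility; 'XX Job Scheduling' is a placeholder name, and the FND menu, function and request group tables and columns are the standard ones as I know them, so check them against your release before relying on the output.

```sql
-- Added example; not from the presentation. Checks that a job-scheduling
-- responsibility exposes only the Requests: Submit function and that its
-- request group contains only the programs meant to be scheduled.
-- 'XX Job Scheduling' is a placeholder responsibility name.

-- Query 1: every function reachable through the responsibility's menu tree,
-- walking sub-menus recursively. Expected result: a single row, the
-- Requests: Submit function. Any other row, in particular a form function
-- that updates data, is a finding for the Change Management review.
SELECT LEVEL               AS depth,
       m.menu_name,
       me.entry_sequence,
       ff.function_name,
       fft.user_function_name
  FROM fnd_menu_entries me
  JOIN fnd_menus m
    ON m.menu_id = me.menu_id
  LEFT JOIN fnd_form_functions ff
    ON ff.function_id = me.function_id
  LEFT JOIN fnd_form_functions_tl fft
    ON fft.function_id = ff.function_id
   AND fft.language    = USERENV('LANG')
 WHERE me.function_id IS NOT NULL
 START WITH me.menu_id = (SELECT r.menu_id
                            FROM fnd_responsibility r
                            JOIN fnd_responsibility_tl rt
                              ON rt.responsibility_id = r.responsibility_id
                             AND rt.application_id    = r.application_id
                             AND rt.language          = USERENV('LANG')
                           WHERE rt.responsibility_name = 'XX Job Scheduling')
 CONNECT BY PRIOR me.sub_menu_id = me.menu_id
 ORDER SIBLINGS BY me.entry_sequence;

-- Query 2: contents of the responsibility's request group. A row with
-- request_unit_type = 'A' grants every program of an application and
-- defeats "narrowly define the requests"; 'S' is a request set, 'P' a
-- single program (named in user_concurrent_program_name).
SELECT rg.request_group_name,
       rgu.request_unit_type,
       cpt.user_concurrent_program_name,
       rgu.unit_application_id
  FROM fnd_responsibility r
  JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = r.responsibility_id
   AND rt.application_id    = r.application_id
   AND rt.language          = USERENV('LANG')
  JOIN fnd_request_groups rg
    ON rg.request_group_id = r.request_group_id
   AND rg.application_id   = r.group_application_id
  JOIN fnd_request_group_units rgu
    ON rgu.request_group_id = rg.request_group_id
   AND rgu.application_id   = rg.application_id
  LEFT JOIN fnd_concurrent_programs_tl cpt
    ON rgu.request_unit_type     = 'P'
   AND cpt.concurrent_program_id = rgu.request_unit_id
   AND cpt.application_id        = rgu.unit_application_id
   AND cpt.language              = USERENV('LANG')
 WHERE rt.responsibility_name = 'XX Job Scheduling'
 ORDER BY rgu.request_unit_type, cpt.user_concurrent_program_name;
```

Query 1 ignores menu exclusions defined on the responsibility (those can remove functions from what the menu grants), so a function it lists may in practice be excluded; the reverse is not possible, so an empty-but-for-Requests: Submit result is the conservative check. Run both queries again after any change to the responsibility, menu or request group, since the slide requires those changes to pass through Change Management.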
Other Recommendations
Other Recommendations
11i Password Decryption Risk
Even for those users that are end-dated, make sure you change the password from the default password to avoid the decryption risk outlined in Integrigy's white paper "Oracle Applications 11i Password Decryption". Find out more at www.integrigy.com or email me for a copy of the white paper.
Poll 3: The recommendations outlined in this webinar are consistent with current internal and external audit recommendations.
Wrap Up
Wrap Up
Recap
The following is a recap of the recommendations:
Monitor unsuccessful logins
Set up SignOn Audit
Monitoring security changes requires a log- or trigger-based auditing mechanism for activity in user assignments (roles and responsibilities), menus, request groups, and roles
End-date those logins not needed (after thorough testing)
Assign accountability for those that need to remain active
Have users log activity and review actual activity versus sign-on audit reports
Policies, standards, and procedures should reflect the use of generic logins (seeded and custom)
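The first recap item, monitoring unsuccessful logins, as an added example that is not part of the presentation. The query summarises FND_UNSUCCESSFUL_LOGINS per user and day and classifies each row so the reviewer sees at a glance whether the failures hit a seeded generic account, an end-dated account, or a user name that does not exist at all. The 7-day window and the threshold of 5 attempts are assumptions; the table and its columns are the standard FND ones as I know them, and to my knowledge it is populated on every failed password attempt regardless of the Sign-On Audit level (verify in your release).

```sql
-- Added example; not from the presentation. Summarises failed logins in
-- the last 7 days (assumed window) and keeps only the rows worth review:
-- 5 or more failures in a day (assumed threshold), or any failure against
-- a seeded generic account, an end-dated account, or a non-existent user.
SELECT ul.user_name,
       TRUNC(ul.attempt_time)          AS attempt_day,
       COUNT(*)                        AS failed_attempts,
       COUNT(DISTINCT ul.terminal_id)  AS distinct_terminals,
       MIN(ul.attempt_time)            AS first_attempt,
       MAX(ul.attempt_time)            AS last_attempt,
       CASE
         WHEN u.user_id IS NULL                                THEN 'NO SUCH USER'
         WHEN ul.user_name IN ('SYSADMIN', 'GUEST')            THEN 'SEEDED GENERIC'
         WHEN u.end_date IS NOT NULL AND u.end_date <= SYSDATE THEN 'END-DATED'
         ELSE 'NAMED USER'
       END                             AS account_class
  FROM fnd_unsuccessful_logins ul
  LEFT JOIN fnd_user u
    ON u.user_name = ul.user_name
 WHERE ul.attempt_time >= SYSDATE - 7
 GROUP BY ul.user_name, TRUNC(ul.attempt_time), u.user_id, u.end_date
HAVING COUNT(*) >= 5
    OR u.user_id IS NULL
    OR ul.user_name IN ('SYSADMIN', 'GUEST')
    OR (u.end_date IS NOT NULL AND u.end_date <= SYSDATE)
 ORDER BY failed_attempts DESC, attempt_day DESC;
```

Failures against end-dated accounts are the reason the 11i Password Decryption slide asks for default passwords to be changed even on end-dated users: the account cannot be used, but repeated attempts against it show that someone is trying the defaults. Schedule the query with the same cadence as the monthly responsibility review and keep the output with the manual SYSADMIN usage log.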
ERP Risk Advisors Services
Free one-hour consultation
On-site seminars (1 - 2 days) custom tailored to your company's needs, as well as various web-based seminars
RFP / RFI management for Oracle-related GRC software
SOD / UAC third party software projects / remediation
GRC software implementation
Security and internal controls design and implementation for pre- and post-implementation
Pre-defined level I and level II assessment services, see:
http://www.erpseminars.com/Services.html
Q & A
Poll 4: I'd like to follow up this webinar with:
Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell: 970-324-1450
Office: 970-785-6455
E-mail: jhare@erpseminars.com
Websites: www.erpseminars.com, www.oubpb.com
Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox
Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.
