SHAPING SECURITY TAKING PEOPLESOFT SECURITY TO NEXT LEVEL
SPEAKER: Jarmanjit Singh CISSP CISA PeopleSoft Security Expert
DATE: 23 June 2015
Introduction
Problem Statement
Problem Summary
PeopleSoft Security
Dynamic Security - Solutions
Online Access Request Process
Solutions Summary
Questions
AGENDA
PeopleSoft Security Implementation, Redesign and Support Services
Value Added solutions (Bolt-ons) to automate Security
Speaker: Jarmanjit Singh CISSP CISA
Founder and PeopleSoft Security Expert at Jarman & Company
10+ years of experience in IT with 6+ years in PeopleSoft Security and Integrations
Has executed and supported several end-to-end PeopleSoft Security implementations.
Actively working on enhancing the Security module of PeopleSoft.
Innovative SECURITY SOLUTIONS that actually make your life EASIER
INTRODUCTION
HR
Job Profiles Security Profiles
Roles and Responsibilities
Business Security
Businesses use information systems.
Information systems are protected by a security layer.
Users need access to information systems.
The best security model is one where Job Profiles = Security Profiles. There has to be a match or there will be problems. This is just one part of it.
Tip 1: You should have a good design strategy in place: least privilege.
PROBLEM STATEMENT
This adds more complexity. HR and Security are 2 different modules. Changes in HR don't trigger security. The effort is manual, and that's where it goes out of sync and wrong.
Hire
Terminate
Employee Life Cycle
Provision Identity
De-provision Access
Access Life Cycle
Should always stay Compliant
The Ultimate goal
HR is a very dynamic function. That means Dynamic HR = Dynamic Security.
Tip 2: Make Security as dynamic as possible. You need tools.
Dynamic
Security
PROBLEM STATEMENT cont.
Not everything can be made Dynamic
o People wear different hats
o Job profiles are not standard
o There is no direct mapping between Job profiles and Roles and responsibilities
That's where you need a security access request process.
PROBLEM REALIZATION
Tip 3: Use an online access request process. You will save a lot of time compared with an external, manual, paper-based process.
Invoices and expenses are piling up. Very frustrated!!!
I haven't heard about my access for many days now. Is anything happening!! I really need to approve this PO. Please help!!!
It becomes imperative to pay bills on time or late payment fees will be charged. I do not believe ITS wants this to happen
Tip 4: Be proactive rather than reactive in your approach
MOTIVATIONAL EXAMPLES
Security is not only about creating Roles and PLs.
Design is the key to any product or service.
Besides inexperienced teams, there are other reasons as well:
o Team is always thin.
o Project support takes up to 50% of time
Tip 5: Find ways to save this time
SECURITY TEAM - qualifications
Match Security Objects with HR Job profiles
o Sets the platform to establish controls in business
o Sets the foundation for Least Privilege Principle
Make Security as dynamic as possible
o Helps reduce administration costs
o Streamlines security
o Eliminates human errors
o Improves service delivery
Complement it with an Online Access Request process
o Full audit trail of all requests
o Built-in approval mechanism
Be proactive rather than reactive in approach
o This should be used in strategy
o There is no one-line definition here
SUMMARY so far.
PeopleSoft security has 3 elements
- Page Access
- Data Access
- User Preferences
PEOPLESOFT SECURITY intro.
Multiple pages can be assigned to a Permission list.
[Diagram: Pages, Perm Lists, Roles, Users]
Users change, Roles don't.
PeopleSoft uses a Role Based Access model to control page access.
Pages are grouped into roles and roles are assigned to the users.
A role is a logical representation of a job function. For example, a Journal Entry role will have pages to do journal entries.
Best model where employee turnover is high.
PAGE ACCESS - RBAC
Database Row Level Security
Human Capital Management
People with Job: Security by PL - Location - Company - Business unit - Setid; Security by Department Tree
People w/o Job: Security by Permission List - Person of Interest
Time & Labor: TL security by Permission List - Dynamic groups - Static groups
DATA ACCESS - RLS
Financials
Row Security: - Business Unit - Setid - Ledger - Paycycle - Etc.
Chartfield Security: - Department - Account - Project - Fund - Etc.
Campus Solution
Secure Student Administration: - Institution - Career - Program - 3C Group - Etc.
Secure Student Financials: - Business Unit - Setid - Company
Also called User Defaults
In FS, they also mean User authorizations.
For example, authority to create Vendors.
It is a huge deal in FS. – 50% of work
There are tons of Authorization options in FS.
USER PREFERENCES
[Diagram: Page Access - End Users, PeopleSoft Security Roles, Permission Lists, PeopleSoft Pages; Security Operations, Security Maintenance]
• Page access is the same across all applications, i.e. the RBAC model
[Diagram: Data Access - End Users, Security Elements, Permission List; Security Operations]
• Row Security elements can be assigned via Permission Lists.
• Or directly to Users
[Diagram: User Preferences - End Users, User Preferences; Security Operations]
• There is a huge list of User Prefs in FS.
• And they all get assigned directly to User IDs.
Very high maintenance cost.
TnE Self-service also needs Data security.
There usually are business rules, but assignment is all manual.
Huge potential for human errors.
Inconsistent security.
Leads to a large number of Help Desk calls.
ADMINISTRATION COST
The RBAC model works fine for page access in all applications.
Row level security and User Preferences get assigned directly to User IDs, or via PLs in some cases.
o This is where most of the cost lies.
o And, this is where security remains inconsistent.
Can there be rules around assigning Row security and User Preferences?
Even better, can those rules be fed into the system?
Can the system auto-assign Row Security and User Preferences?
The answer is YES! We have introduced a Rule Based Security model for auto-assigning Row security and User Preferences.
WHAT’S THE SOLUTION?
[Diagram, Automated: Data Access - End Users, Row Security, Rules Engine; User Preferences - End Users, User Prefs, Rules Engine]
[Diagram, Security Operations: Data Access - End Users, Security Options, Permission List; User Preferences - End Users, User Preferences]
This makes Data Access and User preferences dynamic as well. Huge win in terms of administration cost.
DYNAMIC SECURITY
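Added example, not part of the original slides and not the vendor's bolt-on: a small rules engine that derives row security and user preferences from HR job data and reconciles them against what a user currently holds, so a transfer or termination in HR changes access without manual work. All field names, status codes, rules and records below are constructed assumptions.

```python
# Added illustration: rule-based assignment of row security and user
# preferences from HR job data. Field names, status codes, rules and records
# are all constructed; no PeopleSoft tables or APIs are used.
from dataclasses import dataclass


@dataclass(frozen=True)
class JobRecord:
    user_id: str
    status: str         # assumed codes: "A" active, "T" terminated
    department: str
    business_unit: str
    job_code: str


# Each rule pairs a match on the job record with the grants it produces.
# A grant is (kind, name, value): kind "row" = row security, "pref" = user preference.
RULES = [
    (lambda j: j.department == "AP",
     lambda j: {("row", "BUSINESS_UNIT", j.business_unit)}),
    (lambda j: j.department == "AP" and j.job_code == "VENDOR_ADMIN",
     lambda j: {("pref", "CREATE_VENDOR", "Y")}),
    (lambda j: j.department == "GL",
     lambda j: {("row", "BUSINESS_UNIT", j.business_unit),
                ("row", "LEDGER", "ACTUALS")}),
]


def desired_grants(job):
    """Grants the rules produce; a non-active user is entitled to nothing."""
    if job.status != "A":
        return set()
    grants = set()
    for matches, produce in RULES:
        if matches(job):
            grants |= produce(job)
    return grants


def reconcile(job, current):
    """Return (to_add, to_remove) that bring current grants in line with the rules."""
    want = desired_grants(job)
    return want - current, current - want


if __name__ == "__main__":
    held = desired_grants(JobRecord("jdoe", "A", "AP", "US001", "VENDOR_ADMIN"))
    # Transfer AP -> GL: ledger access is added, vendor-create authority is removed.
    print(reconcile(JobRecord("jdoe", "A", "GL", "US001", "ACCT"), held))
    # Termination: nothing is added, everything held is removed.
    print(reconcile(JobRecord("jdoe", "T", "GL", "US001", "ACCT"), held))
```

Running the reconciliation on every HR change, rather than on request, is what keeps the removals from being missed.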
LIST OF TOOLS
Bolt-ons (HCM)
Dynamic Security by Permission list - Location - Company - Business unit - Salary Grade
Dynamic Security by Dept tree - Security by Department Tree
Dynamic TL Security by PL - Dynamic groups - Static groups
Person of Interest
Bolt-ons (FSCM)
Dynamic Row Security - Business Unit - Setid - Ledger - Paycycle - Etc.
Dynamic TnE authorizations
• Request Access
• Approve Request
• Auto Implement
Online Access Request Process - Production
We have similar Process for Project Environments
[Diagram: Dynamic Role Assignment Process, steps 1 to 8]
For pieces that can't be made dynamic, a process is required.
Production – Live systems
– It is always urgent
– Fewer systems but a large number of users
In Project – Test environments
– Again, it's always urgent
– A large number of systems but fewer users
ACCESS REQUEST PROCESS
[Diagram: 1. FS, 2. HCM, 3. CS behind the Portal; each system has its own Roles, Data Security, User Defaults and Review/Approve]
Current Approach
Step 1: Requester makes request. Paper based manual process. Too much information to fill.
Step 2: Approver approves request. Manual: paper/Fax/Email/Phone based process. Hard to organize, adds delay.
Step 3: Security implements request. Manual: Add roles, Data Security & User preferences. Very cumbersome. 3 different systems. Hard to stay on top. Potential for Human errors.
COMMON PROCESS
[Diagram: FS, HCM, CS and Portal, with Roles, Data Security, User Defaults and Review/Approve; labelled 2. HCM]
New State of Security
Down to one process. We have created an online access request process within PeopleSoft.
You can configure multiple forms.
It uses workflow for approvals.
Auto implement
No manual intervention by the Security team.
No delay from the Security end. Requests get implemented as soon as they are approved by business.
STANDARDIZATION - automation
AWE
Program
User will make a request
Lead will review/approve it
System will auto implement it
Time saved here can be utilized in designing better security.
Improve project teams' productivity.
Email exchanges/tickets between Project team and security will reduce by more than 50%.
PROJECT TEAM - security
SOLUTIONS SUMMARY
We discussed STRATEGIES and TOOLS
STRATEGIES
Security Objects should match with Job Profiles
Security should be as dynamic as possible
Centralized Security model
TOOLS
Delivered - Dynamic role assignment
Custom - Dynamic RLS and User Preferences
Custom - Online Access Request Process (Production and non production)
This is what will make security Simple, Easy to Operate, Compliant, Streamlined and Instantly available.
Questions?
Visit our website for more information: www.jarmanc.com Name: Jarmanjit Singh Email: info@jarman.com Cell Ph: 647 282 9267