30 Oracle Cloud Security Tips and Tricks
Patrick Wadland, CISA, CFE

© 2021 Fastpath, Inc. | 4093 NW Urbandale Drive | Des Moines, IA 50322 | 515-276-1779 | www.gofastpath.com | Page 1

30 Oracle Cloud Security Tips and Tricks

Oracle Cloud ERP is a complex system and securing it can seem overwhelming. But not all system security issues have to be complicated. And just to prove it, we’ve put together some surprisingly simple tips that you can put into action right away to help you define user roles and permissions, manage users, prevent segregation of duties conflicts, and more.

This eBook takes you through 30 tips and tricks for securing Oracle Cloud in three areas: System Administration, Automated Application Controls, and IT General Controls (ITGC).

Let’s get started!


System Administration

TIP #1: Use the Simulate Navigator feature to identify which privileges grant access to critical business processes and IT activities

Oracle’s Role Navigation Simulator helps administrators identify which privileges provide access to specific work areas and tasks. Administrators can use this tool to build segregation of duties (SoD) rulesets. It also shows how user roles can gain access to specific privileges without requiring the administrator to have prior knowledge of the navigation needed to get there.

Access the Role Navigation Simulator via the Roles tab in the Security Console (Security Console > Roles Section > Query a Job Role).

In the example shown in Figure 1, the administrator can see all the privileges and sub-privileges granted to the Supplier Manager role.

Figure 1 – Role Navigation Simulator

TIP #2: Review and reconcile data access

While the job roles (and the duty roles contained within those job roles) control the privileges users have in Oracle Cloud, the Data Access tool tells the administrator what those users can view and edit.

For example, suppose you set up a general accounting manager role and allow that role to enter and post journal entries. Even though that role will be able to go into the journal pages, the user will not be able to enter a journal unless they also have the specific type of data access needed to process that transaction.


To use the Data Access tool, go to:

Navigator > Setup and Maintenance > Manage Data Access for Users

Figure 2 shows the Manage Data Access for Users screen. In addition to securing the privileges for each role, it is also necessary to reconcile the data access for each user role.

Fastpath’s Oracle Cloud products will show you all the users that are assigned data access, as well as which specific data access they have.

Figure 2 – Manage Data Access for Users

TIP #3: Minimize Application Implementation Consultant and IT Security Manager job role access

The Application Implementation Consultant and IT Security Manager job roles (see Figure 3) provide many of the key system administration functions in Oracle Cloud. Make sure you are only assigning these job roles to the users who genuinely need them, and that you are periodically reviewing the users who have these access privileges.

Figure 3 – View of the Application Implementation Consultant and IT Security Manager job role permissions


TIP #4: Design and use custom job roles for user access; seeded job roles are NOT recommended

Oracle Cloud comes with pre-defined job roles upon installation. Unfortunately, using these seeded (or “out-of-the-box”) role definitions without first looking at the access privileges they provide can lead to many segregation of duties (SoD) conflicts. Moreover, Oracle Cloud software updates can change seeded job role access permissions.

Companies typically use three types of role design:

• Use seeded job roles without adjustments

• Fully customized job role definitions

• A combination of seeded and custom job role definitions

Fastpath recommends using seeded job role definitions as a starting point for designing and building customized job roles. Only use seeded job roles for:

• Emergency account access

• Service accounts that need to process jobs in the background

• Other truly valid business purposes

TIP #5: Assess and test patching impacts

As mentioned elsewhere, quarterly patches can introduce new functionality into seeded job roles but will not impact customized roles. This underscores why your organization should design and use fully customized job roles for user access.

Any new functions created by the update will be visible immediately upon patch completion. Always test new functionality in a non-production environment, and only move it into production when it has been thoroughly tested and users are trained on it.

TIP #6: Beware of cross-module access!

Some seeded job roles also have interdependent access across multiple applications.

For instance, several roles allow the creation of manual journal entries via the Subledger module (or application), among them the AP Manager, AR Manager, and Payroll Manager roles.

The example in Figure 4 shows that the Payroll Manager job role has the Subledger Accounting Manager duty role assigned to it. Having the Subledger Accounting Manager duty role allows the user to create a subledger journal entry manually, giving the user the ability not only to create a manual journal entry but also to CHANGE the Journal Source. The risk here is that a user with this access can make a manual entry look like a system journal entry, potentially circumventing any journal approval rules you might have in place.


Figure 4 – Payroll Manager job role with Subledger Accounting Manager duty role assigned

TIP #7: Inquiry only access is NOT provided “out of the box” with any roles and, therefore, cannot be granted without custom roles

Out of the box, Oracle Cloud does not provide ANY inquiry or view-only roles.

It is best practice to build these inquiry or view-only roles from scratch (that is, without copying them from seeded roles). Access to these roles should be based on the principle of least privilege, which states that the role should have only the minimum set of privileges necessary to perform its function.

TIP #8: Periodically test false positive access

When using a GRC tool (like Fastpath) on your ERP, periodically test job roles, duty roles, data access, and other security settings to determine whether a privilege leads to true or false positive access to business or IT functionality.

Administrators should have a process in place to periodically test false positive access results from the GRC tool using a non-production environment, ideally one that has been recently refreshed from production. See the next tip for an example test approach.

TIP #9: Maintain and remediate false positive testing results

The following is one possible approach to testing for “False Positive” access:

1. Using your GRC tool, generate a detailed Excel report (i.e., the full access path from Job Role > Duty Role > Privilege) indicating all of the job roles which can access your key business process/IT activities as determined by your firm’s SoD matrix/ruleset (Fastpath can easily create this type of report).

2. Use Excel’s Remove Duplicates functionality to remove any duplicate results.

3. Create a test username in your non-production environment and, for each unique Access Path-Privilege combination, assign this username a job role that the report claims can access the privilege. If possible, record and keep track of the exact UI navigation.


For each Access Path-Privilege combination tested, record whether the privilege is accessible (Yes) or not (No) and, if it is not accessible, analyze and assess whether it would be possible to remove the privilege from the preceding duty or job role without impacting other duty or job roles.

TIP #10: Add mitigating rules and conditions in your GRC tool to eliminate false positives

Once false positives are identified, you can establish mitigating rules and conditions to inform the GRC tool that the user role should be able to perform an action, such as approving journal entries, requisitions, or POs, as shown in Figure 5.

Figure 5 – Adding a mitigation rule using Fastpath


Automated Application Controls

TIP #11: Check your credit before you wreck your credit!

Credit checking can be difficult to enforce in Oracle Cloud. For example, there are about eight configuration settings across four areas/levels that must be synchronized just to have credit checking properly in place. These configurations must be set appropriately for Oracle Cloud to:

• Perform a credit check on sales orders at the time the orders are booked

• Place orders by customers with insufficient credit on hold

• Prevent the release of orders on hold until the hold(s) is removed

To perform credit checking, start with the following configurations:

Customer

• Credit Limit

• Order Amount Limit

System

• AR Payment Terms

• Customer Profile Classes

• Credit Management

Business Unit

• Receivables

• Transaction Types

Customer Site

• Credit Limits and Late Charges

NOTE: Don’t try to get everything right at once. Instead, proceed one setting at a time to make sure each is set correctly before moving on to the next. This also applies to any business process that requires setting multiple configurations.


TIP #12: Validate aging methods

Always make sure your AR Aging reports (see Figure 6) are tied to the appropriate aging methods, and verify that these aging methods are configured appropriately so that overdue invoices appear in the correct Aging Buckets to help recover the delinquent debt.

Make sure that the aging methods (also known as “aging buckets” in Oracle EBS) are configured appropriately, because these dictate where any overdue AR invoices appear in your overdue reports.

For example, someone could manipulate the aging methods to put something that is overdue by 90-180 days in a shorter aging bucket, giving the user reading the report the false impression that it is not delinquent debt.

Figure 6 – Example of Aging Bucket Reports

TIP #13: Don’t delegate your delegation of authority!

Make sure you have an appropriate approval chain to approve purchase requisitions and purchase orders. Multiple configurations at the Business Unit level must be set appropriately for Oracle Cloud to enforce the approval hierarchy for purchase requisitions and purchase orders based on the total requisition or PO value.

Two configurations to help you configure the approval chain properly are:

• Configure Procurement Business Function

• Manage Requisition Approvals Tasks


TIP #14: Match, match, match!

3-Way Matching helps ensure that purchase orders, invoices, and receipts are validated from both a pricing and a quantity perspective as you go through the procurement process. Similar to Credit Checking (Tip #11), multiple configurations at different levels must be set appropriately for Oracle ERP Cloud to:

• Require matching on all AP invoices

• Ensure that any AP Invoices that don’t comply with these configurations are placed on hold

Appropriately setting these configurations will help to achieve purchasing and payables control objectives. Two settings to help you configure your procurement validation process are:

• Invoice Tolerance Set, Financials/System Options

• Payables Invoice Hold

TIP #15: Carefully review and lock down supplier access

While you can build job roles which have inquiry-only access to suppliers, some sub-privileges can give users access to supplier bank accounts, supplier sites, and more. Therefore, it is important to properly configure which job roles have full access to supplier master data.

While Oracle has published many MoS (My Oracle Support) documents on how to detect and secure this supplier access, actually securing it can still be a challenge.

Review MoS documents or talk to consultants with Oracle Cloud Security technical expertise to help you design and build custom supplier inquiry roles.

TIP #16: Check for duplicate invoices across business units

While Oracle Cloud will try to prevent duplicate invoice payments, it will not prevent the payment of two invoices with the same invoice number from within two different business units (or operating units in EBS). Oracle Cloud DOES NOT look across business units and will not see the duplicate invoice.


The remedy is to design and deploy a solution that seamlessly interrogates invoices across business units for duplicate invoice numbers as well as other variables that can lead to erroneous or fraudulent duplicate invoice payments.

TIP #17: Freeze journals!

Manage Journal Sources is a tool within Oracle Cloud to help you identify the origin of a journal entry.

To access the Manage Journal Sources tool, go to:

Setup and Maintenance > Search Tasks > Manage Journal Sources

The Manage Journal Sources tool gives you the option to Freeze Journals (see Figure 7).

When Freeze Journals is set to Yes (Enabled), journals created with this source cannot be modified prior to posting. When Freeze Journals is set to No (Disabled), users with access to create journals can open journals prior to posting and perform any of the following actions:

• Modify the GL accounts

• Modify debit/credit amounts

• Add manual journal lines to system journal entries

The risk is that disabling Freeze Journals will allow a user to change GL accounts along with debit/credit amounts, which can lead to financial statement fraud. The best practice is to freeze all systematic journal sources (Receivables, Assets, etc.) and unfreeze all manual journal sources.

Figure 7 – Using Manage Journal Sources to Freeze Journals


TIP #18: Depreciate those assets

Multiple configurations at different levels must be set appropriately for Oracle Cloud to calculate and record depreciation for fixed assets in accordance with corporate policy. Configuration settings that will help achieve these and other purchasing control objectives are Asset Books, Asset Categories, and Depreciation Methods.

TIP #19: Don’t sublet subledger manual journals

In Oracle EBS Release 12 (R12), Oracle introduced a new capability that allows users to create manual journal entries within the subledger module; however, users can make these manual journals look like system journals. This functionality has been carried over to Oracle ERP Cloud as well and can be accessed from the Create Subledger Journal Entry Online and Create Subledger Journal Entry Batch screens (see Figure 8).

No user should be able to create manual journal entries within the subledgers unless management has designed controls to detect and identify these manual subledger journals; making sure the journal approval rules are in place will mitigate this risk.

Figure 8 – Create Subledger Journal Entry screen

TIP #20: Utilize Journal Approval Rules and Workflows

Effective journal approval rules and workflow will help detect, mitigate, and prevent unauthorized journal entries, leading to reduced opportunities for financial statement fraud such as net income overstatements or understatements.

Go to Manage Journal Approval Rules (see Figure 9) to enable and set up these workflows:

Navigator > Setup and Maintenance > All Tasks > Manage Journal Approval Rules


The bottom line: make sure you have workflow enabled and specific journal rules in place, so that journals being created are routed to the appropriate people.

Figure 9 – Manage Journal Approval Rules screen


IT General Controls (ITGC)

TIP #21: Establish a formal user provisioning process

Copying existing user and job role assignments, or not specifying specific job roles in access requests (for example, “Give Jack the same access as Diane”), typically leads to over-provisioned security and SOX ITGC exceptions. It is important to have a formal process for provisioning users:

1. Document the user access request:

• Have a process to add and modify user access to all key applications

• Document all user access requests via a ticketing system and state which responsibilities or roles (if using UMX for RBAC) are being requested.

2. Approve the user access request

• Ensure that all access requests are approved by appropriate IT or Business Owners prior to assignment, and that evidence of this approval exists in the request in case you are asked to provide it.

3. Validate the provisioned access

• Verify that access requested matches access granted

• Verify that roles requested match roles assigned

TIP #22: Establish a formal user termination process

Likewise, there should be a formal process for terminating users:

1. Document the user termination

• Have a process to end-date user access

• Document all user termination requests via a ticketing system, and set up integrations with Active Directory and other systems so that IT is promptly notified when users leave the company


2. Terminate ALL user access

• Terminate network access immediately

• Disable Oracle Cloud access NO LATER than two weeks after the user’s last day of employment

• Terminate access to all other applications

3. Validate the user’s terminated access

• Verify that terminated users no longer appear on user access review reports

NOTE: Make sure Oracle Cloud (and all key systems) are integrated appropriately with Active Directory (which terminates network access). Integration with Active Directory ensures IT knows when an employee has been terminated and does not have to wait for HR to tell them. There may be a legitimate reason why IT was not told about the termination, but SOX auditors are generally not interested in the explanation.

TIP #23: Plan for and remove emergency access

There are times when access privileges must be granted to some individuals in emergency or temporary situations (vacation, sickness, troubleshooting, etc.). Make sure you have a plan for approving, assigning, and removing emergency access privileges when the need arises.

TIP #24: Automate your user access review

Many user access reviews are still performed manually, which is adequate for small companies but can lead to problems and Segregation of Duties conflicts in larger organizations. The benefits of automating user access reviews include greater auditability and consistency, as well as reducing the time it takes to generate, review, and organize the reports. Many GRC tools will help you automate the user access review process.

The following example illustrates Fastpath’s automated review process:


1. Fastpath generates a report of users and their access privileges

2. Managers review these reports and accept or reject each item

• If accepted, the user access is authorized

• If rejected, the user access is unauthorized. Access privileges are removed and remediation or corrective action is taken.

TIP #25: Take a risk-based approach to security

Identify your organization’s highest risks and address these issues first. When reviewing users and job roles, look first at those individuals and roles who have the most critical access. Start with the Application Implementation Consultant and IT Security Manager job roles (see Tip #3).

TIP #26: More responsibility = Less access

Management jobs are not transactional jobs and should not have transactional access. Therefore, even though some managers may be involved in transactions, they should not be performing them. As a rule, transactional access should decrease as responsibility increases.

TIP #27: Redesign business processes for Segregation of Duties

Users should not have access to multiple parts of a process. Many accounting firms will provide a business process walkthrough that identifies vulnerabilities in your business processes, an important requirement for SOX compliance. This can be hard to do without a GRC tool like Fastpath.

TIP #28: Establish a process to track all configuration changes you make to the system

Auditors might ask for a list of all configuration changes over the past year, and Oracle Cloud does not provide this for you. One common misperception about ITGC Change Management testing is that viewing the last update will show all previous updates. Unfortunately, there is no easy or reliable way to obtain a seeded report of all Oracle Cloud application configuration changes. The Last Update Date will not tell you how many times a field has been updated.

You will have to maintain your own reporting to ensure you can track all configuration changes to the system. Custom reports via BI Publisher (within Oracle Cloud) or GRC tools (like Fastpath) are alternatives that can help provide this information.


TIP #29: Perform security changes in phases

Security changes don’t all have to be done at once. Performing your security changes in phases will let you isolate issues and give you a much more reliable approach to security. Remember, each phase will still help improve the overall system security.

TIP #30: Security is more than just Oracle Cloud

There are multiple layers to the Oracle Cloud application, and each layer has its own security issues and mitigating actions. These Rings of Security include:

• The application database

• The Oracle Cloud application itself

• The network and system infrastructure

• The users themselves

As an administrator, you are responsible for asking the difficult questions – and keep asking them – to make sure that security is maintained:

• Why does the controller need to process AP?

• Why did the accountant make changes to our suppliers?

• What system does this functionality come from?

Also, look for any other systems that integrate with Oracle Cloud, like Salesforce and Workday. Transaction flow between business systems can create segregation of duties issues between these applications that might be hard to find without a dedicated search – don’t make any assumptions.

Conclusion

There are many facets to Oracle Cloud ERP system security, many more than are discussed here. However, following these simple steps in the areas of system administration, application controls, and general system controls will go a long way toward helping you achieve a secure environment, get a handle on user roles and privileges, and avoid unnecessary compliance risks.

About Fastpath

The Fastpath Assure suite is a cloud-based risk and compliance platform that helps thousands of organizations track, review, approve, and mitigate user access risks and Segregation of Duties (SoD) conflicts. Fastpath customers achieve process efficiency, streamlined audits, and enhanced control over their security, compliance, and risk management efforts.