Applications Security


    Amit Behrani
    Role Compatibility in Fusion Cloud R12 onwards (Answered)
    Topic posted July 31, 2019 by Amit Behrani, tagged Financials, Security
    64 Views, 13 Comments
    Summary:
    Do we have Role Compatibility in Fusion Cloud R12 or onwards? It means that if a user has one role assigned, the system should not allow another specific role to be assigned to the same user.
    Content:

    Do we have Role Compatibility in Fusion Cloud R12 or onwards? It means that if a user has one role assigned, the system should not allow another specific role to be assigned to the same user.

    Example: A user has access to create a supplier using the role Supplier Manager. He should not have access to invoice creation or payment creation using any other role.

    Hence, if a user already has Supplier Manager assigned, the system should not allow Accounts Payable Supervisor to be assigned.

    Can we do this compatibility setup anywhere in Fusion Cloud?

    If not, is it under future enhancements?

    Version:
    Fusion Cloud r12

    Best Comment

    Karthikeyan Sukumar

    Hi Amit - What is the need for this? Per your needs above, if the user has the Supplier role then don't assign the Payables role. We can't restrict the system automatically.

    It depends on each customer needs.

     

    Thanks!

    Karthik

    Comment

     

    • Amit Behrani

      Hi Karthik,

      Your last comment got marked as best comment by mistake :). Let me elaborate on why we need this.

      If the same user has supplier creation, invoice creation and payment creation at the same time, that user can fraudulently create a dummy supplier, then raise an invoice and release payment against the invoice. That can be tracked in Audit; however, this is possible.

      Similarly, if a user has access to edit supplier info (such as bank account) along with access to invoice creation, the user can create a fraudulent invoice.

      Compatibility information has to be maintained manually.

      If the system would allow roles to be set up as incompatible with each other, it can be restricted. It can save the main role and all the incompatible roles against it; reversal should be automatic.

      Regards,

      Amit

    • Yasheswi Challa

      We cannot do that; the roles need to be designed accordingly.

    • Wendy Ware

      Hi Amit, I understand what you're asking for and why you're asking for it.  The short answer is that the system does not enforce segregation of duties and I don't think it can be configured to do so.  Our manual solution is to regularly export a list of users and roles into Excel where we pivot the data to audit the combinations of roles per user.

      If there is a seeded report that helps enforce segregation of duties perhaps someone else is aware of it and would share the info here.

      Thanks, Wendy

      • Amit Behrani

        Thank you, Wendy !

        We are running these two reports for now.

        1. User Role Membership Report
        2. User and Role Access Audit Report

        Regards,

        Amit

        • Yasheswi Challa

          The Privilege Discoverer Report can also be helpful to review users and roles granted access to code artifacts within a navigation menu entry.

        • Glen Ryen

          Hi Amit,

          We've done a lot of custom reporting against the tables behind those reports; you can search these forums for a good starting point for one such report.  But if you need a more complete solution, then look into the Risk Management Cloud Service.  That's something we've implemented as well for systematic SoD controls.  Does that help?

          Glen

    • Lori Culp

      Looks like a SOD issue?

    • Yasheswi Challa

      We can also define different auto provision rules and assign roles accordingly.

      • Joshua Vincent

        I think this is the best solution, with proper HCM job / position structure, the HCM Role Provision Rules can automatically provision roles (and data security), and automatically deprovision when the rule's assignment criteria are no longer met. With the above comments about audit of role assignments, if you have a good HCM structure and use role auto provisioning, you should build your report to only examine manually assigned roles, rather than automatically provisioned roles. In this way, you are not burdened by looking at all role assignments, but only those which were not done by rule, predicated by you creating rules that will not generate impermissible role pairings (SOD).
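
Added example, not part of the thread and not Oracle code: a Python version of the export-and-review audit described in the comments above, with an option to report only pairings that involve a manually assigned role. The CSV column names, the sample rows, the `INCOMPATIBLE` table and the reading of "manual only" as "at least one role of the pair was hand-assigned" are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Incompatible pairs, maintained by hand; role names follow the thread's example.
INCOMPATIBLE = {frozenset({"Supplier Manager", "Accounts Payable Supervisor"})}

# Constructed sample export; the column names are assumptions, not the
# layout of the reports named in the thread.
SAMPLE_EXPORT = """\
username,role,assignment
alice,Supplier Manager,MANUAL
alice,Accounts Payable Supervisor,AUTO
bob,Supplier Manager,AUTO
bob,Employee,AUTO
carol,Accounts Payable Supervisor,AUTO
carol,Supplier Manager,AUTO
dave,Accounts Payable Supervisor,MANUAL
"""

def load_assignments(text):
    """Return {username: {role: "MANUAL" | "AUTO"}} from the CSV export."""
    users = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        user, role = row["username"].strip(), row["role"].strip()
        # If a role is held both ways, keep MANUAL so it stays in audit scope.
        if users[user].get(role) != "MANUAL":
            users[user][role] = row["assignment"].strip().upper()
    return users

def find_conflicts(users, manual_only=False):
    """Return (username, role_a, role_b) for each incompatible pair held.

    manual_only=True keeps a pair only if at least one role was hand-assigned.
    """
    findings = []
    for user, roles in sorted(users.items()):
        for pair in INCOMPATIBLE:
            if not pair.issubset(roles):
                continue
            if manual_only and all(roles[r] != "MANUAL" for r in pair):
                continue
            findings.append((user, *sorted(pair)))
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(load_assignments(SAMPLE_EXPORT), manual_only=True):
        print("SoD conflict:", " | ".join(finding))
```

Running the full check (`manual_only=False`) from time to time also verifies that the provisioning rules themselves do not generate an incompatible pairing, as with the constructed user `carol`.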