

    Lori Adams
    Security - SOX controls
    Topic posted January 10, 2018 by Lori Adams, tagged PBCS, Security 
    85 Views, 2 Comments
    SOX controls require separation of duties and reporting

    One of our SOX controls is that the person that administers the data loaded to our environment should not be the same person that is adding users to be able to access our environment, and vice versa. I can have a user that is the Domain Administrator, and he/she will be able to set up the users to get to our environments, but in order to actually assign a user to a security group, he/she will also need to be a System Administrator. Is there a way to give someone access to JUST the Access Control screen?

    Is there a way to get a report that shows WHICH system administrator made assignments to each of the security groups so that we can show that only the person authorized has made changes to Access Control groups?  I have read in the documentation that I should be able to go to System Reports and Select Auditing and then be able to mark changes to users/groups, but I don't have Auditing as an option in the System Reports, and I also haven't found anywhere that I can actually run a report once those options are marked.
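The evidence the question asks for (which administrator changed which security group, and whether anyone holds both the data-admin and the user-admin role) can be checked offline once the assignment history is exported. The following is an added example, not part of the original post and not an EPM/PBCS API: it assumes a constructed export format (a list of actor/action/group/target records) and constructed user names, and uses only the role names mentioned in this thread.

```python
"""
Separation-of-duties check over a constructed audit export of security-group
membership changes. Added example: the record format below is an assumption,
not the PBCS/EPBCS audit report format, and the users are constructed.
"""
from collections import defaultdict

# Constructed sample export: who changed which group, and what they did.
AUDIT_EVENTS = [
    {"actor": "alice", "action": "add_member",    "group": "Finance_Write", "target": "dave"},
    {"actor": "bob",   "action": "add_member",    "group": "Finance_Write", "target": "erin"},
    {"actor": "alice", "action": "remove_member", "group": "Finance_Read",  "target": "carl"},
]

# Constructed role assignments. Role names follow the thread; users are made up.
ROLE_ASSIGNMENTS = {
    "alice": {"Identity Domain Administrator"},
    "bob":   {"Service Administrator"},        # data admin; should not touch groups
    "carl":  {"Service Administrator", "Identity Domain Administrator"},  # SoD conflict
    "dave":  {"Planner"},
}

# The control's allow list: the only people authorized to change security groups.
GROUP_ADMINS = {"alice"}

# Role pairs that one person must not hold at the same time under the control.
CONFLICTING_ROLE_PAIRS = [
    ("Service Administrator", "Identity Domain Administrator"),
]


def role_conflicts(role_assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Return sorted (user, role_a, role_b) tuples for users holding both roles of a pair."""
    found = []
    for user, roles in sorted(role_assignments.items()):
        for a, b in conflicts:
            if a in roles and b in roles:
                found.append((user, a, b))
    return found


def unauthorized_group_changes(events, group_admins=GROUP_ADMINS):
    """Return the events whose actor is not on the group-admin allow list."""
    return [e for e in events if e["actor"] not in group_admins]


def changes_by_actor(events):
    """Summarize group changes as {actor: {group: count}} for the SOX evidence report."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["actor"]][e["group"]] += 1
    return {actor: dict(groups) for actor, groups in summary.items()}


def render_report(events, role_assignments, group_admins=GROUP_ADMINS):
    """Produce the lines an auditor wants: per-actor summary, violations, role conflicts."""
    lines = ["Security group changes by actor:"]
    for actor, groups in sorted(changes_by_actor(events).items()):
        for group, n in sorted(groups.items()):
            lines.append(f"  {actor}: {group} ({n} change(s))")
    lines.append("Changes by users outside the authorized group-admin list:")
    for e in unauthorized_group_changes(events, group_admins):
        lines.append(f"  {e['actor']} {e['action']} {e['target']} in {e['group']}")
    lines.append("Users holding conflicting roles:")
    for user, a, b in role_conflicts(role_assignments):
        lines.append(f"  {user}: {a} + {b}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(AUDIT_EVENTS, ROLE_ASSIGNMENTS))
```

With the sample data this flags bob (a Service Administrator who changed a group without being on the allow list) and carl (holding both roles). The allow list and conflicting-role pairs are the control itself, so they belong in version control alongside the script, not in the heads of the administrators being audited.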



    • Sidharda Chava

      There should be a role called Identity Domain Administrator. A user with this role can add users. For the data administrator role you can assign a planner with a group which has write access to all security dimensions (also members underneath it). This way only users in that group will have write access.

    • Peter Strayer

      The proposed answer does not address Lori's question. In the old on-prem world, you could grant someone the provisioning admin role in Shared Services and they could provision and add users to groups. The Identity Domain Administrator can grant initial access to EPBCS, but then someone with the Service Admin role (full admin access) has to actually add users to groups. It seems Oracle needs to allow a role that can provision users to groups without having admin access to the rest of the application (including data). I have a potential client wanting the same SOX compliant setup as Lori asked about in the initial question. There needs to be a role that can not only assign power user or planner/user access, but also manage security groups without any other access. Think help desks at companies that should be able to service tickets requesting provisioning/security to EPBCS applications. Right now, you'd have to give someone in the IT help desk group full admin access (including to data such as salaries) just so they could add users to groups. Anyone figured a way around this?