CloudOracle

Migrating Security in Oracle ERP Cloud

Sriram ChandranKristin Jenison
February 17, 2020
4 min read

As security and Segregation of Duties (SoD) risks are becoming more scrutinized by the Public Company Accounting Oversight Board (PCOAB) and external auditors, it is increasingly important to establish a clean and compliant security role design in your Oracle ERP Cloud application. Whether you develop custom roles as part of your implementation or redesign security in your existing environment, role design and build may come with its own set of technical challenges – one of which includes role migration.

Like most configurations, custom roles are typically required to flow through the hierarchy of Oracle environments during their development lifecycle (e.g. roles are developed in a DEV environment, moved to a QA/UAT environment for testing, and finally migrated to Production only after they are fully vetted and approved). A major issue security teams face is that role migration in Oracle ERP Cloud can be a very tedious and time-consuming task. In fact, historically there was no feasible way to “migrate” roles at all – rather, security teams were forced to manually rebuild roles from the ground up in each environment.

New Role Migration Functionality

Starting with release 19A, Oracle introduced a new feature allowing users to export and import custom role hierarchies. The export function extracts the role hierarchies in three .csv files that together comprise the role to duty role to privilege mapping. Once exported from your source environment, the roles can be uploaded or imported into your target environment through the same navigation path.  This feature has reduced the level of effort required to migrate custom roles from one environment to another. As an added benefit, eliminating the need to manually recreate role hierarchies also reduces the risk of incomplete or inaccurate role configurations through manual error.

Navigation: Setup and Maintenance > Users and Security > Manage Job Roles > Actions > Export to CSV File or Import from CSV File

Items to Note

  • Using this feature does not require any prerequisite setups
  • The IT Security Manager role has access to this feature
  • You can migrate all custom roles or select only specific roles using available filter criteria

What Can’t be Migrated?

While the feature has dramatically increased the efficiency of migrating roles, there are some limitations around what can be exported and imported.  Some examples include:

  • Data Security Policies: Currently, the export and import utility only migrates the role hierarchy. The utility is not capable of migrating data security policies, which are critical for roles to function properly. This is a known Oracle design gap (#29337499). Unfortunately, this means the data security policies still need to be reconfigured manually for each role after migration between environments.
  • Seeded Roles: The export feature only allows the export of custom security artifacts. You cannot export seeded roles or seeded role to seeded privilege mapping. For example, if a custom job role contains a seeded duty role, the export data will include the job role to duty role mapping but will not contain the seeded duty role to seeded privilege mapping. In any case, it is best practice to never modify seeded security artifacts, so there should not be a requirement to migrate changes to these roles.
  • User Role Mapping: This specific feature does not support the export and import of user role assignments. Fortunately for teams going through a security design or redesign, the HCM data loader tool can be leveraged for this time-consuming task.

Conclusion

While the ability to migrate role hierarchies has been improved, the tool’s inability to migrate data security policies leaves significant challenges for organizations that need to build custom roles. Many teams who have leveraged the tool are left feeling as if the feature is incomplete or “half-baked” – and it has been nearly a year since Oracle has revisited the tool’s functionality.

To increase visibility of this issue, security teams who may require this functionality (or just want to help those that do) are encouraged to vote for the enhancement. If you would like to vote, visit the Oracle Cloud Customer Connect page and click the green thumbs up button. (If the link does not take you directly to the idea page, enter the idea number DF96E33E07 into the search box). Hopefully Oracle will hear us and include the functionality in a future release.

To learn more about how Protiviti can help with Oracle security, please visit our Oracle Solutions site or contact us.

 

Sriram Chandran

Senior Manager
Technology Consulting - Enterprise Application Solutions

View all posts

Kristin Jenison

Senior Manager
Enterprise Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
25 Jul

Protiviti’s @KonstantHacker chats with guest @RichardBlech of @XsocCorp about a high-performance symmetric encryption solution that will provide in-depth defense against the threat of fault-tolerant #QuantumComputing. Listen now: https://ow.ly/9oVU50SJklj #ProtivitiTech

Reply on Twitter 1816504643360358712 Retweet on Twitter 1816504643360358712 1 Like on Twitter 1816504643360358712 1 Twitter 1816504643360358712
protivititech Protiviti Technology @protivititech ·
25 Jul

Protiviti’s Joe Corrado will join a #Nintex panel for a July 30 webinar to discuss how document automation boosts #RevOps efficiency and sales. Register today to get access to expert tips and real-world success stories. https://ow.ly/LSsf50SJnaY #ProtivitiTech

Reply on Twitter 1816443898970898615 Retweet on Twitter 1816443898970898615 Like on Twitter 1816443898970898615 Twitter 1816443898970898615
protivititech Protiviti Technology @protivititech ·
24 Jul

The world was dealt a massive wakeup call after a #CrowdStrike software update caused global IT outages. In the aftermath, business leaders should take the opportunity to reboot tech resiliency. Learn more from the latest #VISIONbyProtiviti: In Focus: https://ow.ly/R2vU50SJrAT

Reply on Twitter 1816169832544432319 Retweet on Twitter 1816169832544432319 Like on Twitter 1816169832544432319 Twitter 1816169832544432319
protivititech Protiviti Technology @protivititech ·
24 Jul

#VISIONbyProtiviti: In Focus discusses a U.S. judge’s recent ruling that rejected #SEC oversight of #cybersecurity controls in the case against SolarWinds, the impact of the decision, and why it matters. https://ow.ly/Ph7j50SIbLH #ProtivitiTech

Reply on Twitter 1816111993767547294 Retweet on Twitter 1816111993767547294 Like on Twitter 1816111993767547294 Twitter 1816111993767547294
protivititech Protiviti Technology @protivititech ·
17 Jul

How can organizations tackle internal tech tickets when a team is remote? Protiviti’s Kim Bozzella recommends fully leveraging the features of their #IT service management software. Learn more: https://ow.ly/Yf3J50SEy7u #ProtivitiTech #Forbes

Reply on Twitter 1813635582964183412 Retweet on Twitter 1813635582964183412 Like on Twitter 1813635582964183412 Twitter 1813635582964183412
Load More