Security audit suggestions?
I am wondering if anyone has suggestions for a process to perform a yearly audit of our PeopleSoft security roles. We want to ensure we have identified all roles that might be a segregation of duties violation and also verify that our users have not been assigned roles that will cause conflicts. Any feedback is appreciated.
Thank you,
Debbie Butler
Crawford and Company
Debbie -
I realize this is an old request but let me know if you're still looking for any additional guidance or tools. Our approach is similar to what Kevin described in his reply, and I agree with his comment around the effort to get things started... but once you have the tools and process in place, it's well worth it and fairly easy to review.
I don't mind at all sharing some of the queries that we use.
Daniel Rech
Director of Information Systems
Beth Israel Deaconess Medical Center
drech@bidmc.harvard.edu
We have written several queries that we download and use for review. We are required to review quarterly for segregation of duties and other issues. We have one query for users/roles and then detail queries on roles and permission lists. It is not a fun exercise but everyone has to do it at some point.
Debbie,
The process for security review initially takes some time to put in place but once in place (and documented properly), should be done on a yearly basis - for both segregation of duties and Oracle compliance. The process includes understanding current roles / responsibilities (an initial security matrix), developing SQL/Query to determine what access each user currently has (separated out by page access and profile options), and comparing that to what access each user should have. This is sort of a mini-project to get in place but very valuable going forward. The keys to the initial security matrix are the roles/responsibilities in your organization as well as understanding key regulations and licensing metrics.
I hope that helps but please let me know if you have any additional questions.
–
Kevin Meyer, JD
Meyer Consulting Group, LLC.
Phone: 516.713.0805
Email: kmeyer@meyercgrp.com | meyercgrp.com
Implementations | Support | Upgrades | Compliance
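The user/role query checked against a security matrix, as the replies above describe it, sketched as an added example that is not from any poster in this thread. PSROLEUSER and PSOPRDEFN are PeopleTools tables; the SOD_CONFLICT matrix table, the role names and the users are constructed assumptions, and SQLite stands in for the PeopleSoft database so the query runs offline.

```python
import sqlite3

# Constructed sample data. PSROLEUSER (ROLEUSER, ROLENAME) and PSOPRDEFN
# (OPRID, ACCTLOCK) use PeopleTools table/column names; SOD_CONFLICT is a
# hypothetical table holding the conflicting role pairs from the security matrix.
SCHEMA = """
CREATE TABLE PSOPRDEFN (OPRID TEXT PRIMARY KEY, ACCTLOCK INTEGER);
CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT);
CREATE TABLE SOD_CONFLICT (ROLE_A TEXT, ROLE_B TEXT, REASON TEXT);
INSERT INTO PSOPRDEFN VALUES ('ALICE',0),('BOB',0),('CAROL',1),('DAVE',0);
INSERT INTO PSROLEUSER VALUES
  ('ALICE','AP_VOUCHER_ENTRY'),('ALICE','AP_VOUCHER_APPROVE'),
  ('BOB','AP_VOUCHER_ENTRY'),('BOB','GL_JOURNAL_ENTRY'),
  ('CAROL','VENDOR_MAINT'),('CAROL','AP_PAYMENT_RUN'),
  ('DAVE','AP_PAYMENT_RUN'),('DAVE','VENDOR_MAINT'),('DAVE','AP_VOUCHER_ENTRY');
INSERT INTO SOD_CONFLICT VALUES
  ('AP_VOUCHER_ENTRY','AP_VOUCHER_APPROVE','enter and approve own vouchers'),
  ('VENDOR_MAINT','AP_PAYMENT_RUN','create vendor and pay it');
"""

# Self-join on PSROLEUSER: a row comes back only when one user holds both
# roles of a matrix pair. Locked accounts are reported with a flag rather
# than dropped, so the reviewer decides whether they still need cleanup.
SOD_QUERY = """
SELECT u1.ROLEUSER, c.ROLE_A, c.ROLE_B, c.REASON, o.ACCTLOCK
FROM SOD_CONFLICT c
JOIN PSROLEUSER u1 ON u1.ROLENAME = c.ROLE_A
JOIN PSROLEUSER u2 ON u2.ROLENAME = c.ROLE_B AND u2.ROLEUSER = u1.ROLEUSER
JOIN PSOPRDEFN o ON o.OPRID = u1.ROLEUSER
ORDER BY u1.ROLEUSER, c.ROLE_A
"""

def build_sample_db():
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def find_sod_violations(conn):
    """Return (user, role_a, role_b, reason, locked) per conflicting pair held."""
    return conn.execute(SOD_QUERY).fetchall()

if __name__ == "__main__":
    for row in find_sod_violations(build_sample_db()):
        print(row)
```

Keeping the conflict pairs in a table means the yearly or quarterly review reruns the same query and only the matrix rows change.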