Create Application Connectors for Deep SOD Analysis

Advanced controls can analyze data from multiple data sources. By default, an Oracle Cloud source supplies data from Fusion ERP, SCM, HCM, and CX applications, and you can configure seeded connectors that enable EPM-ARPS, EPM-FCCS, OCI, and EBS to supply data. You can now create additional connectors for other Oracle and non-Oracle applications that have role-based access models, enabling them to supply access data for deep separation-of-duties (SOD) analysis. 

To configure a connector, you create two flat files that specify user-to-role-assignment and role-to-permission-hierarchy data for an application:

  • Users_to_Security_Groups_Mapping_<your app name>.csv includes these columns: User ID, User Name, First Name, Last Name, Email, and Security Group.
  • Security_Groups_to_Permissions_Mapping_<your app name>.csv includes these columns: Security Group, Security Group Type, Permission, Permission Type, and Security Policy. 
    In the second file, valid values for Security Group Type and Permission Type are ROLE, GROUP, PERMISSION, PERMISSION_SET, PROFILE, PRIVILEGE, SECURITY_GROUP, DOMAIN, and BUSINESS_PROCESS. The Security Group value is a name that is the same in both files; it pairs users in the first file with security objects in the second file.
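A pre-upload consistency check for the two files described above, as an added example that is not Oracle's code. It assumes each file has a header row using exactly the column names listed here and that Security Group names are matched exactly; the function names and sample rows are constructed for illustration.

```python
import csv
import io

# Column names and type values as listed on this page; that each file's header row
# uses exactly these names is an assumption of this example.
USER_COLS = ["User ID", "User Name", "First Name", "Last Name", "Email", "Security Group"]
PERM_COLS = ["Security Group", "Security Group Type", "Permission", "Permission Type",
             "Security Policy"]
VALID_TYPES = {"ROLE", "GROUP", "PERMISSION", "PERMISSION_SET", "PROFILE", "PRIVILEGE",
               "SECURITY_GROUP", "DOMAIN", "BUSINESS_PROCESS"}

def _rows(text, required, label, errors):
    # Parse CSV text; record an error and return [] if a required column is missing.
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        errors.append(f"{label}: missing columns {missing}")
        return []
    return list(reader)

def validate(users_csv, perms_csv):
    """Return a list of problems in the two mapping files (empty list means consistent)."""
    errors = []
    users = _rows(users_csv, USER_COLS, "users file", errors)
    perms = _rows(perms_csv, PERM_COLS, "permissions file", errors)
    if errors:
        return errors
    for n, row in enumerate(perms, start=2):  # line 1 is the header
        for col in ("Security Group Type", "Permission Type"):
            if row[col] not in VALID_TYPES:
                errors.append(f"permissions file line {n}: invalid {col} {row[col]!r}")
    defined = {r["Security Group"] for r in perms}
    for n, row in enumerate(users, start=2):
        group = row["Security Group"]
        if group not in defined:  # exact, case-sensitive match (assumption)
            errors.append(f"users file line {n}: Security Group {group!r} "
                          "has no rows in the permissions file")
    return errors

# Constructed sample data (not from any real application).
SAMPLE_USERS = """\
User ID,User Name,First Name,Last Name,Email,Security Group
1001,jdoe,Jane,Doe,jdoe@example.com,AP_CLERK
1002,asmith,Ann,Smith,asmith@example.com,GL_ANALYST
"""
SAMPLE_PERMS = """\
Security Group,Security Group Type,Permission,Permission Type,Security Policy
AP_CLERK,ROLE,Create Invoice,PERMISSION,
AP_CLERK,ROLE,Pay Invoice,PRIVILEGES,
"""
```

Calling validate(SAMPLE_USERS, SAMPLE_PERMS) reports the misspelled Permission Type and the user whose Security Group never appears in the second file, either of which would leave that access out of the SOD analysis.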

When you create a connector for an application, a record of it appears in the Non-Fusion Data Sources panel of the Advanced Controls Configuration page in Risk Management Setup and Administration. There, you can run or schedule synchronization jobs that keep data current and you can complete maintenance tasks, as you would for seeded connectors you've configured.

Once access synchronization and global-user synchronization are complete, Advanced Controls users can create entitlements, access models, and access controls, and perform SOD and sensitive-access analysis.  

Business Benefit

Users can perform cross-application SOD analysis between Fusion and the other applications, thus enabling stronger risk management and compliance across multiple applications.

Steps to Enable and Configure

  1. Map the application's user-to-role-assignment and role-to-permission-hierarchy data in two flat files.
  2. Configure a storage bucket in your OCI Object Storage and an associated pre-authenticated request.
  3. Use curl commands to upload both flat files to the bucket. Here's a sample command to upload a flat file:
    curl -X PUT --data-binary '@Users_to_Security_Groups_Mapping_sf.csv' <pre-authenticated request URL>/Users_to_Security_Groups_Mapping_sf.csv
  4. Create a new data source: Specify a connector name. As its connector type, specify User-Defined, and select Connector Template 1. Specify the names of the flat files and the URL of the pre-authenticated request in the data source configuration.

Key Resources

Access Requirements

Users need the GTG_MANAGE_DATA_INTEGRATION_PRIV privilege to configure a new data source.