Use Cases

Oracle Fusion Cloud Access Certifications can support both large-scale regularly scheduled audits and more narrowly defined reviews of assignments involving sensitive privileges.

Quarterly Audits

You can perform what's commonly known as the quarterly access certification audit. The objective is to review all the assignments of all roles in the organization each quarter. In this example, the certification owner, Lucy, creates a standard certification called Q1Y1.

Lucy elects to use top-down scoping, which is the better approach for a large-scale certification. Top-down means that the certification automatically starts with all roles that are assigned to users, but the owner can remove roles from that pool. For example, Lucy removes the General Reporting role, reasoning that every user in her organization has this role, so reviewing it serves no purpose.

In Lucy's organization, business process supervisors are responsible for making sure their roles are certified. So Lucy appoints her supervisors as role managers in the Q1Y1 certification, assigning each the roles for which he or she's responsible. She taps one of these, Susan, to manage the roles involved in the Procure to Pay business process.

As she initiates the certification, Lucy also appoints certifiers who work under each role manager. In Susan's case, Lucy selects Larry (Supplier Management), Alice (Payables and Invoicing), and Tom (Payments) as the certifiers for roles related to their areas.

After Q1Y1 has been initiated, Susan reviews her manager overview page to see what progress her certifiers have made, so that she can make sure they meet the deadline. She notices that Tom is lagging, so she sends him an email message. To do so, she opens his employee card, which is available in his record on her overview page; it contains his email address and other contact information.

After the prompting from Susan, Tom reviews each of his roles in his worksheet, and determines which users should be allowed to keep their roles, and which should not. Once he completes his worksheet, he submits it to Susan for her review.

By this time, all three certifiers have submitted their worksheets for Susan's review. Susan notices that one user has the Payables Manager role and has been approved to keep it, but she knows he's just accepted a new position. She reopens Alice's worksheet and lets her know that this user's status should be updated to Remove. Alice makes the change and resubmits the worksheet to Susan.

Susan is now ready to submit her roles to Lucy, the certification owner. Lucy performs similar monitoring. Once all the role managers have submitted their roles and Lucy has done her review, she finalizes the Q1Y1 certification. She then generates a report she created in Oracle Transactional Business Intelligence to list all the role-user combinations that have the Remove action. She sends the report to the security owner as a change request to have access to these roles removed.

Once completed, the Q1Y1 certification remains available as a template for the next quarterly audit. This significantly reduces the effort involved in creating recurring certifications.

Sensitive-Access Reviews

You can also monitor users who have access to specific sets of sensitive privileges. In this example, the controller, Jim, wants to make sure he's continually aware of who can post manual journal entries across his organization.

He begins by creating a standard certification, one that lets him review job assignments that already exist.

Because this is a very specific analysis, Jim uses bottom-up scoping as he creates the certification. Bottom-up means that the certification starts with no roles selected, and the owner must create one or more filters that select the roles he wants. Jim creates one filter that uses an entitlement, which is a set of related privileges or roles. Jim's entitlement includes four privileges that allow the posting activity. The scoping job returns roles that both include any of the four privileges and are assigned to users.

When Jim runs his scoping job, he notices it returns a job role he didn't expect. He makes sure to include this role so he can see which users it's assigned to. Because this is his analysis, and he's assigned the necessary security, he appoints himself as both role manager and certifier, and initiates the certification.

After reviewing the roles and their users in the certifier worksheet, Jim decides who should retain access. Among the users he reviews is one assigned the unexpected, suspicious role. Jim doesn't know this user, and so marks him with the Remove action. Once he's reviewed all the user-role assignments, Jim submits the worksheet.

As both the role manager and the owner, Jim performs the necessary actions to finalize the certification. He also generates the security removal report, sends it to the security owner, and schedules a meeting to determine who created the suspicious role and why.

Next, Jim creates a continuous certification, one that enables him to review new assignments of roles to users each day over an extended period.

As he creates the continuous certification, he defines the same scoping filter, specifying the same entitlement. Beyond the assigned roles that the standard certification selected, this filter also returns roles that include any of the four posting privileges but that aren't yet assigned to any user. That's because these roles may be assigned at any point over the life of the continuous certification. Jim once again appoints himself as both role manager and certifier.

This certification initially returns no results, because at the moment Jim initiates it there aren't yet any new assignments of the scoped roles. The next day, however, the role Jim found suspicious is assigned to another user; the following day a record of the assignment appears in Jim's certifier worksheet. His meeting to discuss this role hasn't yet taken place, so he once again selects the Remove action and submits the worksheet.
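The scoping and daily-review logic described for Jim's two certifications can be modelled as plain set operations. The following is an added example written for this page, not Oracle's code or a description of its internal implementation: the role names, privilege codes, and user IDs are constructed sample data, and the entitlement is assumed to be a plain set of privilege codes. It shows the difference between the standard (bottom-up) scope, which keeps only roles that carry an entitlement privilege and are actually assigned, and the continuous scope, which keeps every role that carries such a privilege, and then computes the day-over-day set of new in-scope assignments that would land in the certifier worksheet, plus the list of Remove decisions a removal report would carry.

```python
"""Model of bottom-up scoping and continuous-certification deltas.

Added illustration for this page; not Oracle's code. All role names,
privilege codes and users below are constructed sample data.
"""

# Constructed sample: each role and the privileges it grants.
ROLE_PRIVILEGES = {
    "General Accountant": {"GL_CREATE_JOURNAL", "GL_POST_JOURNAL", "GL_VIEW_LEDGER"},
    "GL Period Close Specialist": {"GL_CLOSE_PERIOD", "GL_POST_JOURNAL"},
    "Payables Manager": {"AP_APPROVE_INVOICE", "AP_VIEW_INVOICE"},
    # Stands in for the "unexpected" role Jim finds: it carries a posting privilege.
    "Custom Finance Helper": {"GL_POST_JOURNAL_BATCH", "AP_VIEW_INVOICE"},
    # Carries a posting privilege but is assigned to nobody yet.
    "Journal Reverser": {"GL_REVERSE_JOURNAL"},
}

# Constructed entitlement: the four privileges that allow posting activity.
POSTING_ENTITLEMENT = {
    "GL_POST_JOURNAL",
    "GL_POST_JOURNAL_BATCH",
    "GL_REVERSE_JOURNAL",
    "GL_POST_INTERCOMPANY",
}

# Constructed assignment snapshots as (user, role) pairs.
DAY0_ASSIGNMENTS = {
    ("ana", "General Accountant"),
    ("bob", "GL Period Close Specialist"),
    ("carl", "Custom Finance Helper"),
    ("dee", "Payables Manager"),
}
DAY1_ASSIGNMENTS = DAY0_ASSIGNMENTS | {
    ("eve", "Custom Finance Helper"),   # new posting-capable assignment
    ("fay", "Payables Manager"),        # new, but out of scope
}


def roles_with_entitlement(role_privs, entitlement):
    """Roles that include at least one privilege from the entitlement."""
    return {role for role, privs in role_privs.items() if privs & entitlement}


def standard_scope(role_privs, entitlement, assignments):
    """Bottom-up scope for a standard certification: roles that carry an
    entitlement privilege AND are assigned to at least one user."""
    assigned_roles = {role for _, role in assignments}
    return roles_with_entitlement(role_privs, entitlement) & assigned_roles


def continuous_scope(role_privs, entitlement):
    """Scope for a continuous certification: every role that carries an
    entitlement privilege, assigned or not, since it may be assigned later."""
    return roles_with_entitlement(role_privs, entitlement)


def new_assignments(previous, current, scope):
    """Assignments that appeared since the previous snapshot and fall in scope;
    these are what the continuous certifier's worksheet would show for the day."""
    return sorted((u, r) for u, r in current - previous if r in scope)


def worksheet(scope, assignments):
    """Group in-scope assignments by role, as a certifier would review them."""
    sheet = {}
    for user, role in sorted(assignments):
        if role in scope:
            sheet.setdefault(role, []).append(user)
    return sheet


def removal_report(decisions):
    """(user, role) pairs marked Remove; what a removal report would list."""
    return sorted(pair for pair, action in decisions.items() if action == "Remove")


if __name__ == "__main__":
    std = standard_scope(ROLE_PRIVILEGES, POSTING_ENTITLEMENT, DAY0_ASSIGNMENTS)
    cont = continuous_scope(ROLE_PRIVILEGES, POSTING_ENTITLEMENT)
    print("standard scope:  ", sorted(std))
    print("continuous scope:", sorted(cont))
    print("day 0 worksheet: ", worksheet(std, DAY0_ASSIGNMENTS))
    print("day 1 new items: ", new_assignments(DAY0_ASSIGNMENTS, DAY1_ASSIGNMENTS, cont))
    decisions = {("carl", "Custom Finance Helper"): "Remove",
                 ("ana", "General Accountant"): "Approve"}
    print("removal report:  ", removal_report(decisions))
```

Two points the model makes visible: the role assigned to nobody (Journal Reverser) is dropped from the standard scope but kept in the continuous scope, and a new assignment of an out-of-scope role (fay's Payables Manager) never reaches the posting-review worksheet even though it is new.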

For a continuous certification, a certifier's decision takes effect the day he submits it, unless the role manager acts to reverse it. In this example, of course, Jim is the role manager and so doesn't reverse his own decision. If a security owner were to run the removal report, she would find a request to remove the role assignment and could act on it immediately.

Subsequently, on some days there are no new assignments to review. On other days, new assignments appear in Jim's worksheet. On each of those occasions, the previously submitted worksheet reopens, and Jim receives a notification to act. By this time he's convened his meeting about the suspicious role, has determined that it should not exist, and so it's no longer available to be assigned to users. So the roles he's reviewing are those he's familiar with, and he approves their assignment to some users but rejects their assignment to others. As he does, he's able to use an audit history feature to review the decisions he's made. With each day's decisions, he opts to resubmit his worksheet.

When the quarter ends, Jim decides the continuous certification has served its purpose. Acting as role manager and owner, he performs the necessary actions to finalize the certification.