As more customers adopt cloud applications, they are facing new challenges as the security privileges within the roles granted to users are automatically updated. For example, Oracle Cloud ERP Cloud customers receive quarterly updates which include new privileges granted to users through existing roles and the inherited duty roles are updated, introducing new risk.
To ensure completeness and accuracy, external auditors expect ERP customers to review the impact of new privileges and update the SoD rules to ensure that the mutually exclusive activity sets include any new privileges that may generate violations of the SoD policies.
Until now, Rule Owners have reviewed SoD Rules by navigating to the Rules Management page where a full history of the current rule and past rule versions are available. A Rule Owner role in SafePaaS is assigned to a compliance manager or a business manager responsible for controls in certain business processes, activities or applications. Rule Owners have access to the rules reports under the analytics menu to review all the rules and the exceptions to those rules that have been accepted previously.
The latest Audit Access Policy Review feature further streamlines the periodic Rules Review process and provides an audit trail of the rules review process. It ensures that complete and accurate SoD rules are applied to detect control violations by enabling the Rule Owners to verify and record periodic review of each SoD Rule by validating rule details such as risk level, conflicting activities and privileges. Rule Owners can also review any exceptions to the SoD rules that may have been applied to accept certain risks where compensating controls prevent deficiencies.