Employee Role issues in Oracle ERP/HCM Cloud

In Oracle ERP/HCM Cloud there has been a long-standing risk with the Employee role, a role which on the face of it should just handle tasks such as Time Entry, Expenses, and Vacation/PTO requests. The reality is that this role has been granted far too much access in its delivered state, giving the users attached to the role the ability to:

* Upload data.

* Manage the delegation of their own security.

* Manage Supplier Bank Accounts.

* Perform Item Master Maintenance.

and many more.

This role is over-provisioned and has been used in every environment we have evaluated.

If you have been aware of these issues, you have been fortunate and have no doubt had the opportunity to create a new Employee role. For everyone else, the access has been a major surprise!

Aside from the finance and supply chain issues mentioned above, Oracle provides the opportunity for users to delegate their security. This allows a user to assign their roles to other users (the role in question then becomes available for delegation to other users). This process can bypass your security provisioning process and result in changes being made out of compliance.

The Solution

The Employee role should be limited to tasks that all employees undertake, such as entering their time, requesting time off, entering expenses, and reviewing HR and other employment documents.

Transactions and other processes should be split out into other Roles that are then provided to users who need this access specifically, and nothing more.

Your organization needs to decide whether delegating security is a process you want to use, let alone whether the Employee role should be granted the access or not. We find that many organizations are uncomfortable with this process being available to anyone.

If you are using the Employee role, it should be copied and its access restricted to the kind of access you wish your employees to have. This should restrict any processes that interfere with the security provisioning process and the ability to upload data that can impact your financial and other sensitive areas.

Do you want better security, controls and assurance in your Oracle applications?

Seecuring provides everything from training through to full evaluation of your application controls. We can provide results and get you on the path to resolving any issues within a week!

  • Segregation of Duties.

  • Sensitive Access.

  • User Access Reviews.

  • Patch Impact Analysis & Configuration Changes.

If you need help further understanding the implications of this role and the other sensitive access it has, please reach out. We have reviewed the delivered roles, and many of them create segregation of duty and other risks to your processes.