06 Mar 19 Part 7: Concurrent Programs are a Risky Business too
Focus on Functions
For the most part, when people talk about access-related risk within Oracle EBS, they are talking about “functions” that carry risk. A function is typically a screen (or form) that performs some task; for example, there are functions in Oracle EBS where the user can create new suppliers, invoices, purchase orders, and so on.
Oracle EBS contains more than 47,000 functions (as of 12.2.8), and most of the functionality EBS provides is delivered through them, so it stands to reason that any risk analysis focuses on functions.
Considering Concurrent Programs
There is another, largely overlooked area of access-related risk within Oracle EBS: concurrent programs.
A concurrent program is a process that typically runs as a background job and performs some task or generates a report. The majority of concurrent programs are of the reporting type, but many perform tasks that could be said to carry some degree of risk, and yet most organizations don’t even consider concurrent programs in their risk analysis.
More Than Just Reporting on Data
As of Oracle EBS 12.2.8 there are around 13,000 concurrent programs. Based on our most recent analysis, over 2,000 of these could have some risk associated with them because they do more than just report on data. Some of the things a “risky” concurrent program might do are:
- Archive data
- Purge data
- Process data
- Import data
- Decrypt data
- Export data
Users are typically given access to concurrent programs via something called a Request Group (there are other ways of providing access). They are not administered in the same way that functions are: even though a user usually reaches them initially via some menu option, it is not really the menu as such that has to be analysed to determine exactly which concurrent programs a user can access. This can make it quite tricky to determine where the risks related to concurrent programs are.
Treat Just Like Functions
In terms of Segregation of Duties, concurrent programs should really be treated just like functions. Some concurrent programs are a risk on their own and some are a risk when available with another concurrent program or even another function. So your chosen SoD solution should have the ability to identify and analyse concurrent program related risks just like it can for functions.
Furthermore, as well as using a software solution that can handle concurrent programs, your risk matrix should also include concurrent programs.
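As an added illustration (not code from the original article or from any product it mentions), the sketch below resolves each user's concurrent programs through the request group attached to their responsibilities and evaluates them in the same risk matrix as functions. All user, responsibility, request group, program and rule names are constructed sample data.

```python
# Added example: every name and mapping below is constructed sample data,
# not taken from a real EBS instance.
USER_RESPS = {
    "alice": ["AP Clerk", "AP Batch Operator"],
    "bob": ["AP Clerk"],
    "carol": ["AP Archive Admin"],
}
RESP_FUNCTIONS = {          # functions reachable through each responsibility's menu
    "AP Clerk": {"Enter Invoices"},
    "AP Batch Operator": set(),
    "AP Archive Admin": {"View Invoices"},
}
RESP_REQUEST_GROUP = {      # request group attached to each responsibility
    "AP Clerk": "AP Reports",
    "AP Batch Operator": "AP Interfaces",
    "AP Archive Admin": "AP Housekeeping",
}
REQUEST_GROUP_PROGRAMS = {  # concurrent programs contained in each request group
    "AP Reports": {"Invoice Register Report"},
    "AP Interfaces": {"Import Suppliers", "Export Payment File"},
    "AP Housekeeping": {"Purge Invoice Data"},
}
# Risk matrix: a rule fires when the user holds every entitlement it lists.
RISK_MATRIX = {
    "R1 purge on its own": {("program", "Purge Invoice Data")},
    "R2 import suppliers + enter invoices": {("program", "Import Suppliers"), ("function", "Enter Invoices")},
    "R3 import suppliers + export payments": {("program", "Import Suppliers"), ("program", "Export Payment File")},
}

def entitlements(user):
    """Return {(kind, name): set of responsibilities granting it} for one user."""
    held = {}
    for resp in USER_RESPS.get(user, []):
        for fn in RESP_FUNCTIONS.get(resp, set()):
            held.setdefault(("function", fn), set()).add(resp)
        group = RESP_REQUEST_GROUP.get(resp)  # programs come via the request group, not the menu
        for prog in REQUEST_GROUP_PROGRAMS.get(group, set()):
            held.setdefault(("program", prog), set()).add(resp)
    return held

def violations(user):
    """Return {rule: sorted responsibilities involved} for every rule the user trips."""
    held = entitlements(user)
    found = {}
    for rule, needs in RISK_MATRIX.items():
        if needs.issubset(held):
            found[rule] = sorted(set().union(*(held[e] for e in needs)))
    return found

if __name__ == "__main__":
    for user in USER_RESPS:
        print(user, violations(user))
```

Rule R2 only shows up for the sample user "alice" because the program and the function arrive through two different responsibilities, which is the kind of conflict a function-only analysis would miss.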
Most of the organizations we’ve worked with over the years have never even considered concurrent programs and the risk associated with them.
Want to find out how we can help you manage the risks associated with concurrent programs? Get in touch today and ask us about CS*Comply.
Next Week & Early Access
The next article in this series is “False positives are a pain”.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.