06 Mar 19 Part 7: Concurrent Programs are a Risky Business too
Focus on Functions
For the most part, when people talk about access related risk within Oracle EBS, they are talking about “functions”. A function is typically a screen (or form) that performs some task; for example, there are functions in Oracle EBS where the user can create new suppliers, invoices, purchase orders…etc.
Oracle EBS contains more than 47,000 functions (as of 12.2.8).
Most of the functionality provided by EBS is done via functions.
So it stands to reason then that the focus of any risk analysis is in and around functions.
Considering Concurrent Programs
There is another area of risk that is largely overlooked within Oracle EBS, and that is with concurrent programs.
A concurrent program is a process that typically runs as a background job that performs some task or generates a report. The majority of concurrent programs are more the reporting type but many concurrent programs perform tasks that could be said to carry some degree of risk and yet most organizations don’t even consider concurrent programs in their risk analysis.
More Than Just Reporting on Data
As of Oracle EBS 12.2.8 there are around 13,000 concurrent programs. Based on our most recent analysis, there could be over 2,000 that have some risk associated with them because they do more than just report on data.
Some of the things a “risky” concurrent program might do are…
- Archive data
- Purge data
- Process data
- Import data
- Decrypt data
- Export data
Users are given access to concurrent programs via something called a Request Group (there are other ways of providing access). They are not administered in the same way that functions are, and even though for the most part a user accesses them initially via some menu option, it is not the menu that requires analysis to determine precisely which concurrent programs a user can access. This can make trying to determine where risks are as it relates to concurrent programs quite tricky.
Treat Just Like Functions
In terms of Segregation of Duties, concurrent programs should be treated just like functions. Some concurrent programs are a risk on their own and some are a risk when available with another concurrent program or function. So your chosen SoD solution should have the ability to identify and analyze concurrent program related risks just like it can for functions.
Furthermore, as well as using a software solution that can handle concurrent programs, your risk matrix should also include concurrent programs.
For most of the organizations we’ve worked with over the years, many don’t consider concurrent programs and the risk associated with them.
Want to find out how we can help you manage the risks associated with concurrent programs? Get in touch today and ask us about CS*Comply.
Next Week & Early Access
The next article in this series is “False positives are a pain“.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.