OTBI Enterprise For HCM: Security Overview

OTBI Enterprise for HCM
Security Overview
April 10, 2015
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 2
OTBI Enterprise Security Overview
1 Oracle Public Cloud

2 Application
3 Identity Management
4 Object Security
5 Data Security
Introduction
• OTBI Enterprise is protected by multiple
layers of security
• Security is integrated into the platform,
middleware, and application
• Security should be pervasive, but not
intrusive
Oracle Public Cloud
Oracle Public Cloud Security
• The following section is based on the content described in the Oracle Cloud
Hosting and Delivery Policies
– http://www.oracle.com/us/corporate/contracts/cloud-hosting-delivery-policies-
1881437.pdf
• This hosting policy applies to all of Oracle Cloud Services
Security Element Description
Physical Security Oracle office locations and production cloud data centers are compliant with
industry best practices, including safeguards for restricted access, visible
identification, monitoring, and more.
Additional physical security safeguards are in place for data centers that include:
• Premises are monitored by CCTV
• Physical barriers designed to prevent vehicles from unauthorized entry
• Entrances are manned 24 hours a day, 365 days a year by security guards
Firewalls Oracle Cloud Services utilize firewalls to control access between the Internet and
Oracle Cloud Services by allowing only authorized traffic.
Oracle managed firewalls are deployed in a layered approach to perform packet

inspection with security policies configured to filter packets based on protocol,
port, source, and destination IP address, as appropriate, in order to identify
authorized sources, destinations, and traffic types.
Network Access Control Oracle Cloud operations access customer environments through a segregated
network connection and is isolated from Oracle's internal corporate network.
Authentication, authorization, and accounting are implemented through standard
security mechanisms to manage approved access to the system.
Anti-Virus Controls Oracle Cloud employs industry standard anti-virus software to scan uploaded files.
Viruses that are detected are removed (or quarantined) automatically, and an alert
is automatically generated which initiates Oracle’s incident response process.
User Encryption for External SSL connections are negotiated for at least 128 bit encryption or stronger.
Connections
The private key used to generate the cipher key is at least 2048 bits. SSL is
implemented or configurable for all web-based SSL certified applications deployed
at Oracle.
System Hardening Oracle employs standardized system hardening practices across Oracle Cloud
devices.
This includes restricting protocol access, removing or disabling unnecessary
software and services, removing unnecessary user accounts, patch management,
and logging.
Oracle Software Security Oracle Software Security Assurance (OSSA) is Oracle's methodology for building
Assurance security into the design, build, testing, and maintenance of its services.
The OSSA program is described at:
http://www.oracle.com/us/support/assurance/overview/index.html.
Oracle Public Cloud Certifications
• ISO 27001
• Certificate of conformance for ISO 27002, SOC 1, SOC2
• US Federal Government NIST 800-53 & DIACAP, and 21 CFR part 11
• PCI compliant (level 1)
• Safe Harbor certified for onward transfer of data from the European Union.
Application
Application Security: Database Isolation
• Customer’s data that flows into OTBI
Enterprise from their Oracle Cloud, OTBI Enterprise Service: STAGE
Oracle On-premises, and 3rd party OTBI Enterprise Service: PROD
Application Tier
applications flow into a dedicated BIP
Server
Conf.
Tools
data warehouse database for the
Identity Manager
BI BI Repl.
Oracle Cloud
Server ODI
Storage
customer’s OTBI Enterprise instance ZFS Storage
(Stage or Production)
Data Tier
Dedicated
• Ensures that customer’s data does Database
not comingle with another customer’s

data, ensuring the highest levels of
data segregation and security.
Application Security: Transparent Database Encryption (TDE)
• OTBI Enterprise takes advantage of
the Transparent Database Encryption
capabilities of the Oracle 12C Database
to safeguard the contents of the data
warehouse, ensuring that data-at-rest
is inaccessible to any unauthorized access attempt.
• TDE encrypts the entire set of application tablespaces and its high-speed
cryptographic operations make performance overhead negligible.
Application Security: Restricted Access
Element Description
Operating System • OTBI Enterprise administrators and integration partners do not have access to the
underlying operating system supporting OTBI Enterprise. All configuration is performed
through the BI Applications Configuration Manager.
• Access to BIACM is managed via the administration roles available, ensuring that
customers can securely manage access to the configuration utility.
Middleware • Similar to the operating system, the only access to the Fusion middleware that supports
OTBI Enterprise is through the BIACM configuration utility.
Database • No external access is allowed directly to the database. Data may only be access via the
OTBI Enterprise application, ensuring that business, security, and role based access
controls are maintained.
• OTBI Enterprise does allow users to export data to common formats, such as CSV, XML,
or Excel files, but the exported data is subject to that individual users data access
privileges (see “Data Security” on page 9 for more information).
Application Security: Integration – Data-in-Transit
• Data transferred from source
applications, including HCM,
Talent, Sales, or Service Clouds
or from on-premises Oracle
applications is secured via HTTPS
• SSL connections are negotiated
for at least 128 bit encryption or
stronger. The private key used to
generate the cipher key is at least
2048 bits.
Application Security: Integration – Data-at-Rest
• Additionally, customer may
encrypt the HCM Cloud or
Sales Cloud extraction files while
stored in Oracle Cloud Storage.
• Customers have the choice of
generating a new key or
uploading an existing key at the
time of registering either an
HCM Cloud or Sales Cloud source.
• When OTBI Enterprise retrieves the encrypted extraction files from Oracle Cloud
Storage, the contents of the file will be decrypted upon loading into the OTBI Enterprise
data warehouse.
Identity Management
User & Application Role Management
• OPC Identity Management in the Oracle
Cloud is responsible for managing user
access to OTBI Enterprise.
– In some cases, OPC Identity Management will
federate SSO with a Fusion Cloud Application
Users and Role and in other cases will serve as the Identity
OPC Identity Managed via Provider itself.
Management Oracle Cloud
MyServices • OTBI Enterprise maintains the Policy
Store in its local database which stores
the security definitions of the roles as
OTBI Enterprise
well as individual user object security
Policy Store
Maintained in definitions.
OTBI Enterprise
Database
Scenario 1: Fusion HCM Only
• When OTBI Enterprise is
connected to a Fusion cloud
application (HCM or CRM), the
Fusion HCM Fusion application will function as
the Identity Provider (IdP).
• When users are challenged for
their credentials by OTBI
Enterprise (the Service Provider in
OTBI Enterprise OPC Identity this case), Fusion HCM will
Management authenticate user, allowing access
to OTBI Enterprise.
Scenario 1: Fusion HCM Only Process
1. User challenged for credentials upon
accessing OTBI Enterprise
2. OTBI Enterprise requests access
Fusion HCM authorization from MyService IDM.
4 3
3. As part of Federated SSO, request
identity verification from Fusion HCM.
6 5
4. If verified, Fusion HCM return Identity
Verification.
1 2
OTBI Enterprise OPC Identity 5. If user has access privileges,
Management MyServices IDM returns authenticated
request
6. User receives new OTBI Enterprise
session.
Scenario 2: Fusion HCM (as IdP) and Taleo
• In a Fusion/Taleo hybrid scenario where
Fusion HCM serves as the IDP, the Fusion
cloud application (HCM or CRM), OTBI
Enterprise users will be authenticated
Fusion HCM against Fusion HCM.
• Taleo only users (meaning users who
have access to Taleo but not Fusion
HCM), will need to be added as users to
Fusion HCM to have access to OTBI
Enterprise.*
OTBI Enterprise OPC Identity
Management
Note: In Fusion HCM, this should not be an issues
since licensing is based on number of
employees in a company. For Fusion Sales
Cloud, this could result in additional Fusion
Sales Cloud licensing costs.
Taleo
Scenario 2: Fusion HCM (as IdP) and Taleo Process
Fusion HCM authorization from MyService IDM.
User Must Exist in Fusion HCM

4 3
3. As part of Federated SSO, request
identity verification from Fusion HCM.
6 5
4. If verified, Fusion HCM return Identity
Verification. All users must be in
1 2
Fusion HCM
Management 5. If user has access privileges,
MyServices IDM returns authenticated
request
session.
Taleo
Scenario 3: Fusion HCM and Taleo, OPC as IdP
• In a Fusion/Taleo hybrid scenario where
Fusion HCM serves as the IDP, the Fusion
cloud application (HCM or CRM), OTBI
Enterprise users will be authenticated
Fusion HCM against Fusion HCM.
• Taleo only users (meaning users who
have access to Taleo but not Fusion
HCM), will need to be added as users to
Fusion HCM to have access to OTBI
Enterprise.*
Management
Note: In Fusion HCM, this should not be an issues
since licensing is based on number of
employees in a company. For Fusion Sales
Cloud, this could result in additional Fusion
Sales Cloud licensing costs.
Taleo
Scenario 3: Fusion HCM and Taleo, OPC as IdP Process
User Must Exist in OPC Identity Management

Fusion HCM authorization from OPC Identity
Management.
3. OPC Identity manager verifies identity
4 3 and access privileges and returns
authentication request.
1 2
OTBI Enterprise OPC Identity session.
Management
Taleo
Scenario 4: Fusion HCM and PeopleSoft, OPC as IdP Process
User Must Exist in OPC Identity Management

Fusion HCM authorization from OPC Identity
Management.
3. OPC Identity manager verifies identity
4 3 and access privileges and returns
authentication request.
1 2
OTBI Enterprise OPC Identity session.
Management
PeopleSoft
Object Security
OTBI Enterprise Role Management
Role Based Access Control (RBAC)
• Recognized job roles are Oracle Public Cloud Identity Management
manually entered into Oracle Brandon (user)
Public Cloud Identity

Management Sales VP Line Manager
• OTBI Enterprise v2 supports

only pre-delivered job roles OTBI Enterprise
Sales VP Line Manager

• OTBI Enterprise v3 will provide
greater control over role
creation/management Application
Roles
Application
Roles
OTBI-E v2 Supported Job/Enterprise Roles
Role Role ID
OTBI Enterprise Service Administrator ASM_APPLICATION_IMPLEMENTATION_ADMIN_ABSTRACT
Payroll Manager PAY_PAYROLL_MANAGER_JOB
Line Manager PER_LINE_MANAGER_ABSTRACT
HR VP PER_HUMAN_RESOURCES_VP_JOB
Recruiting Manager
Compensation Analyst CMP_COMPENSATION_ANALYST_JOB
Compensation Manager CMP_COMPENSATION_MANAGER_JOB
HR Analyst PER_HUMAN_RESOURCE_ANALYST_JOB
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 29
Creating OTBI Enterprise Roles in OPC Identity Manager
1 1. In the Users section of Cloud
MyServices, select Custom Roles tab
and press Add.
2 2. Create a custom role in OPC Identity
Manager that matches the display and
role name as defined by the OTBI
Enterprise Policy Store.
3
3. Custom roles will then be assignable
to users to provide access privileges to
OTBI Enterprise.
NOTE: Role definitions can also be

imported into OPC Identity Manager for
bulk loading via a CSV file.
Data Security
Data Security: Employee Position Hierarchy
• You’ll notice that the VP of Sales (A) has two direct reports, the
West Regional Manager (B) and the East Regional Manager (C).
And the West Regional Manager (B) has a direct report, West
Sales Rep 1, and so on.
• Consequently, we’d expect that the VP of Sales (A) would be
able to view data that can be seen by direct reports West
Regional Manager (B) and East Regional Manager (C). But this
also means that the VP of Sales can also view data for West
Sales Rep 1 (M).
• Yet, the West Regional Manager (B) can only see data at his/her
level and below and can not, unless explicitly granted additional
data acces privileges, view data for the East Regional Manager
(C) or below.
Top Level Level 1 Level 2 Base
A A A A
A B B B
A B M M
A C C C
A C D D
A C E E
A C D N
B B B B
B M M M
M M M M
C C C C
C D D D
C D N N
C E E E
Top Level Level 1 Level 2 Base • This flattened position dimension is used to filter content
A A A A by user position within the company and manage their
A B B B scope of visibility consistent with their responsibility within
A B M M the company hierarchy. This automatic filtering ensures
A C C C that regardless of when or where your users access
A C D D
content, they see only data that they are entitled to; this
A C E E
applies to their access from a web browser, tablet or
A C D N
smartphone, as well as to their viewing of default reports,
B B B B
custom dashboards built by your integration partner, or
B M M M
exported data to Excel.
M M M M • Regardless of where an individual exists in the overall
C C C C hierarchy of the company, when that user logs in, the
C D D D above tables will be used to determine their Top Level
C D N N position and any visibility below them if appropriate. If an
C E E E individual does not have any visibility below them, their
entire scope will be limited to only their individual data (as
in the case of M, N, and E).
OTBI Enterprise Data Security
• In addition to filtering data based on position within the company
employee position hierarchy, there may be additional security variables to
filter data when filtering based purely on position in hierarchy doesn’t
make sense. For example, data scope visibility may be further filtered
based on the Legislative or Payroll ID for data scope visibility with OTBI
Enterprise for HCM.
• In addition to role based access control,
OTBI Enterprise provides further data
security protection by row-level data
security.
– This supports use cases, for example, where a
user should only see data within their
department or a sales manager should only
see data within their territory.
• Data security definition takes into
consideration:
– Source
– User NOTE: When possible, OTBI Enterprise will automatically populate
values from source system to ensure row-level security. When not
– Object possible, these security definitions will need to be created in OTBI
Enterprise BI Applications Configuration manager.
HCM CRM
• Department • Territory Hierarchy
• Supervisor Hierarchy • Resource Hierarchy
• Legislative Data Group • Partner Organization
• Payroll ID • Service Organization

OTBI Enterprise For HCM: Security Overview

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

OTBI Enterprise For HCM: Security Overview

Transféré par

Droits d'auteur :

Formats disponibles

OTBI Enterprise for HCM

April 10, 2015

1 Oracle Public Cloud

Oracle managed firewalls are deployed in a layered approach to perform packet

Oracle On-premises, and 3rd party OTBI Enterprise Service: PROD

data warehouse database for the

• Ensures that customer’s data does Database

not comingle with another customer’s

User Must Exist in Fusion HCM

User Must Exist in OPC Identity Management

User Must Exist in OPC Identity Management

manually entered into Oracle Brandon (user)

Public Cloud Identity

• OTBI Enterprise v2 supports

Sales VP Line Manager

NOTE: Role definitions can also be

• Payroll ID • Service Organization

Vous aimerez peut-être aussi