Thursday, January 19, 2012

Sarbanes Oxley (SOX) And Hyperion Enterprise Security


Sarbanes Oxley (SOX) And Hyperion Enterprise Security [ID 809234.1]




Applies to:

Hyperion Enterprise - Version: 6.3.0.0.00 and later [Release: 6.3 and later]
Information in this document applies to any platform.
This knowledge document replaces 587872.1 and 589129.1, which have been deleted.

Goal

Sarbanes Oxley and Hyperion Enterprise Security options.

Solution

For most file-based applications, all users must have Read, Write, and Execute access to Hyperion Enterprise program and database files. Only Delete access can be restricted.

In response to Sarbanes Oxley, Oracle Hyperion Enterprise 6.3 and above can offer the following with regard to application security:

1. Starting with version 6.3, Hyperion Enterprise offers a new option: External Authentication.
This gives users the convenience of single sign-on with their network UserID, while the existing operating system security can be used to require minimum-length passwords, password expiration, etc.


2. Hyperion Enterprise's security module allows you to create separation of duties via the access rights granted to specific tasks and elements.
For instance, while one user is granted the right to create journal entries, another user must review that journal before it can be posted by yet another user.

The account that was used to create the application (often the "ADMIN" account) cannot be deleted or locked.
The only alternative is to set the rights of this user so that it has no access within the application (although it will still exist).
To do this, set the rights of 'Admin' to NONE for all Security Classes.
Please ensure that at least one other administrative user with full rights to everything is set up in the application; otherwise it is possible to become locked out of the application.
The recommended approach is to leave the 'Admin' account in place but to protect it with a very strong password.
It is advisable that each user has a username and password for accessing the application.


3. With Hyperion Enterprise Reporting Web (HERW) Server, you can limit the access of users who only need to run reports.
These users need no direct access to the Enterprise application files on the HER web server. They need only a link to the web page. The HER Web users need write access to the spider.ini but only read access for everything else. Only the HERW Server impersonation account needs full access to the Hyperion Enterprise program and database files.


4. Starting with Hyperion Enterprise 6.3, you can implement the Enterprise Web Component.
Again, all the individual user needs is access to the web site. They can then view data, submit files for loading, etc. A network ID with full access to Enterprise files actually accesses the application data based on the individual users' internal Enterprise access rights as set up in the Enterprise security module.


5. Install and implement the Hyperion Data Server Controller in Hyperion Enterprise. Only the ID that runs the Data Server Service needs full access to the database files. Users will need only Read access.


6. Use the Journals module for any post-load adjustments.


7. Consider using Hyperion Financial Data Quality Management (FDM) for a data load audit trail.
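
A check for item 5 above, as an added example that is not part of the original note or any Oracle code: it parses English-locale `icacls` output for the database files and reports any principal other than the Data Server service ID that is allowed more than read access. The paths, domain, account names and sample output are constructed assumptions.

```python
import re

INHERIT = {"I", "OI", "CI", "IO", "NP"}   # icacls inheritance markers, not rights
READ_ONLY = {"R", "RX"}                   # Read, Read & execute
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]+\))+)$")

def parse_icacls(path, text):
    """Return [(principal, rights, is_deny)] from the output of `icacls <path>`."""
    aces = []
    for i, line in enumerate(text.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]       # first ACE shares its line with the path
        m = ACE_RE.match(line.strip())
        if not m:
            continue                      # blank line or the trailing summary line
        tokens = set()
        for group in re.findall(r"\(([^)]+)\)", m["flags"]):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m["who"], tokens - INHERIT - {"DENY"}, "DENY" in tokens))
    return aces

def audit(acls, full_access_ids):
    """List (path, principal, rights) where a principal outside full_access_ids
    is allowed anything beyond read access."""
    allowed = {p.lower() for p in full_access_ids}
    findings = []
    for path, text in acls.items():
        for who, rights, is_deny in parse_icacls(path, text):
            extra = rights - READ_ONLY
            if extra and not is_deny and who.lower() not in allowed:
                findings.append((path, who, sorted(extra)))
    return findings

# Constructed sample: paths, domain and account names are made up for illustration.
SERVICE_ID = r"CORP\svc_dataserver"
SUMMARY = "Successfully processed 1 files; Failed processing 0 files"
SAMPLE = {
    r"D:\HE\Data\sample1.dat": "\n".join([
        r"D:\HE\Data\sample1.dat CORP\svc_dataserver:(I)(F)",
        r"                       CORP\HE_Users:(I)(RX)", "", SUMMARY]),
    r"D:\HE\Data\sample2.dat": "\n".join([
        r"D:\HE\Data\sample2.dat CORP\svc_dataserver:(I)(F)",
        r"                       CORP\HE_Users:(I)(M)",
        r"                       CORP\jsmith:(R,W)", "", SUMMARY]),
}

if __name__ == "__main__":
    for path, who, rights in audit(SAMPLE, {SERVICE_ID}):
        print(f"{path}: {who} has {','.join(rights)}, expected read-only")
```

On a live server, the dictionary would be filled by running `icacls` once per database file and capturing its output.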
