9.2 Upgrades for SecURITY

9.2 Upgrades for SecURITY Admins: Lessons Learned

SESSION 35354March 8, 2016

presenters

Matt Lemme

PS Security Administrator

University of Colorado

matt.lemme@cu.edu

PS Security Admin with CU System Administration since November 2014.

6 years of experience with PeopleSoft security (4 as a distributed security coordinator)

Focus on student systems and portal

presenters

Ryan McDaniel

Assistant Director of IAM

University of Colorado

ryan.mcdaniel@cu.edu

Becky Kimminau

PS Security Administrator

University of Colorado

rebecca.kimminau@cu.edu

Lorem ipsum dolor sit

amet

,

consectetur

adipiscing elit. Aliquam molestie lectus at nibh semper egestas. Maecenas vel nisi blandit, egestas sapien eget, accumsan leo. Curabitur orci massa, blandit sed sollicitudin vitae, eleifend posuere sem.

Lorem ipsum dolor sit

amet

,

consectetur

adipiscing

elit

.

Aliquam

molestie

lectus

at

nibh

semper

egestas

. Maecenas

vel

nisi

blandit

,

egestas

sapien

eget

,

accumsan

leo

.

Curabitur

orci

massa

,

blandit

sed

sollicitudin

vitae,

eleifend

posuere

sem.

UNIVERSITY OF COLORADO

ORGANIZATION & ORACLE

If relevant,

organizations include

their recent and current

version or status

with Oracle/PeopleSoft

modules

Overview

1

BACKGROUND

Legacy

Scope

Timeline

Participation

2

CHALLENGES

3

LESSONS LEARNED

Delegation

Environments

Change Management

Production4Q&A

DISCLAImERMuch of what we will cover regarding our experience with our recent 9.2 upgrades applies to upgrades generally and is not technically specific to 9.2.

BACKGROUND

Are we really doing this??

Legacy - sharedPeopleTools

8.49No upgrades/bundle applications in many yearsHeavily customizedSecurity

Many

users with secondary accounts due to

customizations

Inconsistent naming of security (and other) objects

FIN legacyFIN 8.4

1 Business Unit segregated in separate FIN instance

Hcm legacy

HRMS 8.9SecurityRoles did not make sense to users1 permission list per role

9.2 upgrade SCOPE - SHARED

PT 8.54DecustomizationWorkflow implementationSecurity

Retiring secondary accounts

Redesign

Roles based on job functions

Permission lists based on business processes

Principle of Least PrivilegeService accounts as well as end usersNon-page security (component interfaces, web services)Naming standardization

Oracle Upgrade Lab

Phire

for change management

9.2 upgrade SCOPE - SHARED

9.2 security needsWorkCentersActivity Guides – hardcoded roles

Unified Navigation

Fluid

FIN 9.2 upgrade SCOPE

Implementation of Grants module, including Grant SecurityReimplementation of security due to significant change in objects

HCM 9.2 Upgrade SCOPE

Employee portal redesignEmployee portal security redesignMove away from Public content referencesContent Reference Security by Permission List instead of

Role

MFA

for privileged users

9.2 upgrade TIMELINE

2-year programInitial project for fit-gap analysis aimed at decustomizationUpgrade/Execution

projects

University Information Services

Office of the University Controller (FIN)

Employee Services (HCM)

3 weeks from scheduled cutovers go live was postponed for 4 weeks because FIN campus users were not yet comfortable with new systemEarly December 2015 go live

SECURITY TEAMAssistant Director

2 FT PS Security AdminsConsultantsCount1 for 6 months until original go live

2 for 2 months around go live

1 for an additional month after go live

Responsibilities

Creating cutover provisioning scripts

Grants Security in FINPOI Security in HCMMonitoring and assisting with resolution of production issues

Business office security

approvers

9.2 upgrade CURRENT STATUS

3 months since go liveSecurity: Go-live/Crisis mode for 2 months after actual go liveBrought in a change management consultancy to run command center, track issues, and stabilize system

Stabilization project

#

1 priority – Grants on FIN side

Campuses needing to close books

Closed December in last FebruaryElevate Phase 2 – Projects that were descoped for go live

CHALLENGES

What could go wrong??

Challenges

Dual UpgradeDevelopers, business office staff only working in one environmentTough to go back and forthNumber of environments

CU had a dozen environments for each application

Oracle

Upgrade

Lab

Not sure what to expect, what would come throughWhich objects sourced from HR89 vs UPGUsers from HR89Security objects from UPGUpgrade process blew away custom permission

lists, which created orphans

Blew

away directory

configuration

in one app but not the other

Staffing

levels

Challenges

Delegated responsibility for some security administration workSecurity approvers had other responsibilities and often were not able to provide requirements on time

If they occurred, we were not included in conversations with campus users regarding Business Unit security, POI security, etc.

Issues with boundaries and consequences

Provisioning of IT staff

Messing with service accounts

Granting admin rolesKnowledge transfer to security admins, security coordinatorsBusiness

office-engaged third-party development

Knowledge transfer to security admins, security coordinators

Challenges

Interim securityProductionLate development

LESSONS LEARNED

Never make the same mistake twice. Make it five or six times, you know, just to be sure.

GENERALDual upgrade – DON’T DO IT!!

Interim securityBe careful with admin roles

DELEGATION

Recommend against delegating security work to business officesBusiness office approves should provide requirements

Development responsibility of security admins

If you are going to delegate,

s

et expectations

DeadlinesBoundariesConsequencesNaming conventions

DELEGATION

Clearly delineate responsibility for objectsBusiness office permission lists and rolesSelf Service permission lists and rolesIT

permission lists and roles

PeopleTools

security

Query trees

Row-level securityUser PreferencesDevelop clear transition plan after go-live and communicate eventsRemoval of admin roles

ENVIRONMENTSHave a clear environment strategy and hold to it

Resist environment proliferation!Maintenance involvedNew environment setup

Refreshes

Less clarity regarding purpose of environment

More opportunity for security to scatter

Have a dedicated security environment (SEC)

Change manAgement

Group related security objects in projectsSource all security objects from same environmentRespect your sources!Make changes in designated source environment and migrate instead of making same change in multiple environments

Easy to evaluate compares

Migrate

all changes to all environments (where

appropriate)

Isolate security objects that may have a lot of last minute changes (e.g., Production Services/Scheduler) in dedicated projectMore, smaller projects better than fewer, larger projectsCan quickly evaluate compares

Migrations do not take as

long

Designate

one detail-oriented, organized individual to manage migrations

Change manAgement

Object group

Change

Request

Source

UPG migration

dttm

Business Office

CR000314

SP3

11/17/15 10:24PM

Service Accounts

CR000284

SP211/17/15 10:38PM ITCR000588SP311/17/15 7:50PM SmartCR000595SP311/16/15 2:33PM TreesCR000731SP311/17/15 10:50PMLate ChangesCR000799

TST

Change tracking spreadsheet

PRODUCTION ISSUESStrategize

Triage for x days/weeks, then return to normal change management processConsider outliersConsultants

Go-live needs

Continued development

Emergency changes

Issue tracking

Distribution list

RELATIONSHIPSIf anything is off, it’s security.

Manage perceptionsSmile 

Concluding thoughts

ANY QUESTIONS?

SUMMARY

presenters

Jane Doe

Title of Presenter

Company Name

email@address.com

John Doe

Title of Presenter

Company

Name

email@address.com

all Alliance presentations

will be

available for download from the Conference Site

THANK YOU!