Security tool

Hello

Has any one used tools like Qsoft and Allout for security maintenance.

I would like to get your views on these product. My company is looking into these tools and try to see what are the pro and cons of these tools. Why would be one better than the other.

Any suggestions, help would be appreciated

Nick

We looked at both. They are both good tools. We ended up buying All-out. Qsoft was crazy expensive, and that's an opinion coming from a Fortune 500 shop. We have have all-out installed in Europe and a project planned for Noth America in the first or second quarter of 2010.

- Gregg

[ QUOTE ]

Qsoft was crazy expensive, and that's an opinion coming from a Fortune 500 shop.

[/ QUOTE ]

Maybe it was expensive because you are a Fortune 500 shop. I didn't deal with the pricing but the company I work at now is the biggest bunch of penny pinchers I've ever been at or seen so I can't imagine we would have bought QSoft if the price was too out of sorts. We talked with both QSoft and All Out before making a decision too, but again I can't comment on the actual numbers.

With that said I haven't actually worked with All Out in an actual security implementation but have worked plenty with QSoft and I have nothing but good things to say about it.

Greg,


Thanks for your reply
IN terms of features, did they look comparable. What was the othe factor ( apart from cost) which went in favour of Allout.

I assume they provide you with Pack( ASU) for the implementation. How much time would you say, you had to spend to get the product up and running.

Thanks

CNCJ,

Simply stating that you have nothing good to say 'bout QSoft - sort of leaves the world hanging. Do they know about your issues, either? No one can fix what they don't know about!

What was the negative experience, why? I am aware of at least five client installs where they reviewed both - and went with Q because the support level of Consultants that could do the Initial Install, Training and On-Going Support had a better customer review rating than those of AO.

My current client is an AO users - and, they do seem to be happy with the product...

Each product is tailored by the teams that built them - to a different fit and feel. Yes, this is a Windows vs Fruit-Company type agreement and each customer needs to invite both companies for an implementation review. The tailoring of each product does fit each company specifically.

(db)

[ QUOTE ]
CNCJ,

Simply stating that you have nothing good to say 'bout QSoft - sort of leaves the world hanging. Do they know about your issues, either? No one can fix what they don't know about!


[/ QUOTE ]

Dan, re-read what CNCJ said. He said that he has nothing BUT good things to say about QSoft.

Danny - he actually said "I have nothing but good things to say about it."

Kinda puts a different spin on it. From a demo perspective, and from conversations with consultants from both companies, they both sounded good. The All out guys were a softer sell than Qsoft. Allout does not modify your system, Qsoft does. In our assessment, you could use Allout for a year or two until your security was stable, and then drop it. In fact, that was one of their sales pitches. The Qsoft solution seemed to be a bit more permanent. They had their own modified security tables. it was our impression that once you started with Qsoft, you needed to keep using it.

to get the maximum value out of EITHER product, you needed to have a fresh implimentation. Both products are good at using menus to do security definitions. That's one of the hardest parts of security. There is less value in using the products in a mature system, which is why we are not rushing to use Allout in our mature XE system. In our very very new 8.12 system, it has been a good tool for the project team.

- Gregg

The quote is "I have nothing but good things" (emphasis mine); supportive of the product, not negative.

Crap - I must be in a really 'stupid' mood today. All that negativity of the world has gotten to me, where I can't see the good in ANYTHING...

CNCJ - please accept my apology....

To twist - ... what were the good experiences with Q?

very sorry and playing the part of major dimwit, this day (and this day comes only occasionally, I hope)...

(db)

While I agree that both tools have a lot of good things to offer , these tools have a lot more to offer to ERP 8.0 and Xe customers since roles are not available.

For 8.9 and above customers it is really only reporting, while may be the latest versions of these products have SOD conflict prevention mechanisms (Ideally this prevention should happen in your access control approval process)

One thing I don't like about these tools though (I saw this at two different customers , one who was using QSoft and another who is using All Out. The later versions of these tools might behave differently, but I have had limited exposure to these tools) is that they both usually overwrite all records for a user / role when you make any changes. You basically loose all tractability as to when a specific access was originally granted or denied as may be the case. You have to rely on your external approval or control process for that audit trail. I agree that nearly every organization would have this but it would have been easier if I could have just looked at the UPMJ on the F00950.

QSoft I believe stages a lot of things in custom tables before it writes it out to the E1 security tables, while AO deals directly with the E1 security tables (I actually prefer this)

With respect to automating the Menu/ Task Security (Finecut) , it is pretty neat , and may improve the end user experience by not showing menu structures they do not need , but one should in no way be relying on Menu Security to prevent access to something a user should not have access to. I have had to deal with "Security Officers" and auditors who get all up in my face because a menu is open without understanding that menu visible or not, my F00950 security will ultimately allow users to run only what they have been granted (Sorry that rant should probably not be there in this post , can we start a raves and rants section .? haha)

We're using E1 Qsecure and given the circumstances that the process was started while live for some time I thought it went pretty well. You install via the boomerang tool and set up probably only took and hour or two.

In particular I would say that the customer support was excellent although you have to consider the time difference as they are in the UK.

Its funny reading this thread since Q secure is forever sending me emails offering to help consult or extend my purchase. The thing is that the system works exactly as described and I'm happy with it.

There's not a lot of software in that category in general I'm sad to say.

Morglum

[ QUOTE ]
The later versions of these tools might behave differently, but I have had limited exposure to these tools) is that they both usually overwrite all records for a user / role when you make any changes. You basically loose all tractability as to when a specific access was originally granted or denied as may be the case. You have to rely on your external approval or control process for that audit trail. I agree that nearly every organization would have this but it would have been easier if I could have just looked at the UPMJ on the F00950.

[/ QUOTE ]

QSoft has full auditing available for all it's changes so as long as you make all your security changes via the QSoft E1Config tool you will have a record of all your security changes by looking at the audit of the component changes made.

A new version of QSoft E1Config was released not too long ago, version 4.0, with various minor enhancements (nothing major that I recall), but some did make the tasks to perform security administration a lot easier as I recall. I haven't worked with the 4.0 yet though.

All,

Thank you all very much for your inputs.

In my company we are already auditing Security tables and lot of paper work(!) in the name of change Management to track each specific security changes. SO trackign changes are not a big issue

As we are on E810, I don't want to just buy it for reporting purposes as we can always create reports on our own.

Menu security ( If you call it security) is not even an consideration here.

One big thing, which is of value is SOD. However, even that I would assume is unique to companies as each company have to manaully define what they would consider Transgression. Does these tool comes with well defined SOD( I.e this application should not be used with aother application) or is is part of the consulting engagement to really understand the companies requirement and build on that.

Would apreciate if you could share your expereince on that

Thanks

[ QUOTE ]


One big thing, which is of value is SOD. However, even that I would assume is unique to companies as each company have to manaully define what they would consider Transgression. Does these tool comes with well defined SOD( I.e this application should not be used with aother application) or is is part of the consulting engagement to really understand the companies requirement and build on that.



[/ QUOTE ]

Here's my $.02 worth..

Can't speak about SOD and Qsoft, but on AllOut, it has a section of predefined SOD rules. It has a rating system for the mildly interested to totally paranoid (my scale, they call them something else). It is set up like a Wizard. You pick the rule, it does an analysis, then you make intelligent choices. It's pretty slick. It also has some pretty good reporting for auditors and process owners.

The biggest value for a mature system is it's ability to combine roles. Typical example I get. Someone is in role A. Their job responsibilities change. They need to keep what they have, plus add in all of the menus and security access of role B. Right now, in XE, I have to do a manual comparision of the two roles, and create a new third role C. In all-out, the application does the analysis, and creates role C. Very slick.

For 8.10 users, it allows for multiple roles. Rather than the silly way that E1 uses, role sequencing, All-out creates a new superrole (they call it a combi-role) to merge two roles together. I think Q-Soft has a similar feature.

I am in the process of writing up a white paper on JDE security best practices, and am contemplating writing a book on the subject. In my opinion, there is value to be had from adding on either one of these tools, especially if a company is doing a new implimentation or upgrade and redoing security. The tools that come natively with E1 leave much to be desired.

- Gregg

I have used them both and I would have to say I prefer all out over Qsoft. I have done seven new implementations in the last couple years and the companies are amazed that we can implement an "all doors closed" security approach right from day one. On our current implementation, we are still 3 months from go-live and yet security is already 90+% complete. The rest will be flushed out in iCRP next month. The ability that all out has to sniff through a solution explorer task tree and idnentify embedded UBEs, pre-requisite tasks, and grant authority to row and form exits is quite impressive. That and the price is usually better than QSoft unless they have changed their pricing model in the last few years.

You ought to take a fresh look at Q Software. They have some neat new security automation tools to set up new security really quickly. Several people have told me they now prefer the Q Software user interface for new security. It is cleaner and less cluttered than Allout.

They have a really good and simple way to capture your existing security too to make ongoing maintenance much easier.

John

Heres my view - and I think it reflects others' views on the two products.

First of all, AllOut seems to be less expensive than QSoft in many respects. That might not be totally correct with all customers - but a lot of customers who choose AllOut do so because of price.

Secondly, QSoft likes to "replace" standard JDE security with their own model. That means that QSoft is certainly a "permanent" tool and will require ongoing maintenance etc. AllOut, on the other hand, was developed with the 8.x security model in mind - and so is more of a "management" tool for standard JDE security. That means that after a while, certain companies have dropped AllOut maintenance after they've implemented because the need for the product has gone.

However, because QSoft has its own model, it can perform a lot more reporting and "added functionality" compared to the AO toolset. With QSoft having been out a lot longer than AllOut, they have more modules and more functionality.

For smaller corporations with SOX requirements - AllOut works very well. For larger corporations, Qsoft seems to often suit those companies better. However, depending on your version/requirements - that can be interchangeable.

I thoroughly recommend getting both products in to trial, and comparing your requirements against their functionality before committing one way or the other.

Just one more opinion about AllOut and QSoftware...

To summarize the other posts, I agree Allout is more affordable and QSoftware has several technical advantages. I would go futher to say that if you have more than 100 user accounts, you must have a tool. You cannot implement E1 "all doors closed" security economically without a tool. Also, if you have to meet Sarbox requirements, you have to have a tool; P00950 will not cut it. I think many companies choose Allout because it is more affordable. However, if you have more than 250 users and / or 25 roles, I would highly recommend QSoft.

The challenge of setting up E1 security is getting all of the objects id'd and secured in a reasonable period of time. It is somewhat difficult to know the finite list of objects that must be secured. V4 of QSoft has an awesome new feature that allows you to use your custom solution explorer menus to set up security. Also, QSoft pulls out the security for hidden programs and exit programs out too.

One other thing about QSoft I have learned is that they have two pricing models: discounted list prices and "value proposition" licensing. If you work both sides of the pricing, you can get a price that is very competitive with Allout security.

In our case we chose QSoftware. The pricing from QSoft was very competitive with Allout. We did not purchase the Segregation of Duties modules.

Hi,

I update this post to get further informations. My question is simple : are those two tools the only security solutions ? I mean that I did not found out much information especially at :

http://www.oracle.com/us/partnerships/solutions/index.html#

I have used AllOut working on SOX compliance projects. The major JDE portion, using AllOut installs in a day and you can get a comprehensive security reporting on current state, including SODs the same day without affecting your current security settings.

You can then easily customize the AllOut, fairly comprehensive and generic SOD rules to suit your particular requirements including custom programs and then add mitigating controls to them later. It is very simple to do.

How you want to streamline the security (add/change user/roles, combi/super roles, menus access, mitigating controls, etc.) may require some experience and require a change management process in place. For instance if you have a major organization change or a merger, and need to make extensive security changes. The tool helps you do this rather well.