Update 19D

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date	Feature	Notes
07 OCT 2019	REST API for Third-Party Provisioning Tools	Updated document. Renamed Role Level Provisioning Rules and revised feature information.
20 SEP 2019		Created initial document.

Overview

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

Give Us Feedback

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

Feature Summary

Risk Management

Oracle Risk Management consists of three products: Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes. Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications. Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications. Advanced Financial Controls and Advanced Access Controls belong to a module called Advanced Controls Management.

Advanced Access Controls includes an Access Certification set of features. It enables an organization to perform periodic reviews to determine whether job roles are assigned appropriately to users.

Common

Risk Management Home Springboard Is Enhanced

To simplify the overall Risk Management navigation, all the springboard icons have been moved under the Risk Management icon. The icons are based on your user access, and you will see only the icons you have access to.

Risk Management Home Springboard

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

Following upgrade to the 19D release, one or more application icons may become invisible. Or, an icon may link to a blank page instead of the expected application landing page. This is typically caused by a customer's configuration of the root menu during implementation.

The implementation specialist should complete these steps: Create a "sandbox" (Edit Pages). In it, use the Appearance Tool to adjust the root menu such that all Risk Management application icons are listed under the <Risk Management> folder. Save, then verify that all application icons a user may have access to appear under that folder, and the application link renders the application landing page correctly. After verification, publish the sandbox, which will make the change permanent to all users.

Page Headers Are Enhanced

In the previous release, several page headers moved toward the common style called universal panel. As a reminder of what it looks like, the theme style below shows the page header with a black background and buttons in white text. Recall also, the Done button is replaced with a back arrow for navigation. You'll find more pages related to the below areas are converted:

ADVANCED CONTROLS

• Reports
• Models
• Controls
• Entitlements
• User-Defined Access Points
• Global Conditions 
• Simulations
• Results
• Mass Edit

FINANCIAL REPORTING COMPLIANCE

• Processes
  • All create and edit pages
  • Action Items pages
• Controls
  • All create and edit pages
• Risks
  • Models
  • All create and edit pages
• Assessments
  • Create and edit plan pages
  • Create and edit template pages
• Issues
  • All create and edit pages
• Remediation Plans
  • All create and edit pages
• All review and approve workflow pages

ACCESS CERTIFICATION

• All supporting pages

COMMON

• Setup and Administration pages

Here's an example:

Universal Panel

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

To change the color of the universal panel, from the navigator, go to Appearance under the Configuration section and change the Heading Color setting.

Universal Panel Color Setting

Notifications Tab Is Removed and Overview Label Is Replaced with Worklist Label

The landing page for each work area, across applications, was titled Overview in earlier releases. In it, you could select between two tabs to display worklists or notifications. Now, the Notifications tab is removed. The landing page displays only worklists, and its title has changed from Overview to Worklists.

Example of Worklist landing page

Steps to Enable

You don't need to do anything to enable this feature.

Nested Tabs Removed in Application Configuration

In prior releases, the Setup and Administration area for Application Configurations had nested tabs for General Maintenance, Datasource, and Global User Configurations. The functionality in these tabs is accessed differently within the same area.

• The Application Configuration tab is now renamed Advanced Controls Configurations. It includes functionality previously in the Data Sources nested tab that was removed.
• Global User Configuration functionality has been removed from the nested tab and now exists in its own tab on the main bar.
• Manage Configuration Options now allows you to configure email notifications to be enabled or disabled.
• Purge Results functionality has been removed from the nested tab and now exists in its own tab on the main bar.

Advanced Controls Configurations

Global User Configuration

Manage Configuration Options

Purge Results

Steps to Enable

You don't need to do anything to enable this feature.

User's Local Time Zone Enhancement

Your local timezone preference will now persist throughout the application.

Steps to Enable

You don't need to do anything to enable this feature.

Multiple Enhancements to Risk Management Lookup Values

The follow capabilities have been added in relation to the lookup values within Risk Management:

• Users can create custom lookup values to the following seeded lookup codes
  • GRC_ASSESSMENT_TYPE
  • GRC_CONTROL_AUDIT
  • GRC_CONTROL_FREQUENCY
  • GRCM_CONTROL_TYPE
  • GRC_CTRL_ASSERTIONS
  • GRC_ENFORCEMENT_TYPE
  • GRC_ISSUE_LIKELIHOOD
  • GRC_ISSUE_REASON
  • GRC_ISSUE_SEVERITY
  • GRCM_ISSUE_TYPE
  • GRCM_PERSPECTIVE_TYPE
  • GRCM_PROCESS_TYPE
  • GRCM_REMEDIATION_PLAN_TYPE
  • GRC_REMED_PLAN_PRIORITY
  • GRC_REMED_TASK_PRIORITY
  • GRCM_RISK_TYPE
  • GRC_SURVEY_QUESTION_TYPE
  • GRC_SURVEY_SURVEY_TYPE
  • GRC_CONTROL_METHOD
  • GRC_ASMT_RESULT
• Users can make predefined and custom lookup values active or inactive.

Lookup Value Status Edit

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

As you create new configured lookup values, most likely the seeded values are not applicable. Make sure to make those inactive so they do not display in the UI for future selection by users.

Financial Reporting Compliance

Risk Models Are Enhanced

The Analysis Models tab consolidates the management of risk models to a single location. That page includes a panel for each model type: Manage Analysis Models, Likelihood Models, Impact Models, Context Models, and Manage Significance Models. You can simply expand a model panel to manage existing models or create new models

Steps to Enable

You don't need to do anything to enable this feature.

Surveys Are Enhanced

On the survey landing page, you will see the following tabs:

• Worklists
• Surveys
• Questions
• Choice Sets
• Templates

Survey Tabs

Steps to Enable

You don't need to do anything to enable this feature.

Workflow Navigation Is Enhanced

After an object is created or edited, a reviewer or approver may accept it, reject it, or return it for information. When that task is complete, the user is returned to the object worklist page rather than the review or approval page.

Workflow Activity

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

Depending on the type of workflow and whether the reviewer is also an approver, the navigation may take the user back to the record detail. However, this is also a change as the user no longer has to navigate manually back to this information, as in the past.

Sort Functionality Added to Assessment Component Train Stop

As you initiate a batch assessment, you use a Components page to select objects for assessment. You select among object records made available by an assessment plan and selection criteria you have specified in earlier pages. In the Objects panel of the Components page, you can now sort these records in ascending or descending order by name or perspective value.

Assessment Component Train Stop

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Financial Controls

New Business Object Visualization Tool

The new Business Object Visualization page enables you to search on a business object and review its direct relationships to others in a graphical presentation. You can use this analysis tool to help identify related business objects and their attribute details as you design your models. Since you can search on any business object available, you will find objects such as audit do not have any relationships. This is a view-only tool and no actions can be performed.

You can access the Business Object Visualization page from the Advanced Control work area, if you have been granted the View Business Object Visualizations privilege. When you first open the page, a search box allows you to enter a name, which is applied across business object types or names. When it is a business object, the type is displayed after the name. For those that represent a name contained in type, a hierarchy icon is visible in the last column. You can hover your cursor over the icon to see the number of business objects associated to the type, or click the icon to drill into the list, You can return to the search by selecting All in the breadcrumb navigation under the search box. Alternatively, you can select a card view option instead of the default list view by selecting the icon on the right margin from breadcrumb navigation.

Search for Business Object Type or Name

Alternative Card View for Business Object Type or Name

Once you select a specific business object (Selected Record in legend), a graphical representation similar to a Security Console visualization shows other related objects. The graph represents direct business object relationships to the selected object (Level 1 Related Records in legend).  The number next to the business object represents the count of direct relationships. Hovering over related objects also displays information about how the objects are related.

Graph of Related Business Objects

To see the list of all available attributes for an object, right click over your selected business object and select See Attributes.

Attribute Details for Selected Business Object

You can change the focus of the visualization from one object to another. Right click on a business object and select Pivot.  For example, highlight the related Supplier business object, right click, and select the Pivot option. The graph refreshes to apply the relationship graph to the Supplier object.

Select Related Business Object to Change Graph

The icons and information in the graph are similar to those displayed in Security Console visualizations. For example, the graphical business object tool defaults to Layers layout.  An alternative Radial layout can be selected but provides no additional information. You can also zoom in, zoom out, or use the magnifying glass when the graph becomes large. The Search option is also the same, and you can use it to find related objects in graph that contain a name you enter.

Name Search Within Graph

Steps to Enable

Make the feature accessible by assigning privileges and updating job roles in the Security Console. Details are provided in the Role section below.

Key Resources

For more information about business object visualization, see the Using Advanced Controls Management guide at Oracle Help Center > Cloud Applications > Risk Management > Books.

Role Information

The new View Business Object Visualizations privilege is inherited by duties associated to two predefined job roles, Application Control Manager and Risk Management Auditor.

Duty Role Updated	Privilege Inheritance Added
Transaction Model Manager ORA_GTG_TRANSACTION_MODEL_MANAGER_DUTY	View Business Object Visualizations GTG_VIEW_BUSINESS_OBJECT_ VISUALIZATIONS
Auditor Advanced Control Analysis ORA_GTG_AUDITOR_ADVANCED_CONTROL_ANALYSIS_DUTY	View Business Object Visualizations GTG_VIEW_BUSINESS_OBJECT_ VISUALIZATIONS

New Models in Content Library

Advanced Financial Controls has three new models that can be imported through the delivered Content Library. When you have access to these models, you will be able to select the Import action on the Models tab and select them from the Content Library. The following table provides information on the content library, library type, model name and business objects associated to the new model.

Content Library	Library Type	Model Name	Business Objects
Enterprise Resource Planning Library	Advanced Transaction Controls	30008: Contract Payment Terms Different than Invoices	Purchasing Contracts (New) Purchase Order Payables Invoice Payables Payment Terms Supplier Contract Purchase Agreements (User-Defined Object)
Enterprise Resource Planning Library	Advanced Audit Controls	60018: Updates to Accounting Period Status	Audit - Accounting Period Status (New)
Supply Chain Management Library	Advanced Transaction Controls	34001: Sales Orders for Watchlist Customers	Sales Order (New) Customer Customer Watchlist (Imported Business Object)

Steps to Enable

No advance setup is required for you to import models. However:

• For audit models, you must review audit-level information configured under Manage Audit Policies in Oracle Fusion Applications. Models that use audit business objects in Advanced Financial Controls can return data only after the corresponding information is enabled and configured under Manage Audit Policies.
• A Risk Management administrator must set the Transaction and Audit Performance Configuration date options under Advanced Controls Configurations tab under Risk Management > Setup and Administration. Two created-as-of-date options are required, one for transactions and the other for audit events. This setting improves performance by eliminating older data from data-synchronization jobs.

Finally, once you have performed the above and imported the models, you must run data synchronization which retrieves the source data used during model analysis.

Tips And Considerations

Before using new model content, evaluate available models that match requirements for your organization under the Import action for models. The Import from Content Library page is organized by product area and model types. Once you identify models appropriate for you, import, review, and modify them in your test environment. Importing all available models is not recommended. In some cases, you may have already imported the model in a previous update. Or, some may source data from products or audit configurations you have not enabled. Moreover, models may contain user-defined or imported business objects that create data set controls or objects, respectively.

Key Resources

For more information about importing models, see "Import Models, Controls, or Conditions" chapter of Using Advanced Controls Management at Oracle Help Center > Cloud Applications > Risk Management > Books. You can find information on prerequisites to using audit model types in the same guide under "Create Models That Support Audit."

Changes Are Made to Business Objects

In this release there are updates and additions to business objects.

New Business Objects

• Three new business objects have been added to support new model content.  They include Sales Order, Purchasing Contracts, and Audit - Accounting Period Status.
• Customer Account Sites has been added as a business object to extend customer-related attributes.

New Business Object Attributes

The Expense Report Details business object was updated to add 28 requested flexfield attributes and include the following:

• Attribute Category
• Descriptive Flexfield Character 1
• Descriptive Flexfield Character 2
• Descriptive Flexfield Character 3
• Descriptive Flexfield Character 4
• Descriptive Flexfield Character 5
• Descriptive Flexfield Character 6
• Descriptive Flexfield Character 7
• Descriptive Flexfield Character 8
• Descriptive Flexfield Character 9
• Descriptive Flexfield Character 10
• Descriptive Flexfield Character 11
• Descriptive Flexfield Character 12
• Descriptive Flexfield Character 13
• Descriptive Flexfield Character 14
• Descriptive Flexfield Character 15
• Descriptive Flexfield Date 1
• Descriptive Flexfield Date 2
• Descriptive Flexfield Date 3
• Descriptive Flexfield Date 4
• Descriptive Flexfield Date 5
• Descriptive Flexfield Date and Time 1
• Descriptive Flexfield Date and Time 2
• Descriptive Flexfield Number 1
• Descriptive Flexfield Number 2
• Descriptive Flexfield Number 3
• Descriptive Flexfield Number 4
• Descriptive Flexfield Number 5

Various audit business objects were updated to add new attributes and are listed in the following table.

Business Objects	Attributes
Audit - AutoPost Criteria Set Setup	Use Batch Creator as Approval Submitter New Use Batch Creator as Approval Submitter Old
Audit - Deal Registration	CustomerSalesAccountId Submitted By
Audit - Person Allocated Checklist	ActionOccurrenceId New ActionOccurrenceId Old
Audit - Person Allocated Checklist Tasks	QuestionnaireId New QuestionnaireId Old Report Path New Report Path Old
Audit - Sales Lead Contacts	Primary New Primary Old Relationship ID
Audit - Sales Lead Products	Lead Product Number New Lead Product Number Old
Audit - Sales Lead Resources	Access New Access Old
Audit - Sales Lead Territories	AccessLevelCode New AccessLevelCode Old
Audit - Sales Territory Resource	Organization ID New Organization ID Old
Audit - Supplier	Business Relationship New Business Relationship Old
Audit - Supplier Bank Accounts	Agency Location Code New Agency Location Code Old Alternate Account Name New Alternate Account Name Old Conversion Rate Agreement Number New Conversion Rate Agreement Number Old Conversion Rate Agreement Type New Conversion Rate Agreement Type Old Conversion Rate New Conversion Rate Old Description New Description Old Factor account New Factor account Old From Date New From Date Old Inactive On New Inactive On Old Secondary Account Reference New Secondary Account Reference Old

Obsolete Attributes

The Tax Identifier attribute is removed from the transaction business object Expense Report Attendees and no longer available.

A number of attributes have been removed from various audit business objects that no longer exist.  These obsolete audit attributes by business object are listed in the following table.

Business Objects	Attributes
Audit - Catalog People	ObjectId1 New ObjectId1 Old
Audit - Category People	ObjectId1
Audit - Deal Products	DealProdId New DealProdId Old
Audit - Deal Registration	ContactRelationshipId New ContactRelationshipId Old CustomerSalesAccountId New CustomerSalesAccountId Old Deal ID New Deal ID Old Deal Submitted By New Deal Submitted By Old DealFinalApprDecisionDate New DealFinalApprDecisionDate Old Partner Type New Partner Type Old Submitted Date New Submitted Date Old
Audit - Deal Resources	DealResourceId New DealResourceId Old PartnerOrgId New PartnerOrgId Old
Audit - Deal Territories	DealTerritoryId New DealTerritoryId Old
Audit - Item	OrganizationId1 New OrganizationId1 Old OrganizationId2 OrganizationId2 New OrganizationId2 Old OrganizationId3 OrganizationId3 New OrganizationId3 Old P S Structure Instance Number New P S Structure Instance Number Old P Y Structure Instance Number New P Y Structure Instance Number Old PSSubinventoryId New PSSubinventoryId Old PYSubinventoryId New PYSubinventoryId Old Secondary Inventory Name Secondary Inventory Name New Secondary Inventory Name Old Secondary Inventory Name1 Secondary Inventory Name1 New Secondary Inventory Name1 Old Secondary Inventory Name2 Secondary Inventory Name2 New Secondary Inventory Name2 Old Structure Instance Number New Structure Instance Number Old SubinventoryId New SubinventoryId Old
Audit - Item Category Association	InventoryItemId1 InventoryItemId1 New InventoryItemId1 Old OrganizationId1 OrganizationId1 New OrganizationId1 Old
Audit - Item Extensible Flexfields Security	ObjectId
Audit - Item People	ObjectId
Audit - Item Revision Extensible Flexfield	Item Number OrganizationId1
Audit - Item Structure Component	BillSequenceId1 BillSequenceId1 New BillSequenceId1 Old Name New Name Old Pk1Value1 New Pk1Value1 Old Pk2Value1 New Pk2Value1 Old
Audit - Item Substitute Component	Item New Item Number New Item Number Old Item Old Organization New Organization Old Primary UOM New Primary UOM Old
Audit - Item Supplier Association	InventoryItemId1 ItemDefinitionOrgId OrganizationId1 OrganizationId1 New OrganizationId1 Old
Audit - Item Supplier Extensible FlexField	InventoryItemId1 InventoryItemId1 New InventoryItemId1 Old ItemDefinitionOrgId New ItemDefinitionOrgId Old OrganizationId1 OrganizationId2 OrganizationId2 New OrganizationId2 Old
Audit - Key Flexfield Segment	DefaultValueSetId1 Value Set Code
Audit - Key Flexfield Segment Instance	Value Set Code New Value Set Code Old ValueSetId1 New ValueSetId1 Old
Audit - Key Flexfield Structure Instance	Structure Code StructureId1
Audit - Organization Unit	AddressId Effective Start Date3
Audit - Pack Component	BillSequenceId1 New BillSequenceId1 Old Name New Name Old
Audit - Payment System Transmission Protocols	Code
Audit - Position	JobIdFromJob
Audit - Profile Category Option	Application Id1 New Application Id1 Old Profile Option Code New Profile Option Code Old ProfileOptionId1 New ProfileOptionId1 Old
Audit - RelatedValueSetValueVO	RefValueId1 RefValueId2
Audit - Sales Lead Contacts	ExtnCorporateCurrencyCode New ExtnCorporateCurrencyCode Old ExtnCurrencyCode New ExtnCurrencyCode Old ExtnCurrencyConversionRateType New ExtnCurrencyConversionRateType Old Lead Contact ID New Lead Contact ID Old Relationship ID New Relationship ID Old
Audit - Sales Lead Products	Lead Product ID New Lead Product ID Old
Audit - Sales Lead Resources	ExtnCorporateCurrencyCode New ExtnCorporateCurrencyCode Old ExtnCurrencyCode New ExtnCurrencyCode Old ExtnCurrencyConversionRateType New ExtnCurrencyConversionRateType Old Lead Resource ID New Lead Resource ID Old
Audit - Sales Lead Territories	LeadTerritoryId New LeadTerritoryId Old
Audit - Security Profiles	PubPersonSecurityProfileId PubPersonSecurityProfileId New PubPersonSecurityProfileId Old
Audit - Supplier Address Contacts	PartyId New PartyId Old PartySiteId PartySiteId New PartySiteId Old VendorId VendorId New VendorId Old
Audit - Supplier Address Tax Classifications	PartyId2 PartySiteId Site Name New Site Name Old
Audit - Supplier Address Tax Reporting Codes	PartyId2 PartySiteId
Audit - Supplier Bank Accounts	ExtPayeeId ExtPmtPartyId InstrumentId InstrumentPaymentUseId PayeePartyId1
Audit - Supplier Payment Attributes	PartyId Procurement BU VendorId VendorSiteId
Audit - Supplier Sites	BusinessProcessId BusinessProcessId New BusinessProcessId Old DocumentId1 EnableFlag New EnableFlag Old ExternalPtnrRole New ExternalPtnrRole Old

Steps to Enable

If you use any of the obsolete attributes listed, ensure you have the most current models that correspond to your controls by exporting the controls from your 19C instance before you upgrade. Immediately import the controls as models in the 19C instance, because controls using any deprecated attribute in 19D will cause your controls to become invalid.

After you upgrade, identify models and controls that use obsolete attributes by searching on the Inactive status and the Invalid state.

• You can update models. Follow the inline guidance to do so.
• You cannot update controls. For any control that uses obsolete attributes, revise the model from which the control is developed so that it uses only valid attributes. Then redeploy the model as a control.

Tips And Considerations

Obsolete attributes impact only environments upgraded from 19C; they do not impact new implementations of 19D.

Key Resources

If you use any of the obsolete attributes listed, and are upgrading from 19C:

• For models, refer to the 19A topic "Upgrade Impact to Models with Obsolete Attributes." When you have used an obsolete attribute in your model, additional actions may be required.

• For controls refer to the 19B topic "Pre-Upgrade Impact to Controls with Obsolete Attributes." When you have used an obsolete attribute in your control, additional actions will be required.

For the new business objects that support new models in the content library, refer to the 19D topic "New Models in Content Library" for Advanced Financial Controls.

Import Validation of Models and Controls

A validation is performed when you import model or control xml files. If imported models reference obsolete attributes or business objects, the import job indicates "Job completed with warnings," the status of models with obsolete artifacts is set to Inactive, and their state is set to Invalid. Search and select the inactive model and follow the inline guidance to update it. If imported controls reference obsolete attributes or objects, they are not imported, and the import job indicates "Job completed with errors."

Example of Message for Invalid Model

Steps to Enable

You don't need to do anything to enable this feature.

Filter Condition Used for Delivered Business Objects

As you define a standard filter for a transaction model, you can use the "Is not related to" condition only between delivered business objects. This condition is no longer available for filters that call user-defined or imported objects.  The logic of this condition remains the same, where the records from one business object do not exist in another related object.

Example of 'Is not related to' Filter

Steps to Enable

You don't need to do anything to enable this feature.

Related Links Tab Is Removed

Several pages included a Related Links panel tab. This tab has been removed, and each link is relocated elsewhere — in the Actions menu, as a new tab, or as a button directly on a page. Here's an example of how that looks:

Manage Controls Without Tab

Steps to Enable

You don't need to do anything to enable this feature.

Control Details Extract Report Is Removed

The Control Details Extract report for Advanced Controls no longer exists. You can now use OTBI to create the same report.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

To create the control detail extract report, navigate to either the Advanced Access Controls or Advanced Financial Controls subject area. In the Advanced Control Details folder you will find all the attributes you need to create a control details report that fits your needs. Here's an example:

Build Control Detail Extract Report

Control Detail Extract Report Example

Bell Notification Link Now Displays Results

In prior releases, the Fusion notification link with title New Incidents for Control would open a page that showed the springboard. Now, when you select the link in the notification, the results related to that control are displayed.

Bell Notification Opens Related Results

Steps to Enable

You don't need to do anything to enable this feature.

Perspective Shuttle Hover Text Is Clearer

In the model definition page, the perspective shuttle has buttons that allow you to move perspective values from the available perspective values side to the selected perspective values side, and vice versa. The hover text for these buttons was ambiguous, but now clearly communicates what each does.

Perspective Shuttle

Steps to Enable

You don't need to do anything to enable this feature.

Purge Control Analysis Data Job Summary Enhanced

When the Purge Control Analysis Data job finishes running, you can click on the hyperlink of the job status to view the purge parameters and the number of records purged.

Purge Control Analysis Data Job Summary

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Access Controls

REST API for Third-Party Provisioning Tools

A new synchronous REST API capability enables you to integrate rules with third-party user-provisioning workflows. In a new page in Advanced Access Controls, security administrators can quickly create provisioning rules that define pairs of Oracle Cloud job roles that are considered high risk. Once these rules are created, the third-party provisioning tool can call the REST API to determine if a job-role assignment violates any of these provisioning rules.

Below is the page where provisioning rules are defined.

Provisioning Rules

Steps to Enable

Review the REST service definition in the REST API guides, available from the Oracle Help Center > your apps service area of interest > REST API. If you're new to Oracle's REST services you may want to begin with the Quick Start section.

Make the feature accessible by assigning or updating privileges or job roles in the Security Console. Details are provided in the Role section below.

Role Information

This new Access Provisioning feature is supported by a new delivered duty that includes five privileges. This duty is delivered to Application Access Auditor (ORA_GTG_APPLICATION_ACCESS_AUDITOR) job role.

Duty Role Updated	Privilege Inheritance Added
Access Provisioning Rules Manager Duty ORA_GTG_ACCESS_PROVISIONING_RULES_ MANAGER_DUTY	Create Access Provisioning Rules Delete Access Provisioning Rules Edit Access Provisioning Rules Use REST Service for Advanced Access Control Role Analysis View Access Provisioning Rules

Audit Is Enabled for Access Entitlements and Global Users

You can now track changes made to Advanced Control access entitlements and global users. For example, if access points are added to or removed from an entitlement, you can now run a report to see what changed, who changed it, and when. 

Steps to Enable

1. As a user such as Application Implementation Consultant, navigate to Setup and Maintenance and look for the Manage Audit Policies task. Go to Configure Business Object Attributes and then select Risks and Controls from the Product drop down.

Attributes Available to Enable for Audit

2. Select an object such as Access Entitlement Access Point, then select the plus icon in the Access Entitlement Access Point: Audited Attributes section. Check each of the attributes you'd like to track changes for.

Audit Entitlement

3. Now make a change to the audited attributes. For example, remove an access point from an entitlement.

4. Again, logged in as a user such as Application Implementation Consultant, navigate to Audit Report.

Navigation to Audit Report

5. Search for product Risks and Controls and click Search to see the history of inserts, updates, and deletes. Below is an example of changes made to an access entitlement.

Audit Report

New and Updated Delivered Model Content

Oracle delivers one new model to detect segregation-of-duties conflicts, and has revised several entitlements used by models delivered with earlier updates.

Advanced Access Controls 19D includes the following new model:

• 5892: Maintain Supplier Bank Accounts and Create Payments

Advanced Access Controls 19D includes the following entitlement revisions:

• The Approve Payables Invoices entitlement now includes this privilege:

  • Force Approve Payables Invoice

The following models use this entitlement: 5800, 5810, 6090, 6370, 6750, 7550, 9373.

• The Create Payments entitlement removed this privilege:

  • Manage Payables Payments

The following models use this entitlement: 5810, 9300, 5890, 5896, 5970, 5980, 6810, 5892, 9012, 7610, 6680.

• The Cycle Counting entitlement now includes these privileges:

  • Create Cycle Count
  • Approve Cycle Count Sequences
  • Purge Cycle Count

The following models use this entitlement: 8090, 8140.

• The Inventory Transactions entitlement now includes these privileges:

  • Create Inventory Transaction by Web Service
  • Manage Pending Inventory Transaction
  • Manage Pending Inventory Transaction Web Service

The following models use this entitlement: 8100, 8150.

• The Inventory Transactions entitlement removed these privileges:

  • Generate Item Serial Number
  • Manage Item Lot and Item Serial Number
  • Manage On-Hand Quantity
  • Monitor Counts Work Area
  • Monitor Inventory Work Area
  • Record Cycle Count Sequence
  • Record Physical Inventory Tags
  • Review Completed Inventory Transaction
  • Review Pending Inventory Transaction
  • Search Inventory Reservation and Picks

The following models use this entitlement: 8100, 8150.

• The Payroll Personal Data entitlement now includes this privilege:

  • Manage Worker Personal Payment Method

The following model uses this entitlement: 9701.

• The Payroll Personal Data entitlement removed this privilege:

  • Manage Personal Payment Method

The following model uses this entitlement: 9701.

• The Physical Inventory entitlement removed these privileges:

  • Generate Physical Inventory Snapshot
  • Generate Physical Inventory Tag
  • Print Physical Inventory Reports
  • Record Physical Inventory Tags

The following models use this entitlement: 6860, 7660, 8250.

• The Pick Release Goods entitlement removed these privileges:

  • Monitor Pick Wave Work Area
  • Manage Pick Wave Release Rule
  • Confirm Pick Slip

The following models use this entitlement: 6860, 7660, 8250.

• The Receive Goods and Services entitlement now includes this privilege:

  • Create Receiving Receipt by Web Service

The following models use this entitlement: 5770, 5895, 5896, 5897, 6190, 8140, 8150, 8250.

• The Receive Goods and Services entitlement removed these privileges:

  • Send Receiving Receipt Confirmation
  • Confirm Receiving Receipt Process
  • Correct Self-Service Receiving Receipt
  • Create Self-Service Receiving Receipt
  • Review Receiving Receipt Summary
  • Monitor Receiving Receipt Work Area
  • Print Receiving Receipt Traveler Report
  • Review Receiving Transaction
  • View Receiving Open Interface
  • Create Self-Service All Requisition Receiving Receipt
  • Manage Receiving Receipt ReturnsManage Receiving Parameter
  • Create Advance Shipment Notice
  • Manage Receiving Receipt Advice
  • Upload Advance Shipment Notice or Advance Shipment Billing Notice
  • Create Advance Shipment Billing Notice
  • Generate Changed Receiving Receipt Advice
  • Generate Receiving Receipt Advice
  • Transfer Ownership Change Events to Receiving
  • Transfer Receiving Transactions from Receiving to Costing

The following models use this entitlement: 5770, 5895, 5896, 5897, 6190, 8140, 8150, 8250.

• The Release Sales Order entitlement removed this privilege:

  • Monitor Pick Wave Work Area

The following models use this entitlement: 4210, 4573, 5170, 5240, 5520, 5730, 5780, 6880, 7670, 8200.

• The Ship Confirm Goods entitlement now includes this privilege:

  • Manage Shipment Web Service

The following models use this entitlement: 8210.

• The Ship Confirm Goods entitlement removed these privileges:

  • Manage Shipment Note
  • Monitor Shipment Work Area
  • Pack ShipmentPrint Shipping Reports
  • Receive Manifest Response
  • Receive Shipment Request
  • Send Manifest Request
  • Send Shipment Advice

The following models use this entitlement: 8210.

Steps to Enable

As a rule, when you import a model that uses entitlements, you import the entitlements automatically. But if an earlier version of an entitlement exists in your target environment, the content-import job cannot replace it with a newer version. So:

• If an entitlement has been revised, but you have not yet imported any of the models that use it, you can import one of these models now. The import operation includes the new entitlement along with the model.

• If an entitlement has been revised, and you imported a model that uses it during an earlier update, you also imported the earlier version of that entitlement. To use the new version, your only option is to edit your existing entitlement to incorporate its revisions.

User-Defined Access Point Automatically Removes Invalid Access Points

Although rare, it is possible for an access point such as a role or privilege to become obsolete. Previously, if even one access point in a user-defined access point was obsolete, no values would be returned in the user-defined access point definition. Now, only the obsolete access point will be removed from the definition.

As an example, suppose you have this user-defined access point: Human Resource Analysis - View All > Human Resource Analyst > View Work Terms and Assignment > Manage Work Terms and Assignment.

Now, assume View Work Terms and Assignments no longer exists after an upgrade. The user-defined access point would be updated automatically to remove that nonexistent value. So it would look like this: Human Resource Analysis - View All > Human Resource Analyst > Manage Work Terms and Assignment

Any models that reference this user-defined access point would use this new definition.

Steps to Enable

You don't need to do anything to enable this feature.

Enforcement Type Is Removed

In prior releases, an enforcement type — Prevent, Monitor, or Approval Required — could be assigned to each control. To eliminate a false perception that an automated enforcement was in place, rather than just a suggested treatment, the field is removed entirely.

Pages where you may notice the field's absence include:

• Manage Controls
• Edit/View Control
• Import Control
• Deploy Control
• Results

Steps to Enable

You don't need to do anything to enable this feature.

Obsolete Access Condition Attribute

As a heads-up, a redundant access condition attribute will be removed in an upcoming release. The HCM Data Role attribute lists all roles. Roles are just access points and the same can be found in the access point condition attribute.

If you have any existing global or model level conditions referencing that attribute, be sure to replace them with the access point attribute so that you won't be affected when we make it obsolete in the future.

HCM Data Role Attribute

Steps to Enable

You don't need to do anything to enable this feature.

Based on Control Field Is Added for Simulations

You can create a simulation from a visualization; its remediation steps would apply to the one control depicted by the visualization. Or you can create a simulation from LOV fields; its remediation steps would encompass all active controls. Previously, there was no way to tell if the simulation applied to one control or across all active controls. This information is now exposed on the Access Simulations management page and the pages to create and edit simulations.

Simulation Based On a Control

Steps to Enable

You don't need to do anything to enable this feature.

Visualization Is Enhanced in Simulations

Remediation steps in a Simulation can now be removed graphically using the visualization tool. Dashed lines that connect nodes in a visualization indicate there is a remediation step that exists. If the remediation step is no longer desired, it can be removed by selecting the dashed line and clicking Reset.

Remove Remediation Step via Visualization Graph

Steps to Enable

You don't need to do anything to enable this feature.

Related Links Tab Is Removed

Several pages included a Related Links panel tab. This tab has been removed, and each link is relocated elsewhere — in the Actions menu, as a new tab, or as a button directly on a page. Here's an example of how that looks:

Manage Controls Without Tab

Steps to Enable

You don't need to do anything to enable this feature.

Control Details Extract Report Is Removed

The Control Details Extract report for Advanced Controls no longer exists. You can now use OTBI to create the same report.

Embedded Control Detail Extract Report Removed

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

To create a control detail extract report, select either the Advanced Access Controls or Advanced Financial Controls subject area. In the Advanced Control Details folder, you'll find all the attributes you need to design a report that fits your needs. 

Build a Control Detail Extract Report

Control Detail Extract Example

Bell Notification Link Now Displays Results

In prior releases, the Fusion notification link with title New Incidents for Control would open a page that showed the springboard. Now, when you select the link in the notification, the results related to that control are displayed.

Bell Notification Opens Related Results

Steps to Enable

You don't need to do anything to enable this feature.

Perspective Shuttle Hover Text Is Clearer

In the model definition page, the perspective shuttle has buttons that allow you to move perspective values from the available perspective values side to the selected perspective values side, and vice versa. The hover text for these buttons was ambiguous, but now clearly communicates what each does.

Perspective Shuttle

Steps to Enable

You don't need to do anything to enable this feature.

Purge Control Analysis Data Job Summary Enhanced

When the Purge Control Analysis Data job finishes running, you can click on the hyperlink of the job status to view the purge parameters and the number of records purged.

Purge Control Analysis Data Job Summary

Steps to Enable

You don't need to do anything to enable this feature.

Access Certification

Applied Finalize Roles Scoreboard

The Finalize Roles page enables you to view the count of total roles returned by the scoping filters you defined. In addition, you can see the number of roles that will be included and excluded as part of the certification.

Finalize Roles

Steps to Enable

You don't need to do anything to enable this feature.

Users' Direct Managers Can Review Role Assignments

You can now initiate two additional types of certification, standard with manager review and continous with manager review.  These types function in the same manner as their counterparts, except that direct managers of users also review the assignments of scoped roles to users who report to them. Direct managers use worksheets to review user-role assignments and recommend whether they should be approved or rejected.

The direct-manager review is different from the certifier review in a few aspects:

• Each direct manager can view only records of users who report directly to him or her.
• Direct managers are not assigned to any one certification, and are not made aware of the certifications in which records exist. Instead, a direct manager's worksheet contains records of user assignments that may belong to any number of active standard or continous certifications.
• Direct managers' judgments are considered advisory: Records of user-role assignments appear both in the worksheets of certifiers working within certification projects and, for each user, the worksheet of that user's manager. Typically, direct managers act on their role-assignment records first, and their judgments update records in the certifiers' worksheets. However, a certifier can override managers' judgments, and may even act without waiting for the managers' judgments.
• Once the direct manager has submitted his or her user-role combinations the manager can no longer view the tasks, nor what's been submitted.

As a certification proceeds, the people working on it receive notifications. Each alerts its recipient to a task to be completed, or to a deadline that's approaching or has passed. When appropriate, a notification includes a direct link to the page to complete a task.

Initiate Certification Page

Steps to Enable

Make the feature accessible by assigning privileges and updating job roles in the Security Console. Details are provided in the Role section below.

Tips And Considerations

• The direct manager does not have access to the Access Certifications page or other pages accessible from it. For ease of use, the direct manager can navigate directly from notificaitons to the Manager Worksheet. Or, the direct manager can click the Access Certification root icon to view the Manager Worksheet. In some cases the administrator, owner, or certifier may also be a direct manager. These users have an additional tab to navigate to the Manager Worksheet to review user-role combinations as manager, versus as certifier, owner or administrator.

Administrator View of the Manager Worksheet with No Actions to Complete

• For ease of use, the new types of certifications can also be reused for a new certifications, to enable you to use the same scoping criteria and security defined.

Key Resources

For more information about continuous certification, see the Using Access Certification guide at Oracle Help Center > Cloud Applications > Risk Management > Books.

Role Information

The new Edit Access Certification Manager Worksheet privilege was added to the predefined Line Manager role.

Role Updated	Privilege Inheritance Added
Line Manager ORA_PER_LINE_MANAGER_ABSTRACT	Edit Access Certification Manager Worksheet GTR_EDIT_ACCESS_CERTIFICATION_MANAGER_ WORKSHEET

Transactional Business Intelligence for Risk Management

Security Associated to New BI Reporting Role

All family-specific folders such as Human Capital Management, Financials, and Risk Management are visible in the OTBI catalog under Shared Folders. Even if you don't have data access to the delivered reports in these folders, you can still see the folders. New reporting duty roles are introduced so that you can control which folders are visible through Security Console.

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Tips And Considerations

If you use delivered roles and want to remove folders seen in OTBI shared folders, you need to create custom roles. For example, if you want to hide the Risk Management folder in Shared Folders, there are two steps:

1. Copy a seeded role (such as Application Control Manager) and remove "Risk Management Folder Reporting Duty" role.
2. Remove "Risk Management Folder Reporting Duty" role from "Custom BI WebCat Reporting Duty".

Similar steps are performed to control the visibility of any family folder.

Reporting Access Granted to Risk Management Auditor Role

A new predefined job role, called Risk Management Auditor, was made available in 19C. The role did not have access to run reports in OTBI, it now does. A user with this role can navigate to Reports & Analytics and create analysis using any of the Risk Management Cloud subject areas.

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Risk Evaluation Fields Are Added

Additional risk-evaluation attributes are added to the Risk Analysis dimension in the Risk Management Cloud - Compliance Real Time subject area. These attributes are Residual Impact and Evaluation Result.

Risk Analysis Folder

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

The report synchronization program must be run to gather real-time information pertaining to the control test plans. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management Tools > Setup and Administration > Scheduling

For existing user defined reports, you can simply update your report/s and add the additional attributes if needed and run the report.

Tips And Considerations

You must run the report synchronization program to gather real-time information pertaining to the control test plans. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management > Setup and Administration > Scheduling

For existing user defined reports, you can simply update your reports and add the additional test plan attributes if needed.

Test Plans Dimension Is Added

A new Control Details subfolder Test Plans dimension has been added to the Risk Management Cloud - Compliance Real Time subject area. This new dimension will allow you to create reports to view the control record information and the documented test plans.

Control Test Plan Dimension

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Tips And Considerations

The report synchronization program must be run to gather real-time information pertaining to the control test plans. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management > Setup and Administration > Scheduling

For existing user defined reports, you can simply update your report/s and add the additional test plan attributes if needed. Once the reporting Once you run the report.

Run Status Attribute Is Added

The Advanced Control Details dimension now contains a Run Status attribute. This dimension exists in two subject areas: Risk Management Cloud - Advanced Access Controls Real Time and Risk Management Cloud - Advanced Financial Controls Real Time. Examples of the values returned by the new attribute are Failed, Completed, and Not Started.

Run Status

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

New Dashboard Documents Remediation Plans in Simulations

Simulation enables you to preview the effects of changes you might make in your security model to resolve incidents identified by access controls. A simulation consists of remediation steps, each of which hypothesizes the removal of an access point from a role hierarchy. Incidents involving that access point (reached from within that hierarchy) would therefore be resolved.

A new Simulation Remediation Plan dashboard is delivered in OTBI. In a future release, this dashboard will replace the report currently run from the Simulation page.

A security administrator can use the data in this report to restructure roles in the Security Console such that segregation of duties conflicts are resolved.

Simulation Remediation Plan

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User)

You must run a synchronization program to gather real-time information pertaining to simulation. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management Tools > Setup and Administration > Scheduling.

New Simulation Dimensions in Advanced Access Controls Subject Area

To support the new Simulation Remediation Plan Dashboard, you will find three new dimensions in the Advanced Access Controls subject area: Simulation, Simulation and Incident Path Counts, and Simulation User and Role Impact.

The Simulation dimension can't be combined with any other dimension or fact. It is meant to be stand-alone.

Simulation Dimensions

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

A synchronization program must be run to gather real-time information pertaining to the Simulation dimensions. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management Tools > Setup and Administration > Scheduling.

Access Entitlement Created By and Last Updated By Populated

Previously, Access Entitlement created by and last updated by attributes were not populated, now they are.

Entitlement Created By and Last Updated By

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).