This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Feature | Notes |
|---|---|---|
| 20 DEC 2019 | Created initial document. |
This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.
Give Us Feedback
We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.
Column Definitions:
Features Delivered Enabled
Report = New or modified, Oracle-delivered, ready to run reports.
UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.
UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.
Features Delivered Disabled = Action is needed BEFORE these features can be used by END USERS. These features are delivered disabled and you choose if and when to enable them. For example, a) new or expanded BI subject areas need to first be incorporated into reports, b) Integration is required to utilize new web services, or c) features must be assigned to user roles before they can be accessed.
| Ready for Use by End Users Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features. |
Action is Needed BEFORE Use by End Users Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing. |
|||||
|---|---|---|---|---|---|---|
| Feature |
Report |
UI or |
UI or |
|
||
Remove the Abilitiy to Create Records While Relating Records |
||||||
Initating an Access Certification and the Finalize Roles Scoreboard Enhanced |
||||||
Risk Management Cloud - Assessment Results Real Time and Compliance Real Time Subject Areas Enhanced |
||||||
Oracle Risk Management consists of three products: Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes. Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications. Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications. Advanced Financial Controls and Advanced Access Controls belong to a module called Advanced Controls Management.
Advanced Access Controls includes an Access Certification set of features. It enables an organization to perform periodic reviews to determine whether job roles are assigned appropriately to users.
Change to Direct Assignment Security Model
To simplify the implementation of granular access, the entire security model for Risk Management has been converted to a direct-assignment approach. General eligibility to access records or perform activities will continue to be determined based on functional, privilege-based security. However, the access to the specific record or activity will be determined at the individual record level.
Records can be secured either by individual users or predefined groups of users based on a specific object/authorization combination. There are three primary types of authorization across all secured records:
- Owner: This enables the user to create, view, and edit the record, and update security for the record
- Editor: This enables the user to view and edit the specific record, but only view the security assignments for that record
- Viewer: This enables the user to view the record and its security assignments
For some records, additional access can be defined, such as specifying whether the user is also a reviewer, approver, issue owner, etc.
The new Security Assignment button on each record displays the page where security assignments can be viewed and updated.
Security Assignment Navigation
The new Security Assignment page comprises two sections, one for the individual user assignment and the other for the group assignment.
Security Assignment Page with Owner Access
Also, a new work area called Risk Management Data Security provides three tabs:
- User Assignment Groups: This allows for organizing users with like access into groups. You can assign groups to records, rather than assign the same users over and over.
- Business Object Security: This enables the granting of access to analyze the data for business objects used in Advanced Financial models and controls.
- Mass Edit Security Assignment: This enables administrative-level access to search and mass-edit security assignments for all separately secured records.
User Groups
Business Object Security
In addition, Risk Management roles and privileges are updated. New privileges support new functionality. New roles simplify the user experience:
- The Risk Activities Manager job role is intended for assignment to Financial Reporting Compliance users. Its seeded duties are at a single level, in contrast to the nested duty hierarchy available previously to support Financial Reporting Compliance activity.
- The Risk Administrator job role supports administrative activities, separating them from day-to-day activities supported by other roles.
Steps to Enable
Make the feature accessible by assigning or updating privileges and/or job roles. Details are provided in the Role section below.
For new customers there are no steps to enable the new security. Existing customers are required to run the User Assignment Security Update job, which is found within the scheduling tab of the Setup and Administration icon under Risk Management. Users will see a message for this requirement immediately after the upgrade and upon selecting any of the Risk Management icons. Until this job is run, all users are prevented from performing any activities within the Risk Management application.
The ability to run the necessary job is available in two job roles: Enterprise Risk and Control Manager, and Risk Administrator.
Because new privileges have been added, seeded job and duty roles are updated. You must manually update any custom job and duty roles, or replace them with the new seeded job and duty roles.
Tips And Considerations
Because users must be directly assigned to records to have any access to them, it is no longer necessary to use multiple versions of the same roles to enforce data security striping. Instead fewer, more general roles can grant users generic access to functionality. User assignments to records can then restrict access to data.
With regard to Financial Reporting Compliance, where the functional security structure of jobs and duties has been changed so significantly, it may make the most sense to use the new Risk Activities Manager and Risk Administrator job roles and related duties. This is especially so in the case where custom duties were used to map functional access to specific data security policies, and where these custom duties will not be updated with the new required privileges.
Also note that in an upcoming release, the existing seeded Enterprise Risk and Controls Manager job role, the Compliance Manager job role, and their underlying seeded duty roles will be removed. So even if you rely on the seeded jobs and duties initially, you will require a review and uptake to the new jobs and duties sooner rather than later.
Once the upgrade has been completed, records may need to be assigned users or groups. Record owners can update assignments to individual records. Or, administrators can utilize the Mass Edit Security Assignment feature to update multiple records at once. In some cases, owners assigned to records may not be eligible to own them. If so, their security may be updated with the new privileges so that they become eligible. Or, administrators may use the Mass Edit tool to assign eligible owners to the records.
Key Resources
- For more information about the new security, see Securing Risk Management at Oracle Help Center > Cloud Applications > Risk Management > Books.
- Make sure to consult the Security Reference for Risk Management for much more information. It's found at Oracle Help Center > Cloud Applications > Risk Management > Books.
- Additionally, for greater information around new roles and privileges, see the available references in the following Role Information topic.
Role Information
The new direct-assignment approach involves many security-artifact changes and additions. Here are summaries of some of these, as well as links to reference documents.
NEW JOB ROLES
- Risk Activities Manager (ORA_GTG_RISK_ACTIVITIES_MANAGER) is used for Financial Reporting Compliance
- Risk Administrator (ORA_GTG_RISK_ADMINISTRATOR) is used for administrator activities, including Risk Management security
NEW AND REVISED DUTY ROLES
The new security approach introduces new job roles, duty roles, and revisions. This New and Revised Duty Roles in Release 20A document is a reference to additions and changes available in the Security Console.
NEW AND REPLACEMENT PRIVILEGES
Many new privileges are added in release 20A. In most cases, the new privileges replace previous functionality to implement the new direct-assignment security feature. This New and Replacement Privileges in Release 20A document is a reference to the privilege replacements you will find in the Security Console.
OTBI ROLES FOR NEW RISK MANAGEMENT JOBS
Finally, existing OTBI roles are also associated to the new job roles. These include:
Risk Activities Manager job role:
- Financial Reporting Compliance Transaction Analysis Duty (FBI_FINANCIAL_REPORTING_COMPLIANCE_TRANSACTION_ANALYSIS_DUTY)
Risk Administrator job role:
- Financial Reporting Compliance Transaction Analysis Duty (FBI_FINANCIAL_REPORTING_COMPLIANCE_TRANSACTION_ANALYSIS_DUTY)
- Advanced Access Control Transaction Analysis Duty (FBI_ADVANCED_ACCESS_CONTROL_TRANSACTION_ANALYSIS_DUTY)
- Advanced Financial Control Transaction Analysis Duty (FBI_ADVANCED_FINANCIAL_CONTROL_TRANSACTION_ANALYSIS_DUTY)
- Access Certification Transaction Analysis Duty (FBI_ACCESS_CERTIFICATION_TRANSACTION_ANALYSIS_DUTY)
Security Configuration Tab Is Read-Only
Because of the change to the security model, the Risk Management implementation of data security policies is no longer utilized. There is no longer a need to define data security policies and to map them to related Risk Management job or duty roles. However, they have not been removed; instead, the Security Configuration tab has been retained as a read-only resource to provide reference information to customers who defined data security policies.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
The intent of leaving this as a read-only page is to allow users to review prior configurations in the event they want to use that as a basis for future role definitions.
Role Information
The access to this page can be granted through the Enterprise Risk and Control Manager and the Risk Adminstrator job roles.
Additional Attributes for Advanced Controls REST API
New attributes were added to the existing Advanced Controls REST API. Specifically these were
Advanced Controls
- Global User ID
- Global User
- User First Name
- User Last Name
Steps to Enable
Review the REST service definition in the REST API guides, available from the Oracle Help Center > your apps service area of interest > REST API. If you're new to Oracle's REST services you may want to begin with the Quick Start section.
Ability to Initiate a Global User Sync Using REST API
A new attribute, Job Type, was added to the existing Run Advanced Controls Job REST API. This will allow users to initiate an additional type of job, such as the Global User Sync, prior to running their advanced control jobs, and therefore utilizing the most up-to-date information in the analysis.
Steps to Enable
Review the REST service definition in the REST API guides, available from the Oracle Help Center > your apps service area of interest > REST API. If you're new to Oracle's REST services you may want to begin with the Quick Start section.
Tips And Considerations
The primary objective of this enhancement was to allow users of the REST services who initiate either Advanced Access or Advanced Financial control analysis to also initiate the global user synchronization.
Although no technical changes were made, please take note of some task name changes on the REST API Oracle Help Center page. Provisioning Rules was previously called Advanced Controls Role Segregations. Under that, you'll find Create an intrarole rules check which used to be called Perform post operation on runIntraRoleCheck and Create a rules check for role assignments which used to be called Perform post operation on runUserRoleCheck.
Steps to Enable
Review the REST service definition in the REST API guides, available from the Oracle Help Center > your apps service area of interest > REST API. If you're new to Oracle's REST services you may want to begin with the Quick Start section.
Tips And Considerations
There's no action here, even if you are using the APIs. This was simply a change to the names shown in documentation to better describe what the APIs are used for.
Financial Reporting Compliance
Enhancements to Managing Assessment Batches
MY ASSESSMENTS TAB
Within the My Assessments tab, the assessment tasks are sorted by object type: process, risk, and control. The default view is set to the control object type. In addition, the search component has been added to enable you to search for a specific assessment task. When there are no tasks to complete, the page will return the standard "Nothing here so far" message.
ASSESSMENT BATCHES TAB
Assessment batches are secured. The Assessment Batches page lists the batches you're assigned to as an owner, editor, or viewer. In each row, the name of the batch and a new Count value are links to pages that provide more detail about the batch.
Click the name of an assessment batch to view the criteria established for it as it was initiated. Among them:
-
Use a Batch Assessment Security Assignment region to manage user assignments to the batch: update them if you're an owner, or view them if you're an editor or viewer.
-
Click a View Assessment Records Security button to manage the assignments of users to individual assessments within the batch.
The Count value displays the number of assessment records for the batch. It's also a link to a list of those records. From that list, you can perform actions and view results.
The Count value reports only the number of assessment records you're assigned to work with. For example, suppose an assessment batch includes a total of twenty assessment records. The count for the assessment batch owner/creator would be twenty. However, suppose another user is authorized as a viewer of the assessment batch, and is also assigned as a viewer of two assessment records. That user's count would be two.
Assessment Batch Tab View
View After You Click on the Count to View Assessment Records
A Partial View of the Assessment Batch Criteria After You Click on an Assessment Batch Name
By clicking the View Assessment Records Security button, the owner can update user assignments for individual assessment records. (By default, only the assessment batch creator is assigned as a viewer of those individual assessments, but during initiation, other users may be selected as assessors, reviewers, or approvers.) Once initiation is complete, an owner can add new users, but can't remove user assignments. Changes to the security are applied immediately. For new users to receive worklist notifications, the Security Synchronization job must run.
View Assessment Records Security Assignment
INITIATE AN ASSESSMENT BATCH
The process to initiate an assessment batch has been enhanced to be a guided process flow. In addition, the assessment batch is now separately secured. That means you are able to assign owners, editors, and viewers for the batch and separately secure the assessment result records.
Initiate Assessments Guided Process Flow
The final step is the assessment records security assignment. It allows you to assign one or multiple users and user groups to the assessment records. Here you are able to define the assessor, reviewer, approver (workflow), and viewer. Workflow as a whole works as it worked in prior releases, meaning if you only need an approver to approve the assessment record, then you only assign a user or user group as the approver. If both the reviewer and approver are left blank, once the assessor submits the assessment record, the state is updated to completed and no additional action can be taken.
Assessment Records Security Assignment
Once there is at least one assessor for each record, the assessment batch can be initiated.
ASSESSMENT TEMPLATES AND PLANS
Users with the appropriate privileges can create, edit, and view all templates and plans. In addition, assessment template and plan workflow features have been removed. That means you can now simply create or update these elements without standard workflow being enabled.
CREATING AN IMPROMPTU ASSESSMENT
The process to initiate an impromptu assessment has been enhanced to be a guided process flow. In addition, the impromptu assessment is now separately secured. That means you are able to assign owners, editors, and viewers for the batch.
Create an Impromptu Assessment
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
INITIATING AN ASSESSMENT BATCH
- Only the user who initiates the assessment batch has access to view all of the assessment result records within the assessment batch. To manage assessment security at the record level, you need to assign users at the Assessment Record Security page. Prior to clicking the Save and Define Assessment Record Security button, be sure the list of records to be assessed is accurate. Once you click the button, you will no longer be able to update the records to be assessed.
- An assessment batch inherits perspective selections from the plan it's based on. But if your plan accepts a default No Perspectives selection, and if you select no perspective values as you initiate the batch, then your batch includes records of the primary object regardless of what perspective values, if any, the records have been assigned.
- By default the owner defined when the assessment batch was initiated is the owner for the assessment result records. This assignment, at the assessment-result-record level, cannot be changed. You can add and remove owners to the assessment batch after it has been initiated. These changes will not be reflected in, nor impact, the assessment result records.
MANAGING ASSESSMENT BATCHES
- You can assign new users, but not remove user assignments once the assessment batch has been initiated. Changes to the security are applied immediately. For new users to receive worklist notifications, the Security Synchronization job must run.
MANAGING IMPROMPTU ASSESSMENTS
- Impromptu assessments are now managed as assessment batches. You will be able to manage these assessments within the Assessment Batches tab.
COMPLETING ASSESSMENTS
- While completing an assessment you can navigate to the object record at a glance pages. If you navigate to the Assessments tab within the at a glance, you will not be able to take any assessment action. You must navigate back to the complete assessment flow.
Remove the Abilitiy to Create Records While Relating Records
You no longer can create a new object record while you are within a Related Records section. You still have the ability to view and add object-record associations.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
When you have a new object record to associate with another object record, create the record first within its work area and then associate it to the object record.
Update to Survey Notifications
Once a survey has been initiated, the application sends an email message to each survey responder. Now the responder can simply click the embedded survey link within the message, and be redirected to the complete-survey pages.
Steps to Enable
You don't need to do anything to enable this feature.
Universal Panel Applied to Risk Context
The universal panel has been applied to the page in which users define criteria and details for risk context models.
Create Risk Context Criteria
Steps to Enable
You don't need to do anything to enable this feature.
Advanced Financial Controls has two new models that can be imported through the delivered Content Library. When you have access to these models, you will be able to select the Import action on the Models tab and select them from the Content Library. The following table provides information on the content library, library type, model name and business objects associated to the new model.
| Content Library | Library Type | Model Name | Business Objects |
|---|---|---|---|
| Enterprise Resource Planning Library |
Advanced Transaction Controls |
33002: Receivable Invoice Credit Memos Created by the Same User |
Customer Receivables Invoice (New) |
| Enterprise Resource Planning Library |
Advanced Transaction Controls |
33003: Receivables Invoice Balance Exceeds Customer Credit Limit |
Customer Receivables Payment Schedule (New) |
Steps to Enable
No advance setup is required for you to import models. However:
- For audit models, you must review audit-level information configured under Manage Audit Policies in Oracle Fusion Applications. Models that use audit business objects in Advanced Financial Controls can return data only after the corresponding information is enabled and configured under Manage Audit Policies.
- A Risk Management administrator must set the Transaction and Audit Performance Configuration date options under Advanced Controls Configurations tab under Risk Management > Setup and Administration. Two created-as-of-date options are required, one for transactions and the other for audit events. This setting improves performance by eliminating older data from data-synchronization jobs.
Finally, once you have performed the above and imported the models, you must run data synchronization which retrieves the source data used during model analysis.
Tips And Considerations
Before using new model content, evaluate available models that match requirements for your organization under the Import action for models. The Import from Content Library page is organized by product area and model types. Once you identify models appropriate for you, import, review, and modify them in your test environment. Importing all available models is not recommended. In some cases, you may have already imported the model in a previous update. Or, some may source data from products or audit configurations you have not enabled. Moreover, models may contain user-defined or imported business objects that create data set controls or objects, respectively.
Key Resources
- For more information about importing models, see "Import Models, Controls, or Conditions" chapter of Using Advanced Controls Management at Oracle Help Center > Cloud Applications > Risk Management > Books.
Changes Are Made to Business Objects
In this release there are additions and updates to business objects.
NEW BUSINESS OBJECTS
Two business objects have been added to support new model content. They include Receivables Invoice and Receivables Payment Schedule.
NEW BUSINESS OBJECT ATTRIBUTES
The Audit - Item business object was updated to add the InventoryOrganizationId1 attribute.
The Audit - Supplier business object was updated to add descriptive flexfield attributes and include the following:
- Descriptive Flexfield Character 1 New through Descriptive Flexfield Character 20 New
- Descriptive Flexfield Character 1 Old through Descriptive Flexfield Character 20 Old
- Descriptive Flexfield Date 1 New through Descriptive Flexfield Date 5 New
- Descriptive Flexfield Date 1 Old through Descriptive Flexfield Date 5 Old
- Descriptive Flexfield Number 1 New through Descriptive Flexfield Number 5 New
- Descriptive Flexfield Number 1 Old through Descriptive Flexfield Number 5 Old
OBSOLETE ATTRIBUTES
A number of attributes have been removed from several business objects. These obsolete attributes by business object are listed in the following table.
| Business Objects | Attributes |
|---|---|
| Asset Workbench | Adjustment Header Identifier Adjustment Line Identifier Adjustments: Creation Date Adjustments: Created By User Adjustments: Last Updated On Adjustments: Last Updated By User |
| Payment Process Request | Document Type Reference Number Documents Payable Document Amount Paid Amount Document Date Document Payables Identifier Documents Payable: Creation Date Documents Payable: Created By User Documents Payable: Last Updated On Documents Payable: Last Updated By User |
| Audit - Item | Organization Old Organization New Inventory ItemId1 Old Inventory ItemId1 New InventoryOrganizationId1 Old InventoryOrganizationId1 New |
ATTRIBUTE NAME CHANGES
Business objects have attributes that correspond to various business areas such as Expenses, Procurement, General Ledger and so on. In an effort to align the attribute labels shown in the Advanced Financial Controls business objects to labels defined in the corresponding application pages, several are updated. For example, the Expense Report Credit Cards business object had an attribute label "Card Member Name." This has been updated to "Name on the Card."
Access the list of business object attribute name changes.
Steps to Enable
If you use any of the obsolete attributes listed, ensure you have the most current models that correspond to your controls by exporting the controls from your 19D environment before you upgrade. Immediately import the controls as models in the 19D environment, because controls using any deprecated attribute in 20A will become invalid.
After you upgrade, identify models and controls that use obsolete attributes by searching on the Inactive status and the Invalid state.
- You can update models. Follow the inline guidance to do so.
- You cannot update controls. For any control that uses obsolete attributes, revise the model from which the control is developed so that it uses only valid attributes. Then redeploy the model as a control.
Tips And Considerations
Obsolete attributes impact only environments upgraded from 19D; they do not impact new implementations of 20A.
For renamed attributes, you don't need to do anything to models or controls that reference these names, just be aware they have changed.
Key Resources
Reference for the List of Business Object Attribute Name Changes.
If you use any of the obsolete attributes listed, and are upgrading from 19D:
- For models, refer to the 19A topic "Upgrade Impact to Models with Obsolete Attributes." When you have used an obsolete attribute in your model, additional actions may be required.
- For controls refer to the 19B topic "Pre-Upgrade Impact to Controls with Obsolete Attributes." When you have used an obsolete attribute in your control, additional actions will be required.
For the new business objects that support new models in the content library, refer to the 20A topic "New Models in Content Library" for Advanced Financial Controls.
Upgrade Validation When Business Objects Are Removed
During an upgrade, validation is in place to identify transaction models and controls that use attributes that have been removed, and for each, to set its state to Invalid and status to Inactive. This same validation is now in place if a business object is removed and a model or control uses the obsolete object. If this were to occur, you could edit models and follow the inline guidance; for controls, you would need to use model backup to update and deploy as a new control.
No business objects are removed from release 20A.
Steps to Enable
You don't need to do anything to enable this feature.
Direct Link to Worklist from Email
If you are a result investigator for a control, you're notified via email when new incidents are generated for that control. Previously, the link in the email message brought you to the springboard. Now, it brings you to the worklist page.
Worklists
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Although you don't need to do anything to enable this feature, if you don't already have email alerts enabled you'll need to do that. Navigate to Risk Management > Setup and Administration then click the Configure Module Objects tab to manage configuration options.
Enable Email
Drill from Advanced Control or Result to Related Records
You've always been able to relate advanced controls and results to Financial Reporting Compliance records such as processes, risks and controls. What's new is you can click on the related record and open the related record definition.
Related Record Hyperlink
Steps to Enable
You don't need to do anything to enable this feature.
Procurement Agent Buyer Attribute Is Removed
Beginning in 19C, procurement-related advanced access controls automatically exclude false positives when a user isn't set up as a procurement agent, or hasn't been allowed access to an action as a procurement agent. There is no longer a need to manually define the exclusion condition. So the attribute you would use to do so, Procurement Agent Buyer, is removed from the Access Conditions business object.
Procurement Agent Buyer Attribute
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
If you created conditions that reference this attribute, no need to worry. Although they continue to exist, they are ignored since the exclusion now happens automatically.
Restrict Visualization Record Selection
As an aid in resolving access incidents, you may create visualizations. These are graphic depictions of paths that lead from users to the roles they're assigned and ultimately to conflicting access points. The graph can be unwieldy when too many records are visualized at once. Therefore the number of records that can be selected is now limited to twenty-five.
A warning message alerts you if you have selected too many records.
Steps to Enable
You don't need to do anything to enable this feature.
Audit Is Enabled for User-Defined Access Points
You can now track changes made to Advanced Controls user-defined access points. For example, suppose a user-defined access point reads Human Resource Specialist - View All > Human Resource Specialist > Employee Hire > Rehire Employee. It's updated to remove Employee Hire, so the new value would read Human Resource Specialist - View All > Human Resource Specialist > Rehire Employee. You can now run a report to see that change, who changed it, and when.
Steps to Enable
- As a user such as Application Implementation Consultant, navigate to Setup and Maintenance and look for the Manage Audit Policies task. Go to Configure Business Object Attributes and then select Risks and Controls from the Product drop down.
- Select User-Defined Access Point under the User-Defined Access Points header. Then select the plus icon in the User-Defined Access Point: Audited Attributes section. Check each of the attributes you'd like to track changes for.
User-Defined Audit Attributes
- Now make a change to a user-defined attribute.
- Again, logged in as a user such as Application Implementation Consultant, navigate to Audit Report.
- Search for product Risks and Controls and click Search to see the history of inserts, updates, and deletes.
Provisioning Rules Integration with Security Console
You can now quickly assess segregation of duties (SoD) risk before provisioning new roles or editing existing roles within Security Console. To do this, create provisioning rules that define conflicts between roles. Then, while editing or creating roles in the Security Console, analyze the role structure for segregation-of-duties conflicts determined by the provisioning rules, and make changes to the role structure as needed until your role is conflict-free.
Here's an example of how it works:
- First, follow the steps to enable the Segregation of Duties train stop in the Security Console.
- Next, create some provisioning rules. Below a rule has been defined that considers the combination of Journal Management and Enterprise Structures Administrator duties a risky combination.
Provisioning Rules
- Now, in the Security Console, create a role that has Journal Management and Enterprise Structures Administration duty roles in it.
- On the Segregation of Duties train stop, select Analyze. Any roles that together cause a conflict as defined in the provisioning rules page will appear:
Segregation of Duties Train Stop
At this point, you'd probably want to go back to the Role Hierarchy train stop and eliminate one role in each pair.
Steps to Enable
ENABLE SEGREGATION OF DUTIES TRAIN STOP IN SECURITY CONSOLE
- As a user with a role such as IT Security Manager, navigate to Setup and Maintenance.
- Search and select Manage Administrator Profile Values.
- Search for Application equal to Application Security.
- Select the row with profile option code ASE_SEGREGATION_OF_DUTIES_SETTING.
- Select Profile Level Site and set Profile value to Yes.
- Save and Close > Done.
Navigate to the Security Console. When a user creates or edits a role, the Segregation of Duties train stop will be enabled.
CREATE PROVISIONING RULES
- As a user with a role such as Application Access Auditor, navigate to Advanced Controls.
- Select the Provisioning Rules tab.
- Add provisioning rules.
Tips And Considerations
Keep in mind, provisioning rules operate entirely separately from, but may complement, the rigorous segregation-of-duties analysis performed by access models and controls.
Role Information
- The Application Access Auditor role has the privilege that allows the creation of provisioning rules.
- IT Security Manager (among others) can manage administrator profile values in Setup and Maintenance (as well as access to Security Console).
Direct Link to Worklist from Email
If you are a result investigator for a control, you're notified via email when new incidents are generated for that control. Previously, the link in the email message brought you to the springboard. Now, it brings you to the worklist page.
Worklists
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Although you don't need to do anything to enable this feature, if you don't already have email alerts enabled you'll need to do that. Navigate to Risk Management > Setup and Administration then click the Configure Module Objects tab to manage configuration options.
Enable Email
Drill from Advanced Control or Result to Related Records
You've always been able to relate advanced controls and results to Financial Reporting Compliance records such as processes, risks and controls. What's new is you can click on the related record and open the related record definition.
Related Record Hyperlink
Steps to Enable
You don't need to do anything to enable this feature.
Initating an Access Certification and the Finalize Roles Scoreboard Enhanced
The process to initiate an access certification has been enhanced to a guided process flow.
Access Certfication Guided Process
Once you have clicked Save and Continue, the certification will be saved and be available from the Access Certification page. The process will guide you through the creation of a certification. The Security Assignment has been enhanced, where you assign the owner, editor, and viewer of the certification. Since the term owner was already being used as a specific certification actor, the terminology of access certification actors have been updated. Administrator is now owner, owner is now referred to as manager, and the term certifier has not been updated.
Access Certification Guided Process
Once the certification has been submitted, the next step is to finalize the roles. The scoreboard has been enhanced to include the total number of unique users that are associated to the proposed roles. As you include or exclude roles the scoreboard will update automatically. In addition, a new User Count column has been added. This column allows you to view the number of users by role. This feature enables you to view the overall number of user/role combinations to certify.
Finalize Roles Scoreboard
Steps to Enable
You don't need to do anything to enable this feature.
Transactional Business Intelligence for Risk Management
Updated Inaccessible Records Report
The existing Inaccessible Records report identifies records no one has access to. Since security used to be based on perspectives, but is now based on user authorization, this report is updated to show inaccessible records based on the new security. Below is an example of the report.
Inaccessible Records Report
Steps to Enable
Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).
Risk Management Cloud - Assessment Results Real Time and Compliance Real Time Subject Areas Enhanced
The Risk Management Cloud - Assessment Results Real Time subject area has been enhanced to allow you to create a report that includes survey results with assessment results. In addition you can now report on the comments the assessment reviewer or approver submitted.
Example of Assessment and Survey Responses
Additional attributes have been applied to the Risk Management Cloud - Assessment Results Real Time and the Compliance Real Time subject areas.
RISK MANAGEMENT CLOUD - ASSESSMENT RESULTS REAL TIME
- Assessment Results Details
- Approver Comments
- Approver Comment Created By
- Approver Comment Creation Date
- Assessment Result label was changed to Response
- Assessment Result > Control Test Plan Results
- Test Step Result label was changed to Test Step Response
- Assessment Result > Control Test Plan Results
- Test Step Result Summary
RISK MANAGEMENT CLOUD - COMPLIANCE REAL TIME
- Control Details
- Last Updated Date
- Enforcement Type
Steps to Enable
Leverage new subject areas by adding them to existing reports or using them in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).
Additional Employee Attributes Added
Sixteen user/employee attributes are now available in the Access Certification Details dimension of the Risk Management Cloud - Access Certification Real Time subject area.
Additional Attributes
Steps to Enable
Leverage new subject areas by adding them to existing reports or using them in new reports. For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).
IMPORTANT Actions and Considerations
COMMON
Security
Due to the new features in 20A around Change to Direct Assignment Security Model, security artifacts will be removed or renamed in future releases. Those to be removed include:
- The Enterprise Risk and Controls Manager job role, and its nested primary and composite duties.
- The Compliance Manager job role, and its nested primary and composite duties.
- Privileges that will no longer be required, because new ones for the direct-assignment security model will replace them. You can identify the privileges planned for removal: In the 20A version of the Security Reference for Risk Management, the name of each contains the suffix "To Be Deprecated." You can search for this suffix.
The following job roles will be renamed. (You may see the new names in the Security Reference, but the new names will appear in the Security Console in a future release.)
- Application Access Auditor will be renamed Advanced Access Controls Analyst
- Application Control Manager will be renamed Advanced Transaction Controls Analyst
- User Access Certification Manager will be renamed Access Certification Administrator
The Security Reference for Risk Management is available at Oracle Help Center > Cloud Applications > Risk Manager > Books.
ADVANCED ACCESS CONTROLS
Reports to Be Discontinued
As a heads-up, three reports found in the Advanced Controls Report work area will be removed in the quarterly update 20B because they are easily created in OTBI. These include the Conditions report, Entitlements report, and Result Summary Extract report.
Please take this opportunity to create your desired reports in OTBI and be sure to check Cloud Customer Connect in case someone has already created and posted what you are looking for.