Cloud Readiness / Oracle Fusion Cloud Risk Management
What's New

Update 23D

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date | Module | Feature | Notes
13 OCT 2023 | Access Certification | Enhanced Access Certifier Worksheet | Updated document. Revised feature information.
13 OCT 2023 | Advanced Access Controls | Access Analysis Extended to EPM-ARCS Data Source | Updated document. Added Tips and Considerations.
15 SEP 2023 | | | Created initial document.

Overview

HAVE AN IDEA?

We’re here and we’re listening. If you have a suggestion on how to make our cloud services even better then go ahead and tell us. There are several ways to submit your ideas, for example, through the Ideas Lab on Oracle Customer Connect. Wherever you see this icon after the feature name it means we delivered one of your ideas.

GIVE US FEEDBACK

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

DISCLAIMER

The information contained in this document may include statements about Oracle’s product development plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle.

This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices and Terms of Use for further information.

Feature Summary

Column Definitions:

Report = New or modified, Oracle-delivered, ready to run reports.

UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.

UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.

Features Delivered Disabled = Action is needed BEFORE these features can be used by END USERS. These features are delivered disabled and you choose if and when to enable them. For example, a) new or expanded BI subject areas need to first be incorporated into reports, b) Integration is required to utilize new web services, or c) features must be assigned to user roles before they can be accessed.

Ready for Use by End Users (Feature Delivered Enabled): Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features.

Customer Must Take Action before Use by End Users (Feature Delivered Disabled): Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing.

Feature | Report | UI or Process-Based: Small Scale | UI or Process-Based: Larger Scale*

Risk Common

Common Risk Management

Risk Management Dashboard Icon

Transaction Synchronization Job Is Seeded on the Scheduling Page

Advanced Control Results Export Is Now a Job

Transactional Business Intelligence for Risk Management

New Default Result User Security Assignment in Advanced Controls Analyses

Financial Reporting Compliance

Financial Reporting Compliance

Improvement to Survey Participant Lists

Improvements to Automated Notifications

Risk Management

Access Certification

Enhanced Access Certifier Worksheet

Advanced Access Controls

New and Revised Models in Content Library

Access Analysis Extended to EPM-ARCS Data Source

Larger Entitlement Names Now Allowed

Advanced Financial Controls

Changes Are Made to Business Objects

Risk Common

Common Risk Management

Risk Management Dashboard Icon

If you have created a Risk Management dashboard in OTBI, you can now open it from a Risk Management Dashboard springboard icon. The new Risk Management dashboard icon is optional, and you can hide it by removing the new privilege from your security profile.

The Risk Management Dashboard Springboard Icon

Creating a Risk Management reporting dashboard presents a significant business advantage by consolidating essential data and reports within a single, centralized location. This integrated approach brings together both the dashboard itself and the underlying application generating the reports. This seamless coexistence streamlines accessibility, fosters better collaboration, and reduces the time spent navigating between disparate systems.

Steps to Enable

Once you've created your dashboard in OTBI, copy its URL link. Then navigate to Risk Management Setup and Administration > Configuration Options > Risk Management Dashboard Configuration, and paste the URL into the Custom Dashboard URL field. The URL is global, meaning that all users with the View Risk Management Dashboard privilege have access to the dashboard. OTBI security manages the data-level security within the dashboard and determines which tabs each user can view.

Example of the Risk Management Dashboard Configuration

Tips And Considerations

When designing and creating your OTBI dashboard, consider incorporating multiple pages to capture the diverse analyses necessary to support your specific business needs. OTBI applies the same level of data security as defined for each Risk Management module, ensuring a comprehensive business solution for all active users.

By default, all Risk Cloud job roles include the View Risk Management Dashboard privilege. If you have already created your own dashboard icon and don't want the new dashboard icon to render, you will need to remove the new privilege from each predefined Risk Management job role.

Access Requirements

The new Risk Management dashboard icon feature requires one new privilege, which is added directly to six predefined job roles. If you've customized your job roles, you need to add the new privilege to them. If you use predefined job roles, you don't need to make any changes.

New Privilege: View Risk Management Dashboard (GTG_VIEW_RISK_MANAGEMENT_DASHBOARD)

Job Roles Inheriting Privilege:

  • Advanced Access Controls Analyst
  • Advanced Transaction Controls Analyst
  • External Auditor
  • Risk Activities Manager
  • Risk Administrator
  • Access Certification Administrator

Transaction Synchronization Job Is Seeded on the Scheduling Page

In the Setup and Administration > Scheduling page, the Transaction Data Source Sync job has been added as a seeded job. This job can be set up to run on a recurring basis or on demand. This seeding does not impact the existing locations where the Transaction Data Source Sync can be initiated.

Seeded Jobs

The Advanced Controls Configuration page also enables users to schedule or run the job. Users without access to that page can use the Scheduling page instead.

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Control Results Export Is Now a Job

When you export results from the results page for a model or control, the export file is generated by a dedicated job. After you select the Export to Excel button, you'll be prompted with a job ID. In the Monitor Jobs page, a record of the export job displays the model or control name and the job ID number. Once the job is complete, select the download button to download the spreadsheet.

Spreadsheet Export Job

When you export data, the UI will no longer be locked while the export file is generated, which in some cases was for an extended period.

Steps to Enable

You don't need to do anything to enable this feature.

Transactional Business Intelligence for Risk Management

New Default Result User Security Assignment in Advanced Controls Analyses

Advanced Controls has security assignments associated to two objects, controls and results. On a control, there are two kinds of security assignments, control and control result. Previously, you could report only on security assignments associated to the control (for the control object) and results. In the Risk Management Cloud - Advanced Access Controls Real Time subject area and in the Risk Management Cloud - Advanced Financial Controls Real Time subject area, the Advanced Control Details folder has been enhanced to include Control Result User Security Assignment for the control object. You can now report on these control result user security assignments:

  • Advanced Control Details > Control > Default Result Group Security Assignment
    • Group Name
    • Object
    • Authorization Level
    • Eligibility Flag
    • Member Name
  • Advanced Control Details > Control > Default Result Group Security Assignment > Facts - Default Result Group Security Assignment
    • Count of Eligible Members
    • Count of Members Not Eligible
  • Advanced Control Details > Control > Control Result User Security Assignment > Default Result User Security Assignment
    • Group Name
    • Object
    • Authorization Level
    • Eligibility Flag
    • Member Name
  • Advanced Control Details > Control > Control Result User Security Assignment > Facts - Default Result User Security Assignment
    • Count of Editors
    • Count of Owners
    • Count of Viewers

New Dimensions Added to Advanced Control Details

The addition of Control Result User Security Assignments provides insight regarding the security assignments that will be defaulted on the results generated by the control.

Steps to Enable

You don't need to do anything to enable this feature.

Financial Reporting Compliance

Financial Reporting Compliance

Improvement to Survey Participant Lists

Survey Participant Lists, a new tab in the Surveys work area, empowers survey owners to manage survey participants effectively by utilizing participant lists. Survey owners can create new participant lists, each containing up to 500 participants, and can update the lists to include or exclude participants. (To do so, they must have a privilege called Complete a Survey.) A participant list can be active or inactive, and only active lists are available when a new survey is initiated.

Managing Participant Lists

The Survey Participant Lists Tab

Example of Creating a Survey Participant List

Managing Participants for a Survey

During the survey creation process, the survey owner has the option to include participants by selecting from existing participant lists or adding individual participants. When an owner adds a participant list to a survey, the survey references that list as it is at that moment. If any changes are subsequently made to the list, the survey continues to recognize it as it was when it was added to the survey. Changes to the list don't affect surveys for which the list had previously been selected.

Example of managing the participants while creating a survey

Participant lists provide valuable benefits for your business. With participant lists, you can efficiently target specific groups, ensuring that your surveys reach the right audience and increasing the quality of responses or attendance. By maintaining organized participant lists, you establish a consistent communication channel that saves time and reduces errors, while also centralizing and managing participant data for better-informed decision-making.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

Although participant lists can be updated, any changes made will take effect only with the next use of the list within a survey. If you anticipate changes, it's essential to make those updates before utilizing the list in a survey.

Improvements to Automated Notifications

Automated email notifications have been improved, directing recipients to specific UI pages according to record status.

Rejected Object Record Scenario

In the Financial Reporting Compliance workflow, assigned reviewers and approvers may reject submitted records of processes, risks, controls, issues, or remediation plans. When a record is rejected, the submitting user receives an automated notification that prompts for action. By clicking the Take Action button in the notification, the user is now instantly directed to the relevant UI page for the rejected record in edit mode. This efficient process empowers users to promptly address the reason for the rejection.

Object Record Email Reminders

For records of issues and remediation plans, the owner can trigger an email reminder for an approved record. This reminder prompts the assigned owners and editors to take necessary action and move towards resolution. Once the users receive the reminder email and access it, they are now directed to the record in a view-only mode.

Approval History Section

Email reminders for issues and remediation plans now include an Approval History section.

Record Reaches an Approved State

Once an issue or remediation plan record has reached an Approved state, the application will not send a notification for either the owner or editor to take action. The owner can send an email reminder to the assigned owners and editors for them to take necessary action and move towards resolution.

These additional enhancements present a host of valuable business advantages by seamlessly guiding assigned users to the relevant record UI. The enhancement fosters a quicker and more intuitive engagement with critical tasks. This streamlined approach not only saves users time but also facilitates informed decision-making by providing immediate access to the necessary context. As a result, resolution processes become more agile, collaboration is enhanced, and operational efficiency receives a substantial boost.

Steps to Enable

You don't need to do anything to enable this feature.

Risk Management

Access Certification

Enhanced Access Certifier Worksheet

An optional enhanced Certifier Worksheet page offers improved performance, usability, and a streamlined certification process.

The redesigned worksheet isn't enabled by default. To enable it and replace the original worksheet, use Oracle Functional Setup Manager to update a profile option. For instructions, see the Steps to Enable section below. (If you choose not to enable it, you would continue using the original worksheet.)

Having enabled the new worksheet, you can navigate to it as you would have to the original worksheet. The new UI offers multiple enhancements that improve the user experience.

The Redesigned Certifier Worksheet

Summary of Enhancements

  • The UI page header renders the certification name, and the subheader renders the certifier’s name.
  • Each row of the Certifier Worksheet table is a record of a user-role combination to be reviewed for certification. The table includes these default columns:
    • Role Name
    • User Name
    • Direct Manager (the manager of users whose role assignments are being reviewed for certification)
    • Action
    • File or URL
    • Comments
  • The Columns icon lets you manage the columns displayed in the table. You can choose which columns to show and which to hide, and you can also change the order of the columns. Please note that these selections won't be saved for future sessions.

Updating the Column View

  • Select any number of rows representing user-role combinations about which you want to make certification decisions. Then click one of the following buttons.
    • Keep Roles: The assignment of selected roles to users is certified as appropriate.
    • Remove Roles: The selected roles assigned to users should be removed by the security administrator, with a required comment to be applied to all selected rows.
    • Investigate: The assignment of selected roles to users remains under investigation.
    • More Actions > Add Comments: The comment will be applied to all selected rows.
  • Select a single row, then click a More Actions button to complete any of the following actions.
    • Add Comments: Write a comment about a user-role combination.
    • Add File and URL: Add an attachment to a user-role combination.
    • Audit History: Open a panel drawer that displays historical activity, in reverse-chronological order.
    • Certification Details: Open a panel drawer that displays details of the certification.
  • Review your certification decisions. For each user-role combination, the Action column displays one of these badges:
    • Review: The user-role combination has not yet been acted upon. This is the initial action for all user-role combinations. The badge is neutral-colored.
    • Keep Role: The user-role combination is to be retained. The badge is green.
    • Remove Role: The user-role combination is rejected. The badge is red.
    • Investigate: The user-role combination is under investigation by the certifier. The badge is blue.
  • A self-certify flag indicates that the certifier is the user whose role assignment is being reviewed.
  • Smart filtering and search capabilities are available. Click filter chips to filter by:
    • Action
    • Role Name
    • User Name
    • Direct Manager
    • More Filters, to filter on the remaining columns in the worksheet. These include Role Code, Self-Certify, and configurable attributes such as Business Unit or Job Function.
  • By default, rows are sorted alphabetically by Role Name, and then by action of the user-role combination, in this order: Review, Investigated, Keep Role, and Remove Role.
  • Each of the Role Name, Role Description, and User Name columns has ascending and descending sort capability. You can sort on only one column at a time.

The new Certifier Worksheet UI page provides end-user performance enhancements and streamlines the certification process for stakeholders.

Steps to Enable

The new Certifier Worksheet is disabled by default. Use Oracle Functional Setup Manager to enable it.

  1. In the Navigator, select My Enterprise > Setup and Maintenance.
  2. Expand the Tasks panel tab and click Search.
  3. In the Search Tasks field, enter Manage Administrator Profile Values. Click the search icon.
  4. Click the Manage Administrator Profile Values item in the list.
  5. In the Profile Option Code search field, enter ORA_GTR_ACERT_ENHANCED_WORKSHEET_ENABLED. Click the Search button.
  6. A record of the ORA_GTR_ACERT_ENHANCED_WORKSHEET_ENABLED profile value appears. In its Profile Value field, select Yes.
  7. Click Save and Close.

Tips And Considerations

To perform certification analysis by user rather than by role, simply perform a sort on the User Name column.

Advanced Access Controls

New and Revised Models in Content Library

Oracle has introduced 2 new entitlements and made changes to 4 entitlements that are used by delivered-content models. If you're using any of the affected models, consider making the same changes. Oracle has renamed 1 existing model, and introduced 36 new models.

FINANCIALS

Updated Entitlement: Sensitive Accounting Period Statuses

The following five privileges have been added to the Sensitive Accounting Period Statuses entitlement:

  • Manage Accounts Payable Accounting Period Status (ORA_GL_ACCOUNTS_PAYABLE_PERIOD_STATUS_MANAGEMENT_DUTY)
  • Manage Accounts Receivable Accounting Period Status (ORA_GL_ACCOUNTS_RECEIVABLE_PERIOD_STATUS_MANAGEMENT_DUTY)
  • Manage General Ledger Accounting Period Status (ORA_GL_MANAGE_GENERAL_LEDGER_ACCOUNTING_PERIOD_STATUS_AGGR)
  • Manage Revenue Management Accounting Period Status (ORA_GL_REVENUE_MANAGEMENT_PERIOD_STATUS_MANAGEMENT_DUTY)
  • Manage Projects Accounting Period Status (ORA_GL_PROJECTS_PERIOD_STATUS_MANAGEMENT_DUTY)

The following privilege has been removed from the Sensitive Accounting Period Statuses entitlement:

  • Manage Accounting Period Status

Model affected:

  • 9803: Renamed from "Sensitive Accounting Period Status Privilege" to "Sensitive Accounting Period Status Privileges" (made it plural).

The model definition has been updated to reference just this one sensitive access entitlement. Previously, the control raised a result wherever an accounting period status aggregate privilege was in an inappropriate role. For example, if the aggregate privilege Manage Accounts Payable Accounting Period Status was in a General Ledger job role assigned to a user, a result was generated. The intention, however, is to identify users who can open and close periods for any one of the following areas: accounts payable, accounts receivable, general ledger, revenue management, or project accounting. The model has been updated accordingly.

New Entitlement: Update Subledger Transactions

Add privilege:

  • Update Subledger Transactions (XLA_UPDATE_SUBLEDGER_TRANSACTIONS_PRIV)

New Model: 6930: Set Up Accounting Hub and Update Subledger Transactions

In general, one user should not manage set up activities and also transaction activities. End-to-end transactions could be created that lead to financial misstatements. Here specifically, someone could change data coming in from the source system.

Updated Entitlement: Sensitive General Ledger Privileges

Add privileges:

  • Activate Subledger Journal Entry Rule Set Assignments (XLA_ACTIVATE_SUBLEDGER_JOURNAL_ENTRY_RULE_SET_ASSIGNMENT_PRIV)
  • Manage Subledger Account Rule (XLA_MANAGE_SUBLEDGER_ACCOUNT_RULE_PRIV)

Model affected:

  • 9806: Sensitive General Ledger Privileges

New Models:

  • 10017: Import Subledger Accounting Transactions and Maintain Project Accounting Transactions, Reporting
  • 10018: Import Subledger Accounting Transactions and Maintain Project Accounting for General Ledger
  • 5243: Import Subledger Accounting Transactions and Enter Accounts Receivables Invoice
  • 6751: Import Subledger Accounting Transactions and Approve Payables Invoices
  • 6771: Import Subledger Accounting Transactions and Assets Depreciation
  • 6781: Import Subledger Accounting Transactions and Assets Workbench
  • 6791: Import Subledger Accounting Transactions and Capitalizing Assets
  • 6801: Import Subledger Accounting Transactions and Create Payables Invoices
  • 6811: Import Subledger Accounting Transactions and Create Payments
  • 6821: Import Subledger Accounting Transactions and Create Purchase Orders
  • 6841: Import Subledger Accounting Transactions and Enter Customer Receipts
  • 6861: Import Subledger Accounting Transactions and Physical Inventory
  • 6872: Import Subledger Accounting Transactions and Post Journal Entry
  • 6873: Import Subledger Accounting Transactions and Manage Financial Applications Workflow Rules
  • 6881: Import Subledger Accounting Transactions and Release Sales Order
  • 6891: Import Subledger Accounting Transactions and Remittances
  • 6901: Import Subledger Accounting Transactions and Set Up Assets
  • 6902: Import Subledger Accounting Transactions and Set Up General Ledger Chart of Accounts
  • 6931: Import Subledger Accounting Transactions and Set Up General Ledger Currencies
  • 6932: Import Subledger Accounting Transactions and Set Up General Ledger Daily Rates
  • 6933: Import Subledger Accounting Transactions and Manage Accounting Data Security
  • 6934: Import Subledger Accounting Transactions and Set Up General Ledger Sets
  • 6935: Import Subledger Accounting Transactions and Set Up General Ledger Options
  • 6936: Import Subledger Accounting Transactions and Set Up General Ledger Statistical Units of Measure
  • 6937: Import Subledger Accounting Transactions and Manage Accounting Period Statuses for General Ledger
  • 6938: Import Subledger Accounting Transactions and Define Accounting Calendars
  • 6939: Import Subledger Accounting Transactions and Manage Journal Approval Rules
  • 6940: Import Subledger Accounting Transactions and Set Up General Ledgers
  • 6941: Import Subledger Accounting Transactions and Manage General Ledger Balances Cube
  • 6942: Import Subledger Accounting Transactions and Manage General Ledger Enterprise Structures
  • 6943: Import Subledger Accounting Transactions and Post Journal Entry and Manage Accounting Period Statuses for General Ledger
  • 6944: Import Subledger Accounting Transactions and Post Journal Entry and Manage Journal Sources
  • 6945: Import Subledger Accounting Transactions and Post Journal Entry and Setup General Ledgers

The combination of the conflicting privileges allows a user to execute an end-to-end transaction that could result in a misstatement in financials. Many customers choose to automate the process of importing subledger accounting transactions from source applications such as accounts receivables and accounts payables. Generally, an automated user account is associated to these transactions. A user, even an automated user account, must have a set of access points related to importing files containing subledger transactions in order to actually import subledger accounts and create journals. Those access points are defined in these controls and set in conflict with another entitlement.

There are two additional access points to consider adding to the model logic if the features are enabled:

  • If the multi-period accounting feature or the accrual reversal feature is turned on, then also include this privilege in the control logic:
    • Create Subledger Multiperiod and Accrual Reversal Entry (XLA_CREATE_SUBLEDGER_MULTIPERIOD_AND_ACCRUAL_REVERSAL_ENTRY_PRIV)
  • If the JE rule set is configured to allow balance updates, then also include this privilege in the control logic:
    • Update Subledger Accounting balance (XLA_UPDATE_SUBLEDGER_ACCOUNTING_BALANCE_PRIV)

New Entitlement: Set Up Accounting Hub

Add privileges:

  • Create and Assign Subledger Standard Source (XLA_CREATE_AND_ASSIGN_SUBLEDGER_STANDARD_SOURCE_PRIV)
  • Define Subledger Application (XLA_DEFINE_SUBLEDGER_APPLICATION_PRIV)
  • Manage Subledger Accounting Attribute (XLA_MANAGE_SUBLEDGER_ACCOUNTING_ATTRIBUTE_PRIV)
  • Manage Subledger Accounting Existing Scope (XLA_MANAGE_SUBLEDGER_ACCOUNTING_EXISTING_SCOPE_PRIV)
  • Manage Subledger Accounting Method (XLA_MANAGE_SUBLEDGER_ACCOUNTING_METHOD_PRIV)
  • Manage Subledger Accounting Option (XLA_MANAGE_SUBLEDGER_ACCOUNTING_OPTION_PRIV)
  • Manage Subledger Application Transaction Object (XLA_MANAGE_SUBLEDGER_APPLICATION_TRANSACTION_OBJECT_PRIV)
  • Manage Subledger Description Rule (XLA_MANAGE_SUBLEDGER_DESCRIPTION_RULE_PRIV)
  • Manage Subledger Formula (XLA_MANAGE_SUBLEDGER_FORMULA_PRIV)
  • Manage Subledger Journal Entry Rule Set (XLA_MANAGE_SUBLEDGER_JOURNAL_ENTRY_RULE_SET_PRIV)
  • Manage Subledger Journal Line Rule (XLA_MANAGE_SUBLEDGER_JOURNAL_LINE_RULE_PRIV)
  • Manage Subledger Mapping Set (XLA_MANAGE_SUBLEDGER_MAPPING_SET_PRIV)
  • Manage Subledger Mapping Set Value (XLA_MANAGE_SUBLEDGER_MAPPING_SET_VALUE_PRIV)
  • Manage Subledger Standard Source (XLA_MANAGE_SUBLEDGER_STANDARD_SOURCE_PRIV)
  • Manage Subledger Supporting Reference (XLA_MANAGE_SUBLEDGER_SUPPORTING_REFERENCE_PRIV)
  • Update Subledger Application (XLA_UPDATE_SUBLEDGER_APPLICATION_PRIV)

New Models:

  • 6928: Set Up Accounting Hub and Enter Journals
  • 6929: Set Up Accounting Hub and Post Journal Entry

In general, one user should not manage set up activities and also transaction activities. End-to-end transactions could be created that lead to financial misstatements.
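The following is an added example, not Oracle code or part of the original release notes. It sketches how a separation-of-duties model (6930) and a sensitive-access model (9803) can be evaluated over entitlements, assuming an entitlement matches when a user holds any one of its privileges and an SoD model fires when every one of its entitlements matches. The role names, user names, and the reduced privilege sets are constructed for illustration.

```python
from dataclasses import dataclass

# Entitlements: named sets of access points (privilege codes quoted from this page).
# "Set Up Accounting Hub" is shortened to four of its listed privileges.
ENTITLEMENTS = {
    "Set Up Accounting Hub": {
        "XLA_DEFINE_SUBLEDGER_APPLICATION_PRIV",
        "XLA_MANAGE_SUBLEDGER_ACCOUNTING_METHOD_PRIV",
        "XLA_MANAGE_SUBLEDGER_JOURNAL_ENTRY_RULE_SET_PRIV",
        "XLA_MANAGE_SUBLEDGER_MAPPING_SET_PRIV",
    },
    "Update Subledger Transactions": {
        "XLA_UPDATE_SUBLEDGER_TRANSACTIONS_PRIV",
    },
    "Sensitive Accounting Period Statuses": {
        "ORA_GL_ACCOUNTS_PAYABLE_PERIOD_STATUS_MANAGEMENT_DUTY",
        "ORA_GL_ACCOUNTS_RECEIVABLE_PERIOD_STATUS_MANAGEMENT_DUTY",
        "ORA_GL_MANAGE_GENERAL_LEDGER_ACCOUNTING_PERIOD_STATUS_AGGR",
        "ORA_GL_REVENUE_MANAGEMENT_PERIOD_STATUS_MANAGEMENT_DUTY",
        "ORA_GL_PROJECTS_PERIOD_STATUS_MANAGEMENT_DUTY",
    },
}


@dataclass(frozen=True)
class Model:
    number: str
    name: str
    # One entitlement = sensitive-access model; two or more = SoD model.
    entitlements: tuple


MODELS = [
    Model("6930", "Set Up Accounting Hub and Update Subledger Transactions",
          ("Set Up Accounting Hub", "Update Subledger Transactions")),
    Model("9803", "Sensitive Accounting Period Status Privileges",
          ("Sensitive Accounting Period Statuses",)),
]

# Constructed sample data: hypothetical custom roles and users.
ROLE_PRIVILEGES = {
    "CUSTOM_ACCOUNTING_HUB_SETUP": {
        "XLA_DEFINE_SUBLEDGER_APPLICATION_PRIV",
        "XLA_MANAGE_SUBLEDGER_MAPPING_SET_PRIV",
    },
    "CUSTOM_SUBLEDGER_CLERK": {"XLA_UPDATE_SUBLEDGER_TRANSACTIONS_PRIV"},
    "CUSTOM_GL_ACCOUNTANT": {
        "ORA_GL_ACCOUNTS_PAYABLE_PERIOD_STATUS_MANAGEMENT_DUTY",
    },
}
USER_ROLES = {
    "asmith": ["CUSTOM_ACCOUNTING_HUB_SETUP", "CUSTOM_SUBLEDGER_CLERK"],
    "bjones": ["CUSTOM_ACCOUNTING_HUB_SETUP"],
    "cwu": ["CUSTOM_GL_ACCOUNTANT"],
}


def access_paths(user):
    """Return every (role, privilege) path through which the user gains access."""
    return [(role, priv)
            for role in USER_ROLES.get(user, [])
            for priv in sorted(ROLE_PRIVILEGES.get(role, ()))]


def evaluate(model, user):
    """Return one result record per access path if the model fires, else []."""
    paths = access_paths(user)
    records = []
    for ent in model.entitlements:
        hits = [(r, p) for r, p in paths if p in ENTITLEMENTS[ent]]
        if not hits:
            # Every entitlement in the model must match; one miss means no result.
            return []
        records += [{"model": model.number, "user": user, "entitlement": ent,
                     "role": r, "access_point": p} for r, p in hits]
    return records


def run_all():
    """Evaluate every model against every user; keep only models that fired."""
    out = {}
    for m in MODELS:
        for u in USER_ROLES:
            recs = evaluate(m, u)
            if recs:
                out[(m.number, u)] = recs
    return out


if __name__ == "__main__":
    for (number, user), recs in run_all().items():
        for rec in recs:
            print(number, user, rec["entitlement"], rec["role"], rec["access_point"])
```

Because 9803 references a single entitlement, the user cwu is reported for holding one period-status privilege regardless of which role carries it, which matches the revised intent described for that model.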

Updated Entitlement: Enter Journals

Add privileges:

  • Override Subledger Journal Entry (XLA_OVERRIDE_SUBLEDGER_JOURNAL_ENTRY_PRIV)
  • Manage Subledger Journal Entry Manually (XLA_MANAGE_SUBLEDGER_JOURNAL_ENTRY_MANUALLY_PRIV)
  • Manage Subledger Account Rule (XLA_MANAGE_SUBLEDGER_ACCOUNT_RULE_PRIV)

Models affected:

  • 10015: Maintain Project Accounting Transactions, Reporting and Enter Journals
  • 10016: Maintain Project Accounting for General Ledger and Enter Journals
  • 5241: Enter Accounts Receivables Invoice and Enter Journals
  • 6750: Enter Journals and Approve Payables Invoices
  • 6770: Enter Journals and Assets Depreciation
  • 6780: Enter Journals and Assets Workbench
  • 6790: Enter Journals and Capitalizing Assets
  • 6800: Enter Journals and Create Payables Invoices
  • 6810: Enter Journals and Create Payments
  • 6820: Enter Journals and Create Purchase Orders
  • 6840: Enter Journals and Enter Customer Receipts
  • 6860: Enter Journals and Physical Inventory
  • 6870: Enter Journals and Post Journal Entry
  • 6871: Enter Journals and Manage Financial Applications Workflow Rules
  • 6880: Enter Journals and Release Sales Order
  • 6890: Enter Journals and Remittances
  • 6900: Enter Journals and Set Up Assets
  • 6911: Enter Journals and Set Up General Ledger Chart of Accounts
  • 6912: Enter Journals and Set Up General Ledger Currencies
  • 6913: Enter Journals and Set Up General Ledger Daily Rates
  • 6914: Enter Journals and Manage Accounting Data Security
  • 6915: Enter Journals and Set Up General Ledger Sets
  • 6916: Enter Journals and Set Up General Ledger Options
  • 6917: Enter Journals and Set Up General Ledger Statistical Units of Measure
  • 6918: Enter Journals and Manage Accounting Period Statuses for General Ledger
  • 6919: Enter Journals and Define Accounting Calendars
  • 6920: Enter Journals and Manage Journal Approval Rules
  • 6921: Enter Journals and Set Up General Ledgers
  • 6922: Enter Journals and Manage General Ledger Balances Cube
  • 6923: Enter Journals and Manage General Ledger Enterprise Structures
  • 6925: Enter Journals and Post Journal Entry and Manage Accounting Period Statuses for General Ledger
  • 6926: Enter Journals and Post Journal Entry and Manage Journal Sources
  • 6927: Enter Journals and Post Journal Entry and Setup General Ledgers

Updated Entitlement: Sensitive IT Security Privileges

Add privilege:

  • Manage All Application Profile Values (FND_APP_MANAGE_ALL_PROFILE_VALUES_PRIV)

Model affected:

  • 9361: Sensitive IT Security Privileges

The content library is continually reviewed by experts in relevant business areas to provide the most accurate and comprehensive SoD and sensitive access control definitions. Consider adopting these new and revised models based on your business requirements.

Steps to Enable

As a rule, when you import a model that uses entitlements, you import the entitlements automatically. But if an earlier version of an entitlement exists in your target environment, the content-import job cannot replace it with a newer version. So:

  • If an entitlement has been revised, but you have not yet imported any of the models that use it, you can import one of these models now. The import operation includes the new entitlement along with the model.
  • If an entitlement has been revised, and you imported a model that uses it during an earlier update, you also imported the earlier version of that entitlement. To use the new version, your only option is to edit your existing entitlement to incorporate its revisions.

Access Analysis Extended to EPM-ARCS Data Source

Access models and controls can now perform an optional analysis of access data from the EPM-ARCS data source, which serves the Oracle EPM Account Reconciliation application. Once you set up a connection to the EPM-ARCS data source, you'll see enhancements in these features:

  • You can import delivered-content models that evaluate access data from the EPM-ARCS data source. These models perform both separation-of-duties analysis across EPM-ARCS and Oracle Cloud (which is the default data source), and sensitive-access analysis within the EPM-ARCS data source. The Import from the Content Library page contains an EPM-ARCS library from which you can select these models for import.
  • The page to create a model continues to offer three Oracle Cloud business objects by default. Now, however, you can select three additional business objects that supply EPM-ARCS data. Each set enables you to build access-point, entitlement, and condition filters appropriate for its data source. A model can include business objects from one of the data sources, to detect access conflicts within that data source, or a model can use business objects from both data sources, to test for access conflicts that occur across the data sources.
  • A model-result or control-incident record continues to consist of information about the path through which a user has access to one of the access points involved in a conflict. The grid displaying these records now contains a Data Source column, which identifies the data source in which the access path exists.
  • Entitlements, global conditions, and user-defined access points are now specific to a data source. As you create any of these elements, you use a Data Source field to select a data source. Only access points from that data source are then available for use in the element you're creating. As you edit the element, you can't change its data source.
  • The Global Users grid now contains columns that indicate the number of data sources in which each user has business-application accounts, and identify the data sources. If the number is greater than one, the value in the column that identifies the data sources is "Multiple." In that case, you can open a Related Global Users page that displays a user's global-user and related-user records, and identifies the data source for each record.

You can now analyze users and their assigned roles for sensitive access and separation of duties within each of the Oracle Cloud and EPM-ARCS data sources, and across the two data sources.
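The following Python example is an illustration added here, not Oracle's code or data model. It shows how a cross-data-source separation-of-duties check of the kind described above behaves: entitlements are bound to one data source, accounts are linked through global users, and each result row carries its data source. All user, role, and access-point names are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data; every name below is hypothetical.
# Each entitlement belongs to exactly one data source.
ENTITLEMENTS = {
    "Enter Journals": ("Oracle Cloud", {"GL_JOURNAL_ENTRY"}),
    "Approve Reconciliations": ("EPM-ARCS", {"ARCS_RECON_APPROVER"}),
}
# A model pairs entitlements that one person should not hold together.
MODEL = [("Enter Journals", "Approve Reconciliations")]

# (data source, account, role, access point) rows, as synchronized access data.
ACCESS = [
    ("Oracle Cloud", "jdoe", "GL Accountant", "GL_JOURNAL_ENTRY"),
    ("EPM-ARCS", "john.doe", "Reconciliation Approver", "ARCS_RECON_APPROVER"),
    ("Oracle Cloud", "asmith", "GL Accountant", "GL_JOURNAL_ENTRY"),
    ("EPM-ARCS", "blee", "Reconciliation Approver", "ARCS_RECON_APPROVER"),
]
# Global-user mapping: links accounts in different data sources to one person.
GLOBAL_USERS = {
    ("Oracle Cloud", "jdoe"): "John Doe",
    ("EPM-ARCS", "john.doe"): "John Doe",
    ("Oracle Cloud", "asmith"): "Ann Smith",
    ("EPM-ARCS", "blee"): "Bo Lee",
}

def paths_by_user(entitlement):
    """Access paths per global user, limited to the entitlement's data source."""
    source, points = ENTITLEMENTS[entitlement]
    found = defaultdict(list)
    for src, account, role, point in ACCESS:
        if src == source and point in points:
            found[GLOBAL_USERS[(src, account)]].append((src, account, role, point))
    return found

def analyze(model):
    """Return one result row per access path involved in a conflict."""
    results = []
    for left, right in model:
        a, b = paths_by_user(left), paths_by_user(right)
        for user in sorted(a.keys() & b.keys()):
            for path in a[user] + b[user]:
                results.append((user, *path))  # path[0] is the Data Source column
    return results

def data_source_summary(user):
    """Mirror the Global Users grid: source count, then the name or 'Multiple'."""
    sources = sorted({src for (src, _), u in GLOBAL_USERS.items() if u == user})
    return len(sources), "Multiple" if len(sources) > 1 else sources[0]
```

Only John Doe is flagged, because the conflict exists only once his two accounts are related through the global-user mapping; Ann Smith and Bo Lee each hold one side of the pair.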

Steps to Enable

To make EPM-ARCS data available for analysis in Advanced Access Controls, you have to establish a connection to the data source:

  1. If you use customized roles, ensure that two new privileges are added to your version of the Advanced Controls Administrator duty role. (See Access Requirements, below.) If you use predefined roles, you don't need to make any changes.
  2. Establish a connection to the EPM-ARCS data source and synchronize data: Follow instructions in the guide titled Oracle Fusion Cloud Risk Management: Implementing Risk Management. Look for a topic titled "Set Up Data Sources."
  3. Import the model library for the EPM-ARCS data source. See a series of topics, beginning with "Import Models, Controls, or Conditions," in the guide titled Oracle Fusion Cloud Risk Management: Using Advanced Controls. (Of course, you can create your own models as well.)

Tips And Considerations

Here's how to resolve an error that may occur during the import of delivered-content models for EPM-ARCS.

All delivered-content models for EPM-ARCS use an entitlement that's imported the first time you import any of the models. The entitlement contains a list of sensitive EPM-ARCS roles. If any of these roles haven't been assigned to EPM-ARCS users, the import job fails. An error message identifies the unassigned roles, referring to them as access points that don't exist in the data available for model analysis. To fix this:

  1. Create a fictional EPM-ARCS user.
  2. Assign that user either the Viewer or User role, and all the application roles identified in the error message.
  3. Run the EPM-ARCS External Access Synchronization job (see Set Up Data Sources).
  4. Run the Global User Synchronization job (see Configure Global Users).
  5. Import the models again.

If you're creating an entitlement for the EPM-ARCS data source, you may find that some access points are unavailable for selection. That's because they represent application roles that aren't assigned to any EPM-ARCS users. To make these access points available:

  1. Create a fictional EPM-ARCS user.
  2. Assign that user either the Viewer or User role, and the application roles that are unavailable for selection.
  3. Run the EPM-ARCS External Access Synchronization job (see Set Up Data Sources).
  4. Run the Global User Synchronization job (see Configure Global Users).

Access Requirements

Configuring the target EPM-ARCS data source requires two new privileges. The new privileges are added to one predefined duty role. If you've customized your role, you need to add the new privileges to it. If you use predefined duty roles, you don't need to make any changes.

New Privileges:

  1. Manage Additional Advanced Control Data Sources (GTG_MANAGE_ADDITIONAL_RISK_MANAGEMENT_DATA_SOURCES)
  2. View Additional Advanced Control Data Sources (GTG_VIEW_ADDITIONAL_RISK_MANAGEMENT_DATA_SOURCES)

Updated Duty Role:

  • Advanced Controls Administrator Duty

Job Roles Inheriting Duty:

  • Risk Administrator
  • Advanced Access Controls Analyst
  • Advanced Transaction Controls Analyst

Larger Entitlement Names Now Allowed

When you create or edit an entitlement, you can now give it a name of up to 250 characters.

This allows customers who need a longer name to define their entitlements properly.

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Financial Controls

Changes Are Made to Business Objects

This release includes attribute additions as well as label and data-size changes, and removes one obsolete business object.

Obsolete Business Object

In this quarterly update, the Journal Entry Expanded business object has become obsolete. Specifically, any model or control (incident or data set type) using the obsolete object will be set to Inactive status and Invalid state. You can search on Inactive models and update them, changing their design to use the Journal Entry object instead. You can't update inactive controls; instead, you must redeploy them from revised models.

NOTE: The decommissioning of the Journal Entry Expanded object has been announced in our What's New documents since 22B. If you still use this object in your models or controls, refer to the IMPORTANT Actions and Considerations section in this What's New for additional information.

New Business Object Attributes

The following business objects have been updated with new attributes.

Business Object New Attribute

Audit - Absence Entries

  • Uom

Audit - General Payables Options

  • Account Derivation Method Old
  • Account Derivation Method New

Audit - Item

  • CreatedFromItemId Old
  • CreatedFromItemId New
  • CreatedFromRevisionId Old
  • CreatedFromRevisionId New

Audit - Key Flexfield

  • FlexfieldIdentifier Old
  • FlexfieldIdentifier New

Requisition

  • Line: Assessable Value
  • Line: Status

Roles

  • Effective Start Date
  • Effective End Date

Attribute Name Changes

Business object attributes correspond to various business areas. To align the attribute labels shown in the Advanced Financial Controls business objects with the labels defined in the corresponding application pages, some labels have been updated.

Business Object: Old Attribute Name -> New Attribute Name

  • Audit - Item: Default Repair Transaction Code Old -> Default Repair Transaction Code Name New
  • Audit - Item: Default Repair Transaction Code New -> Default Repair Transaction Code Name Old
  • General Ledger Accounts: Account -> Code Combination ID
  • General Ledger Accounts: Chart of Accounts -> Chart of Accounts ID

Attribute Data Size Changes

Each business object attribute supports a fixed character length. The following attributes had their character length increased to 400 in the Audit - Person Allocated Checklist Tasks object:

  • Document to Be Signed Old
  • Document to Be Signed New
  • Email Old
  • Email New

NOTE: If you use these attributes in your control results, your incidents may be impacted. The change may cause some to be closed and recreated for those attribute values previously truncated due to character length. Delivered library content models do not use this business object.

Updates to business objects provide additional attribute criteria for your controls, and the audit business objects are updated to stay aligned with the Manage Audit Policies data source.

Steps to Enable

When you use business objects that introduce new attributes, you must run the Transaction Data Source Synchronization job. Business objects with attribute changes require that the data synchronization job be run in order to return the related values. Depending upon the number of business objects you are using across models and controls, the data synchronization job may take a little longer than usual.

Tips And Considerations

For renamed attributes, you don't need to do anything to models or controls that reference these names. Just be aware they have changed.