
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Oracle GRC Controls Suite Fundamentals Ver. 8.6/7.3.3/5.5.1
Student Guide
D74761GC10
Edition 1.0 | September 2015 | D92592

Learn more from Oracle University at oracle.com/education/


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Author
Ashwin Sadanandan

Technical Contributors and Reviewers
Bruce Ingram
Barry Greenhut

Publishers
Jobi Varghese
Giri Venugopal

Disclaimer

This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for your
own use in an Oracle training course. The document may not be modified or altered
in any way. Except where your use constitutes "fair use" under copyright law, you
may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you
find any problems in the document, please report them in writing to: Oracle University,
500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice is
applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or
disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.

Contents

1 Introduction to the Oracle Governance, Risk Compliance Controls Suite
Objectives 1-2
About Governance, Risk and Compliance Controls 1-4
Oracle Solutions for GRC 1-5
GRC Architecture 1-6
GRC Components 1-8
GRC Suite: Example 1-9
Continuous Controls Monitoring Overview 1-10
Access to GRC Applications 1-12
CCM module (Access and Transaction Governor) - Common Features 1-13
New Features in CCM Module 1-14
Applications Access Controls Governor 1-15
Enterprise Transaction Controls Governor 1-16
Configuration Controls Governor 1-17
Preventive Controls Governor 1-19
Preventative Controls Governor 1-20
Summary 1-21
Quiz 1-22

2 Continuous Controls Monitoring Application
Objectives 2-2
Navigation 2-3
Viewing the Home Page 2-4
GRC Controls Navigation 2-5
Continuous Control Monitoring Workflow 2-6
Continuous Controls Management 2-7
Results Management 2-9
GRC Security 2-10
Defining Roles 2-11
Roles Examples 2-12
User and Role Administration 2-13
User and Role Hierarchy 2-14
Manage User Security 2-15
Creating and Managing Job Roles 2-16
Data Role Composition 2-17
Duty Role Composition 2-18
CCM Users Management 2-19
Creating Users 2-20
User Preference 2-21
Define Perspectives 2-22
Perspective Hierarchies 2-23
Perspective Management 2-25
Perspectives and Data Level Security 2-26
Perspectives - Data Level Security 2-27
Manage Incidents with Perspectives 2-28
Jobs Administration 2-29
Scheduling Administration 2-30
GRC Application Configuration 2-31
DataSource Administration 2-32
Application Libraries 2-33
Data Migration 2-34
GRC and Language 2-35
Welcome Page Components 2-36
Administration Creating Views 2-38
Sorting and Using 'View' Option for Filtering 2-39
Summary 2-40
Quiz 2-41

3 Applications Access Controls Governor Overview
Objectives 3-2
AACG Overview 3-3
Access Control Life Cycle 3-4
Access Points 3-5
Entitlements 3-6
Segregation-of-duties Conflicts 3-7
Environment Setup and AACG Implementation 3-8
Multi-Platform and Cross-Platform Support 3-9
Implementation Approach Overview 3-10
Implementation Approach Flow 3-11
AACG Setup Flow 3-12
Quiz 3-17
Summary 3-20

4 AACG Configuration Planning and Installation
Objectives 4-2
Application Configuration 4-3
Configuration Planning 4-4
Defining Data Sources 4-5
Manage Application Data 4-6
Run Synchronization 4-7
Notifications 4-8
Defining Notification Schedules 4-9
Notification Configuration 4-10
Turning Off a Notification Schedule 4-11
Parallel Processing 4-12
Quiz 4-13
Summary 4-15

5 AACG Models and Control Planning and Setup
Objectives 5-2
Planning Overview 5-3
Models & Controls Overview 5-4
Models & Controls Workflow 5-5
Creating/Importing Access Models 5-6
Access Points 5-7
E Business Suite Access & SOD Challenges 5-8
PeopleSoft Authorization Model 5-9
Fusion Authorization Model 5-10
Manage Entitlements 5-12
Access Model Example 5-13
Access Model Creation 5-14
Model Analysis Flow 5-16
View Model Results 5-17
Visualization 5-18
Initial Remediation 5-19
Define Conditions 5-20
Access Global Conditions 5-22
Recommended Global Condition 5-23
Access Path Condition 5-25
Before Deploying a Control 5-26
Continuous Access Controls 5-27
Assign Priorities 5-28
Assign Enforcement Type 5-29
Assign Perspectives 5-30
Quiz 5-31
Summary 5-33

6 Remediation
Objectives 6-2
Remediation 6-3
Application Access Controls Governor Remediation Steps 6-4
Remediation Steps 6-5
Remediation Checklist 6-6
Run Analysis 6-7
Focus on Areas with the Highest Risk, Priority, and Volume 6-8
Intra-Role Incidents 6-9
Intra-Role Example 6-11
Inter-Role Incidents 6-12
On-Line Views to Analyze Incidents 6-14
Visualization 6-16
Reports and Extracts to Analyze Incidents 6-17
Assign Incidents to Business Owners 6-19
Incident States 6-20
Simulation 6-22
Simulation Goals 6-23
Simulation Steps 6-24
Utilize Corporate Change-Tracking Process 6-26
Remediation Plan 6-27
Changes to Business System 6-28
Re-evaluate 6-29
Quiz 6-30
Summary 6-33

7 Manage Access Approvals
Objectives 7-2
Manage Access Approvals 7-3
Enforcement 7-4
Enforcement Types 7-6
Conflict Management 7-7
Order of Priority 7-11
Manage Notification Configuration 7-12
Notifications 7-13
Responding To Notifications 7-14
Email Notification 7-15
Manage Access Approval 7-16
Administer Access Approvals History 7-18
Quiz 7-20
Summary 7-23

8 AACG Reporting
Objectives 8-2
Reporting Overview 8-3
Contextual Reporting for Control Summary 8-4
Contextual Reporting for Incident Results 8-5
CCM Control Management Reports 8-6
CCM Result Management Reports 8-7
Reporting File Types 8-9
Manage Report Parameters 8-10
Reporting Scheduling 8-12
Report Generation 8-14
Report from Manage Controls Panel 8-15
Report Generation Manage Incidents Panel 8-16
Report Management Menu 8-17
Using the Report Management Menu 8-18
Summary 8-19

9 Enterprise Transaction Controls Governor Overview
Objectives 9-2
GRC Platform and ETCG Differentiators 9-3
About Transaction Governor 9-4
ETCG Setup Flowchart 9-6
ETCG Terminology 9-7
Create Filters and Use Business Objects 9-8
Processes by Functional Area 9-9
Quiz 9-10
Summary 9-13

10 ETCG Configuration Planning and Installation
Objectives 10-2
Configuration Planning 10-3
Defining Data Sources 10-4
Run Synchronization 10-5
Synchronizing Data 10-6
Manage Jobs 10-8
Administration Management 10-9
Application Configuration Properties Tab 10-10
Application Configuration Patterns Tab 10-11
Business Object Administration 10-12
Example: Business Object Administration 10-13
Summary 10-14

11 ETCG Manage Models
Objectives 11-2
ETCG Modelling 11-3
Identify Models 11-4
Setup of Models 11-5
Create Models 11-6
Business Objects 11-7
Datasources 11-8
Model Logic 11-9
Manage Model Page 11-10
Manage Models Menu 11-11
My Models Pane 11-12
Example: Manage Model 11-13
Manage Import and Export 11-14
Export Model 11-15
Import Model Select File 11-16
Import Model Select Model 11-17
Import Model Map Data Source 11-18
Import Model Import Statistics & Log 11-19
Manage Shared Models 11-20
Data Access and Security 11-21
Quiz 11-22
Summary 11-26

12 ETCG Create and Edit Models
Objectives 12-2
Modeling 12-3
Adding Custom Objects to the Business Objects Library 12-4
Upload a Custom Object 12-5
Create Model Library Grid 12-6
Create Model Regions 12-7
Model Objects Region 12-8
Select Data Sources 12-9
Manipulate Objects in the Model Objects Pane 12-10
Custom Attribute 12-11
Model Logic Region 12-12
Filters, Functions, and Patterns 12-13
Defined Filter Options 12-14
Example: Defined Filter Options 12-15
Create a Function 12-16
Create a Pattern 12-17
Model Type: Pattern Filters 12-18
Define Model Results 12-19
Save the Model 12-20
View Results 12-21
View Results Page 12-22
Example: View Results - Output 12-23
Example: Results Exported to xls 12-24
Use a Model to Create a New Model 12-25
Summary 12-26

13 ETCG Create and Manage Transaction Controls
Objectives 13-2
Create Transaction Controls 13-3
Transaction Controls Components 13-4
Run Control Analysis 13-6
Remediation 13-7
Manage Result Incidents Flow 13-8
Incident Status and States 13-9
Focus on Areas with Highest Risk, Priority, and Volume 13-10
Reports and Extracts to Analyze Violations 13-11
Mass-Editing Incidents 13-12
Viewing and Editing Individual Incidents 13-13
Assigning Incidents 13-14
Assigning Relationships 13-15
Contextual Reporting for Incident Results 13-16
Viewing Change History 13-17
Summary 13-18

14 Configuration Controls Governor Overview
Objectives 14-2
Oracle Applications Setup Overview 14-3
Why Monitor Your Oracle Applications Set-ups? 14-5
Why Oracle Application Set-ups Change 14-6
CCG Functionality 14-7
Snapshots and Comparisons 14-8
Change Tracking 14-9
Change Tracking Report 14-10
Set-up Screen Example: AP Payment Terms 14-11
Terminology: Unique Identifiers and Primary Keys 14-12
CCG Definitions Example Screenshot 14-13
Snapshot HTML Report Example 14-14
Comparison Results Summary Example 14-15
Comparison Report Example (HTML) 14-16
Change Tracker Screenshot Example 14-17
Change Tracking Example 14-18
Repository Overview 14-19
Main Menu Choices 14-20
CCG Roles 14-21
View Current Jobs Example 14-22
The Monitor and Log Buttons 14-23
Metadata 14-24
Architecture Snapshots and Comparisons 14-25
Architecture Change Tracking 14-26
Summary 14-27

15 CCG Snapshots and Comparisons
Objectives 15-2
Create Snapshot Definitions 15-3
Generate Snapshot Occurrences on Demand 15-4
Create and Read Snapshot Occurrence Reports 15-5
Create and Read Same Record Comparisons 15-6
Summary 15-8

16 CCG Change Tracking
Objectives 16-2
Create and Read Change Tracking Reports 16-3
Create Change Tracking Definitions 16-4
Tracking the Tracker: The Change Tracking Status Reports 16-6
Transfer Change Tracking Data 16-7
Define Change Tracking Queries and Alerts 16-8
Using the Change Tracking Data Repository: Designating Change Tracking Alert Recipients 16-9
Summary 16-10

17 CCG Additional Activities
Objectives 17-2
Lock Snapshot Definitions 17-3
Schedule Snapshots for Future Executions 17-4
Manage Baseline Snapshot Definitions 17-5
Perform a Forced Comparison 17-6
Create Templates 17-7
Purge Snapshot Definitions and/or Occurrences 17-8
Purge Change Tracking Data 17-9
Define Security Groups and Users 17-10
Configure Additional ERP Instances 17-11
Summary 17-12

18 Preventive Controls Governor Overview
Objectives 18-2
Preventive Controls Governor Overview 18-3
User Interface 18-4
Summary 18-5

19 PCG Form Rules
Objectives 19-2
Overview 19-3
Event Tracker 19-4
Set Security with Event Tracker 19-5
Form Rules 19-7
Setting Security 19-8
Security Attributes 19-9
Creating Messages 19-10
Default Value Rule 19-11
List of Values Rule 19-12
Navigation Tab 19-13
Field Attributes Tab 19-14
Oracle Flow Tab 19-15
Summary 19-16

20 PCG Flow Rules
Objectives 20-2
Overview 20-3
Process Rules 20-4
Trigger-Based and Periodic Process Rules 20-5
Constraint Process Flow 20-6
Approval and Notification Process Flows 20-7
Concurrent Request Process Flow 20-8
SQL Process Flow 20-9
Condition Process Flow 20-10
Summary 20-11

21 PCG Audit Rules
Objectives 21-2
Audit Rules Overview 21-3
Creating Audit Groups 21-4
Defining Audit Columns and Translation Data 21-5
Activating an Audit 21-6
Reporting 21-7
The Online Audit Form 21-8
Audit Migration 21-9
Summary 21-10

22 PCG Change Control Rules
Objectives 22-2
Overview 22-3
Change Control Rules 22-4
Approval Change Control Rule 22-5
Create Change Control Rules Manually 22-6
Load Optional Change Control Rules Content 22-8
The Process 22-9
Summary 22-11

Introduction to the Oracle Governance, Risk Compliance Controls Suite

Objectives

After completing this lesson, you should be able to:


- Understand Oracle GRC Solutions
- GRC Controls Architecture and Oracle GRC Products
- Introduction of Continuous Controls Monitoring
- Overview of:
  - Application Access Controls Governor (AACG)
  - Enterprise Transaction Controls Governor (ETCG)
  - Preventive Controls Governor (PCG)
  - Configuration Controls Governor (CCG)

Abbreviations

AACG: Application Access Controls Governor
ETCG: Enterprise Transaction Controls Governor
PCG: Preventive Controls Governor
CCG: Configuration Controls Governor
CCM: Continuous Controls Monitoring. The Continuous Control Monitoring (CCM) module
in the Governance, Risk and Compliance platform regulates activity in business
applications for access and transaction controls (AACG and ETCG).
GRC: Oracle Enterprise Governance, Risk and Compliance regulates activity in
business applications. GRC runs as a Continuous Control Monitoring (CCM) module in
the Governance, Risk and Compliance platform, and it consists of two components,
each of which implements "models" and "continuous controls" that define risks a
company may face.
EGRCM: Oracle Enterprise Governance, Risk and Compliance Manager (EGRCM)
forms a documentary record of a company's strategy for addressing risk and complying
with regulatory requirements. EGRCM consists of modules running within a
Governance, Risk and Compliance platform. It includes a Financial Governance module
by default, and users may employ a standard template to create other modules that
address other areas of the company's business.
Note: There is a separate class for the GRCM module. We do not cover EGRCM in this
course.

About Governance, Risk and Compliance Controls

GRC is the first software solution to not only monitor system
activity in real-time, providing notification, workflow, and an
automated remediation framework, but also to embed
governance policies and processes directly into the Oracle
E-Business Suite, PeopleSoft, Fusion, other Oracle business
applications, and non-Oracle business applications.

GRC is the only solution that manages business processes for greater efficiency, controls
user access to reduce risk, and tracks data changes to increase financial integrity. With
Application Governance, Risk and Compliance Controls, you can build a better business and
get compliance as a by-product, and identify transactions that pose unacceptable risk to a
company.
This continuous monitoring of controls helps organizations identify risks at the earliest
occurrence and take proactive action accordingly.


Oracle Solutions for GRC

Oracle's Governance, Risk and Compliance (GRC) Solution

Oracle GRC Solutions allow you to consolidate multiple requirements and address them,
automate risk and compliance activities, and embed preventive controls in the context of
business operations.
1. Oracle helps you to manage multiple GRC requirements. The core controls and content
management capabilities allow you to align multiple requirements with the same
superset of controls. This cuts down on duplication of documents and duplication of effort,
and provides the basis for a comprehensive view into GRC initiatives and how well
these are performing.
2. Oracle GRC Solutions help you to automate critical GRC tasks. Oracle automates
critical cross-industry GRC processes like the documentation and communication of
your policies and procedures; the assessments of your risks and controls; the
remediation of control violations; as well as the certification process across the multiple
levels of your organization.


GRC Architecture

[Diagram: GRC Controls Suite, showing GRC Intelligence; Continuous Controls Monitoring
(Applications Access Controls Governor, Enterprise Transaction Controls Governor);
Configuration Controls Governor (CCG); the EGRC Platform; and the Oracle E-Business Suite
Instance with Preventive Controls Governor (PCG).]

GRC is comprised of the following Governors:

Continuous Controls Monitoring regulates activity in business applications. The Continuous
Control Monitoring (CCM) module in the Governance, Risk and Compliance platform (EGRC)
consists of two components:
- Application Access Controls Governor (AACG): Regulates access to duties
assigned in business-management applications. It implements access policies, which
identify duties that are considered to conflict with one another because, in combination,
they would enable individual users to complete transactions that may expose a
company to risk.
- Enterprise Transaction Controls Governor (ETCG): Defines models, each of which
specifies circumstances under which individual transactions would pose an
unacceptable risk to a company.

GRC Intelligence (GRCI): Provides dashboards and reports
that present summary and detailed views of data generated in EGRCM and EGRC.

Preventive Controls Governor (PCG): Enforces GRC in real-time to prevent
unauthorized actions or business transactions. Examples include limiting access,
enforcing change management and creating an audit log on sensitive business functions
related to social security numbers, salary information and significant revenue accounts.

Configuration Controls Governor (CCG): Compares, and conducts impact analysis on,
policies for critical application configuration or setups across one or more instances, and
maintains a full audit trail of changes.

Note: In the GRC 8.6.4.3000 release, the AACG and ETCG applications are part of the
Continuous Controls Monitoring module of the application.
Customers who install the GRC 8.6.4.3000 release get the EGRC and EGRCM platforms.
The EGRC platform has two applications (CCM module: AACG and ETCG), which are accessible
as the Continuous Control Module in the front-end application.


GRC Components

Access Controls
- Analyze and remediate conflicts of interest or improper access for a given user or role
- Perform what-if analysis on proposed changes to access rights

Configuration Controls
- Continuously monitor critical configuration settings and operational data
- Detect and interpret variances from policies and best practices

Transaction Controls
- Identify and define models that specify the circumstances under which individual
transactions pose unacceptable risk to a company

Preventive Controls
- Prevent losses and violations by regulating critical activity
- Provide compensating controls for Access, Configuration, Transaction

GRC:
- Documents and enforces business controls
- Enables users to demonstrate regulatory compliance
- Promotes operational efficiency
- Allows you to create controls (and supporting elements) one at a time, or upload a
selection of pre-packaged controls and adapt them as needed

An essential aspect of creating controls in GRC is to describe and catalog them, enabling a
company not only to manage its controls effectively, but also to demonstrate compliance with
requirements imposed by regulations such as the Sarbanes-Oxley Act.


GRC Suite: Example

| Product | Example | Output |
| CCM - Application Access Controls | A user who can create a supplier cannot pay the supplier | Detects all the users and the responsibilities that have these two privileges |
| CCM - Transaction Controls | Check any responsibility from Step1 for users who have created a supplier and approved a payment | Detects suspects that point to some kind of fraudulent activity |
| Preventive Control Governor | A user who can create a supplier can pay other suppliers but not the same one he created | Since this is preventive, this will prevent any fraud occurring in the application |
| Configuration Control Governor | Check if someone has changed the billing address of a supplier | Detects all kinds of setup changes in a transaction |


Continuous Controls Monitoring Overview

Continuous Controls Monitoring (CCM) includes both the Access and Transaction
Controls Governors in the same platform.

[Diagram: GRC 8.6.4.3000. Governance, Risk and Compliance Intelligence; Financial
Governance (EGRCM) on the GRCM Platform; Continuous Controls Monitoring (CCM), comprising
Applications Access Controls Governor (AACG) and Enterprise Transaction Controls Governor
(ETCG), on the GRC Platform.]

An Oracle Governance, Risk and Compliance (GRC 8.6.4.3000) platform hosts two products:
Continuous Controls Monitoring, Oracle Enterprise Governance, Risk and Compliance
Manager (EGRCM) and GRC Intelligence (GRCI).
In this release the GRCM and GRC products that existed individually are merged into a single
GRC platform.
Continuous Controls Monitoring, in turn, consists of two subsidiary products, Application
Access Controls Governor (AACG) and Enterprise Transaction Controls Governor (ETCG).
Fusion GRC Intelligence (GRCI) provides dashboards and reports that present summary and
detailed views of data generated in EGRCM and EGRC.
Continuous Controls Monitoring regulates activity in business applications. It runs as the
Continuous Control Monitoring (CCM) module in the Governance, Risk and Compliance platform,
and it consists of two components, each of which implements "models" and "continuous
controls" that define risks a company may face:
- Oracle Application Access Controls Governor (AACG) enforces segregation of duties in
Oracle E-Business Suite, PeopleSoft, and (if a "connector" is installed) Oracle Fusion.
Each model or control defines conflicts among duties that can be assigned in a
company's applications, and identifies users who have conflicting access to those
duties. AACG can either discover conflicts that existed before controls were written to
protect against them ("detective" analysis), or intervene when a user is assigned duties
after controls have been written to define them as conflicting ("preventive" analysis).
- Oracle Enterprise Transaction Controls Governor (ETCG) evaluates transaction risk in
Oracle E-Business Suite and PeopleSoft. Each model or control specifies circumstances
under which individual transactions display evidence of error, fraud, or other risk. ETCG
implements only detective analysis, uncovering suspect transactions that have been
completed before a control is run.



Access to GRC Applications

[Diagram: GRC Controls Applications. Continuous Controls Monitoring (Applications Access
Controls Governor, Enterprise Transaction Controls Governor), E-Business Suite (Preventive
Controls), and Configuration Controls.]

Access to the GRC Control Suite Components

The GRC Control Suite Components are accessed differently:
- Access Controls and Transaction Controls are web-based applications. You will access
CCM modules (GRC 8.6.4.3000 release) through your web browser.
- Preventive Controls Governor (PCG) is accessed via Oracle E-Business Suite, using the
GRC responsibility.
- Configuration Controls is also a web-based application, which you will access from your
web browser. This will be via a different URL than the EGRC Platform.


CCM module (Access and Transaction Governor) - Common Features

AACG and ETCG have distinct feature sets, and they share
functionality provided by the CCM module.

These features include tools to:
- Connect AACG/ETCG to Oracle, PeopleSoft, and other
business-management-application data sources
- Schedule and synchronize data gathered from those applications
- Create CCM users, roles and perspectives
- Connect with your email server to send notifications to CCM users
- Manage Reports

AACG and ETCG connect to Oracle E-Business Suite, PeopleSoft, and (if a "connector" is
installed) Oracle Fusion.
A model returns "temporary" results: a snapshot of risk that is replaced each time the model
is evaluated. A control returns "permanent" results: records of violations that remain
available to be resolved no matter how often the control is run.
A user creates a model, and may then convert the model into a control; users cannot create
controls directly. Although the creation of a model is a preliminary step in the creation of a
control, models may be created to run on their own, so that users such as auditors can assess
the risk inherent in a system at a given moment.
Records of control violations are known as "incidents," and each control names one or more
GRC users as "result investigators" who are responsible for resolving incidents.
Users may create perspectives, each of which is a set of hierarchically arranged values. Each
represents a context in which models, continuous controls, and incidents exist. Users can
relate individual perspective values to individual models, controls, or incidents, thus
cataloging them by organization, region, or any other concept the company finds meaningful.
Perspective values also play a part in GRC security. In particular, perspective values
associated with controls or incidents determine which users are eligible to be result
investigators: those assigned data roles with matching perspective values.

New Features in CCM Module

Continuous Control Monitoring, or CCM, applies to all
the functionality offered by earlier EGRC product.

Perspectives (formerly Tags)
GRC Security - Three Role Types
Result Investigators (formerly participants)
Workflow Routing - Worklists and Notifications
Revised robust Search and Saved Search (formerly Manage Saved Views)
Robust saved report parameters

CCM Features
Perspectives - Hierarchies of the perspective values. Users can associate individual
perspective values or the perspective values defined in the hierarchy with individual objects
(such as models and controls), thus cataloging objects by organization, region, or any other
concept a company determines to be meaningful. Perspectives are more powerful: First, they
are hierarchical (values have parent/child relationships to one another). Second,
perspectives do more than serve as filtering values in the pages in which users manage
objects. They also play an important role in GRC security, and in the assignment of incidents
generated by controls to result investigators (formerly participants).
Redesigned security, in which job roles, consisting of duty roles and data roles, provide a
much more granular means of safeguarding access to GRC functionality and data.
The use of worklists and notifications to alert users to tasks awaiting their attention. This
involves modification of the system for email notification that was used in earlier EGRC
versions.
Revised search and saved search functionality, which replaces the views that existed in
earlier EGRC versions.

Application Access Controls Governor

Application Access Controls Governor regulates access to
duties assigned in business-management applications.

AACG simplifies segregation of duties enforcement with simulation and remediation
The CCM platform consists of Models & Controls that work across heterogeneous platforms to detect and prevent undesired user access.
Accelerate deployment and time to value with pre-delivered controls library

[Figure: AACG process flow under the headings Detection and Prevention: Define Access Controls, Access Analysis, Remediation (Clean-up), Preventive Provisioning, Compensating Policies]

AACG Overview
Oracle Application Access Controls Governor (AACG) enforces segregation of duties in
Oracle E-Business Suite, PeopleSoft, and (if a "connector" is installed) Oracle Fusion. Each
model or control defines conflicts among duties that can be assigned in a company's
applications, and identifies users who have conflicting access to those duties. AACG can
either discover conflicts that existed before controls were written to protect against them
("detective" analysis), or intervene when a user is assigned duties after controls have been
written to define them as conflicting ("preventive" analysis).
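
The difference these notes draw between a model's temporary results, a control's permanent incidents, and detective versus preventive analysis can be sketched in Python. This is an added example, not code from Oracle or from this guide; the users, duty names, rule names and the "open"/"resolved" statuses are constructed for illustration.

```python
"""Toy segregation-of-duties (SoD) engine. Added illustration, not Oracle's code."""
from dataclasses import dataclass

# Constructed sample data: users and duty names are hypothetical.
ASSIGNMENTS = {
    "alice": {"Create Supplier", "Enter Invoice"},
    "bob": {"Enter Invoice", "Approve Payment"},
    "carol": {"Create Supplier", "Enter Invoice", "Approve Payment"},
}


@dataclass(frozen=True)
class ConflictRule:
    """Two duties that one user must not hold together."""
    name: str
    duty_a: str
    duty_b: str

    def violated_by(self, duties):
        return self.duty_a in duties and self.duty_b in duties


RULES = (
    ConflictRule("Supplier vs Payment", "Create Supplier", "Approve Payment"),
    ConflictRule("Invoice vs Payment", "Enter Invoice", "Approve Payment"),
)


def find_conflicts(rules, assignments):
    """Detective analysis: list (user, rule name) for conflicts that already exist."""
    return sorted(
        (user, rule.name)
        for user, duties in assignments.items()
        for rule in rules
        if rule.violated_by(duties)
    )


class Model:
    """Returns temporary results: every run replaces the previous snapshot."""

    def __init__(self, rules):
        self.rules = tuple(rules)
        self.results = []

    def run(self, assignments):
        self.results = find_conflicts(self.rules, assignments)
        return self.results

    def to_control(self, investigators):
        """Controls are not created directly; they are converted from a model."""
        return Control(self.rules, investigators)


class Control:
    """Returns permanent results: incidents stay on record until resolved."""

    def __init__(self, rules, investigators):
        if not investigators:
            raise ValueError("a control names one or more result investigators")
        self.rules = tuple(rules)
        self.investigators = tuple(investigators)
        self.incidents = {}  # (user, rule name) -> status; statuses are hypothetical

    def run(self, assignments):
        """Record newly found violations; never drop earlier incidents."""
        new = [key for key in find_conflicts(self.rules, assignments)
               if key not in self.incidents]
        for key in new:
            self.incidents[key] = "open"
        return new

    def resolve(self, key):
        self.incidents[key] = "resolved"

    def open_incidents(self):
        return sorted(k for k, status in self.incidents.items() if status == "open")


def preventive_check(rules, assignments, user, new_duty):
    """Preventive analysis: rules a proposed duty assignment would newly violate."""
    current = assignments.get(user, set())
    proposed = current | {new_duty}
    return [rule.name for rule in rules
            if rule.violated_by(proposed) and not rule.violated_by(current)]
```

Re-running the model after a duty is removed drops that user from its snapshot, while the control keeps the earlier incident until an investigator resolves it.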

Enterprise Transaction Controls Governor

Identify setup changes that violate financial or regulatory policy
Create & Manage Transaction Models & Controls that specify circumstances under which individual transactions pose unacceptable RISK to a company.
Pattern Based Detection - Assist control definition and detection of fraud based on patterns or complex algorithmic rules. For example, Benford, Mean, etc.

[Figure: ETCG process flow under the headings Detection and Prevention: Define Transaction Controls, Perform Transaction Analysis, Review and Address Transaction Suspects, Preventive Transaction Controls]

Oracle Enterprise Transaction Controls Governor (ETCG) evaluates transaction risk in
Oracle E-Business Suite and PeopleSoft.
Oracle Enterprise Transaction Controls Governor creates and manages Transaction Models &
Controls that enable users to define models, each of which specifies circumstances under
which individual transactions pose unacceptable RISK to a company.
Once models are designed for a risk definition or criteria, controls are created from these
models to generate the expected incidents, and the incidents are monitored to manage the risk
levels for the business application.
Pattern Based Detection - Assist control definition and detection of fraud based on patterns or
complex algorithmic rules. For example, Benford, Mean, etc.
Oracle Enterprise Transaction Controls Governor (ETCG) evaluates transaction risk in Oracle
E-Business Suite and PeopleSoft and other business applications. Each model or control
specifies circumstances under which individual transactions display evidence of error, fraud,
or other risk. ETCG implements detective analysis, uncovering suspect transactions that have
been completed before a control is run.

Configuration Controls Governor

Controls setup changes that can have significant financial or regulatory impact
Identify setup changes that violate financial or regulatory policy
Accelerate documentation and analysis of setup values

[Figure: CCG process flow under the headings Detection and Prevention: Define Configuration Controls, Document or Compare Configurations, Monitor Configuration Changes, Enforce Change Control, Manage Data Integrity]

CCG Overview
Configuration Controls Governor (CCG) monitors setup data in Oracle E-Business Suite and
PeopleSoft Enterprise. It takes snapshots that document application set-ups; compares
snapshots with one another, to show how application setups differ; and employs change
tracking to monitor changes in setups.
Change Tracking
Alert users whenever changes occur
Dashboard summarizes changes in all environments
Drill down to see details of all changes
Export change details to CSV (Excel) and PDF
Snapshots & Comparisons
Document all setup values seen in the original applications
Compare two environments' values (e.g., Production vs. a best-practice baseline), or
snapshots from two points in time
Export all details to CSV (Excel) and PDF



Configuration Controls Governor


Preventive Controls Governor

Enforce preventive controls for specific users and events.
Mitigate risk of application changes
Protect sensitive application data
Reduce audit costs, reduce maintenance costs, increase IT productivity

[Figure: PCG process flow under the heading Prevention: Define Preventive Controls, Prevent Read or Write Access, Initiate Approval Workflow, Enforce Field Validation, Review Audit Reports]

Preventive Control Governor manages the Form Rules, Flow Rules, Audit Rules and Change
Control Rules in the EBS application.

Preventive Controls Governor

[Figure: PCG user interface, labeled "EBS Environment (PCG)"]

PCG User Interface
All PCG activities are performed in the EBS environments, including reporting.

Summary

In this lesson, you should have learned:
Oracle GRC Solutions
GRC Controls Architecture and Products
Continuous Controls Monitoring Overview (AACG & ETCG)
Preventive Controls Governor Overview
Configuration Controls Governor Overview

Quiz

Question: Preventive Control Governance resides on Oracle EBS ERP only?
a. True
b. False

Answer: a

Quiz

Question: Access Governor manages risks related to Segregation of Duties?
a. True
b. False

Answer: a

Quiz

Question: Which GRC applications are part of Continuous Controls Monitoring?
a. Access Control Governor
b. Transaction Control Governor
c. Preventive Control Governor
d. Continuous Control Governor

Answer: a,b

Quiz

Question: Which GRC Intelligence reports on
a. Access Control Governor
b. Transaction Control Governor
c. Preventive Control Governor
d. Continuous Control Governor

Answer: a,b


Continuous Controls Monitoring

Objectives

After completing this lesson, you should be able to:
Understand Application Navigation
Understand Continuous Controls Monitoring features
Users and Roles Administration
Perspectives
Manage Administration of Controls, Incidents, Jobs & Reports
Manage Application Data, Configuration, Notifications & Approvals.

Application Navigation

To start the GRC application:
1. Open a web browser.
2. In the Address field, type the URL for your instance of Governance, Risk and Compliance Controls, and press the Enter key.
3. A Login dialog box appears. Type your user name and password in the appropriate fields, and click on the Login button.

Viewing the Home Page

The left column in the user interface is a Navigation panel. To
its right, a frame initially displays a Home page (shown below),
but then presents items you select in the Navigation panel.

Click on a Navigator link near the upper left of any GRC page to display lists of links to
features you can use. The lists are organized by module, and the links you see depend on the
rights granted to you by your roles.

GRC Controls Navigation

Top level nodes in the Navigation Home panel for EGRC Controls include:
Continuous Monitoring
  Continuous Control Management
  Results Management
Tools
  Report Management
  Perspective Management
  Setup & Administration

Click on a Navigator link near the upper left of any GRC page to display lists of links to
features you can use. The lists are organized by module, and the links you see depend on the
rights granted to you by your roles.
The list for the Continuous Control Monitoring module includes two links: Continuous Control
Management enables you to create GRC models, controls, and their components; run them;
and review model results. From Result Management, you can resolve the incidents generated
by controls.
EGRCM provides a Financial Governance module to manage Process, Risk, Controls and
Issues.
A Tools list provides access to features that apply across modules. Its perspective
management, reports and administrative features apply to CCM.

Continuous Control Monitoring Workflow

Governance, Risk and Compliance Controls (GRC) provides
Continuous Controls Monitoring (CCM) in GRC version 8.6.4,
which models and runs controls for both Access & Transactions.

[Figure: CCM workflow, with the labels Models, Controls, Design & Update, Continuous Monitoring, Periodic Testing, Ad hoc results, Scheduling, Investigators, Perspective Values, Status, User Assignments, Reporting]

Oracle Enterprise Governance, Risk and Compliance Controls (GRC) regulates activity in
business applications. GRC runs as a Continuous Control Monitoring (CCM) module in the
Governance, Risk and Compliance platform, and it consists of two components, each of which
implements "models" and "continuous controls" that define risks a company may face:
Oracle Application Access Controls Governor (AACG): Each model or control defines
conflicts among duties that can be assigned in a company's applications, and identifies
users who have conflicting access to those duties. AACG can either discover conflicts
that existed before controls were written to protect against them ("detective" analysis), or
intervene when a user is assigned duties after controls have been written to define them
as conflicting ("preventive" analysis).
Oracle Transaction Controls Governor (ETCG) evaluates transaction risk in Oracle
E-Business Suite and PeopleSoft. Each model or control specifies circumstances under
which individual transactions display evidence of error, fraud, or other risk. ETCG
implements only detective analysis, uncovering suspect transactions that have been
completed before a control is run.

Continuous Controls Management

Continuous Controls Management includes:
Controls
  Mass-Edit Controls
  View and Edit Individual Controls
  Run Controls
  Import and Export Controls
Access Models
  Create and Edit Models
  Run Models
  Import and Export

Controls Management: Controls are created and run to generate incidents.
Access Management: Access models are created and managed using the Create Access
Models and Manage Access Models links.

Continuous Controls Management

Tasks in Continuous Controls Management are:
Transaction Models
  Create and Edit Models
  Run Models
  Import and Export Models
  View or Export Model Results
Control Administration
  Create and Edit Access Entitlements
  Access Global Conditions
  Access Path Conditions

Transaction Models: Transaction models are created and managed using the Create
Transaction Models and Manage Transaction Models links.
Control Administration: All access control administration, and the creation and
modification of entitlements, are done in this section.

Results Management

Incident Workflow
View Controls or Incidents in Summary
Mass-Edit Incidents
View and Edit Individual Incidents
Assign Incidents
Assign Relationships
Visualize Access Incidents
Simulations
Access Approvals

In this section we manage incidents created by the model execution.
View Controls or Incidents in Summary
You can set the Manage Results home page to display either a list of controls that have
generated incidents, or a list of incidents generated by those controls. In the control list, each
control links to a list of the incidents only it has generated. From any list of incidents, you can
open pages that provide details of individual incidents.
Mass-Edit Incidents
You can set status for any number of incidents, or write comments for them, all at once.

GRC Security

Industry Standard Security Pattern
Privileges provide functional security
Data roles provide record level security
Managing Roles
Users assigned Job Roles
Consider who will use EGRCM and for what purpose
Job Roles Comprised of Duty and Data Roles
Duty Role: Defines What a user can Do
Data Role: Defines Which set of Data
Many to many relationship
State Data Roles
Identifies where an object record is within its lifecycle

Defining Roles

Before you begin setting up your roles, consider who will
use AACG and ETCG, and for what purposes.
Seeded data, duty, and job roles are provided as templates.
Common practice is to copy seeded roles and modify them as required.

Roles Examples

Examples of roles may include:
Auditors
Internal Controls Group
Business Area / Application Owners
System Administrator
Access Approval Investigators

Before you begin setting up your roles, consider who will use AACG, and for what purposes.
Auditors - May be able to review generated conflicts and run reports.
Internal Controls Group - May help define dimensions, review/create policies, and run
reports.
Business Area/Application Owners - May conduct activities such as creating policies,
creating entitlements, viewing conflicts, updating conflict statuses, and simulating the
resolution of conflicts.
System Administrator - May set up data sources, application configuration, and
notification configurations.
Access Approval Investigator (Earlier User Provisioning Participants) - May review
access requests in the Manage Access Approvals panel.
See the GRC Security Implementation Guide, as well as the Security Management chapter
of the GRC User Guide.

User and Role Administration

In Setup and Administration, the Security tasks include:
Managing Roles
Creating users and assigning roles
Note: Each user can have any number of roles

In the Setup and Administration section, in the Security section, you can create roles, each of
which grants access to a set of features in Governance, Risk and Compliance Controls. You
can then create users and assign roles to them. Each user can have any number of roles.

User and Role Hierarchy

[Figure: user and role hierarchy, labeled "Security Profile", with the callouts: User Profiles can have multiple Job Roles; Duty Role provides functional access (i.e. Manage Controls); Data Role grants data access to specific data (i.e. Controls related with the Security Perspective)]

User: User Profiles can have multiple Job Roles
Job Role: The job role is the combination of functional access and data access. It
references one or multiple duty roles and data roles, defining the complete set of
functional and data access needed for a job.
Duty Role: Duty Role provides functional access (i.e. Manage Controls). A duty role is
a set of privileges. Each duty role defines one or more tasks a user can complete in the
application, for example creating controls, or approving changes to them.
A privilege is the most granular aspect of functional access: a reference to a specific
application resource, and the means to grant functional access to the user. Each
privilege has a name that describes its functionality, a navigator entry identifying the
navigator component in which it is included, and an activity identifying the type of activity
it is part of.
Data Role: Data Role grants data access to specific data. (i.e. Controls related with the
Security Perspective.)
A data role defines a narrowly focused set of data. A primary data role supports work with
models, continuous controls, or incident results in GRC, and it sets a fourth condition: data
must be associated with a value for a seeded CCM Type perspective, which distinguishes
between data for use by AACG and data for use by ETCG.

Manage User Security

Leverage seeded Job, Data and Duty Roles.
Manage user community across the application.

[Figure callouts: Manage all Roles in a single location. Manage users and their specific job function.]

User-level security for access to the application is controlled by the roles defined and
assigned to each user.
Roles define who can access the application screens, based on the jobs and duties that are
functionally assigned to the user, and also the data that the user needs to work on.
Security can be further enhanced by associating perspectives with the roles, to get
more granular control over the data that the user accesses in the application.

Creating and Managing Job Roles

Job Role associates the Duty and Data roles.
Create specific Job Roles based on the user community and their job functions.
Best Practice: When possible, create Job Role Templates that can be
copied and modified to meet the specific data access.

[Figure callouts: Leverage seeded Job Duty Roles. Specify data-level security by Job Role.]

In the Roles pane, click on the row for a role whose information you wish to review. In the
Role Logic, the lower pane, labeled with the name of the selected role, displays detailed
information about the role. In the Roles pane, click the Role Name to view the details of the
role.

Data Role Composition

[Figure: Data Role composition, with the labels Data Roles; Data Role; Module; State/Action; Base; Objects: Access Model, Controls, Incidents; Actions: Create, View, Edit, and Delete/Retire; Perspectives]

The data role defines which set of data the user has access to within the application. The
system matches on the criteria for all the data roles within each user's job roles to determine
the set of data to which the user has access.
Two types of data role are delivered: primary data roles that include module, state, and state
action, and composite data roles that reference a set of primary data roles to form the basic
data access needed for a job role. Because primary data roles are created for each object (model,
control, incident result), each state (Create, Edit, Delete, and View), and each CCM Type (Access
and Transaction), the variations of each state and state action allow for extremely
granular data-level security that may be assigned to users to control their access.
Each primary data role is intended to be referenced by many composite data roles,
depending on what actions are needed. You should not need to create primary data
roles with module, state, and state action, but simply reference the delivered primary
data roles.
For CCM, the application is delivered with primary data roles for models, continuous
controls, incident results, access requests, entitlements, and global and path conditions.
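
How duty roles, data roles and perspective values combine into an access decision, as an added Python sketch that is not Oracle's implementation. The perspective hierarchy, users and role names are constructed; treating a privilege as an (object, action) pair, matching a perspective value against its descendants, and requiring edit access for result investigators are assumptions made for the example.

```python
"""Toy evaluator for job, duty and data roles. Added illustration, not Oracle's code."""
from dataclasses import dataclass

# Constructed perspective hierarchy: child value -> parent value.
PARENT = {"EMEA": "Global", "APAC": "Global", "UK": "EMEA", "France": "EMEA"}


def within(value, root):
    """True if value is root or one of its descendants in the hierarchy."""
    while value is not None:
        if value == root:
            return True
        value = PARENT.get(value)
    return False


@dataclass(frozen=True)
class GrcObject:
    kind: str                  # "model", "control" or "incident"
    ccm_type: str              # "Access" (AACG) or "Transaction" (ETCG)
    perspectives: frozenset    # perspective values the object is related to


@dataclass(frozen=True)
class DataRole:
    """Primary data role: one object kind, one action, one CCM Type."""
    kind: str
    action: str                # "Create", "View", "Edit" or "Delete"
    ccm_type: str
    perspectives: frozenset = frozenset()  # empty means unrestricted (assumption)

    def covers(self, obj, action):
        if (self.kind, self.action, self.ccm_type) != (obj.kind, action, obj.ccm_type):
            return False
        if not self.perspectives:
            return True
        # Assumption: a role value matches the same value or any descendant.
        return any(within(value, root)
                   for value in obj.perspectives for root in self.perspectives)


@dataclass(frozen=True)
class DutyRole:
    name: str
    privileges: frozenset      # simplified here to (kind, action) pairs


@dataclass(frozen=True)
class JobRole:
    name: str
    duty_roles: tuple
    data_roles: tuple


def can(job_roles, action, obj):
    """Access needs a privilege (duty role) AND matching data (data role)."""
    functional = any((obj.kind, action) in duty.privileges
                     for job in job_roles for duty in job.duty_roles)
    data = any(role.covers(obj, action)
               for job in job_roles for role in job.data_roles)
    return functional and data


def eligible_investigators(users, incident):
    """Assumption: a result investigator must be able to edit the incident."""
    return sorted(name for name, jobs in users.items()
                  if can(jobs, "Edit", incident))


def incident_job(name, ccm_type, *values, actions=("View", "Edit")):
    """Build a job role for working incidents (helper for the sample data)."""
    duty = DutyRole("Manage Incidents",
                    frozenset(("incident", action) for action in actions))
    data = tuple(DataRole("incident", action, ccm_type, frozenset(values))
                 for action in actions)
    return JobRole(name, (duty,), data)


# Constructed users: name -> job roles (a user may hold any number of roles).
USERS = {
    "emea_owner": [incident_job("EMEA Access Owner", "Access", "EMEA")],
    "apac_owner": [incident_job("APAC Access Owner", "Access", "APAC")],
    "txn_owner": [incident_job("Transaction Owner", "Transaction", "Global")],
    "auditor": [incident_job("Auditor", "Access", actions=("View",))],
}
UK_INCIDENT = GrcObject("incident", "Access", frozenset({"UK"}))
```

For the UK access incident only `emea_owner` qualifies: the APAC role fails on perspective, the transaction role fails on CCM Type, and the auditor holds no Edit privilege.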

Duty Role Composition

Duty Roles are composed of Privileges, which address
the functional aspect.

[Figure: Duty Role composition, with the labels Duty Role; Privilege(s); Objects: Access Model, Controls, Incidents; Actions: Create, View, Edit, and Delete/Retire]

A duty role is a collection of privileges. Each represents a set of functional tasks needed for a
unit of work within the application.
A privilege is the most granular aspect of functional access: a reference to a specific
application resource, and the means to grant functional access to the user.
Privileges are seeded within the application and cannot be created by the user. A privilege
grants the user access to a page, but it also enables navigation links as well as page and
table actions.

CCM Users Management

Using the Manage Users tool, available in the Security section, you
can manage users, and assign or revert roles for the users. Each
user can have any number of roles.

You can use options available from the Manage Users page to create, edit or copy, or unlock
user accounts, or import them from an LDAP repository.

Creating Users

In the Manage Users page, click on Actions > Create User. A Create User page opens.
Enter the following:
User Name for logon, Last Name, First Name, Middle Name, Email1
User Name cannot be changed after it has been saved
Indicate a status
Active or Inactive; Locked usually set by system
Add other optional user information
Contact information, Position, Organization
Language preference
Passwords
Roles
Select roles for users

User Preference

All users access this page from the top right Preference link. Users
can see their details and assigned roles.

From any page in GRC, the user who is currently logged on can open User Preferences,
review information pertaining to his own user account, and change some of it. To open User
Preferences, click on the Preferences link near the upper-right corner of any GRC page. A
User Preferences dialog appears, divided into three sections:
A Details section displays your username and status as read-only values. It also
provides write-enabled fields in which you can modify your first, middle, and last names,
email address, password, a second email address, office and mobile phone numbers,
physical address, and position and organization.
Email Address 1 is the address to which GRC sends worklist advisories (if notifications
are enabled under Manage Application Configurations in the Setup and Administration
tasks). A password is case-sensitive and must consist of at least eight characters, taken
from each of four character sets: uppercase letters, lowercase letters, numbers, and
special characters, which comprise !@#$%&*. A password is invalid if it matches or
contains the username, and it must not match any of the previous three passwords.

Define Perspectives

Import/Export Perspectives
Define Perspective Values
Create Perspective Hierarchies
Associate Perspectives to Data Roles (Using Manage Roles)
Associate perspectives with Access Objects (Controls, Incidents or Results)

Define perspective hierarchies, each of which is, in effect, a set of related values that define a
context in which GRC objects may exist. Individual perspective values may be assigned to
individual models, controls, and incidents (control violations). Perspectives may then be used
for reporting and filtering purposes (for example, a user may generate a report about all
controls associated with a particular perspective value).
Perspectives are also instrumental in GRC security: data roles define the data to which
individual users are granted access, and if associated with perspective values, these roles
grant access only to models, controls, and incidents associated with those values.
GRC Perspective Management enables you to create (or edit) perspectives. Or, Data
Migration enables you to import them from a template. (Oracle supplies an import template
that includes Business Process and Risk perspectives. You may edit these, or create others,
for import.)
System perspectives for Datasource, Business Object, and CCM Type are used for securing
data. These are not accessible in Perspective Management and cannot be modified directly.

Perspective Hierarchies

Define hierarchical structures specifically designed to meet
unique business requirements.


For Example:
Organization
Departments
Region

Perspective Hierarchies

Create and manage multiple nodes within a hierarchy.


Define hierarchical tree structure.
View perspective details.


Perspective Management

Manage perspective availability by object.

Models
Continuous Controls
Results (Incidents)

Manage perspectives by object


Perspectives and Data Level Security

Perspectives can be leveraged across all three objects (control, result and models).
Manage granular data level security.
Allow up to 25 perspectives to display in the object UI.
Relate objects 1:N perspectives



Perspectives - Data Level Security

In CCM, perspectives are associated with data roles, and users with the job roles are managed through perspective definitions.
This would grant access only to data concerning objects associated with that perspective value.

[Figure: GRC Security Model. Labels: User, Job Role, Data Role, Perspectives.]

Data Level Security
Perspectives also play a part in GRC security. Users are assigned job roles, which contain
duty roles that define functionality available to users, and data roles that define sets of data
available to users. A data role may be associated with a perspective value, and if so would
grant access only to data concerning objects associated with that perspective value. To use
the Organization example, a data role might be associated with the perspective value for a
specific operating unit within a particular division. That role would grant access only to data
pertaining to that operating unit.

Manage Incidents with Perspectives

Perspectives also help determine which users resolve incidents generated by continuous controls.
As a continuous control is created, perspective values are assigned to it.
A user can review its incidents if his job role contains a data role associated with perspective values that match values assigned to the control.
Note: The job role would also need to contain a duty role with the privilege for incident review.

In the CCM module, perspectives also help determine which users resolve incidents generated by
continuous controls. As a continuous control is created, perspective values are assigned to it.
A user can review its incidents if his job role contains a data role associated with perspective
values that match values assigned to the control. (The job role would also need to contain a
duty role with the privilege for incident review.)
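
The access decision described above can be modelled as follows. This is an added example, not Oracle's code: the privilege name, role names and perspective values are constructed, "match" is assumed to mean at least one shared perspective value, and a data role with no perspective value is assumed to be unrestricted by perspective.

```python
from dataclasses import dataclass

# Hypothetical privilege name; the guide only says "the privilege for incident review".
REVIEW_INCIDENTS = "incident.review"


@dataclass(frozen=True)
class DutyRole:
    name: str
    privileges: frozenset          # functional access


@dataclass(frozen=True)
class DataRole:
    name: str
    # (hierarchy, value) pairs; empty means "not restricted by perspective" (assumption)
    perspective_values: frozenset = frozenset()


@dataclass(frozen=True)
class JobRole:
    name: str
    duty_roles: tuple
    data_roles: tuple


@dataclass(frozen=True)
class Control:
    name: str
    perspective_values: frozenset  # assigned when the control is created


def data_role_covers(data_role, control):
    """True if the data role exposes this control's incidents."""
    if not data_role.perspective_values:
        return True
    return bool(data_role.perspective_values & control.perspective_values)


def can_review_incidents(job_roles, control):
    """Return (allowed, reason) for a user holding the given job roles.

    The duty-role privilege and the matching data role must sit in the SAME
    job role; a privilege from one job role is not combined with data access
    from another.
    """
    for job in job_roles:
        has_privilege = any(REVIEW_INCIDENTS in d.privileges for d in job.duty_roles)
        covering = [r.name for r in job.data_roles if data_role_covers(r, control)]
        if has_privilege and covering:
            return True, f"{job.name}: {REVIEW_INCIDENTS} + data role {covering[0]}"
    return False, "no job role pairs the review privilege with a matching data role"


# --- constructed sample data -------------------------------------------------
EMEA = ("Organization", "EMEA Operating Unit")
APAC = ("Organization", "APAC Operating Unit")

reviewer_duty = DutyRole("Incident Reviewer", frozenset({REVIEW_INCIDENTS}))
viewer_duty = DutyRole("Control Viewer", frozenset({"control.view"}))

emea_reviewer = JobRole("EMEA Incident Manager", (reviewer_duty,),
                        (DataRole("EMEA Incidents", frozenset({EMEA})),))
apac_viewer = JobRole("APAC Auditor", (viewer_duty,),
                      (DataRole("APAC Incidents", frozenset({APAC})),))
global_reviewer = JobRole("Global Incident Manager", (reviewer_duty,),
                          (DataRole("All Incidents"),))

emea_control = Control("Duplicate payments (EMEA)", frozenset({EMEA}))
apac_control = Control("Duplicate payments (APAC)", frozenset({APAC}))

USERS = {
    "alice": [emea_reviewer],               # privilege + EMEA data
    "bob": [apac_viewer],                   # APAC data, no review privilege
    "carol": [emea_reviewer, apac_viewer],  # privilege and APAC data in different job roles
    "dave": [global_reviewer],              # privilege + unrestricted data role
}

if __name__ == "__main__":
    for user, roles in USERS.items():
        for control in (emea_control, apac_control):
            print(user, control.name, can_review_incidents(roles, control))
```

When auditing role designs, the "carol" case is the one to look for: a user who appears to hold both the privilege and the data access, but never in the same job role.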

Jobs Administration

Jobs are programs that synchronize data to:
Identify Access Conflicts
Run ETCG models and export results
Generate reports
Some jobs can be run on demand, or can be scheduled to run.

"Jobs" are individual requests to synchronize data, evaluate models or continuous controls,
export results, generate reports, or perform other background tasks. Some jobs can be run on
demand, or can be scheduled to run. In general, a job is run or scheduled from a page to
which it applies; for example, one might synchronize data from the Manage Application
Data page or run controls from the Continuous Control Management > Manage Controls
page.
In the Manage Jobs page, users may view jobs, cancel them, or purge job history. Each row
in the Manage Jobs page presents the following information about one occasion when a job
was run:
Job ID: An identification number assigned internally to the job by GRC.
Name: The name of the job that was run.
Start Date and End Date: The dates and times on which the job began to run and
finished running.
Status: The current state of a job. Most statuses are assigned by GRC. These include
Not Started, Started, Queued, Pause Requested, Paused, Completed, and Error. GRC
updates the status until a final state (either Completed or Error) is reached.
Message: An informational message about the job status.
Run By: The user name of the user who ran the job.

Scheduling Administration

Jobs can be scheduled to run, and typically the schedule is
created in the page to which the job applies; the job may be run
manually from that page as well.

A job may be scheduled to run, and typically the schedule is created in the page to which the
job applies; the job may be run manually from that page as well. For example, one may
update a data analytics schema, or schedule it to be updated, from the Manage Application
Configurations page. However, any schedule created elsewhere is listed in the Manage
Scheduling page, where you may modify schedules or run jobs manually.
View Schedules
In the Manage Scheduling page, each row presents the following information about a job
scheduled to run in the future:
Schedule Name: The name assigned to the schedule when it was configured.
Name: The name of the job itself; for example, the name of a report if the scheduled
job is to generate the report.
Last Run Date: The date and time on which this schedule last caused the job to be run.
Next Run Date: The date and time on which this schedule will next cause the job to be
run.
Scheduled By: The user name of the GRC user who created the schedule.

GRC Application Configuration

The Manage Application Configuration page contains eight tabs:
Properties
Worklist
Security
Analytics
User Integration
Notification
Maintenance
Attachments
To open the Application Configuration page, select Manage
Application Configuration under the Setup Menu section of the
Navigation panel.

The Manage Application Configurations page is divided into tabs, in each of which you can
set options that determine how GRC works.
1. Properties: The Properties tab opens a page in which you can set values required for
GRC to connect to its database. You can also select performance and language
options, and back up or restore the GRC database schema.
2. WorkList: Fields available in the page opened from the Worklist tab apply only if
EGRCM is installed with Service Oriented Architecture (SOA). Typically, these fields are
set during installation and would not be changed subsequently.
3. Security: The Security tab opens a page in which you can set login, password, and other
security values.
4. Analytics Integration enables GRC to supply data to Oracle Business Intelligence
Publisher (BIP), in which you can create custom AACG reports, or to Global Risk
Compliance Intelligence (GRCI), another Oracle product.
5. User Integration sets up GRC to recognize users created externally in a database that
uses LDAP technology to share user information.

DataSource Administration

Using the Setup and Administration tool, in the Manage Application
Datasource page:
You can configure connections between GRC and instances of
the business-management applications subject to its controls.
Run the synchronize option to run ETL against the defined data
source, to display information in varying languages, or to
integrate with other applications.
Synchronize Business Data either for Access or Transaction
Data, one at a time, with the GRC Database, with a progress bar
indicating % of progress, located in the lower portion of the
page.
We have an option to schedule the Synchronization program.
We can also continue to navigate and work on other pages when
the synchronization process is running.
You can also import business objects for use with models.

Use the Manage Application Datasources page to set up Oracle EBS, PeopleSoft, Fusion, or
other datasources, and to synchronize data for those datasources. Datasource management
applies only to GRC (the CCM module).
Working with Data Sources
Governance, Risk and Compliance Controls works with data gathered from business
management applications. For it to do so, you must configure connections to data sources for
instances of these applications. GRC comes prepared for you to configure connections to
Oracle or PeopleSoft data sources. If you intend to configure a connection to an instance of
another business-management application, you must first configure a data source type for
that application. Once connections are established, you would periodically synchronize GRC
data with that in the data sources; there are distinct synchronization procedures for data used
by AACG and data used by ETCG.
ETL synchronization may be run on demand, or it may be scheduled to run at regular
intervals. Various factors dictate how often either on-demand or scheduled synchronization
should occur.

Application Libraries

For GRC (the CCM module), this library contains business
objects, patterns and connectors to be used only by GRC
(the CCM module).
You can upload new business objects or patterns for use in
models and continuous controls.

Business Objects
As you create models, you work with business objects, each essentially a business-language
label for one or more database tables that hold information pertinent to access or
transactions. Business objects contain attributes, each a business-language name for a
column within the selected object. Although GRC comes with a selection of business objects
already configured, more will be developed over time.
Patterns
Patterns are statistical functions, supplied by Oracle, that may be used in transaction models and
controls.
Custom Connector
A custom connector uses ETL technology to collect data from a business-management
application and provide it in a format that GRC recognizes. A default connector, provided with
GRC, does this for instances of Oracle EBS and PeopleSoft. Custom connectors may be
developed (outside of GRC) to do the same for other business-management applications, and
then uploaded to GRC. Once uploaded, a custom connector would be selected for a particular
datasource in the Manage Application Datasources page.

Data Migration

Data Migration utility enables you to upload:
Perspective data for the CCM module
Initial and incremental loading of operational data

A Data Migration utility enables you to upload perspective data for the CCM module. The
procedure involves generating an XML template that reflects the specific configuration of the
module, updating the template with your operational data, and running an import process.
The Data Migration utility supports both initial and incremental loading of operational data:
Initial Load indicates that all the data contained in the import file is new to the module
(and Initial Load can be run even when other data already exists in the module).
Incremental load supports the addition of new operational data as well as the updating
of existing object, association, and perspective data. New transaction data for existing
objects can also be imported during an incremental load, but updating an existing
transaction is not supported.

GRC and Language

CCM supports 12 languages:
English (US), Chinese Standard/Simplified,
Chinese/Traditional, Danish, Dutch, French, German, Italian,
Japanese, Korean, Portuguese (Brazilian), or Spanish.

An administrator uses the Application Configuration panel to make a selection of these
languages available to users.
Each individual user may select one of the available languages while logging on, while
configuring a user profile, or both.
For a given user, CCM selects a language in the following order of preference:
1. The language specified during logon.
2. If none is selected, then the language specified in the user profile.
3. If no language is chosen in either place, the language specified in the user's web
browser.
4. If the web browser language does not match one available in the AACG instance, US
English.

Welcome Page Components

Worklist is a record of, and link to, a task that a user must
complete; each user has his own set.


Watchlist is a summary of your worklist entries,
categorized by module and, within each module, by activity
type.
Notifications is a record of a task in which you have an
interest, but for which no action is required from you.
Worklist
A worklist is both a record of a task that has been assigned to you and a link to the CCM page
on which you can complete the task. The worklist displays a name for the task, a description,
and the name of the object to which the task applies. The task description is a brief statement
of the action you are intended to take.
Draft indicates work that you have begun but not yet completed, such as a control that you
have saved but not yet submitted for review. Other task descriptions, such as Review or
Complete Assessment, are self-explanatory. To view your worklists, select the Worklists tab
in the Pending Activities area of your home page or any object overview page. You can
search for worklist entries. Each of the standard search fields assumes a Starts With
operator: the search returns all values starting with the text you enter. You can select an
Advanced search to use other search operators or add to search parameters.
A worklist is a record of, and link to, a task that a user must complete; each user has his own
set. Changes to GRC security components may alter the rights of individual users, making
them ineligible to open worklists to which they previously had access. Or, users may become
eligible to receive worklists to which they previously had no access. When such changes are
made, Security Optimization ensures that users see only the worklists they should. A Security
Optimization job may be run manually in the Manage Scheduling page.

Worklist Values
Note: Fields available in the page opened from the Worklist tab apply only if GRC is installed
with Service Oriented Architecture (SOA). Typically, these fields are set during installation
and would not be changed subsequently.
Watchlist
The watchlist is a summary of your worklist entries, categorized by module and, within each
module, by activity type. You can expand or collapse sets of watchlist entries so that you can
focus only on a particular set. The watchlist appears only on your home page, near the upper
left corner.
Notifications
A notification is a record of a task in which you have an interest, but for which no action is
required from you. Like a worklist, a notification is also a link to the page on which the task
has been undertaken. To view your notifications, select the Notifications tab in the Pending
Activities area of your home page or any object overview page. You can search for
notifications in the same way you search for worklists.

Administration - Creating Views

In the Manage Users pane of the Manage User page, you can
limit the display of entries to those that satisfy filtering criteria,
and you can sort the entries.
You can also:
Remove columns from display or restore them
Rearrange the order in which columns appear and resize them
Save your selections as a view; either select your view for display
or cause it to be displayed by default


Sorting and Using 'View' Option for Filtering

Filtering Data
To filter the values displayed in a list:
1. Determine where to enter filtering criteria.
2. In any combination of columns in the view row or text boxes, enter (or select)
values appropriate to the columns.
3. Click on the View button in the tool bar above the list. The list then contains only
entries that match the values you've entered.

Sorting Data
To set a sort order for items in a list, click in the heading for one of its columns.
1. Entries in that column are then arranged in alphanumeric order.
2. Click in the column heading a second time to arrange entries in reverse
alphanumeric order.


Summary

In this lesson, you should have learned:


Application Navigation
Understand Continuous Controls Monitoring features
Users and Roles Administration
Perspectives
Manage Administration of Controls, Incidents, Jobs & Reports
Manage Application Data, Configuration, Notifications & Approvals.


Quiz

Question 1: Duty Roles can be assigned directly to Users?


a. True
b. False

Answer: b


Quiz

Question 2: Perspectives are associated to Data Roles?


a. True
b. False

Answer: a


Quiz

Question 3: Perspectives are equivalent to Tags (used earlier) for Controls?
a. True
b. False

Answer: a

Applications Access Controls Governor Overview

Objectives

After completing this lesson, you should be able to:


Identify AACG implementation considerations
Understand overall setup steps for AACG
Identify required steps and optional setup features and
business functions



AACG Overview

Segregation-of-duties (SOD) control-authoring and handling solution
Across heterogeneous platforms to detect and prevent
undesired user access.
To identify unauthorized access and the users who have
that access, Models are created and run, which list
Users with conflicting access.
On obtaining desired results, Models are upgraded into Controls.

Application Access Controls Governor regulates access to duties assigned in business-
management applications. By default it controls access to Oracle E-Business Suite and
PeopleSoft Enterprise, and it may be configured to work with other business management
applications as well. It implements access controls, which identify duties that are considered
to conflict with one another because, in combination, they would enable individual users to
complete transactions that may expose a company to risk.

Access Control Life Cycle

[Figure: Access control life cycle. Phases: Detection, Prevention. Stages: Define Access Controls, Access Analysis, Remediation (Clean-up), Preventive Provisioning, Compensating Policies. Other labels: Conflict Paths, Policy Library.]


Access Points

Each control specifies access points to a company's business
management applications that should not be assigned
simultaneously to individual users.
In Oracle E-Business Suite, access points include:
Roles, Responsibilities
Menus, Functions, Grants, and Concurrent Programs
In PeopleSoft, access points include:
Roles, Permission Lists
Panel Group Components
Menus, and Page Definitions
In Fusion, access points include:
Roles
Permissions and Privileges

An access control defines conflicts among a selection of access points to an
organization's systems. In broad terms, an access point is an object in a business
management application which, when made available to a user, enables him to do
something.
Access points may be gathered into entitlements, and AACG policies may use
entitlements in place of, or in addition to, access points.
Best-practice libraries for Fusion, PeopleSoft and E-Business Suite provide access controls
that support rapid segregation-of-duties implementation around common end-to-end business
processes. These include Order to Cash, Procure to Pay, Finan-cials, and Human Resources.

Oracle GRC Controls Suite Fundamentals Ver. 8.6/7.3.3/5.5.1 3 - 5


Entitlements

Groups of Access Points


Use Entitlements to group access points that correspond
to a common privilege (e.g. several different functions
allow you to create an invoice).

Entitlement Features
  Grouping of access points (similar to Entity Groups)
  Business naming conventions to technical access points
  Initial staging of future access definition functionality
  Loose linking to compensating controls


Segregation-of-duties Conflicts

AACG finds SOD conflicts


  Assignments of duties to business management
  application users that violate access points
  Best-practice SOD libraries may be used to deploy
  controls for immediate conflict analysis

An access model defines conflicts among access points (duties) that can be assigned to
users in a company's applications. Access points are considered to conflict when, in
combination, they would enable individual users to complete transactions that may expose a
company to risk. An access model consists of filters, each of which may serve either of two
purposes:
  An access filter may specify an access point or an entitlement (a set of access points); if
  so, it identifies users who have been assigned the specified access point, or any access
  point in the specified entitlement. A conflict exists when a user is selected by a specified
  combination of these filters. Combinations are determined by the way you arrange filters
  in the model.
  A filter may define a condition, which sets limits on the conflicts a model may identify.
  Typically, a condition specifies users or other items (such as companies in PeopleSoft,
  operating units in Oracle EBS, or business units in Fusion) that are excluded from
  analysis by the model, or it specifies a type of item (operating unit, for example) and
  requires that the model return results only when access points conflict within individual
  instances of that item type.


Environment Setup and AACG Implementation
1) Work with partner service provider to evaluate environment and options for installation.
2) Identify preferred and supported OS, app server and database configurations.
3) Look on Oracle Support for known environment variable issues.
4) Follow installation instructions to install AACG.
5) Verify that areas of the application are working properly.
6) Continue setup steps as recommended in Implementation Guide.


Multi-Platform and Cross-Platform Support

Multi-Platform Support for stand-alone applications: Manage user access within multiple
application platforms concurrently.
Cross-Platform Support for integrated applications: Manage user access between
multiple application platforms.

[Figure: two panels, each labeled with EBS User; PeopleSoft User; SAP, JDEdwards or Custom Application User; Application Access Controls Governor; Custom or Legacy Applications.]


Implementation Approach Overview

To set up Application Access Controls Governor, you will use
software tools specific to it as well as software tools common to
it and other GRC applications.
A two-phase process is assumed:
  During remediation, you clean up incidents that existed
  before access controls were created.
  During access approvals, existing controls prevent, allow,
  or suspend new access requests.


Implementation Approach Flow
[Figure: AACG setup flowchart. Column headings: Administration Setup; Create Access Model / View Results; Setup Conditions; Deploy Controls (Remediation Phase); Manage Access Approvals. Legend: Required; Optional.]

AACG Setup Flowchart
You can set up Application Access Controls Governor in many ways; Oracle recommends
that you follow the order suggested in the flowchart.
The steps highlighted in blue with italicized text in the flowchart are required.
The others are optional; you perform the optional steps only if you are ready to use the
features or business functions implemented by those steps.


AACG Setup Flow

Administration Setup
  Connect GRC Instance to Database
  Connect to Embed GRCI (Optional)
  Connect Business Application
  Synchronize to load data from Business Application to AACG schema
  Define Perspective Hierarchies
  Define job, duty, and data roles

Administration Setup Steps
Connect your instance of GRC to its database: Typically, connectivity values are set during
installation; you would update the values only if your configuration needs to change.
AACG can connect, and supply information, to Oracle Fusion GRC Intelligence (GRCI): To
use the optional embedded Oracle Fusion GRC Intelligence (GRCI), create a distinct schema
for its use, known as the Data Analytics schema. Then, in an Analytics tab on the Manage
Application Configurations page, provide information AACG uses to connect to the Data
Analytics schema.
Configure connections to datasources for instances of the business-management applications
(such as Fusion, Oracle EBS, or PeopleSoft) that are to be subject to control by AACG.
Run synchronization to consume the access security model for each datasource.
Define perspective hierarchies, each of which is, in effect, a set of related values that define a
context in which GRC objects may exist. Individual perspective values may be assigned to
individual models, controls, and incidents (control violations). Perspectives may then be used
for reporting and filtering purposes (for example, a user may generate a report about all
controls associated with a particular perspective value). Perspectives are also instrumental in
GRC security: data roles define the data to which individual users are granted access, and if
associated with perspective values, these roles grant access only to models, controls, and
incidents associated with those values.


AACG Setup Flow

Create Access Models and View Results


  Import Content (Optional)
  Review Model Logic (Optional)
  View Model Results (Optional)
  Manage Access Entitlements
  Manage Access Models

Create Access Models and View Results
  Import content: The AACG export and import functionality may be used to import
  content in the form of models, controls, or templates. During initial implementation, it is
  recommended that you import models or templates, so that model logic may be reviewed,
  results may be generated and analyzed, and the models may (if necessary) be modified
  before permanent controls are created and used to generate incidents. Best-practice
  SOD libraries for Fusion, PeopleSoft and E-Business Suite may be loaded to support
  rapid implementation of segregation of duties.
  Review model logic: If the best-practice SOD libraries were imported, it is important to
  review the related entitlements and model logic to ensure the definitions meet your
  company's expectations for identifying SOD conflicts. You may need to modify these as
  you see fit.
  View model results: The purpose of a model is to allow initial analysis of temporary
  results before permanent incidents are generated. It is also common at this stage to do
  some initial remediation if your company does not require a history of the incident.


AACG Setup Flow

Set Up Conditions
Define conditions to create a more focused analysis and
eliminate false positives.
You can create three types of conditions:
  Filters
  Global conditions
  Global path conditions

Set Up Conditions
Condition Types
  Filters: As you create or edit a model, you can create filters for it. These are conditions
  in that they specify users or other objects, like companies in PeopleSoft or operating
  units in Oracle EBS, that are exempt from the control. Or they specify circumstances
  under which the control is enforced, for example, only when a user's access to
  conflicting access points would be granted within a single set of books.
  Global conditions: These are essentially the same as conditions configured to apply to
  an individual model or control, except a global condition applies to all models and
  controls as they are enforced on a given instance of a business-management
  application.
  Global path conditions: Each excludes one access point from another, such as an
  EBS function from a responsibility. A path including those points would be excluded
  from conflict generation. If, for example, a global path condition excluded function1 from
  responsibility1, a control set function1 in conflict with function2, and a user had access
  to both functions, no conflict would occur if the user's access to function1 came from
  responsibility1.
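The access-model logic and the condition types described above (access filters over entitlements, an excluded-user condition, a same-operating-unit condition, and a global path condition), worked through as an added example. This is not Oracle code or the AACG API; every user, responsibility, function and entitlement name below is constructed sample data.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Grant:
    """One access path: a user reaches a function through a responsibility."""
    user: str
    operating_unit: str
    responsibility: str
    function: str

    def path(self):
        return f"{self.operating_unit}/{self.responsibility}>{self.function}"


@dataclass(frozen=True)
class AccessModel:
    """Two access filters combined with AND, plus the model's own conditions."""
    name: str
    left: str                                # entitlement selected by filter 1
    right: str                               # entitlement selected by filter 2
    excluded_users: frozenset = frozenset()  # condition: users exempt from analysis
    within_operating_unit: bool = False      # condition: conflict only inside one OU


# Constructed sample data (hypothetical names, not from any real instance).
ENTITLEMENTS = {
    # Several functions that amount to the same privilege are grouped together.
    "Create Invoice": {"CREATE_INVOICE", "ENTER_INVOICE_BATCH"},
    "Approve Payment": {"APPROVE_PAYMENT"},
}
GRANTS = [
    Grant("alice", "OU_US", "AP_CLERK", "CREATE_INVOICE"),
    Grant("alice", "OU_US", "AP_MANAGER", "APPROVE_PAYMENT"),
    Grant("bob", "OU_US", "AP_CLERK", "ENTER_INVOICE_BATCH"),
    Grant("bob", "OU_UK", "AP_MANAGER", "APPROVE_PAYMENT"),
    Grant("carol", "OU_US", "AP_INQUIRY", "CREATE_INVOICE"),
    Grant("carol", "OU_US", "AP_MANAGER", "APPROVE_PAYMENT"),
    Grant("dave", "OU_US", "AP_INQUIRY", "CREATE_INVOICE"),
    Grant("dave", "OU_US", "AP_CLERK", "CREATE_INVOICE"),
    Grant("dave", "OU_US", "AP_MANAGER", "APPROVE_PAYMENT"),
    Grant("svc_batch", "OU_US", "AP_CLERK", "CREATE_INVOICE"),
    Grant("svc_batch", "OU_US", "AP_MANAGER", "APPROVE_PAYMENT"),
]
# Global path condition: exclude a function from a responsibility.
PATH_EXCLUSIONS = frozenset({("CREATE_INVOICE", "AP_INQUIRY")})


def find_conflicts(model, grants, entitlements, path_exclusions=frozenset()):
    """Return sorted (user, left_path, right_path) tuples, one per conflict path."""
    # Conditions remove users and paths before the access filters are combined.
    usable = [g for g in grants
              if g.user not in model.excluded_users
              and (g.function, g.responsibility) not in path_exclusions]
    left = [g for g in usable if g.function in entitlements[model.left]]
    right = [g for g in usable if g.function in entitlements[model.right]]
    conflicts = set()
    for a, b in product(left, right):
        if a.user != b.user:
            continue
        if model.within_operating_unit and a.operating_unit != b.operating_unit:
            continue
        conflicts.add((a.user, a.path(), b.path()))
    return sorted(conflicts)


def conflicting_users(conflicts):
    """Distinct users that appear in a list of conflict paths."""
    return sorted({user for user, _, _ in conflicts})


BROAD = AccessModel("Invoice vs. payment", "Create Invoice", "Approve Payment")
TUNED = AccessModel("Invoice vs. payment (tuned)", "Create Invoice", "Approve Payment",
                    excluded_users=frozenset({"svc_batch"}),
                    within_operating_unit=True)

if __name__ == "__main__":
    for model, exclusions in ((BROAD, frozenset()), (TUNED, PATH_EXCLUSIONS)):
        print(model.name)
        for user, lhs, rhs in find_conflicts(model, GRANTS, ENTITLEMENTS, exclusions):
            print(f"  {user}: {lhs}  <->  {rhs}")
```

With the conditions applied, carol drops out because her only path to the invoice function runs through the excluded responsibility, while dave still conflicts through his second, non-excluded path.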


AACG Setup Flow

Deploy Controls (Remediation Phase)


  Create access controls
  Prioritize controls (Optional)
  Assign perspective values (Optional)
  Assign result investigators for controls
  Assign enforcement types
  Run analysis
  Manage incidents

Deploy Controls (Remediation Phase)
  Create access controls: Deploy controls from models to generate permanent incidents,
  assigned automatically to appropriate investigators and tracked as they are accepted,
  rejected, or remediated.
  Prioritize controls: Assign numbers to controls to identify which are most important.
  Consider a company's GRC goals, the regulations it has to follow, areas of high risk to
  its business, areas on which previous audits have dinged the company, and so on.
  Prioritization can be used to run focused conflict analysis, sorting, views, and reporting.
  Assign perspective values: For each control, one set of perspective values applies to
  the control itself. The control inherits these values from the model on which it is based,
  although a user may add to the inherited values while creating the control. A second set
  of perspective values characterizes and secures incidents the control generates; these
  values are selected as the control is created.


AACG Setup Flow

Manage Access Approvals


  Engage preventive analysis
  Configure notifications.
Note: All these steps are optional.

Manage Access Approvals
For an initial period after installation, a site may wish to run AACG with the Access Approvals
feature turned off, so that incidents that existed prior to the installation of AACG can be
cleaned up before new incidents are addressed. (Moreover, Manage Access Approvals is
typically run in a production instance, but not in a test instance.) Thus, it is possible to turn
Manage Access Approvals off and on. You would do so in each Oracle E-Business Suite or
PeopleSoft instance that is to be subject to analysis by AACG.


Quiz

AACG works across heterogeneous platforms to detect and
prevent undesired user access:
a. True
b. False

Answer: a


Quiz

AACG and Enterprise Governance, Risk and Compliance
Manager (EGRCM) form Enterprise Governance, Risk and
Compliance Controls (EGRC); together, they run as a
Continuous Controls Monitoring (CCM) module in the GRC
platform.
a. True
b. False

Answer: b


Quiz

As you set up AACG, you will use software tools specific to it as
well as software tools common to it and other GRC applications
a. True
b. False

Answer: a


Summary

In this lesson, you should have learned how to:
  Identify AACG implementation considerations
  Understand overall setup steps for AACG
  Identify required steps and optional setup features and
  business functions

AACG Configuration Planning and Installation

Objectives

After completing this lesson, you should be able to:
  Define Data Sources
  Evaluate ETL Synchronization
  Define Notification Schedules


Application Configuration

The Manage Application Configuration page sets parameters
required for Application Access Controls Governor to connect
to its database.
Typically, you would accept parameter values set during
installation, and would use this panel to update the values only
if your configuration needs to change.


Configuration Planning

In the AACG Data Administrator, you create and set up one or
more data sources.
The data sources you set up depend on various factors,
such as:
  Company's current mandates
  Risk tolerances
  Compliance goals

Configuration Planning and Installation
By carefully evaluating your business needs, you can create the necessary datasources so
that when models and controls are loaded or created, they will be able to run against the
appropriate datasources. Considerations include the need to connect to development
instances and test instances, and to analyze data across multiple homogeneous instances
and/or heterogeneous platforms.


Defining Data Sources

By carefully evaluating your business needs, you can create
the necessary data sources so that when access controls are
loaded or created, they will be able to run against the
appropriate data sources.

[Figure labels: AACG; Set Connectivity Properties to Database; Integration with Other Applications; Email Notification to Policy Participants; Language Support.]

You can configure connections between AACG and instances of the business-management
applications subject to its controls, set up AACG to send email notifications to policy
participants, or set properties required for AACG to connect to its database, to display
information in varying languages, or to integrate with other applications (GRCI).


Manage Application Data

You must configure connections to datasources for instances of
the business-management applications (such as Oracle or
PeopleSoft) that are to be subject to control by AACG
  Seeded connectors include Oracle EBS, PeopleSoft and
  Fusion
  Oracle-enabled partners offer other connectors


Run Synchronization

To capture changes made in business-management
applications over time and synchronize their data with the data
used by AACG
  Options to Run Now or Schedule
  Synchronization should be executed anytime changes are
  made to the security access model of the business system
  and before analysis is run
  If your organization commonly makes changes to Oracle
  menu structures, or creates and changes responsibilities
  on a daily basis, then it would also be wise to run the
  datasource synchronization on a daily basis.

To maximize performance and handle cross-platform analysis, application access security
model data is extracted and loaded into GRC to be used in analysis. How often
synchronization is run or scheduled depends on various factors.
In general, any time the access security model of the datasource you are running analysis
against has changed, an Access synchronization should occur before analysis is run. If, for
instance, your organization commonly makes changes to Oracle menu structures, or creates
and changes responsibilities on a daily basis, then it would also be wise to run the Access
synchronization on a daily basis.
If, for another example, your company evaluates incidents on a monthly basis, then it may
only be necessary to run the synchronization process once a month.


Notifications

Notifications are used to:
  Alert users when tasks within GRC require their
  attention when worklists are generated in EGRCM or
  Continuous Controls Management.
  Alert result investigators not only when incidents await
  their review, but also when AACG preventive analysis
  requires approval of a role assignment to a business-
  application user.
  Alert users to pending worklists by sending an email to the
  investigators.

You can set up GRC to alert users when tasks within GRC require their attention when
worklists are generated in EGRC.
EGRC can alert result investigators not only when incidents await their review, but also when
AACG preventive analysis requires approval of a role assignment to a business-application
user. In the latter case, you can also configure EGRC to inform that user of the approval
decision.


Defining Notification Schedules

  Notification schedules determine how often users are
  notified when conflicts are generated.
  For each result investigator, a consolidated email message
  is generated, showing all conflict paths generated for the
  participant, but not yet sent.

Notification schedules determine how often users are notified when incidents are generated.
A consolidated email message is generated for each result investigator, showing all violated
controls for which no prior notification had been sent. Before creating a notification schedule,
consider how often incidents will be generated, and how immediate is the need to review or
fix those incidents.


Notification Configuration
To establish a connection with your SMTP server and set a schedule on which email
messages are sent, click the Notification tab and enter the following values:
Notification Server
  User Name: The user name with which one would log on to the SMTP server. This
  value is required only if access to the SMTP server requires authentication.
  Password: The password with which one would log on to the SMTP server. This value
  is required only if access to the SMTP server requires authentication.
  Confirm Password: The SMTP server password entered in the Password field. This
  value is required only if access to the SMTP server requires authentication.
  Port Number: The port number at which the SMTP server communicates with other
  applications.
  Server Name: The host name for the SMTP server your company uses for sending
  email.
  Sender Email Address: An address that appears in the "From" line of email messages
  generated by the Notification function.


Turning Off a Notification Schedule

  Now users can turn off notifications to Users.
  To deactivate (turn off) the notifications scheduled for
  sending to investigators, go to the Manage Application
  Configuration page > Notification tab.

Enable Notification
Select this check box to activate the sending of worklist alerts to GRC users, or clear it to
inactivate sending them.


Parallel Processing

  We now have parallel processing capabilities
  We can run multiple controls simultaneously by using the
  Map Reduce Option

Select this check box to enable EGRC to process multiple controls simultaneously. However,
use of this feature requires, at a minimum, 16 GB of RAM; 24 to 256 GB is preferred.
When you select the Enable Parallel Processing check box, two fields appear. In a Number of
Cores Available for Processing field, enter the number of processor cores you wish to devote
to parallel processing;
EGRC devotes one core to each control selected for analysis, until as many cores as you
select are in use. In a Maximum Megabytes of Physical RAM Available field, specify an
amount of memory for use in parallel processing. As a rule of thumb, enter total RAM minus 8
GB; you may need to adjust this value if other processes run slowly.


Quiz

AACG runs on its own database schema:
a. True
b. False

Answer: a


Quiz

Perspectives are assigned to only:
a. Data Role
b. Duty Role
c. Job Role
d. Job/Duty Role

Answer: a


Summary

In this lesson, you should have learned how to:
  Define Data Sources
  Evaluate ETL Synchronization
  Define Notification Schedules


AACG Models and Control Planning and Setup

Objectives

After completing this lesson, you should be able to:
  Define and use Models
  Analyze Models
  Define Conditions
  Define Global Conditions
  Define and use Controls


Planning Overview

- You may decide to load the best-practice SOD library.
- By doing so, you will have a number of entitlements and controls to be reviewed with appropriate business owners, and compared against the company's goals for Governance, Risk, and Compliance.
- It may be necessary to inactivate or edit controls and entitlements, or add new ones.

[Diagram: Load SOD library > Review Access Entitlements > Edit Controls > Add Entitlements]


Models & Controls Overview

- Models are proposed controls designed to run against the datasource to test, temporarily, whether results/incidents are generated as the control designer expects.
- Once a Model has been tested and found to produce the expected results, it is upgraded into a Control, which gives permanent results/incidents.
- It may be necessary to edit or delete models if they are found to produce unexpected results.
- However, once created, Controls can be edited but cannot be deleted.


Models & Controls Workflow

1. Identify GRC goals of the company.
2. Load the best-practice SOD library.
3. Hold workshops with subject matter experts (SMEs) to review access models.
4. Create and edit Models and Entitlements as needed.
5. Analyze model results with SMEs.
6. Carry out initial remediation where possible.
7. Prioritize Controls.
8. Assign Control types.
9. Assign perspectives to secure and categorize Controls.
10. Assign Control Investigators.

There are several ways to approach defining models and deploying controls. A common approach is outlined in the following steps:

1. Identify GRC goals of the company.
2. Load the best-practice SOD library.
3. Hold workshops with subject matter experts (SMEs) to review models.
4. Create and edit models and entitlements as needed.
5. Analyze model results with SMEs.
6. Carry out initial remediation where possible.
7. Create and prioritize controls.
8. Assign Control types.
9. Assign perspectives to secure and categorize controls.
10. Assign result investigators.


Creating/Importing Access Models

- Auditors will have a starting point for doing some of their own analysis, without disturbing your controls or incidents.
- Import the Access Content as Models/Templates.
- Models can be secured by perspectives. To access models, users must have data roles associated with perspective values that match the values assigned to the models.
- Control logic cannot be modified. Therefore, reviewing the model logic for relevance is your chance to make any necessary changes.

Models can be viewed and updated only by users with appropriate access, based on data roles. As you import the best-practice SOD library during an implementation, models are assigned values for three system perspectives: Business Objects, Data-sources, and CCM Type (for which the value is Access). To access models, a user must have a data role with at minimum those three system perspectives assigned.

Another option is to import the content as templates. Templates can be viewed by anyone. If you go this route, users will need to create models from templates.

Models can be secured by perspectives provided you have associated a perspective hierarchy to the Model object via Setup and Administration -> Manage Module Perspectives. To access models, users must have data roles associated with perspective values that match the values assigned to the models.

Control logic cannot be modified. Therefore, reviewing the model logic for relevance is your chance to make any necessary changes.


Access Points

Each control specifies access points to a company's business management applications that should not be assigned simultaneously to individual users.

In Oracle E-Business Suite, access points include:
- Roles, Responsibilities
- Menus, Functions, Grants, and Concurrent Programs

In PeopleSoft, access points include:
- Roles, Permission Lists
- Panel Group Components
- Menus, and Page Definitions

In Fusion, access points include:
- Roles
- Permissions and Privileges

An access control defines conflicts among a selection of access points to an organization's systems. In broad terms, an access point is an object in a business management application which, when made available to a user, enables that user to do something.

Access points may be gathered into entitlements, and AACG policies may use entitlements in place of, or in addition to, access points.

Best-practice libraries for Fusion, PeopleSoft and E-Business Suite provide access controls that support rapid segregation-of-duties implementation around common end-to-end business processes. These include Order to Cash, Procure to Pay, Financials, and Human Resources.


E Business Suite Access & SOD Challenges

[Diagram: E-Business Suite access hierarchy: User > Role > Responsibility > Menu > Sub-Menu > Form Function]

Evaluate User Access
- Test by Responsibility and User
- Test by Function

Manage Segregation of Duties
- Identify incompatible Privileges (i.e. Function)


PeopleSoft Authorization Model

[Diagram: PeopleSoft access hierarchy: User Profile > Role > Permission List > Menu > Component > Page]

Evaluate User Access
- Test by User Profile
- Test by Page

Manage Segregation of Duties
- Identify incompatible Privileges (i.e. Pages)


Fusion Authorization Model

[Diagram: Fusion access hierarchy: User > Role > Privileges > Permission]

Evaluate User Access
- Test by Roles
- Test by Page

Manage Segregation of Duties
- Identify incompatible Roles and Privileges

In Oracle Fusion, access points include roles, privileges, and permissions. (AACG can recognize access points in Fusion only if a "connector" for Fusion Applications is installed.)




Manage Entitlements

- If you decided to load the best-practice SOD library, you will have a number of entitlements that already group together common access points, labeled by appropriate business terminology.
- At this point, you should have a good idea of the GRC goals of the company and know what areas of the business should be focused on.

Reviewing each entitlement and its access points is necessary to ensure that the loaded entitlements fully cover the known ways that users may access functionality. It may be easier to first identify models to delete, and then focus on the entitlements within the remaining models for completeness.


Access Model Example

Provide fine-grained access control and segregation of duties.

Process: Procure to Pay
Risk: Financial Fraud
Access Control: Create Payment & Create Suppliers

Entitlement: Create Payment

| Element | Description |
|---|---|
| Payment Action | AP_APXPAWKB_CHECK_ACTIONS |
| Payment Batch Sets | AP_APXPBSET |
| Payments | AP_APXPAWKB |
| Payments Invoice | AP_APXINWKB_INVOICES |

Entitlement: Create Suppliers

Elements: Enter Suppliers, Suppliers, Vendors, Merge Suppliers
Descriptions: APXVDMVD, PN_APXVDMVD, AP_APXVDMVD, AP_APXVDDUP


Access Model Creation

To create a model, the user provides:

- Model Name
- Model Objects
- Select Datasources
- Model Logic

To create a model, the user needs to provide the following:

1. Model Name

2. Select Datasources
Before a business object can supply access points, entitlements, or other data to a model, it must be associated with at least one datasource. As the model is evaluated, a filter citing that business object will analyze data from the associated datasource.

3. Select Business Objects
A business object corresponds to one or more database tables (existing in one or more datasources) that hold information pertinent to user access.
Select one or more:
- Add the Access Point business object to your model if you intend to create a filter that specifies an access point (and returns users who have been assigned that access point).
- Add the Access Entitlement business object to your model if you intend to create a filter that specifies an entitlement (and returns users who have been assigned any access point included in that entitlement).
- Select among three other business objects (EBS Access Condition, PeopleSoft Access Condition, and Fusion Access Condition) if you intend to create a condition filter (which defines exemptions from analysis by a model).
- Each of these business objects supports a type of datasource (EBS, PeopleSoft, or Fusion), and is available only if a datasource of its type has been set up and synchronized in the Manage Application Datasources page.

4. Model Logic

Creating an Access Point or Entitlement Filter
Create an access point filter (one that specifies an access point, and returns users who have been assigned that access point) or an entitlement filter (one that specifies an entitlement, and returns users who have been assigned any access point included in that entitlement).

Creating a Condition Filter
- To create a condition that excludes an item
- To create a condition that requires the model to find conflicts for access points assigned only within instances of an item type

Creating Group Filter
- You can incorporate filters into groups: select those you want to include and click on the Group Filters button (or on Actions > Group Filters). Once you have placed filters in a group, you cannot remove them from the group.


Model Analysis Flow


View Model Results

- Begin initial analysis by reviewing model results.
- Determine if the model is defined as intended.
- Modify the model as needed, adding additional filters, global conditions, etc.
- Analyze results online, with Visualization, or extract to Excel.

View Results Online

Viewing the model results online is a first step to verifying that your model definition is what you intended and to get a glimpse of conflicts that violate that model.


Visualization

In addition to the online view and extracts, a visualization feature provides a graphic hierarchy of the access paths causing conflicts. It enables you to analyze more easily the sometimes long and hard-to-read conflict paths.


Initial Remediation

Use a Pivot to summarize and easily see Intra-Role conflicts or obvious menus that need to be removed.

If permanent incidents do not need to be tracked in AACG, you can use your standard corporate tracking system to request these menus to be remediated before a control is ever created. However, if you would like to track that this incident occurred, including any comments on your remediation action, then you will want to first create a control before doing any cleanup so that these incidents are tracked within AACG.


Define Conditions

- Conditions help eliminate false positives and create focused conflict-analysis runs.
- Conditions are specific to the application data source and most likely will be tweaked throughout the remediation process to help focus on different areas as the clean-up process occurs.

[Diagram: Company determines what conditions are set and at what level for conflict analysis: Global? Path? Control?]

What does your company want to consider, or exclude, in its analysis for SOD violations? This determines what conditions should be set and at what level (global, control, or path). For instance, certain users (like developers) may cause hundreds of incidents in a development instance that they would not cause in a production instance. You may want to exclude these users from analysis at certain points of the evaluation.


Define Conditions

Specify users or other objects, such as companies in PeopleSoft or operating units in Oracle EBS, that are exempt from the Control.

- Model Level Condition
- Access Global Condition
- Access Path Condition

Model Level Condition: A condition applies to a specific model when the user creates the model.

Access Global Condition: This sets limits on the conflicts identified by all access models or controls evaluated on a given datasource.

Access Path Condition: A path condition excludes one access point from another, such as an Oracle function from a menu or a responsibility. A path including those points would be excluded from incident generation. For example, an access control might set functions f1 and f2 in conflict. If a path condition excludes f1 from responsibility r1, and a user has access to both functions, then no incident would be generated if the user's access to f1 comes from r1.


Access Global Conditions

Click Create Access Global Condition from the Continuous Control Management tasks.

A global condition typically specifies users or other items (such as companies in PeopleSoft or operating units in Oracle EBS) that are excluded from analysis by a model or control, or it specifies a type of item (operating unit, for example) and requires the model or control to return results only when access points conflict within individual instances of that item type.

The process of creating a global condition is essentially like creating an access model that contains only condition filters. As you create filters for a global condition, however, AACG places them horizontally to one another, indicating an OR relationship: the condition produces results if any (or any combination) of its filters evaluates to true. You cannot arrange condition filters to create AND relationships. Moreover, each global condition applies to a single datasource.


Recommended Global Condition

For EBS Implementation:

| Condition | Value | Business Reason |
|---|---|---|
| Submenu grant Flag | N | Submenu has not been actually granted for the system |
| Query Only | QUERY_ONLY | You cannot transact in that form |
| Menu Function grant flag | N | Function has not been granted for that menu |
| Responsibility End Date | Fixed Date or relative Date | Inactive responsibility |
| User End Date | | Inactive users |
| User Responsibility Assignment End Date | | Inactive responsibility for a given user |

Common Global-Condition Settings for Oracle EBS

Submenu Grant Flag: N
Do not apply policies to menus (and functions available from them) for which the grant flag is not selected on parent menus. (If the grant flag is not selected, the submenu belongs to the parent menu but does not appear on it and cannot be selected.)

Query Only: QUERY_ONLY
Exempt functions available from menus that provide query-only access; enforce the access policy for other menus that provide write access to the same functions.

Function Grant Flag: N
Do not apply access policies to functions for which the grant flag is not selected on menus. (If not, the function belongs to the menu but does not appear on it and cannot be selected.)

Responsibility End Date: Inactive
Users do not have access to menus and functions within responsibilities that have been end-dated, so there is no reason to include these in conflict analysis.


Recommended Global Condition

For PeopleSoft:

| Condition | Value | Business Reason |
|---|---|---|
| Display Only | 1 | Display Only is set at the page permission level. |
| Hidden | 1 | Do not apply controls to pages that have been set up as hidden, as users cannot actually transact in these pages. |

For Fusion:

| Condition | Value | Business Reason |
|---|---|---|
| User Status | Active | Do not apply controls to users that are inactive. |

Common Global-Condition Settings for PeopleSoft

Display Only: 1
Display Only is set at the page permission level. Page permissions can be different depending on the Permission List > Menu > Component hierarchy they are used in. Do not apply controls to pages that are display only, as users cannot actually transact in these pages.

Hidden: 1
Do not apply controls to pages that have been set up as hidden, as users cannot actually transact in these pages. Hidden pages are work pages that are associated with derived or work records and are often used in work groups. You can store all of your work field controls there. Create these pages when you want calculations to be performed in the background by PeopleCode that the user does not need to see.

Common Global-Condition Settings for Oracle Fusion

User Status: Active
Do not apply controls to users that are inactive.


Access Path Condition

Select Manage Access Path Conditions, among the Continuous Control Management tasks available in the Navigator.

A path condition excludes one access point from another, such as an Oracle function from a menu or a responsibility. A path including those points would be excluded from incident generation. For example, an access control might set functions f1 and f2 in conflict. If a path condition excludes f1 from responsibility r1, and a user has access to both functions, then no incident would be generated if the user's access to f1 comes from r1.

To view the history of changes to path conditions, click on the row for a condition in the upper portion of the page. Change history appears in the lower portion, one row displaying the settings for each version of the condition up to, but not including, the current version.
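The path-condition rule and the OR-ed global-condition filters described above, worked through in Python. This is an added example, not Oracle's code and not how AACG is implemented: the `AccessPath` model, the function names, the users and the responsibilities are constructed for illustration, and only the access-point identifiers come from the Procure to Pay example.

```python
from dataclasses import dataclass
from datetime import date
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class AccessPath:
    """One route from a user to a function (simplified, constructed model)."""
    user: str
    responsibility: str
    function: str
    function_grant_flag: str = "Y"              # "N": function not granted on its menu
    query_only: bool = False                    # True: the menu gives query-only access
    assignment_end_date: Optional[date] = None  # user's responsibility assignment ended


AS_OF = date(2015, 9, 1)  # constructed evaluation date

# Global condition for one datasource. Its filters are OR-ed: a path that
# matches any single filter is exempt from analysis.
GLOBAL_FILTERS = (
    lambda p: p.function_grant_flag == "N",
    lambda p: p.query_only,
    lambda p: p.assignment_end_date is not None and p.assignment_end_date <= AS_OF,
)

# Path condition: exclude a function from a responsibility (f1 from r1 in the
# text). AP_SUPPORT is a hypothetical responsibility name.
PATH_CONDITIONS = frozenset({("AP_APXPAWKB", "AP_SUPPORT")})

# The two conflicting entitlements, each a subset of the access points listed
# in the Procure to Pay example.
CREATE_PAYMENT = frozenset({"AP_APXPAWKB", "AP_APXPBSET"})
CREATE_SUPPLIERS = frozenset({"AP_APXVDMVD", "AP_APXVDDUP"})


def surviving_paths(paths, global_filters=(), path_conditions=frozenset()):
    """Return the paths left after global and path conditions are applied."""
    return [
        p for p in paths
        if not any(f(p) for f in global_filters)
        and (p.function, p.responsibility) not in path_conditions
    ]


def find_incidents(paths, ent_a, ent_b, global_filters=(), path_conditions=frozenset()):
    """Map each conflicting user to a list of (path_a, path_b, kind) tuples.

    A user conflicts when surviving paths reach any access point of ent_a and
    any access point of ent_b. kind is "intra-role" when both paths run through
    the same responsibility, otherwise "inter-role".
    """
    by_user = {}
    for p in surviving_paths(paths, global_filters, path_conditions):
        by_user.setdefault(p.user, []).append(p)
    incidents = {}
    for user, user_paths in by_user.items():
        side_a = [p for p in user_paths if p.function in ent_a]
        side_b = [p for p in user_paths if p.function in ent_b]
        pairs = [
            (a, b, "intra-role" if a.responsibility == b.responsibility else "inter-role")
            for a, b in product(side_a, side_b)
        ]
        if pairs:
            incidents[user] = pairs
    return incidents


# Constructed sample assignments; users and responsibilities are hypothetical.
PATHS = [
    AccessPath("alice", "PAYABLES_MANAGER", "AP_APXPAWKB"),
    AccessPath("alice", "PAYABLES_MANAGER", "AP_APXVDMVD"),
    AccessPath("bob", "PAYMENTS_CLERK", "AP_APXPBSET"),
    AccessPath("bob", "SUPPLIER_ADMIN", "AP_APXVDDUP"),
    AccessPath("carol", "PAYABLES_INQUIRY", "AP_APXPAWKB", query_only=True),
    AccessPath("carol", "SUPPLIER_ADMIN", "AP_APXVDMVD"),
    AccessPath("dave", "AP_SUPPORT", "AP_APXPAWKB"),       # only route is via r1
    AccessPath("dave", "SUPPLIER_ADMIN", "AP_APXVDMVD"),
    AccessPath("erin", "AP_SUPPORT", "AP_APXPAWKB"),       # excluded route...
    AccessPath("erin", "PAYMENTS_CLERK", "AP_APXPAWKB"),   # ...but a second one remains
    AccessPath("erin", "SUPPLIER_ADMIN", "AP_APXVDMVD"),
    AccessPath("frank", "PAYMENTS_CLERK", "AP_APXPBSET",
               assignment_end_date=date(2015, 1, 31)),
    AccessPath("frank", "SUPPLIER_ADMIN", "AP_APXVDDUP"),
]


if __name__ == "__main__":
    found = find_incidents(PATHS, CREATE_PAYMENT, CREATE_SUPPLIERS,
                           GLOBAL_FILTERS, PATH_CONDITIONS)
    for user in sorted(found):
        for a, b, kind in found[user]:
            print(f"{user}: {a.responsibility}/{a.function} vs "
                  f"{b.responsibility}/{b.function} ({kind})")
```

Without conditions all six sample users are flagged; with them only alice, bob and erin remain, and erin's incident comes from the route that the path condition does not cover.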


Before Deploying a Control

- Set Up Perspectives
- Apply Conditions on Models to filter the incidents to focus on High Risk incidents.

Set Up Perspectives in Preparation for Assigning Result Investigators

At this point, you are just about ready to deploy your models as controls. Before you do, think about who will be involved in the investigation process when incidents are generated. You may need to perform some additional perspective configuration, so that you can assign perspective values to the controls you create, and so direct the incidents they generate to users whose roles specify matching perspective values.

Defining Conditions

Conditions help eliminate false positives and create focused analysis runs. Conditions are specific to the application datasource and most likely will be tweaked throughout the remediation process to help focus on different areas as the clean-up process occurs.


Continuous Access Controls

A continuous access control defines risk and generates incidents (records of access-point assignments that exceed the defined risk).

Defining a Continuous Access Control involves:
- Naming and Describing Control
- Setting Priority, Status, and Enforcement Type
- Selecting Datasource
- Selecting Perspective Values and Result Investigators
- Writing Comments


Assign Priorities

- Prioritization can be used to run focused conflict analysis, sorting, views and reporting.
- Consider company GRC goals, regulations, risk areas, audit findings.

In the Priority field, enter a value that expresses the importance of the controls you are creating in relation to others. The value must be a number. (Your company should establish a set of priority values and enforce consistent usage.)


Assign Enforcement Type

- A Monitor Control permits access to conflicting access points.
- An Approval Required Control allows a user to work at conflicting access points only upon approval by a reviewer designated by the Control.
- A Prevent Control should deny access to conflicting access points.

Three types of enforcement are: Prevent, Monitor, and Approval Required.

Note: If users are assigned roles after these access controls are activated, the assignments are denied if they violate Prevent controls, permitted if they violate Monitor controls, or suspended pending approval if they violate Approval Required controls.


Assign Perspectives

- As you create controls or entitlements, you can assign perspective values to them.
- By assigning perspective values to your Controls, you will have different ways to view the conflicts that are generated.
- This will help you to focus on areas of concern during remediation.


Quiz

Continuous Access Controls cannot be created without models:

a. True
b. False

Answer: a, c


Quiz

Controls cannot be deleted or modified from the system:

a. True
b. False

Answer: a


Summary

In this lesson, you should have learned how to:

- Define and use Models
- Analyze Models
- Define Conditions
- Define Global Conditions
- Define and use Controls



Remediation

Objectives

After completing this lesson, you should be able to:

- Define remediation
- Understand remediation considerations and Checklist
- Identify AACG remediation steps
- Use the incident reports
- Run conflict reports
- Use simulation
- Set up an iterative clean-up process

Analysis and Remediation Checklist
Application Access Controls Governor Remediation Steps
Run Analysis
Focus on Areas with the Highest Risk, Priority, and Volume
Review Intra-Role Incidents
Review Inter-Role Incidents
Use Various On-Line Views to Analyze Incidents
Use Various Reports and Extracts to Analyze Incidents
Assign Incidents to Business Owners
Run Simulation
Utilize Corporate Change-Tracking Process
Make Changes in the Underlying System
Re-evaluate


Remediation

Remediation is the act of cleaning up your application to reduce or eliminate segregation of
duties conflicts defined by controls. Segregation of duties means simply that each user should
not be assigned access points that controls define as conflicting. Segregation of duties is
different for every company (although there may be similarities), so you may need to adjust
this common approach based on your company's goals for Governance, Risk and
Compliance.


Application Access Controls Governor
Remediation Steps
Figure: flowchart of the remediation steps. Run Conflicts Analysis for All Controls; Focus on
Areas with Highest Risk, Priority and Volume; Review Intra-Role Conflicts; Review Inter-Role
Conflicts; Use Various On-line Views to Analyze Conflicts; Use Various Reports and Extracts to
Analyze Conflicts; Manage Perspectives, Investigators, Priorities and Status; Run Simulation;
Utilize Corporate Change Tracking Process; Make Changes in the Underlying System;
Re-evaluate.

Remediation Checklist
Conflict analysis and clean-up is an iterative process, and although there are various ways to
approach remediation, we've outlined a common approach utilizing components of
Application Access Controls Governor.
1. Run analysis.
Loading all best practice SOD content and running analysis will provide a quick view of
your company's overall SOD health and provide a basis for beginning analysis and
prioritization.
2. Focus on areas with the highest risk, priority, and volume.
Depending on your GRC goals, determine areas to begin analyzing: any category of
information on which you want to base your remediation efforts (perhaps business
process, or control, or any other category that produces a large number of incidents).


Remediation Steps

Run Analysis
Focus on areas with the highest risk, priority, and volume
Review Intra-role and Inter-role incidents
Use various on-line views & Reports to analyze incidents
Manage Perspectives, Investigators, Priorities and Status



Remediation Checklist

Run Simulation
Utilize corporate change-tracking process
Make changes in the underlying system
Re-evaluate

1. Run simulation.
Before actually making changes in the underlying system, you may wish to run the
AACG Simulation feature to answer the "what would happen if" questions that come up
during analysis.
2. Utilize corporate change-tracking process.
Remediation involves making changes in the system being analyzed. For instance, in
Oracle E-Business Suite, a menu structure or responsibility may need to be changed.
These changes generally first need to happen in a development instance, most likely
next in a test instance, and finally in a production instance. It is important to have a
change-tracking process to ensure the changes are made from system to system.
Simulation has a Remediation Plan report that can be given to the system administrator
responsible for making changes to the access security model.
3. Make changes in the underlying system.
Using the change-tracking process, request and make changes in the underlying
system. For instance, in an Oracle E-Business Suite environment, you may remove a
function from a menu that causes conflicts. During this process, the access security
model may change, or compensating controls may be put in place. In either case, the
result should produce fewer incidents on the next run.



Run Analysis

First Run Access Models and do initial clean up
Deploy Models as Access Controls and categorize and prioritize controls
Running the controls for conflict analysis will provide a quick
view of your company's overall SOD health and provide a
basis for beginning analysis and prioritization.

If you followed the model analysis section as recommended, you will have loaded the content
as models, reviewed and updated the entitlement and model definitions to ensure they are
applicable to your company, and you may have even done some initial clean up. At this point,
you should have deleted models that do not make sense for your company and deployed
those models that do make sense as controls.
When deploying the models as controls, based on the subject matter expert workshops and
close interaction with the control investigators who know and understand the control and
risk, you should have been able to add a priority and any perspectives that will help you
categorize and prioritize controls.
You are now ready to run an analysis. Your company's goals will determine your next steps. If
you already know, for instance, that the procure to pay controls are your highest priority (and if
you have created a Business Process perspective with a Procure to Pay value), you may
choose to run analysis only on controls with that perspective value. If you aren't sure where to
focus your efforts first, you may want to run analysis for all controls so that you can see where
the greatest volume is by priority or business process, for instance. This may help give you
the direction you need to select a focus area to begin remediation on.


Focus on Areas with the Highest Risk, Priority,
and Volume
A focus area is any category of information on which you want
to base your remediation efforts (perhaps business process,
or control, or any other category that produces incidents).
Control Detail Extract Report
Visualization of access conflict paths
Create Filtered views on controls for high volume incidents
generated during initial analysis run

Depending on your company's GRC goals, determine focus areas to begin analyzing. (A
focus area is any category of information on which you want to base your remediation
efforts, perhaps business process, or control, or any other category that produces a large
number of incidents.)
Use the Control Detail Extract Report to create pivots, filter and summarize data in a
variety of ways to determine your focus area.
In addition to the graphs and extracts, a visualization feature provides a visual hierarchy
of the access paths causing conflicts to more easily analyze the sometimes long and
hard-to-read conflict paths.
If an initial analysis run returned a high volume of incidents, you should not only decide on a
focus area, but also create some filtered views that include only those controls you want to
focus on. (For example, if you choose to focus on the priority one, procure to pay business
area, filter on that priority and business area, then create a view.) This will make it easy to
quickly select the records you are analyzing and working to remediate.


Intra-Role Incidents

Intra-Role Conflicts are caused when access points within
the same role conflict.
Clean these up first, as the role has been incorrectly set up
if it contains access points that conflict with each other.
When you start by eliminating intra-role conflicts, you may
also clean up several inter-role conflicts.

Intra-Role Incidents are caused when access points within the same role conflict. Clean these
up first, as the role has been incorrectly set up if it contains access points that conflict with
each other. When you start by eliminating intra-role incidents, you may also clean up several
inter-role incidents.
1. View Intra-Role Violations by Control Report found in the Report Management task. This
gives a high-level view of roles that have conflicting access points within themselves.
You may want to focus on controls you have rated as the highest priority.
2. View Access Violations within a Single Role (Intra-Role) Report. For a given role that
has conflicting access points within itself, this shows the controls that are violated and
their details including the users and access points with incidents.
First, use the Intra-Role Violations by Control Report to determine your highest priority
controls with intra-role conflicts. Then run this report and focus on cleaning up the roles
related to those high-risk controls first.



A role may be expected to incorporate conflicts. For example, a Purchasing Super User
role may incorporate all purchasing functions, including some that conflict, such as the
ability to create a purchase order and approve it. Such a role would be assigned
sparingly, but might nevertheless be necessary for high-level managers to do their jobs.
As a result, AACG permits the creation of a sensitive access control (one that sets a
responsibility or role in conflict with itself) because it provides so much authority that any
user should require approval before being granted access to it.
In most cases, however, a role should not contain access points that conflict with one
another. The Access Violations within a Single Role (Intra-Role) report identifies such
roles so that conflicts may be removed from them.
3. Within the Manage Incident Results panel, analyze using visualization and various
searches to determine when conflicting access points for one role have been violated.
4. Determine how to remediate.
These reports, along with online analysis, will help to give context to what access an
individual role has, along with the users that have those roles. It is up to the business to
decide how to remediate those incidents. Generally, the conflicting access points within
an individual role should be separated out. One of the conflicting access points may
already exist in another applicable role, or potentially a new role will need to be created
so that the intra-role conflict can be cleaned up.
5. Simulate.
Before actually making any changes in your business system, you may want to simulate
what would happen if you were to make the change. Navigate to Simulation and exclude
an access point to see how your action would impact your conflicts, roles, controls and
users.
6. Remediate.
Following your company change-tracking process, request that the change be made in
your business system. For instance, if you decided to remove the Oracle Enter Journals
function from the GL_SU_JOURNAL menu, you would need to follow your company
process to request this change. Most likely the change would be made in a development
instance, possibly then a test instance, and finally the production instance.
7. Repeat. Remediation is an iterative process. Continue to focus on high-priority, high-risk,
and high-volume areas to clean up your business system.


Intra-Role Example

Figure: Responsibility: Financial Management-General Ledger, with the functions Payments
and Suppliers. Same responsibility has two conflicting functions (intra-role).

In this example, Responsibility: Financial Management-General Ledger has two functions
(Payments and Suppliers) that are conflicting.


Inter-Role Incidents

Inter-role conflicts can be approached in a similar manner.
Inter-role conflicts occur when access points conflict with
each other across roles for a single user.

Figure: the roles Payables Super User (Process Operations) and Assets Super User (Process
Operations), with the access points Suppliers and Payment Batches.

Inter-role incidents occur when access points conflict with each other across roles for a single
user.
Inter-role incident Management Process:
1. View Users with Access Violations by Control report. This is a high-level listing of users
that violate controls.
2. View Access Violations by User report. This lists the top 10 users with incidents across
roles, as well as details for every user that has violated a control, the roles and access
points that cause the violation.
First, use the Users with Access Violations by Control Report to determine your highest
priority controls with inter-role conflicts. Then run this report for those controls. By doing
so, you will get a list of users that have violated those controls, and will be able to
quickly see who has access to more than one role causing conflicts.
3. Within the Manage Incident panel, analyze using visualization and various filters to
determine when one user has conflicting access points that span across roles.


4. Determine how to remediate.
These reports, along with online analysis, will help to give context to what conflicting
access an individual user has. It is up to the business to decide how to remediate those
incidents. Generally, role access may need to be removed from a user, or restructuring
of a menu related to a role may need to be considered where there are conflicting access
points.
5. Simulate.
Before actually making any changes in your business system, you may want to simulate
what would happen if you were to make the change. Navigate to Simulation and exclude
an access point to see how your action would impact your conflicts, roles, controls and
users.
6. Remediate.
Following your company change-tracking process, request that the change be made in
your business system. For instance, if you decided to revoke a role assignment for a
user, be sure to let that user know your plans and be sure this change actually makes it
to the production system.
7. Repeat.
Remediation is an iterative process. Continue to focus on high-priority, high-risk, and
high-volume areas to clean up your business system.


On-Line Views to Analyze Incidents

Manage Controls panel
view pending incidents by control
categorize your controls
Manage Incident Results panel
Assign status to incidents
Visualization
graphical representation of the incidents - conflict paths
Helps focus on what needs to be remediated
Identify inter- and intra-role incidents

In the Manage Controls panel, view pending incidents by control, and filter records by various
columns including priority, risk, business process and any other perspectives you may have
identified to help secure and categorize your controls.
In the Manage Incident Results panel, view pending incidents in the Control Summary view
and drill into any control for a filtered list of related incidents. Focus on incidents tied to
specific priorities, risks, or business processes by setting and saving searches to help
manage and analyze records.
Try using the visualization feature to view conflict paths in a graphical format and easily
identify inter- and intra-role incidents.
Assign status to incidents: The Manage Incident Results grid has functionality to set statuses
on each incident. For instance, if a control has been set with the Approval Required
enforcement type, the incidents it generates can be accepted or set to remediate in the
Manage Incident Results grid. This can be done individually or several at a time. By setting
the status here, you can return to the Manage Incident Results grid later to review incidents
set to remediate status, or you can run reports for incidents in the remediate status and
determine how to clean up your business system. When incidents are remediated in the
business system (i.e. a function causing a conflict is removed from a menu), the next time ETL
and analysis is run, the status for those incidents that have been cleaned up will automatically
be set to a closed status.


Typically, a single investigator would be assigned all the incidents by which a user's role
assignments violate a control, so that the user's access can be addressed in a coherent way.
However, for enhanced flexibility, investigators may be assigned to individual incidents if
desired.
During initial remediation, instead of setting statuses for every incident, you will want to use
your corporate change-tracking system to remediate changes in the business system and
rerun analysis often. During this iterative process, incidents will begin to dwindle without your
having to set a status for each and every incident (for instance, you may be focusing on cleaning
up the Purchasing Clerk responsibility, but by removing the Create Supplier function from that
responsibility, you will affect many users and many incidents will automatically be closed the
next time ETL and analysis is run).


Visualization
Figure: Visualization view, with the label "Select Rows".


Reports and Extracts to Analyze Incidents

Running a seeded conflict report or extract is another way
to analyze conflicts and help with remediation.
A few reports are commonly used to help analyze conflicts:

Figure: Incident by Control Summary Report; Access Incident Details Report; Access Point Report.

Running a seeded report or extract is another way to analyze incidents and help with
remediation. In addition to the reports already mentioned, below are additional reports
commonly used to help analyze incidents:
Incident by Control Summary Extract Report
Use this to get a summary of pending incidents for each control. See the last time the
control was run, any comments associated and use as a general summary level report
to help determine where to focus your remediation on.



Access Incident Details Extract Report
The ability to extract data from the Manage Incident Results screen is for using pivots
and filters to slice and dice data in a variety of ways. Generally, you start with graphs
and other summary reports to understand where you should focus. Once you've
determined the area on which you want to focus for remediation (i.e., controls, roles,
risks, business areas, users or a combination of these), go to the Manage Incident
Results screen and enter your filter to view the data to extract. Then select Access
Incident Details Extract Report from the drop down and click extract.
Once you have the data in Excel or a similar application, slice and dice the data to view
conflicts in a way that will help you with the remediation process. For instance, creating
a quick pivot table in Excel is a great way to see where your conflicts are and what
paths are causing the incidents.
Access Point Report
This report can be used to get conflict path information, which will help lead to access
model hierarchies that need to be cleaned up in the system. For instance, if you find that
the Access Violations within a Single Role report identifies the Vendors and Payment
Actions functions as conflicting access points, you can use the Access Point Report to
find the access paths those functions are used in.


Assign Incidents to Business Owners

When a control is created, a first-to-act user is assigned
to it. When it generates conflicts, their paths are assigned
to this result investigator.
It may be appropriate to reassign conflict paths to a
business owner who is more directly interested in the
conflict. When that person logs on, he or she may view the
worklist to work on the assigned conflicts.

When a control is violated, all eligible users are able to access the incidents it generates.
(Again, users are eligible if their data roles are associated with perspective values that match
values assigned to the control.) In addition, a worklist is sent to each eligible result
investigator. It may be appropriate to reassign incidents to a business owner who is more
directly interested in the incidents. When that person logs on to the Manage Incident Results
screen, she will automatically be viewing all the incidents assigned to her.


Incident States

Initially, incidents appear as Assigned status. You can update
an Assigned incident to any of the following statuses:
Accepted
Remediate
Resolved
GRC may set other statuses: Authorized, Control Inactive,
Closed
An incident has not only status, but also one of three states: In
Investigation, Approved, or Closed.

Initially, incidents appear in the Manage Results home page at an Assigned status, which
means that you (potentially along with others) have been designated to address them. You
can update an Assigned incident to any of the following statuses:
Accepted, which means you have determined that nothing need be done to resolve the
incident.
Remediate, which means you have decided that some action must be taken in the
business-management application to resolve the incident.
Resolved, which means you have confirmed that the remedial action has been carried
out in the business-management application.
GRC may set other statuses:
Authorized is given to incidents that result from preventive analysis: If a control violation
causes the assignment of a role to a user to be suspended, a result investigator then
approves the assignment, and the control is subsequently run, incidents related to the
assignment receive Authorized status.
Control Inactive means that an incident is no longer of concern because the control that
generated it has been inactivated.
Closed indicates that because an incident has been resolved in the business-
management application, a subsequent evaluation of controls finds that the incident
need no longer be addressed.



An incident has not only status, but also one of three states: In Investigation, Approved, or
Closed. A user cannot directly set the state of an incident. He can change its status, then
either save or submit it, and GRC assigns a state as a result of these actions. A submission
can cause a state change; a save cannot.
In general, if the status of an incident is Assigned or Remediate, its state is In Investigation; if
its status is Accepted or Resolved, its state is Approved. However, because of the distinction
between saving and submitting a status change, this is not always true. For example, an
incident may be at the Remediate status and In Investigation state; a user may update status
from Remediate to Resolved; if he saves, rather than submits, the change, the incident
remains at the In Investigation state. Or, a Resolved (and Approved) incident may be
reopened, its status changed to Remediate. If it is submitted, its state changes to In
Investigation; if it is saved, its state remains Approved.
If the status of an incident is Authorized, its state is Approved; if its status is Closed or Control
Inactive, its state is Closed.
State matters in part because the Manage Results page presents pending incidents by
default, other pages show counts of pending results, and pending incident results are defined
as those at the In Investigation state. (State matters also because each user's access is
determined by his data roles, which specify states at which he may access data.) To cause
the Manage Results page to display incidents at other states - presuming your data roles give
you access to data at those states.
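The status and state rules above can be modeled in a few lines. The following Python sketch is an added example, not Oracle GRC code: the class, the function names and the `system_set` behaviour (GRC setting the matching state along with a status) are assumptions built from the rules stated in this lesson, and the incident ID is constructed.

```python
from dataclasses import dataclass

# Status -> state pairs exactly as the lesson states them.
STATE_FOR_STATUS = {
    "Assigned": "In Investigation",
    "Remediate": "In Investigation",
    "Accepted": "Approved",
    "Resolved": "Approved",
    "Authorized": "Approved",
    "Control Inactive": "Closed",
    "Closed": "Closed",
}
USER_STATUSES = {"Accepted", "Remediate", "Resolved"}        # set by a user
SYSTEM_STATUSES = {"Authorized", "Control Inactive", "Closed"}  # set by GRC


@dataclass
class Incident:
    incident_id: str
    status: str = "Assigned"
    state: str = "In Investigation"

    def _set_status(self, new_status):
        if new_status not in USER_STATUSES:
            raise ValueError(f"a user cannot set status {new_status!r}")
        self.status = new_status

    def save(self, new_status):
        """Save a status change: the state is left as it was."""
        self._set_status(new_status)

    def submit(self, new_status):
        """Submit a status change: the state follows the new status."""
        self._set_status(new_status)
        self.state = STATE_FOR_STATUS[new_status]

    def system_set(self, new_status):
        """Status assigned by GRC; assumed here to set the matching state."""
        if new_status not in SYSTEM_STATUSES:
            raise ValueError(f"{new_status!r} is not a GRC-set status")
        self.status = new_status
        self.state = STATE_FOR_STATUS[new_status]


def pending(incidents):
    """Pending incidents are those at the In Investigation state."""
    return [i for i in incidents if i.state == "In Investigation"]


def out_of_step(incidents):
    """Incidents whose state differs from the usual state for their status,
    which happens when a status change was saved but never submitted."""
    return [i for i in incidents if i.state != STATE_FOR_STATUS[i.status]]


if __name__ == "__main__":
    inc = Incident("INC-0001")          # constructed ID
    inc.submit("Remediate")
    inc.save("Resolved")                # saved only: still pending
    print(inc, "pending:", inc in pending([inc]))
    inc.submit("Resolved")              # submitted: now Approved
    print(inc, "pending:", inc in pending([inc]))
```

Running `out_of_step` over an extract of incidents is a quick way to find status changes that were saved and then forgotten, which otherwise keep an incident in the pending counts.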


Simulation

Simulation gives you the ability to do what-if analysis to
study the impact of the remediation step in the business
application.
Running simulation will not change anything in your
business application.
You can only use access points that are defined on a
model.

To aid in cleanup, Application Access Controls Governor enables you to simulate graphically
how incident generation would change if configuration of the business-management
application were altered, and to create remediation plans from the simulations. Each step in a
simulation names an access point that might be excluded from another access point (in
Oracle EBS, for example, a function that might be excluded from a responsibility).
A simulation model enables you to select an access point and display its hierarchy, a
diagram showing how the access point connects to all other access points that relate to it as
parents and children. In the diagram, you select parent-child pairs of access points and
then remove each child from its parent. As you do, the simulation feature builds a
remediation plan, essentially listing, as steps, the child access points and the parents from
which they would be removed. Once you are satisfied with your plan, you run statistics to
determine how the removal of the child access points from their parents would impact your
incidents, roles, controls, and users. You can print the remediation plan, or save it to your
computer, in order to refer to it if you choose actually to implement the plan in your
business-management system.

Oracle GRC Controls Suite Fundamentals Ver. 8.6/7.3.3/5.5.1 6 - 22


Simulation Goals

The goal of using simulation is to get an idea of:


What users and roles have access to my modeled access point?
What access paths is my modeled access point involved in?
What conflict paths would I clean up if I remove access point A from access point B?
What user incidents would that impact?
What role incidents would that impact?
What controls would that impact?
What conflict paths would remain that I still need to work on cleaning up?
What other users and roles would I affect, regardless of incidents?
What is the remediation plan I am comfortable with so I can send it to the person in charge
of the business system security model to make the changes?


Simulation Steps

All conflict paths would have to be resolved in order to see a net change in conflict impact.
From the graph, find the PN_NAVIGATE_GUI menu and select it. That node in the graph will
then be bold.
From the graph, find the Financial Management menu as PN_NAVIGATE_GUI's parent and
select it.
The line that joins the two nodes will now be red.
Double-click on the red line and the remediation step will automatically get created under
Remediation Steps.
Save the record.
From the menu, select Run Statistics to see the impact of the simulation.
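The what-if analysis that these steps drive can be sketched as a small graph model. The Python below is an added illustration, not part of the course material or of AACG itself; the hierarchy, users and control are constructed sample data (only the PN_NAVIGATE_GUI and Financial Management menu names come from the steps above). It shows why removing one child from its parent resolves an incident only when no other conflict path remains.

```python
from collections import defaultdict

# Constructed sample model (assumption): (parent, child) links between access
# points. Only the two menu names below appear in the course text.
EDGES = {
    ("AP Manager", "Financial Management"),
    ("AP Manager", "Payments Menu"),
    ("GL Clerk", "Financial Management"),
    ("Payables Clerk", "Pay Invoice"),
    ("Financial Management", "PN_NAVIGATE_GUI"),
    ("PN_NAVIGATE_GUI", "Create Supplier"),
    ("Payments Menu", "Pay Invoice"),
    ("Payments Menu", "Create Supplier"),  # second path to the same function
}
# Constructed users and the top-level access points assigned to them.
USERS = {
    "alice": {"AP Manager"},
    "bob": {"GL Clerk", "Payables Clerk"},
    "carol": {"GL Clerk"},
}
# Constructed control: one user must not reach both of these access points.
CONTROL = ("Create Supplier", "Pay Invoice")


def build_children(edges):
    """Index the model as parent -> set of children."""
    children = defaultdict(set)
    for parent, child in edges:
        children[parent].add(child)
    return children


def paths_to(children, start, target, prefix=()):
    """Every path from start down to target, as tuples of access points."""
    prefix = prefix + (start,)
    if start == target:
        return [prefix]
    found = []
    for child in sorted(children.get(start, ())):
        if child not in prefix:  # ignore cycles in malformed data
            found.extend(paths_to(children, child, target, prefix))
    return found


def reachable(children, start):
    """All access points a holder of `start` can reach."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(children.get(node, ()))
    return seen


def analyze(edges, users, control):
    """Map each user who reaches every point of the control to their conflict paths."""
    children = build_children(edges)
    incidents = {}
    for user, assigned in users.items():
        per_point = [
            [p for top in sorted(assigned) for p in paths_to(children, top, point)]
            for point in control
        ]
        if all(per_point):
            incidents[user] = [p for paths in per_point for p in paths]
    return incidents


def simulate(edges, users, control, steps):
    """Remove each (parent, child) step from a copy of the model and compare."""
    after_edges = set(edges) - set(steps)
    before = analyze(edges, users, control)
    after = analyze(after_edges, users, control)
    old, new = build_children(edges), build_children(after_edges)
    return {
        "plan": [f"Remove {child} from {parent}" for parent, child in steps],
        "resolved_users": sorted(set(before) - set(after)),
        "remaining_users": sorted(after),
        "remaining_paths": sum(len(paths) for paths in after.values()),
        # users whose access changes at all, with or without an incident
        "users_affected": sorted(
            u for u, tops in users.items()
            if any(reachable(old, t) != reachable(new, t) for t in tops)
        ),
    }


STEP_1 = [("Financial Management", "PN_NAVIGATE_GUI")]
STEP_2 = STEP_1 + [("Payments Menu", "Create Supplier")]

if __name__ == "__main__":
    for plan in (STEP_1, STEP_2):
        print(simulate(EDGES, USERS, CONTROL, plan))
```

With the first step alone, alice keeps a second path to Create Supplier through Payments Menu, so her incident remains; the model itself is never modified, matching the statement that simulation changes nothing in the business application.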


Utilize Corporate Change-Tracking Process

Remediation will involve making changes in the system that is being analyzed. For instance,
in Oracle E-Business Suite, a menu structure or responsibility may need to be changed.
These changes will generally first need to happen in a development instance, then most likely
in a test instance, and finally in a production instance. It is important you have a
change-tracking process to ensure the changes are made from system to system.


Remediation Plan

Generate a Remediation Plan to implement in the business management application.

For example, for use when you actually implement a remediation plan in a
business-management application, you can print a remediation plan or save it to your computer. To
do so, run the simulation and then select Actions > View Remediation plan in the Statistics
panel. You are then prompted either to save, or to open and print, a copy of the plan in .PDF
format.


Changes to Business System

The act of remediation is to make actual changes in the underlying system in which
conflicts exist.
Options for remediation may be different depending on the business system.
Some common changes that may need to be made in the business system include inactivating
users, revoking role assignments, and changing menu structures.

Make Changes in the Underlying System
Remediation is the act of making actual changes in the underlying system in which incidents
exist. Options for remediation vary depending on the business system. Some common
changes that may need to be made in the business system include inactivating users,
revoking role assignments, and changing menu structures.
Generally a system administrator type person makes the security model change in the
business system. We assume this person is familiar with the best way to implement the
remediation steps. For instance, in Oracle EBS, if we have a remediation step that removes
function1 from menu1, the system administrator type person has a few ways to do this:
Function exclusion on responsibility form.
Uncheck grant flag on menu for that function.
Remove prompt for that function in that menu.
Remove entire line for that function in that menu.


Re-evaluate

A common approach to remediation is to:


Analyze conflicts
Prioritize
Add focus with conditions
Clean up
Re-evaluate
It is a repetitive process.
Initial remediation may require new conflict analysis runs to be executed several times in
one day or, depending on how long it takes to run through the previous steps, a longer period.

Perhaps remediation can be done throughout the week, with a new conflict analysis run at the
end of each week to provide a fresh look at where conflicts stand. Conflict analysis and
remediation are slightly different for every company. This document was intended to provide
guidelines and example approaches based on best practices.
A common approach to remediation is to analyze incidents, prioritize, add focus with
conditions, clean up, and re-evaluate. It is an iterative process. Initial remediation may require
new analysis runs to be executed several times in one day or, depending on how long it
takes to run through the previous steps, a longer period. Perhaps remediation can be done
throughout the week, with a new analysis run at the end of each week to provide a fresh look
at where incidents stand. Analysis and remediation are slightly different for every company.
This document was intended to provide guidelines and example approaches based on best
practices.


Quiz

Remediation is cleaning up your application to reduce or eliminate segregation of duties
conflicts:

a. True
b. False

Answer: a


Quiz

In AACG, what-if analysis is done using:


a. Visualization
b. Simulation
c. Remediation
d. Re-evaluate

Answer: b


Quiz

Simulation of conflicts for analysis is done directly on the business application for the
current data:

a. True
b. False

Answer: b


Summary

In this lesson, you should have learned how to:


Define remediation
Understand remediation considerations and checklist
Identify AACG remediation steps
Use the incident reports
Run conflict reports
Use simulation
Set up an iterative clean-up process

Manage Access Approvals

Objectives

After completing this lesson, you should be able to:


Detail the preparations before enforcement
Describe preventive enforcement
List enforcement types
Manage conflicts
Assign users in Oracle EBS and PeopleSoft
Manage notifications
Approve and reject procedures
Manage Access Approval History


Manage Access Approvals

In AACG, Manage Access Approval section:


Implements preventive SOD analysis
Applies preventive access controls to users in the Business Application
Access violations are reviewed by investigators designated by the control

Once most cleanup has taken place, and the customer feels comfortable with the incidents
that are known to remain, the AACG Manage Access Approvals feature is normally turned on.
This feature implements preventive SOD analysis: it applies access controls to users as
they are being assigned duties in the Oracle FND Users form, the PeopleSoft User Profile
page or the Fusion Oracle Identity Manager (OIM). It rejects role assignments that violate a
Prevent control, and accepts assignments that violate a Monitor control (or no control). If an
assignment violates an Approval Required control, AACG suspends the assignment and
displays an entry for it in a Manage Access Approvals panel, for review by the investigators
designated by the control. If an investigator approves, the assignment is allowed; if he rejects,
it is disallowed.
This is just one of two ways to exert preventive control over user provisioning. The other is
Oracle's strategic method: implement Oracle Identity Management, and configure OIM's
entitlement approval workflows to display AACG conflict analyses in OIM. This is accelerated
thanks to Oracle's ready-made OIM+AACG integration.


Enforcement

For an initial period after installation, a site may wish to run GRC with the Access
Approval feature turned off, so that conflicts that existed prior to the installation of GRC
can be cleaned up before new conflicts are addressed.
It is possible to turn Conflict Analysis off and on.
You would do so in each Oracle E-Business Suite, PeopleSoft or Fusion instance that is to
be subject to analysis by GRC.


Enforcement

AACG preventive enforcement applies access controls to each user as he is assigned
responsibilities in the User form of Oracle E-Business Suite, or roles in the User
Profile page of PeopleSoft Enterprise.
Results depend on what (if any) controls are violated.


Enforcement Types

The three types of Enforcements are:


Preventive
    Prevents or rejects assignment of responsibilities or roles to an existing or new user in
    the underlying Business Application.
Monitor
    Allows assignments but requires monitoring by a supervisor.
Approval Required
    Suspends the assignment and seeks approval or rejection from an approver.


Conflict Management

Prevent State:

In AACG: the assignment is in rejected state and no conflict is seen.
In EBS: in the Oracle Users form, when prevent is active and a responsibility that conflicts
is added to a user, it will PERMANENTLY end-date that responsibility.
In PeopleSoft: roles are deleted from the user.


Conflict Management

No Conflict State:

In AACG: if there is no conflict, the assignment is allowed.
In EBS: in the Oracle Users form, an end date in the future (or no end date) may be
configured for responsibilities assigned to the user.
In PeopleSoft: roles remain added to the user's list in the Roles tab of the User Profile page.


Conflict Management

Monitor Controls:

In AACG: if an assignment violates a Monitor control, the assignment is allowed.
In EBS: in the Oracle Users form, an end date in the future (or no end date) may be
configured for responsibilities assigned to the user.
In PeopleSoft: roles remain added to the user's list in the Roles tab of the User Profile page.


Conflict Management

Approval Required Controls:

In AACG: if an assignment violates an Approval Required control, it is suspended.
Notifications are sent to Investigators to approve or reject individual responsibilities or
roles involved in the conflict.
If the control is subsequently run in the Manage Controls page, incidents related to approved
responsibilities or roles appear in the Manage Incidents page, with status set to Authorized.
In EBS: end dates are removed from approved responsibilities, but kept for those that are
rejected.
In PeopleSoft: approved roles are restored to a PeopleSoft user's list, and rejected roles
are not.


Order of Priority

When multiple control violations occur, GRC takes the most restrictive possible action.
The pecking order is:
1. Prevent
2. Approval Required
3. Monitor
4. No conflict


Manage Notification Configuration

Notification is sent to participants when a control is deployed
Notification is also sent when incidents are generated
Can be run at any time or scheduled to run daily or at an hourly interval
One notification is sent for one control when one or more incidents are generated
Queued notifications are consolidated for any control type to the participants

Defining Your Notification Schedules
Notification schedules determine how often users are notified when incidents are generated.
A consolidated email message is generated for each result investigator, showing all violated
controls for which no prior notification had been sent. Before creating a notification schedule,
consider how often incidents will be generated, and how immediate is the need to review or
fix those incidents.


Notifications

In AACG
When an Approval Required control is violated, its participants receive notification at the
email address provided for each investigator in the Email Address 1 column of the Manage
Users page.
Notifications are consolidated: each participant receives one message for all role
assignments awaiting her review.
In EBS
Notification of the Enforcement outcome is sent to the user who has been prospectively
assigned new duties, at the email address associated with the user in the
business-management application.


Responding To Notifications

When an Approval Required control has been violated:
Approver responds in the Manage Access Approvals page.
The Approver is a participant designated to have Assign Incidents rights in the control
that generated the conflict.
The Investigator may approve or reject the role assignment, but the first one to do so acts
for all; other participants cannot act after the first participant has.
If a control violation involves more than one role or control, AACG evaluates all controls and
automatically approves access to roles that may be granted without conflict, and displays
records of only those roles that would conflict with those already granted.
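The enforcement types, the Order of Priority list and the response rules above combine into one decision procedure, sketched here in Python. This is an added example, not Oracle's code: a control is simplified to a set of roles that must not be held together, and the control names, roles and investigators are constructed. It picks the most restrictive action per requested role, grants roles that do not conflict with those already granted, and lets the first designated investigator act for all.

```python
from dataclasses import dataclass

# Most restrictive first, following the "Order of Priority" list.
PRIORITY = ["Prevent", "Approval Required", "Monitor", "No conflict"]


@dataclass(frozen=True)
class Control:
    """Simplified control (assumption): holding any two of `roles` is a conflict."""
    name: str
    enforcement: str          # "Prevent", "Approval Required" or "Monitor"
    roles: frozenset
    investigators: tuple = ()


@dataclass
class PendingApproval:
    """A suspended assignment awaiting review in Manage Access Approvals."""
    user: str
    role: str
    investigators: tuple
    status: str = "Pending"
    decided_by: str = ""

    def respond(self, investigator, status):
        if investigator not in self.investigators:
            raise PermissionError(f"{investigator} is not designated by the control")
        if status not in ("Approve", "Reject"):
            raise ValueError("status must be Approve or Reject")
        if self.status != "Pending":  # the first responder acts for all
            raise RuntimeError(f"already decided by {self.decided_by}")
        self.status, self.decided_by = status, investigator


def violated(controls, held, requested):
    """Controls that granting `requested` would violate, given roles already held."""
    return [c for c in controls
            if requested in c.roles and (c.roles & held) - {requested}]


def most_restrictive(hits):
    """Highest-priority enforcement among violated controls."""
    return min((c.enforcement for c in hits), key=PRIORITY.index, default="No conflict")


def provision(controls, user, held, requests):
    """Evaluate requested roles one by one against roles already granted."""
    held = set(held)
    result = {"granted": [], "rejected": [], "pending": [], "monitored": []}
    for role in requests:
        hits = violated(controls, held, role)
        action = most_restrictive(hits)
        if action == "Prevent":
            result["rejected"].append(role)
        elif action == "Approval Required":
            reviewers = sorted({i for c in hits if c.enforcement == action
                                for i in c.investigators})
            result["pending"].append(PendingApproval(user, role, tuple(reviewers)))
        else:  # Monitor or No conflict: the assignment is allowed
            held.add(role)
            result["granted"].append(role)
            if action == "Monitor":
                result["monitored"].append(role)
    return result


# Constructed sample controls, roles and investigators.
CONTROLS = [
    Control("SOD-01", "Prevent", frozenset({"Supplier Maintenance", "Payables Manager"})),
    Control("SOD-02", "Approval Required",
            frozenset({"Purchasing Buyer", "Payables Manager"}), ("irene", "ivan")),
    Control("SOD-03", "Monitor", frozenset({"Purchasing Buyer", "Receiving Clerk"})),
]

if __name__ == "__main__":
    print(provision(CONTROLS, "dave", {"Purchasing Buyer"},
                    ["Receiving Clerk", "Payables Manager", "Inventory Inquiry"]))
```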


Email Notification

[Figure: Email notification when incidents are generated for a control]


Manage Access Approval

When users are assigned roles in business applications, and the assignments violate existing
access controls of the Approval Required enforcement type, EGRC suspends the
assignments and lists them for review in the Manage Access Approvals page.
Note: If role assignments violate Prevent controls, EGRC denies them; if role assignments
violate Monitor controls, EGRC allows them. In both these cases, the role assignments do not
appear in the Manage Access Approvals page.
For control violations that occur in Oracle EBS or PeopleSoft, use this Manage Access
Approvals page to approve or reject responsibilities or roles involved in the conflicts. You are
able to review those assignments for which Approval Required controls both find conflicts and
name you as a result investigator:
1. In the top portion of the Manage Access Approvals page, locate the user whose
assignments you wish to review, and click on the + symbol next to his name.
2. One or more subordinate rows appear. Each shows a role provisionally assigned to the
user, the start and end dates configured for it, the business-application instance on
which the conflict exists, and a status (which is set initially to Pending).
In the Status field of each row, select Approve or Reject. Optionally, type a comment
about your decision in the Comments field.

3. If you set the status for any role to Approve, click on its Preview prompt (in the Preview
column of the parent row that identifies the user). The lower half of the page then
displays records of incidents: paths to the access points included in the conflict. Each
identifies the violated control, elements that define the incident (the assigned role, the
access point included in the control, and path leading from one to the other), and the
approver. (If you set the conflict status to Reject, the Preview feature does not apply,
and an attempt to run it produces a warning message.)

After reviewing conflict paths, you may determine that you should reject the role
assignment. If so, change the status in the upper half of the Request page to Reject.
(When you alter a decision, it's advisable to rerun the Preview feature for those roles
you still want to approve.)
4. When you have set status for all provisionally assigned roles to Approve or Reject, click
on the Submit prompt (in the Submit column of the parent row that identifies the user, in
the upper half of the page). The user's record then disappears from the Manage Access
Approvals page. If the control is rerun after roles have been approved, incidents related
to those roles appear in the Manage Incidents page, with the status set to Authorized.


Administer Access Approvals History

The Administer Access Approvals History page displays a history of assignments that violate
access controls of any type.

Use the History page essentially in the same way as you would use the upper half of the
Approvals page:
The page displays rows containing the user names of users whose responsibility or role
assignments have violated access controls. Locate the user whose request you wish to
review, and click on the + symbol next to his name.
One or more subordinate rows appear, each showing a role assigned to the user, the
start and end dates configured for it, the Oracle EBS or PeopleSoft instance on which
the role was assigned, the status selected for the assignment, and any comments
entered by the user who approved or rejected it.
If you have view rights, all you can do is review these entries. If you have update rights,
then for any row set to the Pending status, you can select a Reject link in the Reject
column, and then select a Submit link in the Submit column. The responsibility or role
assignment is then end-dated in the Oracle EBS Users form or deleted from the Roles
tab on the PeopleSoft User Profiles page.


Note
When a user's assignments violate Prevent or Monitor controls, the status of those
assignments is set, respectively, to Reject or Approve.
When a user's assignments violate Approval Required controls, their status is set
initially to Pending.
Once the conflict is resolved in the Manage Access Approvals page, the user's records
disappear from there, and her responsibility-assignment statuses are reset in the History
page to the values (Approve or Reject) selected in the Approvals page.
Users with view permission to the Manage Access Approvals History page can review
approval history.
Users with update permission to this page can both review history and reject role
assignments at the Pending status; other statuses cannot be updated.
The assumption is that such users would reject Pending roles only under extraordinary
circumstances (for example, the participant for a control has resigned from the
company); update rights to the Manage Access Approvals History page should be
granted sparingly.
View and update rights are, of course, determined by roles assigned to GRC users.

We can use the History page essentially in the same way as we would use the upper half of
the Approvals page:
It displays rows containing the user names of users who have violated access controls.
Locate the user whose request you wish to review, and click on the + symbol next to his
name.
One or more subordinate rows appear, each showing a role assigned to the user, the
start and end dates, the role's instance, the status, and any approver's comments.
If you have view rights, all you can do is review the entries.
If you have update rights, then for any row set to the Pending status, you can Reject and
Submit.
The responsibility or role assignment is then end-dated in the Oracle EBS Users form or
deleted from the Roles tab on the PeopleSoft User Profiles page.


Quiz

Initially during AACG implementation, as good practice, Access Approvals are turned off in
business applications:

a. True
b. False

Answer: a


Quiz

Select the Enforcement types:


a. Prevent
b. Approval Required
c. Monitor
d. None

Answer: a, b, c


Quiz

Preventive Enforcement Agent must be installed in the business application:
a. True
b. False

Answer: a


Summary

In this lesson, you should have learned how to:


Detail the preparations before enforcement
Describe preventive enforcement
List enforcement types
Manage conflicts
Assign users in Oracle EBS and PeopleSoft
Manage notifications
Approve and reject procedures
Manage Access Approval History



AACG Reporting

Objectives

After completing this lesson, you should be able to:


Describe reports used in Access Controls
Understand how to run Reports
Use the Report Management Menu
View & Save Reports
Understand Dash Boards for Controls and Incidents


Reporting Overview

You can run ad hoc reports or schedule them to be run at intervals over a period that you define.
AACG reports can be accessed from:
  CCM Application
  Embedded GRC Intelligence
In the CCM application, reports are of the following types:
  Control Summary - Control Level
  Incident Results - Incident Level

Note: Embedded GRC Intelligence provides reports and dashboards if it is implemented with GRC 8.6.4. In the courseware we do not include reports from GRCI.


Contextual Reporting for Control Summary

When you select Control Summary in the View By list box of the Manage Results home page, you can generate the following reports:

Contextual Reporting for Incident Results
When you select Control Summary in the View By list box of the Manage Results home page,
you can generate the following reports:
Intra-Role Violations by Control Report lists access controls that generate intra-role
conflicts for which incidents exist at the Assigned, Remediate, Authorized, or Accepted
status. For each control, it also lists the roles for which the conflicts are generated. An
"intra-role" conflict is one involving privileges granted by a single role.
Users with Access Violations by Control Report lists access controls that have
generated incidents at the Assigned, Remediate, Authorized, or Accepted status. For
each control, it lists users whose work assignments have violated the control.
Result by Control Summary Extract Report lists access and transaction controls that
have generated pending incidents, and provides information about each control.



Contextual Reporting for Incident Results

When you select Control Summary in the View By list box of the Manage Results home page, you can generate the following reports:

Access Point Report lists paths to access points involved in conflicts. Each record in the
report is not a conflict in itself, but rather one path (potentially among many) to one of
the access points involved in a conflict.
Access Violations Within a Single Role (Intra-Role) Report lists roles for which access
controls generate conflicts between privileges granted within a role, so that the role
cannot be assigned to any user without a conflict occurring.
Access Violations by User Report lists ten users with the greatest number of conflicts,
the number of conflicts for each, and information about those conflicts.
Result Summary Extract Report lists incidents generated by access and transaction
controls, providing summary details for each.
Access Incident Details Extract Report lists incidents generated by access controls,
providing not only the information that would be included in the Result Summary Extract
Report, but also additional details.



CCM Control Management Reports

The Control Detail Extract Report provides information about continuous controls.
The Conditions Report provides information about three
sorts of condition that may be set in AACG.
The Entitlement Report lists access points belonging to
each in a set of entitlements.

The Control Detail Extract Report provides information about continuous controls. For
each control, it gives the processing logic, conditions, and other values that define it;
users who created or updated it, and when they did so; and perspectives and result
investigators associated with it.
The Conditions Report provides information about three sorts of condition that may be
set in AACG: A global condition specifies objects exempted from controls on a given
datasource; the report lists global conditions by datasource. A global path condition
excludes one access point from another, exempting paths including both points from
analysis; the report identifies each excluded access point and its parent. A control-
specific condition is like a global condition, but applies to only one control; the report
lists controls that contain conditions.
The Entitlement Report lists access points belonging to each in a set of entitlements (an
entitlement being a set of access points that may be included in a model or continuous
control).



CCM Result Management Reports

The Access Approvals Report
The Result Summary Extract Report
The Access Incident Details Extract Report
The Transaction Incident Details Extract Report
The Access Point Report
The Access Violations by User Report
The Access Violations Within a Single Role Report
The Intra-Role Violations by Control Report
The Global Users Report
The Result by Control Summary Extract Report
The Users with Access Violations by Control Report

The Access Approvals report displays records of role assignments in business-
management applications which, because they violated Approval Required controls,
were suspended until a control participant could review them.
The Result Summary Extract Report lists incidents generated by access and transaction
controls, providing summary details for each. These include an Incident Information
value: the path by which a user can reach one in a conflicting pair of access points, or
the value of the first attribute selected (during model configuration) to characterize a
suspect transaction.
The Access Incident Details Extract Report lists incidents generated by access controls,
providing not only the information that would be included in the Result Summary Extract
Report, but also additional details.
The Transaction Incident Details Extract Report lists incidents generated by a
transaction control. It provides not only the information that would be included in the
Result Summary Extract Report, but also values for all attributes selected to
characterize suspect transactions. These attributes vary from one control to another, so
each run of the report must focus on a single control.



The Access Point Report lists paths to access points involved in conflicts. Each record
in the report is not a conflict in itself, but rather one path (potentially among many) to
one of the access points involved in a conflict.
The Access Violations by User Report lists ten users with the greatest number of
conflicts, the number of conflicts for each, and information about those conflicts.
The Access Violations Within a Single Role (Intra-Role) Report lists roles for which
access controls generate conflicts between privileges granted within a role, so that the
role cannot be assigned to any user without a conflict occurring.
The Intra-Role Violations by Control Report lists access controls that generate intra-role
conflicts for which incidents exist at the Assigned, Remediate, Authorized, or Accepted
status. For each control, it also lists the roles for which the conflicts are generated.
The Global Users Report provides information about global user IDs created by
EGRC, each of which identifies one person, and correlates to any number of potentially
varying IDs that person may have in business applications subject to access controls.
The Result by Control Summary Extract Report lists access and transaction controls that
have generated pending incidents, and provides information about each control.
The Users with Access Violations by Control Report lists access controls that have
generated incidents at the Assigned, Remediate, Authorized, or Accepted status. For
each control, it lists users whose work assignments have violated the control.
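
The report definitions above (path records, intra-role violations, violations by user, and the global path condition from the Conditions Report) can be made concrete with a small model. The Python below is an added example, not Oracle code and not how AACG is implemented: all role, menu and user names are constructed, and counting one conflict per pair of paths is an assumption of this model.

```python
from collections import Counter
from itertools import product

# Constructed sample data: each role maps to its paths, and a path is a
# tuple (role, menu, access point). None of these names come from a real system.
ROLE_PATHS = {
    "AP_CLERK": [("AP_CLERK", "Invoices Menu", "Enter Invoices")],
    "AP_PAYER": [("AP_PAYER", "Payments Menu", "Pay Invoices")],
    "AP_SUPER": [
        ("AP_SUPER", "Invoices Menu", "Enter Invoices"),
        ("AP_SUPER", "Payments Menu", "Pay Invoices"),
        ("AP_SUPER", "Admin Menu", "Pay Invoices"),
    ],
    "GL_VIEW": [("GL_VIEW", "Inquiry Menu", "View Journals")],
}
USER_ROLES = {
    "alice": ["AP_CLERK", "AP_PAYER"],  # conflict spread across two roles
    "bob": ["AP_SUPER"],                # conflict inside a single role
    "carol": ["AP_CLERK", "GL_VIEW"],   # no conflict
}
# A control pairs two entitlements (sets of access points) that conflict.
CONTROLS = {"Enter vs Pay Invoices": ({"Enter Invoices"}, {"Pay Invoices"})}
# Global path conditions as (parent, excluded access point): a path that
# contains both is exempt from analysis.
PATH_CONDITIONS = {("Admin Menu", "Pay Invoices")}


def analysed_paths(role, conditions):
    """Paths of a role that remain after global path conditions are applied."""
    return [p for p in ROLE_PATHS[role]
            if not any(parent in p and point in p for parent, point in conditions)]


def paths_to(roles, entitlement, conditions):
    """Every analysed path through the given roles that ends in the entitlement."""
    return [p for r in roles for p in analysed_paths(r, conditions)
            if p[-1] in entitlement]


def find_conflicts(conditions=PATH_CONDITIONS):
    """One record per (control, user, path pair) reaching both sides of a control."""
    records = []
    for control, (side_a, side_b) in CONTROLS.items():
        for user, roles in USER_ROLES.items():
            left = paths_to(roles, side_a, conditions)
            right = paths_to(roles, side_b, conditions)
            for pa, pb in product(left, right):
                records.append({"control": control, "user": user,
                                "paths": (pa, pb), "intra_role": pa[0] == pb[0]})
    return records


def intra_role_violations(conditions=PATH_CONDITIONS):
    """Per control, roles that cannot be assigned to anyone without a conflict."""
    out = {}
    for control, (side_a, side_b) in CONTROLS.items():
        bad = sorted(r for r in ROLE_PATHS
                     if paths_to([r], side_a, conditions)
                     and paths_to([r], side_b, conditions))
        if bad:
            out[control] = bad
    return out


def access_point_records(conflicts):
    """Distinct paths behind the conflicts: each record is a path, not a conflict."""
    return sorted({p for c in conflicts for p in c["paths"]})


def top_users(conflicts, n=10):
    """Users ranked by number of conflicts, highest first."""
    return Counter(c["user"] for c in conflicts).most_common(n)


if __name__ == "__main__":
    found = find_conflicts()
    for rec in found:
        kind = "intra-role" if rec["intra_role"] else "across roles"
        print(rec["control"], rec["user"], kind)
    print("Roles with intra-role violations:", intra_role_violations())
    print("Path records:", len(access_point_records(found)))
    print("Users by conflict count:", top_users(found))
```

Passing `conditions=set()` to `find_conflicts` shows what the path condition suppresses: the Admin Menu path reappears and the single-role user's conflict count doubles.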


Reporting File Types

Reports can be generated in 2 file types:
  PDF (Adobe)
  CSV (Excel)
Reports can be either:
  Opened immediately after generation and printed
  Or saved locally and printed later.


Manage Report Parameters

Set parameter values to run reports:


As you run reports you can select parameter values, thus focusing the results on records that
match those values. Parameters vary from one report to another; in general, they correspond
to the selections you make as you create or otherwise work with the object on which you are
reporting. As you set parameters, you would select among the same values.
For example, a Control Detail Extract Report (for EGRC) enables you to select among values
you would set as you create continuous controls, such as name, type, enforcement type,
priority, and other values. For each report, you can also select the format in which the report
should be generated: PDF (Adobe Acrobat file) or CSV (a text file for export to another
application, such as a spreadsheet).
Select parameter values in a Parameters pop-up window that opens as you run or schedule
reports.



You can save sets of parameter values, so that you can select them easily as you run reports:
1. In the Parameters window that opens when you select the Run Now option in the Report
Management page, select a set of parameter values. Then click the Save Report
Parameters button.
2. A Create Saved Report Parameters dialog opens. In it, create a name for the set of
parameter values, and click the OK button.

To use a set of saved parameter values, choose it in the Select Saved Report Parameters list
box that appears in the Parameters pop-up window. (This list box is available regardless of
whether you are running an ad hoc report or scheduling a report.)
In this list box, you can select a Personalize option. This opens a Personalize Saved Report
Parameters dialog. In its list box, select one of the sets of saved parameters. Then do any of
the following:
Click the Delete button to delete the set of saved parameters.
Select or clear a Show in Saved Report Parameters check box to make the set of
parameters available, or hide it, in the Select Saved Report Parameters list box.
Select or clear a Default Report Parameter check box to apply the set of parameters
each time you run the report. (This option should be selected for only one set of
parameters per report. Clear the existing selection before setting this option for a new
set of parameters.)
Select the Apply button in the Personalize Saved Report Parameters dialog to implement your
selections, and the OK button to close the dialog.


Reporting Scheduling

Reports can be run or scheduled to run at regular intervals.


If you have scheduled a report to run, the bottom portion of the Report Management page can
display either a row for each generation of the report or a row for each schedule configured
for the report. (Note that the Last Run Date and Last Run By columns in the top portion of the
screen are populated by GRC, but only for scheduled runs of reports, not for ad hoc runs.)
To view a report generated on a schedule:
1. In the top portion of the Report Management page, click on the title of the report you
want to see.
2. In the top portion of the page, click on Display > Report History.
3. In the bottom portion of the Report Management page, click on the row representing the
instance of the report you want to see. Then select Actions > View Report.
(To remove an instance of a report, click on its row in the bottom portion of the page, and then
select Actions > Delete.)



To view or modify the schedule on which the report was generated:
1. In the top portion of the Report Management page, click on the title of the report whose
schedule you want to see.
2. In the top portion of the page, click on Display > Scheduled Reports.
3. In the bottom portion of the Report Management page, each row represents a current
schedule. (Schedules that have reached their end dates are removed from the list.) Click
in the row for a schedule, then select Actions > Reschedule/Unschedule Report Job.
The Schedule Parameter pop-up window reopens. You can re-enter schedule values
and select a Reschedule button, or turn off the scheduling by selecting an Unschedule
button.



Report Generation

You can run reports that document your use of Application Access & Transaction Controls from each of several panels mentioned below as per context, or from a Report Management Menu.
Manage Controls Panel
Manage Incidents Panel
Reports Management Panel


Report from Manage Controls Panel

From the Manage Controls panel under the Control Management menu, you can run the following report, which provides information about the configuration of access & transaction controls. Dash Boards have now been introduced to view Controls at a glance:
Control Detail Extraction Report
View Dash Boards


Report Generation
Manage Incidents Panel
From the Manage Incidents panel, you can run reports that provide information about the generation of Incidents under two categories:
  Control Summary Wise
  Incident Wise
You can choose between these categories at the VIEW BY field on the top-left of the menu bar.
You may select one or more listed Incidents to include in the report. Otherwise all incidents will be included in the report.
Dash Boards have now been introduced to view Incidents at a glance.


Report Management Menu

From the Reports Management Menu in the Navigator, you can run the following reports for CCM:
Control Management Reports
Result Management Reports


Using the Report Management Menu

From Reports Management pages, you can:
Run ad hoc reports or schedule them to be run at intervals over a period that you define.
Save the scheduled reports it generates, enabling you to view them at any time.
Select parameter values, thus focusing the results on records that match those values.


Summary

In this lesson, you should have learned how to:


Describe reports used in Access Controls
Understand how to run Reports
Use the Report Management Menu
View & Save Reports
Understand Dash Boards for Controls and Incidents



Enterprise Transaction Controls Governor


Overview

Objectives

After completing this lesson, you should be able to:


Understand the Capabilities of Transaction Controls
Appreciate the Benefits of Continuous Transaction Monitoring
Define Business Objects
Understand ETCG system setup
Utilize terminology specific to ETCG process and function


GRC Platform and ETCG Differentiators
Enterprise Transaction Controls Governor
Oracle GRC (CCM)
Control based Detection
  Identify and remediate historic transactions that represent risk or violate business policies
  Enforce controls on business transactions
Pattern based Detection
  Assist Control definition and detection of fraud based on patterns or complex algorithmic rules

ETCG Overview
ETCG was designed with rapid implementations in mind; a best-practice library (a set of
delivered templates) may be used to deploy models for immediate transaction analysis. The
best-practice library for the Oracle E-Business Suite (EBS)/PeopleSoft provides models that
support rapid implementation of transaction analysis around common end-to-end business
processes. These include Order-to-Cash, Procure-to-Pay, Financials (or Reconcile-to-
Report), and Human Resources (or Hire-to-Retire).


About Transaction Governor

Transaction analysis identifies transactions that meet the criteria of the deployed controls. These transactions are only suspect. They may or may not represent actual violations. Additional review and research of the results may result in any of the following conclusions:
A transaction involves error or fraud. If so, other upstream controls should be employed to reduce the risk of the occurrence of such transactions in the future.
A transaction was a known and accepted deviation from general corporate policy, and appropriate approvals and sign-offs were obtained.
A transaction was acceptable in the context of its occurrence. This may be deemed a false-positive and may warrant the modification of the model logic.

If suspect transactions are deemed to be in violation of the control environment, then
remediation steps are required. Involving the appropriate people during remediation is
imperative. Remediation within transaction analysis is not the same as it is for other
types of violations, such as segregation of duties (SOD). Transactions cannot be
removed from the system; they will continue to exist. Remediation comes in the form
of identifying appropriate preventive and upstream controls and potentially entering in
adjusted transactions and modifying previously submitted reports.


About Transaction Governor

ETCG enables its users to create models, each of which defines risk that transactions may present.
Each model specifies semantic business objects (BO), which supply transaction data to the model; business objects correspond to what a business user would expect to see within an ERP environment.
ETCG then finds incidents: transactions that are suspect because they meet the criteria defined in the model, and so present potential risk to the organization.

Business Object Overview
When defining ETCG models, select one or more business objects related to the transaction
data in your source system that you wish to analyze. If selected objects are logically
unrelated, a warning message will indicate this as you attempt to save the model. In many
cases, you may find only one or two business objects are necessary to analyze and research
suspect results.
As an example:
When using the Payables Standard Invoice BO, include the Supplier BO in order to use
the Supplier Name attribute.
When you use the Payment BO in a model, it already contains the Supplier Name
attribute and does not require the additional Supplier BO.



ETCG Setup Flowchart
[Flowchart boxes, in reading order: Define Application Configuration; Define Datasources and Default; Define Roles; Define Users; Define Model; Generate Model Incidents; Upgrade Models as Controls; Run Controls to Generate Incidents; Analyse, Resolve and Remediate Incidents]

ETCG Setup
Although your System Administrator can set up Transaction Controls Governor in many ways,
the diagram illustrates the suggested method, and we recommend that you follow this order.
Some steps are required, and others are optional; you would perform the optional steps only if
you are ready to use the features or business functions implemented by those steps.



ETCG Terminology

Model: An automated rule written in business terms against transaction data to detect anomalies or monitor for suspicious and fraudulent data.
Incidents: Any violation of the model rule generates temporary results for analysis.
Evaluate: To process (run) a model against one or more datasources for the purpose of generating results.
Logic: A collection of filters that make a logical expression


Create Filters and Use Business Objects

Model Types
  Defined-Type
  Pattern (model that contains a pattern filter)
Filters
  Defined / Standard
  Function (supports three aggregate functions: Sum, Average, Count)
Patterns
  Benford, Mean, Pareto, Absolute Deviation, Anomaly Detection and Clustering
Business Objects
  Delivered (seeded in application)
  Custom Business Object
    Imported data set for use as business object, e.g. xml file uploaded by user

Models: Business Objects, Filters, and Result Data
Once business objects and datasources are selected, create one or more filters in the Model
Logic pane. A filter is a logical statement that defines what makes a transaction risky (or, if a
model contains more than one filter, defines one element of the risk).
A standard business object is a business-language label for one or more database tables
(existing in one or more datasources) that hold information pertinent to transactions. ETCG
has a selection of business objects; and others can be uploaded via a Business Objects
Administration page (available from the Administration node in the Navigation panel).
In addition, you can import any set of data as a custom object and use it as if it were a
business object.



Processes by Functional Area


Quiz

Benford Analysis is a method of Pattern analysis:


a. True
b. False

Answer: a


Quiz

What if analysis can be performed independently for the incidents created in the ETCG application:


a. True
b. False

Answer: a

Quiz

In CCM, perspectives are applied to ETCG models and controls only:
a. True
b. False

Answer: a

Summary

In this lesson, you should have learned how to:


Understand the Capabilities of Transaction Controls
Appreciate the Benefits of Continuous Transaction Monitoring
Define Business Objects
Understand ETCG system setup
Utilize terminology specific to ETCG process and functiona

ETCG Configuration Planning and Installation

Objectives

After completing this lesson, you should be able to:


Understand Administration Management
Understand Manage Application Data
Define data sources
Schedule ETL synchronization
Synchronize business data with GRC data
Manage Jobs
Use Administration Management to access
  GRC Application Configuration
  Business Object Administration


Configuration Planning

Use the Manage Application Datasources page to set up Oracle EBS, PeopleSoft, Fusion, or other datasources, and to synchronize data for those datasources.
The data sources you set up depend on various factors, such as your company's current mandates, risk tolerances, and compliance goals.
Considerations include the need to connect to development instances and test instances, and to analyze data across multiple homogeneous instances and/or heterogeneous platforms.


Defining Data Sources

Before you begin setting up your data sources, consider your environment and your goals.
Do you run transaction analysis against multiple applications?
Do you connect to one application for Financials and another for Human Resources?
Are these on the same platform?
Will you analyze transactions across multiple platforms or even cross-platform?

By carefully evaluating your business needs, you can create the necessary datasources so that when models are loaded or created, they will be able to run against the appropriate datasources.
Additionally, once you have your datasources identified, evaluate the amount of historical
data you will require as part of your transaction analysis. As part of defining properties (in the
GRC Application Configuration page), it is recommended you set an Analysis Start Date by
enabling era-based ETL optimization for ETCG. This causes ETCG data synchronization to
operate only on data that was last updated after the specified date. The date used here can
have a direct impact on performance because it affects the amount of data synchronized.
Note: Era-based ETL does not apply to AACG.


Run Synchronization

To maximize performance and handle cross-platform analysis, GRC employs synchronization: it extracts transaction data from Business Application Systems and loads that data into its own database. For efficiency purposes, a synchronization operation collects transaction data that apply only to the business objects and data sources used by existing models.

Synchronization can be run only after at least one model has been created and saved.
ETL synchronization may be run on demand, or it may be scheduled to run at regular intervals. Various factors dictate how often either on-demand or scheduled synchronization should occur.
In general, whenever data within ETCG is believed to have aged substantially beyond
equivalent data in a datasource, synchronization should occur before transaction analysis is
run against that datasource. Transaction data changes daily, so a daily synchronization is
recommended if transaction analysis is also performed daily.
If, for another example, your company evaluates transactions on a monthly basis, then you
may need to run the synchronization process only once a month.
Keep in mind that you can always run an on-demand synchronization if necessary. However,
this must be completed before the transaction analysis is performed.


Synchronizing Data

When using a business object for the first time, ETL is triggered in the background when the model is saved.
Business Users can update source data via the Manage Models page Synchronize action.

Data Synchronize for Transaction
For Administrators, synchronization can be run via the Administration > Data Administration Synchronize for Transaction option.

Use the synchronize option in either location to update business objects that were previously
synchronized.
ETL is only run for business objects and datasources used by transaction models (meaning that if a business object like Buyer is not used in any user model, no ETL is performed; and when an object is used in a model, synchronization only occurs from datasources associated with the object).
The synchronize option may not be available if a synchronization has been kicked off by another user; it becomes available when that synchronization has completed.
Periodically, you need to synchronize data used by EGRC models and controls to capture changes made in the business application (datasource) in which the models and controls evaluate risk.
Each time a datasource is synchronized, GRC updates fields in the row for that datasource:
Last Access Synchronization Date and Last Access Synchronization Status show the date of
the most recent access synchronization, and its completion status. Last Transaction
Synchronization Date and Last Transaction Synchronization Status do the same for the most
recent transaction synchronization.
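
The scoping rules described above (ETL only for business objects and datasources that models actually use), combined with the Analysis Start Date cut-off of era-based ETL, shown as an added Python sketch. It is not Oracle code: the datasource names, row layout and function names are hypothetical and the sample data is constructed for illustration.

```python
from datetime import date

# Constructed sample: models and the business objects/datasources they use.
MODELS = [
    {"name": "Invoice review",
     "uses": {"Payables Standard Invoice": ["EBS-PROD"], "Supplier": ["EBS-PROD"]}},
    {"name": "Large payments",
     "uses": {"Payment": ["EBS-PROD", "PSFT-FIN"]}},
]

# Business objects available in the (hypothetical) library; Buyer is in no model.
LIBRARY = ["Payables Standard Invoice", "Supplier", "Payment", "Buyer"]

# Constructed source rows: (business object, datasource, row id, last updated).
ROWS = [
    ("Payment", "EBS-PROD", 1, date(2014, 11, 3)),
    ("Payment", "EBS-PROD", 2, date(2015, 2, 14)),
    ("Payment", "PSFT-FIN", 3, date(2015, 6, 1)),
    ("Supplier", "EBS-PROD", 4, date(2015, 3, 9)),
    ("Supplier", "PSFT-FIN", 5, date(2015, 3, 9)),   # Supplier is not mapped to PSFT-FIN
    ("Buyer", "EBS-PROD", 6, date(2015, 7, 7)),      # Buyer is used by no model
    ("Payables Standard Invoice", "EBS-PROD", 7, date(2013, 1, 1)),
]


def sync_scope(models):
    """Return the (business object, datasource) pairs referenced by any model."""
    scope = set()
    for model in models:
        for business_object, datasources in model["uses"].items():
            for datasource in datasources:
                scope.add((business_object, datasource))
    return scope


def rows_to_sync(rows, models, analysis_start=None):
    """Return the ids of rows a synchronization run would pick up.

    A row qualifies only if its business object is used by a model AND it comes
    from a datasource associated with that object in the model. With era-based
    ETL enabled (analysis_start set), rows last updated on or before that date
    are skipped.
    """
    scope = sync_scope(models)
    picked = []
    for business_object, datasource, row_id, last_updated in rows:
        if (business_object, datasource) not in scope:
            continue
        if analysis_start is not None and last_updated <= analysis_start:
            continue
        picked.append(row_id)
    return picked


def objects_never_synced(library, models):
    """Business objects in the library that no model uses, so no ETL runs for them."""
    used = {business_object for business_object, _ in sync_scope(models)}
    return [bo for bo in library if bo not in used]


if __name__ == "__main__":
    print("full sync:", rows_to_sync(ROWS, MODELS))
    print("era-based:", rows_to_sync(ROWS, MODELS, date(2015, 1, 1)))
    print("no ETL for:", objects_never_synced(LIBRARY, MODELS))
```

Moving the Analysis Start Date later shrinks the synchronized set, which is why the date has a direct effect on performance and also on how much history a model can evaluate.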


Synchronizing Data

Models evaluate transactions completed in business management applications (data sources).
For models to recognize changes made in their Data Sources, you must synchronize data: run a process that captures changes made since the last time a model was evaluated.
Each data synchronization job updates data used by all models created by all users.


Manage Jobs

Manage Jobs: Managing Jobs includes synchronization, model analysis, import, and export model results.


Administration Management

Set one of your data sources to Default for GRC
Assigns data source as default for any business objects added in your model
Only then will the user have access to the default data source

Administration
Administration Management: Define transaction datasources, and assign one default source for TC.
Pattern Management: Upload new or revised patterns provided by Oracle.
Business Object Administration: Dictionary and mapping of delivered objects.

Manage Application Datasources: Use the Manage Application Datasources page to set up Oracle EBS, PeopleSoft, Fusion, or other datasources, and to synchronize data for those datasources. Datasource management applies only to EGRC (the CCM module), not to
EGRCM (the Financial Governance and custom modules).
Manage Application Libraries: You can upload new business objects or patterns for use in
models and continuous controls, or connectors to link GRC to datasources other than Oracle
EBS or PeopleSoft (for which GRC uses a default connector). Application library management
applies only to EGRC (the CCM module), not to EGRCM (the Financial Governance and
custom modules).


Application Configuration Properties Tab

The Properties tab opens a page that sets values required for the Governance, Risk and Compliance Controls platform to connect to its database, and in the Performance Configuration section, you enable options that optimize GRC Application performance.

Performance Configuration
Enable Era-Based ETL Optimization: Select this check box to cause ETCG data synchronization to operate only on data entered in business-management applications after a specified date.
Note: This setting has no impact on data synchronization operations for AACG.
When you select the Enable Era-Based ETL Optimization field, an Analysis Start Date field
appears. In it, enter a date from which you want synchronization runs to recognize data
changes. When you click in the field, a pop-up calendar appears. Click left- or right-pointing
arrows to select earlier or later months (and years), and then click on a date in a selected
month.


Application Configuration Patterns Tab

Pattern types are:


Upload action available for future delivered patterns (new), or updates to existing delivered by Oracle

Upload Patterns
"Patterns" are statistical functions, supplied by Oracle, that may be used in the creation of
Transaction Controls Governor models. Independently of GRC releases, Oracle may issue
files (in .jar format) that contain patterns. To upload these files:
1. Click on the Patterns tab.
2. Click on Action > Upload File.
3. An Upload Pattern pop-up window opens. Click on its Browse button.
4. A Choose File dialog opens. In it, use standard Windows techniques to navigate to, and
select, the file you want to upload. The path and name of the file then populate the field
next to the Browse button in the Upload Pattern window.
5. Click on the Upload File button. A pop-up message reports the status of the upload
operation. Click on its OK button to clear it, and then click on the Close button in the
Upload Pattern window.
In the Patterns page, rows display information about patterns you've uploaded: for each, the name, description, and version.


Business Object Administration

List shows data source types/versions available (as defined under Administration Management in your environment).
Only Oracle R12 (Data source Type/Version column) is delivered with release 8.6.
Other data source types/versions are available and displayed for customers to apply their own custom objects (no underlying dictionaries or mappings delivered in release).
Import / Export business object mappings and dictionaries.

Business Object Administration Page
As you create models in Transaction Controls Governor, you work with business objects,
each essentially a business-language label for one or more database tables that hold
information pertinent to a transaction. Business objects contain attributes, each a business-
language name for a column within the selected object. Although GRC comes with a selection
of business objects already configured, more will be developed over time. As they are made
available, you would upload them from files to your GRC implementation. You use the
Business Object Administration page to do this.


Example: Business Object Administration

Business Object Mappings and Dictionaries
To complete a business object upgrade, you would upload two files (both of which are in OWL format):
Business Object Dictionary: This is the Semantic Data Dictionary (SDD). It is a
collection of generic business definitions of a single object regardless of any application
instance.
Business Object Mapping: This is the Semantic Data Mapping (SDM). This is the
mapping of the attributes of the associated Business Object Dictionary to the physical
store specific to an application (Oracle E-Business Suite or PeopleSoft).
Examples of attributes for a Business Object called Customer include:
Customer Name, Address Line 1, Zip, and Customer ID.


Summary

In this lesson, you should have learned how to:


Understand Administration Management
Understand Manage Application Data
Define data sources
Schedule ETL synchronization
Synchronize business data with GRC data
Manage Jobs
Use Administration Management to access
  GRC Application Configuration
  Business Object Administration


ETCG Manage Models

Objectives

After completing this lesson, you should be able to:


Use the Manage Model page
Export and Import Models
View Models
Synchronize data
View or export results


ETCG Modelling

Model Planning and Setup
Your organization may decide to load the best-practice transaction models. By doing so, you
will have a number of analysis models to be reviewed with appropriate business owners, and
compared against your organizational goals for governance, risk, and compliance (GRC). It
may be necessary to edit models or add new ones.


Identify Models

You should have a good idea of the GRC or business-performance goals of your organization and know what areas of the business should be focused on.
Reviewing each loaded Model and its content is necessary to ensure that the goals of the company are being met.
There are several ways to approach defining models.

Model Planning
A common approach is outlined in the following steps:
1. Identify GRC goals of the company.
2. Load the best-practice model library.
3. Hold meetings to review models.
4. Prioritize the models you plan to create or edit.
5. Create and edit models as needed.
6. Generate and view results.
7. Validate and refine models.


Setup of Models

To create models efficiently, it's important to understand how transaction controls works.
When an unused business object is added to a model, a synchronization process executes to collect data from the business application.
If you intend to use one or more new business objects as you create or edit any number of models, you should initiate the synchronization process first.

Do this in either of two ways:
1. Create a pseudo model: one that contains the previously unused BOs, but no business logic. Saving this model initiates the synchronization process for the new BOs.
You may choose to do this several days (or at least overnight) prior to building the
models you really want to create.
2. Build an actual model with all its business logic. Save this model and allow it to run in
the background, so that other new models can be created. These models and related
BO synchronization are queued in Job History (a page available under the Jobs node of
the GRC Navigation Panel).


Create Models

There are key things to consider when defining models:


Select all the necessary business objects.
Use the right data sources.
Select only the most important attributes.
An attribute is an individual piece of transaction data owned by a business object, for example Supplier Name in the Supplier business object.


Business Objects

When defining ETCG models, select one or more business objects related to the transaction data in your source system that you wish to analyze.
If selected objects are logically unrelated, a warning message will indicate this as you attempt to save the model.
You may find only one or two business objects are necessary to analyze and research suspect results.

Business Objects are the building blocks for modeling a transaction control.
As an example:
When using the Payables Standard Invoice BO, include the Supplier BO in order to use
the Supplier Name attribute.
When you use the Payment BO in a model, it already contains the Supplier Name
attribute and does not require the additional Supplier BO.


Datasources

ETCG uses three datasource types, excluding customizations. These include:
Oracle R12.1, which is the current delivered integration (adapter and metadata).
AG Schema for 8.x that is used in conjunction with Authorization type business objects. (The datasource basically points to itself to leverage access-oriented object information stored in GRC.)
XLS Datasource is used in conjunction with spreadsheets you may have leveraged to create your own custom objects. It is not necessary to define this datasource under the Data Administration page.


Model Logic

As you create an ETCG model, you define filters, each of which defines risk and selects transactions that satisfy the definition.
At its most basic, a filter consists of an attribute, a condition (a mathematical or other operator) and usually a third term.
At a high level, there are three filter types:
General
Function
Pattern


Manage Model Page

The Manage Model page provides information about Transaction Models created or imported by the user who is currently logged on (you).
To open the page, select Navigator > Control Management > Manage Model in the Navigation panel.

Manage Models
The Manage Model page does not provide immediate access to models created by other users. You can share models: you can export your models so that other users can import
them, or you can import models exported by others.


Manage Models Menu

Users access and manage their own models
Review model status and result availability
Save user views of My Models grid
Actions from Manage Model include:
Create New: takes user to Create Model page
Edit: takes user to Edit Model page
Delete: remove models that are no longer used
Duplicate: copy action applies incremental number after name
Synchronize: runs transaction ETL
View Results: run/access model data results
Import: upload model definitions
Export: saves model in xml format (import/export enables re-use across instances and model sharing)


My Models Pane

A My Models pane displays a list of existing models, together with summary information about them: for each model, its name and description, type and status, and the date when it was last evaluated.
All these pieces of information are supplied by GRC, from information recorded when a model is created, edited, or run; you cannot update them directly.


Example: Manage Model

Status may include: Not Started, Started, Completed, Error, and Canceled
When a model has a status of Completed, a View Results link is available to access existing results

Model Status
Model status indicates whether the model has been evaluated and has produced results (records of transactions captured by its filters). In addition, an Error status links to the GRC
Jobs page, which can provide information about processing


Manage Import and Export

Export models to re-use or share with other users
Import previously exported models, mapping them to a data source in your environment
Logs provided for import/export status
Import and export files are xml file types
Currently supports single model per file


Export Model

Select the Export option under Actions on Manage Model page
Select download, define file name and save


Import Model Select File

Select the Import option under Actions on Manage Model page
Locate and select the file to import


Import Model Select Model

Highlight the model to import; select Next




Import Model Map Data Source

Select the datasource to map the model; select Import




Import Model Import Statistics & Log

Import statistics indicate success or failure


Review the log for any details regarding the statistics


Manage Shared Models

Sharing and re-using Models
Export models from ETCG instance to a file
Export format is *.xml
Export as either model or template
Importing Models
Restricted to the active user (the user that is logged in)
Pre-pends file name with Models
Specify one or more Datasources as determined by the model definition


Data Access and Security

A user must have update access (job role) to the Create Models page to create/edit models
Users only see business objects in the library menu to which they have been granted access
Users only have access to data sources to which they have been granted access
This access affects the ability to import models and access templates if users do not have
access to the objects that the models or templates use


Quiz

ETCG synchronization means loading data for all the Business Objects defined in ETCG application:


a. True
b. False

Answer: a, c


Quiz

Business Objects are modeled in:

a. Business Application
b. ETCG Application
c. AACG Application
d. Continuous Control Monitoring Module

Answer: b, d


Quiz

Synchronization loads the data values for the Business Objects defined in the Transaction Model:


a. True
b. False

Answer: a, c


Quiz

In the EGRC application, Transaction Models and Model Results both can be imported and exported:


a. True
b. False

Answer: b


Summary

In this lesson, you should have learned how to:

Use the Manage Model page
Export and Import Models
View Models
Synchronize data
View or export results

ETCG Create and Edit Models

Objectives

After completing this lesson, you should be able to:

Use the Create Model page
Select business objects
Use custom objects
Select data sources
Select and arrange filters, functions, and patterns
Create a filter, a function, and a pattern
Define model Results
Save a model and view or export results
Use a model to create a new model


Modeling

Creating the Model
Naming the Model
Selecting Business Objects



Adding Custom Objects to the Business Objects Library

You can import any set of data as a "custom object," and use it as if it were a business object.
For this purpose, you can import only xml files, which must observe the following formatting
conventions:
The first row of the file must be column headers. Each header name serves as an attribute of
the object. Each header entry must comprise a name and, in parentheses, a data type, for
example NAME(String), AMOUNT(Double), IDNUMBER(Integer), or DATE(Date).
The second row and beyond are considered its values.
The file should contain only one sheet and cannot support multiple sheets.

Use Custom Objects
Before the xml file is uploaded, the following format-related conversions must be made in the
datasource xls file:
Computed values should be converted to absolute values.
Any "total" amount rows not directly tied to specific data attributes should be removed.
Numeric formatting, such as $ signs, is not supported. The format should be changed to
Number format.
Negative amounts should be formatted to use a negative sign (-), not open and close
parentheses.
Date format is mm/dd/yyyy.
Excel 2003 and later are supported. (You can take an xls file as the datasource, properly
format it to support upload to ETCG, and perform a Save As operation to convert it to an xml
file.)
If you choose to refresh an existing custom object, the new file must use the exact format of
the original. Columns (attributes) can neither be added nor deleted. Only additional rows of
values can be added. Moreover, only the user who added the custom object has access to it,
or can refresh it.
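
A pre-upload check for the formatting conventions above, added here as an example; it is not Oracle's code. It takes the sheet as rows of strings already read from the datasource file, and the function names, finding messages, the "total" row heuristic and the restriction to the four data types named above are assumptions.

```python
import re
from datetime import datetime

# Data types named on the page; treating this list as complete is an assumption.
TYPES = {"String", "Double", "Integer", "Date"}
HEADER_RE = re.compile(r"^\s*([^()]+?)\s*\(\s*(\w+)\s*\)\s*$")


def parse_header(row):
    """Turn ['NAME(String)', ...] into [('NAME', 'String'), ...]; raise ValueError if malformed."""
    columns = []
    for cell in row:
        match = HEADER_RE.match(cell)
        if not match or match.group(2) not in TYPES:
            raise ValueError(f"bad header entry: {cell!r}")
        columns.append((match.group(1), match.group(2)))
    return columns


def check_cell(value, dtype):
    """Return a description of the problem with one cell, or None if it is acceptable."""
    text = value.strip()
    if text.startswith("="):
        return "computed value; convert it to an absolute value"
    if dtype in ("Double", "Integer"):
        if re.fullmatch(r"\(.*\)", text):
            return "negative amount in parentheses; use a negative sign"
        if re.search(r"[$,%]", text):
            return "numeric formatting is not supported; use Number format"
        pattern = r"-?\d+" if dtype == "Integer" else r"-?\d+(\.\d+)?"
        if not re.fullmatch(pattern, text):
            return f"not a valid {dtype}"
    elif dtype == "Date":
        try:
            datetime.strptime(text, "%m/%d/%Y")
        except ValueError:
            return "date is not in mm/dd/yyyy format"
    return None


def check_rows(rows):
    """Check a sheet (first row = headers). Returns (row number, attribute, problem) tuples."""
    columns = parse_header(rows[0])
    findings = []
    for line_no, row in enumerate(rows[1:], start=2):
        if len(row) != len(columns):
            findings.append((line_no, None, "wrong number of cells"))
            continue
        # Heuristic (assumption): any cell containing the word "total" marks a total row.
        if any(re.search(r"\btotal\b", cell, re.I) for cell in row):
            findings.append((line_no, None, "looks like a total row; remove it"))
            continue
        for (name, dtype), cell in zip(columns, row):
            problem = check_cell(cell, dtype)
            if problem:
                findings.append((line_no, name, problem))
    return findings


def refresh_compatible(original_header, new_header):
    """A refresh must keep the exact columns: none added, none deleted, same types."""
    return parse_header(original_header) == parse_header(new_header)


# Constructed sample sheet, not real data.
SAMPLE = [
    ["NAME(String)", "AMOUNT(Double)", "IDNUMBER(Integer)", "DATE(Date)"],
    ["Acme Ltd", "1250.00", "1001", "03/15/2015"],
    ["Borel Inc", "$980.50", "1002", "03/16/2015"],
    ["Cato LLC", "(75.25)", "1003", "2015-03-17"],
    ["Dune Co", "=B2+B3", "1004", "03/18/2015"],
    ["Total", "2305.75", "", ""],
]

if __name__ == "__main__":
    for finding in check_rows(SAMPLE):
        print(finding)
```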



Upload a Custom Object

Import Custom Objects
To upload a custom object:
1. Click on the Custom Objects button in the Library. An Import File dialog opens.
2. Create a name for the object in the Name field. This is the object name the Library will
display.
3. Click the Browse button. A Choose File dialog opens. In it, use standard Windows
techniques to navigate to, and select, the file you want to import. The path and name of
the file then populate the field next to the Browse button in the Import File window.
4. With the file selected, click on the OK button. The custom object is now available for use
as if it were a standard business object.



Create Model - Library Grid

Library menu for building models contains:
Business Objects Tab
Shows delivered and custom objects that store transaction data
Models and Templates Tabs
Models Tab - Existing models you have created
Templates Tab - Predefined generic models for use by all users
Use an existing Model (Defined or Pattern type) or Template as a starting point for new model,
or build from scratch adding business objects

The Library
In a grid at the left of the Create Model page, select (click on) the Business Objects tab, and
then on an object in the grid. (Although it's unlabeled, this grid is known as the Library.)
More business objects may exist than can be displayed at once, and so the Library is divided
into pages. Click on the icon that looks like a right-pointing triangle to move forward one page,
or the right-pointing triangle with a vertical bar to move to the last page. Click on the left-
pointing triangle to move back one page, or the left-pointing triangle with a vertical bar to
move to the first page.



Create Model - Regions

Three main regions to the create/edit model canvas area:
1. Model Objects
2. Model Logic
3. Result Display


Model Objects Region

Model Names must be unique
Add one or more business objects to a model
Review available attributes, or add custom attributes
Apply Data Sources to model; when default data source defined, assigned automatically when saved


Select Data Sources


Manipulate Objects in the Model Objects Pane

Within the Model Objects pane, each object appears as a window that lists the attributes
belonging to the object. In this window, you can view, but not actually select, the attributes.
You can do the following:
Remove a business object from the model: click on its button.
Move a business object to the left or right of other objects: Click on the downward-pointing,
green triangle. Two options appear; click on either Move Left or Move Right.


Custom Attribute

Create, modify, or delete custom attributes within any business object (appears at top of
attribute list in object)


Supports modifiers against another attribute,
such as -, +, *, /
Use custom attribute as filter, or data result set

Create Custom Attributes
1. Click on the green + icon. A dialog box opens, labeled with the name of the business object.
2. In an Attribute Name field, create a name for the new attribute.
3. In a Base Attribute field, select one of the existing attributes.
4. In a Modifier field, select a mathematical operator: + (addition), - (subtraction),
* (multiplication), or / (division).
5. In a Value field, enter a value that the Modifier will apply to the Base
Attribute.
6. Click on the OK button.
Subsequently, you can use the custom attribute in filters. Custom attributes appear at the top
of the list of attributes displayed by the business object, and each has an edit icon (which
looks like a pencil). You can click on a custom attribute to open another dialog box in which
you may either edit or delete the custom attribute.



Model Logic Region

Once business objects and Data Sources are selected, create one or more filters in the Model
Logic pane. A filter is a logical statement that defines what makes a transaction risky (or, if a
model contains more than one filter, defines one element of the risk).
New Filter
To add the first filter to a model, click on a button (or a corresponding option in the Actions
menu) that selects the type you want: New Filter for a defined filter.
New Function
A defined filter may specify a function that operates on its attribute, for example, calculating
the average of purchase-order amounts. If so, it uses a grouping feature to establish sets of
records to which the function applies. For example, it may group records by supplier so that
it can calculate an average purchase-order amount for each supplier.
New Pattern
A Pattern filter employs a pattern, a statistical function provided by Oracle that identifies
baselines and outliers to those baselines. A model can contain only one pattern, so you can
select the New Pattern button only once.



Filters, Functions, and Patterns

Each model element (filter, function, pattern or group filters) you create appears as a dialog
box in a Model Logic pane.
To define the element, make selections in the fields displayed by its dialog box.
As you add elements, each is positioned vertically or horizontally with respect to others:
A vertical pairing depicts an AND relationship.
A horizontal pairing depicts an OR relationship.
Elements are also connected by arrows that suggest the order in which their contents will be
processed.

Select and Arrange Filters, Functions, and Patterns
To add the first element to a model, click on a button (or a corresponding option in the Actions
menu) that selects the type you want: New Filter, New Function, or New Pattern.
To add subsequent elements, click again on any of those buttons (or menu options). As you
do, keep these concepts in mind:
a. No matter whether you add a filter, function, or pattern, it appears by default immediately
beneath the lowest object in your model hierarchy. If, for example, a model contains four
vertical levels and you click on the New Filter button, a filter appears at the fifth vertical
level.
b. Once two or more elements exist in your model, you can select them: hold down the Ctrl
key and click in the title bars of the elements you want to select. When you select an
element, its entire dialog box turns blue. (Ordinarily, the perimeter is blue but the interior
is white.) You can select one or multiple elements, but in the latter case, those you
select must be adjacent to one another.
c. Having selected elements, you can add a new element specifically in relation to those
you've selected. If, for example, your model includes two filters in an AND relationship
(stacked vertically), you select the higher one, and you click on the New Filter button,
the new filter appears immediately beneath that higher one; the filter that had been
second in the model hierarchy moves to the third level.
d. You can drag and drop existing elements to new positions within the model.



Defined Filter Options

Use the AND, OR filter type
Three available functions (AVG, COUNT, SUM), requires a Data Group filter when used
Conditions available, can vary depending upon attribute (e.g., Contains only available with
text attribute types)
Use conditions in conjunction with Values or another Object Attribute

Group Filters
Group two or more related filters together by highlighting them and selecting the Group Filters
option.



Example: Defined Filter Options

AND filters
Condition across Object Type
Contains condition against text attribute
OR filters, combined with AND

Create a Filter
To create a filter:
1. Click on the New Filter button, or on Actions > New Filter. A dialog box appears in the
Model Logic pane.
2. In the header area of the dialog box, enter a name for the filter in the field next to the
label Filter.
3. An Object field lists all of the business objects you've added to the model in the Model
Objects pane. Select (click on) the one from which you want to select an attribute for use
in this filter.
4. An Attribute field presents a list of attributes belonging to the object you selected in step
3. Select (click on) the one you want to use in this filter.



Create a Function

A function applies a mathematical calculation to groups of attribute values, then determines
whether each calculated value poses a risk.
For example, it may calculate the average beginning balance credit for bank accounts, and then
find average credit values that are less than a threshold amount. To do so, it must establish
groups of records to which it applies the mathematical calculation.
In the example, it must group records by bank account, so that it can take the average
beginning balance credit for each account.

The function can perform this grouping on its own, in which case groups contain records for
which the values of an attribute exactly match. In the example, it might group records by Bank
Account ID.
Or, the function can be used in conjunction with a filter that uses the Similar or Similar to
condition to create groups of records. In the example, the filter might create sets of records for
which an Account Name attribute contains values that are 95 percent similar.
If you intend to use such a filter to group records, create it first. Then create the function,
placing it in an AND relationship with (below) the filter.



Create a Pattern

You can add one pattern to a given model (and the addition of that pattern classifies the model
as the pattern type, even if it also contains defined filters).
There are initially six pattern types (although Oracle continues to develop patterns and make
them available independently of GRC releases).
Each pattern calculates a baseline value and then identifies transactions that vary excessively
from the baseline; each takes parameters, which enable you to define the variance that is
considered excessive.

1. In the Model Logic pane, click on Actions > New Pattern, or on the New Pattern button.
A dialog box appears. Note, however, that you must first have selected at least one
business object for the model with at least one attribute that provides data upon which
patterns can operate (in the case of Benford and Mean patterns, numeric values).
Otherwise, an error message informs you that no patterns are associated with the
selected business objects.
2. In the header area of the dialog box, enter a name for the pattern in the field next to the
label Pattern.
3. In the Pattern list box, select the pattern you want to use. (If you have not selected a
business object appropriate for your patterns, however, this list box is empty.)
4. Click on the green + icon; a row appears beneath the Object and Attribute headings. In
the Object field of this row, select a business object; in the Attribute field, select an
attribute belonging to the object. These fields display only objects and attributes upon
which your pattern can operate. You may create additional rows to select additional
attributes for the pattern to evaluate. You may also select a row and click on the red
icon to delete the row.
5. Under the headings Parameter, Value, and Unit, one row appears for each parameter
appropriate for the pattern you've selected. For each parameter row, enter a value in the
Value field and select a unit of measurement to apply to that value, for example, 20
percent.



Model Type: Pattern Filters

Mean Pattern
Identify the average of a list of numbers of payments.
Benford Pattern
Identify anomalies of the first digit occurring outside the Benford Law.
Pareto Pattern (80-20 Rule)
Identify top 20% of Suppliers that send 80% of duplicate invoices by amount value
Absolute Deviation Pattern
Identify Invoices for disk drives that are in the top 10% in price deviation from the average price for disk drives
Anomaly Detection Pattern
Identify T&E reports where the hotel per day charges are much higher (normal distribution) than all the other T&E reports
Clustering Pattern
Identify groups of vendors based on uncollected vendor balances

Pattern filters are statistical algorithms applied to identify baselines and anomalies in data.
Two delivered patterns are available: Mean and Benford.
Only one pattern filter is allowed per model, and can be used in conjunction with other filters.
If at first your pattern model does not return any graph/data points/suspect transactions, try
lowering threshold numbers.
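
What a first-digit (Benford) check computes, and why lowering the threshold returns more data points, as an added illustration; it is not Oracle's implementation of the Benford pattern. The function names, the single `threshold_pct` parameter (deviation in percentage points) and the constructed sample amounts are assumptions.

```python
import math


def benford_expected():
    """Baseline: expected share of each leading digit 1-9 under Benford's law."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of a non-zero amount; None for zero."""
    if not amount:
        return None
    # Scientific notation puts the first significant digit first.
    return int(f"{abs(amount):.15e}"[0])


def benford_outliers(amounts, threshold_pct):
    """Return the digits whose observed share differs from the baseline by more
    than threshold_pct percentage points, with the transactions behind them."""
    by_digit = {}
    for amount in amounts:
        digit = leading_digit(amount)
        if digit is not None:
            by_digit.setdefault(digit, []).append(amount)
    total = sum(len(values) for values in by_digit.values())
    if total == 0:
        return {}
    flagged = {}
    for digit, expected in benford_expected().items():
        transactions = by_digit.get(digit, [])
        observed = len(transactions) / total
        if abs(observed - expected) * 100 > threshold_pct:
            flagged[digit] = {
                "observed_pct": round(observed * 100, 1),
                "expected_pct": round(expected * 100, 1),
                "transactions": transactions,
            }
    return flagged


# Constructed payments: 100 amounts with too many starting with 4, as might
# happen when payments cluster just under a 5000 approval limit.
COUNTS = {1: 28, 2: 16, 3: 11, 4: 22, 5: 6, 6: 6, 7: 5, 8: 3, 9: 3}
SAMPLE = [d * 1000 + 7 * i for d, n in COUNTS.items() for i in range(n)]

if __name__ == "__main__":
    for threshold in (5, 2):
        hits = benford_outliers(SAMPLE, threshold)
        print(threshold, {d: (h["observed_pct"], h["expected_pct"]) for d, h in hits.items()})
```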



Define Model Results

Once the model is developed, select attributes for which the model, when it is run, will return
values for each risky transaction it finds.
Be careful to choose attributes that reflect the level of detail you want to see in your results.
A model might identify many records that exceed the risk it specifies, but if you define results
so broadly that there would be no way to distinguish these records, the results window will
present only one record and eliminate the apparent duplicates.

To define results:
1. Scroll down to the Result Display pane in the Create Model page. (Or, collapse other
panes by clicking on their toggle icons.)
2. An Available Columns box lists the business objects included in the model. For each,
click on the toggle to reveal a list of the attributes that belong to the business object.
3. Select an attribute for which you want to see results (click on it), then click on the >
button. The attribute moves to a Selected Columns box. Repeat this process for all other
attributes for which you want to see results. Alternatively, click on the >> button to move
all attributes to the Selected Columns box.
If you reconsider your choices, select attributes individually in the Selected Columns box
and click on the < button to return them to the Available Columns box. Or, click on the
<< button to return all attributes to the Available Columns box.
4. Select the Include for Data Analytics check box if you want to make model results
available to Global Risk Compliance Intelligence (GRCI), another Oracle product. If not,
clear the check box.



Save the Model



View Results

Results are displayed in a popup window and analyzed by the user
For longer processes, users can return to model later to view temporary results
One set of data stored per model at a time
Export results to supported file type
xls
Pattern model types generate results in a graph, where the user can click on data points to view underlying data


View Results Page

Select and order attributes from object to include in data result set
All objects include user/date attributes
Performance can be affected by number of object/attributes and datasource
The model must be saved before running View Results

Model Results
Suppose, for example, a model searches for purchase-order amounts above a threshold
value, and you choose both supplier and purchase-order amount as your results attributes.
For each supplier in violation of the model, you may see multiple records, one for every PO
amount above the threshold value.
If, however, you choose only supplier as a results attribute, you would see only one record for
each supplier in violation of the model.
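
How the chosen result attributes change the record count, together with the AND/OR layout and grouped functions from the earlier slides, as an added example over constructed purchase-order records. It is not ETCG code; the record fields, helper names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed purchase-order records, not real data.
ORDERS = [
    {"supplier": "Acme", "po_amount": 12000, "buyer": "kim"},
    {"supplier": "Acme", "po_amount": 15500, "buyer": "kim"},
    {"supplier": "Acme", "po_amount": 900, "buyer": "lee"},
    {"supplier": "Borel", "po_amount": 11000, "buyer": "lee"},
    {"supplier": "Cato", "po_amount": 400, "buyer": "kim"},
]

FUNCTIONS = {"AVG": lambda v: sum(v) / len(v), "COUNT": len, "SUM": sum}


def amount_over(limit):
    """Filter: purchase-order amount above a threshold value."""
    return lambda record: record["po_amount"] > limit


def equals(attribute, value):
    """Filter: attribute equals a value."""
    return lambda record: record[attribute] == value


def run_model(records, levels):
    """levels is a list of vertical levels (AND); each level is a list of
    filters placed side by side (OR). Returns the records that match."""
    return [r for r in records
            if all(any(f(r) for f in level) for level in levels)]


def group_function(records, group_by, attribute, func, is_risky):
    """Apply AVG, COUNT or SUM to an attribute per group (exact match on
    group_by) and return {group: value} for groups whose value is risky."""
    groups = defaultdict(list)
    for record in records:
        groups[record[group_by]].append(record[attribute])
    values = {key: FUNCTIONS[func](vals) for key, vals in groups.items()}
    return {key: value for key, value in values.items() if is_risky(value)}


def results(records, columns):
    """Keep only the selected columns and drop rows that can no longer be
    told apart, as the results window does with apparent duplicates."""
    seen, rows = set(), []
    for record in records:
        row = tuple(record[c] for c in columns)
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


if __name__ == "__main__":
    violations = run_model(ORDERS, [[amount_over(10000)]])
    print(results(violations, ["supplier", "po_amount"]))  # one row per PO amount
    print(results(violations, ["supplier"]))               # one row per supplier
```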



Example: View Results - Output

Open Results
To open the Results window, click on either of two View Results buttons, located in the title
bars of the Model Logic and Result Display panes.
a. If the model has not been evaluated previously, a dialog box prompts you to choose
between Run and Run in Background options. If you select Run, the Create Model (or
Edit Model) page remains open, and displays run status at the foot of the page. If you
select Run in Background, the model runs, but you return to the Manage Model page,
where you may work with another model or navigate to another GRCC page and work
there. (A Cancel option also exists; it stops the run and keeps you at the Create or Edit
Model page.)
b. If the model has been evaluated previously, a dialog box prompts you to decide whether
to overwrite existing results. Select No to display the existing results. Select Yes to
generate and display a new set of results. In this case, the dialog box prompting you to
run the model directly or in the background appears; make a selection there. When you
generate a new run, the earlier set of results is lost.

Example: Results Exported to xls

Export Model Results
You can export model results to an Excel spreadsheet.
1. In the results window, click on Actions > Export to Excel.
2. A pop-up window offers you options to open or save the export file. Typically, click on its
Save button and, in a Save As dialog, use standard Windows techniques to navigate to
a folder in which you want to save the file.

Use a Model to Create a New Model

Rather than create a model from scratch, you may use an existing model or uploaded model
as a starting point, editing it to create a new model.
1. In the Library pane at the left of the Create Model (or Edit Model) page, click on the
Models tab.
2. The Library displays instances of the object you've selected. (As you create or import
models, they populate a grid available in the Models tab.) Click on the model you want
to use.
3. Click on the Open button. The model values populate the Name, Model Objects, Model
Logic, and Result Display panes. Using procedures described above, rename the
model, and then edit, add to, or delete from the source model values. Save the new
model.

Summary

In this lesson, you should have learned how to:

- Select business objects
- Use custom objects
- Select Data Sources
- Select and arrange filters, functions, and patterns
- Create a filter, a function, and a pattern
- Define model Results
- Save a model and view or export results
- Use a model to create a new model


ETCG Create and Manage Transaction Controls

Objectives

After completing this lesson, you should be able to:

- Create Transaction Controls
- Understand Transaction Control Components
- Understand How to Run a Control Analysis
- Understand Remediation
- Understand How to Manage Result Incidents
- Understand the Reports and Extracts
- Understand Assigning Relationships
- View Change History


Create Transaction Controls

Select models that have been tested and refined before creating a control. The process of
using a model to create a control behaves like a copy action; once the control is created,
updates to the original model have no impact on the control.
Model components (name, description, objects, logic, attributes, and perspectives) are
copied into the control as the first step. The control then captures additional information such
as priority, status, datasource, related controls, result management perspective assignment
(result investigator), and the ability to add any comments to the control that you define.
Once a control is created and updated, and analysis is run, permanent incidents are created.
After the control is run, you can update the control elements as necessary such as priorities,
perspectives, comments, and result investigator one control at a time or in mass.

You can create a control from a defined or pattern model. Note, however, that a
pattern model generates graphic results, but when a control is generated from
the pattern model, the graph is unavailable. It is advised that you use caution in
using a pattern model deployed as a control unless you have done some
extensive analysis working with the model. When a pattern model is deployed as
a control, one incident is created per unique row for all the rows underlying the
data points in your graph. Incidents basically represent a single transaction from
your ERP system, and you could potentially end up with a high volume of
incidents that might be hard to analyze and manage.


Transaction Controls Components

- Assign Priorities
- Select Datasources
- Assign Perspectives

Assign Priorities
In the Priority field, a user enters a number that expresses the importance of the control (and related
incidents) in comparison with others. You should establish a set of priority values and enforce consistent
usage within your organization.
Select Datasources
As a user creates a control, he must select one or more datasources for it. (Even if this is to be the
datasource already selected for the model from which the control is developed, the user must actively
select the datasource for the control.)
Assign Perspectives
A perspective (once again) is a set of related values, and individual values may be associated with
individual models, controls, or incidents. Each control may have two sets of perspective values: Control
Perspectives values characterize and secure the control itself. These are inherited from the model upon
which the control is based, although a user can add to them while creating the control. Result
Management Perspective Assignment values characterize and secure incidents the control generates; a
user selects these values while creating the control.
Each incident inherits, from the control that generates it, values for the CCM Type and Datasources
system perspectives. The assignment of other perspective values is optional, but can be very beneficial
for the analysis and remediation of incidents. One can use these values for sorting, filtering, and reporting.
In addition, they determine which users have access to the incidents.

Transaction Controls Components

- Assign Result Investigators
- Other Considerations

Assign Result Investigator
A result investigator looks into incidents and assigns a status to each that reflects what is
done to resolve it. Initially, the control that generates a set of incidents also designates the
result investigators for those incidents. Worklists alert investigators to the incidents they need to
resolve.
The perspective values assigned to an incident determine the users who are eligible to serve as
result investigators for that incident. Initially, each incident inherits perspective values from the
control that generates it: not only values for the CCM Type and Datasources system
perspectives, but also those selected as Result Management Perspective Assignment values
for the control.
By default, the control selects, as result investigators, all users whose job roles include data
roles with matching perspective values (and duty roles that authorize working with incidents).
The user who creates a control may accept this All Eligible Users setting, or may select one
among the eligible users.
Other Control Considerations
A control's status is Active (the default) or Inactive. If a control is inactivated after generating
incidents, they are set automatically to a Control Inactive status.
Other optional control elements include comments regarding the control.

Run a Control Analysis

You are now ready to run the analysis for your selected controls, to generate
incidents and begin your formal remediation process. New incidents created
during this process are assigned the status of Assigned.
Some additional information you should understand about the transaction
control and the incidents it generates is as follows:
- Each incident created is assigned a unique identifier.
- Each incident contains only one transaction record.
- You must have appropriate data access to see the incidents in your
  Manage Incident Results grid.
- The Manage Incident Results grid displays some attributes from the
  transaction control logic that will assist you during analysis and reporting
  for remediation. They include Incident Information, Grouping, and
  Grouping Value. (Any additional columns outside these three are also
  generated in the incident results for filters like similar, similar to,
  function, interval on function, and equals across the same business
  object and attribute, but are included in the incident details and not
  available in the grid.)


Remediation

Remediation or Resolution is the act of cleaning up your business application by
identifying, reducing or eliminating Transaction Control Violations.
Though incidents are assigned initially, remediation is done in the Business Application
to which the incidents belong.
Once Business Users have completed the remediation in the Business Application, they
should notify GRC Users, who mark the completion of the rectification in the GRC
Application against the relevant incident by changing the STATUS on the Manage
Incidents page.

The evaluation of transaction controls generates incidents, each the record of a
transaction that exceeds the risk defined by a control. Each consists of values for
attributes that were selected for a model from which the control was developed.
A Manage Results home page presents incidents belonging to the person currently
logged on to GRC (for your purposes, you). Incidents may belong to you because
controls that generate them identify you as a result investigator, or because other
investigators assigned them to you. To open the page, select Result Management in the
Navigator, then Manage Incident Results among the Result Management tasks.
From the Manage Results home page, you may navigate to other pages, which show
detailed records of individual incidents. To return from those pages to the Manage
Results home page, click on the Manage Results tab.
The actual resolution of incidents occurs outside of GRC. For example, you may
determine that a purchase order should be canceled if a transaction control shows that
it is suspect; that action would be completed in the business-management application to
which it applies. The GRC Manage Results pages enable you to review incident details,
and to set the status of incidents to reflect whether anything should be, or has been,
done about them.

Manage Result Incidents

To view the list of incidents generated by Transaction Controls, navigate to
Results Management > Manage Incident Results.

From the Manage Results home page, you may navigate to other pages, which show detailed
records of individual incidents. To return from those pages to the Manage Results home page,
click on the Manage Results tab.
The actual resolution of incidents occurs outside of GRC. For example, you may determine
that a purchase order should be canceled if a transaction control shows that it is suspect; that
action would be completed in the business-management application to which it applies. The
GRC Manage Results pages enable you to review incident details, and to set the status of
incidents to reflect whether anything should be, or has been, done about them.

Incident Status and States Flow

Incident Status:
- Accepted
- Remediate
- Resolved
Incident States:
- In Investigation
- Approved
- Closed

Initially, incidents appear at an Assigned status, which means that you (potentially along with
others) have been designated to address them. You can update an Assigned incident to any
of the following statuses:
- Accepted, which means you have determined that nothing need be done to resolve the
  incident.
- Remediate, which means you have decided that some action must be taken in the
  business-management application to resolve the incident.
- Resolved, which means you have confirmed that the remedial action has been carried
  out in the business-management application.
GRC may set other statuses:
- Control Inactive means that an incident is no longer of concern because the control that
  generated it has been inactivated.
- Authorized and Closed apply exclusively to incidents generated by AACG controls (See
  the Application Access Controls Governor User Guide.)
An incident has not only status, but also one of three states: In Investigation, Approved, or
Closed. A user cannot directly set the state of an incident. He can change its status, then
either save or submit it, and GRC assigns a state as a result of these actions. A submission
can cause a state change; a save cannot.

Focus on Areas with Highest Risk, Priority, and Volume

The Incident Management Menu gives you a pretty good idea of where your biggest areas
of concern are.
There are various ways to continue analyzing the data.


Reports and Extracts to Analyze Violations

Running a violation report or extract is another way to analyze Transaction Control
Violations and help with remediation.
A few reports are commonly used to help analyze violations:
- Incident by Control Summary Extract Report
- Transaction Incident Details Extract Report

Viewing Controls or Incidents in Summary
You can set the Manage Results home page to display either a list of controls that have
generated incidents, or a list of incidents generated by those controls. In the control list, each
control links to a list of the incidents only it has generated. From any list of incidents, you can
open pages that provide details of individual incidents.
For a list of controls, select Control Summary in the View By list box.
For a general list of incidents, select Incident Results in the View By list box.
For a list of incidents generated by a specific control, click on its Pending Result Count in the
Control Summary list.

Mass-Editing Incidents

You can set status for any number of incidents, or write comments for them, all at once.


Viewing and Editing Individual Incidents

We can open pages for individual incidents:
1. Generate a list of incidents.
2. In that list, select any number of incidents.
3. Select Actions > Open / Edit (and edit requisite information).
One page opens for each incident you've selected. A tab appears at the top of each page,
labeled with the appropriate incident ID number. To view an incident page, click on its tab.
To return to the Manage Incidents page, click on its tab.


Assigning Incidents

The result investigator for an incident can assign the incident to another user.

If you are the result investigator for an incident, you can assign the incident to another user.
You can do this either from the Manage Results home page (in which case you can reassign
any number of incidents at once) or from the edit page for an individual incident.
Because eligible investigators are users whose roles specify perspective values that match
those assigned to an incident, reassigning the incident
may involve resetting the perspective values configured for the incident.

Assigning Relationships

ICCM module can be associated to objects in EGRCM modules.
For example, incidents may be related to processes, other base objects, risks, or controls,
which may exist in the Financial Governance module or any custom module.

You can establish relationships between incidents in the CCM module and objects in EGRCM
modules. Incidents may be related to processes, other base objects, risks, or controls, which
may exist in the Financial Governance module or any custom module. Once a relationship is
created, the incident is listed both in the CCM Manage Results page and in a Results tab of
the Manage page for the EGRCM object to which the incident is related.

Contextual Reporting for Incident Results

- Control Summary View
  - Control Summary Extract Report
- Incident View
  - Result Summary Extract Report
  - Transaction Incident Details Extract Report

Control Summary View: generate a Result by Control Summary Extract Report. It lists access
and transaction controls that have generated pending incidents, and provides information
about each control.
Incident View: generate the following transaction reports:
Result Summary Extract Report lists incidents generated by access and transaction
controls, providing summary details for each.
Transaction Incident Details Extract Report lists incidents generated by a transaction
control. It provides not only the information that would be included in the Result
Summary Extract Report, but also values for all attributes selected to characterize
suspect transactions. These attributes vary from one control to another, so each run of
the report must focus on a single control.

Viewing Change History

We can view a history of changes made to incidents or to the controls that generated them.
To do so:
1. Generate a list of controls or a list of incidents; in the list, click on the row for a
   control or an incident. Or, open the details page for an incident.
2. Click on a left-pointing triangle located midway down the right border of the Manage
   Incidents home page, or an incident-detail page. A change-control pane opens at the
   right of the screen and shows records of each change.


Summary

In this lesson, you should have learned how to:

- Create Transaction Controls
- Understand Transaction Control Components
- Understand How to Run a Control Analysis
- Understand Remediation
- Understand How to Manage Result Incidents
- Understand the Reports and Extracts
- Understand Assigning Relationships
- View Change History


Configuration Controls Governor Overview

Objectives

After completing this lesson, you should be able to:

- Understand Configuration Controls Governor (CCG) functionality
- Understand snapshots and comparisons
- Understand change tracking
- Understand CCG terminology
- Understand CCG users and roles
- Describe CCG metadata and architecture


Oracle Applications Setup Overview

Setup Options
+ Business Requirements
_____________________
= Application Behavior


Oracle Applications Setup Overview

Figure: Setup Data (Key Controls) and Operational Data. Set-ups are your key controls.

Examples of set-ups include:
Setup Data
- Application Security
- Document Approvals
- Chart of Accounts
- Profile Options
- Users
- Application Setups
- MRP rules
Operational Data
- Customers
- Suppliers
- Employees
- Buyers
- Items
- Chart of Account Values
- Category Codes

Why Monitor Your Oracle Applications Set-ups?

- How do you verify Oracle Applications set-up standards are being consistently applied
  across organizations?
- How do you monitor that approval controls and financial limits are changed only when
  properly authorized?
- How do you determine why functionality works in one instance but not in another?
- How do you ensure your set-ups are defined consistently across instances when changes
  are propagated?
- How do you automate SOX and other audit or regulatory compliance requirements?
- How do you manage the changes required for new rollouts, business organizations, or
  version upgrades?
- How do you provide time stamped documentation of application setups?
- How do you identify what changed when errors occur?


Why Oracle Application Set-ups Change

Intentional Reasons for Set-up Changes
- Operational Changes
- Growth of Company
- Business Requirement Changes
- New Functionality Introduced by Upgrades

Unintentional Set-up Changes
- Unknown Consequences
- User Error
- Unexpected Changes Caused by Patches

Class Discussion:
- What are examples of Key Controls of particular interest to your organization?
- Who has the responsibility to define the values for these controls?
- Who has the authority to access the set-up screens for these controls?


CCG Functionality

Functionality   | What it can do for you
----------------|-----------------------------------------------------------------
Snapshots       | Automate time-stamped documentation of key controls across all Oracle Applications modules.
Comparisons     | Difference Analysis: determine what's different when problems occur, verify what's changed after project activity. Monitor consistency of controls across Instances, Versions, Points in Time, Operating Units, and Sets of Books.
Change Tracking | Automate real-time monitoring of key controls in Oracle. Ensure visibility and integrity of controls over a period of time.


Snapshots and Comparisons

- Snapshot Occurrences provide a point-in-time picture of set-ups for a specified object
  in a specified instance.
- Snapshot Definitions can be scheduled to execute immediately or for a future date(s)
  and time(s).
- Snapshot and comparison reports can be used to monitor set-ups for multiple purposes
  including IT diagnostics, audit and compliance requirements, change management, and
  operational support.


Change Tracking

Automatically captures a complete historical audit trail for deployed objects.
Details of EVERY change: Who, What, When, Where.


Change Tracking Report

Figure: Change Tracking Report, with callouts When?, Where?, Who? and What?


Set-up Screen Example: AP Payment Terms


Terminology: Unique Identifiers and Primary Keys

- The Oracle Applications store data in Oracle Database tables which have been designed
  using Relational Database Design principles.
- Each table has a Unique Identifier: a field/column or fields/columns combination whose
  value will be unique for each and every row/record in that table.
- Unique Identifiers are usually meaningful business values. In other words, character
  strings that have meaning to the individuals who use Oracle Applications to conduct
  their business.
- Each table also has a Primary Key: a field/column or fields/columns combination whose
  value will be unique for each and every row/record in that table.
- However, Primary Keys are usually NUMBERS assigned by the software application that
  are used by the software application, but don't really have business meaning.
-k his S
d y
d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle

t h R ra
a r a nsfe
Bh n-tra
no

Oracle GRC Controls Suite Fundamentals Ver. 8.6/7.3.3/5.5.1 14 - 12


CCG Definitions Example Screenshot


Snapshot HTML Report Example


Comparison Results Summary Example


Comparison Report Example (HTML)


Change Tracker Screenshot Example


Change Tracking Example


Repository Overview

[Diagram: ERP Instances (Prod1, Prod2, Dev); CCG HOME: CCG Setup Metadata, Definitions, and a
historical REPOSITORY of Occurrences and Change Tracking Data; APP SERVER; USER. Labelled flows:
Change Tracking Transfer; Generate a Snapshot Occurrence by performing a Snapshot Definition;
Generate a Snapshot Occurrence Comparison.]

There are three ways to populate the CCG historical Repository:
- Generate a Snapshot Occurrence by performing a Snapshot Definition: Each time a
  Snapshot Definition is performed, the setup values for the definition's specified objects
  are captured via SQL queries against the definition's specified ERP instance. The
  captured values are stored in a Snapshot Occurrence in the CCG Repository. Snapshot
  Occurrences are identified by the Snapshot Definition that was performed and the
  performance date and time.
- Generate a Comparison Occurrence by performing a Snapshot Occurrence
  Comparison: When generating a Comparison Occurrence, two specific Snapshot
  Occurrences are selected to be compared. The results of the Comparison are stored in
  the repository as a Comparison Occurrence.
- Transfer Change Tracking Data: Adds new changes to the Change Tracker data.


Main Menu Choices

All CCG users have Home, Workbench, Jobs, and Help on the main menu bar.

Which CCG Roles a User is assigned determines:
- Whether Administrator is also on the main menu bar (most class attendees will NOT
  have the Administrator role)
- What choices the user has under the Workbench menu choice
- Whether the user can Schedule Snapshots and Change Tracking (this shows up later
  when scheduling or editing, not in the menu)
- What Program choices the user has when scheduling a standalone job


CCG Roles

In CCG, Roles determine which Users can use what functionality.
The CCG Administrator assigns Roles to Users.
- CCG User
- Snapshot Scheduler
- CCG Developer
- Change Tracking Scheduler
- Administrator

- CCG User (many):
  - Creates and edits Definitions
    - Snapshot
    - Change Tracking
  - Views occurrence results
  - Views Change Tracking results
- Snapshot Scheduler (many): Schedules CCG Snapshot Definitions to generate
  snapshot occurrences and generates comparison occurrences
- CCG Developer (few): Creates Snapshot Report Templates
- Change Tracking Scheduler (very few): Schedules jobs to deploy change tracking
  objects or transfer change tracking data
- Administrator (very few): Creates and maintains Users, Security Groups, Purge
  Definitions and data, and other administrative activities
Related Practice: Manage Roles and Security Groups


View Current Jobs Example


The Monitor and Log Buttons

- When the Job Status is Running, the MONITOR button is available.
- When the Job Status is Completed, the LOG button is available.
- The refresh button at the bottom of the View Current Jobs page must be clicked to
  update the job status (partial screen shot below does not show the bottom of the
  View Current Jobs page).


Metadata

[Diagram: Oracle Application Forms (Invoice: Payment Terms); Oracle Application Tables
(AP_Terms, AP_Terms_Lines); CCG Metamodel Object (AP Terms Payment)]

Why Metadata?
CCG uses Metadata to enable the user to create definitions and read reports based on their
familiarity with the Oracle applications set-up screens. Without metadata, the user would need
to understand the relational database design behind each set-up screen.
Each Oracle Applications Set-up maps to one or more Oracle Database Tables. When an
execute query is performed in a set-up screen, the data is retrieved from these tables. When
updates or new entries are made in a set-up screen and committed, the values are saved to
the applicable tables.
When a set-up screen has multiple sections, the data from the various sections must be
stored and retrieved correctly to ensure the correct associations are maintained.
For example, set-up screens such as AP Payment Terms have a Header section and a Line
Item section (also referred to as Parent-Child or Master-Detail). There is an Oracle database
table that corresponds to the Header section and a table that corresponds to the Line Item
section. Non-displayed fields, program coding, and relational database design concepts are
utilized to ensure that the correct Line Items data is always associated with the correct
Header data and vice versa.
The CCG Metadata creates a single OBJECT to correspond to each set-up screen. The user
only needs to know the OBJECT name. Via the metadata design, the OBJECT knows which
tables data must be retrieved from and the proper relationships between these tables to
retrieve and report corresponding data correctly.


Architecture: Snapshots and Comparisons

[Diagram: ERP instances Test (11i), Dev (10.7), Prod 1 (11), Prod 2 (10.7); Snapshots &
Comparisons; CCG Home; APP SERVER; USER]


Architecture: Change Tracking

[Diagram: ERP instances Test (11i), Dev (10.7), Prod 1 (11), Prod 2 (10.7), each labelled CCG;
Setup Changes; Transfer Change Tracking Data Job; CCG Home]


Summary

In this lesson, you should have learned how to:
- Understand Configuration Controls Governor (CCG) functionality
- Understand snapshots and comparisons
- Understand change tracking
- Understand CCG terminology
- Understand CCG users and roles
- Describe CCG metadata and architecture

CCG Snapshots and Comparisons

Objectives

After completing this lesson, you should be able to:
- Create snapshot definitions
- Generate snapshot occurrences
- Create and read snapshot reports
- Create and read record comparisons


Create Snapshot Definitions

- Snapshot Definitions specify:
  - Which Instance
  - Which Application
  - Which Objects
  - Optionally: Filter specifications for each object
- Snapshot Definitions are owned by their creator but can be shared with other users
  once conditions are frozen.
- Snapshots can be modified until conditions are frozen. (Note: When snapshot
  definitions are frozen, all previously created occurrences are purged.)

The Save As feature allows one snapshot to be made by copying another one; the instance may
be changed as part of the Save As process.
Develop naming conventions to make selecting the correct Snapshot Definition easier when
picking from the List of Values for Scheduling and Comparisons.


Generate Snapshot Occurrences on Demand

- Schedule a Snapshot Definition to create a snapshot occurrence with date & time stamp
  equal to when the Generate Occurrence job was executed.
- Reminder: Details of each snapshot occurrence are stored in CCG Home unless purged.
  Comparisons can be executed for two occurrences of snapshot definitions defined for
  the same object.


Create and Read Snapshot Occurrence Reports

Create Snapshot Occurrence Reports by navigating to Workbench, CCG:
- From CCG Definitions, select occurrence
- CCG Occurrences, select object
- CCG Occurrence Objects, select VALUE
- At CCG Occurrence Values, Export Selected or All in HTML, PDF, or Excel format
Values are the unique identifier (primary key) values for each of the Master records (rows)
returned. The example above shows that 57 Set of Books have been defined. If the Object is
from a Set-up screen with Header-Line Item sections (Parent-Child, Master-Detail) such as
Payment Terms, the VALUES are the Header Record Unique Identifier Values. The count of
VALUES is the count of Header Records. For example, if 24 Payment Terms have been
defined, the VALUE count will be 24, even though many of the Payment Terms may have
multiple Payment Term Lines. When exporting to a report, choose between
Show: Displayed fields only, All fields, or Template, and between Field Descriptions,
Column names, or Both.
Related Practice: Snapshots


Create and Read Same Record Comparisons

[Diagram: instances labelled Prod and Dev, with versions 11.5.9 and 11.5.10]

Comparisons provide Difference Analysis for two Snapshot Occurrences.
To perform a comparison, the user starts by picking the first occurrence from the CCG
Occurrences screen and then clicking on Compare. The user then picks the second
occurrence.
- Comparisons can be between 2 occurrences of the same snapshot, to provide an
  over-time difference analysis.
- Comparisons can be between 2 occurrences of different snapshots, to provide a
  cross-instance difference analysis.
To review the results of a comparison, the user can navigate to the details of the Generate
Comparison job, or click on Comparisons for the applicable occurrence on the CCG
Occurrences Screen. When the comparison job is performed, the rows in each occurrence
are compared by matching Header rows with the same Primary Key value. If a Primary Key
value exists in one occurrence only, that Primary Key value will be reported as a Missing
Record for the other occurrence. When a Primary Key match is found, the two parent rows are
compared and the results include the unique ids of missing child records and/or column value
differences for parent fields and for child records that exist for both parents.


Note: To see Missing Records and Missing Child Records, all fields must be selected when
exporting the report data.
Related Practice: Same Record Comparisons


Summary

In this lesson, you should have learned how to:
- Create snapshot definitions
- Generate snapshot occurrences
- Create and read snapshot reports
- Create and read record comparisons

CCG Change Tracking

Objectives

After completing this lesson, you should be able to:
- Create Change Tracking Reports
- Create Change Tracking Definitions
- Understand Change Tracking Status Reports
- Transfer Change Tracking Data
- Define Change Tracking Queries and Alerts
- Specify Change Tracking Alert Recipients


Create and Read Change Tracking Reports

To create a Change Tracking Report:
- From Apps Definitions Screen, click Change Tracker Button
- From Change Tracker, select application(s), click Changes
- From Change Tracker Objects, select Values for specific object
- From Change Tracker Object Values, choose changed only or all values, Export
  selected or all

The Change Tracker presents three levels of detail:
- Highest Level: Summary change count for each Application with change tracking
  enabled *and* at least one change event. From highest level, check which applications
  to drill down and click changes for specific ERP instance.
- Middle Level: For each application chosen above, summary change count for each
  OBJECT with change tracking enabled *and* at least one change event. From middle
  level: click values.
- Third level of detail: List of which unique identifier values have incurred a change
  event. Expand details under specific values for on-line change tracking details.


Create Change Tracking Definitions

- Use a team approach to decide which objects are to be change tracked. Team
  composition should include: Business Process Owners, Finance department personnel,
  Internal and External Auditors, IT staff.
- When deciding which objects to change track, consider regulatory implications as well
  as the following:
  - Affects / supports a control: change tracking provides visibility to ensure controls
    have been operating throughout the entire audit period
  - Financial statement impact: could potentially impact a financial statement
  - Operational impact: changes to business settings could be difficult to identify
- Determine which User(s) will be *THE* change tracking manager(s).
- The change tracking manager should create a change tracking definition for each
  Application Module for which objects are to be deployed. This is the "turn on" change
  tracking definition.
- The decisions of which objects to change track determine which objects to select in the
  Change Tracking Definitions.
- The Change Tracking Scheduler role is required to schedule change tracking definitions.
- Unlike Snapshot Definitions, Change Tracking Definitions should only be
  scheduled/performed a single time to "turn on" change tracking.
- *IF* new business requirements impact the decisions regarding which objects should be
  change tracked, the applicable change tracking definitions should be modified
  accordingly, and then scheduled/performed once again.
- These definitions should not be modified unless business requirements are modified,
  resulting in the Change Tracking Team deciding to deploy additional objects or to modify
  the change tracking specifications for objects already deployed.
- Your organization should determine a process for turning off change tracking in case of
  special circumstances, such as the application of a major Oracle Applications patch or a
  large batch upload. One recommendation is to create a second "turn off" change
  tracking definition to correspond to each "turn on" definition. The "turn off" definition
  should have no objects checked. Performing a change tracking definition with no objects
  checked will result in the revoking of all change tracking triggers for that application.


Tracking the Tracker:
The Change Tracking Status Reports
When editing a change tracking definition, three Change Tracking Status Reports are
available via buttons at the bottom of the definition screen:
- View Object Status
- View Object History
- View Tracker Status

- View Object Status: contains details regarding which objects are currently being
  tracked
- View Object History: contains details regarding the history of which objects have been
  tracked
- View Tracker Status: contains details regarding the status of the Change Tracking
  Database Triggers


Transfer Change Tracking Data

- The Change Tracking Scheduler Role is required to deploy change tracking and to
  transfer change tracking data on demand. The Change Tracking Scheduler Role
  should only be assigned to a few individuals.
- A cross-functional team should be involved in the decisions of what is to be change
  tracked. The implementation of these decisions by deploying change tracking should
  be done by fewer individuals. We will discuss this more later in the class.
- Change Tracking Data is stored in the repository until someone with the Change
  Tracking Scheduler Role executes the Purge Change Tracking Data job.


Define Change Tracking Queries and Alerts

- Use Queries to filter down to specific subsets of change tracking data such as:
  - Changes made within a certain date range
  - Changes made to certain fields (new feature for version 5.5)
  - Changes made by a certain person
- Additionally, if applicable, define Alerts by associating a query with an email ID. When
  new data is transferred via the change tracking transfer program, an email will be sent
  if the query conditions are met.


Using the Change Tracking Data Repository:
Designating Change Tracking Alert Recipients

- Change Tracking alerts are emails sent by CCG to any emails that have been
  designated in the email field for Add Alert.
- Emails are sent during the change tracking transfer job when any of the new data
  being transferred falls within the criteria of the query.
Related Practice: Change Tracking Queries
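
The query and alert behaviour described in the two slides above, as an added Python example (not CCG code): the record layout, the query fields, the e-mail addresses and the sample events are constructed for illustration, and the example assumes that only events new to the repository are evaluated for alerts.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ChangeEvent:
    when: datetime    # When the change was made
    who: str          # Who made it
    obj: str          # Where: the tracked object (set-up screen)
    key: str          # unique identifier value of the changed record
    field_name: str   # What: the changed field
    old: str
    new: str


@dataclass(frozen=True)
class Query:
    """A saved filter; an empty criterion means 'do not filter on this'."""
    name: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    fields: frozenset = frozenset()
    users: frozenset = frozenset()
    alert_emails: tuple = ()   # recipients added through "Add Alert"

    def matches(self, ev):
        if self.start and ev.when < self.start:
            return False
        if self.end and ev.when > self.end:
            return False
        if self.fields and ev.field_name not in self.fields:
            return False
        if self.users and ev.who not in self.users:
            return False
        return True


def run_query(repository, query):
    """Interactive use: filter everything already in the repository."""
    return [ev for ev in repository if query.matches(ev)]


def transfer(repository, batch, queries):
    """Add new change events to the repository and return the alerts to send.

    Assumption: events already in the repository are skipped, so a repeated
    transfer neither duplicates data nor re-sends alerts.
    Returns {email: [(query name, [matching new events]), ...]}.
    """
    seen = set(repository)
    new_events = []
    for ev in batch:
        if ev not in seen:
            seen.add(ev)
            new_events.append(ev)
    repository.extend(new_events)

    alerts = {}
    for query in queries:
        hits = [ev for ev in new_events if query.matches(ev)]
        if hits:
            for email in query.alert_emails:
                alerts.setdefault(email, []).append((query.name, hits))
    return alerts


# Constructed sample data.
OLD = ChangeEvent(datetime(2015, 1, 5, 8, 0), "JSMITH", "Payment Terms", "NET60", "Due Days", "60", "90")
E1 = ChangeEvent(datetime(2015, 3, 2, 9, 15), "JSMITH", "Payment Terms", "NET30", "Due Days", "30", "45")
E2 = ChangeEvent(datetime(2015, 3, 2, 9, 20), "SYSADMIN", "Payment Terms", "NET30", "Description", "Net 30", "Net 45")
E3 = ChangeEvent(datetime(2015, 6, 10, 14, 0), "SYSADMIN", "Set of Books", "US OPS", "Currency", "USD", "EUR")

REPOSITORY = [OLD]              # transferred by an earlier job
BATCH = [OLD, E1, E2, E3]       # what the next transfer job reads
QUERIES = [
    Query("Due Days changes", fields=frozenset({"Due Days"}),
          alert_emails=("ap-controls@example.com",)),
    Query("SYSADMIN changes Q1 2015", start=datetime(2015, 1, 1),
          end=datetime(2015, 3, 31, 23, 59, 59), users=frozenset({"SYSADMIN"}),
          alert_emails=("audit@example.com",)),
]

if __name__ == "__main__":
    repo = list(REPOSITORY)
    for email, hits in transfer(repo, BATCH, QUERIES).items():
        for query_name, events in hits:
            print(email, query_name, [(e.key, e.field_name, e.old, e.new) for e in events])
```

Running the same query interactively with `run_query` returns both old and new matches, while the alert path reports only what the latest transfer added.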



Summary

In this lesson, you should have learned how to:
- Create Change Tracking Reports
- Create Change Tracking Definitions
- Understand Change Tracking Status Reports
- Transfer Change Tracking Data
- Define Change Tracking Queries and Alerts
- Specify Change Tracking Alert Recipients

CCG Additional Activities

Objectives

After completing this lesson, you should be able to:
- Lock and Share Snapshot Definitions
- Schedule Snapshots
- Manage Baseline Snapshot Definitions
- Perform Forced Comparisons
- Create Templates
- Purge Snapshot Definitions
- Purge Change Tracking Data
- Define Security Groups and Users
- Configure Additional ERP Instances


Lock Snapshot Definitions

When a Snapshot Definition has stabilized, i.e. all objects are included and all conditions and
filter fields have been defined correctly, Lock the Objects and Conditions so they will not be
changed. This ensures monitoring consistency.
Once a Snapshot Definition has been locked, it can be shared with other users. The (B) Share
is activated and you are able to select a user to share the snapshot definition with.
All Snapshot Occurrences taken prior to freezing the Snapshot Definition are purged as part
of the locking process.


Schedule Snapshots for Future Executions

- Can schedule from the edit definition screen.
- If definition has been saved with the "include in schedulable items list" checked, can
  also schedule directly from the schedule job screen.
- Can schedule job to repeat on a specified duration.
- Can schedule multiple definitions to follow the same schedule.


Manage Baseline Snapshot Definitions

- A Baseline Snapshot Definition contains all of the objects for a specific application.
- Used to create comprehensive time-stamped documentation and for comparisons
  when troubleshooting.
- Are created at time of instance configuration. The owner of the snapshots is a
  configuration parameter.
- Implementation decisions need to be made regarding when new baseline occurrences
  will be generated.


Perform a Forced Comparison

Force Comparison/Map Values allows you to compare rows with different primary keys.

- Use to ensure set-up standards have been followed across multiple organizations.
- Apps user defines which rows to compare by defining which Primary Key value to use in
  the first occurrence and which primary key value to use in the second occurrence.
Related Practice: Perform a Forced Comparison

Oracle GRC Controls Suite Fundamentals Ver. 8.6/7.3.3/5.5.1 17 - 6


Create Templates

Use Templates to present a subset of the fields captured by a snapshot.
One Snapshot occurrence may be viewed using multiple templates. Each template would provide the set of fields required for the task of the person reviewing the reports.
CCG Developer Role is required to create Templates.
Related Practice: Snapshot Templates


Purge Snapshot Definitions and/or Occurrences

Schedule Stand-alone Purge Job
Specify whether purging only certain occurrences or whether purging the Definition (which purges all occurrences).
Administrator role is required to purge Snapshots.


Purge Change Tracking Data

Schedule Stand-alone Purge Job
Specify instance and End Date
The Change Tracking Scheduler role is required to purge Change Tracking Data.


Define Security Groups and Users

Administrators define users and assign roles to users.
Administrators create Security Groups and assign Users to Security Groups.
See the CCG Administrators Guide for details.


Configure Additional ERP Instances

Most sites begin with CCG configured to a couple of test and/or dev instances.
Eventually the Production instance will also be configured.
Other instances can also be configured as needed.
When an ERP Instance configured for CCG is to be refreshed, steps should be taken within the ERP Instance Workbench *BEFORE* the refresh as well as after the refresh.
- Refer to CCG Administration Guide for details.


Summary

In this lesson, you should have learned how to:


- Lock and Share Snapshot Definitions
- Schedule Snapshots
- Manage Baseline Snapshot Definitions
- Perform Forced Comparisons
- Create Templates
- Purge Snapshot Definitions
- Purge Change Tracking Data
- Define Security Groups and Users
- Configure Additional ERP Instances



Preventive Controls Governor Overview

Objectives

After completing this lesson, you should be able to:


- Describe the components that comprise Preventive Controls Governor


Preventive Controls Governor Overview

[Figure: GRC Controls components. Labels: GRCC Platform; Configuration Controls Governor (CCG); Transaction Controls Governor (TCG); Oracle E-Business Suite Instance; Preventive Controls Governor (PCG) with Form Rules, Flow Rules, Audit Rules, Change Control Rules]

Form Rules
- Business users can alter the behavior of E-Business Suite Forms without advanced development expertise
- Centralizes alterations to vastly simplify and accelerate documentation of controls
Flow Rules
- Business users can create Oracle Workflows without advanced development expertise
- Link those workflows with Form Rules alterations to create change approval workflows
Audit Rules
- Business users can create complete, easily understood audit trails of changes to E-Business Suite data
Change Control Rules
- Combines the functionality of Form, Flow and Audit Rules with a wizard-like approach to make it even easier for business users to create a broad range of preventive controls


User Interface

[Figure: EBS Environment (PCG)]
All PCG activities are performed in the EBS environments, including reporting.
Related Practice: Create a User


Summary

In this lesson, you should have learned how to:


- Describe the components that comprise Preventive Controls Governor



PCG Form Rules

Objectives

After completing this lesson, you should be able to:


- Run the Event Tracker
- Set security attributes while running the Event Tracker
- Set Security
- Create Messages
- Create Default Value rules
- Create List of Values rules
- Understand Navigation, Field Attributes, SQL and Oracle Flow


Overview

Form Rules enables you to write rules that configure Oracle Applications forms, modifying their security, navigations, field, and data properties.
Each Form rule consists of subordinate rules called rule elements.
Each element may target:
- A form
- A block within a form
- A field within a block
Each element specifies an event that triggers processing.

Form Rules is an element of the Preventive Controls Governor. To enforce the controls defined in the Governance, Risk, and Compliance Controls Suite, you can attach automations to them. Form rules are among the items that can be attached as automations to controls. However, form rules run within Oracle EBS regardless of their association with controls.


Event Tracker

Use the Event Tracker to capture blocks and fields for:


- Selection in the Block Name and Field Name fields of the main Form Rules window as you set the target of a rule element
- Selection later as you define how the element modifies a target form or items on it
As you run the Event Tracker, you can set security attributes for the target form.

To capture form items:
1. Create a Form rule that specifies using the Event Tracker.
2. Go into the target form and navigate to each block and field that you want to be able to later select as you build Form rules.


Set Security with Event Tracker

You have the following options when setting security on an event tracker:
- Prevent Update to Block
- Prevent Insert to Block
- Prevent Update to Field
- Hide Field
- Make This Field Required
- Enforce Uppercase on This Field
- Hide This Tab
- Get Field Properties

When you open an Oracle Applications form for which you are running Event Tracker, an Actions menu provides options for setting security properties for items on the form. To use these options, click on a field for which you want to set security, or click on a field in a block or tab for which you want to set security. Select the Actions menu and choose from one of the following options:
- Prevent Update to Block: Prevent an existing value from being changed for any
field in the block where the cursor is located.
- Prevent Insert to Block: Prevent an original value from being entered for any field
in the block where the cursor is located.
- Prevent Update to Field: Prevent an existing value from being changed for the
selected field.
- Hide Field: Remove the selected field from the form.
- Make This Field Required: Prevent a user from selecting a new record or closing
a form if no value has been saved in the selected field.
- Enforce Uppercase on This Field: Require that data entered in the selected field
be all upper case.
- Hide This Tab: Remove the tab that contains the selected field, and all the fields
associated with it, from the form.
- Get Field Properties: Capture the properties of the selected field. This is
essentially the same as navigating to the field with the Event Tracker running.
The security attributes you configure through the Event Tracker take effect when you
complete the definition of the Rule Element from which you are running the Event
Tracker.


Form Rules

Form rules can be used to:


- Set security attributes. These can mandate that data entry be required; that updates, insertions, or deletions be prevented; or that items be hidden from view.
- Establish navigation paths from a target form to other Oracle EBS forms, or to forms created through use of a tool called Form Extensions.
- Display messages.
- Define default values for fields, compile lists of values to be selected from fields, or set other field attributes.
- Run structured query language (SQL) statements.
- Execute processes defined in Flow Rules, another component of Preventive Controls Governor.


Setting Security

You can assign security attributes to:


- Forms
- Blocks
- Tabs
- Fields
- Descriptive flexfields (DFF)

Example: You need to restrict updates to the Taxpayer ID field and hide the Bank Accounts tab on the Suppliers form.

Security Rule
Attributes are available to components in varying combinations. You can restrict the ability to update, insert, or delete data; require that data be entered or that text entries be in upper or lower case; or hide screen items. To set these security attributes, use the Security panel, which is selected by default when you open the Business Rule Details form.


Security Attributes

Attribute | Description | Field / DFF / Block / Form / Tab (x marks; column positions not preserved)
Case | Field values must be entered in upper case (Upper), lower case (Lower), or mixed case (blank) | x
Required | If the check box is selected, a field value must be entered | x
No Update | If the check box is selected, existing values cannot be changed | x x x x
No Insert | If the check box is selected, new values cannot be entered | x x x
No Delete | If the check box is selected, existing values cannot be deleted | x x
Hide | If the check box is selected, the screen component is hidden from user's view | [marks garbled]
Active | If the check box is selected, the attributes selected in the Case field and other check boxes become active | [marks garbled]

This slide shows the check boxes that are available to each component type.
When creating a Form rule for the purpose of setting security on a form, block, or field, assign security attributes for each component part of the rule.
For the most part, the security attributes are controlled by the Case field, and the six check
boxes for each component.
If you intend to set security attributes for a number of fields at the same time, first select which
fields by choosing Oracle Rules Form Elements from the Tools menu, and then setting the
Include Flag for the appropriate fields.
Related Practice: Run the Event Tracker and Create a Security Rule



Creating Messages

You can write messages that appear when a user performs an action corresponding to the event you have chosen for a rule element.

Example: You need to alert the users when they enter an amount greater than $10,000 as an Invoice Amount Limit for the supplier, but also to prevent them from continuing until they enter a smaller amount.
Related Practice: Create Message Rule


Default Value Rule

You can set the default values of fields in the form that is the target of a rule element.
- Regardless of the event you select to trigger the rule element, you can set values for any number of fields in any number of blocks on the form
- The fields and blocks must be captured using the Event Tracker

Example: You need to set $10,000 as the default value in the Invoice Amount Limit field for new suppliers on the Suppliers form.
Related Practice: Create Default Value Rule


List of Values Rule

You can both alter existing lists of values (LOVs) and create new LOVs.
You must run the Event Tracker on fields for which you want to create or modify LOVs.

Example: A client uses the SIC code on corporate reports. The SIC field on the Classification tab of the Suppliers form is currently a text-entry field. You will make it a list of values (LOV) field with the selections of Government, Education, and Manufacturing.
Related Practice: Create List of Values Rule


Navigation Tab

You can create entries in the Tools, Actions, or Reports menu of a target form.
Create links for rule elements that use the When New Form event.
Note: Source and Destination forms must both be available within a single responsibility.

Navigation Paths
You can create entries in the Tools, Actions, or Reports menu of a target form, each of which, when clicked, opens another form (or, in a special case, executes a Form Rules rule element). You can also create zooms, similar links that are activated when a user clicks on the Zoom button in the tool bar.
Typically, such a link becomes active when a form is first opened, and so you would create such links for rule elements that use the When New Form event. Moreover, a navigational link works only if the source and destination forms are both available within a single responsibility. If a user does not have access to a form, a navigational link created in Form Rules will not take him there.


Field Attributes Tab

You can designate the display properties of blocks and fields, such as the positioning, color, size, and weight of items.
You can also set security properties for field instances.


Oracle Flow Tab

The Flow Rules application defines and implements business processes. A Flow Rules process may be configured to run in response to a triggering event, typically the insertion or updating of a record in a specified database table.
For such a process, a Form Rules rule may instead define the event that triggers the Flow Rules process to run.


Summary

In this lesson, you should have learned how to:


- Run the Event Tracker
- Set security attributes while running the Event Tracker
- Set Security
- Create Messages
- Create Default Value rules
- Create List of Values rules
- Understand Navigation, Field Attributes, SQL and Oracle Flow



PCG Flow Rules

Objectives

After completing this lesson, you should be able to:


- Create trigger-based and periodic process rules
- Create the following process flows:
  - Constraint
  - Approval and Notification
  - Concurrent Program
  - SQL
  - Condition


Overview

The Flow Rules application defines and implements business processes: sets of actions to be completed in specified sequences.
- A process may serve as a component of an Oracle Workflow or may run on its own
- A single process rule defines an entire process
- The rule consists of subordinate rules, called process flows, each of which constitutes a step in the process
- Each flow is assigned a rule type that determines what it does

A process flow can:
- Notify, or request approval of, designated persons when some action has been completed.
- Alert designated persons to errors or other exceptional conditions.
- Implement a constraint, which alerts designated persons if necessary conditions have not been met, and pauses the process pending a response.
- Run a concurrent program, or monitor one as it runs.
- Run structured query language (SQL) scripts.
- Link the current process to other processes.
- Run separately defined workflows or events within a process.
Important note: Before beginning the exercises in this chapter, the instructor must ensure that the Workflow Background concurrent program is running in Oracle. From the Flow Rules menu, select Launch Background Program.


Process Rules

To enforce the controls defined in the Governance, Risk, and Compliance Controls Suite, you can attach automations to them.
Processes created in Flow Rules are among the items that can be attached as automations to controls.
Note that you only attach processes for documentary purposes.
Flow Rule processes run within Oracle E-Business Suite regardless of their association with controls.

Example: Various departments in your organization are involved in the process of creating inventory items and approving their creation. Often that process stalls, or you later find that incorrect or incomplete information was entered for those items. You want to use Flow Rules to automate this process and make it more efficient. Initially, your task is to create a process rule that is triggered when a new item is configured, and then through the course of several exercises, you will also define multiple process flows that further refine that initial rule. You will create process flows for the following scenarios when a new item is created:
1. Inform the Purchasing department so that a Buyer can be assigned to the new item.
2. Provide the ability for people to approve new items.
3. Include the new item in a periodic report.
4. If the new item is a Purchased item, automatically set the Postprocessing Lead Time to 5 days.
5. Modify #1 so that the Purchasing department is notified only when the item is a Buy item and the Default Buyer field is blank.
Note: This scenario is just one example of how you can use Flow Rules in your organization.


Trigger-Based and Periodic Process Rules

There are two subscription types which determine what causes a process rule to be run:
- Trigger: The process rule runs when some action occurs, and as a result a record is created or updated in a specified database table. For example, a new customer may be created in a table that stores information about customers.
- Periodic: The process rule is evaluated on a regular schedule.

A schedule-based process rule differs from a trigger-based process rule in that you can set this type of flow up to run on a periodic or scheduled basis rather than specifying a trigger that launches the flow.
Example: Material transactions often get stuck with errors in the Material Transaction Interface table. You want this table to be checked periodically for errors, and you want notification to be sent to the appropriate person to fix the errors.
Related Practice: Create Trigger-based Process Rule


Constraint Process Flow

Use the Advanced Rules Wizard to create a constraint as part of a trigger-based process rule.
- A Check Constraint rule determines whether appropriate data has been provided before allowing a process to continue
- If not, it notifies a user who can obtain and enter that data.
- You may create any number of constraints

Example: A company's database may contain a table that stores records of items that it purchases. The company may require that a buyer be assigned for each new item added to the table, and each record may contain a field that holds the ID of the assigned buyer. In the Advanced Rules Wizard, a Constraint/Condition element may have been created to test whether that buyer ID field is null. Now, a Check Constraint process flow would call that element; whenever it evaluates to true, the process flow would send a notification to the functional owner of the flow. In response, the owner would be expected to assign a buyer and enter the buyer's ID in the appropriate field. The Check Constraint flow then verifies that the ID is correctly entered, resending the notification if not.
Related Practice: Create Constraint Process Flow
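
The Check Constraint loop from the example above, modelled in Python as an added illustration; it is not Oracle code or a Flow Rules API. The class and field names, the `applies_to` filter (standing in for a Constraint/Condition element used as a filter), the sample buyer ID and the `max_rounds` cap are assumptions made so the model runs on its own.

```python
# Added illustration only: a small model of a Check Constraint process flow.
# Class and field names are hypothetical and are not Oracle Flow Rules objects.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Item:
    item_id: int
    make_or_buy: str                 # "Buy" or "Make"
    buyer_id: Optional[int] = None   # None models a blank buyer ID field


# A Constraint/Condition element: evaluates to True or False for one record.
Condition = Callable[[Item], bool]


def buyer_missing(item: Item) -> bool:
    """True while the required buyer ID has not been entered."""
    return item.buyer_id is None


def is_buy_item(item: Item) -> bool:
    return item.make_or_buy == "Buy"


@dataclass
class CheckConstraintFlow:
    constraint: Condition                   # True means required data is missing
    owner: str                              # functional owner who is notified
    applies_to: Optional[Condition] = None  # optional filter on the flow
    max_rounds: int = 5                     # assumption: cap so the model terminates
    notifications: List[Tuple[str, int, int]] = field(default_factory=list)

    def run(self, item: Item, owner_response: Callable[[Item, int], None]) -> bool:
        """Return True when the process may continue past this flow."""
        if self.applies_to is not None and not self.applies_to(item):
            return True                     # filtered out: flow does not apply
        for round_no in range(1, self.max_rounds + 1):
            if not self.constraint(item):   # verify the record, not the reply
                return True
            self.notifications.append((self.owner, item.item_id, round_no))
            owner_response(item, round_no)  # process is paused pending a response
        return not self.constraint(item)    # still missing: do not continue


def demo() -> dict:
    # Constructed sample: the owner ignores the first notification and enters
    # a buyer ID (constructed value) after the second one.
    def slow_owner(item: Item, round_no: int) -> None:
        if round_no >= 2:
            item.buyer_id = 4711

    flow = CheckConstraintFlow(buyer_missing, "purchasing.owner",
                               applies_to=is_buy_item)
    results = {"buy_continues": flow.run(Item(1, "Buy"), slow_owner)}
    results["buy_notices"] = len(flow.notifications)
    # A Make item is outside the filter, so no notification is sent for it.
    results["make_continues"] = flow.run(Item(2, "Make"), slow_owner)
    results["notices_after_make"] = len(flow.notifications)
    # An owner who never responds: the flow keeps notifying and never passes.
    results["never_continues"] = flow.run(Item(3, "Buy"), lambda i, r: None)
    results["total_notices"] = len(flow.notifications)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the flow re-tests the record after each response instead of trusting that a reply was sent, so the process only moves on once the buyer ID is actually present.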



Approval and Notification Process Flows

Use the Advanced Rules Wizard to create a notification that will be sent to an approval group.
- A Notification rule sends an information-only message to designated users when a specified action has been completed
- An Approval rule sends a message requiring that designated users respond with an approval or rejection of the newly completed action
Configuration of Approval and Notification rules is very similar.

Example: When a new item is created, you want your Flow rule to inform a group of approvers and provide them with the ability to approve or reject the new item.
Related Practice: Create Approval Process Flow


Concurrent Request Process Flow

A Concurrent Program rule runs one or more concurrent programs.
For each program, you can configure the rule to:
- Accept static parameters
- Execute SQL statements that determine parameters at runtime
- Notify a user (or workflow role) when each program has finished running.
For programs that produce output files (such as reports), you can also specify a printer to which output files should be sent and the number of copies to be printed.

Example: After a new item has been created and approved, you want to include that item in a periodic report of new items.


SQL Process Flow

A SQL rule executes one or more SQL Statement elements created in the Advanced Rules Wizard.

- Each element contains free-form SQL, so you can use SQL rules to execute any database procedure or SQL statement that must be run as part of a process.
- You may include any number of SQL statements in the rule.

Example: After a new item has been created and approved, if the item was flagged as a
purchased item, you want to automatically set its postprocessing lead time to 5 days.


Condition Process Flow

A Constraint/Condition element:

- Specifies values that may be held in one or more columns of a table
- Evaluates to true for records that either do or do not contain the specified values
- Can be added to any process flow as a filter: the process flow would apply only to those records for which the Constraint/Condition element evaluates to true

You can add conditions to any process flow, regardless of the process flow type.

Example: You created a Constraint process flow to check whether a buyer had been
assigned to a new item and to send a notification to the Purchasing department if one had
not. You realize now that the Purchasing department only needs to be informed if the Default
Buyer field is blank and the item is marked as a Buy item, so you add a condition to that
Constraint process flow.


Summary

In this lesson, you should have learned how to:


- Create trigger-based process rules
- Create periodic/schedule-based process rules
- Create schedule-based process rules
- Create the following process flows:
  - Constraint/Condition
  - Approval and Notification
  - Concurrent Program
  - SQL
  - Exception

PCG Audit Rules

Objectives

After completing this lesson, you should be able to:


- Describe Audit Rules
- Create Audit Groups
- Define Audit Columns and Translation Data
- Activate an Audit
- Understand Reporting
- Use the Online Audit Form
- Describe Audit Migration


Audit Rules Overview

Audit Rules:

- Enables you to track changes to the values of fields in database tables
- Allows you to review changes in reports, which can be run as concurrent requests

In addition to the audit report, Audit Rules can present audit data in an Online Audit form.

Audit Rules enable you to track changes to the values of fields in database tables. You
can review those changes in reports, which can be run as concurrent requests in Oracle
E-Business Suite or in the Reports browser of the Governance, Risk, and Compliance
Controls Suite.
For each database row in which a column value has changed, the report includes the
column name and its display name, the old and new data values, the transaction type
(insert, update, or delete), the username of the user who made the change, and the date
on which the change was made.
You select the tables you want to include in an audit by assigning them to a group. You
refine the audit further by selecting columns from the tables that belong to the group.
You can also link audited columns to translations: meaningful values that correspond
to the values held in audited tables. For example, a person's actual name might be the
translation value when an audited table column holds a numeric ID for the person.
In addition to the audit report, Audit Rules can present audit data in an Online Audit
form. Each field on an Oracle form corresponds to a database-table column; for fields on
any given Oracle form, the Online Audit form can be configured to display changes to
the underlying database columns. The Online Audit form opens from a menu option in
the Oracle form.
Once configured in an Oracle EBS instance, Audit groups and rules can be migrated to
other Oracle EBS instances.
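
The report contents described above (column name and display name, old and new values, transaction type, user and date, limited to the columns selected for audit and shown through their translation values) can be modelled as follows. This is an added illustration, not Oracle's implementation or code from the course; the column names, users and lookup values are constructed, and falling back to the raw value when a lookup has no match is an assumption.

```python
"""Model of the rows an audit report lists for one change to an audited table.

Added illustration, not GRC Controls Suite code. The table columns, users
and lookup values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AuditColumn:
    name: str                            # database column name
    display_name: str                    # label shown in the report
    translation: Optional[dict] = None   # lookup: stored value -> meaningful value


@dataclass(frozen=True)
class AuditRecord:
    column: str
    display_name: str
    old_value: Optional[str]
    new_value: Optional[str]
    transaction_type: str                # "insert", "update" or "delete"
    username: str
    changed_on: date


def _shown(col, value):
    """Value as reported: translated when the column has a lookup."""
    if value is None:
        return None
    if col.translation is not None:
        # Assumption: fall back to the raw value when the lookup has no match.
        return str(col.translation.get(value, value))
    return str(value)


def audit_row_change(audited, old_row, new_row, username, changed_on):
    """Return one AuditRecord per audited column whose value changed.

    old_row is None for an insert and new_row is None for a delete.
    Columns that are not in `audited` never produce a record.
    """
    if old_row is None and new_row is None:
        raise ValueError("need an old row, a new row, or both")
    if old_row is None:
        txn = "insert"
    elif new_row is None:
        txn = "delete"
    else:
        txn = "update"
    records = []
    for col in audited:
        old = old_row.get(col.name) if old_row is not None else None
        new = new_row.get(col.name) if new_row is not None else None
        if old == new:
            continue
        records.append(AuditRecord(col.name, col.display_name,
                                   _shown(col, old), _shown(col, new),
                                   txn, username, changed_on))
    return records


# Constructed sample: two audited columns of an item table, one translated.
BUYERS = {101: "Pat Stock", 102: "Lee Ortiz"}
AUDITED = [
    AuditColumn("BUYER_ID", "Default Buyer", BUYERS),
    AuditColumn("LEAD_TIME", "Postprocessing Lead Time"),
]

if __name__ == "__main__":
    before = {"BUYER_ID": 101, "LEAD_TIME": 5, "DESCRIPTION": "Bolt"}
    after = {"BUYER_ID": 102, "LEAD_TIME": 5, "DESCRIPTION": "Hex bolt"}
    for rec in audit_row_change(AUDITED, before, after, "JSMITH", date(2015, 9, 1)):
        print(rec)
```

The DESCRIPTION change in the sample produces no record because that column was never selected for audit.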



Creating Audit Groups

To be audited, a table must belong to an audit group.


To create an audit group:

- Assign a name to the group
- Select the database tables that will belong to the group
- Engage security by determining the Oracle responsibilities that are allowed to view audit results in Oracle-based reports and the Online Audit form
- Save the group

Once you add a table to a group and save the addition, the table cannot be removed.
For a table to belong to a group, its entire schema must be defined as audit-enabled.
Audit Rules performs this setup step automatically as you add tables to a group.
After a group is defined and saved, you select columns for auditing from each of the
group's tables.


Defining Audit Columns and Translation Data

After you specify the tables that belong to a group, you must select columns from each table.

- For each column in an audit table, you can also specify a translation value: a corresponding column in a lookup table.
- This lookup column contains values that match the values in the audited tables, such as a person's actual name in place of a numeric identifier.

A table can belong to more than one audit group, and the selection of columns for a
table is identical in all the groups to which it belongs.

If you add columns for a table in one group, the same columns are added for that table
in its other groups.
If you add a table to a group, any column selections made earlier in other groups apply
in the new group by default.
Translation-value settings configured for a table in one group apply in all the groups to
which the table belongs. Once you add columns for a table (and save the addition), the
columns cannot be deleted.
You select columns and specify translation values in the form available when you click
the Audit Columns tab in Audit Rules. You must first ensure that:
- You have saved the audit group with which you want to work, and then reloaded it.
- You have selected the table whose columns you want to prepare for auditing.



Activating an Audit

To enable Audit Rules to begin auditing the group you have defined, you must choose
Create Audit Rules Objects in the GRC Controls Utilities menu.

Two concurrent programs run:

- An Audit Trail Update Tables program updates any changes made to existing audit groups and creates new audit objects required by new audit groups.
- An Audit Rules Update Audit Objects program optimizes the triggers to include When clauses for the selected columns.

To view audit results, run a concurrent-request program called Audit: Dequeue Process.
This updates audit results; if the program has not been run recently, you will miss audit
data reflecting changes to database values made since the last time it was run.
Typically, this concurrent request is scheduled during installation to be run periodically.
Even if this is the case for your instance, however, you may wish to run the request
before viewing reports, and you would typically run it before viewing audit results in the
Online Audit form, to ensure that those results are as current as can be.


Reporting

You run audit reports in E-Business Suite:


- In the Oracle EBS environment, you can define audit reports.
- Before running a report, run the Audit: Dequeue Process concurrent request to ensure that results are current.


The Online Audit Form

An Online Audit form can display audit data about a record currently selected in an Oracle EBS form.

To use an Audit form:

- Using Form Rules, create a rule that establishes a navigation link from the form you are auditing to the Online Audit form.
- Add a GRC Controls Online Audit function to the menu structure of the responsibility that is to have access to the Online Audit form.


Audit Migration

Once you have created audit groups for an instance of Oracle EBS, you can migrate them,
that is, copy an audit group, the auditing instructions for an individual table within a
group, or a report directly to another Oracle EBS instance.
You can also export groups and tables to, or import them from, XML files.

For a table or a report to be migrated, its audit group must already exist on the
destination instance.
For an instance-to-instance online migration, the ID of the person who created an audit
group, table, or report in the source instance must exist in the destination instance.
(However, the user's status on the destination instance may be active or inactive. Audit
migration does not validate whether the user is active.)
For an XML file import, the user ID of the person who created an audit group, table, or
report need not exist in the destination instance. The CREATED_BY and
LAST_UPDATED_BY fields are updated with the ID of the person who performs the file
import.
A log file gathers information about a migration, export, or import operation. If an
operation fails and you are unable to determine why, rerun the operation with the debug
level changed from low to high and evaluate the log data.
Commonly, problems with migration result from missing translations. In such cases, the
audit log shows errors as INVALID. For instance, if a table or a responsibility does not
exist in the destination, a migration error occurs.



Summary

In this lesson, you should have learned how to:


- Describe Audit Rules
- Create Audit Groups
- Define Audit Columns and Translation Data
- Activate an Audit
- Understand Reporting
- Use the Online Audit Form
- Describe Audit Migration

PCG Change Control Rules

Objectives

After completing this lesson, you should be able to:


- Use the Change Control Wizard to create change control rules manually
- Load Change Control rules content
- Create Change Control rules


Overview

Change Control rules:


- Control and track changes to key data within vital business applications
- Provide not only assured regulatory compliance and protection against fraud, but the prevention of many common data-entry errors
- Provide pre-packaged controls developed with industry-leading audit firms and validated by CFOs and financial controllers at the world's largest companies


Change Control Rules

Change Control rules monitor and regulate changes to fields in ERP applications.

Using change control rules, you can apply any of these three control types to ensure that
field-value changes receive increasing degrees of review:

- Audit
- Reason Code
- Approval

Audit: Track changes to fields and present a history of those changes in reports. No
approval is required for changes to be made.
Reason Code: Track changes to fields and present a history of those changes in
reports. Also, when a user changes the value of a field that is under this type of change
control, change control rules require the user to enter a reason code and may send
notification of the change to another person or role. No approval is required for changes
to be made.
Approval: Track changes to fields and present a history of those changes in reports.
Also, when a user changes the value of a field that is under this type of change control,
change control rules not only require the user to enter a reason code, but also send a
request for approval to a specified person or role.


Approval Change Control Rule

For Approval Change control rules:


- Field changes are tracked, and their history presented in reports
- When a user changes the value of a field, the user must enter a reason for the change, but the action also sends a request for approval to a specified person or role
- The change must be approved or rejected
- The requesting user must acknowledge an approval

A change is implemented only after it is approved and acknowledged.

For the Approval control type, you must enter a WorkFlow Role value; it designates the
person who approves changes.


Create Change Control Rules Manually

The Change Control Wizard enables you to create new control rules manually.

You can also use the wizard to:

- View existing rules
- Modify existing rules
- Confirm that content-spreadsheet rules have been uploaded correctly

Enter values for the following fields:
Field Name: Enter the name by which the underlying code calls the field you want to
control. Select from the list (items are available if you have used the Event Tracker to
capture them; see page B-1), or type a value.
User Field Name: The Change Control Wizard selects a display field name (the label
visible to the user of an Oracle EBS application) corresponding to the Field Name in the
previous box. You can replace it with another value. This name appears in the Change
Control Request form and in notifications.
Control Type: Select the level of control you want to apply to the field: Audit, Reason
Code, or Approval.
WorkFlow Role: Select the person or role who reviews changes made to the field. For
the Approval control type, you must enter a WorkFlow Role value; it designates the
person who approves changes. For the Reason Code control type, you may enter a
WorkFlow Role value to designate a person notified of the change. WorkFlow Role does
not apply for the Audit control type.
Reason Type: Select the name for a group of reason codes. A user who changes the
Oracle EBS field can apply any reason code belonging to the group you select here.
You must select a reason type if you selected the Approval or Reason Code control
type; a Reason Type selection does not apply if you selected the Audit control type.
Enable: To set a change-control rule to be active once it has been generated, select the
Enable check box to the right of its row. Clear the check box (and respond to a
confirmation message) to turn off the rule. Or, select or clear the All check box (at the
upper right of the Change Details panel, in the Enable column) to enable or disable all
rules currently displayed in the panel.
Enable Visual Attributes: Select the check box to cause the controlled field to appear
in yellow on its Oracle EBS form. Clear the check box to allow the field to remain
visually undistinguished from other fields. This option applies only to fields controlled by
Reason Code or Approval rules.
Comments: Explain the business risk addressed by the rule you are creating.
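
The field dependencies listed above, together with the Approval life cycle from the earlier slide (a change takes effect only after it is approved and the requester acknowledges the approval), can be checked with a small model. This is an added illustration, not code from the Change Control Wizard; every class, function and sample name is hypothetical, and it assumes the WorkFlow Role resolves to one named approver.

```python
"""Model of Change Control rule settings and the Approval life cycle.

Added illustration, not GRC Controls Suite code. Class, function and
sample names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

AUDIT, REASON_CODE, APPROVAL = "Audit", "Reason Code", "Approval"


@dataclass(frozen=True)
class Rule:
    field_name: str
    control_type: str
    workflow_role: Optional[str] = None   # approver (Approval) or notified party
    reason_type: Optional[str] = None     # name of a group of reason codes
    visual_attributes: bool = False       # highlight the field on its form


def validate_rule(rule):
    """Return the setting conflicts for a rule; an empty list means none."""
    if rule.control_type not in (AUDIT, REASON_CODE, APPROVAL):
        return ["unknown control type: %r" % rule.control_type]
    problems = []
    if rule.control_type == APPROVAL and not rule.workflow_role:
        problems.append("Approval requires a WorkFlow Role")
    if rule.control_type != AUDIT and not rule.reason_type:
        problems.append("%s requires a Reason Type" % rule.control_type)
    if rule.control_type == AUDIT:
        for name in ("workflow_role", "reason_type", "visual_attributes"):
            if getattr(rule, name):
                problems.append("%s does not apply to Audit" % name)
    return problems


class ChangeRequest:
    """One field change made under a rule; `history` is what reports show."""

    def __init__(self, rule, old, new, user, reason_code=None):
        if validate_rule(rule):
            raise ValueError("; ".join(validate_rule(rule)))
        if rule.control_type != AUDIT and not reason_code:
            raise ValueError("a reason code is required")
        self.rule, self.old, self.new, self.user = rule, old, new, user
        self.history = [(user, "changed", reason_code)]
        if rule.control_type == APPROVAL:
            self.state = "pending"            # waits for the approver
        else:
            self.state = "implemented"        # no approval required
            if rule.workflow_role:            # Reason Code: optional notification
                self.history.append((rule.workflow_role, "notified", None))

    def decide(self, actor, approve):
        # Assumption: the WorkFlow Role resolves to a single named approver.
        if self.state != "pending":
            raise RuntimeError("no decision is pending")
        if actor != self.rule.workflow_role:
            raise PermissionError("%s is not the approver" % actor)
        self.state = "approved" if approve else "rejected"
        self.history.append((actor, self.state, None))

    def acknowledge(self, actor):
        if self.state != "approved":
            raise RuntimeError("only an approval can be acknowledged")
        if actor != self.user:
            raise PermissionError("only the requesting user acknowledges")
        self.state = "implemented"
        self.history.append((actor, "acknowledged", None))

    @property
    def value(self):
        """Field value in effect: the new one only once implemented."""
        return self.new if self.state == "implemented" else self.old
```

Running `validate_rule` over rules before they are loaded catches combinations such as an Approval rule with no WorkFlow Role, which would otherwise leave a controlled field with nobody designated to approve changes.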



Load Optional Change Control Rules Content

PCG includes optional spreadsheets that can be used to define Change Control Rules.

You can use these spreadsheets as templates for defining your own rules.

Load Change Control Rules Content
Sample content spreadsheets contain more than 1,500 Change Control Rule definitions. They
are located in the content directory on Governance, Risk, and Compliance Controls Suite Disk
1 of your Oracle media pack. Whether you upload rules from a content spreadsheet or create
them individually in the Change Control Wizard, you can migrate them from one Oracle EBS
instance to another.


The Process

To load rules from a content spreadsheet:

1. Review the spreadsheet.
2. Create flat files containing the rules you have selected.
3. A control total message displays the number of rules written to the CSV file. Compare this number with the number of rows you selected to upload.

To upload the file you have prepared:

1. FTP the CSV files to a valid utl directory.
2. Run the Preventive Controls Governor Content Load concurrent request.
3. Create Audit Rules Objects.

To load rules from a content spreadsheet:
1. Review the spreadsheet. Select the rules that target fields for which you want to
implement controls, and then enter Y in the Upload column for those rules.
2. Create flat files containing the rules you have selected. From the Tools menu in Excel,
select the LogicalApps Create CSV for Preventive Controls Governor (AGS) option.
Specify the destination for each CSV file and click Save.
3. A control total message displays the number of rules written to the CSV file. Compare
this number with the number of rows you selected to upload.
To upload the file you have prepared:
1. FTP the CSV files to a valid utl directory of the instance where the rules are to be used.
2. Open the Navigator in the Logical Apps responsibility (in Oracle Applications) and run
the Preventive Controls Governor Content Load concurrent
request.
3. Open Preventive Controls Governor (Audit and Approval Rules).

4. From the Tools menu, select Create Audit Rules Objects. A message displays a
concurrent request ID number.
Note: The Create Audit Rules process automatically starts when the file is loaded, but it
is good practice to get into the habit of running it manually, as it does need to be run
manually after rules are created manually.
5. Click OK to clear the message.


Summary

In this lesson, you should have learned how to:


- Use the Change Control Wizard to create change control rules manually
- Load Change Control rules content
- Create Change Control rules