Professional Documents
Culture Documents
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Oracle GRC Controls Suite
Fundamentals Ver.
8.6/7.3.3/5.5.1
Student Guide
D74761GC10
Edition 1.0 | September 2015 | D92592
publish, license, post, transmit, or distribute this document in whole or in part without
Barry Greenhut the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you
Publishers find any problems in the document, please report them in writing to: Oracle University,
Jobi Varghese 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Giri Venugopal
Restricted Rights Notice
s a
U.S. GOVERNMENT RIGHTS
h
) a
The U.S. Governments rights to use, modify, reproduce, release, perform, display, or
o m
disclose these training materials are restricted by the terms of the applicable Oracle
e c uide
license agreement and/or the applicable U.S. Government contract.
p
Trademark Notice
@ h nt G
r
a tude
u m
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
y -k his S
may be trademarks of their respective owners.
d
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Contents
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
(bh icens
Preventative Controls Governor 1-20
Summary 1-21 y
dd ble l
Quiz 1-22 e
R ra
t h fe
ra ansControls
2ha
t
B Objectives
- r
Continuous Monitoring
on
nApplication 2-2
Navigation 2-3
Viewing the Home Page 2-4
GRC Controls Navigation 2-5
Continuous Control Monitoring Workflow 2-6
Continuous Controls Management 2-7
Results Management 2-9
GRC Security 2-10
Defining Roles 2-11
Roles Examples 2-12
User and Role Administration 2-13
User and Role Hierarchy 2-14
Manage User Security 2-15
Creating and Managing Job Roles 2-16
Data Role Composition 2-17
iii
Duty Role Composition 2-18
CCM Users Management 2-19
Creating Users 2-20
User Preference 2-21
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
iv
Configuration Planning 4-4
Defining Data Sources 4-5
Manage Application Data 4-6
Run Synchronization 4-7
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Notifications 4-8
Defining Notification Schedules 4-9
Notification Configuration 4-10
Turning Off a Notification Schedule 4-11
Parallel Processing 4-12
Quiz 4-13
Summary 4-15
v
6 Remediation
Objectives 6-2
Remediation 6-3
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
vi
Quiz 7-20
Summary 7-23
8 AACG Reporting
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Objectives 8-2
Reporting Overview 8-3
Contextual Reporting for Control Summary 8-4
Contextual Reporting for Incident Results 8-5
CCM Control Management Reports 8-6
CCM Result Management Reports 8-7
Reporting File Types 8-9
Manage Report Parameters 8-10
Reporting Scheduling 8-12
s a
Report Generation 8-14 h
) a
o m
Report from Manage Controls Panel 8-15
p e c uide
Report Generation Manage Incidents Panel 8-16
@ h nt G
Report Management Menu 8-17 r
a tude
u m
Using the Report Management Menu 8-18
d y -k his S
Summary 8-19
r e d se t
a
9 Enterprise Transaction Controlsr ath Governor
t o u Overview
Objectives 9-2 ( b h
e n se
GRC Platformdand d yETCG Differentiators
l ic
R e b l e 9-3
AbouthTransactionra
r at s f e Governor 9-4
aETCGtSetup n Flowchart 9-6
Bh ETCG r a
on- Terminology
nCreate
9-7
Filters and Use Business Objects 9-8
Processes by Functional Area 9-9
Quiz 9-10
Summary 9-13
vii
Business Object Administration 10-12
Example: Business Object Administration 10-13
Summary 10-14
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
viii
Defined Filter Options 12-14
Example: Defined Filter Options 12-15
Create a Function 12-16
Create a Pattern 12-17
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
ix
Set-up Screen Example: AP Payment Terms 14-11
Terminology: Unique Identifiers and Primary Keys 14-12
CCG Definitions Example Screenshot 14-13
Snapshot HTML Report Example 14-14
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
x
Manage Baseline Snapshot Definitions 17-5
Perform a Forced Comparison 17-6
Create Templates 17-7
Purge Snapshot Definitions and/or Occurrences 17-8
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
xi
Condition Process Flow 20-10
Summary 20-11
Objectives 21-2
Audit Rules Overview 21-3
Creating Audit Groups 21-4
Defining Audit Columns and Translation Data 21-5
Activating an Audit 21-6
Reporting 21-7
The Online Audit Form 21-8
Audit Migration 21-9
Summary 21-10
s a
h
) a
o m
22 PCG Change Control Rules
p e c uide
Objectives 22-2
@ h nt G
Overview 22-3 r
a tude
u m
Change Control Rules 22-4
d y -k his S
Approval Change Control Rule 22-5
r e d 22-6se t
r th Content
Create Change Control Rules Manually
aRules t o u 22-8
h a
Load Optional Change Control
se
The Process 22-9 (b e n
d d y l ic
Re rab
Summary 22-11
l e
r t h
a nsfe
a
Bh n-tra
no
xii
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Abbreviations
Bh n-trApplication
AACG
a
Access Controls Governor
no
ETCG Enterprise Transaction Controls Governor
PCG Preventive Controls Governor
CCG Configuration Controls Governor
CCM Continuous Controls Monitoring - Continuous Control Monitoring (CCM) module
in the Governance, Risk and Compliance platform, regulates activity in business
applications for access and transaction controls (AACG & ETCG).
GRC Oracle Enterprise Governance, Risk and Compliance regulates activity in
business applications. GRC runs as a Continuous Control Monitoring (CCM) module in
the Governance, Risk and Compliance platform, and it consists of two components,
each of which implements "models" and "continuous controls" that define risks a
company may face.
course.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
aonly
GRC ish a
the
t r n that manages business processes for greater efficiency, controls
solution
a
B
user access -to reduce risk, and tracks data changes to increase financial integrity. With
nonGovernance, Risk and Compliance Controls, you can build a better business and
Application
get compliance as a by-product; and identify transactions that pose unacceptable risk to a
company.
This continues monitoring of controls helps organizations to identify risks at the earliest
occurrence and take proactive actions accordingly.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
ath nsfeRisk r
a
Oracles r
Governance,
h -tra and Compliance (GRC) Solution
B
Oracle GRC n Solutions allow you to consolidate multiple requirements and address them,
norisk
automate and compliance activities, and embed preventive controls in the context of
business operations.
1. Oracle helps you to manage multiple GRC requirements. The core controls and content
management capabilities allow you to align multiple requirements with the same
superset of controls. This cuts down on duplication of documents, duplication of effort,
and provides the basis for a comprehensive view into GRC initiatives and how well
these are performing.
2. Oracle GRC Solutions helps you to automate critical GRC tasks. Oracle automates
critical cross-industry GRC processes like the documentation and communication of
your policies and procedures; the assessments of your risks and controls; the
remediation of control violations; as well the certification process across the multiple
levels of your organization.
GRC Intelligence
s a
EGRC Platform a
)h
m
co uide
e
Oracle E-Business Suite Instance
@ hp nt G
r
a(PCG) de
Preventive Controls Governor u m t u
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a nofsfthe
GRC is comprised
r e following Governors:
a
Bh nControls
Continuous - tra Monitoring regulates activity in business applications. Continuous
o
ControlnMonitoring (CCM) module in the Governance, Risk and Compliance platform (EGRC)
consists of two components as follows:
Application Access Controls Governor (AACG): Regulates access to duties
assigned in business-management applications. It implements access policies, which
identify duties that are considered to conflict with one another because, in combination,
they would enable individual users to complete transactions that may expose a
company to risk.
Enterprise Transaction Controls Governor (ETCG): Define models, each of which
specifies circumstances under which individual transactions would pose an
unacceptable risk to a company.
GRC Intelligence (GRCI): GRC Intelligence (GRCI) provides dashboards and reports
that present summary and detailed views of data generated in EGRCM and EGRC.
Preventive Controls Governor (PCG): Enforce GRC in real-time to prevent
unauthorized actions or business transactions. Examples include limiting access,
enforcing change management and creating an audit log on sensitive business functions
related to social security numbers, salary information and significant revenue accounts.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
CCM - Application Access A user who can create a Detects all the users and
Controls supplier cannot pay the the responsibilities that
supplier have these two privileges
CCM - Transaction Check any responsibility Detects suspects that point
Controls from Step1 for users who to some kind of fraudulent
have created a supplier activity
and approved a payment
Preventive Control A user who can create a Since this is preventive, s a
Governor supplier can pay other h a
this will prevent any fraud
)
suppliers but not the same o m
occurring in the application
one he created p e c uide
@ h allnkinds
t G of setup
Configuration Control Check if someone has r Detects e
a tud in a transaction
Governor changed the billing um changes
y
address of a supplier
d -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
GRC 8.6.4.3000
t h R ra
a r
An Oracle
a nsfeRisk and Compliance (GRC 8.6.4.3000) platform hosts two products
Governance,
Bh n-trControls
Continuous
a Monitoring, Oracle Enterprise Governance, Risk and Compliance
no(EGRCM) and GRC Intelligence (GRCI).
Manager
In this release the GRCM and GRC products that existed individually are merged into a single
GRC platform.
Continuous Controls Monitoring , in turn, consists of two subsidiary products, Application
Access Controls Governor (AACG) and Enterprise Transaction Controls Governor (ETCG).
Fusion GRC Intelligence (GRCI) provides dashboards and reports that present summary and
detailed views of data generated in EGRCM and EGRC.
Continuous Controls Monitoring regulates activity in business applications. Continuous
Control Monitoring (CCM) in the Governance, Risk and Compliance platform, and it consists
of two components, each of which implements "models" and "continuous controls" that define
risks a company may face:
Oracle Application Access Controls Governor (AACG) enforces segregation of duties in
Oracle E-Business Suite, PeopleSoft, and (if a "connector" is installed) Oracle Fusion.
under which individual transactions display evidence of error, fraud, or other risk. ETCG
implements only detective analysis, uncovering suspect transactions that have been
completed before a control is run.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
Accessa r
to
athe GRC
n s fe Suite Components
Control
Bh n-tra Suite Components are accessed differently:
The GRCoControl
n
Access Controls and Transaction Controls are web-based applications. You will access
CCM modules (GRC 8.6.4.3000 release) through your web browser.
Preventive Controls Governor (PCG) is accessed via Oracle E-Business Suite, using the
GRC responsibility.
Configuration Controls is also a web based application, which you will access from your
web browser. This will be via a different URL than EGRC Platform.
t h R ra
e
CCM h ara transf
Features
B n- Hierarchies of the perspective values. Users can associate individual
Perspectives
no
perspective values or the perspective values defined in the hierarchy with individual objects
(such as models and controls), thus cataloging objects by organization, region, or any other
concept a company determines to be meaningful. Perspectives are more powerful: First, they
are hierarchical values have parent/child relationships to one another. Second,
perspectives do more than serve as filtering values in the pages in which users manage
objects. They also play an important role in GRC security, and in the assignment of incidents
generated by controls to result investigators (formerly participants).
Redesigned security, in which job roles, consisting of duty roles and data roles, provide a
much more granular means of safeguarding access to GRC functionality and data.
The use of worklists and notifications to alert users to tasks awaiting their attention. This
involves modification of the system for email notification that was used in earlier EGRC
versions.
Revised search and saved search functionality, which replaces the views that existed in
earlier EGRC versions.
r t
a e to
a
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
e
ara transf
AACGhOverview
B n- Access Controls Governor (AACG) enforces segregation of duties in
Oracle Application
no
Oracle E-Business Suite, PeopleSoft, and (if a "connector" is installed) Oracle Fusion. Each
model or control defines conflicts among duties that can be assigned in a company's
applications, and identifies users who have conflicting access to those duties. AACG can
either discover conflicts that existed before controls were written to protect against them
("detective" analysis), or intervene when a user is assigned duties after controls have been
written to define them as conflicting ("preventive" analysis).
policy
Create & Manage Transaction Models & Controls that
specifies circumstances under which individual
transactions pose unacceptable RISK to a company.
Pattern Based Detection - Assist control definition and
detection of fraud based on patterns or complex
algorithmic rules. For example, Benford, Mean, etc. as a
m )h
e co uide
p tG
hPrevention
Detection
a r @ e n
m Stu
uReview d
Define Perform - k
y thAddress isand Preventive
Transaction Transaction dd Transaction
Controls h re use Suspects
Analysis
t Controls
a r a e t o
h
(b 2015, s
n and/or its affiliates. All rights reserved.
d y
Copyright l i c eOracle
R ed able
Oracle a r
Enterprise s fer
ath nTransaction Controls Governor (ETCG) evaluates transaction risk in
B h - t r
Oracle E-Business
a Suite and PeopleSoft.
non
Oracle Enterprise Transaction Control Governor creates & manages Transaction Models &
Controls that enable users to define models each of which specifies circumstances under
which individual transactions pose unacceptable RISK to a company.
Once Models are designed for a risk definition/criteria, to generate expected incidents,
controls are created using these models and the incidents are monitored to manage the risk
levels for the business application.
Pattern Based Detection - Assist control definition and detection of fraud based on patterns or
complex algorithmic rules. For example, Benford, Mean, etc
Oracle Enterprise Transaction Controls Governor (ETCG) evaluates transaction risk in Oracle
E-Business Suite and PeopleSoft and other business applications. Each model or control
specifies circumstances under which individual transactions display evidence of error, fraud,
or other risk. ETCG implements detective analysis, uncovering suspect transactions that have
been completed before a control is run.
or regulatory impact
Identify setup changes that violate financial or regulatory
policy
Accelerate documentation and analysis of setup values
s a
)h a
m
co uide
e
p tG
@ hPrevention
n
Detection
a r d e
- k um StEnforce u
Define
Configuration
Document or
Compare d dy this Change
Monitor
Configuration
e
Manage
Controls Configurations hr u
Changess e Data Integrity
r a t t o Control
h a s e
y (b 2015,i c n and/or its affiliates. All rights reserved.
eOracle
d
Copyright
ed able l
R
a r ath nsfer
CCG Overview
Bh n-tControls
Configuration
ra
no Enterprise. Governor
PeopleSoft
(CCG) monitors setup data in Oracle E-Business Suite and
It takes snapshots that document application set-ups; compares
snapshots with one another, to show how application setups differ; and employs change
tracking to monitor changes in setups.
Change Tracking
Alert users whenever changes occur
Dashboard summarizes changes in all environments
Drill down to see details of all changes
Export change details to CSV (Excel) and PDF
Snapshots & Comparisons
Document all setup values seen in the original applications
Compare two environments values (e.g., Production vs. a best-practice baseline), or
snapshots from two points in time
Export all details to CSV (Excel) and PDF
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Enforce preventive
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
r t
a e to
a
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
Preventiver s fe manages the Form Rules, Flow Rules, Audit Rules and Change
aControlnGovernor
Bh Rules
Control n - tinrathe EBS application.
no
EBS
Environment
(PCG)
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
PCG User r aInterface
n s fe
Bh n-tra are performed in the EBS environments, including reporting.
All PCG activities
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
Segregation of Duties?
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
Controls Monitoring?
a. Access Control Governor
b. Transaction Control Governor
c. Preventive Control Governor
d. Continuous Control Governor
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
a,b
a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
a,b
a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
Click onaarNavigator
fernear the upper left of any GRC page to display lists of links to
ath nslink
Bh youn-can
features trause. The lists are organized by module, and the links you see depend on the
no to you by your roles.
rights granted
Controls include:
Continuous Monitoring
Continuous Control Management
Results Management
Tools
Report Management
s a
Perspective Management a
)h
Setup & Administration m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
Click onaarNavigator
fernear the upper left of any GRC page to display lists of links to
ath nslink
Bh youn-can
features trause. The lists are organized by module, and the links you see depend on the
no to you by your roles.
rights granted
The list for the Continuous Control Monitoring module includes two links: Continuous Control
Management enables you to create GRC models, controls, and their components; run them;
and review model results. From Result Management, you can resolve the incidents generated
by controls.
EGRCM provides a Financial Governance module to manage Process, Risk, Controls and
Issues.
A Tools list provides access to features that apply across modules. Its perspective
management, reports and administrative features apply to CCM.
Controls
Design & Update Continuous Monitoring Scheduling has
a
Periodic Testing Investigators m
Perspective
)Values
c o i d e
Ad hoc results Status pe Assignemnts
User u h nt G
Models r @
a tudeReporting
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
OraclehEnterprise sfe
ara tranGovernance, Risk and Compliance Controls (GRC) regulates activity in
B -
business applications. GRC runs as a Continuous Control Monitoring (CCM) module in the
non Risk and Compliance platform, and it consists of two components, each of which
Governance,
implements "models" and "continuous controls" that define risks a company may face:
Oracle Application Access Controls Governor (AACG) Each model or control defines
conflicts among duties that can be assigned in a company's applications, and identifies
users who have conflicting access to those duties. AACG can either discover conflicts
that existed before controls were written to protect against them ("detective" analysis), or
intervene when a user is assigned duties after controls have been written to define them
as conflicting ("preventive" analysis).
Oracle Transaction Controls Governor (ETCG) evaluates transaction risk in Oracle E-
Business Suite and PeopleSoft. Each model or control specifies circumstances under
which individual transactions display evidence of error, fraud, or other risk. ETCG
implements only detective analysis, uncovering suspect transactions that have been
completed before a control is run.
Controls
Mass-Edit Controls
View and Edit Individual Controls
Run Controls
Import and Export Controls
Access Models a
Create and Edit Models a s
m )h
Run Models
e co uide
Import and Export
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a
Controls r ath nsferControls are created and run to generate incidents
Management:
Bh n-tra
Access Management: Access models are created and managed using and Create Access
o
Modelsnand Manage Access Models links
Transaction Models
Create and Edit Models
Run Models
Import and Export Models
View or Export Model Results
Control Administration a
Create and Edit Access Entitlements a s
m )h
Access Global Conditions
e co uide
Access Path Conditions
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atModels:
h a
Transaction
t r a n Transaction models are created and managed using Create
B
Transaction -
nModels and Manage Transaction Models links
n o
Control Administration: In this task, all the access control administration and Entitlement
creation and modifications are done in this section.
Incident Workflow
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Auditors
Internal Controls Group
Business Area / Application Owners
System Administrator
Access Approval Investigators
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
arabegin
Beforehyou
t r a n up your roles, consider who will use AACG, and for what purposes.
setting
B
on- - May be able to review generated conflicts and run reports.
Auditors
n
Internal Controls Group - May help define dimensions, review/create policies, and run
reports.
Business Area/Application Owners - May conduct activities such as creating policies,
creating entitlements, viewing conflicts, updating conflict statuses, and simulating the
resolution of conflicts.
System Administrator - May set up data sources, application configuration, and
notification configurations.
Access Approval Investigator (Earlier User Provisioning Participants) - May review
access requests in the Manage Access Approvals panel.
See the GRC Security Implementation Guide, as well as the Security Management chapter
of the GRC User Guide.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atAdministration
In Setup
h aand
t r a n section, in the Security section, you can create roles, each of
B
which grantsn-access to a set of features in Governance, Risk and Compliance Controls. You
nocreate
can then users and assign roles to them. Each user can have any number of roles.
Note: Each user can have any number of roles
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
aUser
a
User: n
h -traProfiles can have multiple Job Roles
B
n n The
JoboRole:
references
job role is the combination of functional access and data access. It
one or multiple duty roles and data roles, defining the complete set of
functional and data access needed for a job.
Duty Role: Duty Role provides functional access (i.e. Manage Controls). A duty role is
a set of privileges. Each duty role defines one or more tasks a user can complete in the
application for example creating controls, or approving changes to them.
Privilege is the most granular aspect of functional access: A reference to a specific
application resource, and the means to grant functional access to the user. Each
privilege has a name that describes its functionality, a navigator entry identifying the
navigator component in which it is included, and an activity identifying the type of activity
it is part of.
Data Role: Data Role grants data access to specific data. (i.e. Controls related with the
Security Perspective.)
A data role defines a narrowly focused set of data. Primary data role supports work with
models, continuous controls, or incident results in GRC and it sets a fourth condition: data
must be associated with a value for a seeded CCM Type perspective, which distinguishes
between data for use by AACG and data for use by ETCG.
s a
a
)h
m
co uide
e
@ hp nt G
Manage users and their
m ar tude
specific job function.
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
arasecurity
Usershlevel
t r a n to access the application is controlled by the roles defined and assigned
B
to them. n-
no who can access the application screens, based on the jobs and duties that are
Roles define
functionally assigned to the user and also the data that they need to be exposed to work
upon. Further the security can be enhanced by associating the perspectives to the roles to get
more granular control on the data that the user accesses in the application.
Create specific Job Roles based on the user community and their job
functions.
Best Practice: When possible create Job Role Templates that can be
copied and modified to meet the specific data access.
Leverage seeded
Job Duty Roles.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku data
Specify i s S security
level
e d
d sbased h
t by Job Role.
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
In theh arapane,
Roles n s feon the row for a role whose information you wish to review. In the
click
Role - tra pane, labeled with the name of the selected role, displays detailed
BLogic,nlower
no about the role. In the Roles Pane, click the Role Name to view the details of the
information
Role.
Data Roles
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Objects
Data Role Access Model
Controls
Incidents
Module
Actions
Create, View, s a
State/Action a
)h
Base Edit, and m
Delete/Retire e co uide
@ hp nt G
Perspectives
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r athdefines s f er
The data
h a role
t r a n which set of data the user has access to within the application. The
B n- on the criteria for all the data roles within each users job roles to determine
system matches
ofodata to which the user has access.
the set n
Two types of data role are delivered: primary data roles that include module, state, and state
action, and composite data roles that reference a set of primary data roles to form the basic
data access needed for a job role. As primary data roles are created for each object (model,
control, incident result), each state (Create, Edit, Delete, and View), each CCM Type (Access
and Transaction), and the variations of each state and state action allow for extremely
granular data-level security that may be assigned to users to control their access.
Each primary data role is intended to be referenced by many composite data roles,
depending on what actions are needed. You should not need to create primary data
roles with module, state, and state action, but simply reference the delivered primary
data roles.
For CCM, the application is delivered with primary data roles for models, continuous
controls, incident results, access requests, entitlements, and global and path conditions.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atoptions
You can
h ause
t r a n available from the Manage Users page to create, edit or copy, or unlock
B - or import them from an LDAP repository.
user accounts,
non
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
In theh ara trUsers
Manage a n page, click on Actions > Create User. A Create User page opens.
B n-
Enter theofollowing:
n
User Name for logon, Last Name, First Name, Middle Name, Email1
User Name cannot be changed after it has been saved
Indicate a status
Active or Inactive; Locked usually set by system
Add other optional user information
Contact information, Position, Organization
Language preference
Passwords
Roles
Select roles for users
All users access this page from the top right Preference link. Users
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
From hany s ferthe user who is currently logged on can open User Preferences,
ath in nGRC,
arpage
review n - tra pertaining to his own user account, and change some of it. To open User
B information
no click on the Preferences link near the upper-right corner of any GRC page. A
Preferences,
User Preferences dialog appears, divided into three sections:
A Details section displays your username and status as read-only values. It also
provides write-enabled fields in which you can modify your first, middle, and last names,
email address, password, a second email address, office and mobile phone numbers,
physical address, and position and organization.
Email Address 1 is the address to which GRC sends worklist advisories (if notifications
are enabled under Manage Application Configurations in the Setup and Administration
tasks). A password is case-sensitive and must consist of at least eight characters, taken
from each of four character sets: uppercase letters, lowercase letters, numbers, and
special characters, which comprise !@#$%&*. A password is invalid if it matches or
contains the username, and it must not match any of the previous three passwords.
t h R ra
Definehperspective sfe
ara tranhierarchies, each of which is, in effect, a set of related values that define a
B n- GRC objects may exist. Individual perspective values may be assigned to
context in which
nomodels,
individual controls, and incidents (control violations). Perspectives may then be used
for reporting and filtering purposes (for example, a user may generate a report about all
controls associated with a particular perspective value).
Perspectives are also instrumental in GRC security: data roles define the data to which
individual users are granted access, and if associated with perspective values, these roles
grant access only to models, controls, and incidents associated with those values.
GRC Perspective Management enables you to create (or edit) perspectives. Or, Data
Migration enables you to import them from a template. (Oracle supplies an import template
that includes Business Process and Risk perspectives. You may edit these, or create others,
for import.)
System perspectives for Datasource, Business Object, and CCM Type are used for securing
data. These are not accessible in Perspective Management and cannot be modified directly.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
Models
Continuous Controls
Results (Incidents)
s a
) h a
Manage m
perspectives byec o ide
object h p G u
r @ n t
m a tude
u
-k his S
d y
d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
Job Role a
)h
m
co uide
e
Data Role @ hp nt G
m ar tudPerspectives
e
u
-k his S
d y
d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
Data Levelr aSecurity
n s fe
Bh n-also
Perspectives
tra play a part in GRC security. Users are assigned job roles, which contain
nothat define functionality available to users, and data roles that define sets of data
duty roles
available to users. A data role may be associated with a perspective value, and if so would
grant access only to data concerning objects associated with that perspective value. To use
the Organization example, a data role might be associated with the perspective value for a
specific operating unit within a particular division. That role would grant access only to data
pertaining to that operating unit.
t h R ra
In CCM a r
module, n s fe
a perspectives also help determine which users resolve incidents generated by
B h - t r a
continuousncontrols. As a continuous control is created, perspective values are assigned to it.
no
A user can review its incidents if his job role contains a data role associated with perspective
values that match values assigned to the control. (The job role would also need to contain a
duty role with the privilege for incident review.)
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
araindividual
"Jobs"hare
t r a n requests to synchronize data, evaluate models or continuous controls,
B - generate reports, or perform other background tasks. Some jobs can be run on
export results,
demand,noorncan be scheduled to run. In general, a job is run or scheduled from a page to
which it applies for example, one might synchronize data from the Manage Application
Data page or run controls from the Continuous Control Management > Manage Controls
page.
In the Manage Jobs page, users may view jobs, cancel them, or purge job history. Each row
in the Manage Jobs page presents the following information about one occasion when a job
was run:
Job ID: An identification number assigned internally to the job by GRC.
Name: The name of the job that was run.
Start Date and End Date: The dates and times on which the job began to run and
finished running.
Status: The current state of a job. Most statuses are assigned by GRC. These include
Not Started, Started, Queued, Pause Requested, Paused, Completed, and Error. GRC
updates the status until a final state (either Completed or Error) is reached.
Message: An informational message about the job status.
Run By: The user name of the user who ran the job.
created in the page to which the job applies; the job may be run
manually from that page as well.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
A job h ara
may n to run, and typically the schedule is created in the page to which the
be scheduled
t r a
B - job may be run manually from that page as well. For example, one may
job applies;nthe
updatenao data analytics schema, or schedule it to be updated, from the Manage Application
Configurations page. However, any schedule created elsewhere is listed in the Manage
Scheduling page, where you may modify schedules or run jobs manually.
View Schedules
In the Manage Scheduling page, each row presents the following information about a job
scheduled to run in the future:
Schedule Name: The name assigned to the schedule when it was configured.
Name: The name of the job itself for example, the name of a report if the scheduled
job is to generate the report.
Last Run Date: The date and time on which this schedule last caused the job to be run.
Next Run Date: The date and time on which this schedule will next cause the job to be
run.
Scheduled By: The user name of the GRC user who created the schedule.
tabs:
Properties
Worklist
Security
Analytics
User Integration a
Notification a s
m )h
Maintenance
e co uide
Attachments @ hp nt G
m ar tude
To open the Application Configuration kupage, Sselect Mange
y -
dthe Setup i s
Application Configuration under
r e d e th Menu section of the
s
Navigation panel. ath o u a r e t
h
(b 2015, s
n and/or its affiliates. All rights reserved.
d y
Copyright l i c eOracle
R ed able
r h sfer
atApplication
h a
The Manage
t r a n Configurations page is divided into tabs, in each of which you can
B - determine how GRC works.
set optionsnthat
n o
1. Properties: The Properties tab opens a page in which you can set values required for
GRC to connect to its database. You can also select performance and language
options, and back up or restore the GRC database schema.
2. WorkList: Fields available in the page opened from the Worklist tab apply only if
EGRCM is installed with Service Oriented Architecture (SOA). Typically, these fields are
set during installation and would not be changed subsequently.
3. Security: The Security tab opens a page in which you can set login, password, and other
security values.
4. Analytics Integration enables GRC to supply data Oracle Business Intelligence
Publisher (BIP), in which you can create custom AACG reports, or to Global Risk
Compliance Intelligence (GRCI), another Oracle product.
5. User Integration sets up GRC to recognize users created externally in a database that
uses LDAP technology to share user information.
Datasource Page,
You can configure connections between GRC and instances of
the business-management applications subject to its controls
Run synchronize option to run ETL against the defined data
source, to display information in varying languages, or to
integrate with other applications
Synchronize Business Data either for Access or Transaction
Data, one at a time, with GRC Database with progress barhas
a
indicating % of progress, located in lower portion of the m )
page.
o ide
cprogram.
We have an option to schedule the Synchronization p e
h nt G u
We can also continue to navigate and work r @
a tuother
on e pages when
m d
y - ku is S
the synchronization process is running.
d h use with models
You can also import business edobjects e tfor
h r us
r a t t o
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r s f er
ath Application
Use the
h a
Manage
t r a n Datasources page to set up Oracle EBS, PeopleSoft, Fusion, or
B - and to synchronize data for those datasources. Datasource management
other datasources,
non
applies only to GRC (the CCM module)
Working with Data Sources
Governance, Risk and Compliance Controls works with data gathered from business
management applications. For it to do so, you must configure connections to data sources for
instances of these applications. GRC comes prepared for you to configure connections to
Oracle or PeopleSoft data sources. If you intend to configure a connection to an instance of
another business-management application, you must first configure a data source type for
that application. Once connections are established, you would periodically synchronize GRC
data with that in the data sources; there are distinct synchronization procedures for data used
by AACG and data used by ETCG.
ETL synchronization may be run on demand, or it may be scheduled to run at regular
intervals. Various factors dictate how often either on-demand or scheduled synchronization
should occur.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
aObjects
a
h -tran
Business
B
on ormodels,
As you create
none
label for
you work with business objects, each essentially a business-language
more database tables that hold information pertinent to access or
transactions. Business objects contain attributes, each a business-language name for a
column within the selected object. Although GRC comes with a selection of business objects
already configured, more will be developed over time.
Patterns
They are statistical functions, supplied by Oracle, that may be used in transaction models and
controls.
Custom Connector
A custom connector uses ETL technology to collect data from a business-management
application and provide it in a format that GRC recognizes. A default connector, provided with
GRC, does this for instances of Oracle EBS and PeopleSoft. Custom connectors may be
developed (outside of GRC) to do the same for other business-management applications, and
then uploaded to GRC. Once uploaded, a custom connector would be selected for a particular
datasource in the Manage Application Datasources page.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath utilitys f er
A Data
h a
Migration
t r a n enables you to upload perspective data for the CCM module. The
B
procedure n -
oinvolves
nupdating
module,
generating an XML template that reflects the specific configuration of the
the template with your operational data, and running an import process.
The Data Migration utility supports both initial and incremental loading of operational data:
Initial Load indicates that all the data contained in the import file is new to the module
(and Initial Load can be run even when other data already exists in the module).
Incremental load supports the addition of new operational data as well as the updating
of existing object, association, and perspective data. New transaction data for existing
objects can also be imported during an incremental load, but updating an existing
transaction is not supported.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath uses s f er
h a
An administrator
t r a n the Application Configuration panel to make a selection of these
B
languagesn -
available to users.
n o
Each individual user may select one of the available languages while logging on, while
configuring a user profile, or both.
For a given user,
CCM selects a language in the following order of preference:
The language specified during logon.
If none is selected then, the language specified in the user profile.
If no language is chosen in either place, the language specified in the users web
browser.
If the web browser language does not match one available in the AACG instance, US
English.
Worklist is a record of, and link to, a task that a user must
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
module, by activity type. You can expand or collapse sets of watchlist entries so that you can
focus only on a particular set. The watchlist appears only on your home page, near the upper
left corner
Notifications
A notification is a record of a task in which you have an interest, but for which no action is
required from you. Like a worklist, a notification is also a link to the page on which the task
has been undertaken. To view your notifications, select the Notifications tab in the Pending
Activities area of your home page or any object overview page. You can search for
notifications in the same way you search for worklists.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
In the Manage Users pane of the Manage User page - you can
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a r a nsfe
Bh n-tra
no
Application Navigation
Understand Continuous Controls Monitoring features
Users and Roles Administration
Perspectives
Manage Administration of Controls, Incidents, Jobs &
Reports a
Manage Application Data, Configuration, Notificationsh a
&
s
m )
Approvals. c o de
h pe t Gui
a r@ den
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:abr a nsfe
Bh n-tra
no
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
for Controls?
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
handling solution
Across heterogeneous platforms to detect and prevent
undesired user access.
To identify un-authorized access and the users who have
that access, Models are created and run which will list
Users with conflicting access.
On obtaining desired results, Models are upgraded into s a
)h a
Controls. o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r
Application s fe Governor regulates access to duties assigned in business-
aAccessnControls
Bh n-tapplications.
management ra By default it controls access to Oracle E-Business Suite and
no
PeopleSoft Enterprise, and it may be configured to work with other business management
applications as well. It implements access controls, which identify duties that are considered
to conflict with one another because, in combination, they would enable individual users to
complete transactions that may expose a company to risk.
Conflict Paths
Policy Library
s a
a
)h
m
co uide
Detection e
Prevention
Define @ hp nt G
Access Remediation maPreventive r de Compensating
Access u S t u
Controls
Analysis (Clean-up)
d y -k hProvisioning
i s Policies
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Ana r a control
access n s fedefines conflicts among a selection of access points to an
h -tra systems. In broad terms, an access point is an object in a business
Borganizations
non
management application which, when made available to a user, enables him to do
something.
Access points may be gathered into entitlements, and AACG policies may use
entitlements in place of, or in addition to, access points.
Best-practice libraries for Fusion, PeopleSoft and E-Business Suite provide access controls
that support rapid segregation-of-duties implementation around common end-to-end business
processes. These include Order to Cash, Procure to Pay, Finan-cials, and Human Resources.
t h R ra
a r
Entitlement
a Features
n s fe
Bh n-trofa access points (similar to Entity Groups)
Grouping
no
Business naming conventions to technical access points
Initial staging of future access definition functionality
Loose linking to compensating controls
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
amodel
h a
An access
t r a ndefines conflicts among access points (duties) that can be assigned to
B -
users in a company's applications. Access points are considered to conflict when, in
non they would enable individual users to complete transactions that may expose a
combination,
company to risk. An access model consists of filters, each of which may serve either of two
purposes:
An access filter may specify an access point or an entitlement (a set of access points); if
so, it identifies users who have been assigned the specified access point, or any access
point in the specified entitlement. A conflict exists when a user is selected by a specified
combination of these filters. Combinations are determined by the way you arrange filters
in the model.
A filter may define a condition, which sets limits on the conflicts a model may identify.
Typically, a condition specifies users or other items (such as companies in PeopleSoft,
operating units in Oracle EBS, or business units in Fusion) that are excluded from
analysis by the model, or it specifies a type of item (operating unit, for example) and
requires that the model return results only when access points conflict within individual
instances of that item type.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
4) Follow installation 5) Verify that areas u m
k is S6)asContinue
of setup steps
instructions to d
the applicationy - are h recommended in
e d e t
install AACG.
t h r properly.
working
u s Implementation Guide.
a r a e t o
h
(b 2015, s
n and/or its affiliates. All rights reserved.
d y
Copyright l i c eOracle
R ed able
a r ath nsfer
Bh n-tra
no
Custom or
s a Custom or
Legacy
Applications
)h a Legacy
Applications
m
co uide
e
@ hp nt G
m ar tude
y - ku Manage i s S user access between
Manage user access within multiple
application platforms concurrentlyred
d t h
h u s e multiple application platforms
r t
a e to
a
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
View Results
AACG datasource Create Access
Import Models Manage Global Post Remediation
configuration Controls Phase
Conditions
GRCI Assign Priority
Configuration Review Model Manage Access
Path Conditions Assign Perspectives
Setup Business
Application View Results Mange
Assign Investigators
Run (Incidents) Notification
s a
Synchronization Assign Enforcement a
Configuration
)h
Mange Types m
co uide
Define perspective
e
hierarchies
Entitlements Run
@ hp nt G
Conflict
Analysis
Manage Roles m ar tude
Create Access
y - ku Manage i s S Incidents
Manage Models
e d h
d se t (Remediation Flow)
Required
r Optional
Users
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
ara tFlowchart
AACGhSetup n s fe
B setnup a
- rApplication
You can o Access Controls Governor in many ways, Oracle recommends
that younfollow the order suggested in the flowchart.
The steps highlighted in blue with italicized text in the flowchart are required.
The others are optional; you perform the optional steps only if you are ready to use the
features or business functions implemented by those steps.
Administration Setup
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath Models
s f er
Create a
h -tran and View Results
Access
B
non in the form of models, controls, or tem-plates. During initial implementation, it is
Import content: The AACG export and import functionality may be used to import
content
recommend that you import models or templates, so that model logic may be reviewed,
results may be generated and analyzed, and the models may (if necessary) be modified
before permanent controls are created and used to generate incidents. Best-practice
SOD libraries for Fusion, PeopleSoft and E-Business Suite may be loaded to support
rapid implementation of segregation of duties.
Review model logic: If the best-practice SOD libraries were imported, it is important to
review the related entitlements and model logic to ensure the definitions meet your
companys expectations for identifying SOD conflicts. You may need to modify these as
you see fit.
View model results: The purpose of a model is to allow initial analysis of temporary
results before permanent incidents are generated. It is also common at this stage to do
some initial remediation if your company does not require a history of the incident.
Set Up Conditions
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
Set Up a r ath nsfer
Conditions
Bh nTypes
Condition - tra
no
Filters: As you create or edit a model, you can create filters for it. These are conditions
in that they specify users or other objects, like companies in PeopleSoft or operating
units in Oracle EBS, that are exempt from the control. Or they specify circumstances
under which the control is enforced for example, only when a users access to
conflicting access points would be granted within a single set of books.
Global conditions: These are essentially the same as conditions configured to apply to
an individual model or control, except a global condition applies to all models and
controls as they are enforced on a given instance of a business-management
application.
Global path conditions: Each excludes one access point from another, such as an
EBS function from a responsibility. A path including those points would be excluded
from conflict generation. If, for example, a global path condition excluded function1 from
responsibility1, a control set function1 in conflict with function2, and a user had access
to both functions, no conflict would occur if the users access to function1 came from
responsibility1.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath Approvals
s f er
Manage a
h -tran
Access
B
on period after installation, a site may wish to run AACG with the Access Approvals
For an initial
featurenturned off, so that incidents that existed prior to the installation of AACG can be
cleaned up before new incidents are addressed. (Moreover, Manage Access Approvals is
typically run in a production instance, but not in a test instance.) Thus, it is possible to turn
Manage Access Approvals off and on. You would do so in each Oracle E-Business Suite or
PeopleSoft instance that is to be subject to analysis by AACG.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:abr a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
AACG
s a
Set Connectivity )h a
Properties to Database
m
o idewith
cIntegration
e
p Other u
Applications
h t G
a r@ den
- k um Stu
Email Notification to
e d dy Language
e t his Support
Policy Participants
t h r us
r a t o
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
You can a r
configure s fer
ath nconnections between AACG and instances of the business-management
B h
applications - t r a
subject to its controls, set up AACG to send email notifications to policy
non or set properties required for AACG to connect to its database, to display
participants,
information in varying languages, or to integrate with other applications (GRCI).
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
applications over time and synchronize their data with the data
used by AACG
Options to Run Now or Schedule
Synchronization should be executed anytime changes are
made to the security access model of the business system
and before analysis is run
If your organization commonly makes changes to Oracle s a
)h a
menu structures, or creates and changes responsibilities
m
on a daily basis, then it would also be wise e
to co the
run u ide
p
h nt G
datasource synchronization on a daily r @
basis.
a de um Stu
- k
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r
To maximize n s fe and handle cross-platform analysis, application access security
a performance
Bhdatanis-textracted
model ra and loaded into GRC to be used in analysis. How often
no is run or scheduled depends on various factors.
synchronization
In general, any time the access security model of the datasource you are running analysis
against has changed, an Access synchronization should occur before analysis is run. If, for
instance, your organization commonly makes changes to Oracle menu structures, or creates
and changes responsibilities on a daily basis, then it would also be wise to run the Access
synchronization on a daily basis.
If, for another example, your company evaluates incidents on a monthly basis, then it may
only be necessary to run the synchronization process once a month.
t h R ra
You can a r
set
aup GRC n s fealert users when tasks within GRC require their attention when
to
Bh are
worklists n - tra
generated in EGRC.
no
EGRC can alert result investigators not only when incidents await their review, but also when
AACG preventive analysis requires approval of a role assignment to a business-application
user. In the latter case, you can also configure EGRC to inform that user of the approval
decision.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
aschedules
h a
Notification
t r a n determine how often users are notified when incidents are generated.
B
A consolidated - email message is generated for each result investigator, showing all violated
controls onwhich
nfor no prior notification had been sent. Before creating a notification schedule,
consider how often incidents will be generated, and how immediate is the need to review or
fix those incidents.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r
To establish n s fe with your SMTP server and set a schedule on which email
a a connection
Bh nare-trsent,
messages
a click the Notification tab and enter the following values:
no Server
Notification
User Name: The user name with which one would log on to the SMTP server. This
value is required only if access to the SMTP server requires authentication.
Password: The password with which one would log on to the SMTP server. This value
is required only if access to the SMTP server requires authentication.
Confirm Password: The SMTP server password entered in the Password field. This
value is required only if access to the SMTP server requires authentication.
Port Number: The port number at which the SMTP server communicates with other
applications.
Server Name: The host name for the SMTP server your company uses for sending
email.
Sender Email Address: An address that appears in the "From" line of email messages
generated by the Notification function.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
EnablehNotification
t r an
B -
oncheck box to activate the sending of worklist alerts to GRC users, or clear it to
Select this
n
inactivate sending them.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
aracheck
Selecththis
t r a n to enable EGRC to process multiple controls simultaneously. However,
box
B
use of this n - requires, at a minimum, 16 GB of RAM; 24 to 256 GB is preferred.
feature
n o
When you select the Enable Parallel Processing check box, two fields appear. In a Number of
Cores Available for Processing field, enter the number of processor cores you wish to devote
to parallel processing;
EGRC devotes one core to each control selected for analysis, until as many cores as you
select are in use. In a Maximum Megabytes of Physical RAM Available field, specify an
amount of memory for use in parallel processing. As a rule of thumb, enter total RAM minus 8
GB; you may need to adjust this value if other processes run slowly.
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
a. Data Role
b. Duty Role
c. Job Role
d. Job/Duty Role
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
Models a r
can
abe viewed
n s feand updated only by users with appropriate access, based on data
BhAs you
roles. n - tra the best-practice SOD library during an implementation, models are
import
no
assigned values for three system perspectives: Business Objects, Data-sources, and CCM
Type (for which the value is Access). To access models, a user must have a data role with at
minimum those three system perspectives assigned.
Another option is to import the content as templates. Templates can be viewed by anyone. If
you go this route, users will need to create models from templates.
Models can be secured by perspectives provided you have associated a perspective
hierarchy to the Model object via Setup and Administration -> Manage Module Perspectives.
To access models, users must have data roles associated with perspective values that match
the values assigned to the models.
Control logic cannot be modified. Therefore, reviewing the model logic for relevance is your
chance to make any necessary changes.
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Ana r a control
access n s fedefines conflicts among a selection of access points to an
h -tra systems. In broad terms, an access point is an object in a business
Borganizations
non
management application which, when made available to a user, enables him to do
something.
Access points may be gathered into entitlements, and AACG policies may use
entitlements in place of, or in addition to, access points.
Best-practice libraries for Fusion, PeopleSoft and E-Business Suite provide access controls
that support rapid segregation-of-duties implementation around common end-to-end business
processes. These include Order to Cash, Procure to Pay, Finan-cials, and Human Resources.
Test by Function
Role
Responsibility
Menu
s a
h
) a
o m
Manage Sub-Menu c
p e u ide
h nt G
Segregation of Duties r @
a tude Form Function
Identify incompatible Privileges u m
d y -k his S
(i.e. Function) d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Test by Page
Role
Permission List
Menu a
h a s
m )
Manage Component c o ide
p e
h nt G u
Segregation of Duties r @
a tude Page
Identify incompatible Privileges u m
d y -k his S
(i.e. Pages)
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Role
Privileges
s a
Permission
a
)h
m
co uide
Manage e
Segregation of Duties @ hp nt G
m ar tude
Identify incompatible Roles and Privileges -ku S
d y h i s
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
In Oracle r a nthey
Fusion, s feinclude roles, privileges, and permissions. (AACG can recognize
Bhpoints
access n - tinraFusion only if a "connector" for Fusion Applications is installed.)
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
ath e to u
Merge Suppliers AP_APXVDDUP
a r
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Model Objects
Select Datasources
Model Logic
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
To createra s fe needs to provide the following:
amodel,nuser
Bh nName
1. Model - tra
no
2. Select Datasources
Before a business object can supply access points, entitlements, or other data to a
model, it must be associated with at least one datasource. As the model is evaluated, a
filter citing that business object will analyze data from the associated datasource.
access point).
- Add the Access Entitlement business object to your model if you intend to create a
filter that specifies an entitlement (and returns users who have been assigned any
access point included in that entitlement).
- Select among three other business objects EBS Access Condition, PeopleSoft
Access Condition, and Fusion Access Condition if you intend to create a
condition filter (which defines exemptions from analysis by a model).
- Each of these business objects supports a type of datasource (EBS,
a
PeopleSource,or Fusion), and is available only if a datasource of its type has been
s
a
)h
set up and synchronized in the Manage Application Datasources page.
4. Model Logic m
co uide
e
Creating an Access Point or Entitlement Filter
@ hp nt G
Create an access point filter (one
point, and returns users who u m arbeen
t u de
that specifies an access
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
View Results
h -tOnline
r an
B
onmodel results online is a first step to verifying your model definition is what you
Viewing the
n
intended and to get a glimpse of conflicts that violate that model.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atotthe
h a
In addition
t r a n view and extracts, a visualization feature provides a graphic hierarchy
online
B n- paths causing conflicts. It enables you to analyze more easily the sometimes
of the access
nohard-to-read
long and conflict paths.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atincidents
h a
If permanent
t r a n do not need to be tracked in AACG, I can use my standard corporate
B - to request these menus to be remediated before a control is ever created.
tracking system
noifnyou would like to track that this incident occurred, in-cluding any comments on
However,
your remediation action, then you will want to first create a control before doing any cleanup
so that these incidents are tracked within AACG.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atLevel
a
Model
h model. t r a nCondition: A condition applies to a specific model when the user creates
Bthe n-
n o
Access Global Condition: This sets limits on the conflicts identified by all access
models or controls evaluated on a given datasource.
Access Path Condition: A path condition excludes one access point from another,
such as an Oracle function from a menu or a responsibility. A path including those points
would be excluded from incident generation. For example, an access control might set
functions f1 and f2 in conflict. If a path condition excludes f1 from responsibility r1, and a
user has access to both functions, then no incident would be generated if the users
access to f1 comes from r1.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
A globala r
condition s fer specifies users or other items (such as companies in PeopleSoft
ath ntypically
Bh n-units
or operating tra in Oracle EBS) that are excluded from analysis by a model or control, or it
noa type of item (operating unit, for example) and requires the model or control to
specifies
return results only when access points conflict within individual instances of that item type.
The process of creating a global condition is essentially like creating an access model that
contains only condition filters. As you create filters for a global condition, however, AACG
places them horizontally to one another, indicating an OR relationship the condition
produces results if any (or any combination) of its filters evaluates to true. You cannot arrange
condition filters to create AND relation-ships. Moreover, each global condition applies to a
single datasource.
t h R ra
Common a r a nsfe Settings for Oracle EBS
Global-Condition
Bh nGrant
Submenu - traFlag: N
n o
Do not apply policies to menus (and functions available from them) for which the grant flag is
not selected on parent menus. (If the grant flag is not selected, the submenu belongs to the
parent menu but does not appear on it and cannot be selected.)
Query Only: QUERY_ONLY
Exempt functions available from menus that provide query-only access; enforce the access
policy for other menus that provide write access to the same functions.
Function Grant Flag: N
Do not apply access policies to functions for which the grant flag is not selected on menus. (If
not, the function belongs to the menu but does not appear on it and cannot be selected.)
Responsibility End Date: Inactive
Users do not have access to menus and functions within responsibilities that have been end
dated, therefore there is no reason to include these in conflict analysis.
For PeopleSoft:
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
Common a r a nsfe Settings for PeopleSoft
Global-Condition
Bh n-tr1a
Display Only:
n o
Display Only is set at the page permission level. Page permissions can be different
depending on the Permission List>Menu>Component hierarchy they are used in. Do not
apply controls to pages that are display only as users cannot actually transact in these pages.
Hidden: 1
Do not apply controls to pages that have been set up as hidden as users cannot actually
transact in these pages. Hidden pages are work pages that are associated with derived or
work records and are often used in work groups. You can store all of your work field controls
there. Create these pages when you want calculations to be performed in the background by
PeopleCode that the user does not need to see.
Common Global-Condition Settings for Oracle Fusion
User Status: Active
Do not apply controls to users that are inactive.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
ara traexcludes
A pathhcondition n one access point from another, such as an Oracle function from a
B
menu or a n -
responsibility. A path including those points would be excluded from incident
no For example, an access control might set functions f1 and f2 in conflict. If a path
generation.
condition excludes f1 from responsibility r1, and a user has access to both functions, then no
incident would be generated if the users access to f1 comes from r1.
To view the history of changes to path conditions, click on the row for a condition in the upper
portion of the page. Change history appears in the lower portion one row displaying the
settings for each version of the condition up to, but not including, the current version.
Set Up Perspectives
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
Set Up a r ath nsfeinrPreparation for Assigning Result Investigators
Perspectives
Bh n-you
At this point,
traare just about ready to deploy your models as controls. Before you do, think
no will be involved in the investigation process when incidents are generated. You
about who
may need to perform some additional perspective configuration, so that you can assign
perspective values to the controls you create, and so direct the incidents they generate to
users whose roles specify matching perspective values.
Defining Conditions
Conditions help eliminate false positives and create focused analysis runs. Conditions are
specific to the application datasource and most likely will be tweaked throughout the
remediation process to help focus on different areas as the clean-up process occurs.
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
In theh ara tfield,
Priority
r a nenter a value that expresses the importance of the controls you are
B
creating in n - to others. The value must be a number. (Your company should establish a
relation
no values and enforce consistent usage.)
set of priority
points.
Approval Required Control allows a user to work at
conflicting access points only upon approval by a reviewer
designated by the Control.
A Prevent Control should deny access to conflicting
access points.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
araoftrenforcement
Threehtypes a n are: Prevent, Monitor, and Approval Required.
B n- are assigned roles after these access controls are activated, the assignments
Note: If users
n o
are denied if they violate Prevent controls, permitted if they violate Monitor controls, or
suspended pending approval if the violate Approval Required controls.
t h R ra
a r a nsfe
Bh n-tra
no
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
a,
ac nsfe
Bh n-tra
no
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Remediation
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
Define remediation
Understand remediation considerations and Checklist
Identify AACG remediation steps
Use the incident reports
Run conflict reports
Use simulation s a
h a
Setup iterative clean-up process m) co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atRemediation
a
h -tran
Analysis and Checklist
B
nonAccess Controls Governor Remediation Steps
Application
Run Analysis
Focus on Areas with the Highest Risk, Priority, and Volume
Review Intra-Role Incidents
Review Inter-Role Incidents
Use Various On-Line Views to Analyze Incidents
Use Various Reports and Extracts to Analyze Incidents
Assign Incidents to Business Owners
Run Simulation
Utilize Corporate Change-Tracking Process
Make Changes in the Underlying System
Re-evaluate
t h R ra
a r
Remediation
a is thenact
s feof cleaning up your application to reduce or eliminate segregation of
Bhconflicts
duties n - a
trdefined by controls. Segregation of duties means simply that each user should
not be n o
assigned access points that controls define as conflicting. Segregation of duties is
different for every company (although there may be similarities), so you may need to adjust
this common approach based on your companys goals for Governance, Risk and
Compliance.
t h R ra
a
Remediationr a Checklist
n s fe
Bh n-traand clean-up is an iterative process, and although there are various ways to
no
Conflict analysis
approach remediation, weve outlined a common approach utilizing components of
Application Access Controls Governor.
1. Run analysis.
Loading all best practice SOD content and running analysis will provide a quick view of
your companys overall SOD health and provide a basis for beginning analysis and
prioritization.
2. Focus on areas with the highest risk, priority, and volume.
Depending on your GRC goals, determine areas to begin analyzing any category of
information on which you want to base your remediation efforts perhaps business
process, or control, or any other category that produces a large number of incidents.)
Run Analysis
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
Remediation
h -Checklist
t r an
B
on and clean-up is an iterative process, and although there are various ways to
Conflict analysis
n
approach remediation, weve outlined a common approach utilizing components of
Application Access Controls Governor.
1. Run analysis.
Loading all best practice SOD content and running analysis will provide a quick view of
your companys overall SOD health and provide a basis for beginning analysis and
prioritization.
2. Focus on areas with the highest risk, priority, and volume.
Depending on your GRC goals, determine areas to begin analyzing any category of
information on which you want to base your remediation efforts perhaps business
process, or control, or any other category that produces a large number of incidents.)
Run Simulation
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a
1. Runr ath nsfer
simulation.
Bh n
Before - tra making changes in the underlying system, you may wish to run the
actually
no Simulation feature to answer the what would happen if questions that come up
AACG
during analysis.
2. Utilize corporate change-tracking process.
Remediation involves making changes in the system being analyzed. For instance, in
Oracle E-Business Suite, a menu structure or responsibility may need to be changed.
These changes generally first need to happen in a development instance, most likely
next in a test instance, and finally in a production instance. It is important to have a
change-tracking process to ensure the changes are made from system to system.
Simulation has a Remediation Plan report that can be given to the system administrator
responsible for making changes to the access security model.
3. Make changes in the underlying system.
Using the change-tracking process, request and make changes in the underlying
system. For instance, in an Oracle E-Business Suite environment, you may remove a
function from a menu that causes conflicts. During this process, the access security
model may change, or compensating controls may be put in place. In either case, the
result should produce fewer incidents on the next run.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
If you h ara trthe
followed a nmodel analysis section as recommended, you will have loaded the content
B -
as models,nreviewed and updated the entitlement and model definitions to ensure they are
no to your company and you may have even done some initial clean up. At this point,
applicable
you should have deleted models that do not make sense for your company and deployed
those models that do make sense as controls.
When deploying the models as controls based on the subject matter expert workshops and
close interaction with the control investigators who know and understand the control and
risk you should have been able to add a priority and any perspectives that will help you
categorize and prioritize controls.
You are now ready to run an analysis. Your companys goals will determine your next steps. If
you already know, for instance, that the procure to pay controls are your highest priority (and if
you have created a Business Process perspective with a Procure to Pay value), you may
choose to run analysis only on controls with that perspective value. If you arent sure where to
focus your efforts first, you may want to run analysis for all controls so that you can see where
the greatest volume is by priority or business process, for instance. This may help give you
the direction you need to select a focus area to begin remediation on.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
ath nsare r
fecaused
h a
Intra-Role rIncidents
a when access points within the same role conflict. Clean these
B
up first, as n t r
- role has been incorrectly set up if it contains access points that conflict with
the
no When you start by eliminating intra-role incidents, you may also clean up several
each other.
inter-role incidents.
1. View Intra-Role Violations by Control Report found in the Report Management task. This
gives a high-level view of roles that have conflicting access points within themselves.
You may want to focus on controls you have rated as the highest priority.
2. View Access Violations within a Single Role (Intra-Role) Report. For a given role that
has conflicting access points within itself, this shows the controls that are violated and
their details including the users and access points with incidents.
First, use the Intra-Role Violations by Control Report to determine your highest priority
controls with intra-role conflicts. Then run this report and focus on cleaning up the roles
related to those high-risk controls first.
In most cases, however, a role should not contain access points that conflict with one
another. The Access Violations within a Single Role (Intra-Role) report identifies such
roles so that conflicts may be removed from them.
3. Within the Manage Incident Results panel, analyze using visualization and various
searches to determine when conflicting access points for one role have been violated.
4. Determine how to remediate.
These reports, along with online analysis, will help to give context to what access an
individual role has, along with the users that have those roles. It is up to the business to
s a
decide how to remediate those incidents. Generally, the conflicting access points within
h
) a
an individual role should be separated out. One of the conflicting access points may
o m
p e c uide
already exist in another applicable role, or potentially a new role will need to be created
h nt G
so that the intra-role conflict can be cleaned up.
@
5. Simulate. r
a tude
u m
d y -k his S
Before actually making any changes in your business system, you may want to simulate
r e d se t
what would happen if you were to make the change. Navigate to Simulation and exclude
users. a r ath e to u
an access point to see how your action would impact your conflicts, roles, controls and
aaa
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
)h a
m
co uide
e
@ hp nt G
m ar tude
Payments y - ku responsibility
Same
i s S has two
Suppliersred
d t h
conflicting functions (intra-role)
s e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Intra-Role a r a nsfe
Example
Bh n-traResponsibility: Financial Management-General Ledger has two functions
no
In this example,
(Payments and Suppliers) that are conflicting.
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a
Inter-role r ath noccur
incidents s ferwhen access points conflict with each other across roles for a single
Bh n-tra
user.
noincident Management Process:
Inter-role
1. View Users with Access Violations by Control report. This is a high-level listing of users
that violate controls.
2. View Access Violations by User report. This lists the top 10 users with incidents across
roles, as well as details for every user that has violated a control, the roles and access
points that cause the violation.
First, use the Users with Access Violations by Control Report to determine your highest
priority controls with inter-role conflicts. Then run this report for those controls. By doing
so, you will get a list of users that have violated those controls, and will be able to
quickly see who has access to more than one role causing conflicts.
3. Within the Manage Incident panel, analyze using visualization and various filters to
determine when one use has conflicting access points that span across roles.
Before actually making any changes in your business system, you may want to simulate
what would happen if you were to make the change. Navigate to Simulation and exclude
an access point to see how your action would impact your conflicts, roles, controls and
users.
6. Remediate.
Following your company change-tracking process, request that the change be made in
your business system. For instance, if you decided to revoke a role assignment for a
a
user, be sure to let that user know your plans and be sure this change actually makes it
s
to the production system. h
) a
7. Repeat. o m
p e c uide
Remediation is an iterative process. Continue to focus on high-priority, high-risk, and
@ h nt G
r
high-volume areas to clean up your business system.
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
In theh
Manage n fepanel, view pending incidents by control, and filter records by various
ara trControls
s
B including
columns - a priority, risk, business process and any other perspectives you may have
no n
identified to help secure and categorize your controls.
In the Manage Incident Results panel, view pending incidents in the Control Summary view
and drill into any control for a filtered list of related incidents. Focus on incidents tied to
specific priorities, risks, or business processes by setting and saving searches to help
manage and analyze records.
Try using the visualization feature to view conflict paths in a graphical format and easily
identify inter- and intra-role incidents.
Assign status to incidents: The Manage Incident Results grid has functionality to set statuses
on each incident. For instance, if a control has been set with the Approval Required
enforcement type, the incidents it generates can be accepted or set to remediate in the
Manage Incident Results grid. This can be done individually or several at a time. By setting
the status here, you can return to the Manage Inci-dent Results grid later to review incidents
set to remediate status, or you can run reports for incidents in the remediate status and
determine how to clean up your business system. When incidents are remediated in the
business system (i.e. a function causing a conflict is removed from a menu) the next time ETL
and analysis is run the status for those incidents that have been cleaned up will automatically
be set to a closed status.
having to set a status each and every incident (for instance, you may be focusing on cleaning
up the Purchasing Clerk responsibility but by removing the Create Supplier function from that
responsibility, you will affect many users and many incidents will automatically be closed the
next time ETL and analysis is run).
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Select
Rows
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
)h a
m
co uide
Incident by Control e
Summary Report @ hp nt G
m ar tude
Access Incident
y - ku is S Access Point
Details Report e d
d se t h Report
r
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
Running ar s fe or extract is another way to analyze incidents and help with
aseedednreport
Bh n-Intraddition
remediation.
a to the reports already mentioned, below are additional reports
no used to help analyze incidents:
commonly
Incident by Control Summary Extract Report
Use this to get a summary of pending incidents for each control. See the last time the
control was run, any comments associated and use as a general summary level report
to help determine where to focus your remediation on.
Incident Details Extract Report from the drop down and click extract.
Once you have the data in Excel or a similar application, slice and dice the data to view
conflicts in a way that will help you with the remediation process. For instance, creating
a quick pivot table in Excel is a great way to see where your conflicts are and what
paths are causing the incidents.
Access Point Report
This report can be used to get conflict path information, which will help lead to access
model hierarchies that need to be cleaned up in the system. For instance, if you find that
a
a s
the Access Violations within a Single Role report identifies the Vendors and Payment
h
)
Actions functions as conflicting access points, you can use the Access Point Report to
m
find the access paths those functions are used in. o
c uide
p e
h nt G
r @
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
Initially,a r a appear
incidents n s fe in the Manage Results home page at an Assigned status, which
Bhthatnyou
means - tra(potentially along with others) have been designated to address them. You
no
can update an Assigned incident to any of the following statuses:
Accepted, which means you have determined that nothing need be done to resolve the
incident.
Remediate, which means you have decided that some action must be taken in the
business-management application to resolve the incident.
Resolved, which means you have confirmed that the remedial action has been carried
out in the business-management application.
GRC may set other statuses:
Authorized is given to incidents that result from preventive analysis: If a control violation
causes the assignment of a role to a user to be suspended, a result investigator then
approves the assignment, and the control is subsequently run, incidents related to the
assignment receive Authorized status.
Control Inactive means that an incident is no longer of concern because the control that
generated it has been inactivated.
Closed indicates that because an incident has been resolved in the business-
management application, a subsequent evaluation of controls finds that the incident
need no longer be addressed.
incident may be at the Remediate status and In Investigation state; a user may update status
from Remediate to Resolved; if he saves, rather than submits, the change, the incident
remains at the In Investigation state. Or, a Resolved (and Approved) incident may be
reopened, its status changed to Remediate. If it is submitted, its state changes to In
Investigation; if it is saved, its state remains Approved.
If the status of an incident is Authorized, its state is Approved; if its status is Closed or Control
Inactive, its state is Closed.
State matters in part because the Manage Results page presents pending incidents by
s a
default, other pages show counts of pending results, and pending incident results are defined
h
) a
as those at the In Investigation state. (State matters also because each users access is
o m
p e c uide
determined by his data roles, which specify states at which he may access data.) To cause
the Manage Results page to display incidents at other states - presuming your data roles give
@ h nt G
you access to data at those states. r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
apaths
a
All conflict
h -trawould n have to be resolved in order to see a net change in conflict impact
B n find PN_NAVIGATE_GUI menu and select it. That node in the graph will
From theograph,
then benbold
From the graph, find Financial Management menu as PN_NAVIGATE_GUIs parent and
select it.
The line that joins between the two nodes will now be red.
Double click on the red line and the remediation step will automatically get created under
Remediation Steps.
Save the record
From the menu select Run Statistics to see the impact of the simulation
management application
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r athfor use s f er
h a
For example,
t r a n when you actually implement a remediation plan in a business-
B
management n-application you can print a remediation plan or save it to your computer. To
nothe
do so, run simulation and then select Actions > View Remediation plan in the Statistics
panel. You are then prompted either to save, or to open and print, a copy of the plan in .PDF
format.
analyze conflicts
Prioritize
add focus with conditions
clean up
re-evaluate
It is a repetitive process.
s a
a
Initial remediation may require new conflict analysis runs
)h to
be executed several times in one day or depending m
co uideon
e
@ hp steps
how long it takes to run through the previous
n t Ga
r
longer period. ma ude k u S t
-
dy this
r e d se
r t h
a e to u
a
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
r a nsfcan e
Perhaps
h aremediation
t r a be done throughout the week, with a new conflict analysis run at the
B
end of each - to provide a fresh look at where conflicts stand. Conflict analysis and
week
nonare slightly different for every company. This document was intended to provide
remediation
guidelines and example approaches based on best practices.
A common approach to remediation is to analyze incidents, prioritize, add focus with
conditions, clean up, and re-evaluate. It is an iterative process. Initial remediation may require
new analysis runs to be executed several times in one day or depending on how long it
takes to run through the previous steps a longer period. Perhaps remediation can be done
throughout the week, with a new analysis run at the end of each week to provide a fresh look
at where incidents stand. Analysis and remediation are slightly different for every company.
This document was intended to provide guidelines and example approaches based on best
practices.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
a. Visualization
b. Simulation
c. Remediation
d. Re-evaluate
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:abr a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:abr a nsfe
Bh n-tra
no
Define remediation
Understand remediation considerations and Checklist
Identify AACG remediation steps
Use the incident reports
Run conflict reports
Use simulation s a
h a
Setup iterative clean-up process m) co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
Once h aracleanup
most
t r a n has taken place, and the customer feels comfortable with the incidents
B - to remain, the AACG Manage Access Approvals feature is normally turned on.
that are known
nonimplements preventive SOD analysis it applies access controls to users as
This feature
they are being assigned duties in the Oracle FND Users form, the PeopleSoft User Profile
page or the Fusion Oracle Identity Manager (OIM). It rejects role assignments that violate a
Prevent control, and accepts assignments that violate a Monitor control (or no control). If an
assignment violates an Approval Required control, AACG suspends the assignment and
displays an entry for it in a Manage Access Approvals panel, for review by the investigators
designated by the control. If an investigator approves, the assignment is allowed; if he rejects,
it is disallowed.
This is just one of two ways to exert preventive control over user provisioning. The other is
Oracle's strategic method: implement Oracle Identity Management, and configure OIM's
entitlement approval workflows to display AACG conflict analyses in OIM. This is accelerated
thanks to Oracle's ready-made OIM+AACG integration.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Preventive
..which prevents / rejects assignment of responsibilities /
roles to an existing or new user in the underlying Business
Application
Monitor
..which allows assignments but requires monitoring by a
supervisors h a s
m )
Approval Required o
c uide
p e
h nt G
..which suspends assignment and seeks r @
Approval/Rejection from an APPROVER a tude
um -k his S
d y
d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Prevent State:
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a r a nsfe
Bh n-tra
no
No Conflict State:
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
In AACG .. In EBS.
If there is no conflict, the In the Oracle Users form, an end
assignment is allowed. date in the future (or no end date)
may be configured for
responsibilities assigned to the
user. s a
a
)h
In PeopleSoft, roles remainmadded
co utab
to the users list in theeRoles ideof
p
h nt G
the User Profiler@ page.
m a tude
u
-k his S
d y
d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
deployed
Notification is also sent when incidents are generated
Can be run at any time or scheduled to run daily or at
hourly interval
One notification is sent for one control when one or more
incidents are generated
a
Queued notifications are consolidated for any controlhtype sa
to the participants m )
c o e
h p e G uid
a r@ dent
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Defining a r
Your n s fe Schedules
a Notification
Bh nschedules
- tra determine how often users are notified when incidents are generated.
no
Notification
A consolidated email message is generated for each result investigator, showing all violated
controls for which no prior notification had been sent. Before creating a notification schedule,
consider how often incidents will be generated, and how immediate is the need to review or
fix those incidents.
In AACG
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
Email notification when incidents are generated y - kufor a icontrol
s S
e d
d se t h
r
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r
Notification
aschedules
n s fedetermine how often users are notified when incidents are generated.
Bh n-tremail
A consolidated
a message is generated for each result investigator, showing all violated
o which no prior notification had been sent. Before creating a notification schedule,
nfor
controls
consider how often incidents will be generated, and how immediate is the need to review or
fix those incidents.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
araare
Whenhusers
t r a n
assigned roles in business applications, and the assignments violate existing
B - of the Approval Required enforcement type, EGRC suspends the
access controls
non and lists them for review in the Manage Access Approvals page.
assignments
Note: If role assignments violate Prevent controls, EGRC denies them; if role assignments
violate Monitor controls, EGRC allows them. In both these cases, the role assignments do not
appear in the Manage Access Approvals page.
For control violations that occur in Oracle EBS or PeopleSoft, use this Manage Access
Approvals page to approve or reject responsibilities or roles involved in the conflicts. You are
able to review those assignments for which Approval Required controls both find conflicts and
name you as a result investigator:
1. In the top portion of the Manage Access Approvals page, locate the user whose
assignments you wish to review, and click on the + symbol next to his name.
2. One or more subordinate rows appear. Each shows a role provisionally assigned to the
user, the start and end dates configured for it, the business-application instance on
which the conflict exists, and a status (which is set initially to Pending).
In the Status field of each row, select Approve or Reject. Optionally, type a comment
about your decision in the Comments field.
After reviewing conflict paths, you may determine that you should reject the role
assignment. If so, change the status in the upper half of the Request page to Reject.
(When you alter a decision, it's advisable to rerun the Preview feature for those roles
you still want to approve.)
4. When you have set status for all provisionally assigned roles to Approve or Reject, click
on the Submit prompt (in the Submit column of the parent row that identifies the user, in
the upper half of the page). The user's record then disappears from the Manage Access
Approvals page. If the control is rerun after roles have been approved, incidents related
a
to those roles appear in the Manage Incidents page, with the status set to Authorized.
s
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath page s f er
Use the
h aHistory
t r a n essentially in the same way as you would use the upper half of the
B
Approvals n -
page:
n o
The page displays rows containing the user names of users whose responsibility or role
assignments have violated access controls. Locate the user whose request you wish to
review, and click on the + symbol next to his name
One or more subordinate rows appear, each showing a role assigned to the user, the
start and end dates configured for it, the Oracle EBS or PeopleSoft instance on which
the role was assigned, the status selected for the assignment, and any comments
entered by the user who approved or rejected it.
If you have view rights, all you can do is review these entries. If you have update rights,
then for any row set to the Pending status, you can select a Reject link in the Reject
column, and then select a Submit link in the Submit column. The responsibility or role
assignment is then end-dated in the Oracle EBS Users form or deleted from the Roles
tab on the PeopleSoft User Profiles page.
disappear from there, and her responsibility-assignment statuses are reset in the History
page to the values (Approve or Reject) selected in the Approvals page.
Users with view permission to the Manage Access Approvals History page can review
approval history.
Users with update permission to this page can both review history and reject role
assignments at the Pending status; other statuses cannot be updated.
The assumption is that such users would reject Pending roles only under extraordinary
circumstances (for example, the participant for a control has resigned from the
company); update rights to the Manage Access Approvals History page should be
s a
granted sparingly. a
)h
m
co uide
View and update rights are, of course, determined by roles assigned to GRC users.
e
p use
We can Use the History page essentially in the same way as wehwould Gthe upper half of
@ n t
the Approvals page:
m ar tude
It displays rows containing the user names of k
- u whoShave violated access controls.
users
Locate the user whose request you wish d y is click on the + symbol next to his
dto review,thand
name
h r e us e
r a t t o
One or more subordinate rows
(
start and end dates, the b ha appear, n s
roles instance,
e each
the
showing a role assigned to the user, the
status , and any approvers comments.
d y l i c e
R edrights,
If you have view
a b le you can do is review the entries.
all
r a th update
If you have
s f errights, then for any row set to the Pending status, you can Reject &
a
h -tran
Submit.
B n
Theoresponsibility or role assignment is then end-dated in the Oracle EBS Users form or
n
deleted from the Roles tab on the PeopleSoft User Profiles page.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
a. Prevent
b. Approval Required
c. Monitor
d. None
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
a,
ab, c nsfe
Bh n-tra
no
business application:
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
AACG Reporting
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
Note:h ara tranGRC
Embedded sfeIntelligence provides reports and dashboards if it is implemented with
B8.6.4.nIn- the courseware we do not include reports from GRCI
GRC
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
Contextual
h Reporting
t r an for Incident Results
B -
When you
n onselect Control Summary in the View By list box of the Manage Results home page,
you can generate the following reports:
Intra-Role Violations by Control Report lists access controls that generate intra-role
conflicts for which incidents exist at the Assigned, Remediate, Authorized, or Accepted
status. For each control, it also lists the roles for which the conflicts are generated. An
"intra-role" conflict is one involving privileges granted by a single role.
Users with Access Violations by Control Report lists access controls that have
generated incidents at the Assigned, Remediate, Authorized, or Accepted status. For
each control, it lists users whose work assignments have violated the control.
Result by Control Summary Extract Report lists access and transaction controls that
have generated pending incidents, and provides information about each control.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r h sfer
atPoint
a
Access
h is-tnotr anaReport lists paths to access points involved in conflicts. Each record in the
Breportn conflict in itself, but rather one path (potentially among many) to one of
noaccess
the points involved in a conflict.
Access Violations Within a Single Role (Intra-Role) Report lists roles for which access
controls generate conflicts between privileges granted within a role, so that the role
cannot be assigned to any user without a conflict occurring.
Access Violations by User Report lists ten users with the greatest number of conflicts,
the number of conflicts for each, and information about those conflicts.
Result Summary Extract Report lists incidents generated by access and transac-tion
controls, providing summary details for each.
Access Incident Details Extract Report lists incidents generated by access controls,
providing not only the information that would be included in the Result Summary Extract
Report, but also additional details.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a
The r ath nDetail
Control s ferExtract Report provides information about continuous controls. For
h control,
Beach - tra it gives the processing logic, conditions, and other values that define it;
n
no who created or updated it, and when they did so; and perspectives and result
users
investigators associated with it.
The Conditions Report provides information about three sorts of condition that may be
set in AACG: A global condition specifies objects exempted from controls on a given
datasource; the report lists global conditions by datasource. A global path condition
excludes one access point from another, exempting paths including both points from
analysis; the report identifies each excluded access point and its parent. A control-
specific condition is like a global condition, but applies to only one control; the report
lists controls that contain conditions.
The Entitlement Report lists access points belonging to each in a set of entitlements (an
entitlement being a set of access points that may be included in a model or continuous
control).
t h R ra
a
TherAccess s fe report displays records of role assignments in business-
a nApprovals
h -tra applications which, because they violated Approval Required controls,
Bmanagement
nonsuspended until a control participant could review them.
were
The Result Summary Extract Report lists incidents generated by access and transaction
controls, providing summary details for each. These include an Incident Information
value the path by which a user can reach one in a conflicting pair of access points, or
the value of the first attribute selected (during model configuration) to characterize a
suspect transaction.
The Access Incident Details Extract Report lists incidents generated by access controls,
providing not only the information that would be included in the Result Summary Extract
Report, but also additional details.
The Transaction Incident Details Extract Report lists incidents generated by a
transaction control. It provides not only the information that would be included in the
Result Summary Extract Report, but also values for all attributes selected to
characterize suspect transactions. These attributes vary from one control to another, so
each run of the report must focus on a single control.
PDF (Adobe)
CSV (Excel)
Reports can be either .
Opened immediately after generation and printed
Or
Saved locally and printed later. s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
areports
As youh a
run
t r a nyou can select parameter values, thus focusing the results on records that
B
match those -values. Parameters vary from one report to another; in general, they correspond
non you make as you create or otherwise work with the object on which you are
to the selections
reporting. As you set parameters, you would select among the same values.
For example, a Control Detail Extract Report (for EGRC) enables you to select among values
you would set as you create continuous controls, such as name, type, enforcement type,
priority, and other values. For each report, you can also select the format in which the report
should be generated PDF (Adobe Acrobat file) or CSV (a text file for export to another
application, such as a spreadsheet).
Select parameter values in a Parameters pop-up window that opens as you run or schedule
reports.
To use a set of saved parameter values, choose it in the Select Saved Report Parameters list
box that appears in the Parameters pop-up window. (This list box is available regardless of
whether you are running an ad hoc report or scheduling a report.)
In this list box, you can select a Personalize option. This opens a Personalize Saved Report
Parameters dialog. In its list box, select one of the sets of saved parameters. Then do any of
the following:
Click the Delete button to delete the set of saved parameters.
Select or clear a Show in Saved Report Parameters check box to make the set of
a
parameters available, or hide it, in the Select Saved Report Parameters list box.
s
a
)h
Select or clear a Default Report Parameter check box to apply the set of parameters
m
co uide
each time you run the report. (This option should be selected for only one set of
e
set of parameters.) @ hp nt G
parameters per report. Clear the existing selection before setting this option for a new
e d d
selections, and the OK button to close the dialog.
th
r e
r a th to us
( b ha nse
d d y l i ce
R e able
a r ath nsfer
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
If you h arascheduled
have
t r a n a report to run, the bottom portion of the Report Management page can
B
for the n on- a(Note
display either
report.
row for each generation of the report or a row for each schedule configured
that the Last Run Date and Last Run By columns in the top portion of the
screen are populated by GRC, but only for scheduled runs of reports, not for ad hoc runs.)
To view a report generated on a schedule:
1. In the top portion of the Report Management page, click on the title of the report you
want to see.
2. In the top portion of the page, click on Display > Report History.
3. In the bottom portion of the Report Management page, click on the row representing the
instance of the report you want to see. Then select Actions > View Report.
(To remove an instance of a report, click on its row in the bottom portion of the page, and then
select Actions > Delete.)
in the row for a schedule, then select Actions > Reschedule/Unschedule Report Job.
The Schedule Parameter pop-up window reopens. You can re-enter schedule values
and select a Reschedule button, or turn off the scheduling by selecting an Unschedule
button.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
) h a
Managem Incidents
Manage Controls o
c Paneluide
Panel p e
h nt G
r
a tude@
Reports -k u m S
d y h i s
r e d se t
Management
a r ath ePanel t ou
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tuManage de Controls
u m
d y -k his S Panel
e d e t
t h r us
r a t o
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
a r a e t o
h
(b 2015, s
n and/or its affiliates. All rights reserved.
d y
Copyright l i c eOracle
R ed able
r ath sfer
ETCG h a
Overviewan
tr with rapid implementations in mind, a best-practice library (a set of
B n -
no
ETCG was designed
delivered templates) may be used to deploy models for immediate transaction analysis. The
best-practice library for the Oracle E-Business Suite (EBS)/Peoplesoft provides models that
support rapid implementation of transaction analysis around common end-to-end business
processes. These include Order-to-Cash, Procure-to-Pay, Financials (or Reconcile-to-
Report), and Human Resources (or Hire-to-Retire).
s a
a
)h
m
co uide
e
@ hp nt G
Upgrade Run
m ar tudeAnalyse,
Controlsktou S Resolve and
Models as
d y - i s
r e
Generate
d e th Remediate
Controls
t h u s
Incidents Incidents
a r a e t o
h
(b 2015, s
n and/or its affiliates. All rights reserved.
d y
Copyright l i c eOracle
R ed able
r ath sfer
ETCG h a
Setup an
r
B n
Althoughoyour
-tSystem Administrator can set up Transaction Controls Governor in many ways,
n
the diagram illustrates the suggested method, and we recommend that you follow this order.
Some steps are required, and others are optional; you would perform the optional steps only if
you are ready to use the features or business functions implemented by those steps.
t h R ra
a r a nsfe
Bh n-tra
no
Model Types
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Defined-Type
Pattern (model that contains a pattern filter)
Filters
Defined / Standard
Function (supports three aggregate functions: Sum, Average, Count)
Patterns
Benford, Mean, Paretto, Absolute Deviation, Anomaly Detection and
Clustering
s a
Business Objects a
)h
Delivered (seeded in application) m
co uide
e
Custom Business Object
@ hp nt G
Imported data set for use as business object,
m ar tue.g. dexml file
uploaded by user u
-k his S
d y
d se t
r e
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Models: a r a nsObjects,
Business
fe Filters, and Result Data
B h -tra
on objects and datasources are selected, create one or more filters in the Model
Once business
n
Logic pane. A filter is a logical statement that defines what makes a transaction risky (or, if a
model contains more than one filter, defines one element of the risk).
A standard business object is a business-language label for one or more database tables
(existing in one or more datasources) that hold information pertinent to transactions. ETCG
has a selection of business objects; and others can be uploaded via a Business Objects
Administration page (available from the Administration node in the Navigation panel).
In addition, you can import any set of data as a custom object and use it as if it were a
business object.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
controls only:
a. True
b. False
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:aar a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath cans f er
a
h -tran run only after at least one model has been created and saved.
Synchronization be
B n
ETL synchronization may be run on demand, or it may be scheduled to run at regular
noVarious
intervals. factors dictate how often either on-demand or scheduled synchronization
should occur.
In general, whenever data within ETCG is believed to have aged substantially beyond
equivalent data in a datasource, synchronization should occur before transaction analysis is
run against that datasource. Transaction data changes daily, so a daily synchronization is
recommended if transaction analysis is also performed daily.
If, for another example, your company evaluates transactions on a monthly basis, then you
may need to run the synchronization process only once a month.
Keep in mind that you can always run an on-demand synchronization if necessary. However,
this must be completed before the transaction analysis is performed.
When using a business object for the first time, ETL is triggered
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
h -tranfor Transaction
Data Synchronize
B
non optionsynchronization
For Administrators,
Synchronize for Transaction
can be run via Administration > Data Administration
Use the synchronize option in either location to update business objects that were previously
synchronized.
ETL is only run for business objects and datasources used by transaction models (meaning if
a business object like Buyer is not used in any user model, no ETL is performed; and
when an object is used in a model, Synchronization only occurs from datasources associated
to the object)
The synchronize option may not be available if kicked off by another user; it becomes
available when it has completed.
Periodically, you need to synchronize data used by EGRC models and controls capture
changes made in the business application (datasource) in which the models and controls
evaluate risk
Each time a datasource is synchronized, GRC updates fields in the row for that datasource:
Last Access Synchronization Date and Last Access Synchronization Status show the date of
the most recent access synchronization, and its completion status. Last Transaction
Synchronization Date and Last Transaction Synchronization Status do the same for the most
recent transaction synchronization.
s a
Jobs a
)h
Manage Jobs: m
co uide
e
Managing Jobs includes
@ hpsynchronization,
n t G model
analysis, import, r
a tude
and export model results.
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Administration
Administration Management : s a
a
)h
Define transaction datasources, and assign one
default source for TC. m
co uide
e
Pattern Management:
@ hp nt G
Upload new ror revisede
Oracle.m
a tud patterns provided by
y - ku is S
e d d BusinessthObject Administration: Dictionary and
t h r u se of delivered objects.
mapping
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
r e
a nsfDatasources:
Manage
h aApplication
t r a Use the Manage Application Datasources page to set up
B
Oracle EBS, -PeopleSoft, Fusion, or other datasources, and to synchronize data for those
non Datasource management applies only to EGRC (the CCM module), not to
datasources.
EGRCM (the Financial Governance and custom modules).
Manage Application Libraries: You can upload new business objects or patterns for use in
models and continuous controls, or connectors to link GRC to datasources other than Oracle
EBS or PeopleSoft (for which GRC uses a default connector). Application library management
applies only to EGRC (the CCM module), not to EGRCM (the Financial Governance and
custom modules).
The Properties tab opens a page that sets values required for
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
Performance an
h -tConfiguration
r
B
non to operate
Enable Era-Based
synchronization
ETL Optimization: Select this check box to cause ETCG data
only on data entered in business-management applications after a
specified date.
Note: This setting has no impact on data synchronization operations for AACG.
When you select the Enable Era-Based ETL Optimization field, and Analysis Start Date field
appears. In it, enter a date from which you want synchronization runs to recognize data
changes. When you click in the field, a pop-up calendar appears. Click left- or right-pointing
arrows to select earlier or later months (and years), and then click on a date in a selected
month.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
UploadhPatternsan
r
tstatistical
B are n -
n o
"Patterns" functions, supplied by Oracle, that may be used in the creation of
Transaction Controls Governor models. Independently of GRC releases, Oracle may issue
files (in .jar format) that contain patterns. To upload these files:
1. Click on the Patterns tab.
2. Click on Action > Upload File.
3. An Upload Pattern pop-up window opens. Click on its Browse button.
4. A Choose File dialog opens. In it, use standard Windows techniques to navigate to, and
select, the file you want to upload. The path and name of the file then populate the field
next to the Browse button in the Upload Pattern window.
5. Click on the Upload File button. A pop-up message reports the status of the upload
operation. Click on its OK button to clear it, and then click on the Close button in the
Upload Pattern window.
In the Patterns page, rows display information about patterns you've uploaded for each, the
name, description, and version.
t h R ra
Businessa r
Object s fe
a nAdministration Page
B h -tra
non models in Transaction Controls Governor, you work with business objects,
As you create
each essentially a business-language label for one or more database tables that hold
information pertinent to a transaction. Business objects contain attributes, each a business-
language name for a column within the selected object. Although GRC comes with a selection
of business objects already configured, more will be developed over time. As they are made
available, you would upload them from files to your GRC implementation. You use the
Business Object Administration page to do this.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r a th sfer
a
Business
h Object t r anMappings and Dictionaries
B -
non a business object upgrade, you would upload two files (both of which are in OWL
To complete
format):
Business Object Dictionary: This is the Semantic Data Dictionary (SDD). It is a
collection of generic business definitions of a single object regardless of any application
instance.
Business Object Mapping: This is the Semantic Data Mapping (SDM). This is the
mapping of the attributes of the associated Business Object Dictionary to the physical
store specific to an application (Oracle E-Business Suite or PeopleSoft).
Examples of attributes for a Business Object called Customer include:
Customer Name, Address Line 1, Zip, and Customer ID.
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
Model h a
Planningaand
t r n Setup
B -
n on
Your organization may decide to load the best-practice transaction models. By doing so, you
will have a number of analysis models to be reviewed with appropriate business owners, and
compared against your organizational goals for governance, risk, and compliance (GRC). It
may be necessary to edit models or add new ones.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
e
Model h ara transf
Planning
B napproach
A common
n o - is outlined in the following steps:
1. Identify GRC goals of the company.
2. Load the best-practice model library.
3. Hold meetings to review models.
4. Prioritize the models you plan to create or edit.
5. Create and edit models as needed.
6. Generate and view results.
7. Validate and refine models.
t h R ra
a r a nsfe
Bh n-tra
no
These include:
Oracle R12.1, which is the current delivered integration
(adapter and metadata).
AG Schema for 8.x that is used in conjunction with
Authorization type business objects. (The datasource
basically points to itself to leverage access-oriented object
information stored in GRC.) s a
a
)h
XLS Datasource is used in conjunction with spreadsheets m
co uide
e
you may have leveraged to create your own
@ hp custom
n t G
r de
objects. It is not necessary to defineathis datasource under
u m t u
the Data Administration page.y-k
d dis S th
r e e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
Manage a
h Models t r an
B -
on Model page does not provide immediate access to models created by other
The Manage
n
users. You can share models you can export your models so that other users can import
them, or you can import models exported by others.
t h R ra
r a Manages e
fModel
Actions a
from
h -tra n includes:
B
non
Create New takes user to Create Model page
Edit takes user to Edit Model page
Delete remove models that are no longer used
Duplicate copy action applies incremental number after name
Synchronize runs transaction ETL
View Results run/access model data results
Import upload model definitions
Export saves model in xml format (import/export enables re-use across instances and
model sharing)
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
Status may include: m
co uide
Not Started, Started, Completed, Error, and Canceled e
@ hp ntlink G is
When model has a status of Completed, a a r
View Results
de
available to access existing results u m t u
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
e
Model h ara transf
Status
B n-indicates whether the model has been evaluated and has produced results
no
Model status
records of transactions captured by its filters. In addition, an Error status links to the GRC
Jobs page, which can provide information about processing
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
page
Select download, define file name and save
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
page
Locate and select the file to import
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
a,
ac nsfe
Bh n-tra
no
a. Business Application
b. ETCG Application
c. AACG Application
d. Continuous Control Monitoring Module
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
b,
ad nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:a r
a,
ac nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Answer:abr a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a
Use Custom r a Objects
n s fe
Bh nxml-trfilea
n o
Before the is uploaded, the following format-related conversions must be made in the
datasource xls file:
Computed values should be converted to absolute values.
Any "total" amount rows not directly tied to specific data attributes should be removed.
Numeric formatting, such as $ signs, is not supported. The format should be changed to
Number format.
Negative amounts should be formatted to use a negative sign, , not open and close
parentheses.
Date format is mm/dd/yyyy.
Excel 2003 and later are supported. (You can take an xls file as the datasource, properly
format it to support upload to ETCG, and perform a Save As operation to convert it to an xml
file.)
If you choose to refresh an existing custom object, the new file must use the exact format of
the original. Columns (attributes) can neither be added nor deleted. Only additional rows of
values can be added. Moreover, only the user who added the custom object has access to it,
or can refresh it.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
e
nsf
ara traObjects
ImporthCustom
B n -
n oa custom
To upload object:
1. Click on the Custom Objects button in the Library. An Import File dialog opens.
2. Create a name for the object in the Name field. This is the object name the Library will
display.
3. Click the Browse button. A Choose File dialog opens. In it, use standard Windows
techniques to navigate to, and select, the file you want to import. The path and name of
the file then populate the field next to the Browse button in the Import File window.
4. With the file selected, click on the OK button. The custom object is now available for use
as if it were a standard business object.
t h R ra
a
The Library r a nsfe
Bh nthe-trlefta
n o
In a grid at of the Create Model page, select (click on) the Business Objects tab, and
then on an object in the grid. (Although it's unlabeled, this grid is known as the Library.
More business objects may exist than can be displayed at once, and so the Library is divided
into pages. Click on the icon that looks like a right-pointing triangle to move forward one page,
or the right-pointing triangle with a vertical bar to move to the last page. Click on the left-
pointing triangle to move back one page, or the left-pointing triangle with a vertical bar to
move to the first page.
1. Model Objects
s a
h
) a
2. Model Logic
o m
3. Result Display p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
Review available attributes, or add custom
h
) a
attributes
o m
Apply Data Sources to model; when p e c datauide
default
@ h when n t G
source defined, assigned automatically
a r d e saved
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
e
nsf
ara traAttributes
CreatehCustom
B non- the green + icon. A dialog box opens, labeled with the name of the
1. Click
no
business object.
2. In an Attribute Name field, create a name for the new attribute.
3. In a Base Attribute field, select one of the existing attributes.
4. In a Modifier field, select a mathematical operator: + (addition), (subtraction),
* (multiplication), or / (division).
5. In a Value field, enter a value that the Modifier will apply to the Base
Attribute.
6. Click on the OK button.
Subsequently, you can use the custom attribute in filters. Custom attributes appear at the top
of the list of attributes displayed by the business object, and each has an edit icon (which
looks like a pencil). You can click on a custom attribute to open another dialog box in which
you may either edit or delete the custom attribute.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
ara tRegion
ModelhLogic
r an
B -
nonA filter
Once business
Logic pane.
objects and Data Sources are selected, create one or more filters in the Model
is a logical statement that defines what makes a transaction risky (or, if a
model contains more than one filter, defines one element of the risk).
New Filter
To add the first filter to a model, click on a button (or a corresponding option in the Actions
menu) that selects the type you want New Filter for a defined filter
New Function
A defined filter may specify a function that operates on its attribute for example, calculating
the average of purchase-order amounts. If so, it uses a grouping feature to establish sets of
records to which the function applies for example, it may group records by supplier so that
it can calculate an average purchase-order amount for each supplier.
New Pattern
A Pattern filter employs a pattern a statistical function, provided by Oracle, that identifies
baselines and outliers to those baselines. A model can contain only one pattern, so you can
select the New Pattern button only once.
AND filters
Condition across Object
Type
Contains condition
against text attribute
s a
a
)h
m
co uide
e
@ hp nt G
OR filters, m ar tude
combined y - ku is S
e d d th
with AND r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
Createha Filter an
B -tr
To createoanfilter:
n
1. Click on the New Filter button, or on Actions > New Filter. A dialog box appears in the
Model Logic pane.
2. In the header area of the dialog box, enter a name for the filter in the field next to the
label Filter.
3. An Object field lists all of the business objects you've added to the model in the Model
Objects pane. Select (click on) the one from which you want to select an attribute for use
in this filter.
4. An Attribute field presents a list of attributes belonging to the object you selected in step
3. Select (click on) the one you want to use in this filter.
t h R ra
a r
The function n s fe this grouping on its own, in which case groups contain records for
a can perform
Bhthe values
which n - traof an attribute exactly match. In the example, it might group records by Bank
noID.
Account
Or, the function can be used in conjunction with a filter that uses the Similar or Similar to
condition to create groups of records. In the example, the filter might create sets of records for
which an Account Name attribute contains values that are 95 percent similar.
If you intend to use such a filter to group records, create it first. Then create the function,
placing it in an AND relationship with (below) the filter.
You can add one pattern to a given model (and the addition of
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
1. In a r
the s fe pane, click on Actions > New Pattern, or on the New Pattern button.
aModelnLogic
BAhdialogn - ra appears. Note, however, that you must first have selected at least one
tbox
no object for the model with at least one attribute that provides data upon which
business
patterns can operate (in the case of Benford and Mean patterns, numeric values).
Otherwise, an error message informs you that no patterns are associated with the
selected business objects.
2. In the header area of the dialog box, enter a name for the pattern in the field next to the
label Pattern.
3. In the Pattern list box, select the pattern you want to use. (If you have not selected a
business object appropriate for your patterns, however, this list box is empty.)
4. Click on the green + icon; a row appears beneath the Object and Attribute headings. In
the Object field of this row, select a business object; in the Attribute field, select an
attribute belonging to the object. These fields display only objects and attributes upon
which your pattern can operate. You may create additional rows to select additional
attributes for the pattern to evaluate. You may also select a row and click on the red
icon to delete the row.
5. Under the headings Parameter, Value, and Unit, one row appears for each parameter
appropriate for the pattern you've selected. For each parameter row, enter a value in the
Value field and select a unit of measurement to apply to that value for example, 20
percent.
Mean Pattern
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
Pattern a r
filters n s fe algorithms applied to identify baselines and anomalies in data.
a are statistical
Bh n-trpatterns
Two delivered
a
are available: Mean and Benford.
n o
Only one pattern filter is allowed per model, and can be used in conjunction with other filters.
If at first your pattern model does not return any graph/data points/suspect transactions, try
lowering threshold numbers.
the model, when it is run, will return values for each risky
transaction it finds.
Be careful to choose attributes that reflect the level of
detail you want to see in your results.
A model might identify many records that exceed the risk it
specifies, but if you define results so broadly that there
would be no way to distinguish these records, the results s a
a
)h
window will present only one record and eliminatemthe
apparent duplicates. e co uide
p h nt G
r
a tude@
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
To definer a nsfe
results:
Bh ndown
1. Scroll - tra to the Result Display pane in the Create Model page. (Or, collapse other
no by clicking on their toggle icons.)
panes
2. An Available Columns box lists the business objects included in the model. For each,
click on the toggle to reveal a list of the attributes that belong to the business object.
3. Select an attribute for which you want to see results (click on it), then click on the >
button. The attribute moves to a Selected Columns box. Repeat this process for all other
attributes for which you want to see results. Alternatively, click on the >> button to move
all attributes to the Selected Columns box.
If you reconsider your choices, select attributes individually in the Selected Columns box
and click on the < button to return them to the Available Columns box. Or, click on the
<< button to return all attributes to the Available Columns box.
4. Select the Include for Data Analytics check box if you want to make model results
available to Global Risk Compliance Intelligence (GRCI), another Oracle product. If not,
clear the check box.
the model, when it is run, will return values for each risky
transaction it finds.
Be careful to choose attributes that reflect the level of
detail you want to see in your results.
A model might identify many records that exceed the risk it
specifies, but if you define results so broadly that there
would be no way to distinguish these records, the results s a
a
)h
window will present only one record and eliminatemthe
apparent duplicates. e co uide
p h nt G
r
a tude@
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
To definer a nsfe
results:
Bh ndown
1. Scroll - tra to the Result Display pane in the Create Model page. (Or, collapse other
no by clicking on their toggle icons.)
panes
2. An Available Columns box lists the business objects included in the model. For each,
click on the toggle to reveal a list of the attributes that belong to the business object.
3. Select an attribute for which you want to see results (click on it), then click on the >
button. The attribute moves to a Selected Columns box. Repeat this process for all other
attributes for which you want to see results. Alternatively, click on the >> button to move
all attributes to the Selected Columns box.
If you reconsider your choices, select attributes individually in the Selected Columns box
and click on the < button to return them to the Available Columns box. Or, click on the
<< button to return all attributes to the Available Columns box.
4. Select the Include for Data Analytics check box if you want to make model results
available to Global Risk Compliance Intelligence (GRCI), another Oracle product. If not,
clear the check box.
the user
For longer processes, users can return to model later to
view temporary results
One set of data stored per model at a time
Export results to supported file type
xls
sthe a
Pattern model types generate results in a graph, whereh
) a
user can click on data points to view underlying
c o m
data e
p e uid
h G
a r@ dent
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
result set
All objects includes user/date attributes
Performance can be affected by number of
object/attributes and datasource
The model must be saved before running View Results
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th er
ara transf
ModelhResults
B n-example, a model searches for purchase-order amounts above a threshold
Suppose,ofor
n you choose both supplier and purchase-order amount as your results attributes.
value, and
For each supplier in violation of the model, you may see multiple records one for every PO
amount above the threshold value.
If, however, you choose only supplier as a results attribute, you would see only one record for
each supplier in violation of the model.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th er
Openh ara transf
Results
B then-Results window, click on either of two View Results buttons, located in the title
To open o
bars ofn
the Model Logic and Result Display panes.
a. If the model has not been evaluated previously, a dialog box prompts you to choose
between Run and Run in Background options. If you select run, the Create Model (or
Edit Model) page remains open, and displays run status at the foot of the page. If you
select Run in Background, the model runs, but you return to the Manage Model page,
where you may work with another model or navigate to another GRCC page and work
there. (A Cancel option also exists; it stops the run and keeps you at the Create or Edit
Model page.)
b. If the model has been evaluated previously, a dialog box prompts you to decide whether
to overwrite existing results. Select No to display the existing results. Select Yes to
generate and display a new set of results. In this case, the dialog box prompting you to
run the model directly or in the background appears; make a selection there. When you
generate a new run, the earlier set of results is lost.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Export a r a Results
Model n s fe
Bh export
You can o n
a
-trmodel results to an Excel spreadsheet.
n
1. In the results window, click on Actions > Export to Excel.
2. A pop-up window offers you options to open or save the export file. Typically, click on its
Save button and, in a Save As dialog, use standard Windows techniques to navigate to
a folder in which you want to save the file.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
ara tarNew
Use ahModel a n Model
B
Rather than - a model from scratch, you may use an existing model or uploaded model
ncreate
n o
as a starting point, editing it to create a new model
1. In the Library pane at the left of the Create Model (or Edit Model) page, click on the
Models tab.
2. The Library displays instances of the object you've selected. (As you create or import
models, they populate a grid available in the Models tab. Click on the model you want
to use.
3. Click on the Open button. The model values populate the Name, Model Objects, Model
Logic, and Result Display panes. Using procedures described above, rename the
model, and then edit, add to, or delete from the source model values. Save the new
model.
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
Assign Priorities
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Select Datasources
Assign Perspectives
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Assign Priorities
h -tra
In the B
Priority n
field, a user enters a number that expresses the importance of the control (and related
n o
incidents) in comparison with others. You should establish a set of priority values and enforce consistent
usage within your organization.
Select Datasources
As a user creates a control, he must select one or more datasources for it. (Even if this is to be the
datasource already selected for the model from which the control is developed, the user must actively
select the datasource for the control.)
Assign Perspectives
A perspective (once again) is a set of related values, and individual values may be associated with
individual models, controls, or incidents. Each control may have two sets of perspective values: Control
Perspectives values characterize and secure the control itself. These are inherited from the model upon
which the control is based, although a user can add to them while creating the control. Result
Management Perspective Assignment values characterize and secure incidents the control generates; a
user selects these values while creating the control
Each incident inherits, from the control that generates it, values for the CCM Type and Datasources
system perspectives. The assignment of other perspective values is optional, but can be very beneficial
for the analysis and remediation of incidents. One can use these values for sorting, filtering, and reporting.
In addition, they determine which users have access to the incidents .
Other Considerations
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
Assignh ara tInvestigator
Result
r an
B -
non it. Initially,
A result investigator
done to resolve
looks into incidents and assigns a status to each that reflects what is
the control that generates a set of incidents also designates the
result investigators for those incidents. Worklists alert investigators to the incidents they need to
resolve .
The perspective values assigned to an incident determine the users who are eligible to serve as
result investigators for that incident. Initially, each incident inherits perspective values from the
control that generates it not only values for the CCM Type and Datasources system
perspectives, but also those selected as Result Management Perspective Assignment values
for the control.
By default, the control selects, as result investigators, all users whose job roles include data
roles with matching perspective values (and duty roles that authorize working with incidents).
The user who creates a control may accept this All Eligible Users setting, or may select one
among the eligible users.
Other Control Considerations
A controls status is Active (the default) or Inactive. If a control is inactivated after generating
incidents, they are set automatically to a Control Inactive status.
Other optional control elements include comments regarding the control.
You are now ready to run the analysis for your selected controls, to generate
incidents and begin your formal remediation process. New incidents created
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
d d y- across
function, interval on function, and equals
t h is the same business
t h re uinsethe incident details and not
object and attribute, but are included
available in the grid.) ra to
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
t h R ra
a r
The evaluation n s fe
a of transaction controls generates incidents, each the record of a
Bh nthat
transaction - a
trexceeds the risk defined by a control. Each consists of values for
n o
attributes that were selected for a model from which the control was developed.
A Manage Results home page presents incidents belonging to the person currently
logged on to GRC for your purposes, you. Incidents may belong to you because
controls that generate them identify you as a result investigator, or because other
investigators assigned them to you. To open the page, select Result Management in the
Navigator, then Manage Incident Results among the Result Management tasks.
From the Manage Results home page, you may navigate to other pages, which show
detailed records of individual incidents. To return from those pages to the Manage
Results home page, click on the Manage Results tab.
The actual resolution of incidents occurs outside of GRC. For example, you may
determine that a purchase order should be canceled if a transaction control shows that
it is suspect; that action would be completed in the business-management application to
which it applies. The GRC Manage Results pages enable you to review incident details,
and to set the status of incidents to reflect whether anything should be, or has been,
done about them
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
From h the s fer home page, you may navigate to other pages, which show detailed
ath nResults
arManage
records n - tra incidents. To return from those pages to the Manage Results home page,
B of individual
o Manage Results tab.
click onnthe
The actual resolution of incidents occurs outside of GRC. For example, you may determine
that a purchase order should be canceled if a transaction control shows that it is suspect; that
action would be completed in the business-management application to which it applies. The
GRC Manage Results pages enable you to review incident details, and to set the status of
incidents to reflect whether anything should be, or has been, done about them.
Incident Status:
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Accepted
Remediate
Resolved
Incident States:
In Investigation
Approved s a
a
)h
Closed m
e co uide
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath appear
s f er
Initially,
h aincidents
t r a n at an Assigned status, which means that you (potentially along with
B
others) have -been designated to address them. You can update an Assigned incident to any
non statuses:
of the following
Accepted, which means you have determined that nothing need be done to resolve the
incident.
Remediate, which means you have decided that some action must be taken in the
business-management application to resolve the incident.
Resolved, which means you have confirmed that the remedial action has been carried
out in the business-management application.
GRC may set other statuses:
Control Inactive means that an incident is no longer of concern because the control that
generated it has been inactivated.
Authorized and Closed apply exclusively to incidents generated by AACG controls (See
the Application Access Controls Governor User Guide.)
An incident has not only status, but also one of three states: In Investigation, Approved, or
Closed. A user cannot directly set the state of an incident. He can change its status, then
either save or submit it, and GRC assigns a state as a result of these actions. A submission
can cause a state change; a save cannot.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
Incident by Control @ hp nt G
Transaction
Summary
r
aExtract de
Incident Details u m S t u
Extract Report d y -k Report h i s
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
r e
a norsfIncidents
Viewing a
Controls
h -tra in Summary
B
n setnthe Manage Results home page to display either a list of controls that have
You can o
generated incidents, or a list of incidents generated by those controls. In the control list, each
control links to a list of the incidents only it has generated. From any list of incidents, you can
open pages that provide details of individual incidents.
For a list of controls, select Control Summary in the View By list box.
For a general list of incidents, select Incident Results in the View By list box.
For a list of incidents generated by a specific control, click on its Pending Result Count in the
Control Summary list.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
another user.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
If you h
are
fer
athresultnsinvestigator
arthe for an incident, you can assign the incident to another user.
B t r a
- either from the Manage Results home page (in which case you can reassign
You can donthis
no of incidents at once) or from the edit page for an individual incident.
any number
Because eligible investigators are users whose roles specify perspective values that match
those assigned to an incident, reassigning the incident
may involve resetting the perspective values configured for the incident.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
You cana r
establish s fer
ath nrelationships between incidents in the CCM module and objects in EGRCM
B h - t r
modules. Incidents
a may be related to processes, other base objects, risks, or controls, which
noinnthe Financial Governance module or any custom module. Once a relationship is
may exist
created, the incident is listed both in the CCM Manage Results page and in a Results tab of
the Manage page for the EGRCM object to which the incident is related.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
ath nView r
fegenerate
Control
h a r
Summary a s a Result by Control Summary Extract Report. It lists access
B t r
- controls that have generated pending incidents, and provides information
and transaction
noncontrol.
about each
Incident View generate the following transaction reports:
Result Summary Extract Report lists incidents generated by access and transaction
controls, providing summary details for each.
Transaction Incident Details Extract Report lists incidents generated by a transaction
control. It provides not only the information that would be included in the Result
Summary Extract Report, but also values for all attributes selected to characterize
suspect transactions. These attributes vary from one control to another, so each run of
the report must focus on a single control.
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
Setup Options
+ Business Requirements
_____________________
= Application Behavior s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Setup Data
Set-ups
are your
Key Controls
key
controls
Operational Data
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
Examplesr a set ups
of n s fe
include:
h -tra
BSetup
n- onApplication Security
Data
- Document Approvals
- Chart of Accounts
- Profile Options
- Users
- Application Setups
- MRP rules
Operational Data
- Customers
- Suppliers
- Employees
- Buyers
- Items
- Chart of Account Values
- Category Codes
t h R ra
a r a nsfe
Bh n-tra
no
Operational Changes
Growth of Company
Business Requirement Changes
New Functionality Introduced by Upgrades
t h R ra
e
ara transf
ClasshDiscussion:
B nare
What
n o - Examples of Key Controls of particular interest to your organization?
Who has the responsibility to define the values for these controls?
Who has the authority to access the set-up screens for these controls?
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h reand uoperational
se support.
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Who
Automatically captures
What a complete historical
audit trail for deployed
objects. Details of
When EVERY change. h a s a
m )
o
c uide
e
Where r
a tude@
p
h nt G
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
When?
Where? Who?
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
What?
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
The Oracle Applications store data into Oracle Database tables which
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Generate a
Snapshot
Occurrence
by performing
a Snapshot
Definition
t h R ra
Therehare
a ways
arthree n s ftoe populate the CCG historical Repository:
B n-traa Snapshot Occurrence by performing a Snapshot Definition: Each time
Generate
an
o
Snapshot Definition is performed, the setup values for the definitions specified objects
are captured via sql queries against the definitions specified ERP instance. The
captured values are stored in a Snapshot Occurrence in the CCG Repository. Snapshot
Occurrences are identified by the Snapshot Definition that was performed and the
performance date and time.
Generate a Comparison Occurrence by performing a Snapshot Occurrence
Comparison: When generating a Comparison Occurrence, two specific Snapshot
Occurrences are selected to be compared. The results of the Comparison are stored in
the repository as a comparison occurrence.
Transfer Change Tracking Data: Adds new changes to the Change Tracker data.
All CCG users have Home, Workbench, Jobs, and Help on the
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
araRoles
WhichhCCG
t r a na User is assigned determines:
B
Whethern- Administrator is also on the main menu bar (most class attendees will NOT
n o
have the Administrator role)
What choices the user has under the Workbench menu choice
Whether the user can Schedule Snapshots and Change Tracking (this shows up later
when scheduling or editing not in menu)
What Program choices the user has when scheduling a standalone job
functionality.
The CCG Administrator assigns Roles to Users.
CCG User
Snapshot Scheduler
CCG Developer
Change Tracking Scheduler
s a
Administrator h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
CCG r n s fe
aUser (many):
Bh- nCreates
- tra and edits Definitions
n- o Snapshot
- Change Tracking
- Views occurrence results
- Views Change Tracking results
Snapshot Scheduler (many): Schedules CCG Snapshot Definitions to generate
snapshot occurrences and generates comparison occurrences
CCG Developer (few): Creates Snapshot Report Templates
Change Tracking Scheduler (very few): Schedules jobs to deploy change tracking
objects or transfer change tracking data
Administrator (very few): Creates and maintains Users, Security Groups, Purge
Definitions and data and other administrative activities
Related Practice: Manage Roles and Security Groups
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
is available
When the Job Status is Completed, the LOG button is
available
The refresh button at the bottom of the View Current Jobs
page must be clicked to update the job status (partial
screen shot below does not show the bottom of the View
Current Jobs page) a
as )h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
Oracle
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Application Forms
AP_Terms CCG a
Metamodel
h a s
AP_Terms_Lines )
om e
Object
c uid
p e
h nt G
r
a tude@
u m
d y -k his S AP Terms Payment
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Why Metadata?
Bh nMetadata
CCG uses - tra to enable the user to create definitions and read reports based on their
no
familiarity with the Oracle applications set-up screens. Without metadata, the user would need
to understand the relational database design behind each set-up screen.
Each Oracle Applications Set-up maps to one or more Oracle Database Tables. When an
execute query is performed in a set-up screen, the data is retrieved from these tables. When
updates or new entries are made in a set-up screen and committed, the values are saved to
the applicable tables.
When a set-up screen has multiple sections, the data from the various sections must be
stored and retrieved correctly to ensure the correct associations are maintained.
For example, set-up screens such as AP Payment Terms, have a Header Section and a Line
Item section (also referred to as Parent-Child or Master-Detail.) There is an Oracle database
table that corresponds to the Header Section and a table that corresponds to the Line Item
section. Non-displayed fields, program coding, and relational database design concepts are
utilized to ensure that the correct Line Items data is always associated with the correct
Header data and visa/versa.
The CCG Metadata creates a single OBJECT to correspond to each set-up screen. The user
only needs to know the OBJECT name. Via the metadata design, the OBJECT knows which
tables data must be retrieved from and the proper relationships between these tables to
retrieve and report corresponding data correctly.
s a
h
) a
o m
p e c uide
CCG @ h nt G
Snapshots & Home
r
a SERVER APP d e USER
m
ku is S t u
Comparisons
d y -
r e d e th
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
s a
)h a
Transfer Change
Setup m
Changes e co uData
Tracking
i d eJob
CCG
@ hp nt G
Home
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
a r ath nsfer
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Which Instance
Which Application
Which Objects
Optionally: Filter specifications for each object
Snapshot Definitions are owned by their creator but can
be shared with other users once conditions are frozen.
s a
Snapshots can be modified until conditions are frozen.a
)h
(Note: When snapshot definitions are frozen, all m
previously
co uide
e
created occurrences are purged.) hp G
a r@ dent
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
The Save r a feature
As n s fe one snapshot to be made by copying another one instance may
allows
Bh nas
be changed - a of the save as process.
trpart
no
Develop naming conventions to make selecting the correct Snapshot Definition easier when
picking from List of Values for Scheduling and Comparisons.
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Create a r
Snapshot n s fe Reports by navigating to Workbench, CCG:
a Occurrence
Bh nCCG
From - traDefinitions, select occurrence
no
CCG Occurrences, select object
CCG Occurrence Objects, select VALUE
At CCG Occurrence Values Export Selected or All in HTML, PDF, or Excel format
Values are the unique identifier (primary key) values for each of the Master records (rows)
returned. The example above shows that 57 Set of Books have been defined. If the Object is
from a Set-up screen with Header-LineItem Sections (Parent-Child, Master-Detail) such as
Payment Terms, the VALUES are the Header Record Unique Identifier Values. The count of
VALUES is the count of Header Records. For example, if 24 Payment Terms have been
defined, the VALUE count will be 24, even though many of the Payment Terms may have
multiple Payment Term Lines. When exporting to a report, choose between
ShowDisplayed fields only, All fields, or Template, and between Field Descriptions,
Column names or Both
Related Practice: Snapshots
Prod
11.5.9
Dev Dev
11.5.10
11.5.9
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r athprovide
s f er
a
h -tran
Comparisons Difference Analysis for two Snapshot Occurrences.
B
nona screen
To perform
Occurrences
comparison, the user starts by picking the first occurrence from the CCG
and then clicking on Compare. The user then picks the second
occurrence.
Comparisons can be between 2 occurrences of the same snapshot to provide an over
time difference analysis.
Comparisons can be between 2 occurrences of different snapshots, to provide a cross-
instance difference analysis.
To review the results of a comparison, the user can navigate to the details of the Generate
Comparison job, or click on Comparisons for the applicable occurrence on the CCG
Occurrences Screen. When the comparison job is performed, the rows in each occurrence
are compared by matching Header rows with the same Primary Key value. If a Primary Key
value exists in one occurrence only, that Primary Key value will be reported as a Missing
Record for the other occurrence. When a Primary Key match is found, the two parent rows are
compared and the results include the unique ids of missing child records and/or column value
differences for parent fields and for child records that exist for both parents.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r
The Change
a Tracker
n s fe
presents three levels of detail:
B h -tra
non
Highest Level: Summary change count for for each Application with change tracking
enabled *and* at least one change event From highest level, check which applications
to drill down and click changes for specific ERP instance
Middle Level: For each application chosen above, summary change count for each
OBJECT with change tracking enabled *and* at least once change event. From middle
level: click values
Third level of detail: List of which unique identifier values have incurred a change
event. Expand details under specific values for on-line change tracking details.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
ateam
a
Use n
h -traapproach
a to decide which objects are to be change tracked. Team
Bcomposition should include: Business Process Owners, Finance department personnel,
non and External Auditors, IT staff
Internal
When deciding which objects to change track, consider regulatory implications as well
as the following:
- Affects / supports a control change tracking provides visibility to ensure controls
have been operating throughout the entire audit period
- Financial statement impact could potentially impact a financial statement
- Operational impact changes to business settings could be difficult to identify
Determine which User(s) will be *THE* change tracking manager(s).
The change tracking manager should create a change tracking definition for each
Application Module for which objects are to be deployed. This is the turn on change
tracking definition.
The decisions of which objects to change track determine which objects to select in the
Change Tracking Definitions
These definitions should not be modified unless business requirements are modified
resulting in the Change Tracking Team deciding to deploy additional objects or to modify
the change tracking specifications for objects already deployed.
Your organization should determine a process for turning off change tracking in case of
special circumstances, such as the application of a major Oracle Applications patch or a
large batch upload. One recommendation is to create a second turn off change
tracking definition to correspond to each turn on definition. The turn off definition
should have no objects checked. Performing a change tracking definition with no objects
checked will result in all the revoking of all change tracking triggers for that application.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
aObject
a
h -tranStatus: contains details regarding which objects are currently being
View
Btracked
nonObject History: contains details regarding the history of which objects have been
View
tracked
View Tracker Status: contains details regarding the status of the Change Tracking
Database Triggers
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
Thea r
Change s fer Scheduler Role is required to deploy change tracking and to
ath nTracking
h -tchange
Btransfer ra tracking data on demand. The Change Tracking Scheduler Role
n
no only be assigned to a few individuals.
should
A cross-functional team should be involved in the decisions of what is to be changed
tracked. The implementation of these decisions by deploying change tracking should
be done by fewer individuals. We will discuss this more later in the class.
Change Tracking Data is stored in the repository until someone with the Change
Tracking Scheduler Role executes the Purge Change Tracking Data job.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
UserQueries
fe down to specific subsets of change tracking data such as:
a ntosfilter
Bh n-trmade
Changes
a
within a certain date range
n o
Changes made to certain fields (new feature for version 5.5)
Changes made by a certain person
Additionally, if applicable, define Alerts by associating query with an emailid. When
new data transferred via change tracking transfer program, email will be sent if query
conditions are met.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r athTracking
s f er
a
h -trainnthe alerts
Change are emails sent by CCG to any emails that have been
Bdesignated
n email field for Add Alert.
n o
Emails are sent when data being transferred during the change tracking transfer job
when any of the new data being transferred falls within
the criteria of the query.
Related Practice: Change Tracking Queries
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r
rath anDefinition
WhenhaaSnapshot sfe has stabilized; i.e. all objects are included and all conditions and
filterBfields n -
havetr been defined correctly, Lock the Objects and Conditions so they will not be
changed. noThis ensures monitoring consistency.
Once a Snapshot Definition has been locked, it can be shared with other users. The (B) Share
is activated and you are able to select a user to share the snapshot definition with.
All Snapshot Occurrences taken prior to freezing the Snapshot Definition are purged as part
of the locking process.
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
Cana rschedule
ferthe edit definition screen.
ath nsfrom
Bh n-trahas been saved with the include in schedulable items list checked, can
If definition
noschedule directly from the schedule job screen.
also
Can schedule job to repeat on a specified duration.
Can schedule multiple definitions to follow the same schedule.
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
th sfer
ara tset-up
Use tohensure
r a n standards have been followed across multiple organizations.
B
Apps user - which rows to compare by defining which Primary Key value to use in the
ndefines
n o
first occurrence and which primary key value to use in the second occurrence
Related Practice: Perform a Forced Comparison
by a snapshot.
One Snapshot occurrence may be viewed using multiple
templates. Each template would provide the set of fields
required for the task of the person reviewing the reports.
CCG Developer Role is required to create Templates.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
Related r
Practice: s fe Templates
a nSnapshot
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r
Most
asites begin
n s fewith CCG configured to a couple of test and/or dev instances.
Bh n-trathe Production instance will also be configured.
Eventually
no
Other instances can also be configured as needed.
When an ERP Instance configured for CCG is to be refreshed, steps should be taken
within the ERP Instance Workbench *BEFORE* the refresh as well as after the refresh.
- Refer to CCG Administration Guide for details.
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
GRC Controls
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
GRCC Platform
Configuration Controls
Transaction Controls Form Rules
Governor (CCG)
Governor Flow
(f.k.a RulesApps)
Integra
(TCG) Audit Rules
Change Control Rules a
h a s
m )
Oracle E-Business Suite Instance o
c uide
h p e G
Preventive Controls Governora(PCG) r@ dent
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r
Form
aRules nsfe
Bh- nBusiness
- tra users can alter the behavior of E-Business Suite Forms without
no advanced development expertise
- Centralizes alterations to vastly simplify and accelerate documentation of controls
Flow Rules
- Business users can create Oracle Workflows without advanced development
expertise
- Link those workflows with Form Rules alterations to create change approval
workflows
Audit Rules
- Business users can create complete, easily understood audit trails of changes to
E-Business Suite data
Change Control Rules
- Combines the functionality of Form, Flow and Audit Rules with a wizard-like
approach to make it even easier for business users to create a broad range of
preventive controls
EBS Environment
(PCG)
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
r e
a naresfperformed
All PCGaactivities
h -tra in the EBS environments, including reporting.
B
Related o n
nPractice: Create a User
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r
To capture
aform items:
n s fe
Bh n-atrForm
1. Create
a
rule that specifies using the Event Tracker.
no
2. Go into the target form and navigate to each block and field that you want to be able to
later select as you build Form rules.
event tracker:
Prevent Update to Block
Prevent Insert to Block
Prevent Update to Field
Hide Field
Make This Field Required a
h a s
Enforce Uppercase on This Field )
o m
Hide This Tab p e c uide
@ h nt G
Get Field Properties a r de
- k um Stu
e d dy this
t h r u se
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
r ayou open s e
fan
a
When
h Actionst r a n Oracle Applications form for which you are running Event Tracker,
Ban - menu provides options for setting security properties for items on the form.
nousen these options, click on a field for which you want to set security, or click on a field
To
in a block or tab for which you want to set security. Select the Actions menu and choose
from one of following options:
- Prevent Update to Block: Prevent an existing value from being changed for any
field in the block where the cursor is located.
- Prevent Insert to Block: Prevent an original value from being entered for any field
in the block where the cursor is located.
- Prevent Update to Field: Prevent an existing value from being changed for the
selected field.
- Hide Field: Remove the selected field from the form.
- Make This Field Required: Prevent a user from selecting a new record or closing
a form if no value has been saved in the selected field.
- Enforce Uppercase on This Field: Require that data entered in the selected field
be all upper case.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
Forms
Blocks
Tabs
Fields
Descriptive flexfields (DFF)
t h R ra
Security a r
Rule
a nsfe
Bh n-tavailable
Attributesoare
ra
to components in varying combinations. You can restrict the ability to
n
update, insert, or delete data; require that data be entered or that text entries be in upper or
lower case; or hide screen items. To set these security attributes, use the Security panel,
which is selected by default when you open the Business Rule Details form.
t h re use
a r a e to
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a
This slide r a the
shows n s fe boxes that are available to each component type.
check
Bh n-traaForm rule for the purpose of setting security on a form, block, or field, assign
When creating
o
securitynattributes for each component part of the rule.
For the most part, the security attributes are controlled by the Case field, and the six check
boxes for each component.
If you intend to set security attributes for a number of fields at the same time, first select which
fields by choosing Oracle Rules Form Elements from the Tools menu, and then setting the
Include Flag for the appropriate fields.
Related Practice: Run the Event Tracker and Create a Security Rule
You can set the default values of fields in the form that is
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a
Related r a nCreate
Practice: s fe Default Value Rule
Bh n-tra
no
LOVs
You must run the Event Tracker on fields for which you want
to create or modify LOVs
t h R ra
a
Related r a nCreate
Practice: s fe List of Values Rule
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
aPaths
a
h -tran
Navigation
B
You can o n entries in the Tools, Actions, or Reports menu of a target form, each of which,
n create
when clicked, opens another form (or, in a special case, executes a Form Rules rule
element). You can also create zooms similar links that are activated when a user clicks
on the Zoom button in the tool bar.
Typically, such a link becomes active when a form is first opened, and so you would create
such links for rule elements that use the When New Form event. Moreover, a navigational link
works only if the source and destination forms are both available within a single responsibility.
If a user does not have access to a form, a navigational link created in Form Rules will not
take him there.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a
A processr a can:nsfe
flow
Bh nor
Notify, - a
trrequest approval of, designated persons when some action has been
no
completed.
Alert designated persons to errors or other exceptional conditions.
Implement a constraint, which alerts designated persons if necessary conditions have
not been met, and pauses the process pending a response.
Run a concurrent program, or monitor one as it runs.
Run structured query language (SQL) scripts.
Link the current process to other processes.
Run separately defined workflows or events within a process.
Important note: Before beginning the exercises in this chapter, the instructor must ensure that
the Workflow Background concurrent program is running in Oracle. From the Flow Rules
menu, select Launch Background Program.
t h R ra
a r a nprocess
A schedule-based s fe rule differs from a trigger-based process rule in that you can set
thisB
h -traup to run on a periodic or scheduled basis rather than specifying a trigger that
type ofnflow
nothe flow.
launches
Example: Material transactions often get stuck with errors in the Material Transaction
Interface table. You want this table to be checked periodically for errors, and you want
notification to be sent to the appropriate person to fix the errors.
Related Practice: Create Trigger-based Process Rule
t h R ra
a
Example:r a annew
When s feitem is created, you want your Flow rule to inform a group of
Bh and
approvers n - a them with the ability to approve or reject the new item.
trprovide
no
Related Practice: Create Approval Process Flow
programs.
For each program, you can configure the rule to:
Accept static parameters
Execute SQL statements that determine parameters at
runtime
Notify a user (or workflow role) when each program has
finished running. s a
)h a
For programs that produce output files (such asoreports), m
you can also specify a printer to which output p e c should
files u ide
h nt G
be sent and the number of copies toabe r@printed.de
u m t u
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
Example:a r a a nnew
After s feitem has been created and approved, you want to include that item in a
Bh report
periodic n - trofanew items.
no
A Constraint/Condition element:
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
a
Example: r a created
You n s fea Constraint process flow to check whether a buyer had been
Bh tona-tnew
assigned ra item and to send a notification to the Purchasing department if one had
no
not. You realize now that the Purchasing department only needs to be informed if the Default
Buyer field is blank and the item is marked as a Buy item, so you add a condition to that
Constraint process flow.
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
t h R ra
a r a nsfe
Bh n-tra
no
Audit Rules:
Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
t h R ra
Toa r
view s fe run a concurrent-request program called Audit: Dequeue Process.
a auditnresults
Bh updates
This n - tra audit results; if the program has not been run recently, you will miss audit
noreflecting changes to database values made since the last time it was run.
data
Typically, this concurrent request is scheduled during installation to be run periodically.
Even if this is the case for your instance, however, you may wish to run the request
before viewing reports and would typically run it before viewing audit results in the
Online Audit form, to ensure that those results are as current as can be.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r th sfer
atable
a
For
h -traor
a na report to be migrated, its audit group must already exist on the
Bdestination
n instance.
n o
For an instance-to-instance online migration, the ID of the person who created an audit
group, table, or report in the source instance must exist in the destination instance.
(However, the users status on the destination instance may be active or inactive. Audit
migration does not validate whether the user is active.)
For an XML file import, the user ID of the person who created an audit group, table, or
report need not exist in the destination instance. The CREATED_BY and
LAST_UPDATED_BY fields are updated with the ID of the person who performs the file
import.
A log file gathers information about a migration, export, or import operation. If an
operation fails and you are unable to determine why, rerun the operation with the debug
level changed from low to high and evaluate the log data.
Commonly, problems with migration result from missing translations. In such cases, the
audit log shows errors as INVALID. For instance, if a table or a responsibility does not
exist in the destination, a migration error occurs.
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
Objectives
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
a r a nsfe
Bh n-tra
no
t h R ra
For the a r a control
Approval n s fe type, you must enter a WorkFlow Role value; it designates the
Bhwhonapproves
person - tra changes.
no
upper right of the Change Details panel, in the Enable column) to enable or disable all
rules currently displayed in the panel.
Enable Visual Attributes: Select the check box to cause the controlled field to appear
in yellow on its Oracle EBS form. Clear the check box to allow the field to remain
visually undistinguished from other fields. This option applies only to fields controlled by
Reason Code or Approval rules.
Comments: Explain the business risk addressed by the rule you are creating.
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
a
)h
m
co uide
e
@ hp nt G
m ar tude
y - ku is S
e d d th
r e
r a th to us
( b ha nse
d d y 2015,
Copyright l i ceOracle and/or its affiliates. All rights reserved.
R e able
r ath sfer
a
Load Change
h -tControl
r an Rules Content
B
on spreadsheets contain more than 1,500 Change Control Rule definitions. They
Sample content
n
are located in the content directory on Governance, Risk, and Compliance Controls Suite Disk
1 of your Oracle media pack. Whether you upload rules from a content spreadsheet or create
them individually in the Change Control Wizard, you can migrate them from one Oracle EBS
instance to another.
t h R ra
To loada r
rules
fe spreadsheet:
a fromnascontent
Bh n-tthe
1. Review
ra spreadsheet. Select the rules that target fields for which you want to
no
implement controls, and then enter Y in the Upload column for those rules.
2. Create flat files containing the rules you have selected. From the Tools menu in Excel,
select the LogicalApps Create CSV for Preventive Controls Governor (AGS) option.
Specify the destination for each CSV file and click Save.
3. A control total message displays the number of rules written to the CSV file. Compare
this number with the number of rows you selected to upload.
To upload the file you have prepared:
1. FTP the CSV files to a valid utl directory of the instance where the rules are to be used.
2. Open the Navigator in the Logical Apps responsibility (in Oracle Applications) and run
the Preventive Controls Governor Content Load concurrent
request.
3. Open Preventive Controls Governor (Audit and Approval Rules).
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh2015,
c e nsand/or its affiliates. All rights reserved.
e dd ble li
Copyright Oracle
t h R ra
a r a nsfe
Bh n-tra
no
s a
h
) a
o m
p e c uide
@ h nt G
r
a tude
u m
d y -k his S
r e d se t
a r ath e to u
y (bh icens
e dd ble l
t h R ra
a r a nsfe
Bh n-tra
no