This action might not be possible to undo. Are you sure you want to continue?
Release Notes Release 8.6.0
exhibit. GOVERNMENT RIGHTS Programs. and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract. translate.S. Risk and Compliance Controls Release Notes Copyright © 2010 Oracle Corporation and/or its affiliates. products and services from third parties. and related documentation and technical data delivered to U. The software and documentation may provide access to or information on content.227-19. Oracle USA. Redwood City. All rights reserved. backup. is prohibited. disclosure. Government. publish or display any part. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third party content. products or services. As such. and. please report them to us in writing. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications. If you find any errors. redundancy and other measures to ensure the safe use of this software. products and services. CA 94065. distribute. The software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. or damages incurred due to your access to or use of third party content. you may not use. disassembly. modification. Primary Author: David Christie Oracle is a registered trademark of Oracle Corporation and/or its affiliates.S. the following notice is applicable. Other names may be trademarks of their respective owners.S. duplication. If this software or related documentation is delivered to the U. perform. Government customers are “commercial computer software” or “commercial technical data” pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. in any form. If you use this software in dangerous applications. including applications which may create a risk of personal injury. The information contained herein is subject to change without notice and is not warranted to be error-free. then you shall be responsible to take all appropriate fail-safe. Government or anyone licensing it on behalf of the U.Oracle Governance. . costs. license. or decompilation of this software. Except as expressly permitted in your license agreement or allowed by law. reproduce.. broadcast. databases. the use. modify. Oracle Corporation and its affiliates will not be responsible for any loss. It is not developed or intended for use in any inherently dangerous applications. Commercial Computer Software License (December 2007). transmit. unless required by law for interoperability. The software is developed for general use in a variety of information management applications. Reverse engineering. software. the additional rights set forth in FAR 52. U.S. Inc. or by any means. copy. to the extent applicable by the terms of the Government contract. 500 Oracle Parkway.
..........Contents 1 Release Notes Access and Transaction Analysis ..................................... 1-4 Contents iii ............................ 1-3 Installation .............................................................. 1-1 Reporting....................................................................................... 1-3 Administration............................................................................................................................................. 1-4 Resolved Issues ........................
iv Oracle Governance.0 .6. Risk and Compliance Controls 8.
an ETCG control inherits the filtering elements and processing logic from the model that is its source. In version 8.6.” which roughly corresponded to a column in a database table that supplied data for analysis.18.104.22.168. in combination. function. Or filters may define “conditions” — exemptions from processing. AACG users could create “access policies. In version 8. An AACG model uses filters arranged graphically in an AND/OR pattern. but also convert them into “controls. Both access models and controls continue to specify access points that. their AND/OR relationships define risky combinations.” which defined conflicts among “access points” in a business application and identified users with conflicting access.5. TCG users could create “models.1.0. Enterprise Transaction Controls Governor (ETCG) identifies business-application transactions that pose unacceptable risk. Each of these elements specified an “attribute” of a “business object. In version 8. AACG adopts a structure like that of ETCG: Users can create access models. In a graphic interface.5. Each AACG filter also specifies an attribute of a business object. ETCG users can not only create models.6. AACG models and controls are developed similarly. In version 8. which return temporary results. would enable individual users to complete transactions that may expose a company to risk. or pattern — each of which defined some aspect of risk and returned records of transactions that satisfied the definition. and can convert them into access controls. Access and Transaction Analysis In version 8. Its filters may specify access points (or “entitlements” — selections of access points).” which defined transaction risk and returned “temporary” results — snapshots of risk that were replaced each time models were run. Risk and Compliance Controls (GRCC) provides a platform in which two components run: Application Access Controls Governor (AACG) regulates access to duties assigned in business-management applications such as Oracle E-Business Suite and PeopleSoft. any number of these elements could be arranged in a pattern that defined a processing logic — AND or OR relationships that determined the results a model would produce.0.1. which return permanent results.” which return “permanent” results — records of violations that remain available to be resolved no matter how often controls are run.0. In version 8.5.Release Notes Oracle Governance. Release Notes 1-1 . a TCG model comprised elements — filter. In version 8.
In version 8. In version 8. Each AACG control inherits the filters and processing logic from its source model. displaying either a “cumulative” view of conflicts or the conflicts generated in any run of the analysis program.and incident-management pages.1 conflict-resolution tools such as the Conflict Analysis page.5. The GRCC platform provides pages. (These were known as “dimensions” in earlier versions. an entitlement.6.6. each control requires at least one “participant” — a person (or group) assigned to resolve incidents. a user adds items necessary for “incidents” (control violations) to be resolved. As a model is converted into a control. A visualization feature enables users to depict graphically the paths from any number of users to any number of access points involved in conflicts.0. the assignment of status to incidents discovered through detective processing is unified for AACG and ETCG. For both controls and incidents. and status. From the home control. for the management of models and controls. Version-8. ETCG implements only detective analysis. custom objects can be deleted. Each of the control.0. the Work Queue. participants. shared by AACG and ETCG. or a value used in a condition. AACG maintains one consolidated record of incidents generated by all runs of control analysis.and incident-management pages enables users to edit values for multiple controls or incidents at once.0 changes to AACG-specific features include the following: • A simulation feature enables AACG users to forecast the impact of incident resolution on business-management applications.6. • • Version-8. values also include priority and tags.6. For example. participants and tags apply to both AACG and ETCG analysis. users can select one or more controls. and base simulations on the resolution of their incidents.0 changes to ETCG-specific features include the following: • • 1-2 Oracle Governance. AACG can discover conflicts that existed before controls were written to protect against them (“detective” analysis). there is no change to preventive analysis by access controls.6. or intervene when a user is assigned duties after controls have been written to define them as conflicting (“preventive” analysis). this feature is available from windows in which users view model results. In version 8. Users may also apply “tags. and for the resolution of incidents. In version 8.6. ETCG enables users to import any set of data as a “custom object” and use it as if it were a business object.) In version 8. Risk and Compliance Controls 8.” or values by which controls and their incidents can be categorized. For controls.6. uncovering suspect transactions that have been completed before a control is run.0. users may also open pages that display full details for individual controls or incidents. and the Heat Map no longer exist.6. In version 8.0.0. However. Version-8.6. these values include comments.0 . The Business Object Library for ETCG includes SOD objects for use in transaction analysis.which can supply an access point. AACG tracked individual runs of the program it used to analyze access policies. In earlier versions.0.
as well as the number of conflicts for each. and other applications and to “synchronize” its data with that of business applications. Administrators may also set an “Enable analysis across datasources” switch to optimize performance if each control is configured to apply only to a single datasource. Release Notes 1-3 . as well as GRCC users and roles.6. GRCC Users and Roles Report provides information about GRCC users and the GRCC roles assigned to them. to set GRCC parameters.0 expands the reporting capability to include not only reports on AACG analysis. Access Violations Within a Single Role Report lists roles for which access controls generate “intra-role” conflicts. Global Users Report provides information about IDs created by GRCC. Users with Access Violations by Control Report lists access controls that have generated conflicts.0.6. the GRCC properties an administrator can set include the number of login attempts a user may make before being locked out of the application. Reports include the following: • • • Control Detail Extract Report provides information about both access and transaction controls. Access Incident Details Extract Report provides details of incidents generated by access controls. In version 8. Access Point Report lists paths to access points involved in conflicts. each of which correlates to any number of potentially varying IDs a person may have in business-management applications subject to access controls. Access Violations by User Report lists the ten users with the greatest number of conflicts. Incident Summary Extract Report lists incidents generated by access and transaction controls. to create GRCC users and roles. and the number of days before a password expires. but also ETCG analysis. connect with your email server. Incident by Control Summary Extract Report lists access and transaction controls that have generated pending incidents. and integrate GRCC with other applications. Transaction Incident Details Extract Report provides details of incidents generated by transaction controls. Conditions Report provides information about control-specific. Intra-Role Violations by Control Report lists access controls that generate intrarole conflicts. and global path conditions that may be set in AACG. • • • • • • • • • • Administration The GRCC platform provides tools to connect to Oracle EBS. PeopleSoft. global.Reporting GRCC 8.
These include the following: • • • • • • Issue 8719024: User can filter controls by tag value and run only the tagged controls.0 incorporates corrections to issues identified during the use of version 8. instead. Issue 9259582: Exclusions to access analysis defined by global conditions were not recognized in reports.6. Issue 8972589: In LOVs. and Spanish.6. a datasource ID value is replaced by the name of the datasource corresponding to the ID.5. See the Oracle Governance. Issue 9291080: The Manage Jobs page generated an unexpected error during an attempt to purge jobs. Issue 9385371: Attempts to use the AACG Visualization feature resulted in errors. Issue 9025154: For a transaction model that uses a pattern. user can begin to type a value to generate a list filtered by the value typed. Issue 9021131: When a Delete action is performed from the My Models action drop-down.0 total twelve: US English. GRCC displays information in multiple languages. Issue 8992821: For a pattern used in a transaction model. values are sorted alphanumerically on the x-axis. (Administrators use a Properties page to select the languages they want to make available to users. but not displayed when the pattern was reloaded.1. • • • • • 1-4 Oracle Governance. removing the model should also remove/purge the corresponding data results tied to the model. the pages on which administrators can complete administrative tasks — such as importing business objects or patterns —have been reorganized. Issue 9007747: In the Manage Models page. Risk and Compliance Controls 22.214.171.124. Installation You can perform a “fresh” installation of GRCC 8. standard (simplified) Chinese. Issue 9003208: In model results. label text was saved. You cannot upgrade directly to it from any earlier version. Dutch. Brazilian Portuguese. traditional Chinese.) The languages available in version 8. you must upgrade an earlier version to 8.5. French.0 . Risk and Compliance Controls Installation and Upgrade Guide for details. Resolved Issues Version 8.0. Italian. and then upgrade from there to 8.6.0. Issue 9305875: Attempts to generate reports resulted in errors. a grid that displays entries for models offers column sorting.Moreover.5. Danish. Korean. and Dutch has been added. German.6. Japanese. or you can upgrade to it from version 8.
) Issue 9578470: Imports of pre-built policies (called controls in version 8. Issue 9846065: Conditions were written to exclude Oracle EBS functions from access analysis. Issue 9497913: An attempt to run access simulation statistics resulted in an error. Issue 9541854: Concurrent requests used for preventive analysis in Oracle EBS instances generated errors. but they were included anyway. the status of the run was not updated correctly in the Jobs and Scheduling page.0 — enable GRCC to apply models and controls to applications other than Oracle EBS and PeopleSoft.6. Issue 9553230: An attempt to edit control status generated errors. Issue 9816911: A global condition to exclude “no prompt” functions from access analysis failed. Issues 10105077 and 10105579: The review of role assignments identified as violations of access controls by AACG preventive analysis. took excessive time. Issue 9468689: Business objects assigned to a GRCC role were not being saved. Issue 9792943: AACG conflict analysis failed when run against a “view” (a filtered set of policies/controls). Issue 9567515: A table supporting custom adapters was not being populated. and the approval of those roles. Issue 10105065: When AACG preventive analysis presented a role assignment for review in the Manage Access Approvals page.• Issue 9439868: When ETCG synchronization was run from the Manage Application Data page. Issue 9740629: AACG conflict analysis generated an “ODM Issue Clarification” error.6. (Custom adapters — called custom connecters in version 8. an attempt to reject the assignment produced an error.0) failed. • • • • • • • • • • • • Release Notes 1-5 .
1-6 Oracle Governance. Risk and Compliance Controls 8.6.0 .