management cloud oracle risk...oracle risk management cloud securing risk management chapter 1...

Oracle RiskManagement Cloud

Securing Risk Management

20B

Oracle Risk Management CloudSecuring Risk Management

20BPart Number F27742-01Copyright © 2011, 2020, Oracle and/or its aliates.

Author: David Christie

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected byintellectual property laws. Except as expressly permied in your license agreement or allowed by law, you may not use, copy, reproduce, translate,broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering,disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you nd any errors, please reportthem to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, thenthe following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed oractivated on delivered hardware, and modications of such programs) and Oracle computer documentation or other Oracle data delivered to oraccessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant tothe applicable Federal Acquisition Regulation and agency-specic supplemental regulations. As such, the use, reproduction, duplication, release,display, disclosure, modication, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system,integrated software, any programs embedded, installed or activated on delivered hardware, and modications of such programs), ii) Oracle computerdocumentation and/or iii) other Oracle data, is subject to the rights and limitations specied in the license contained in the applicable contract. Theterms governing the U.S. Government's use of Oracle cloud services are dened by the applicable contract for such services. No other rights aregranted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for usein any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware indangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safeuse. Oracle Corporation and its aliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its aliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarksor registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced MicroDevices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. OracleCorporation and its aliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, andservices unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its aliates will not be responsiblefor any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicableagreement between you and Oracle.


Contents

Preface i

1 Introduction 1Overview of Risk Management Security ................................................................................................................................... 1

Predened Security Job ............................................................................................................................................................... 2

2 Users 3The Risk Management Implementation User ......................................................................................................................... 3

Prepare for and Manage Risk Management Users ............................................................................................................... 3

3 Functional Security 5Overview of Risk Management Roles ....................................................................................................................................... 5

Security Visualizations ................................................................................................................................................................. 6

Generate a Visualization .............................................................................................................................................................. 6

Options for Viewing a Visualization Graph ............................................................................................................................. 7

Visualization Table Display Options ......................................................................................................................................... 8

Create Risk Management Roles in the Security Console ..................................................................................................... 9

Copy or Edit Risk Management Roles in the Security Console ......................................................................................... 12

Compare Roles ............................................................................................................................................................................. 12

Simulate Navigator Menus in the Security Console ............................................................................................................ 14

Analytics for Roles ....................................................................................................................................................................... 15

Administrate the Security Console .......................................................................................................................................... 15

4 Data Security 19Overview of Risk Management Data Security ...................................................................................................................... 19

Select Users or Groups for Records ........................................................................................................................................ 19

Manage User Assignment Groups .......................................................................................................................................... 20

Use the Mass Edit Security Assignment Tool ....................................................................................................................... 21

Secure Business Objects ............................................................................................................................................................ 21


Preface

i

PrefaceThis preface introduces information sources that can help you use the application.

Using Oracle Applications

HelpUse help icons to access help in the application. If you don't see any help icons on your page, click your user imageor name in the global header and select Show Help Icons. Not all pages have help icons. You can also access the OracleHelp Center to nd guides and videos.

Watch: This video tutorial shows you how to nd and use help.

You can also read about it instead.

Additional Resources

• Community: Use Oracle Cloud Customer Connect to get information from experts at Oracle, the partnercommunity, and other users.

• Training: Take courses on Oracle Cloud from Oracle University.

ConventionsThe following table explains the text conventions used in this guide.

Convention Meaning

boldface Boldface type indicates user interface elements, navigation paths, or values you enter or select.

monospace Monospace type indicates le, folder, and directory names, code examples, commands, and URLs.

> Greater than symbol separates elements in a navigation path.

https://docs.oracle.com/en/cloud/saas/applications-help/

https://docs.oracle.com/en/cloud/saas/applications-help/

https://apex.oracle.com/pls/apex/f?p=44785:265:0::::P265_CONTENT_ID:27341

https://apex.oracle.com/pls/apex/f?p=44785:265:0::::P265_CONTENT_ID:27341

http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=OACPR158049

https://appsconnect.custhelp.com/

http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=906


Preface

ii

Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website.

Videos included in this guide are provided as a media alternative for text-based help topics also available in this guide.

Contacting Oracle

Access to Oracle SupportOracle customers that have purchased support have access to electronic support through My Oracle Support. Forinformation, visit My Oracle Support or visit Accessible Oracle Support if you are hearing impaired.

Comments and SuggestionsPlease give us feedback about Oracle Applications Help and guides! You can send an e-mail to:[email protected].

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs

mailto:[email protected]


Chapter 1Introduction

1

1 Introduction

Overview of Risk Management SecurityIn Risk Management applications, you grant access to functionality by assigning job roles (and through them, duty rolesand privileges). You grant access to data by appointing users who can work with each individual record as you create oredit that record.

Risk Management RolesA job role conceptually represents a job that a user performs in an organization. It typically provides broader functionalaccess than a duty role, which represents one or more tasks included within a job.

Even so, either role type may dene function security policies, role hierarchies, or both. A function security policy grantsprivileges to complete specic tasks. A role hierarchy is a set of subordinate roles; the parent role inherits functionalaccess from them.

A job role provides broad enough access for assignment to a user. You can assign job roles directly to users, but youcan't assign duty roles. A user is granted duty roles only indirectly, as elements in the hierarchy of a job role.

You are encouraged to assign predened job roles to users. However, you can create and manage job and even dutyroles. To do so, you would use Oracle Applications Security, also known as the Security Console.

Data Security in Risk ManagementThe person who creates a record automatically becomes its owner, and that person may select other users as owners,editors, or viewers. An owner can modify the details of a record, including its security conguration (the selection ofusers who can work with the record, and the level of their access). An editor can't change the security conguration, butcan modify other details. A viewer can see, but not change, record details.

No maer what objects a user's roles enable him or her to work with, access is actually granted only to records the userhas created or has been selected for. If you assign predened roles to users, owners may select them for records at anyof the three levels.

An owner can select less access for a record than a user's role allows. For example, an owner may select a user as aviewer of a transaction model in Advanced Financial Controls. If so, that user can't edit the model, even if he or sheremains eligible to be selected as an editor or owner of other models.

Owners may also assign data-security rights that are specic to individual Risk Management applications. For example,in Financial Reporting Compliance a user may have a role that grants rights to review or approve records. But thoserights would apply only to records whose owners have selected the user as a reviewer or approver.

Owners may assign data rights to individual users or to user assignment groups, in the laer case assigning rights to allmembers of each group at once. You create these groups in a Risk Management Data Security work area.


Chapter 1Introduction

2

Business Object SecurityIn Advanced Financial Controls, models and controls dene risks, then uncover transactions displaying those risks.Business objects provide business-application data for models and controls to analyze. As a further element ofdata security, you can select the business objects each user has access to. You make these selections in the RiskManagement Data Security work area.

Related Topics

• Manage User Assignment Groups

• Secure Business Objects

Predened Security JobA job called Security Synchronization determines whether users assigned to records have the proper privileges to beeligible for their authorizations. Users who don't are agged as ineligible and lose access to the records for which they'reno longer eligible. This may happen, for example, if users' role assignments change. Note that ineligible users continueto have access until the job has been run.

Usually, the Security Synchronization job also updates worklists to match current security denitions. If the numberof advanced-control worklist records is large enough, however, this update is automatically broken o into a secondjob, called Result Worklist Synchronization, which you would need to run separately. In that case, the SecuritySynchronization job nishes at the Complete with Errors status, and in its record in the Monitor Jobs page, a messageinstructs you to run the Result Worklist Synchronization job. If that message doesn't appear, you can ignore the ResultWorklist Synchronization job.

The Security Synchronization job runs the rst time you start Risk Management and then, by default, once a weekon Sundays. It's anticipated you will modify this default schedule. Your ideal schedule should reect the frequency ofchanges to roles and user assignments in your environment. Use the Scheduling page to modify the schedule, or use itsRun Now feature to run the job on demand.

Related Topics

• Modify Schedules

http://www.oracle.com/pls/topic/lookup?ctx=fa20b&id=1F6DDDEAAA913EC8E05362C3F00A66B3


Chapter 2Users

3

2 Users

The Risk Management Implementation UserThe service activation mail from Oracle provides the service URLs, user name, and temporary password for the test orproduction environment. Use these credentials to create an implementation user whose responsibility is to set up RiskManagement within each environment. Setup involves:

• Conguring perspectives.

• Conguring security.

• Selecting features and assessment activities available to objects in the Financial Reporting Compliancemodule. Unlike other implementation tasks, this activity establishes some seings that can't be changed onceapplication users create operational data.

• Seing administrative features that congure Risk Management for use and routine maintenance.

• Testing the implementation, in eect by using Risk Management features to ensure they return expectedresults.

Note: You may use Risk Management as a tool to manage risk in other Oracle Cloud oerings. If so, you'reexpected to coordinate the implementation of Risk Management with the implementation of those otheroerings. This is likely to require the creation of implementation users for those other oerings in addition tothe Risk Management implementation user. Consult documentation for those other oerings for informationabout their requirements.

Create the Risk Management implementation user in Oracle Human Capital Management (HCM), for example withCreate User functionality available in a Manage Users Work area. Doing so associates the implementation user with aperson record, which is needed for the testing of an email notication feature.

Note: It's possible to create user accounts in the Security Console. However, this doesn't create a personrecord and so is inappropriate for the Risk Management implementation user. Use HCM, not the SecurityConsole, to create the Risk Management implementation user.

As you create the implementation user, you may assign these predened job roles:

• Risk Administrator: This role enables the user to perform module and administrative setup, create perspectives,dene user groups, congure business object security, and mass-edit security assignments.

• IT Security Manager: This role provides access to the Security Console, where the user can create RiskManagement roles. You would need this only if you elect not to assign predened job roles to RiskManagement users.

• Risk Management job roles appropriate to use, and therefore test, the features you implement.

Prepare for and Manage Risk Management UsersDuring implementation, you prepare your Oracle Applications Cloud service for application users. Tasks includedetermining whether:

• The creation of a person, user, or party record automatically creates a related user account.


Chapter 2Users

4

• Roles are provisioned to users automatically or can be requested and, if so, creating role-provisioning rules.

• A user account is suspended automatically when the user has no roles, and reactivated automatically whenroles are assigned.

During implementation, you can use the Create User task to create test application users. By default, this task creates aminimal person record and a user account. After implementation, you should use the Hire an Employee task to createapplication users. You can also import users. These tasks are available through HCM.

For detailed information on preparing for, creating, and managing application users, see the Securing ERP document.

You can set certain standards for user accounts in the General Administration page of the Security Console. Theseinclude the format of the user name (the value a user enters during sign-in to identify himself), and password formatand policy.


Chapter 3Functional Security

5

3 Functional Security

Overview of Risk Management RolesRisk Management provides six predened job roles:

• Access Certication Administrator. This provides features of the Access Certication component of AdvancedAccess Controls, and setup and administration features that support Access Certication.

• Advanced Access Controls Analyst. This provides Advanced Access Controls features (other than those thatapply to Access Certication), and setup and administration features that support Advanced Access Controls.

• Advanced Transaction Controls Analyst. This provides Advanced Financial Controls features, and setup andadministration features that support Advanced Financial Controls.

• Risk Activities Manager. This provides Financial Reporting Compliance features, and setup and administrationfeatures that support Financial Reporting Compliance.

• Risk Administrator. This grants access to all features in the Setup and Administration, Perspective, and RiskManagement Data Security work areas. It's used by administrators, but is also typically the starting point forimplementation job roles.

• Risk Management Auditor. This role organizes activities for users responsible for enterprise auditing inadvanced access and transaction controls, and in nancial reporting compliance controls.

Note: The Risk Activities Manager and Risk Administrator roles replace two older roles, Compliance Managerand Enterprise Risk and Control Manager. The older roles remain available for use, but will be discontinued ina future release. So you're advised to use their replacements.

It's recommended that you assign predened job roles to users. To limit the access they provide, owners select usersonly for data records appropriate for them.

You may instead create your own job roles, but even if you do, it's recommended that you include predened duty rolesin their hierarchies. A common strategy is to copy a predened job role that applies to a product area. You would thenremove duty roles from the copy, or potentially add duty roles to it, until you're left with what you want users to have.

You may also create duty roles, or copy predened duty roles and edit the copies. However, you should rarely haveoccasion to do so. In most cases, the predened duty roles should meet your needs.

How to Work with RolesThe remaining topics in this chapter apply to you if you intend to create, edit, or review roles. You congure RiskManagement roles, and may assign them to users, within Oracle Applications Security. Its Security Console enables youto:

• Create roles, either from scratch or by copying existing roles and editing the copies. As you create or edit jobroles, you can also assign them to users.

• Visualize hierarchical relationships among users, roles, and privileges.

• Simulate Navigator menus available to roles or users.

• Compare versions of roles.



6

To open the Security Console, select Tools in the home page. Among its options, select Security Console. You musthave the IT Security Manager role to do so.

Security VisualizationsA Security Console visualization graph consists of nodes that represent security items. These may be users, roles,privileges, or aggregate privileges. Arrows connect the nodes to dene relationships among them. You can trace pathsfrom any item in a role hierarchy either toward users who are granted access or toward the privileges roles can grant.

You can select one of the following two views:

• Radial: Nodes form circular (or arc) paerns. The nodes in each circular paern relate directly to a node at thecenter. That focal node represents the item you select to generate a visualization, or one you expand in thevisualization.

• Layers: Nodes form a series of horizontal lines. The nodes in each line relate to one node in the previous line.This is the item you select to generate a visualization, or the one you expand in the visualization.

For example, a job role might consist of several duty roles. You might select the job role as the focus of a visualization(and set the Security Console to display paths leading toward privileges):

• The Radial view initially show nodes representing the duty roles encircling a node representing the job role.

• The Layers view initially show the duty-role nodes in a line after the job-role node.

You can then manipulate the image, for example, by expanding a node to display the items it consists of.

Alternatively, you can generate a visualization table that lists items related to an item you select. For example, a tablemay list the roles that descend from a role you select, or the privileges inherited by the selected role. You can exporttabular data to an Excel le.

Generate a VisualizationHere's how you can generate a visualization:

1. On the Security Console, click Roles.2. Search for the security item on which you want to base the visualization.

◦ In a Search eld, select any combination of item types, for example, job role, duty role, privilege, or user.

◦ In the adjacent eld, enter at least three characters. The search returns the matching records.

◦ Select a record.

Alternatively, click Search to load all the items in a Search Results column, and then select a record.3. Select either Show Graph or View as Table buon.

Note: On the Administration page, you can determine the default view for a role.

4. In the Expand Toward list, select Privileges to trace paths from your selected item toward items lower in itsrole hierarchy. Or select Users to trace paths from your selected item toward items higher in its hierarchy.



7

5. If the Table view is active, select an item type in the Show list: Roles, Privileges, or Users. (The options availableto you depend on your Expand Toward selection.) The table displays records of the item type you select. Notethat an aggregate privilege is considered to be a role.

Options for Viewing a Visualization GraphWithin a visualization graph, you can select the Radial or Layers view. In either view, you can zoom in or out of theimage. You can expand or collapse nodes, magnify them, or search for them. You can also highlight nodes thatrepresent types of security items.

1. To select a view, click Switch Layout in the Control Panel, which is a set of buons on the visualization.2. Select Radial or Layers.

Node LabelsYou can enlarge or reduce a visualization, either by expanding or collapsing nodes or by zooming in or out of the image.As you do, the labels identifying nodes change:

• If the image is large, each node displays the name of the item it represents.

• If the image is small, symbols replace the names: U for user, R for role, S for predened role, P for privilege, andA for aggregate privilege.

• If the image is smaller, the nodes are unlabeled.

Regardless of labeling, you can hover over a node to display the name and description of the user, role, or privilege itrepresents.

Nodes for each type of item are visually depicted such that item types are easily distinguished.

Expand or Collapse NodesTo expand a node is to reveal roles, privileges, or users to which it connects. To collapse a node is to hide those items.To expand or collapse a node, select a node and right-click or just double-click on the node.

Using Control Panel ToolsApart from the option to select the Radial or Layers view, the Control Panel contains these tools:

• Zoom In: Enlarge the image. You can also use the mouse wheel to zoom in.

• Zoom Out: Reduce the image. You can also use the mouse wheel to zoom out.

• Zoom to Fit: Center the image and size it so that it's as large as it can be while ing entirely in its displaywindow. (Nodes that you have expanded remain expanded.)

• Magnify: Activate a magnifying glass, then position it over nodes to enlarge them temporarily. You can use themouse wheel to zoom in or out of the area covered by the magnifying glass. Click Magnify a second time todeactivate the magnifying glass.

• Search: Enter text to locate nodes whose names contain matching text. You can search only for nodes that theimage is currently expanded to reveal.

• Control Panel: Hide or expose the Control Panel.



8

Using the LegendA Legend lists the types of items currently on display. You can take the following actions:

• Hover over the entry for a particular item type to locate items of that type in the image. Items of all other typesare grayed out.

• Click the entry for an item type to disable items of that type in the image. If an item of that type has child nodes,it's grayed out. If not, it disappears from the image. Click the entry a second time to restore disabled items.

• Hide or expose the Legend by clicking its buon.

Using the OverviewOn the image, click the plus sign to open the Overview, a thumbnail sketch of the visualization. Click any area of thethumbnail to focus the actual visualization on that area.

Alternatively, you can click the background of the visualization and move the entire image in any direction.

Refocusing the ImageYou can select any node in a visualization as the focal point for a new visualization: Right-click a node, then select Set asFocus.

Note: You can review role hierarchies using either a tabular or a graphical view. The default view depends onthe seing of the Enable default table view option on the Administration tab.

Visualization Table Display OptionsA visualization table contains records of roles, privileges, or users related to a security item you select. The table displaysrecords for only one type of item at a time:

• If you select a privilege as the focus of your visualization, select the Expand Toward Users option. Otherwisethe table shows no results. Then use the Show option to list records of either roles or users who inherit theprivilege.

• If you select a user as the focus of your visualization, select the Expand Toward Privileges option. Otherwisethe table shows no results. Then use the Show option to list records of either roles or privileges assigned to theuser.

• If you select any type of role or an aggregate privilege as the focus of your visualization, you can expand ineither direction.

◦ If you expand toward privileges, use the Show option to list records of either roles lower in hierarchy, orprivileges related to your focus role.

◦ If you expand toward users, use the Show option to list records of either roles higher in hierarchy, orusers related to your focus role.

Tables are all-inclusive:



9

Table Name What it displays

Roles

Records for all roles related directly or indirectly to your focus item. For each role, inheritancecolumns specify the name and code of a directly related role.

Privileges

Records for all privileges related directly or indirectly to your focus item. For each privilege,inheritance columns display the name and code of a role that directly owns the privilege.

Users

Records for all user assigned roles related directly or indirectly to your focus item. For eachuser, Assigned columns display the name and code of a role assigned directly to the user.

The table columns are search-enabled. Enter the search text in a column eld to get the records matching your searchtext. You can export a table to Excel.

Create Risk Management Roles in the Security ConsoleYou can use the Security Console to create Risk Management job or duty roles.

In many cases, an ecient method of creating a role is to copy an existing role, then edit the copy to meet yourrequirements. Typically, you would create a role from scratch if no existing role is similar to the role you want to create.

To create a role from scratch, select the Roles tab in the Security Console, then click the Create Role buon. Enter valuesin a series of role-creation pages, selecting Next or Back to navigate among them.

Provide Basic InformationOn a Basic Information page:

1. In the Role Name eld, create a display name, for example North America Risk Manager.2. In the Role Code eld, create an internal name for the role, such as GRC_NA_RISK_MGR_JOB.

Note: Don't use "ORA_" as the beginning of a role code. This prex is reserved for rolespredened by Oracle. You can't edit a role with the ORA_ prex.

3. In the Role Category eld, select a tag that identies a purpose the role serves in common with other roles.Typically, a tag species a role type and an application the role applies to. For Risk Management, appropriatetags are "GRC - Job Roles" and "GRC - Duty Roles."

If you select the duty-role category, you can't assign the role you're creating directly to users. To assign it, youwould include it in the hierarchy of a job role, then assign that role to users.

4. Optionally, describe the role in the Description eld.

Add Function Security PoliciesA function security policy selects a set of functional privileges; each permits use of a eld or other user-interfacefeature. On a Function Security Policies page, you may dene a policy for a duty role. The policy selects functional



10

privileges to be inherited by other roles the duty role belongs to. Typically, you don't add function security policiesdirectly to a job role.

As you dene a policy, you can either add an individual privilege or copy all the privileges that belong to an existing role:

1. Select Add Function Security Policy.2. In a Search eld, select the value Privileges or types of role in any combination, and enter at least three

characters. The search returns items of the types you selected, whose names contain the characters youentered.

3. Select a privilege or role. If you select a privilege, click Add Privilege to Role. If you select a role, click AddSelected Privileges.

The Function Security Policies page lists all selected privileges. When appropriate, it also lists the role a privilege isinherited from. You can:

• Click a privilege to view details of the code resource that it secures.

• Delete a privilege. If, for example, you added the privileges associated with a role, but want to use only some ofthem, you must delete the rest. To delete a privilege, click its x icon.

Data Security PoliciesData security policies (as they can be congured in the Security Console) apply to Oracle Cloud applications other thanRisk Management. In the Data Security Policies page in the Create Role train of the Security Console, make no entries.Simply click Next to move to the next page.

Note: For Risk Management purposes, you may opt to set the Data Security Policies page to be read-only. Todo so, select the Administration tab, and then the Roles tab on the Administration page. Locate and clear an"Enable edit of data security policies" option.

Congure the Role HierarchyA Role Hierarchy page displays either a visualization graph, with the role you're creating as its focus, or a visualizationtable. Select the Show Graph buon or View as Table buon to select between them. In either case, link the role you'recreating to other roles from which it's to inherit functional privileges.

• If you're creating a duty role, you can add duty roles to it. In eect, you're creating an expanded set of duties forincorporation into a job role.

• If you're creating a job role, you can add duty roles to it.

To add a role:

1. Select Add Role.2. In a Search eld, select a combination of role types, and enter at least three characters. The search returns

items of the types you selected, whose names contain the characters you entered.3. Select the role you want, and click Add Role Membership. You add not only the role you have selected, but also

its entire hierarchy.

In the graph view, you can use the visualization Control Panel, Legend, and Overview tools to manipulate the nodes thatdene your role hierarchy.



11

Run Segregation of Duties AnalysisOn a Segregation of Duties page, you can determine whether the hierarchy of the role you're creating includessegregation of duties conicts. These are pairs of roles that would allow an individual user to complete tasks thatinvolve risk.

These conicts are dened by provisioning rules, so this page has value only if your organization uses AdvancedControls Management to create provisioning rules. (For more on creating these rules, see the user guide for AdvancedControls Management.)

If so, click the Analyze buon. If the hierarchy of the role you're creating involves rule violations, the page then lists pairsof conicting roles. You would then be expected to return to the Role Hierarchy page to remove one role from each pair.However, no validation is performed to conrm that you have done so. Be aware, therefore, that if you don't performthis role cleanup, you're creating a role that can't be assigned to any user without creating what your organizationconsiders to be a segregation of duties conict.

This page has no purpose if your organization doesn't use the provisioning rules feature of Advanced ControlsManagement. In that case, you can inactivate the page by seing an ASE_SEGREGATION_OF_DUTIES_SETTING proleoption to No in the Manage Administrator Prole Values page of Setup and Maintenance.

Add UsersOn a Users page, you can select users to whom you want to assign a job role you're creating. (You don't assign a dutyrole directly to users.)

Note: For the Users page to be active, you must select an "Enable edit of user role membership" option. Tolocate it, select the Administration tab, and then the Roles tab on the Administration page. If this option isn'tselected, the Users page is read-only.

When you add a user to a job role, he or she can access pages the role grants functional access to. Data appears in data-secured pages, however, only when the user creates records (if the role grants that capability) or is selected for recordsby owners of those records.

To add a user:

1. Select Add Users.2. In a Search eld, select the value Users or types of role in any combination, and enter at least three characters.

The search returns items of the types you selected, whose names contain the characters you entered.3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users; this

adds all its assigned users to the role you're creating.

The Users page lists all selected users. You can delete a user. You may, for example, have added all the users associatedwith a role. But you may intend to assign your new role only to some of them, and so must delete the rest. To delete auser, click its x icon.

Complete the RoleOn a Summary and Impact Report page, review the selections you have made. Summary listings show the numbers offunction security policies, roles, and users you have added and removed. An Impact listing shows the number of rolesand users aected by your changes. Expand any of these listings to see names of policies, roles, or users included in itscounts.



12

If you determine you want to make changes, navigate back to the appropriate page and do so. If you're satised withthe role, select Save and Close.

Copy or Edit Risk Management Roles in the SecurityConsoleYou can edit roles you have created from scratch. Or, you can copy any role, then edit the copy to create a new role.

Note: You can't edit predened roles. That's because your edits would be overwrien during each upgrade,when Oracle updates predened roles to the specications for the newer release. You can identify apredened role by the ORA_ prex in its role code. Or, a Predened role box is checked in the BasicInformation page for a role if it's shipped by Oracle.

Initiate a copy or an edit from the Roles tab of the Security Console. Do either of the following:

• Create a visualization graph and select any role in it. Right-click and select Copy Role or Edit Role.

• Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click its menuicon. In the menu, select Copy Role or Edit Role.

If you're copying a role, you must also select one of two options:

• Copy top role: You copy only the role you have selected. The source role has links to roles in its hierarchy, andthe copy inherits links to the original versions of those roles. If you select this option, subsequent changes tothe inherited roles aect not only the source top role, but also your copy.

• Copy top role and inherited roles: You copy not only the role you have selected, but also all of the roles inits hierarchy. Your copy of the top role is connected to the new copies of subordinate roles. If you select thisoption, you insulate the copied role from changes to the original versions of the inherited roles.

Next, an editing train opens. Essentially, you follow the same process in editing a role as you would to create one.However, note the following:

• As is true for role creation, the Data Security Policies page in the Edit Role train has no application to RiskManagement.

• By default, the name and code of a copied role match those of its source role, except that a prex, sux, orboth are appended. In the Roles Administration page, you can congure the default prex and sux for eachvalue.

• A copied job role can't inherit users from its source job role. You must select users for the copied role. (Theymay include users who belong to the source role.)

• The Role Hierarchy page displays all roles subordinate to a role you copied. Even so, you can add roles only to(or remove them from) the top role you copied.

To monitor the status of a role-copy job, select the Administration tab, and then the Role Copy Status tab of theAdministration page.



13

Compare RolesYou can compare any two roles to see the structural dierences between them. As you compare roles, you can also addfunction security policies existing in the rst role to the second role, providing that the second role isn't a predenedrole.

For example, assume you have copied a role and edited the copy. You then upgrade to a new release. You can compareyour edited role from the earlier release with the role as shipped in the later release. You may then decide whether toincorporate upgrade changes into your edited role. If the changes consist of new function security policies, you canupgrade your edited role by adding the new policies to it.

Select Roles for Comparison1. Select the Roles tab in the Security Console.2. Do any of the following:

◦ Click the Compare Roles buon.

◦ Create a visualization graph, right-click one of its roles, and select the Compare Roles option.

◦ Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click itsmenu icon. In the menu, select Compare Roles.

3. Select roles for comparison:

◦ If you began by clicking the Compare Roles buon, select roles in both First Role and Second Roleelds.

◦ If you began by selecting a role in a visualization graph or the Search Results column, the First Role elddisplays the name of the role you selected. Select another role in the Second Role eld.

For either eld, click the search icon, enter text, and select from a list of roles whose names contain that text.

Compare Roles1. Select two roles for comparison.2. Use the Filter Criteria eld to lter for any combination of these artifacts in the two roles:

◦ Function security policies

◦ Inherited roles

The data security policies option doesn't apply to Risk Management.3. Use the Show eld to determine whether the comparison returns:

◦ All artifacts existing in each role

◦ Those that exist only in one role, or only in the other role

◦ Those that exist only in both roles

4. Click the Compare buon.

You can export the results of a comparison to a spreadsheet. Select the Export to Excel option.



14

After you create the initial comparison, you can change the lter and show options. When you do, a new comparison isgenerated automatically.

Add Policies to a Role

1. Select two roles for comparison.

◦ As the First Role, select a role policies already exist in.

◦ As the Second Role, select the role you're adding the policies to. This must be a custom role. You can'tmodify a predened role.

2. In the Filter Criteria eld, select Function security policies. The Data security policies option doesn't apply toRisk Management, and the Inherited roles option is to be excluded for any application.

3. As a Show value, select Only in rst role.4. Click the Compare buon.5. Among the artifacts returned by the comparison, select those you want to copy.6. An Add to Second Role option becomes active. Select it.

Simulate Navigator Menus in the Security ConsoleYou can simulate Navigator menus available to roles or users. From a simulation, you can review the access inherent ina role or granted to a user. You can also determine how to alter that access to create roles.

Opening a SimulationTo open a simulated menu:

1. Select the Roles tab in the Security Console.2. Create a visualization graph, or populate the Search Results column with a selection of roles or users.3. In the visualization graph, right-click a role or user. Or, in the Search Results column, select a user or role and

click its menu icon.4. Select Simulate Navigator.

Working with the SimulationIn a Simulate Navigator page:

• Select Show All to view all the menu and task entries that may be included in a Navigator menu.

• Select Show Access Granted to view the menu and task entries actually assigned to the selected role or user.

In either view:

• A padlock icon indicates that a menu or task entry can be, but isn't currently, authorized for a role or user.

• An exclamation icon indicates an item that may be hidden from a user or role with the privilege for it, because ithas been modied.

To plan how this authorization may be altered:

1. Click any menu item on the Simulate Navigator page.



15

2. Select either of the two options:

◦ View Roles That Grant Access: Lists roles that grant access to the menu item.

◦ View Privileges Required for Menu: Lists privileges required for access to the menu item. Listsprivileges required for access to the task panel items.

Analytics for RolesYou can review statistics about the roles that exist in your Oracle Cloud instance.

On the Analytics page, click the Roles tab. Then view these analyses:

• Role Categories. Each role belongs to a category that denes some common purpose. Typically, a categorycontains a type of role congured for an application, for example, "Financials - Duty Roles."

For each category, a Roles Category grid displays the number of:

◦ Roles

◦ Role memberships (roles belonging to other roles within the category)

◦ Security policies created for those roles

In addition, a Roles by Category pie chart compares the number of roles in each category with those in othercategories.

• Roles in Category. Click a category in the Role Categories grid to list roles belonging to that category. For eachrole, the Roles in Category grid also shows the number of:

◦ Role memberships

◦ Security policies

◦ Users assigned to the role

• Individual role statistics. Click the name of a role in the Roles in Category grid to list the security policies andusers associated with the role. The page also presents collapsible diagrams of hierarchies to which the rolebelongs.

Click Export to export data from this page to a spreadsheet.

Administrate the Security ConsoleBefore you start using the Security Console, ensure that you run the background processes that refresh security data.You can use the Security Console Administration pages to select the general options, role-oriented options, and trackthe status of role-copy jobs. You can also select, edit, or add notication templates.



16

Run the Background ProcessesHere are the background processes you must run:

• Retrieve Latest LDAP Changes - This process copies data from the LDAP directory to the Oracle CloudApplications Security tables. Run this process once, before you start the implementation.

• Import User and Role Application Security Data - This process imports users, roles, privileges, and datasecurity policies from the identity store, policy store, and Oracle Cloud Applications Security tables. Schedule itto run regularly to update those tables.

To run the Retrieve Latest LDAP Changes process:

1. In the Setup and Maintenance work area, go to the Run User and Roles Synchronization Process task in theInitial Users functional area.

2. If you want to be notied when this process ends select the corresponding option.3. Click Submit.4. Review the conrmation message and click OK.

To run the Import User and Role Application Security Data process:

1. In the Tools work area, select Scheduled Processes.2. Click Schedule New Process.3. Search for the Import User and Role Application Security Data process and select it.4. Click OK.5. Click Submit.6. Review the conrmation message and click OK.

Congure the General Administration Options1. On the Security Console, click Administration.2. In the Certicate Preferences section, set the default number of days for which a certicate remains valid.

Certicates establish keys for the encryption and decryption of data that Oracle Cloud applications exchangewith other applications.

3. In the Synchronization Process Preferences section, specify the number of hours since the last run of theImport User and Role Application Security Data process. When you select the Roles tab, a warning messageappears if the process hasn't been run in this period.

Congure the Role Administration Options1. On the Security Console, click Administration.2. On the Roles tab, specify the prex and sux that you want to add to the name and code of role copies. Each

role has a Role Name (a display name) and a Role Code (an internal name). A role copy takes up the name andcode of the source role, with this prex or sux (or both) added. The addition distinguishes the copy from itssource. By default, there is no prex, the sux for a role name is "Custom," and the sux for a role code is"_CUSTOM."

3. In the Graph Node Limit eld, set the maximum number of nodes a visualization graph can display. When avisualization graph contains a greater number of nodes, the visualizer recommends the table view.

4. Deselect Enable default table view, if you want the visualizations generated from the Roles tab to have theradial graph view.

5. Enable edit of data security policies: Determine whether users can enter data on the Data Security Policies pageof the role-creation and role-edit trains available from the Roles tab.



17

6. Enable edit of user role membership: Determine whether users can enter data on the Users page of the role-creation and role-edit trains available from the Roles tab.

View the Role Copy Status

1. On the Security Console, click Administration.2. On the Role Copy Status tab, you can view records of jobs to copy roles. These jobs are initiated on the Roles

page. Job status is updated automatically until a nal status, typically Completed, is reached.3. Click the Delete icon to delete the row representing a copy job.



18


Chapter 4Data Security

19

4 Data Security

Overview of Risk Management Data SecurityTo secure data in Risk Management, you (as an owner) select users who can work with the following types of datarecords as you create or edit those records, and you set the level of access at which each user can work. These securityseings apply to records of:

• Processes, risks, controls, assessments, issues, and remediation plans in Financial Reporting Compliance.

• Models, advanced controls, and incident results in Advanced Access Controls and Advanced Financial Controls.

• Certication projects in Access Certication.

In addition, you can use a Risk Management Data Security work area to:

• Create user assignment groups. When an owner selects a group for a record, all members of the group areauthorized to work with the record.

• Make mass edits to the assignments of users or groups to records.

• Select the business objects to which each Advanced Financial Controls user has access.

Select Users or Groups for RecordsYou may be the owner of a record either because you created it or because you have been added as an owner of it. If so,you can modify data security for that record: You can select users who can work with it, and you can set their levels ofaccess to it.

Depending on the type of object you're working with:

• Security conguration may occur as a step in a "guided process" as you create or edit a record.

• A Security Assignment buon may appear in the page to view or edit a record; clicking it opens a SecurityAssignment page. (The buon isn't available while the record is being created, but appears immediately after itscreator saves or submits it for the rst time.)

In either case, you can select individuals or user groups.

To select individual users, click Add in a User Assignments region. Search for and select a user in a Name eld. Thenmake these selections:

• In an Authorized As eld, select Owner, Editor, or Viewer. An owner can edit details of the record, includingits security conguration. An editor can't modify the security conguration, but can modify other details. Aviewer can see, but not change, record details. These are authorizations that apply in any Risk Managementapplication. You must select one value for each user you add to a record.

You can select less access for a record than a user's role allows. For example, a user may be eligible to be a riskowner, editor, or viewer in Financial Reporting Compliance. If you select that user as a viewer for a risk, he can'tedit that risk, even though he remains eligible to be selected at any level for other risks.

• In an Authorizations eld, optionally select one or more authorizations specic to individual Risk Managementapplications, such as the ability to manage or certify roles in Access Certication, or the ability to review



20

or approve records in Financial Reporting Compliance. (This eld doesn't apply to Advanced ControlsManagement, and so doesn't appear as you select users for its records.)

The two types of authorization are distinct. For example, you may select a user as a viewer of a risk in FinancialReporting Compliance. You may also select her as an approver. If so, she can't edit the risk record itself, but shedoes have write access to the page in which the risk is either approved or rejected.

While an Authorizations selection is optional for individual users, making no selection for any user wouldhave an impact on functionality. For example, if you select no user as an approver or reviewer of a FinancialReporting Compliance record, then that record isn't subject to review or approval; it becomes approvedthe moment it's created. For another example, it makes no sense to create a certication project in AccessCertication if you select no users to manage and certify roles within it.

Note: Although owners have authority to edit security assignments, an owner can't downgrade his or herown authorization to editor or viewer, or remove himself or herself from the record. That's because by makingthe change, the owner would lose the authority to save the change. An owner who wants to make such achange would need to add another user to the record as an owner, and then arrange for that owner to makethe change.

To select user groups, click Add in a Group Assignment region. Search for and select a group. In this case, though,groups are granted authorizations as they're created. You can view those authorizations as you select groups for arecord, but you can't change them.

See the user guides for Financial Reporting Compliance, Advanced Controls Management, and Access Certication foruser-authorization details that are specic to the individual applications.

Manage User Assignment GroupsAs they create or edit records, owners may select user assignment groups, assigning data rights to all members of eachgroup at once.

Groups specify their own authorizations. While selecting a group for a record, an owner can view the authorization itprovides, but can't change that authorization.

Each group grants only one authorization. If you were authorizing an individual user for a risk record in FinancialReporting Compliance, for example, you might select up to ve authorizations: one of Owner, Editor, or Viewer inan Authorized As eld, and then any combination of Approver, Reviewer, Issue Owner, and Issue Validator in anAuthorizations eld. If you were creating a group, however, you could select only one of these seven values.

To gain access to a record, a user (and so a group member) must be selected as an owner, editor, or viewer. As youcreate groups, you can combine this authorization with others by creating multiple groups, one with each authorizationand all with the same members. In the example, one group might select a set of users as Editor, and another mightselect the same users as Reviewer. The owner of a record could then select both groups for that record.

To create or edit user assignment groups:

1. Navigate to Risk Management > Risk Management Data Security. User Assignment Groups is the landing pagefor this work area. If you open another page in this work area, you can return to the groups page by selectingthe Risk Management Data Security tab.

2. To create a new group, select Add. A Create a User Assignment Group page opens.3. In a Details region:

◦ Name the group.



21

◦ Select an object. The group you're creating becomes available for selection by an owner working with arecord of this object type.

◦ Select an authorization. The authorizations available for selection are those appropriate for the objectyou have selected.

4. In a Members region, select users who are to belong to the group:

◦ To select members individually, select Add. In a list of users, search for those you want, and then clickcheck boxes next to their names. Then click Add.

◦ Instead, you can select an Add All Eligible Users option.

5. Click Save and Close.

To edit an existing group, search for it, then select the Edit icon in its row. You can't modify the object and authorizationselections. Otherwise, follow the creation procedure to edit either the group name or the selection of its members. Youcan add or delete members. To do the laer, click the x icon in their rows.

Use the Mass Edit Security Assignment ToolUse the Mass Edit Security Assignment tool to modify the security seings for any number of records at once.

Note: The Mass Edit Security Assignment tool eectively enables its user to act as the owner of everyrecord in your system, even those for which he hasn't been directly selected as an owner. Because it's verypowerful, it should be limited to very few users. The privilege to use this tool is available in the predened RiskAdministrator job role.

To use the Mass Edit Security Assignment tool:

1. Navigate to Risk Management > Risk Management Data Security. Select the Mass Edit Security Assignment tab.2. In an Object eld, select an object to update security for records of that object. A list of object records appears.3. Optionally, lter the list of object records. Click Show Filters, and enter ltering parameters in the Filters region.

Then click Search.4. Select the check boxes for records whose security authorizations are to be reassigned. Or click a Select All check

box.5. Click the Edit buon.6. Enter values in a Dene Security Assignment Goals region. Then click Continue.

◦ In a What Assignment Type Do You Want to Update eld, select user or group.

◦ In a What Action Do You Want to Perform eld, select Append to add users or groups to records,Remove to remove them from records, or Replace to substitute one user or group for another in records.Subsequent options depend on the selection you make here.

7. If you selected Append in step 6, a Dene Security Assignment Authorizations region becomes active. (If youselected Remove or Replace, this disappears from view.) Make selections, then click Continue.

◦ In a What Authorization Do You Want to Update eld, select Owner, Editor, or Viewer.

◦ Depending on the object you selected, application-specic authorizations may also be available to you. Ifthe object is Access Control, for example, you can update a Result Owner authorization.

8. In a nal "Identify" region, your options depend on previous selections. Select the user or group to add to orremove from records. Or, select the user or group you want to replace, and the user or group you want toreplace it with.

9. Click the Submit buon.



22

Secure Business ObjectsA business object is, in eect, a set of related data elds from a business application. Business objects supply datafor analysis by transaction models and controls created in Advanced Financial Controls. By default, however, eachAdvanced Financial Controls user has no access to business objects. You must assign each user the objects he or shecan use to create models and controls. This applies not only to delivered business objects, but also to imported objectsand user-dened objects.

Note: This feature applies only to Advanced Financial Controls. Although Advanced Access Controls andAccess Certication also make use of three business objects, these must be (and so are automatically)available to all users who create access models or controls, or initiate certications. Financial ReportingCompliance doesn't use business objects.

To select the business objects available to users of Advanced Financial Controls:

1. Navigate to Risk Management > Risk Management Data Security. Select the Business Object Security tab.2. A Business Object Security page presents a list of users under the heading User Access to Business Objects.

Users appear in this list if they're assigned roles that include two privileges, View Transaction Model and ViewTransaction Control. Use a search eld to lter the list for users for whom you want to select business objects.

3. For each user, you may select a "Grant access to all business objects" check box. Or, click the user's name toassign objects to the user.

4. If you click the user's name:

◦ No objects may yet be assigned to the user. In that case, a page oers you a choice between addingobjects manually or selecting another user to copy that user's access. To do the laer, search for andselect a user in the User eld, and click the Copy buon. Or, to select business objects manually, clickAdd.

◦ If objects have already been assigned to the user, the page oering the option to copy another user'saccess is skipped, and the page to add objects appears, displaying the user's current access.

In the page to add objects, you can select products, and so add all the business objects that apply to each product youselect. If you take this approach, the user's access to business objects is updated automatically to reect any futurechanges to the business objects that apply to each product.

1. Click Add in the Access by Product region of the page to add objects. A new row appears.2. Use the drop-down list to search for and select a product.3. Click Save. This selects all the business objects appropriate for that product.

Repeat the process for any other products you want to select. Or, you can click the x icon in the row for any product youwant to delete.

Alternatively, you can select business objects themselves:

1. Click Add in the Access by Business Object region of the page to add objects. A new row appears.2. Use the drop-down list to search for and select a business object.3. Click Save.4. Repeat the process to add other objects.

You can't select an object in both regions. In other words:

• You can't select a product in the Access by Product region if you have selected any of its objects in the Accessby Business Object region.



23

• You can't select an object in the Access by Business Object region if you have already selected the product itapplies to.

If you have selected some objects belonging to a product, but then want to select their product instead, rst remove theobjects from the Access by Business Object region:

1. Use the search eld to search for the objects you want to remove.2. Click the check box in the row for each object.3. Click the Remove buon.



24


Glossary

25

Glossary

authorization

A grant of access to a data record. A user must be authorized as an owner, editor, or viewer, and may be authorized tocomplete other application-specific tasks.

business object

A set of related fields in a data source subject to models and controls created in Advanced Controls Management. Whilecreating a model, a user selects one or more business objects that supply data for evaluation.

data security policy

A component of a role that defines data appropriate for the functional access granted by the role. Risk Managementroles don't use data security policies, although roles created for other Oracle Cloud applications do.

data source

The supplier of data to business objects cited in models and controls created in Advanced Controls Management.For most business objects, this is your Oracle Cloud instance. However, an Internal data source corresponds to theAdvanced Controls Management instance in which you're working, and supplies data to business objects such as Userand Access Entitlement. Imported Business Object is a data source name that applies to business objects importedin .xml files.

duty role

A grant of access to privileges required to complete a specific task, or a set of related tasks.

editor

A grant of access to a data record that prevents a user from modifying its security configuration, but permits the user tomodify other details of the record.

function security policy

A component of a role that grants privileges to complete specific tasks.

incident

A record of a transaction or access assignment that exceeds the risk defined by an advanced control.

job role

A grant of access to duties required to complete a broad range of tasks. You can assign job roles to users. Incombination, the job roles assigned to a person encompass all he or she's hired to do.


Glossary

26

owner

A grant of access to a data record that enables a user to modify the details of the record, including its securityconfiguration. The person who creates a record is automatically its owner, and may select other users as owners,editors, or viewers.

privilege

A specific feature the application can make available to users.

role category

A tag that identifies a purpose the role serves in common with other roles. Typically, this tag specifies a role type and anapplication the role applies to.

role code

An internal name for a role, such as GRC_NA_RISK_MGR_JOB. In role codes, the prefix ORA is reserved for rolespredefined by Oracle.

role hierarchy

A definition of parent-child relationships among roles. A parent role inherits functional access from the child roles in itshierarchy. For example, the hierarchy of a job role may include duty roles.

user assignment group

A set of users associated with a single authorization to work with data records. While securing a record, its owner mayselect a group to authorize its members to work with the record.

viewer

A grant of access to a data record that permits a user to see but not to modify the record.

visualization

A graphical or tabular depiction of the hierarchical relationships among users, roles, and privileges. A visualization isgenerated in the Security Console.

management cloud oracle risk...oracle risk management cloud securing risk management chapter 1...

Documents