Integrating Oracle Applications Access Control Governor with Oracle® Hyperion Financial Management, Fusion Edition 11.1.1

<Do not delete this text because it is a placeholder for the generated list of "main" topics when run in a browser>

Purpose

This tutorial covers integrating Oracle Applications Access Control Governor (AACG) with Financial Management to perform segregation of duties analysis on Financial Management users and groups.

Oracle® Hyperion Financial Management, Fusion Edition is a comprehensive Web-based application that delivers global collection, financial consolidation, reporting, and analysis in one highly scalable solution. The Hyperion Application Access Control Governor Adapter (HAA) Accelerator for Oracle Governance, Risk, and Compliance (GRC) Applications provides integration between Hyperion® Shared Services (Shared Services) and AACG, thereby reducing the effort required to manage segregation of duties in Shared Services-enabled Hyperion Enterprise Performance Management (EPM) applications.

Segregation of duties (SOD) refers to the separation of business activities that a single person may initiate or validate to limit or prevent erroneous or fraudulent activities. AACG complies with Sarbanes-Oxley requirements by automating SOD. It acts as a central repository for both single- and cross-platform policies, providing one source of truth for all SOD violations.

In this tutorial, you integrate Oracle AACG with Financial Management user information in Shared Services.

Scenario

Your organization uses Financial Management as a reporting ledger to adjust, consolidate, and report financial data based on your primary general ledger. As such, it is concerned about potential conflicts in user roles and privileges. You have been tasked with integrating your Financial Management users and groups into AACG to perform a SOD analysis.

Software and Hardware Requirements

The following is a list of software requirements:

Oracle AACG 8.5.1 must be installed and configured.
Financial Management 11.1.1 must be installed and configured.

Prerequisites

Before starting this tutorial, you should:

.	Have administrator access to Financial Management users and groups in HSS.
.	Have SQL access to create staging tables in the GRC database.

Preparing for Installation

In this topic, you prepare your environment for installation by downloading the adapter ZIP file from Oracle Technology Network (OTN), and then unzipping it into your adapter home directory.

.	Open a Web browser and navigate to http://www.oracle.com/technetwork/apps-tech/grc-accelerators/index.html.
.	Scroll down to Hyperion Segregation of Duties Management, and click haa-accelerator-v1.0.1.zip.
.	Save the file to disk.
.	Copy the ZIP file to the destination location. In this tutorial, the directory is called [ADAPTER_HOME].
.	Navigate to the location of the saved ZIP file, and unzip it.
.	Verify that the files were unzipped into the hyperion-grc\dist folder.

Installing the Hyperion AACG Adapter

To install the Hyperion AACG adapter, you perform the following steps:

Create the staging tables in the Governance, Risk, and Compliance Controls (GRCC) database.
Create and configure a data source for Hyperion in GRCC.
Configure Java.
Copy the Oracle Data Integrator (ODI) scenario from the staging tables to the AACG database.

Creating Staging Tables

.	Connect to the GRCC database. In this example, you connect in SQL*Plus.
.	Run the [ADAPTER_HOME]/install/stage_hypaacg.sql script. The staging tables are created. Note: When you run the script for the first time, the DROP TABLE statements return a NO TABLE FOUND error.
.	Exit SQL*Plus.

Connect to the GRCC database. In this example, you connect in SQL*Plus.

Run the [ADAPTER_HOME]/install/stage_hypaacg.sql script.

The staging tables are created.

Note: When you run the script for the first time, the DROP TABLE statements return a NO TABLE FOUND error.

Exit SQL*Plus.

Creating and Configuring a Hyperion Data Source in GRCC

.	Log on to Oracle GRCC by performing the following actions: Open a Web browser and navigate to http://[SERVER]:8080/grcc. Enter a username and password. In the Language Preference drop-down list, select English (U.S.). Click Login. The Oracle GRCC home page is displayed.
.	In the Navigation pane, select Administration > Data Administration.
.	On the toolbar, click Custom Datasource Type. The Custom Datasource Type dialog box is displayed.
.	For Datasource Type Name and Datasource Type Description, enter HyperionAdapterType.
.	Perform the following actions: In Version Name, enter 001. In Version Description, enter Version001.
.	For Synchronization Adapter Path, enter /scratch/software/AACG82/apache-tomcat-5.5.27/webapps/grcc/WEB-INF/classes/META-INF/etl/etlsrc/custom/jobs, and click Save. Note: You copy the ODI scenario to this directory in the "Copying the ODI Scenario" section.
.	For Access Type Name and Access Type Description, enter Hyperion Roles, and click Save.
.	For Access Type Name and Access Type Description, enter Hyperion Groups, and click Save.
.	Click the Add button next to the Datasource Types drop-down list to add the custom data source type.
.	Click the Datasource Types drop-down list to verify your entry.
.	Click the Versions drop-down list to verify your entry.
.	Click the Access Types drop-down list to verify your entry.
.	Click Save.
.	Click OK at the message that the datasource was saved.
.	On the toolbar, click Add. A blank line is added to the data source panel.
.	Double-click in the Datasource Name field, and enter a name for the data source. In this tutorial, you enter Hyperion DS.
.	Double-click in the Description field, and enter a description for the data source. In this tutorial, you enter Hyperion datasource.
.	Double-click in the Host Name and Port fields, and enter the host name and port of your database server.
.	Double-click in the User Name, Password, and Confirm Password fields, and enter the user name and password for your database.
.	Double-click in the Service Identifier field, and enter the service identifier (SID) for your database.
.	Double-click in the Type field, and select HyperionAdapterType from the drop-down list.
.	Double-click in the Version field, and select 001 from the drop-down list.
.	On the toolbar, click Save.
.	Click OK at the message that the datasource was saved.

Configuring Java

Navigate to [ADAPTER_HOME]/dist/bin, and edit the adapter.conf file. In this tutorial, you use VI editor.

Enter the following information in the adapter.conf file, and then save and close the file.

Parameter	Value
hyp.hssuser	The user name created for the instance of Hyperion Shared Services that supports the Hyperion instance to which you want to connect
hyp.hsspass	The password that validates the user name entered under hyp.hssuser. This value must be encrypted.
hyp.hsscssurl	The URL used to call the Common Security Services (CSS) API that returns the users, roles, and groups
hyp.dbuser	The user name created for the Financial Management database
hyp.dbpass	Financial Management database user password. This value must be encrypted.
hyp.dbconnect	JDBC connection information for the Financial Managment database
grcc.datasourcename	Hyperion datasource name that you created in GRCC
grcc.dbuser	GRCC database user name
grcc.dbpass	GRCC database user password. This value must be encrypted.
grcc.jdbcurl	JDBC connection information for GRCC database
grcc.accesstypegroup	Access Type group name that you created in GRCC
grcc.accesstyperole	Access Type role name that you created in GRCC
grcc.appcode	A code that identifies installed Hyperion products. Use HSS-HFM for Financial Management supported by Shared Services.

Note: For instructions on encrypting passwords, refer to the Oracle® Hyperion Segregation of Duties Blueprint for Oracle GRC Applications User & Install Guide.

Copying the ODI Scenario

.	Navigate to [ADAPTER_HOME]/dist/ODIScenario.
.	Verify that SCEN_LOADACCESSDATA Version 001.xml is in the ODIScenario directory.
.	Copy SCEN_LOADACCESSDATA Version 001.xml to <Tomcat_Home>/webapps/grcc/WEB-INF/classes/META-INF/etl/etlsrc/custom/jobs, where <Tomcat_Home> is the full path to the highest-level directory in which Tomcat components are installed.

Navigate to [ADAPTER_HOME]/dist/ODIScenario.

Verify that SCEN_LOADACCESSDATA Version 001.xml is in the ODIScenario directory.

Copy SCEN_LOADACCESSDATA Version 001.xml to <Tomcat_Home>/webapps/grcc/WEB-INF/classes/META-INF/etl/etlsrc/custom/jobs, where <Tomcat_Home> is the full path to the highest-level directory in which Tomcat components are installed.

Executing the Adapter

You execute the adapter by executing a script to populate the staging tables, and then synchronizing the data source in AACG to move the data from the staging tables to the AACG database.

.	Navigate to [ADAPTER_HOME]/dist and verify that the popStage.sh file is present. Note: The popStage.sh script is a Java program that populates the staging tables. You should schedule this to run as part of a regular cron job.
.	Edit the popStage.sh script in a text editor. In this tutorial you use vi editor.
.	Enter the following information in popStage.sh: ADAPTER_HOME = [ADAPTER_HOME]/dist. JAVA_HOME = the directory in which Java Development Kit 1.6 (or higher) is installed.
.	Save and exit the file.
.	Execute the script. The script populates the staging table with Financial Management users and groups.The script populates the staging table with Financial Management users and groups.
.	Verify that the script returns the following message: "Status - Complete".
.	In GRCC, select Hyperion DS, and then select Synchronize > Run Now > Access to move the data from the staging tables to the GRCC database.
.	In the Confirmation dialog box, click OK.
.	In the Information dialog box, click OK.
.	Verify that the status bar displays Datasource Synchronization Completed.

Importing Prebuilt SOD Policies for Financial Management

In this section, you import a file containing prebuilt SOD policies for analyzing Financial Management user data.

.	In Oracle GRCC, select Access Governor > Policy > Definition.
.	Select Transfer > Import. The Import File dialog box is displayed.
.	Click Browse.
.	Perform the following actions: Navigate to[ADAPTER_HOME]/dataload Select Policies_HFM_1269993198179.agx Click Open.
.	Click OK. The Select Items to Import dialog box is displayed.
.	Select Journals Conflict, and click Next.
.	In the Mapped Datasources drop-down list, select Hyperion DS, and click Import.
.	Verify that the import was completed successfully, and click OK.

Performing a SOD Analysis on Financial Management Users and Groups

In this section, you view the Journals Conflict access policy , and then you run the policy to perform a SOD analysis of your Financial Management users and groups.

An access policy defines conflicts among a selection of “access points” in an organization’s systems. An access point is an object in a business management application that enables a user to perform a business action. Access points may be gathered into entitlements, and AACG policies may use entitlements in place of, or in addition to, access points. In Financial Management, access points are equivalent to roles.

After viewing the policies, you run a Find Conflicts program , which you can apply to selected policies or to all policies. The program evaluates business-management application users, noting those whose work assignments violate policies, and then displays the results.

.	Log on to Oracle GRCC by performing the following actions: Open a Web browser and navigate to http://[SERVER]:8080/grcc. Enter a user name and password. In the Language Preference drop-down list, select English (U.S.). Click Login. The Oracle GRCC home page is displayed.
.	Select Access Governor > Policy > Definition.
.	Select Journals Conflict.
.	In the bottom pane, click the expand button next to AND, and view the policy. In this example, the Journals Conflict policy indicates that a user cannot be provisioned for the Post Journals, Approve Journals, and Create Journals roles at the same time.
.	Select Find Conflicts > Run Now to run the policy.
.	Verify that the status bar displays Conflict Analysis Completed.
.	Select Display > Conflicts to view the conflict report.
.	View the conflicts in the bottom panel. In this example, user HFMDEMO2 has the Create Journals, Approve Journals, and Post Journals roles, and thus violates the Journals Conflict policy group. You have completed the tutorial.