This document will continue to evolve as existing sections change and new information is added. All updates are logged below, with the most recent updates at the top.
The new functionality referenced in this document may not be immediately available to you if your organization has chosen not to receive optional monthly updates. Rest assured you will receive the new functionality in the next quarterly update which is required and cumulative. Quarterly updates are applied in February, May, August, and November.
Date | What's Changed | Notes
---|---|---
25 JUL 2017 | Oracle Financial Reporting Compliance: Transactional Business Intelligence Enterprise for Risk Management | New feature delivered in Update 8 (August), which will also be included in the August Quarterly update.
24 MAY 2017 | Risk Management: Page Composer | New feature delivered in Update 6 (June), which will also be included in the August Quarterly update.
21 APR 2017 | Oracle Financial Reporting Compliance: Management Page Search | New feature delivered in Update 5, the May Quarterly update.
17 JAN 2017 | Initial Document Creation |
This guide outlines the information you need to know about new or improved functionality in Oracle Risk Management Cloud Release 12. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.
We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.
Some of the new Release 12 features are automatically available to users after the upgrade and some require action from the user, the company administrator, or Oracle.
The table below offers a quick view of the actions required to enable each of the Release 12 features:
Action Required to Enable Feature

Feature | Automatically Available | End User Action Required | Administrator Action Required | Oracle Service Request Required
---|---|---|---|---
Oracle Risk Management Cloud | | | |
Transactional Business Intelligence Enterprise for Risk Management | | | |
Applications Security | | | |
Oracle Risk Management Cloud offers Financial Reporting Compliance, which documents your policies for identifying and resolving risk in your financial processes.
Changes to Security-Related Jobs
Changes have been made to jobs that run in Oracle Risk Management Cloud to synchronize users, roles, worklists, and other related security artifacts. The following changes have been made to areas under Risk Management Tools, Setup and Administration:
- A User and Role Security Synchronization job initiates predefined security objects when you set up applications in Risk Management Cloud. Subsequently, as you modify users or roles, this job synchronizes user and role definitions. Schedule this job to run regularly.
- A Worklist Security Synchronization job ensures that as user and role definitions change, users have appropriate access to worklists (notifications of tasks to be completed). Schedule this task to run regularly. However, the User and Role Security Synchronization job should always run first.
- These jobs replace jobs that no longer exist. The obsolete jobs include:
  - Initiate Predefined Mappings, which had run from the Security Configuration page.
  - Schedule Security Optimization, which had run from the Application Configuration page.
Scheduling page to manage jobs that run on a regular basis.
Steps to Enable
By default, these jobs are scheduled to run once a week, on Sundays. Start times are staggered to ensure they run in the correct sequence.
Tips and Considerations
The jobs are listed in the Scheduling page, where you can modify their schedules. If you do, you must be sure to set start times so that the jobs run in the proper order.
Key Resources
For more information see Risk Management Cloud Implementing Risk Management.
Security Updates to Predefined Roles
Changes have been made to some predefined duty roles in Oracle Risk Management Cloud Release 12. When you are upgrading from Release 11 to Release 12, you should review and compare any custom job roles that used a copy of a predefined role and evaluate if any changes are necessary in Release 12.
Steps to Enable
There are no steps necessary to enable this feature.
Tips and Considerations
Changes to predefined duty roles affect only upgrades from Release 11, and only those customers that made copies of these predefined duty roles.
Key Resources
Please refer to the Upgrade Guide for Oracle Risk Management Cloud Security (Doc ID 2204136.1) to review details of the predefined roles that were modified to see whether any changes are necessary.
While Risk Management provides robust functionality as delivered, you can make changes to it, if necessary. Use Page Composer to customize simplified and desktop pages for other users. For example, you can:
- Add fields
- Add validations
- Change defaults
- Rearrange regions
- Add external content
- Save queries
Steps to Enable
Before customizing pages, do the following tasks:
- Understand the typical workflows for working with run-time customizations.
- Verify that the page is customizable. To do so, check whether either the Customize Pages or the Customize <Page Name> Pages menu item is available under the Administrator menu. If not, the page can't be customized.
- Confirm that your privileges are sufficient for customizing the page.
- Activate a sandbox.
Key Resources
For more information see Oracle Help Center for the common document covering Page Customization located in Customizing the Applications for Functional Administrators.
Oracle Financial Reporting Compliance Cloud
Oracle Financial Reporting Compliance Cloud consolidates the process of documenting and assessing your business practices to satisfy financial reporting regulations, such as Sarbanes-Oxley and equivalent laws around the world and in the public sector.
Changes have been made to the location in which you perform searches on objects you manage. The search has been moved to the left side for management pages for processes, risks, controls, and issues. The search criteria and options remain the same.
Locate controls you want to analyze using the search region.
Steps to Enable
There are no steps necessary to enable this feature.
Transactional Business Intelligence Enterprise for Risk Management
Financial Reporting Compliance delivers two subject areas that allow creation of analyses based on Financial Reporting Compliance data. Each is described below. For example, you can use the Compliance subject area to create a Control Listing quickly.
Risk Management Cloud – Compliance Real Time subject area.
Risk Management Cloud - Compliance Real Time
This subject area provides summarized information related to records of Oracle Financial Reporting Compliance objects, such as process, risk, control, issue, remediation plan, and assessment. Dimensions in this subject area allow reporting and analysis related to definitions of the object records. The person who views an analysis or report based on this subject area sees records of objects associated with perspective values matching those specified in his or her security configuration.
Risk Management Cloud - Assessment Results Real Time
This subject area provides summarized information related to Oracle Financial Reporting Compliance assessment results. Dimensions in this subject area allow reporting and analysis related to assessments for processes, risks, and controls.
Steps to Enable
The predefined Enterprise Risk and Control Manager as well as the Compliance Manager job roles have the required duty to access the Risk Management subject areas. If you want to enable reporting for job roles you create, be sure to grant them the Financial Reporting Compliance Transaction Analysis Duty.
Users with access to this duty role have access to both the Compliance and Assessment Results subject areas in Risk Management.
Users viewing analyses created from these subject areas can see only data they have access to, as granted in Risk Management through data security policies. For example, suppose two risks exist, one associated to a US perspective value and the other to a Canada perspective value. A user's data security policies enable him to view only records with US perspective values in the application. That user would also be able to see only records associated to the US risk in an analysis.
Report Synchronization
A synchronization program must be run to gather real-time information pertaining to perspective and security assignments. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management Tools > Setup and Administration > Scheduling. Data for both the Compliance and Assessment Results subject areas is available real-time.
Key Resources
For more information see Oracle Risk Management Cloud Creating Analytics and Reports in the Risk Management library of the Oracle Help Center.
Oracle Fusion Applications Security provides a single console where IT Security Managers and Administrators can perform various functions including user lifecycle management, role definition, security policy management (both functional and data), role hierarchy maintenance, username and password policy administration, and certificate management. The console also enables users to simulate the effect of security changes, to run security reports, and to download a connector for integration with Microsoft Active Directory.
In Release 12, Oracle Fusion Applications Security offers several new capabilities that offer customers the following benefits:
- A Simplified User Experience for the IT Security Manager - Prior to Release 12, security administration functions were distributed across Oracle Identity Management (OIM) and Authorization Policy Manager (APM). In Release 12, these functions are delivered through a single interface – the Security Console. OIM and APM are no longer available in R12.
- Easy Integration with Identity and Access Management (IDM/IAM) Systems - New capabilities to synchronize user account information with Identity and Access Management (IDM/IAM) systems. This synchronization enables the delivery of a Single Sign-On experience through these systems.
- Upgrade-Safe Reference Role Model - Starting from Release 12, pre-defined roles that are shipped with Oracle Applications Security will be locked down. Customers will not be able to modify the functional and data security policies that are associated with these roles. They can, however, add new data security policies to these pre-defined roles. In addition, privileges and resources are protected. Users cannot create or modify these artifacts.
- Enhanced Self-Service Capabilities - Administrators are able to manage the entire user lifecycle. They can customize how notifications are generated and sent for various user lifecycle events, including user account creation and password management.
For Microsoft Active Directory (AD) and Oracle Identity Management (OIM), customers can download and install connectors that will automatically synchronize user account information between Oracle Fusion Applications and these IDM systems. As in R11, customers must continue to log a Service Request (SR) to set up federated Single Sign-On (SSO) between these systems. Once the federation is enabled, the connectors will synchronize information.
Release 12 also delivers a REST API based on the SCIM (System for Cross-Domain Identity Management) standard. Customers can use this API to create user accounts, modify user attributes (e.g. email), enable/disable users, and fetch user account and role information.
Locking down these security artifacts enables safe upgrades to pre-defined roles, since the possibility of conflict with customer introduced changes to these roles is now eliminated. This, in turn enables customers to safely adopt new enhancements that may be delivered with pre-defined roles in future releases. As in R11, customers can make copies of pre-defined roles and freely customize these copies.
Please refer to your product upgrade guide for any steps that may be required to prepare for and adopt this feature. (Upgrade Guide for Oracle Risk Management Cloud Security (Doc ID 2204136.1))
Administrators can also tailor username and password generation by choosing from a list of shipped policies.
Please refer to your product upgrade guide for any steps that may be required to prepare for and adopt this feature. (Upgrade Guide for Oracle Risk Management Cloud Security (Doc ID 2204136.1))
You can now create and manage implementation user accounts within Oracle Fusion Applications Security. You can assign roles to these user accounts using the following navigation: Tools > Security Console > User tab. You can also search, retrieve, and manage user accounts automatically created for employees, contingent workers, supplier contacts, or partner contacts.
Search User Accounts Page
Add User Account Page
Steps to Enable
There are no steps necessary to enable this feature.
Role Information
The following function security privileges are required for this feature.
Privilege Name and Code | Job Role Name and Code
---|---
Create User Account ASE_CREATE_USER_ACCOUNT_PRIV | IT Security Manager ORA_FND_IT_SECURITY_MANAGER_JOB
Delete User Account ASE_DELETE_USER_ACCOUNT_PRIV | IT Security Manager ORA_FND_IT_SECURITY_MANAGER_JOB
Edit User Account ASE_EDIT_USER_ACCOUNT_PRIV | IT Security Manager ORA_FND_IT_SECURITY_MANAGER_JOB
View User Account ASE_VIEW_USER_ACCOUNT_PRIV | IT Security Manager ORA_FND_IT_SECURITY_MANAGER_JOB
Key Resources
For more information on the Security Console, go to the Help Center for the following guide:
- Security Oracle HCM Cloud
Administrator Password Management
As an administrator, you can manage passwords of other users using the Security Console. You can auto-generate or manually enter a password for a user account. You can also define password lifecycle and complexity policies. Passwords will be automatically validated against these policies.
Administrator’s Reset Password Page
Steps to Enable
There are no steps necessary to enable this feature.
Key Resources
For more information on the Security Console, go to the Help Center for the following guide:
- Security Oracle HCM Cloud
User Password Management (Self-Service)
You can now manage your own user account password using the Security Console. The password will be automatically validated against the defined password lifecycle and complexity policies.
Self-Service Password Reset Page
Steps to Enable
There are no steps necessary to enable this feature.
As an administrator, you can now lock user accounts. If you lock a user account, you will be temporarily preventing the user from logging in with that user account. You can also unlock a locked user account.
Lock User Account in Edit User Account Page
Steps to Enable
There are no steps necessary to enable this feature.
You can now view only certain components of a role in the graphic visualizer. You can view only the privileges, aggregate privileges or roles assigned to a role. You can also view the graph in full screen mode and pan over a specific region in the graph.
For complex roles, these features enable you to reduce the amount of information visualized and to focus on the area within the role hierarchy that requires your attention.
View Only the Privileges for a Role
View Only the Inherited Roles for a Role
Pan and View Top Left Region of the Graph
Steps to Enable
There are no steps necessary to enable this feature.
You can now view role hierarchies in a tabular view. You can switch between the graphic visualizer view and the tabular view. You can also export the data displayed in the tabular view.
Tabular View of Direct and Indirectly Inherited Roles for a Role
Tabular View of Direct and Indirectly Assigned Privileges for a Role
Tabular View of Direct and Indirectly Assigned Users for a Role
Export of Direct and Indirectly Inherited Privileges for a Role
Steps to Enable
There are no steps necessary to enable this feature.
Search in Role Hierarchy Visualization
You can now search and quickly locate security artifacts (nodes) in the role hierarchy visualization. You can search for privileges, roles or users in the visualization.
Search in Role Hierarchy Graph
Steps to Enable
There are no steps necessary to enable this feature.
You can now define the user name generation rules used to auto-generate the user name in Oracle Fusion Applications Security. User name generation rules can be based on the user’s first and last names, e-mail or person number. You can also choose to use a system generated user name if the rule fails to generate a user name.
User Name Generation Rules Region in the Administration Page
Steps to Enable
There are no steps necessary to enable this feature.
Tips and Considerations
If your company submitted a service request for Oracle to set up a custom username generation rule, review the Validate User Lifecycle Settings topic in the Upgrade Guide for Oracle Risk Management Cloud Security.
You can now define policies for password management. These policies can define the duration for various password lifecycle events like password expiration and password warning generation. You can also set the complexity of generated passwords by choosing from a pre-defined list of rules.
Password Policy Region in the Administration Page
Steps to Enable
There are no steps necessary to enable this feature.
Tips and Considerations
If your company submitted a service request for Oracle to set up a custom password policy, review the Validate User Lifecycle Settings topic in the Upgrade Guide for Oracle Risk Management Cloud Security.
Role Information
The following function security privilege is required for this feature:
Privilege Name and Code | Job Role Name and Code
---|---
Run Password Expiry Job ASE_PASSWORD_EXPIRY_ESS_JOB_PRIV | IT Security Manager ORA_FND_IT_SECURITY_MANAGER_JOB
You can now define custom notification templates for user account life cycle events. You can also use pre-defined notification templates.
These templates will be used to generate notifications for events like user account created, user password reset and user password expiry warning.
Notification Templates Region in the Administration Page
Edit Notification Template Page
Steps to Enable
There are no steps necessary to enable this feature.
Tips and Considerations
If your company submitted a service request for Oracle to set up a custom notification template, review the Validate User Lifecycle Settings topic in the Upgrade Guide for Oracle Risk Management Cloud Security.
Upgrade-Safe Management of Factory Shipped Roles
You can now identify a predefined (factory shipped) Oracle role when viewing the role. Predefined Oracle roles are locked and you cannot customize the Oracle delivered functional and data security policies associated with these roles. You can, however, add data security policies to these roles.
Predefined Oracle roles are displayed in a different color in the graph visualizer.
Predefined Role Indicator in the Edit Role Page
Predefined Role Indicator in the Role Hierarchy Graph
Steps to Enable
There are no steps necessary to enable this feature.
Bridge for Microsoft Active Directory
Simplify Single Sign-On with Microsoft Active Directory by downloading and installing the Active Directory Bridge from the Security Console. Automatically synchronize user account information between Oracle Fusion Applications Security and Microsoft Active Directory.
Active Directory Bridge Base Configuration Page
Active Directory Bridge User Attribute Mappings Page
Active Directory Bridge Synchronization Status Page
Steps to Enable
There are no steps necessary to enable this feature.
User Password Changes Audit Report
You can now generate a report that lists password changes made by users. The report can be generated for changes made by specific users or for all changes made during a specific period.
User Password Changes Audit Report Process Details Page
Steps to Enable
There are no steps necessary to enable this feature.
Role Information
The following function security privilege is required for this feature:
Privilege Name and Code | Job Role Name and Code
---|---
Run User Password Changes Audit Report ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV | IT Security Manager ORA_FND_IT_SECURITY_MANAGER_JOB
Integrate Custom Identity Management Solution
You can now optionally integrate with your Identity Management solution for user and role management using industry-standard System for Cross-domain Identity Management (SCIM) REST APIs and ATOM feeds.
Steps to Enable
There are no steps necessary to enable this feature.
The password reset flow has been changed in Release 12. A notification email will be sent to the user who requests a password reset. The user will be required to click the link in this email, within a specific period of time, to change the password. This replaces the previous flow where users were required to answer a series of challenge questions to reset the password.
Email Notification to Reset Password
User Reset Password Page
Steps to Enable
There are no steps necessary to enable this feature.
The unified security administrator interface, combined with the ability to safely upgrade the reference security implementation, will result in the following changes in functionality in the Security Console.
- All user account information, including password changes and lock/unlock status, is managed in the Security Console.
- Roles are now managed directly in the Security Console and are no longer managed within Oracle Identity Manager or Authorization Policy Manager.
- Users can view, create or modify roles without first selecting an application.
- Users cannot create or modify privileges. They can continue to grant privileges to roles.
- Users cannot create or modify resources.
- Users cannot grant resources directly to a role. Resources are now only granted to privileges.
Steps to Enable
There are no steps necessary to enable this feature.
New Function Security Privileges for Applications Security
This section provides product-specific information that you need when implementing new Release 12 features in your existing roles.
If you are not using the predefined reference roles, then you need to add the function security privilege to relevant custom job roles.
This table identifies the required function security privilege and the predefined role that automatically inherits the privileges during the upgrade.
Privilege Name and Code | Job Role Name
---|---
Create User Account ASE_CREATE_USER_ACCOUNT_PRIV | IT Security Manager
Delete User Account ASE_DELETE_USER_ACCOUNT_PRIV | IT Security Manager
Edit User Account ASE_EDIT_USER_ACCOUNT_PRIV | IT Security Manager
View User Account ASE_VIEW_USER_ACCOUNT_PRIV | IT Security Manager
Enable Database Resource Management ASE_ENABLE_DATABASE_RESOURCE_MGMT_PRIV | IT Security Manager
Run Password Expiry Job ASE_PASSWORD_EXPIRY_ESS_JOB_PRIV | IT Security Manager
Run User Password Changes Audit Report ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV | IT Security Manager
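
One way to act on the note about custom job roles, as an added example that is not Oracle's code: it walks a role hierarchy to collect each custom job role's directly and indirectly granted privileges and reports which of the privilege codes in the table above are missing. The custom role codes, the dictionary layout and the sample hierarchy are assumptions constructed for illustration; real input would come from your own role export.

```python
# Added example: audit custom job roles for the Release 12 privilege codes
# listed in the table above. The hierarchy is constructed sample data and the
# CUSTOM_* role codes are hypothetical.

R12_PRIVILEGES = {
    "ASE_CREATE_USER_ACCOUNT_PRIV",
    "ASE_DELETE_USER_ACCOUNT_PRIV",
    "ASE_EDIT_USER_ACCOUNT_PRIV",
    "ASE_VIEW_USER_ACCOUNT_PRIV",
    "ASE_ENABLE_DATABASE_RESOURCE_MGMT_PRIV",
    "ASE_PASSWORD_EXPIRY_ESS_JOB_PRIV",
    "ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV",
}

# role code -> directly granted privileges and directly inherited roles
SAMPLE_ROLES = {
    "CUSTOM_IT_SECURITY_ADMIN_JOB": {
        "privileges": {"ASE_VIEW_USER_ACCOUNT_PRIV"},
        "inherits": ["CUSTOM_USER_LIFECYCLE_DUTY", "CUSTOM_AUDIT_DUTY"],
    },
    "CUSTOM_USER_LIFECYCLE_DUTY": {
        "privileges": {"ASE_CREATE_USER_ACCOUNT_PRIV",
                       "ASE_EDIT_USER_ACCOUNT_PRIV"},
        "inherits": ["CUSTOM_AUDIT_DUTY"],
    },
    "CUSTOM_AUDIT_DUTY": {
        "privileges": {"ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV"},
        # Constructed cycle, to show that a malformed export cannot hang the walk.
        "inherits": ["CUSTOM_USER_LIFECYCLE_DUTY"],
    },
    "CUSTOM_HELPDESK_JOB": {
        "privileges": {"ASE_VIEW_USER_ACCOUNT_PRIV"},
        # Constructed dangling reference: this role is absent from the export.
        "inherits": ["CUSTOM_MISSING_DUTY"],
    },
}


def effective_privileges(role, roles):
    """Return (privileges, unresolved_roles) reachable from `role`."""
    seen, stack = set(), [role]
    privileges, unresolved = set(), set()
    while stack:
        current = stack.pop()
        if current in seen:          # already visited: breaks cycles
            continue
        seen.add(current)
        definition = roles.get(current)
        if definition is None:       # referenced but not defined in the export
            unresolved.add(current)
            continue
        privileges |= set(definition.get("privileges", ()))
        stack.extend(definition.get("inherits", ()))
    return privileges, unresolved


def audit_roles(job_roles, roles, required=R12_PRIVILEGES):
    """Map each job role to the required privileges it lacks."""
    report = {}
    for role in job_roles:
        granted, unresolved = effective_privileges(role, roles)
        report[role] = {
            "missing": sorted(required - granted),
            "unresolved": sorted(unresolved),
        }
    return report


if __name__ == "__main__":
    targets = ["CUSTOM_IT_SECURITY_ADMIN_JOB", "CUSTOM_HELPDESK_JOB"]
    for role, finding in audit_roles(targets, SAMPLE_ROLES).items():
        print(role)
        print("  missing:   ", ", ".join(finding["missing"]) or "none")
        print("  unresolved:", ", ".join(finding["unresolved"]) or "none")
```

A non-empty `unresolved` list means the result for that role is incomplete and the export should be checked before any privilege is added.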
---

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.