Update 21D

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Overview

HAVE AN IDEA?

We’re here and we’re listening. If you have a suggestion on how to make our cloud services even better then go ahead and tell us. There are several ways to submit your ideas, for example, through the Ideas Lab on Oracle Customer Connect. Wherever you see this icon after the feature name it means we delivered one of your ideas.

GIVE US FEEDBACK

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

DISCLAIMER

The information contained in this document may include statements about Oracle’s product development plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle.

This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices and Terms of Use for further information.

Risk Common

Common Risk Management

Update to Record Attachments

When multiple attachments are added to a single record, the initial list is limited to the first five records. The list of records can be expanded in increments of five.

Group Security Assignment Authorization Display Update

When user groups are assigned to records, the Authorized As value is now displayed as read only.

Additional Risk Management Quick Actions Added

The ability to quickly add new records within Risk Management has been extended to Advanced Controls and Access Certifications functionality.

Audit Is Enabled for User Assignment Groups

You can now track changes made to Risk Management user assignment groups. For example, suppose a user assignment group has three members in it originally, and later another person is added. You can now run a report to see that change, who made the change, and when. These are the attributes tracked: Group Name, Authorization, Object, User Name, User Group, and Eligibility.

Transactional Business Intelligence for Risk Management

Reports Now Cover User Assignment Security for Remediation Plans

To secure Risk Management remediation plans, you authorize users as owners, editors, viewers, reviewers, or approvers, or you assign user groups that grant these authorizations. You can now report on the users and groups selected for remediation plans, and their levels of authorization. Reports also display whether each user is eligible, meaning that the user also has the functional access.

Financial Reporting Compliance

Financial Reporting Compliance

Send Email Reminder Email Configuration Change

In Financial Reporting Compliance, users may send email reminders to complete assessments, surveys, or tasks related to issues or remediation plans. These are sent regardless of whether email alerts are enabled or disabled in the Manage Configuration Options page of the Setup and Administration work area.

Data Migration Import State Transition and Ability to Import URL Attachments

At the point data is imported into Risk Management, the following applies:

• New records are imported at the Approved state.
• State does not change for records when incremental imports may change existing data relationships. The state of each of these records remains as it was prior to the update.

You can now import URLs as attachments associated to object records.

Assign Default Actors for Control Certification Assessments

The owner of a control can select assessors, reviewers, and approvers who are assigned by default to certification assessments of the control. The control owner makes these selections while working with the control record, using a Default Assessment Security Assignment page. The assessors, reviewers, and approvers are then assigned by default to all certification assessments for which the control is scoped. (They aren't assigned, however, to any type of control assessment other than certification.) The owner of an assessment batch that includes the control can update the default security assignments.

Changes to Surveys and Perspectives in Assessments

Two changes apply to an assessment batch that includes a survey: You can now view survey responses within each assessment record. Second, if you copy the assessment batch to create a new one, the copy includes the survey template. Another change applies to assessment-batch copies: If perspective values used for scoping in the original batch have become inactive, they are flagged as inactive in the copy. Records associated with inactive perspectives are not included among proposed records for the assessment-batch copy.

Associate a Survey Template to an Impromptu Assessment

You can now associate a survey template to an impromptu assessment.

Risk Management

Advanced Access Controls

Job Name Changed for User Provisioning

In 21D, "Generate Provisioning Rules" replaces "User Provisioning" as the name of the job that runs when a user clicks the Generate Provisioning Rules button in the Provisioning Rules page. The name appears in the record of the job on the Monitor Jobs page. The new name better reflects the purpose of the job. The job type has also changed from "User Provisioning" to "Generate Provisioning Rules."

New Message in Provisioning Rules

If no rules are generated when the Generate Provisioning Rules job is run, the Provisioning Rules page displays a message to the user. Prior to 21D the Autogenerated Rules section was missing, and its absence was confusing.

Removed Duplicate Provisioning Rule Results in Security Console

While editing or creating roles in the Security Console, you analyze the role structure for separation-of-duties conflicts determined by provisioning rules, and make changes to the role structure as needed until your role is conflict-free. Prior to 21D the results showed duplicate conflicting-role combinations; in each, one pair was the inverse of the other. Now the results display each conflicting-role pair only once.

Audit Is Enabled for Global Conditions

You can now track changes made to Advanced Controls global conditions. For example, suppose a global condition was added to exclude North America business units, and someone made it inactive. This may cause many new incidents to be generated. You can now run a report to see that change, who made the change, and when, which could help answer the question as to why new incidents were created. These are the attributes tracked: Name, Filter Name, Attribute, Condition, Value.

Added Exclusions for Procurement Agent Actions

For certain privileges to grant functional access, a user must be granted both the privilege and a corresponding "action" as a "procurement agent" for a business unit. Advanced Access Controls automatically excludes privileges related to actions a procurement agent has not been granted access to perform. The "Merge Suppliers" privilege is now excluded during analysis if "Manage Suppliers" procurement action is not granted via a procurement agent.

Changes Made to Invoke Model Logic Actions

When creating or editing a model, it used to be that you could select a filter node in the model logic area and right click to invoke various actions: Edit, Delete, Clear Highlight. These features still exist, but there are new ways of invoking them. There were also two tabs on the right side in the model logic area. One was removed because the same features can be invoked another way, the other was moved to another place on the page.

Messaging Around Result Default Security

In a control definition, there are two areas to assign security: first, to the control itself, and second, to the results generated by that control. There's often confusion about what happens if you edit a control to modify its result security: does the new security apply only to new incidents, or also to those generated before the result-security edit? The answer is, a result-security edit applies only to incidents generated after the edit. This has been made clear with a banner message.

Updated Delivered Model Content

The privileges Define Self Managed Oracle Fusion General Ledger Allocation Formula and Define Oracle Fusion General Ledger Allocation Formula have been removed from the Enter Journals entitlement.

Access Certification

Changes to Access Certification Scoping Feature

Scoping condition filters can now recognize data-security definitions configured in the Manage Data Access for Users task in Setup and Maintenance.

Advanced Financial Controls

New Read-Audit Model in Content Library

One new Advanced Financial Controls model is available for import. It’s called 70007: Infrequently Used IP Addresses.

Changes Are Made to Business Objects

This release includes additions and updates to business objects. For existing business objects, new attributes were added to Purchase Order, Asset Workbench, Sensitive Data Access Audit, Audit - Contract, Audit - Organization Unit, Audit - Person Allocated Checklist, Audit - Person Allocated Checklist Tasks, Audit - Participant Header, Audit - RcvParametersAuditVO, Audit - Mapping Set Value Audit, and Audit - Supplier Bank Accounts. All Audit business objects also include two new attributes that provide greater user and value information for audit records returned.

Number of Occurrences Attribute Value No Longer Impacts Control Incident Status

In previous releases, if the Number of Occurrences attribute was the only value that changed in an incident record after control analysis was run, the existing incident was closed and a new one was created. This is no longer the case for newly created incidents in release 21D. If the Number of Occurrences changes, the value is updated and there is no impact to the existing status of the incident.

Audit Is Enabled for Business Object Security

You can now track changes made to Risk Management business object security. For example, suppose a user has access to all business objects in the area of procurement, and later the user is also given access to the business object Journal Entry. You can now run a report to see that change, who made the change, and when. These are the attributes tracked: User Name, Access by Product or Business Object.

Changes Made to Invoke Model Logic Actions

When creating or editing a model, it used to be that you could select a filter node in the model logic area and right click to invoke various actions: Edit, Delete, Clear Highlight. These features still exist, but there are new ways of invoking them. There were also two tabs on the right side in the model logic area. One was removed because the same features can be invoked another way, the other was moved to another place on the page.

Messaging Around Result Default Security

In a control definition, there are two areas to assign security: first, to the control itself, and second, to the results generated by that control. There's often confusion about what happens if you edit a control to modify its result security: does the new security apply only to new incidents, or also to those generated before the result-security edit? The answer is, a result-security edit applies only to incidents generated after the edit. This has been made clear with a banner message.