Oracle Common Technologies and User Experience
What's New
  1. Update 19A
  1. Revision History
  2. Overview
  3. Optional Uptake of New Features (Opt-In)
  4. Feature Summary
    1. Applications Security
        1. Location Based Access Control
        2. Updated Chooser Sign-in Page
        3. Self-Service External Identity Provider Setup
        4. Support for FSM Based Export/Import of Custom Role Hierarchy
    2. BI Cloud Connector
        1. Inactive and Unavailable BI View Objects (BIVOs) and BIVO Columns for Exclusion from Extraction in BI Cloud Connector
    3. Extensibility
        1. Configure the Availability of Work Area Page Entries in Mobile Devices
        2. Enhancements to the Appearance Work Area
    4. Reporting and Analytics
        1. Armor Flag to Encrypt File in ASCII Armor Format During SFTP Delivery
        2. Audit and Performance Monitoring Now Available and Turned On by Default
        3. Email Delivery Will Use Cloud Notification Service (CNS) for OCI Based SaaS Pods
        4. Include Images and Charts in Your Report for Offline Viewing Using Auto Option
        5. New MAC Algorithm Support for SFTP Delivery Channel
        6. OTBI Direct Database Query Privilege is Disabled by Default for Authenticated Users
        7. Restrict Printer Access by Security Role
        8. Set a Default Printer for a User
        9. Upload Center to Upload Configuration-Specific Files

Update 19A

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date | Feature | Notes
12 APR 2019 | Audit and Performance Monitoring Now Available and Turned On by Default | Updated document. Revised feature information.
11 FEB 2019 | OTBI Direct Database Query Privilege is Disabled by Default for Authenticated Users | Updated document. Delivered feature in update 19A.
05 FEB 2019 | Support for FSM Based Export/Import of Custom Role Hierarchy | Updated document. Delivered feature in update 19A.
21 DEC 2018 |  | Created initial document.

Overview

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

Give Us Feedback

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

Optional Uptake of New Features (Opt-In)

We continue to add many new features to the Oracle Cloud Applications, and for some features, you can take advantage of new functionality at a pace that suits you by “opting in” to the feature when you’re ready. You can opt-in to a feature in two ways: by using the New Features work area, or by using the Setup and Maintenance work area.

To opt-in using the New Features work area:

  1. Click the Navigator, and then click New Features (under the My Enterprise heading).
  2. On the New Features page, select the offering that includes new features you’d like to review.
  3. Click Opt-In for any feature that you want to opt-in to.
  4. On the Edit Features page, select the Enable option for the feature, and then click Done.

To opt-in using the Setup and Maintenance work area:

  1. Click the Navigator, and then click Setup and Maintenance.
  2. On the Setup page, select your offering, and then click Change Feature Opt-In.
  3. On the Opt-In page, click the Edit Features icon.
  4. On the Edit Features page, select the Enable option for any feature you want to opt-in to. If the Enable column includes an Edit icon instead of a check box, then click the icon, select your feature options, and click Save and Close.
  5. Click Done.

Feature Summary

Column Definitions:

Report = New or modified, Oracle-delivered, ready to run reports.

UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.

UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.


Customer Action Required = You MUST take action before these features can be used by END USERS. These features are delivered disabled and you choose if and when to enable them. For example, a) new or expanded BI subject areas need to first be incorporated into reports, b) Integration is required to utilize new web services, or c) features must be assigned to user roles before they can be accessed.

New Features Delivered Ready to Use (Delivered Enabled)

Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features.

New Features That Customer Must Take Action to Use (Delivered Disabled)

Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing.

Feature | Report | UI or Process-Based: Small Scale | UI or Process-Based: Larger Scale* | Customer Action Required

Applications Security
  • Location Based Access Control
  • Updated Chooser Sign-in Page
  • Self-Service External Identity Provider Setup
  • Support for FSM Based Export/Import of Custom Role Hierarchy

BI Cloud Connector
  • Inactive and Unavailable BI View Objects (BIVOs) and BIVO Columns for Exclusion from Extraction in BI Cloud Connector

Extensibility
  • Configure the Availability of Work Area Page Entries in Mobile Devices
  • Enhancements to the Appearance Work Area

Reporting and Analytics
  • Armor Flag to Encrypt File in ASCII Armor Format During SFTP Delivery
  • Audit and Performance Monitoring Now Available and Turned On by Default
  • Email Delivery Will Use Cloud Notification Service (CNS) for OCI Based SaaS Pods
  • Include Images and Charts in Your Report for Offline Viewing Using Auto Option
  • New MAC Algorithm Support for SFTP Delivery Channel
  • OTBI Direct Database Query Privilege is Disabled by Default for Authenticated Users
  • Restrict Printer Access by Security Role
  • Set a Default Printer for a User
  • Upload Center to Upload Configuration-Specific Files

Applications Security

Location Based Access Control

From this update, you can use IP addresses in determining access control in Oracle Applications Cloud. The IP address serves as the identifier of a user's location. The combination of IP addresses and roles offers administrators better options to control access.

The Location Based Access feature is not enabled by default in either upgraded or newly provisioned environments. When you enable this feature in an environment, all roles by default are marked for private access and will depend on the whitelisted IP address for access control.

[Figure: Enable Location Based Access Control]

To exclude a role from being dependent on a whitelisted IP address, you must explicitly grant it public access to the Security Console.

[Figure: Enable Role with Access to Security Console from Any IP Address]

Sample Use Cases for Location Based Access Control

  • You may want to enable employee self-service access when the application is accessed using the publicly available internet, but restrict access to administrative tasks such as Security Console or Payroll for security reasons.
  • You may want to allow access to integration web services (for example, SCIM REST services) only from the corporate data center IP address, and allow access to self-service UIs when users access the same application from a public IP address.

Steps to Enable

ENABLING LOCATION BASED ACCESS 

  1. Obtain the IP address or IP address range (CIDR format) required for whitelisting.
  2. In Security Console, go to Administration > Location Based Access and select the Enable Location Based Access check box.
  3. Add the identified IP addresses in the IP Address Whitelist text box. 
  4. Save the changes.

ENABLING UNRESTRICTED ACCESS TO SPECIFIC ROLES 

  1. Identify roles that need to be granted public access (without being impacted by the IP address based restriction).
  2. In Security Console, on the Role tab, edit the required role and select the Enable Role for Access from All IP Addresses check box.
  3. Save the changes.

NOTE: If existing roles don't meet your functional need, create new roles and enable them for access from all IP addresses.

Tips And Considerations

  • Validate your roles and IP address range in the test instance for functional accuracy before enabling the feature in the production environment.
  • Location Based Access control comes into effect after the user signs in using valid credentials. However, their access to application content will be restricted, based on the IP addresses and assigned roles.
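
The access decision described in this section, modelled as an added example for dry-running a whitelist and role setup before enabling the feature; it is not Oracle code. The users, the role names other than IT Security Manager, and the addresses are constructed, and the whitelist is assumed to be a list of single addresses or CIDR ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    # Models the "Enable Role for Access from All IP Addresses" check box.
    public: bool = False


def parse_whitelist(entries):
    """Return (networks, problems) for a list of IP or CIDR strings."""
    networks, problems = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects ranges such as 10.1.2.3/24 whose host bits
            # are set, which usually means the wrong base address was typed.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: {exc}")
            continue
        if net.prefixlen == 0:
            # A /0 range would make every role reachable from anywhere.
            problems.append(f"{text}: matches every address")
            continue
        networks.append(net)
    return networks, problems


def is_whitelisted(client_ip, networks):
    # An IPv6 client never matches an IPv4 range (and vice versa).
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def effective_roles(assigned, client_ip, networks, enabled=True):
    """Roles that still apply to a signed-in user connecting from client_ip."""
    if not enabled or is_whitelisted(client_ip, networks):
        return list(assigned)
    # Outside the whitelist only roles marked public remain usable.
    return [role for role in assigned if role.public]


def dry_run(users, test_ips, networks):
    """Map (user, ip) -> sorted names of the roles effective from that address."""
    return {
        (user, ip): sorted(r.name for r in effective_roles(roles, ip, networks))
        for user, roles in users.items()
        for ip in test_ips
    }


# Constructed sample data: documentation address ranges, hypothetical users.
EMPLOYEE = Role("Employee", public=True)
SECURITY = Role("IT Security Manager")
PAYROLL = Role("Payroll Manager")
USERS = {
    "alice": [EMPLOYEE, SECURITY, PAYROLL],
    "bob": [EMPLOYEE],
    "svc_scim": [SECURITY],
}
WHITELIST = ["198.51.100.0/24", "203.0.113.7", "10.1.2.3/24", "0.0.0.0/0"]

if __name__ == "__main__":
    nets, problems = parse_whitelist(WHITELIST)
    for problem in problems:
        print("whitelist problem:", problem)
    report = dry_run(USERS, ["198.51.100.20", "192.0.2.55"], nets)
    for (user, ip), names in report.items():
        print(f"{user:9} from {ip:14} -> {names or 'NO ROLES'}")
```

A user whose entry comes back empty for an address, such as the integration account from outside the whitelist, would sign in successfully there and then find no role usable.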

Updated Chooser Sign-in Page

The layout of the chooser-enabled login page has been modified as shown below.

[Figure: Chooser Login Page]

Steps to Enable

No steps are required to enable this feature.

Role Information

  • Visible on Fusion Application instances that use Federation (Single Sign-on) with the chooser option enabled.

Self-Service External Identity Provider Setup

The Security Console UI has been enhanced to support external identity provider setup for SAML 2.0 federation.

[Figure: Security Console Single Sign-on]

The following setup elements are required for an external identity provider:

[Figure: Identity Provider Setup]

New email-based alert notifications for SAML certificate expiration have been introduced to alert security managers to renew the federation setup.

[Figure: SAML Certificate Expiration Notifications]

Steps to Enable

No steps are required to enable this feature.

Tips And Considerations

  1. Ensure that security administrators performing single sign-on setup have the following notification events enabled:
    • administrator activity.
    • expiring external IDP signing certificate.
    • expiring service provider signing certificate.
    • expiring service provider identity certificate.
  2. Set up the SSO in a test or stage environment before rolling out changes to production.

Role Information

  • The seeded IT Security Manager role will have access to set up single sign-on.

Support for FSM Based Export/Import of Custom Role Hierarchy

The Manage Job Roles and Manage Duties tasks in the Functional Setup Manager are enhanced with the capability to export and import custom role hierarchy using the existing CSV based export and import functionality.

[Figure: Export and Import Functionality for the Manage Job Roles and Manage Duties Tasks]

You can search for the assignable roles using the filter criteria available on the Manage Job Roles and Duty Roles page.

[Figure: Scope Based on Job and Duty Roles]

Steps to Enable

No steps are required to enable this feature.

Tips And Considerations

The Manage Job Roles and Manage Duties tasks share the same setup business objects and therefore, the export and import activity from each task provides the same result.

  • The following functional security artifacts are exported:
    • Custom Role
    • Custom Role to Seeded (predefined) Role membership
    • Custom Role to Seeded (predefined) Privilege membership

NOTE: You cannot export User to Role memberships.

  • The following seeded functional security artifacts can't be exported. If required, these are delivered only through the released updates and patches.
    • Seeded Roles
    • Seeded Privileges
    • Seeded Role to Seeded Privilege memberships

For a successful import, especially while importing seeded role or privilege membership to a custom role, keep your source and target instances on the same patch level.

Role Information

The IT Security Manager role has access to the export and import data from the relevant Functional Setup Manager tasks.

BI Cloud Connector

Inactive and Unavailable BI View Objects (BIVOs) and BIVO Columns for Exclusion from Extraction in BI Cloud Connector

Beginning with Update 18B, there are BI View Objects and BI View Object columns that are unavailable or marked inactive in Oracle Applications Cloud. The unavailable and inactive objects and columns must be excluded from BICC extracts.

Steps to Enable

Refer to this link for a list of BIVOs and BIVO columns that are unavailable for extraction using BI Cloud Connector (BICC).

Extensibility

Configure the Availability of Work Area Page Entries in Mobile Devices

You can now use the Structure work area to specify whether a page entry for opening a work area will be available for mobile devices when the home page layout is set to News Feed. This setting isn't applicable for the panel or banner layouts.

Steps to Enable

No steps are required to enable this feature.

Enhancements to the Appearance Work Area

You can now use the Appearance work area to configure the icon color of the landing pages for all work areas related to employees, for example Personal Information. More options are now available for you to choose from if you want to configure the background shape, color, and opacity of home page icons for the News Feed home page layout.

Steps to Enable

No steps are required to enable this feature.

Reporting and Analytics

Armor Flag to Encrypt File in ASCII Armor Format During SFTP Delivery

You can now choose the Armor flag option for an armored PGP key to deliver a file in ASCII armor format when selecting PGP Encryption for SFTP delivery.

Steps to Enable

Configure the FTP server to use the PGP encrypted files in ASCII armor format:

  1. Navigate to the BI Publisher Administration page.
  2. In the Delivery section, click the FTP link to open the FTP page.
  3. Add a new FTP Server and click Test Connection to test it. The Filter Command field is read-only and is updated automatically when you select a PGP key.
  4. Select the armored PGP Key ID of the key you uploaded from the list.
  5. Select the ASCII Armored Output checkbox. The Filter Command is updated with a '-a' or '-armor' parameter.
  6. You can choose to sign the encrypted document by selecting the checkbox to Sign Output. If you select this check box, a '-s' parameter is added to the existing filter command.
  7. Test the connection again to confirm that an encrypted test file is sent to the remote directory. The FTP delivery channel can now be used in a scheduled job to encrypt and deliver a file using ASCII armor format.

Tips And Considerations

To download BI Publisher Public Key in ASCII armor format

  • In the Administration > PGP Keys page, click the Download BI Publisher Key [name] (ASCII armored)  link.

Audit and Performance Monitoring Now Available and Turned On by Default

Audit and Performance Monitoring will be turned on by default for all Fusion Application Pillars. You can un-select the checkbox on the BI Publisher Administration page to turn off Audit and Monitoring. You can also turn off Audit only, by selecting Audit Level as NONE. If Audit is turned on (by selecting Audit Level as MEDIUM), performance monitoring will always be on.

You no longer need to make any change to Enterprise Manager Console or restart any services for Audit and Performance Monitoring. The following changes to Audit tables have been introduced to improve Audit Report Details:

  • Report request and schedule request events have been enhanced to record the start and end of events.
  • A Request ID attribute has been added to keep track of the relationship between request start, report execution events and request end for a report request event.
  • For each event, more attributes are added to capture additional data related to performance monitoring and diagnostics.
  • User session events (user login and user logout) are temporarily not being logged due to a technical constraint.

Steps to Enable

Navigate to Server Configuration page under BI Publisher Administration page.

  • To enable both Audit and Monitoring, select checkbox for "Enable Audit and Monitoring" and select Audit Level as MEDIUM
  • To enable Monitoring only, select checkbox for "Enable Audit and Monitoring" and select Audit Level as NONE
  • To disable both Audit and Monitoring, un-select the checkbox for "Enable Audit and Monitoring"

Tips And Considerations

To access the BI Publisher Audit Data:

  1. Configure the AuditDB data source
    • Navigate to the Administration page.
    • Under Data Sources, select JNDI Connection.
    • Click Add Data Source, and enter the following:
      • Data Source Name: AuditViewDB
      • JNDI Name: jdbc/AuditViewDB
    • Click Test Connection to confirm the connection.
    • Move roles from the Available Roles list to the Allowed Roles list as necessary.
    • Click Apply.
  2. Download and Use Audit Reports available from Oracle Technology Network (OTN)
    • Download the Sample Audit Report zip file from the OTN BI Publisher download page: https://www.oracle.com/technetwork/middleware/bi-publisher/downloads/index.html under section "Sample Audit & Usage Reports".
    • Extract the Audit.xdrz file from the zip file to your local machine.
    • Log in to the BI Server using the URL https://servername/xmlpserver.
    • Navigate to the Catalog page and select the path under Custom Folder where you would like to upload the Audit Report.
    • Click Upload from the accordion pane and select the Audit.xdrz file from your local machine.
    • Add security and permission as necessary to access the Audit Folder.
  3. Generate Audit Report
    • It is recommended to run the Audit Report through the scheduler, as the data size may be large:
      • Click Schedule Report from the Catalog page.
      • Select "Date From" and "Date To" parameter values for the report. These values are required; otherwise the report output will be blank.
      • Add a destination if the audit report is intended to be delivered to any specific user through mail or to any server through SFTP. You can even opt to run the report on the server and not select any destination.
      • Submit the job to run immediately, schedule it to run at a future date and time, or submit it as a recurring event.
      • Once the job completes, you can view the report at the delivered destination (such as Email or SFTP). You can also view the report in the Job History page.
  4. Customize Layout (optional)
    • You can add a new layout to the existing report or create a new report against the existing data model.
    • Customizing the data model is not recommended. You can raise an SR if the data model does not bring the data as you needed. Please provide the details of how you want the data and we will enhance the data model or add a new data model for the requirement.

NOTE:

  1. For REL13 19.01 environment please make sure PB4 patch bundle is applied that includes ER 29345269 fix.

  2. Performance monitoring data will be available in a future release.

  3. If you have created any customization of the Audit Report, please keep a backup of the report. The report may get overwritten if you re-upload the Audit.xdrz file.

Email Delivery Will Use Cloud Notification Service (CNS) for OCI Based SaaS Pods

All your scheduled jobs that use SMTP to deliver reports through the Email delivery channel will now use Cloud Notification Service (CNS). The CNS server will be configured as the default for all OCI based SaaS Pods. For non-OCI Pods, the SMTP option will be available the same as before.

Steps to Enable

Users can schedule a report with email delivery the same as before, by selecting email as the destination under the Output tab.

Tips And Considerations

To configure the email address for delivery notification:

  1. Log in as an administrator.
  2. In the BI Publisher home page, click Administration, and then click the "Delivery Configuration" tab.
  3. Enter the email addresses in the "Email From Address" and "Delivery Notification Email From Address" fields.
  4. Enter the email subject text in the following fields:
    • Success Notification Subject
    • Warning Notification Subject
    • Failure Notification Subject
    • Skipped Notification Subject

CNS Limitations:

  • 15 MB limit for sending file as attachment
  • Read notification and email delivery notification not available

Include Images and Charts in Your Report for Offline Viewing Using Auto Option

When a report is delivered as a scheduled job, the report is viewed offline. If the report contains images or charts, they are either included as a URL or embedded in the HTML output as streamed content. A runtime property lets you set "Embed images and charts in HTML for offline viewing" to True or False. When True, all charts and images in the HTML output are embedded, i.e. they are included as streamed binary data. When False, all charts and images in the HTML output are URL links.

You can now select a third option, "Auto", which displays images and charts as included in the template by the report author. With this option, the report author can include images and charts in a mixed way within the same report.

Steps to Enable

BI Service Administrator can log in to BI Administration page > Runtime Properties (to set this at server level)

or

Report Author can set this under Report Properties (to set this at report level)

You can choose from the drop down value for "Embed images and charts in HTML for offline viewing" property:

  • True - All charts and images in the HTML output are embedded (streamed binary data).
  • False - All charts and images in the HTML output are URL links in the HTML output.
  • Auto - Charts and images in the HTML output retain the format (embedded or URL link) defined by the report author.

New MAC Algorithm Support for SFTP Delivery Channel

The following new Message Authentication Code (MAC) algorithms have been added to configure SSH for the FTP delivery channel:

  • hmac-sha1
  • hmac-sha2-256
  • hmac-sha2

Steps to Enable

The MAC algorithm can be selected when configuring SSH for the SFTP configuration.

Tips And Considerations

NOTE: When upgrading from REL 13 18.05 to REL 13 18.10 you may experience job failure with the message "Server's host key fingerprint did not match the supplied value". The reason for this failure is a difference in the host key algorithm that BI Publisher picks as its priority. In REL 13 18.05 the host key algorithm picked by BI Publisher was ssh-rsa, which in REL 13 18.10 may be ssh-dss.

To resolve the issue, save the SFTP connection or recreate it. The steps are:

  1. Log in to BI Publisher.
  2. Follow this path and save the SFTP connection: Administration -> FTP -> Open the SFTP connection -> Save it.

There is no automated way to save the connection.
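
Why a change of host key algorithm produces this error, as an added example that is not BI Publisher code: a server holds a separate key per algorithm, so a fingerprint stored with the connection only matches while the same algorithm is negotiated. The host name and key blobs are constructed, and the input format (host, algorithm and base64 key on each line, as ssh-keyscan prints) is an assumption.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprints(key_b64: str) -> dict:
    """Both common display formats of a host key fingerprint."""
    blob = base64.b64decode(key_b64)
    # MD5 here is only the legacy display format, not a security control.
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256": "SHA256:" + sha,
    }


def blob_algorithm(key_b64: str) -> str:
    """Read the algorithm name embedded at the start of the key blob."""
    blob = base64.b64decode(key_b64)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def parse_host_keys(text: str) -> dict:
    """Parse 'host algorithm base64' lines into {algorithm: base64 blob}."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _host, algo, key_b64 = line.split()[:3]
        if blob_algorithm(key_b64) != algo:
            raise ValueError(f"algorithm column disagrees with key blob: {algo}")
        keys[algo] = key_b64
    return keys


def diagnose(pinned: str, negotiated_algo: str, keys: dict) -> str:
    """Say which of the server's keys a stored fingerprint belongs to."""
    pinned = pinned.strip()
    owner = next((algo for algo, key in keys.items()
                  if pinned in fingerprints(key).values()), None)
    if owner is None:
        return "unknown key: stored value matches no key the server offers"
    if owner == negotiated_algo:
        return "match"
    return (f"mismatch: stored value is the {owner} key, "
            f"client negotiated {negotiated_algo}")


def _constructed_key(algo: str, filler: bytes) -> str:
    # Not a usable key: algorithm name plus filler bytes, enough to hash.
    blob = _ssh_string(algo.encode()) + _ssh_string(filler)
    return base64.b64encode(blob).decode()


# Constructed sample in the style of ssh-keyscan output.
SAMPLE = "\n".join([
    "# sftp.example.com (constructed)",
    "sftp.example.com ssh-rsa " + _constructed_key("ssh-rsa", b"\x01" * 64),
    "sftp.example.com ssh-dss " + _constructed_key("ssh-dss", b"\x02" * 64),
])

if __name__ == "__main__":
    keys = parse_host_keys(SAMPLE)
    stored = fingerprints(keys["ssh-rsa"])["sha256"]  # saved under 18.05
    print(diagnose(stored, "ssh-rsa", keys))
    print(diagnose(stored, "ssh-dss", keys))          # after the upgrade
```

An "unknown key" result is the case to investigate rather than re-save, since the stored fingerprint then matches none of the keys the server presents.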

OTBI Direct Database Query Privilege is Disabled by Default for Authenticated Users

OTBI Direct Database Query privilege is disabled by default for authenticated users.

Prior to update 19A, BI Administrator had the privilege to create and run Direct Database Query in BI Answers. In update 19A, this feature has been disabled by default. Two privileges that control direct database query access, namely ‘Edit Direct Database Analysis’ and ‘Execute Direct Database Analysis’, have been denied for authenticated users.

Reports created with the ‘Direct Database Query’ option prior to update 19A will receive a system error when executed in update 19A. To prevent the system error, customers can revert the update 19A privilege changes by granting BI Administrator privilege to both ‘Edit Direct Database Analysis’ and ‘Execute Direct Database Analysis’.

FUTURE PRODUCT DIRECTION

Direct database query is not a supported OTBI feature for building reports.  Customers are encouraged to use BI Answers to create interactive analyses, use BI Publisher for fixed-format reports and use BI Cloud Connector (BICC) for data extraction.  If customers have created OTBI reports with Direct Database Query option, Oracle development strongly recommends migrating those reports to use OTBI subject areas as Direct Database Query will be deprecated in OTBI in 12 months.

Steps to Enable

HOW TO REVERT THE CHANGE?

BI Administrator can modify direct database analysis privileges in the BI Administration -> Manage Privileges page. To grant BI Administrator access to direct database query, customers can remove ‘Authenticated User’ that has ‘Denied’ permission from the seeded privileges and add a new role of ‘BI Administrator Role’ with ‘Granted’ permission. Below is a screenshot of the ‘Edit Direct Database Analysis’ permission for BI Administrator. Repeat the same step to grant ‘BI Administrator Role’ to the ‘Execute Direct Database Analysis’ privilege.

[Figure: Edit Direct Database Analysis and Execute Direct Database Analysis Privilege Setting]

Restrict Printer Access by Security Role

BI Service Administrator can now restrict access to a printer by role. A user can be given access to the printer by adding the user to the role.

Steps to Enable

  1. BI Service Administrators can navigate to BI Administration page > Delivery Channel section > Printers
  2. Add a Printer
  3. Specify the allowed roles in the Security section of the printer server configuration page

Set a Default Printer for a User

A user can now select a default printer for their profile under "My Account". As a prerequisite, the printer needs to be configured and tested in the BI Publisher Administration page under the Delivery Channel section by a BI Service Administrator.

Steps to Enable

As a BI Service Administrator:

  1. Go to BI Publisher Administration page > Printer Tab
  2. Add a Printer

As a User:

  1. Go to My Account
  2. Select a default printer from the drop down list

Upload Center to Upload Configuration-Specific Files

BI Service Administrator can now upload the configuration-specific files listed below from the BI Publisher Administration page.

  • Custom Fonts
  • Digital Certificate
  • ICC Profile
  • SSH Private Key
  • SSL Certificate 

Steps to Enable

To upload and manage the configuration-specific files:

  1. On the Administration page, under System Maintenance, select Upload Center.
  2. Click Browse and select the file you want to upload.
  3. Select the configuration file type.
  4. If you want to overwrite an existing file with the new file, select Overwrite.
  5. Click Upload.

To delete an uploaded file, select the file in the Manage Uploaded Files section, and click the corresponding delete icon.

Use the Filter By Type field to filter the files in the table.