- Revision History
- Overview
- Feature Summary
- Common
- Ability to Identify User Groups with No Eligible Members
- Prevention of Assignment of User Groups with No Eligible Members
- Notification Jobs
- Limit Purging of Jobs
- More Details in Mass Edit Security Job Summary
- Mass Edit Security Page Offers Separate Searches for Ineligible and Missing Authorizations
- Ability to Use Drag and Drop for Uploading of Attachments
- Ability to Use REST API to Mass-Edit Incidents
- Financial Reporting Compliance
- Advanced Access Controls
- New and Updated Delivered Model Content
- Removed Some Access Condition Attributes
- Added Exclusions for Procurement Agent Actions
- Result Records Now Include Role Codes
- Ability to Autogenerate Provisioning Rules
- Mass Edit Security for Results
- Limit Ability to Purge Control Incident Results to Control Owners
- Access Certification
- Advanced Financial Controls
- Transactional Business Intelligence for Risk Management
- Common
- IMPORTANT Actions and Considerations
This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Product | Feature | Notes |
|---|---|---|---|
| 27 MAY 2021 | Financial Reporting Compliance | Copy, Delete, Archive, and Filter Assessment Batches | Updated document. Revised feature information. |
| 19 MAR 2021 | | | Created initial document. |
This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.
Give Us Feedback
We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.
Column Definitions:
Report = New or modified, Oracle-delivered, ready to run reports.
UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.
UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.
Features Delivered Disabled = Action is needed BEFORE these features can be used by END USERS. These features are delivered disabled and you choose if and when to enable them. For example, a) new or expanded BI subject areas need to first be incorporated into reports, b) Integration is required to utilize new web services, or c) features must be assigned to user roles before they can be accessed.
Ready for Use by End Users: Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features.
Customer Must Take Action before Use by End Users: Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing.
Ability to Identify User Groups with No Eligible Members
In the security-assignment page of a record, a warning icon is displayed if an assigned group has no eligible members. This is the same warning that exists in the User Assignment Groups page.
To access the security-assignment page, navigate to any secured record (for example, a risk) and select the Security Assignment button.

User Group Warning Icon
As you assign a group to records, it's important to know whether any of its members are eligible for those records. If none are, the group grants no access to them.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Record owners should routinely review the membership of groups assigned to their records. They can either go to the User Assignment Group page or define and review an OTBI report on user-group membership.
Prevention of Assignment of User Groups with No Eligible Members
As you secure any record, user groups with no members eligible for that record are no longer available for selection.
This feature prevents users from mistakenly assigning user groups with no eligible members.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
If a known user group is not displayed in the list of values, most likely it has no eligible members. Ensure there is at least one eligible member by editing the user group itself. Once that's done, the user group can be assigned.
Notification Jobs
In earlier releases, a Notification job alerted users to tasks that required their attention. Now that job is split in three, one to announce tasks for each of Advanced Controls, Financial Reporting Compliance, and Access Certifications. You don't run these jobs directly. Instead, they are launched by the Security Synchronization job when you run it.
This streamlines the jobs that need to be scheduled since they're all kicked off by one job now.
Steps to Enable
You don't need to do anything to enable this feature.
Limit Purging of Jobs
You can purge jobs in the Monitor Jobs page. Only jobs in the following statuses are eligible to be purged:
- Completed
- Failed
- Canceled
Over time, the list of jobs that have been run can become long, and most of it is nonessential to keep. This feature lets you remove the noise these jobs create.
Steps to Enable
You don't need to do anything to enable this feature.
More Details in Mass Edit Security Job Summary
In the Monitor Jobs page, the record for a run of the mass-edit security job now shows the selected parameter values, the records that were updated, and the records that were not updated due to errors. Below is an example of each:
Parameter Details
Records Processed with No Errors
Records Processed with Errors
With the additional details, you know the parameters that were used to run the job and can be confident about which records were updated versus which have errors and need to be resolved.
Steps to Enable
You don't need to do anything to enable this feature.
Mass Edit Security Page Offers Separate Searches for Ineligible and Missing Authorizations
In the Mass Edit Security Assignment page, you can use filters to select records that need editing. Among them, a Missing or Ineligible User by Authorization filter has been separated in two:
- Missing Eligible Users or Groups by Authorization searches for records with no eligible users or groups with no eligible members for a specified authorization. For example, Control A has no eligible owner and the owner user group assigned to it has no eligible members.
- Ineligible Users or Groups by Authorization identifies records with at least one assigned user or group that is no longer eligible. For example, Control A has one eligible user and one ineligible user.

Mass Edit Security Assignment Filters
This feature will improve the ability to search for those records whose security assignments require updating.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Navigate to Risk Management > Data Security Administration, then click the Mass Edit Security tab.
Because this search enhancement is nuanced, it's important to understand how to use each filter.
- Missing Eligible Users or Groups by Authorization: Use this filter if you want to know which records don't have even one eligible user (owner, editor, or viewer). For example, select the viewer authorization if you want to know which records don't have any eligible viewers. This may be important if your policy is to have an executive viewer group assigned to all records so that their reports are complete and accurate.
- Ineligible Users or Groups by Authorization: Use this filter if you want to know which records have at least one ineligible user (owner, editor, or viewer). For example, select the owner authorization if you want to know which records are assigned any ineligible owners. Even if a record has one eligible owner but also has an ineligible owner, that record will be returned.
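The difference between the two filters can be modelled in a few lines. This is an added example, not Oracle code or the application's implementation: the record, user and group names are constructed, and it assumes a group counts as eligible when at least one member is eligible for the record, and that a record with nothing assigned for an authorization counts as missing.

```python
from dataclasses import dataclass, field

# Constructed sample data: user group name -> member user names.
GROUP_MEMBERS = {
    "SOX Owners": {"dlee", "mroy"},
    "Exec Viewers": {"cfo"},
}


@dataclass
class Record:
    name: str
    # Users currently eligible for this record (assumption: eligibility is per record).
    eligible_users: set
    # authorization ("owner", "editor", "viewer") -> directly assigned users
    users: dict = field(default_factory=dict)
    # authorization -> assigned user groups
    groups: dict = field(default_factory=dict)


def group_has_eligible_member(record, group):
    """A group grants access to a record only if some member is eligible for it."""
    return any(m in record.eligible_users for m in GROUP_MEMBERS.get(group, ()))


def assignee_status(record, authorization):
    """Map each assigned user or group for one authorization to True (eligible) or False."""
    status = {}
    for user in record.users.get(authorization, ()):
        status[f"user:{user}"] = user in record.eligible_users
    for group in record.groups.get(authorization, ()):
        status[f"group:{group}"] = group_has_eligible_member(record, group)
    return status


def missing_eligible(records, authorization):
    """Records with not even one eligible user or group for the authorization."""
    return [r.name for r in records
            if not any(assignee_status(r, authorization).values())]


def ineligible(records, authorization):
    """Records with at least one assigned user or group that is not eligible."""
    return [r.name for r in records
            if not all(assignee_status(r, authorization).values())]


# Constructed records covering the cases the two filters separate.
RECORDS = [
    # No eligible owner, and the owner group has no eligible members.
    Record("Control A", eligible_users={"asmith"},
           users={"owner": {"jdoe"}}, groups={"owner": {"SOX Owners"}}),
    # One eligible owner and one ineligible owner.
    Record("Control B", eligible_users={"asmith"},
           users={"owner": {"asmith", "jdoe"}}),
    # Every assigned owner is eligible (the group through member dlee).
    Record("Control C", eligible_users={"asmith", "dlee"},
           users={"owner": {"asmith"}}, groups={"owner": {"SOX Owners"}}),
    # No owner assigned at all; only a viewer group.
    Record("Control D", eligible_users={"cfo"},
           groups={"viewer": {"Exec Viewers"}}),
]

if __name__ == "__main__":
    for auth in ("owner", "viewer"):
        print(auth, "missing eligible:", missing_eligible(RECORDS, auth))
        print(auth, "has ineligible:  ", ineligible(RECORDS, auth))
```

Control A is returned by both filters, Control B only by the ineligible filter, and Control D only by the missing filter, which is why a clean result from one filter says nothing about the other.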
Ability to Use Drag and Drop for Uploading of Attachments
Users can now use drag and drop to upload attachments throughout the entire product suite. This is in addition to the existing capability to browse for files to upload; this capability will remain.

Drag and Drop Attachments
The ability to drag and drop files as attachments improves ease of use within the application.
Steps to Enable
You don't need to do anything to enable this feature.
Ability to Use REST API to Mass-Edit Incidents
A new REST API feature enables you to perform mass edit on incident results generated by an advanced control. The new API is advancedControlMassEditIncidents.
This feature will enable customers to use REST services to perform a mass edit of advanced control incidents.
Steps to Enable
Review the REST service definition in the REST API guides, available from the Oracle Help Center > your apps service area of interest > REST API. If you're new to Oracle's REST services you may want to begin with the Quick Start section.
Financial Reporting Compliance
Multiple changes to the data migration feature have been implemented:
- Flexfield validation has been applied. The flexfield values applied to the import template must match the value type selected during the creation of the flexfield.
- Risk analysis and evaluation records can no longer be imported.
- A new summary page displaying the status of the import job is included.
The new summary page provides a summary of what records have been imported successfully.

Import Data File Summary Page
These enhancements further streamline the data migration process, by providing additional data validation and an import data summary to state the number of records that loaded successfully.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Once the import data file process has begun, you can follow its progress within the Setup and Administration > Monitor Jobs page. If the import data file process finishes running but generates errors, you should contact Oracle Support to assist in resolving the cause. The Records Inserted Successfully value documents the records that were loaded successfully and which records must be imported into the application. Since the application commits the data systematically, you may need to export the successfully imported data and apply the system ID to the appropriate records.
Copy Feature Copies Security Assignment
By default, when the user copies an existing object record, the record is copied along with its security assignments. The user can use the current security assignment feature to change the default security.
The ability to copy a record and its security assignment provides the user a complete duplication of the record. This saves time entering metadata when the new record needs only a few modifications. From that point, the user can make the modifications necessary to define the new record.
Steps to Enable
You don't need to do anything to enable this feature.
Copy, Delete, Archive, and Filter Assessment Batches
Multiple enhancements improve the overall management of assessment batches and their assessment records. To use them, navigate to Assessments > Assessment Batches. Select an assessment batch record and expand the Actions menu. The actions available to you depend on the state of the batch you've selected.
- Copy assessment batches.
- Delete assessment batches.
- Archive assessment batches and the associated assessment records.
- Filter by perspectives as you assign assessment record security.
COPYING AN ASSESSMENT BATCH
You can copy an assessment batch if you are one of its owners. Here are the items you can copy:
- Defined details, except the name, description, due date, and survey name prefix when applicable. (The remaining assessment details are read only.)
- Selection criteria (read only).
- Perspective criteria (read only).
- Proposed records.
- Assessment batch security assignment.
- Assessment records security assignment.
If you need to change the assessment batch criteria, you must create a new assessment batch.
A copy of an assessment batch includes new object records that meet the assessment criteria. Object records that no longer meet the assessment batch criteria aren't included. The application flags those records, so you can quickly identify records that are no longer proposed to be assessed.

Proposed Records to Be Assessed
New proposed records appear at the top of the list of proposed records to be assessed, and they're not selected by default. In addition, the initial count of excluded records reflects the number of new records. To include any of these new records, you, as owner, must select them manually.
A new ineligible records count has been added. Click on that number to refresh the page so that it displays all records that are no longer eligible to be assessed.

Ineligible Records to Be Assessed
DELETING ASSESSMENT BATCHES
You can permanently delete an assessment batch, but only prior to its being initiated. You would select a batch whose state is New or Finalize Record Security, then select a delete option from the Actions menu. All associated assessment records and surveys are also deleted.

Assessment Batch Delete Action
CLOSING ASSESSMENT BATCHES
As an owner, you can close assessment batches once all assessment records are completed or canceled.
ARCHIVING ASSESSMENT BATCHES
As an owner, you can archive assessment batches and their assessment records. You would select a batch whose state is Closed or Canceled, then select an archive option from the Actions menu. Two additional assessment batch states have been implemented: Archived - Closed and Archived - Canceled. The state Archived - Closed means the assessment batch's previous state was Closed prior to archiving the assessment batch. The state Archived - Canceled means the assessment batch's previous state was Canceled prior to archiving the assessment batch. These additional states enable you to archive prior assessment batches and hide them from the default and saved searches.

Assessment Archive Action
FILTERING ASSESSMENT RECORDS
In the Assessment Records Security Assignment page, you can now filter records by the values of the perspectives you have selected for the assessment. This is in addition to the current filtering and sorting options, Name and Sort By. You can use only one filtering option at a time.

Filter by Perspective Name
The ability to copy a prior assessment batch streamlines the process to manage assessment batches. Owners of a prior assessment batch can copy the batch, and all scoping and assessment security assignments are copied. This eliminates the manual security assignment for the assessment records. Owners have the opportunity to update the assignment for any assessment record.
Allowing an assessment batch to be closed only at that point enforces that all required assessment records within the batch have been completed.
The addition of two actions, Delete and Archive, enables better management of assessment batches.
Often assessment batches include an array of object records requiring specific user authorization, which is often derived from the relationship to a perspective. With the ability to filter by perspective name, the owner can quickly filter groups of records and assign the appropriate assessment authorization.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
- When you create a copy of a prior assessment batch, consider that the copy feature will copy the prior assessment batch's security authorization.
- Consider documenting an archiving schedule procedure for prior assessments to enable users to leverage default state filtering parameters on assessment pages. If you exclude assessments at the two archived states, these will not render.
- The delete assessment batch feature enables you to remove any unwanted batches. Therefore, ensure the assessment batch is warranted prior to initiating the batch.
- To close an assessment batch when some assessments are not yet complete, cancel the incomplete assessments in the batch. Once that is done, completion will be 100% and you can proceed with closing the assessment batch.
Ability to Send Email Reminders
Owners can send email reminders for objects at any state other than draft or closed.
- Surveys: Email is sent to all survey participants who haven't submitted their survey responses. Owners simply navigate to the Surveys > Surveys (tab) > select the survey > Actions > Send Email Reminder.
- Assessments: Email is sent to all assessment actors who have outstanding tasks to complete, for example complete, review, or approve an assessment task. Owners simply navigate to Assessments > Assessment Batches > select the assessment batch > Actions > Send Email Reminder.
- Issues: Email is sent to all authorized users who can take action on an active issue. Owners simply navigate to Issues > Issues (tab) > Issue Details > Actions > Send Email Reminder. The owner does not need to drill into the record, but can also send an email reminder by navigating to Issues > Issues (tab) > select the issue > Actions > Send Email Reminder.
- Remediation Plans: Email is sent to all authorized users who can take action on an active remediation plan. Owners simply navigate to Issues > Remediation Plans (tab) > Remediation Plan Details > Actions > Send Email Reminder. The owner does not need to drill into the record, but can also send an email reminder by navigating to Issues > Remediation Plans > select the remediation plan > Actions > Send Email Reminder.
By default each message has predefined subject and body content. The owner can update both of these prior to the email being sent. The email also provides a direct link to the task that needs to be completed. The state of a record does not impact the predefined subject or body content of the email message. The email content is based on the object type: survey, assessment, issue, or remediation plan.

Example Email Reminder for an Active Survey
Often the owner of a task must send email reminders for those tasks to be completed. The email reminder feature provides a simple way to generate those reminders.
Steps to Enable
You don't need to do anything to enable this feature.
New and Updated Delivered Model Content
Oracle delivers three new models to detect separation-of-duties conflicts.
NEW MODELS
- 6925: Enter Journals and Post Journal Entry and Manage Accounting Period Statuses for General Ledger
- 6926: Enter Journals and Post Journal Entry and Manage Journal Sources
- 6927: Enter Journals and Post Journal Entry and Setup General Ledgers
REVISED ENTITLEMENT
- Manage Worker
The privilege Manage Data Exchange Work Area has been removed from the Manage Worker entitlement. The Manage Data Exchange Work Area privilege just provides a list of tasks that could be accessed directly by quick actions, but in itself provides benign access. Because this is removed from content, extraneous incidents will no longer be identified (and any existing incidents for this privilege will be closed if you choose to update your existing entitlement to remove this privilege).
Affected Models
- 4056: Manage Worker and Manage Payroll
- 4057: Manage Worker and Manage Payroll Batch Processes
- 4058: Manage Worker and Manage Payroll Costing
- 4070: Manage Worker and Manage Compensation
- 4075: Manage Worker and Manage Time and Labor
The content library is continually reviewed by experts in relevant business areas to provide the most accurate and comprehensive SoD and sensitive access control definitions. Consider uptaking these new models and entitlement changes based on your business requirements.
Steps to Enable
You don't need to do anything to enable this feature.
Removed Some Access Condition Attributes
In its Important Actions and Considerations section, the What's New document for 20D gave a heads-up. The following attributes of the Access Condition Business Object were not supported, and would be removed in a future release: Country, Department, Legal Employer, and Location. In 21B, they have been removed. (The 20D document also said the Reference Data Set attribute would be removed, but it has been retained for now.)
Now, a more accurate list of attributes is available for use.
Steps to Enable
You don't need to do anything to enable this feature.
Added Exclusions for Procurement Agent Actions
For certain privileges to grant functional access, a user must be granted both the privilege and a corresponding "action" as a "procurement agent" for a business unit. For example, a person may be set up as a procurement agent, but unless granted the privilege to "Change Supplier Site" and the action to "Manage Purchase Orders," that person will not be able to transact for that privilege. Advanced Access Controls automatically excludes privileges related to actions a procurement agent has not been granted access to perform. Twenty additional privileges are now excluded during analysis if not granted via a procurement agent. If the actions corresponding to these privileges are not set to allowed for that procurement agent, then no incident will be generated.
| Action | Access Point |
|---|---|
| Manage Purchase Agreements | Freeze Purchase Agreement |
| Manage Purchase Agreements | Hold Purchase Agreement |
| Manage Purchase Agreements | Finally Close Purchase Agreement |
| Manage Purchase Agreements | Cancel Purchase Agreement |
| Manage Purchase Agreements | Acknowledge Purchase Agreement |
| Manage Purchase Agreements | Create Blanket Purchase Agreement Line from Catalog |
| Manage Purchase Agreements | Transfer Blanket Purchase Agreement to Catalog Administrator |
| Manage Purchase Agreements | Transfer Blanket Purchase Agreement to Supplier |
| Manage Purchase Orders | Acknowledge Purchase Order |
| Manage Purchase Orders | Hold Purchase Order |
| Manage Purchase Orders | Finally Close Purchase Order |
| Manage Purchase Orders | Freeze Purchase Order |
| Manage Purchase Orders | Cancel Purchase Order |
| Manage Purchase Orders | Cancel Purchase Order as Procurement Requester |
| Manage Purchase Orders | Close Purchase Order |
| Manage Purchase Orders | Reassign Purchasing Document |
| Manage Purchase Orders | Purge Purchasing Document Open Interface |
| Manage Purchase Orders | Change Supplier Site |
| Manage Purchase Orders | Create Purchase Order Line from Catalog |
| Manage Purchase Orders | Change Purchase Order Line Negotiated Indicator |
In the example below, because Manage Purchase Agreements is not granted, even if a user has a role with the Freeze Purchase Agreement functional privilege an incident will not be generated because the user isn't actually allowed to use that functionality.
Procurement Agent Actions
These automatic exclusions minimize false positives by only returning incidents for privileges a user has the ability to perform.
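The exclusion rule described above can be sketched as a filter applied before conflict analysis. This is an added example, not Oracle code: the privilege-to-action mapping is taken from the table above, while the two-entitlement model, the function names, and the simplification to a single business unit are assumptions made for illustration. Privileges outside the twenty listed are passed through unchanged because this sketch models only those exclusions.

```python
from itertools import product

# Access points from the table above, grouped by the procurement agent
# action each one depends on.
AGREEMENT_PRIVILEGES = [
    "Freeze Purchase Agreement",
    "Hold Purchase Agreement",
    "Finally Close Purchase Agreement",
    "Cancel Purchase Agreement",
    "Acknowledge Purchase Agreement",
    "Create Blanket Purchase Agreement Line from Catalog",
    "Transfer Blanket Purchase Agreement to Catalog Administrator",
    "Transfer Blanket Purchase Agreement to Supplier",
]
ORDER_PRIVILEGES = [
    "Acknowledge Purchase Order",
    "Hold Purchase Order",
    "Finally Close Purchase Order",
    "Freeze Purchase Order",
    "Cancel Purchase Order",
    "Cancel Purchase Order as Procurement Requester",
    "Close Purchase Order",
    "Reassign Purchasing Document",
    "Purge Purchasing Document Open Interface",
    "Change Supplier Site",
    "Create Purchase Order Line from Catalog",
    "Change Purchase Order Line Negotiated Indicator",
]
REQUIRED_ACTION = {p: "Manage Purchase Agreements" for p in AGREEMENT_PRIVILEGES}
REQUIRED_ACTION.update({p: "Manage Purchase Orders" for p in ORDER_PRIVILEGES})


def effective_access_points(privileges, allowed_actions):
    """Drop privileges whose procurement agent action is not allowed for the user.

    allowed_actions: actions set to allowed for the user as a procurement
    agent (assumption: one business unit; empty set if not an agent).
    """
    kept = set()
    for privilege in privileges:
        action = REQUIRED_ACTION.get(privilege)
        if action is None or action in allowed_actions:
            kept.add(privilege)
    return kept


def find_incidents(privileges, allowed_actions, model):
    """Return conflicting access point combinations, one per incident.

    model: list of entitlements (sets of access points); a conflict exists
    when the user can actually use an access point from every entitlement.
    """
    effective = effective_access_points(privileges, allowed_actions)
    matches = [sorted(effective & entitlement) for entitlement in model]
    if not all(matches):
        return []
    return list(product(*matches))


# Constructed two-entitlement model for illustration; not a delivered model.
SAMPLE_MODEL = [
    {"Freeze Purchase Agreement", "Cancel Purchase Agreement"},
    {"Change Supplier Site"},
]

if __name__ == "__main__":
    role_privileges = {"Freeze Purchase Agreement", "Change Supplier Site"}
    # Manage Purchase Agreements not granted: the freeze privilege is excluded.
    print(find_incidents(role_privileges, {"Manage Purchase Orders"}, SAMPLE_MODEL))
    # Both actions allowed: the conflict is reported.
    print(find_incidents(
        role_privileges,
        {"Manage Purchase Orders", "Manage Purchase Agreements"},
        SAMPLE_MODEL,
    ))
```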
Steps to Enable
You don't need to do anything to enable this feature.
Result Records Now Include Role Codes
Job roles and duty roles can have display names that are not unique. When one of these names appears in a model result or a control incident, it's difficult to know which role is referenced. The unique role code is now available in a new column called Incident Information Codes.
Below is an example of the new column in the model result page.
Incident Information Codes Column
Now it is quicker to determine the unique role that has been identified. Previously, you had to go to the visualization graph to determine the role code.
Steps to Enable
You don't need to do anything to enable this feature.
Ability to Autogenerate Provisioning Rules
As roles are created in the Security Console, advanced-control provisioning rules analyze them for potential separation-of-duty issues. In addition to creating provisioning rules manually, you can also generate them automatically, based on active access controls. Although manual and autogenerated rules can coexist, you can distinguish them easily, because the Provisioning Rules page groups them in distinct regions.

Autogenerate Provisioning Rules
When creating or editing a job or duty role, a person may want to see if the access granted by the role would cause separation-of-duty violations. In the past, conflicting-role rules (i.e., provisioning rules) could be created only manually. In many cases this led to a duplication of efforts. Since the organization most likely already deployed advanced access controls, it has already determined how the conflicting access should be defined, and would like the application to generate the conflicting-role rules based on those definitions.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Navigation: Risk Management > Advanced Controls > Provisioning Rules
Autogenerated provisioning rules are based on access controls that are active at the time the autogeneration job is run. The list of these controls can change over time. So can the access points included in the entitlements used by these controls. So users should plan to run the job on a periodic basis.
Mass Edit Security for Results
You can now mass-edit security for incidents you own no matter how you select them. Previously, an owner could mass-edit security for a full or filtered list of incidents generated by a control, but not for incidents selected from that list. (Note, though, that a list of incidents may include some you own, some for which you're editor, and some for which you're viewer. It remains true that you can mass-edit security only for those you own, you can mass-edit other details only for those for which you're an owner or editor, and you can't mass-edit those for which you're a viewer.)
Now the radio button to mass-edit security settings is available even if you select incidents individually.

Select Incidents
Mass Edit Security
With this enhancement, specific record selections can be made for security updates.
Steps to Enable
You don't need to do anything to enable this feature.
Limit Ability to Purge Control Incident Results to Control Owners
You can purge incident results generated by a control only if you are an owner of the control.
This feature prevents users who are not the designated owners of a control from purging incidents related to those controls.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Control owners are responsible for maintaining the incidents generated from controls that are relied on for the duration of the corporate retention policies.
Certification Attachments Supported
You can now use the Firefox browser to add attachments in the certifier worksheet.
This feature provides the user with different browser options.
Steps to Enable
You don't need to do anything to enable this feature.
Changes Are Made to Business Objects
In this release there are additions and updates to business object attributes.
NEW BUSINESS OBJECT ATTRIBUTES
The Expense Report Information business object was updated to add the following attribute:
- Report Creation Method
The Purchase Order business object was updated to add the following attribute:
- Requisition Distribution ID
The Requisition business object was updated to add and rename the following attributes:
- Line: Agreement ID
- Line: Blanket PO Line Number was renamed to Line: Agreement Line ID
The Audit - Person Allocated Checklist business object was updated to add the following attributes:
- AssignmentId
- BackgroundImageUrl Old
- BackgroundImageUrl New
The Audit - Supplier business object was updated to add the following attributes:
- Alternate Name Deleted Old
- Alternate Name Deleted New
- Alias Deleted Old
- Alias Deleted New
ATTRIBUTE NAME CHANGES
Business objects have attributes that correspond to various business areas such as Expenses, Procurement, General Ledger and so on. In an effort to align the attribute labels shown in the Advanced Financial Controls business objects to labels defined in the corresponding application pages, several are updated.
| Business Object | Old Attribute Name | New Attribute Name |
|---|---|---|
| Audit - Document Records | DocumentsOfRecordId | Document Record ID |
| Audit - Document Records | DocumentsOfRecordId Old | Document Record ID Old |
| Audit - Document Records | DocumentsOfRecordId New | Document Record ID New |
| Audit - Document Records | PersonId Old | Person ID Old |
| Audit - Document Records | PersonId New | Person ID New |
| Audit - Document Records | PublishDate Old | Publish Date Old |
| Audit - Document Records | PublishDate New | Publish Date New |
| Audit - Document Records | AssignmentId Old | Business Title Old |
| Audit - Document Records | AssignmentId New | Business Title New |
| Audit - Person Other Communication Methods | CommDlvryFkId Old | Account Name Old |
| Audit - Person Other Communication Methods | CommDlvryFkId New | Account Name New |
BUSINESS OBJECT NAME CHANGES
A couple of business object names have also changed, and they include:
- Audit - Assignment Eligible Job was renamed to: Audit - Worker Assignment Eligible Job
- Audit - Seniority Date was renamed to: Audit - Worker Seniority Date
Updates to business objects provide additional attribute criteria for your controls, and those updated for audit maintain alignment to Manage Audit Policies data source.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
For renamed attributes and business objects, you don't need to do anything to models or controls that reference these names. Just be aware they have changed.
Mass Edit Security for Results
You can now mass-edit security for incidents you own no matter how you select them. Previously, an owner could mass-edit security for a full or filtered list of incidents generated by a control, but not for incidents selected from that list. (Note, though, that a list of incidents may include some you own, some for which you're editor, and some for which you're viewer. It remains true that you can mass-edit security only for those you own, you can mass-edit other details only for those for which you're an owner or editor, and you can't mass-edit those for which you're a viewer.)
Now the radio button to mass-edit security settings is available even if you select incidents individually.

Select Incidents
Mass Edit Security
With this enhancement, specific record selections can be made for security updates.
Steps to Enable
You don't need to do anything to enable this feature.
Limit Ability to Purge Control Incident Results to Control Owners
You can purge incident results generated by a control only if you are an owner of the control.
This feature prevents users who are not the designated owners of a control from purging incidents related to those controls.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Control owners are responsible for maintaining the incidents generated from controls that are relied on for the duration of the corporate retention policies.
Transactional Business Intelligence for Risk Management
Two dimensions have been added to Risk Management Cloud - Assessment Results Real Time subject area:
- Issue Details
- Remediation
Additional attributes have been applied to the Risk Management Cloud - Assessment Results Real Time subject area:
Control Test Plan Results:
- Collected Size
- Sample Size
Survey Details:
- Object Name
- Component Type
- You can now report on the combination of Question Response Comment value, Question Responses, and Respondent.
Additional attributes have been applied to the Risk Management Cloud - Compliance Real Time subject area:
Risk Analysis:
- Evaluation Risk Criteria Rating
The additional dimensions will enable users to create reports to view issues and remediation plans, specifically rendering issues created during an assessment.
Steps to Enable
You don't need to do anything to enable this feature.
IMPORTANT Actions and Considerations
FINANCIAL REPORTING COMPLIANCE
Update Custom Roles
In release 21A, a new capability was introduced: the owner of a record can use Mass Edit Security Assignment to add, remove, or append multiple individuals or user groups. But if you use Financial Reporting Compliance, this new capability requires a new View Monitor Jobs privilege. If you've customized any of the following duty roles, you must add the privilege to them. All the duty roles belong to the Risk Activities Manager job role. Predefined duty roles are updated automatically.
- Control Assessment Manager Duty
- Control Assessor Duty
- Control Manager Duty
- Issue Manager Duty
- Process Assessment Manager Duty
- Process Assessor Duty
- Process Manager Duty
- Remediation Plan Manager Duty
- Risk Assessment Manager Duty
- Risk Assessor Duty
- Risk Manager Duty
FYI Notifications Will Not Be Sent
FYI notifications will no longer be sent during workflow, or in the event a record or task has been terminated. This includes the following objects:
- Process
- Risk
- Risk Analysis
- Risk Evaluation
- Risk Consequence
- Risk Event
- Control
- Issue
- Remediation Plan
- Assessment
- Survey
ADVANCED FINANCIAL CONTROLS
Model Content
Due to changes in several relationships between business objects used in model 30002: Duplicate Suppliers and Sites, it may return inconsistent results. An update to the delivered model will be provided in a future release. Prior to its delivery, if you require information on the updated model, contact Oracle Support.