Sie sind auf Seite 1von 8

Oracle ® Enterprise Governance, Risk and Compliance

Release Notes Release 8.6.5.9500 Part No. E66309-02

Oracle ® Enterprise Governance, Risk and Compliance Release Notes Release 8.6.5.9500 Part No. E66309-02 September 2015

September 2015

Oracle Enterprise Governance, Risk and Compliance Release Notes

Part No. E66309-02

Copyright © 2015 Oracle Corporation and/or its affiliates. All rights reserved.

Primary Author: David Christie

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable.

U.S. GOVERNMENT RIGHTS

Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are commercial computer softwareor commercial technical datapursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

The software and documentation may provide access to or information on content, products and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third party content, products and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third party content, products or services.

Release Notes

Contents

Oracle Database 12 c Support

1-1

Resolved Issues

1-1

Known Issue

1-3

Documentation

1-3

Installation

1-4

Release Notes

Oracle Enterprise Governance, Risk and Compliance (GRC) is a set of components that regulate activity in business-management applications:

Oracle Application Access Controls Governor (AACG) and Oracle Enterprise Transaction Controls Governor (ETCG) enable users to create models and continuous controls.These uncover segregation of duties (SOD) conflicts and transaction risk within business applications. AACG and ETCG belong to a set of applications known collectively as Oracle Advanced Controls.

Oracle Enterprise Governance, Risk and Compliance Manager (EGRCM) forms a documentary record of a companys strategy for addressing risk and comply- ing with regulatory requirements. Users can define business processes, risks that impact those processes, and controls that address the risks.

Fusion GRC Intelligence (GRCI) provides dashboards and reports that present summary and detailed views of data generated in EGRCM, AACG, and ETCG.

These GRC components run as modules in a shared platform. AACG and ETCG run as a Continuous Control Monitoring (CCM) module. EGRCM provides a Financial Governance module by default, and users may create custom EGRCM modules to address other areas of the companys business. A customer may license only EGRCM, only AACG, or only ETCG; any combination of them; or all of them.

Oracle Database 12 c Support

With version 8.6.5.9500, GRC is certified for use with Oracle Database 12c. (This resolves issue 20010751.)

Resolved Issues

Version 8.6.5.9500 resolves issues in which the interaction of several components produced unexpected results. These components are AACG preventive analysis, AACG global conditions, and multi-org access control (MOAC) in Oracle E- Business Suite Release 12.

AACG analysis may be “preventive,” meaning that access controls uncover SOD conflicts at the moment a person is assigned new access. Depending on how a con- trol is configured, preventive analysis may suspend access pending approval. Sus- pended provisioning requests are listed for review in a Manage Access Approvals page.

An AACG global condition is a set of filters that select records to be exempted from SOD analysis by all access models or controls evaluated on a given datasource. Each filter selects records in which the value of a specified “attribute” meets a specified requirement, for example that Operating Unit (the attribute) equals a specific name (the requirement). The resolved issues all involve “within same” attributes, which focus analysis on conflicts either only within, or only across, individual items such as operating units.

MOAC enables Oracle EBS users to access multiple operating units within a single responsibility. Security profiles define the scope of access.

Preventive analysis returned unexpected results in these circumstances:

Issue 21100851: A provisioning request was for access to two responsibilities, each was associated with a distinct security profile, and a global condition using the “Within Same MO: Security Profile” attribute was in force.

Issue 21096153: A provisioning request was for access to two responsibilities, each was associated with a distinct operating unit (designated by a distinct secu- rity profile), and a global condition using the “Within Same Operating Unit” attribute was in force.

Issue 21094518: A provisioning request was for access to two responsibilities, each was associated with a distinct ledger (designated by a distinct security pro- file), and a global condition using the “Within Same Ledger/Set of Books” attribute was in force.

Version 8.6.5.9500 also resolves the following issues:

Issue 21883530: AACG failed to recognize exclusions configured in Oracle E- Business Suite. For example, when an exclusion for a submenu was created in Oracle E-Business Suite, AACG continued to generate an incident for a func- tion available from the excluded submenu. See “Installation,” page 1-4.

Issue 21385136: Control analysis produced a “Cannot Create Transaction” exception in the GRC log file. This error occurred as an access control was processed under certain conditions.

Issue 21242272: Version 8.6.5.9500 supports the ability to process an increased volume of approval requests generated by preventive analysis.

Issue 20982521: If an AACG preventive analysis job was initiated while an AACG control analysis job was running, neither job ran to completion.

Issue 20937011: An attempt to upgrade GRC from version 8.6.4.7000 (build 7181) to 8.6.5.1000 (build 1616) produced the following error: ORA-01452:

cannot CREATE UNIQUE INDEX; duplicate keys foundon index GRC_ISSU_ CTRL_H_XREF_U1. This occurred when an EGRCM issue was linked both to a control and to a control assessment.

Issue 20673473: If an EGRCM assessment was saved, then reopened, an attempt to work with it or submit it generated an error.

Issue 20361775: The status of an incident (a record of a CCM control violation) is Authorized if its control triggered a provisioning request during preventive analysis, the request was approved, and the control was subsequently run. If the request resulted in access being granted to a responsibility, later that access reached its end date, and the control was run again, status of the incident should have changed to Closed. Instead, it remained Authorized.

Issue 19904927: An attempt to edit a draft EGRCM assessment generated an error.

Issue 19646780: A perspective is a set of related, hierarchically organized values. GRC users can assign individual perspective values to individual GRC objects, establishing a context in which objects exist.

As one step in initiating an assessment, a user specifies selection criteria (which may include perspective values that match values assigned to assessable objects), then selects a Generate option in a Components page.

If a perspective value was associated with a process, a distinct value was associated with a control, and selection criteria for the assessment of a control included either value, then the Generate option fetched the control. It should have fetched the control only if selection criteria included the one value assigned to the control.

Issue 16887266: From a Manage Jobs page, a user could not cancel a CCM control-analysis job while it was in progress. Version 8.6.5.9500 restores this capability.

Known Issue

The following issue is known to exist in version 8.6.5.9500 of GRC, and will be addressed in a future release.

Issue 21645758: If a user creates an assessment from the Assessment tab of the Manage page for a process, risk, or control, then navigates from that page to the object Overview page, the application displays error messages. After clearing the error messages, the user can continue working as if the errors had not occurred. Or, to avoid the errors, the user can navigate to the Overview page via another path.

Documentation

Documentation written expressly for release 8.6.5.9500 of GRC includes these Release Notes and an Installation Guide (part number E66310-02). Otherwise, doc- uments written for GRC release 8.6.5.1000 (as well as Release Notes for 8.6.5.2000 through 8.6.5.8000) apply also to release 8.6.5.9500. Documents include user guides for GRC itself as well as AAGC, ETCG, EGRCM, and GRCI; and implementation guides for GRC security, AACG, ETCG, and EGRCM. These documents are avail- able on Oracle Technology Network at http://www.oracle.com/technetwork.

Installation

You can install GRC 8.6.5.9500 only as an upgrade from version 8.6.5.8000. Be sure to back up the transaction ETL repository and GRC schema from your earlier version before you upgrade to 8.6.5.9500.

Issue 21883530 was indentified in an original release of GRC 8.6.5.9500. The cur- rent 8.6.5.9500 release fixes that issue and replaces the original 8.6.5.9500 release. If you applied the original 8.6.5.9500 patch, you must roll back your environment and install the newer 8.6.5.9500 patch.

If you use CCM, after you upgrade you must complete the following procedures in the order indicated:

Perform access synchronization on all datasources used for AACG analysis. (Ordinary synchronization updates GRC with data for records that are new or have been changed since the previous synchronization job.)

Perform a graph rebuild on all datasources used for ETCG analysis. (A graph rebuild is a comprehensive form of synchronization. Available only to ETCG, it discards existing data and imports all records for all business objects used in all existing ETCG models and controls.)

Run all controls that compile data for user-defined objects (controls for which the result type is Dataset).

Run all models and all controls that generate incidents (controls for which the result type is Incidents).

Note: You may be upgrading through several releases (for example, from version 8.6.5.7000 to 8.6.5.8000 to 8.6.5.9500). If so, synchronize access data, rebuild the graph for transaction data, and run controls and models only once, after the final upgrade is complete.

As you install GRC 8.6.5.9500, you will use a file called grc.ear (if you run GRC with WebLogic) or grc.war (if you run GRC with Tomcat Application Server). You will be directed to validate the file by generating a checksum value, and comparing it with a value published in these Release Notes.

Your checksum value should match one of the following:

grc.ear: eec15ec8 fcd951bb834d09a6ebc5f165

grc.war: 271e43128b9ae0a6df32764ab7146df5

For more information, see the Enterprise Governance, Risk and Compliance Installation Guide.