Oracle Governance, Risk and Compliance: User Guide Release 8.6.4.3000
Part No. E36191-02
September 2012
Oracle Enterprise Governance, Risk and Compliance Controls User Guide
Copyright © 2012 Oracle Corporation and/or its affiliates. All rights reserved.
Primary Author: David Christie
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of
their respective owners.
The software and related documentation are provided under a license agreement containing restrictions on use
and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license
agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit,
distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering,
disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of
the U.S. Government, the following notice is applicable.
1 Introduction
    Suggested Limits
    GRC and Language
    Navigation
    Home Page
    Setting User Preferences
2 Perspective Management
    Viewing Perspective Hierarchies
    Managing Perspective Hierarchies
    Using the Create Hierarchy Page
        Set Details
        Create a Root Node
        Create Other Nodes
        Define the Hierarchy
        Save or Submit Your Work
    Using the Edit Perspective Hierarchy Page
3 Security Management
    Managing Roles
        Creating Duty Roles
        Creating Data Roles
        Creating Job Roles and Job Duty Roles
        Editing or Copying a Role
    Managing Users
        Creating User Accounts
        Editing or Copying User Accounts
        Unlocking User Accounts
        Importing Users from an LDAP Repository
4 Reporting
    Running Reports
    Managing Report Parameters
    Reviewing Scheduled Reports
5 Application Configuration Management
    GRC Properties
    Worklist Values
    Setting Security Values
    Analytics
    User Integration
    Configuring Notifications
    Purging Incidents
6 Application Datasources and Libraries
    Configuring Datasources
    Synchronizing Data
    Uploading Business Objects
    Uploading Patterns
    Uploading Connectors
7 Other Setup Options
    Managing Lookup Tables
    Managing Content Types
    Managing Installation Options
    Managing Assessment Results
    Managing URL Repositories
8 Module Management
    Managing Modules
    Configuring Module Objects
Preface
This Preface introduces the guides and other information sources available to help
you more effectively use Oracle Fusion Applications.
An Oracle Governance, Risk and Compliance (GRC) platform hosts two products
— Oracle Enterprise Governance, Risk and Compliance Controls (EGRCC) and
Oracle Enterprise Governance, Risk and Compliance Manager (EGRCM). EGRCC,
in turn, consists of two subsidiary products, Application Access Controls Governor
(AACG) and Enterprise Transaction Controls Governor (ETCG).
The GRC platform runs modules. “Financial Governance” is the name of an EGRCM
module, and users may create other EGRCM modules. “Continuous Control Monitoring”
(CCM) is the name of the module in which EGRCC runs. (Moreover, GRC
“Tools” offer functionality used by both EGRCM and EGRCC.)
For each of EGRCM, AACG, and ETCG, a product-specific user guide addresses
features particular to the product.
This Governance, Risk and Compliance User Guide covers most functionality common
to EGRCM and EGRCC (although the Governance, Risk and Compliance Installation
Guide covers some setup and administration topics). Refer to these guides as
well as the appropriate product-specific user guide as you use a GRC product.
Additionally, implementation guides discuss concepts you should consider as you
set up GRC products for use. One implementation guide exists for each of AACG,
ETCG, and EGRCM, and a distinct implementation guide covers GRC security.
Consult these documents as you initiate GRC processing.
Disclaimer
The information contained in this document is intended to outline our general
product direction and is for informational sharing purposes only, and should be
considered in your capacity as a customer advisory board member or pursuant to
your beta trial agreement only. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described in this
document remains at the sole discretion of Oracle. This document in any form,
software or printed matter, contains proprietary information that is the exclusive
property of Oracle. Your access to and use of this confidential material is subject to
the terms and conditions of your Oracle software license and service agreement,
which has been executed and with which you agree to comply. This document and
information contained herein may not be disclosed, copied, reproduced or
distributed to anyone outside Oracle without prior written consent of Oracle. This
document is not part of your license agreement nor can it be incorporated into any
contractual agreement with Oracle or its subsidiaries or affiliates.
My Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For
information, visit http://www.oracle.com/support/contact.html or visit
http://www.oracle.com/accessibility/support.html if you are hearing impaired.
Use the My Oracle Support Knowledge Browser to find documents for a product area.
You can search for release-specific information, such as patches, alerts, white papers,
and troubleshooting tips. Other services include health checks, guided lifecycle advice,
and direct contact with industry experts through the My Oracle Support Community.
Documentation Accessibility
For information about Oracle’s commitment to accessibility, visit the Oracle
Accessibility Program website at http://www.oracle.com/us/corporate/accessibility/index.html.
Oracle Governance, Risk and Compliance (GRC) is a set of components that regulate
activity in business-management applications:
• Oracle Enterprise Governance, Risk and Compliance Controls (EGRCC) comprises
two elements, Application Access Controls Governor (AACG) and Enterprise
Transaction Controls Governor (ETCG). These enable users to create models
and controls and to run them within business applications to uncover and resolve
segregation of duties violations and transaction risk.
• Oracle Enterprise Governance, Risk and Compliance Manager (EGRCM) forms
a documentary record of a company’s strategy for addressing risk and complying
with regulatory requirements. It enables users to define risks to the company’s
business, controls to mitigate those risks, and other objects, such as business
processes in which risks and controls apply.
• Fusion GRC Intelligence (GRCI) provides dashboards and reports that present
summary and detailed views of data generated in EGRCM and EGRCC.
GRC components run as modules in a shared platform. EGRCC runs as a Continuous
Control Monitoring (CCM) module. EGRCM provides a Financial Governance
module by default, and users may create other EGRCM modules to address other
areas of the company’s business.
Because these components share a common platform, they also share some functionality.
This User Guide documents these shared features:
• Perspective management. A perspective is a set of related values. Users can
associate individual perspective values with individual objects (such as risks,
models, or controls). Perspectives can serve as filtering values in reports or in
the pages in which users manage objects, but they also play an important role in
GRC security.
• Security management. Users are assigned job roles, which consist of duty roles
and data roles. These provide a granular, flexible means of safeguarding access
to GRC functionality and data.
• Reporting. Apart from the reports and dashboards provided by GRCI (if it is
implemented), a Report Management option displays a variety of reports on
EGRCC and EGRCM activity.
• Application setup. Although many GRC setup tasks are completed during installation,
administrators can set language, security, notification, and other values at
any time. (Some setup tasks, such as connecting to “datasources,” are specific to
EGRCC. Others, such as creating “lookup” entries or “content types,” are specific
to EGRCM. Nevertheless, these component-specific setup tasks are discussed
in this User Guide.)
• Module management. Most module-management features pertain specifically to
EGRCM, because it alone enables users to create modules other than those delivered
with the product. However, aspects of module management — managing
module perspectives and data migration — are common to EGRCC and
EGRCM.
• Jobs and scheduling. Users can schedule and manage background tasks such as
updating a “data analytics schema,” evaluating EGRCC continuous controls,
exporting results, or generating reports.
Suggested Limits
GRC performs optimally if you observe the following restrictions on objects you
can create. The following lists include objects discussed in this manual, as well as in
user guides for Application Access Controls Governor, Enterprise Transaction Controls
Governor, and Enterprise Governance, Risk and Compliance Manager.
In GRC as a whole, the following are suggested maximum amounts:
• Perspectives: Fifteen per application, of which no more than five are for security
(excluding system perspectives).
• Perspective depth: Eight levels.
• Perspective nodes: Ten thousand.
• Perspective nodes per record: Fifteen.
• Attachment size: Ten megabytes. (Attachments are files that may be associated
with perspectives, EGRCC incidents, and EGRCM objects.)
• Description field length: Ten thousand characters.
In EGRCM, the following are suggested maximum amounts:
• Custom modules: Three.
• User defined attributes: Twenty per module object.
In EGRCC, the following are suggested maximum amounts:
• Entitlements per control: Two (AACG).
• Access points per entitlement: Fifteen (AACG).
• Business objects per control: Five (ETCG).
• Global path conditions per datasource: Thirty (AACG).
• CCM Result Management page: Optimize for 10,000 or fewer rows.
• Datasources per control: Two.
Navigation
Click on a Navigator link near the upper left of any GRC page to display links to
work areas you can use. The links you see depend on the rights granted to you by
your roles. A Tools list provides access to features shared by EGRCC and EGRCM,
and features in this list are the focus of this User Guide.
(Additionally, a Financial Governance list offers links to pages in which users can
manage objects within that EGRCM module; a comparable list appears for each
custom EGRCM module. A Continuous Monitoring list offers links to EGRCC
features.)
If the Navigator contains three or fewer modules, the links you can select are visible;
simply click on one to navigate to a feature you want to use. If the Navigator contains
four or more modules, they are “collapsed”; only the module names are visible.
Click on the icon next to a module name to display its links (and then click on a link
to navigate to a feature you want to use).
Home Page
Your home page (the one that opens when you log on to GRC) contains several
listings of tasks that await your attention — worklists, notifications, and a watchlist.
• A worklist is both a record of a task that has been assigned to you and a link to
the GRC page on which you can complete the task.
To view your worklists, select the Worklists tab in the Pending Activities area
of your home page. You can search for worklist entries. Each of the standard
search fields assumes a “Starts With” operator — the search returns all values
starting with the text you enter. You can select an Advanced search to use other
search operators.
• A notification is a record of a task in which you have an interest, but for which
no action is required from you. Like a worklist, a notification is also a link to
the page on which the task has been undertaken. To view your notifications,
select the Notifications tab in the Pending Activities area of your home page or
any object overview page. You can search for notifications in the same way you
search for worklists.
• The watchlist is a summary of your worklist entries, categorized by module and,
within each module, by activity type. You can expand or collapse sets of watchlist
entries so that you can focus only on a particular set. The watchlist appears
near the upper left corner of your home page.
If your EGRCM instance includes Oracle Fusion GRC Intelligence (GRCI), and if
your roles give you access to GRCI, your home page also includes an Intelligence
tab. Click on it to view GRCI dashboards and reports.
To return to the home page from any other page in EGRCM, click on the Home link
near the upper right of any page.
2
Perspective Management
A perspective defines a context in which objects exist. That context may be organization,
region, regulatory code, or any other concept the company determines to be
meaningful. Each perspective is a set of related values. The values are hierarchical
— they have parent/child relationships to one another. Users associate individual
values with individual objects, in effect cataloging them. In EGRCM, these objects
include processes, other base objects, risks, and controls. In EGRCC, they include
models, continuous controls, and incidents.
For example, an Organization perspective might contain values that map the structure
of your company. Divisions, for instance, might be immediate children of the
organization; each division might be the parent of a set of operating units; and so
on. This would enable users to associate individual risks, controls, or other objects
with the divisions, units, or other corporate entities to which they apply.
Perspectives also play a part in GRC security. Users are assigned job roles, which
contain duty roles that define functionality available to users, and data roles that define
sets of data available to users. A data role may be associated with a perspective
value, and if so would grant access only to data concerning objects associated with
that perspective value. To use the Organization example, a data role might be associated
with the perspective value for a specific operating unit within a particular
division. That role would grant access only to data pertaining to that operating unit.
In EGRCC, perspectives also help determine which users resolve incidents generated
by continuous controls. As a continuous control is created, perspective values
are assigned to it. A user can review its incidents if his job role contains a data role
associated with perspective values that match values assigned to the control. (The
job role would also need to contain a duty role with the privilege for incident review.)
To work with perspectives, select Perspective Management under Tools in the
Navigator.
Set Details
First, enter values in a Details panel: Name and Type are required. Also select a status
(Active or Inactive) for the hierarchy as a whole, and optionally write a description
of the hierarchy.
You may select a given Type value for any number of hierarchies, but all values
(nodes) for a given type must be unique — hierarchies of a given type may not
share values. A given value may be used in more than one hierarchy only if the
hierarchies are of different types. (Values available in the Type LOV are created at
the Manage Lookups page, available in the Setup and Administration tasks. If no
existing type is appropriate for the perspective you are creating, have a new type
created in the Manage Lookups page.)
GRC assigns individual users distinct combinations of rights to data and to functionality.
To define access to functionality, it uses these components:
• A “privilege” is a specific feature GRC can make available to users.
• A “duty role” is a set of privileges. Each duty role defines one or more tasks a
user can complete in GRC — for example creating controls, or approving
changes to them.
• A “job duty role” is a set of duty roles. It encompasses the functionality a user
needs to do a large-scale job such as Control Manager or Risk Manager.
To define access to data, GRC uses these components:
• A “primary data role” defines a narrowly focused set of data. Each primary data
role sets at least three conditions: data must belong to a specified module; exist
at one or more specified states; and be subject to specified actions.
If a primary data role supports assessment activities in EGRCM, it sets a fourth
condition: data must be associated with a specified value for a seeded perspective
called Activity Type.
If a primary data role supports work with models, continuous controls, or incident
results in EGRCC, it sets a fourth condition: data must be associated with a
value for a seeded CCM Type perspective, which distinguishes between data for
use by AACG and data for use by ETCG.
• A “composite data role” is a set of primary data roles. It defines the data to
which a user can apply the functionality granted in a job duty role. Users may
create “custom perspective data roles,” each of which combines a composite
data role with a filter that allows access only to data associated with a specified
perspective value.
To combine functionality and data access, GRC uses these components:
• A “job role” comprises a job duty role and a composite data role (or custom
perspective data role).
• Each GRC user is assigned one or more job roles.
As you configure GRC security, consult not only this chapter, but also the Oracle
Governance, Risk and Compliance Security Implementation Guide.
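The role composition described above, together with the incident-review rule from the Perspective Management chapter, modeled as an added Python example (not Oracle code and not part of the original guide). The privilege, action, and operating-unit names are constructed, and requiring a single job role to supply both the privilege and the data access is this example's reading of the text.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Sequence, Tuple

Filter = Tuple[str, str]  # (perspective name, perspective value)

@dataclass(frozen=True)
class Record:
    """A GRC object (risk, control, incident...) and its perspective values."""
    module: str
    state: str
    perspectives: Mapping[str, FrozenSet[str]]

    def has(self, flt: Filter) -> bool:
        # Exact association only; whether child nodes inherit access is not
        # stated in the guide and is deliberately not modeled here.
        name, value = flt
        return value in self.perspectives.get(name, frozenset())

@dataclass(frozen=True)
class DutyRole:
    name: str
    privileges: FrozenSet[str]          # a duty role is a set of privileges

@dataclass(frozen=True)
class JobDutyRole:
    name: str
    duty_roles: Tuple[DutyRole, ...]    # a job duty role is a set of duty roles

    def privileges(self) -> FrozenSet[str]:
        return frozenset().union(*(d.privileges for d in self.duty_roles))

@dataclass(frozen=True)
class PrimaryDataRole:
    module: str                         # condition 1: module
    states: FrozenSet[str]              # condition 2: states
    actions: FrozenSet[str]             # condition 3: actions
    seeded: Optional[Filter] = None     # condition 4: Activity Type or CCM Type

    def permits(self, record: Record, action: str) -> bool:
        return (record.module == self.module
                and record.state in self.states
                and action in self.actions
                and (self.seeded is None or record.has(self.seeded)))

@dataclass(frozen=True)
class CompositeDataRole:
    name: str
    primary_roles: Tuple[PrimaryDataRole, ...]
    perspective_filter: Optional[Filter] = None  # set => custom perspective data role

    def permits(self, record: Record, action: str) -> bool:
        if self.perspective_filter is not None and not record.has(self.perspective_filter):
            return False
        return any(p.permits(record, action) for p in self.primary_roles)

@dataclass(frozen=True)
class JobRole:
    name: str
    job_duty_role: JobDutyRole
    data_role: CompositeDataRole

def can_perform(job_roles: Sequence[JobRole], privilege: str, action: str,
                record: Record) -> bool:
    """True only if ONE job role grants both the privilege and the data access."""
    return any(privilege in jr.job_duty_role.privileges()
               and jr.data_role.permits(record, action) for jr in job_roles)

# --- Constructed sample data (all names are illustrative) ---
REVIEW = DutyRole("Incident Review Duty", frozenset({"Review Incident"}))
VIEW = DutyRole("Incident View Duty", frozenset({"View Incident"}))
AACG_INCIDENTS = PrimaryDataRole("CCM", frozenset({"Assigned", "Remediate"}),
                                 frozenset({"review", "view"}), ("CCM Type", "AACG"))

def unit_data_role(unit: str) -> CompositeDataRole:
    return CompositeDataRole(f"AACG incidents, {unit}", (AACG_INCIDENTS,),
                             ("Organization", unit))

UNIT12_REVIEWER = JobRole("Unit 12 Reviewer", JobDutyRole("Reviewer", (REVIEW, VIEW)),
                          unit_data_role("Operating Unit 12"))
UNIT7_REVIEWER = JobRole("Unit 7 Reviewer", JobDutyRole("Reviewer", (REVIEW, VIEW)),
                         unit_data_role("Operating Unit 7"))
UNIT12_VIEWER = JobRole("Unit 12 Viewer", JobDutyRole("Viewer", (VIEW,)),
                        unit_data_role("Operating Unit 12"))

def incident(unit: str, ccm_type: str = "AACG", state: str = "Assigned") -> Record:
    return Record("CCM", state, {"CCM Type": frozenset({ccm_type}),
                                 "Organization": frozenset({unit})})

if __name__ == "__main__":
    target = incident("Operating Unit 12")
    print(can_perform([UNIT12_REVIEWER], "Review Incident", "review", target))
    # Privilege from one job role and data access from another do not combine.
    print(can_perform([UNIT7_REVIEWER, UNIT12_VIEWER], "Review Incident", "review", target))
```

When reviewing role assignments under this reading, evaluate each job role on its own: a user holding a reviewer role for one unit and a viewer role for another does not gain review rights in the second unit.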
Managing Users
A Manage Users page provides information, in read-only format, about GRC user
accounts. To open the Manage Users page, select Setup and Administration in the
Navigator, then Manage Users under Security.
Its upper panel, labeled Manage Users, displays a list of existing user accounts,
together with summary information about each — the username (by which the user
identifies herself as she logs on); the user’s given name, surname, and email
address; the user’s status; and the date and time at which the account was last updated.
In the Manage Users panel, select (click on) the row for a user whose information
you wish to review. A lower panel, labeled User Roles, lists the job roles assigned
to the user (together with a description and status for each role).
Alternatively, click on a user’s username, and a View User page opens, providing
full details for the user, with a list of roles the user has been assigned. From this
page, you can select an option to edit the user account. (Otherwise, select a Cancel
button to return to the Manage Users page.)
You can use options available from the Manage Users page to create, edit or copy,
or unlock user accounts, or import them from an LDAP repository.
From a Report Management page, you can run ad hoc reports or schedule them to be
run at intervals over a period that you define. The Report Management page saves the
scheduled reports it generates, enabling you to view them at any time. To open the
page, select Report Management in the Tools section of the Navigator.
Then, under Report Management in the Tasks panel, select the type of report you
want to run. The selection available to you depends on whether you use EGRCM,
EGRCC, or both (and on the access granted to you by your data roles).
CCM Control Management reports include the following:
• The Control Detail Extract Report provides information about continuous
controls. For each control, it gives the processing logic, conditions, and other
values that define it; users who created or updated it, and when they did so; and
perspectives and result investigators associated with it.
• The Conditions Report provides information about three sorts of condition that
may be set in AACG: A global condition specifies objects exempted from controls
on a given datasource; the report lists global conditions by datasource. A
global path condition excludes one access point from another, exempting paths
including both points from analysis; the report identifies each excluded access
point and its parent. A control-specific condition is like a global condition, but
applies to only one control; the report lists controls that contain conditions.
• The Entitlement Report lists access points belonging to each in a set of
entitlements (an entitlement being a set of access points that may be included in
a model or continuous control).
CCM Result Management reports include the following:
• The Access Approvals report displays records of role assignments in business-
management applications which, because they violated Approval Required
controls, were suspended until a control participant could review them.
• The Result Summary Extract Report lists incidents generated by access and
transaction controls, providing summary details for each. These include an
“Incident Information” value — the path by which a user can reach one in a
conflicting pair of access points, or the value of the first attribute selected
(during model configuration) to characterize a suspect transaction.
• The Access Incident Details Extract Report lists incidents generated by access
controls, providing not only the information that would be included in the Result
Summary Extract Report, but also additional details.
• The Transaction Incident Details Extract Report lists incidents generated by a
transaction control. It provides not only the information that would be included
in the Result Summary Extract Report, but also values for all attributes selected
to characterize suspect transactions. These attributes vary from one control to
another, so each run of the report must focus on a single control.
• The Access Point Report lists paths to access points involved in conflicts. Each
record in the report is not a conflict in itself, but rather one path (potentially
among many) to one of the access points involved in a conflict.
• The Access Violations by User Report lists ten users with the greatest number
of conflicts, the number of conflicts for each, and information about those
conflicts.
• The Access Violations Within a Single Role (Intra-Role) Report lists roles for
which access controls generate conflicts between privileges granted within a
role, so that the role cannot be assigned to any user without a conflict occurring.
• The Intra-Role Violations by Control Report lists access controls that generate
intra-role conflicts for which incidents exist at the Assigned, Remediate,
Authorized, or Accepted status. For each control, it also lists the roles for which
the conflicts are generated.
• The Global Users Report provides information about global users — IDs
created by EGRCC, each of which identifies one person, and correlates to any
number of potentially varying IDs that person may have in business applications
subject to access controls.
• The Result by Control Summary Extract Report lists access and transaction
controls that have generated pending incidents, and provides information about
each control.
• The Users with Access Violations by Control Report lists access controls that
have generated incidents at the Assigned, Remediate, Authorized, or Accepted
status. For each control, it lists users whose work assignments have violated the
control.
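The difference between user-level conflicts, intra-role conflicts, and the effect of a global path condition, as an added Python example that is not part of the original guide and is not AACG's algorithm. It assumes a control pairs two entitlements and flags anyone who can reach an access point from each; the hierarchy, users, and access-point names are constructed.

```python
from itertools import product

# Constructed sample data (all names are illustrative).
# Access-point hierarchy: parent -> child access points. Entries with no
# children are the lowest-level access points that entitlements refer to.
HIERARCHY = {
    "AP Manager": ["AP Clerk", "Payments"],
    "AP Clerk": ["Create Supplier", "Enter Invoice"],
    "Payments": ["Pay Invoice"],
    "Buyer": ["Create Supplier"],
}
USER_ROLES = {
    "alice": ["AP Clerk"],
    "bob": ["AP Manager"],
    "carol": ["Buyer", "Payments"],
}
# One control built from two entitlements (each a set of access points).
CONTROL = ({"Create Supplier"}, {"Pay Invoice"})

def paths_from(node, hierarchy, prefix=()):
    """Yield every path (tuple of names) from node down to a leaf access point."""
    path = prefix + (node,)
    children = hierarchy.get(node)
    if not children:
        yield path
        return
    for child in children:
        if child not in path:  # guard against cycles in the hierarchy
            yield from paths_from(child, hierarchy, path)

def exempt(path, path_conditions):
    """A global path condition (parent, excluded) exempts paths containing both."""
    return any(parent in path and excluded in path
               for parent, excluded in path_conditions)

def conflicts(roles, hierarchy, control, path_conditions=()):
    """Return (path_a, path_b) pairs reaching one access point from each entitlement."""
    ent_a, ent_b = control
    paths = [p for r in roles for p in paths_from(r, hierarchy)
             if not exempt(p, path_conditions)]
    side_a = [p for p in paths if p[-1] in ent_a]
    side_b = [p for p in paths if p[-1] in ent_b]
    return [(a, b) for a, b in product(side_a, side_b) if a[-1] != b[-1]]

def intra_role_violations(hierarchy, control, path_conditions=()):
    """Roles that conflict on their own, so no user can hold them cleanly."""
    return sorted(r for r in hierarchy
                  if conflicts([r], hierarchy, control, path_conditions))

def users_with_violations(user_roles, hierarchy, control, path_conditions=()):
    """Map each violating user to the conflicting path pairs."""
    found = {}
    for user, roles in user_roles.items():
        pairs = conflicts(roles, hierarchy, control, path_conditions)
        if pairs:
            found[user] = pairs
    return found

if __name__ == "__main__":
    print("intra-role:", intra_role_violations(HIERARCHY, CONTROL))
    for user, pairs in users_with_violations(USER_ROLES, HIERARCHY, CONTROL).items():
        for a, b in pairs:
            print(user, " > ".join(a), "<->", " > ".join(b))
    # A single path condition excluding "AP Clerk" from "AP Manager":
    cond = [("AP Manager", "AP Clerk")]
    print("with condition:", sorted(users_with_violations(USER_ROLES, HIERARCHY, CONTROL, cond)))
```

In the last case a single global path condition removes bob's conflict and the AP Manager intra-role finding, while carol's conflict across two separately assigned roles remains; conditions deserve the same review as the controls they modify.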
GRCM Assessment Management reports include the following:
• The Assessment Details Report displays information about assessments
conducted against selected objects.
• The Control Assessment Extract Report is an Excel report that lists controls and
their related assessment activities.
• The Control Assessment Report is a PDF report that lists controls and their
related assessment activities.
GRCM Control Management includes a single report: The GRCM Control Details
Report provides information about GRCM controls. For each control, it gives the
name, description and other values that define it, the users who created or updated
it, and when they did so.
Running Reports
Once you’ve selected a category of reports from the Tasks panel for the Report
Management page, the upper panel of the page lists a set of reports.
1. Click in the row for the report you want to run.
2. Click on Actions > Run Now or Actions > Schedule.
3. A Parameters pop-up window opens. In it, select parameter values. (See
“Managing Report Parameters” on page 4-4).
4. If you selected Run Now in step 2, the Parameters window displays a Generate
Report button. Click on it to generate the report.
If you selected Schedule in step 2, this button is replaced by a Schedule
Information button. Click on this button to produce a Schedule Parameter pop-up
window. Enter values that set a name for a schedule, the date and time at
which it should start, the regularity with which the report should run, and the
date and time (if any) on which the schedule should expire. Then click on the
Schedule button.
5
Application Configuration Management
The Manage Application Configurations page is divided into tabs, in each of which
you can set options that determine how GRC works. In pages opened from some tabs
(as noted below), some values are entered during installation and are not expected to
be changed subsequently. You may choose to modify other settings from time to time.
To open the Manage Application Configurations page, select Setup and Administration
under Tools in the Navigator, then Manage Application Configuration under
Setup.
GRC Properties
The Properties tab opens a page in which you can set values required for GRC to
connect to its database. You can also select performance and language options, and
download or upload a GRC database schema.
Fields in the Installation Configuration section of the Properties page record database
connection settings. Fields in the Performance Configuration section record
settings that may optimize GRC performance. Typically, fields in both sections are
completed during GRC installation and are not changed subsequently. For more
information on values appropriate for these fields, see the Governance, Risk and
Compliance Installation Guide.
In the Language Preferences section, choose languages in which GRC users may
work. Select their check boxes, then select Actions > Save. Once selected here,
languages are available to administrators as they create GRC user accounts, or to
GRC users as they set user preferences.
Use the Schema Import Export section to download the GRC database schema to a
file, or to upload a copied schema from a file. A download copies the schema whose
settings are recorded in the Installation Configuration fields. For a schema file to be
uploaded, an empty schema must be created to accept the contents of the file (and a
tablespace must be created for that schema). Moreover, before the Schema Import
Export fields have any effect, you must complete a setup procedure. This setup is
typically performed during installation; for more information about it, see the
Governance, Risk and Compliance Installation Guide.
Worklist Values
Fields available in the page opened from the Worklist tab apply only if GRC is
installed with Service Oriented Architecture (SOA). Typically, these fields are set
during installation and would not be changed subsequently. See the Governance,
Risk and Compliance Installation Guide for information on setting these fields.
Analytics
GRC may incorporate Oracle Fusion GRC Intelligence (GRCI), which provides
dashboards and reports that present summary and detailed views of EGRCM or
EGRCC data. If so, GRCI makes use of a “data analytics” (DA) schema, which is
distinct from the principal GRC database schema. Moreover, GRCI makes use of
Oracle Business Intelligence Enterprise Edition (OBIEE).
The Analytics tab of the Manage Application Configurations page records values
that embed GRCI within a GRC instance: In the Data Analytics Configuration section,
an administrator enters values that establish a connection to the DA schema. In
the GRC Intelligence Configuration section, an administrator enters values that set
up OBIEE for use with GRC. In the Intelligence Page Configuration section, an
administrator selects, and optionally renames, the GRCI dashboards that are to
appear in the GRC instance.
Typically the fields in all these sections are completed during GRC installation (and
their completion is dependent on other procedures being performed). Typically they
are not changed subsequently. See the Governance, Risk and Compliance
Installation Guide.
However, during installation or at any time afterward, you can create or modify a
schedule on which the DA schema is refreshed. Click on the Schedule Data
Analytics Update button (in the Data Analytics Configuration section). A Schedule
Parameter dialog opens. Enter values that set the name of the schedule, its start date
and time, the regularity with which the DA schema should be refreshed, and an end
date (if any). Then click on the Schedule button. Finally, click on Actions > Save.
Configuring Notifications
You can set up GRC to alert users when tasks within GRC require their attention —
when worklists are generated in EGRCM or EGRCC.
EGRCC can alert result investigators not only when incidents await their review,
but also when AACG preventive analysis requires approval of a role assignment to a
business-application user. In the latter case, you can also configure EGRCC to
inform that user of the approval decision.
GRC uses your email system to alert users to pending worklists. To establish a
connection with your SMTP server and set a schedule on which email messages are
sent, click the Notification tab and enter the following values:
• Notification Server
– User Name: The user name with which one would log on to the SMTP
server. This value is required only if access to the SMTP server requires
authentication.
– Password: The password with which one would log on to the SMTP server.
This value is required only if access to the SMTP server requires
authentication.
– Confirm Password: The SMTP server password entered in the Password
field. This value is required only if access to the SMTP server requires
authentication.
– Port Number: The port number at which the SMTP server communicates
with other applications.
– Server Name: The host name for the SMTP server your company uses for
sending email.
– Sender Email Address: An address that appears in the “From” line of email
messages generated by the Notification function.
– Application URL: The URL for your instance of GRC. This takes the form
http://host:port/grc, in which host is the fully qualified domain
name of your GRC server, and port is the port number selected for it when
its web application server was configured during installation.
– Enable SSL Authentication: Select this check box if access to your SMTP
server requires authentication; clear the check box if it does not. If
authentication is required, the User Name, Password, and Confirm Password fields
must also be populated (see above).
Purging Incidents
Ordinarily, records of EGRCC incidents remain in the Incident Management page
even after they have reached an end status (Resolved, Control Inactive, or Closed).
The potential exists, therefore, for the number of incidents available for viewing to
become large and unwieldy. To remedy this, you can use a Maintenance tab in the
Manage Application Configurations page to purge incidents (at all statuses)
generated before a date that you specify. The Maintenance tab applies only to EGRCC
(the CCM module), not to EGRCM (the Financial Governance and custom modules).
Note the following:
• When an incident is purged, all change history associated with the incident is
also purged.
• Although an incident may be purged in GRC, the risk it represents may continue
to exist in a business-management application: a user may still have access to
conflicting access points, or a risky transaction may remain unresolved. If so,
the next run of continuous controls will regenerate the incident in GRC. However,
any status or comments assigned to the incident before it was purged are lost.
• A simulation feature enables users to forecast the effect of AACG incident
cleanup in business-management applications. If you purge a set of AACG
Use the Manage Application Datasources page to set up Oracle EBS, PeopleSoft,
Oracle Fusion, and other datasources for use with EGRCC, and to synchronize data
for those datasources. To open the Manage Application Datasources page, select
Setup and Administration under Tools in the Navigator, then Manage Application
Datasources under Setup.
Use the Manage Application Libraries page to upload business objects or patterns,
both for use in EGRCC models and controls, or connectors to link GRC to
datasources other than Oracle EBS or PeopleSoft (for which GRC uses a default
connector). To open the Manage Application Libraries page, select Setup and
Administration under Tools in the Navigator, then Manage Application Libraries
under Setup.
Both of these pages apply to EGRCC. If you use EGRCM exclusively, information
in this chapter does not apply to you.
Configuring Datasources
To set up an Oracle EBS or PeopleSoft datasource, you need only supply values for
fields on the Manage Application Datasources page.
For Fusion, you must first install a connector and perform other configuration
procedures (see the Governance, Risk and Compliance Installation Guide). Moreover,
the values you enter for a Fusion datasource differ from those you would enter for
an Oracle EBS or PeopleSoft datasource. The Fusion values reflect an interaction
between GRC, Oracle Identity Management, and Oracle Internet Directory (OID),
an LDAP repository whose identity store is managed by Oracle Identity
Management.
To configure a new datasource:
1. In the Manage Application Datasources page, click on Actions > Create New. A
Create Datasource pop-up window opens.
2. Enter the following values:
• Datasource Name: Create a name for the datasource. (This name appears in
a Manage Datasource window, in which users select datasources as they
Uploading Patterns
“Patterns” are statistical functions, supplied by Oracle, that may be used in
transaction models and controls. Independently of GRC releases, Oracle may issue files (in
.jar format) that contain patterns. To upload these files:
1. In the Manage Application Libraries page, click on the Patterns tab.
2. Click on Actions > Import.
3. An Import File pop-up window opens. Click on its Browse button.
4. A file-upload opens. In it, navigate to and select the file you want to upload.
The path and name of the file then populate the field next to the Browse button
in the Import File window.
5. Click on the Upload File button. A pop-up message reports the status of the
upload operation. Click on its OK button to clear it, and then click on the Close
button in the Import File window.
In the Patterns page, rows display information about patterns you’ve uploaded —
for each, the name, description, and version.
Use certain setup pages to manage lookup tables, manage content types, manage
installation options, manage URL repositories, and manage assessment results.
Among these tasks, managing lookup tables and managing content types apply both
to EGRCC and EGRCM; the others apply to EGRCM only.
To open any of these pages, select Setup and Administration under Tools in the
Navigator, then select the applicable option in the Setup list of tasks.
For EGRCM, you can configure the default Financial Governance module, and you
can use a standard template to create new modules. You can also create user-defined
attributes (UDAs) — information added to a given object within a module, to extend
its definition.
EGRCC runs as a Continuous Control Monitoring (CCM) module, but you cannot
create other EGRCC modules.
So, most module-management functionality applies only to EGRCM. One
exception is Manage Module Perspectives (page 8-4). In both EGRCM and EGRCC, a
perspective hierarchy is unavailable for use until it is associated with object types.
Manage Module Perspectives enables you to configure these associations. A second
exception is Data Migration (page 8-4), which you can use to import all types of
operational data into EGRCM, and perspectives into EGRCC.
Managing Modules
To create a module, select Manage Modules in the Module Management tasks under
Setup and Administration; then select Actions > Create Module. A Create Module
page opens.
1. Name the module and select the standard template.
2. In the Select Module’s Objects area, click on the check box for each of the base,
risk, and control objects you want to include in the module.
3. A square representing each object appears in the Select Object Relationships
area of the page. In each object, select check boxes to establish relationships
with other objects. (For example, you select Base Object A and Risk Object A.
The square representing Base Object A contains a check box labeled Risk
Object A. Click it to indicate that Risk Object A is related to Base Object A.) Or
clear check boxes to sever relationships.
4. Relabel the objects you’ve selected. This is optional, but recommended, so that
objects have names that are meaningful to you. Click the Relabel button, and a
Relabel Objects pop-up appears. In it, type a new name for each object in its
Relabeled Value field, then click the OK button.
5. Save your work.
Data Migration
A Data Migration utility enables you to upload operational data for the Financial
Governance module or any new EGRCM module, or perspective data for the CCM
module. The procedure involves generating an XML template that reflects the
specific configuration of the module, updating the template with your operational
data, and running an import process.
Operational data includes object specifications, how objects are associated to one
another, transactions against the objects (such as issues, remediation plans for
issues, action items for base objects, risk analysis and evaluation, and assessments),
and attachments.
Managing Jobs
Each row in the Manage Jobs page presents the following information about one
occasion when a job was run. Values include:
• Job ID: An identification number assigned internally to the job by GRC.
• Name: The name of the job that was run.
• Start Date and End Date: The dates and times on which the job began to run and
finished running.
• Status: The current state of a job. Most statuses are assigned by GRC. These include
Not Started, Started, Queued, Pause Requested, Paused, Completed, and Error.
GRC updates the status until a final state (either Completed or Error) is reached.
GRC prioritizes jobs. The Paused (or Pause Requested) status indicates that GRC
has suspended (or is attempting to suspend) a job in order to undertake a higher-
priority job. Only GRC can pause jobs or request that they be paused; there is
no way for a user to do so.
Users may, however, cancel jobs. When a user does, the job status changes to
Cancel Requested or, ultimately, to Canceled.
• Message: An informational message about the job status. When the job has
finished running, the Message field displays a “Job completed” link; click on it
to open a Job Detail window, which displays information about the job. The Job
Detail window may also contain a link to the download file created by an export
Canceling a Job
If you have update permission to the Manage Jobs page, you can cancel a job whose
status indicates that it is still in progress. Click on the row identifying the job, click
on the Cancel Job button, and respond to a message asking you to confirm the
cancellation. In this case, the status changes to Cancel Requested or, ultimately, to
Canceled.
Managing Schedules
A job may be scheduled to run, and typically the schedule is created in the page to
which the job applies; the job may be run manually from that page as well. For
example, one may update a data analytics schema, or schedule it to be updated, from
the Manage Application Configurations page. However, any schedule created
elsewhere is listed in the Manage Scheduling page, where you may modify schedules or
run jobs manually.
To open this page, select Tools > Setup and Administration > Administration >
Manage Scheduling.
Viewing Schedules
In the Manage Scheduling page, each row presents information about a job
scheduled to run in the future.
Values include:
• Schedule Name: The name assigned to the schedule when it was configured.
• Name: The name of the job itself — for example, the name of a report if the
scheduled job is to generate the report.
• Last Run Date: The date and time on which this schedule last caused the job to
be run.
• Next Run Date: The date and time on which this schedule will next cause the
job to be run.
• Scheduled By: The user name of the EGRCC user who created the schedule.
Modifying Schedules
If you have update permission to the Manage Scheduling page, you can modify or
discontinue a schedule:
1. Click on the row for a schedule, then click the Edit button. A Schedule
Parameter dialog opens. Each schedule is specific to the type of job being
scheduled, and each dialog is specific to the schedule it is designed to set.
2. Do either of the following:
• Enter new values in fields, and make new selections among radio buttons,
to define a new schedule, and click on the Reschedule button. The new
schedule is then in force.
• Click on the Unschedule button. All values are then removed from the
Schedule Parameter dialog, and the job is no longer scheduled to be run.