Oracle Application Access Controls Governor Release Notes Release 8.0.1 May 2008
Oracle Application Access Controls Governor Installation Guide Copyright 2007, 2008 Oracle Corporation and/or its affiliates. All rights reserved. Primary Author: David Christie The Programs (which include both the software and the documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable. U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are commercial computer software or commercial technical data pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software Restricted Rights (June 1987). 
Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065. The Programs are not intended for use in any nuclear, aviation, mass transit, medical or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs. The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Contents

1 Release Notes
    Access Policy Creation ... 1-1
    Conflict Analysis ... 1-2
    Administration ... 1-3
Release Notes

Oracle Application Access Controls Governor implements access policies in Oracle E-Business Suite, PeopleSoft Enterprise, and other business-management applications. Each policy identifies access points to these applications that are considered to conflict with one another because, in combination, they would enable individual users to complete transactions that may expose a company to risk. Policies further designate policy types, which determine whether conflicts should be prevented, monitored, or made subject to approval by reviewers. Once conflicts are generated, analysts can assign status to individual conflict paths, each of which determines how a user's role (an access point directly assigned to a user, such as an Oracle responsibility) leads to a privilege (an access point actually included in an access policy).

Version 8.0.1 of Application Access Controls Governor (AACG) introduces enhancements in the creation of access policies, in the analysis of the conflicts they generate, and in administrative features. In addition to the features described below, version 8.0.1 introduces performance tuning that improves handling of large data sets.

Access Policy Creation

In version 8.0, a policy written to regulate access to Oracle E-Business Suite could include roles, responsibilities, menus, and functions as access points. In version 8.0.1, such an access policy may also include concurrent programs as access points.

In version 8.0.1, the author of an access policy may designate an owner and any number of observers. By default, an owner is assigned to review all paths to conflicts generated by the policy he owns (although the paths may be reassigned to other users). An observer is a person who has some interest in the conflicts generated by a policy, although no default responsibility for resolving them. Both owner and observers may receive email messages when the policy generates conflicts.
AACG users may create entitlements (collections of access points) and use them in access policies in place of, or in addition to, access points. When a user edits an entitlement, the policies configured to use that entitlement may be adversely affected. Version 8.0.1 introduces edit impact messaging: an attempt to save an edited entitlement produces a warning message identifying the access policies already configured to use the entitlement.

Both the panel in which policies are defined and the panel in which entitlements are created include a new Comments column. One may enter any information in this column. However, a migration utility may be used to convert version-7.x SOD rules into version-8.0.1 access policies. If so, each SOD rule was assigned a control type (equivalent to a version-8.0.1 policy type). Two control types, Allow with Rules and Approve with Rules, associated SOD rules with form rules, which alter the properties of Oracle EBS forms in ways that mitigate conflicts. If you have migrated an SOD rule of either control type, AACG 8.0.1 displays the name of the associated form rule in the Comments field.

Each access policy is assigned a status, Active or Inactive. In version 8.0, a user could update the status of only one policy at a time. In version 8.0.1, the user can update the status of any number of policies in a single operation.

Conflict Analysis

An access policy may contain any number of access points, but it also directs the AACG engine to evaluate them in distinct combinations, each of which is known as a subpolicy. A Conflict Analysis panel presents a subpolicy-level view of conflicts, sorting conflict paths by the specific combinations of access points within a policy that produce conflicts. In version 8.0.1, it adds several new columns that provide information about the policies that produce individual conflict records: not only the policy name (which was available in version 8.0 as well), but also the policy type, the priority (a numeric value that rates the importance of a policy in comparison with others), the datasource (the business-management application in which the conflict exists), and the entitlements used by the policy.
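As an added illustration of the model these notes describe (example code written for this page, not AACG's own engine or API), the following Python expands entitlements into their member access points, performs the edit-impact check that lists the policies using an entitlement, and evaluates each policy's access points pairwise as subpolicies to produce conflict records carrying the policy type, priority, datasource, role-to-privilege paths and entitlements. The datasource, users, roles, privileges, policy names and the "Prevent"/"Approve" type labels are all constructed.

```python
from itertools import combinations

# Constructed sample data, not taken from the release notes: one hypothetical
# datasource, an entitlement, two policies, and the privileges each role grants.
DATASOURCE = "EBS_PROD"
ENTITLEMENTS = {"Vendor Maintenance": {"Enter Suppliers", "Update Bank Accounts"}}
POLICIES = [
    {"name": "Supplier vs Payment", "type": "Prevent", "priority": 1,
     "access_points": ["Vendor Maintenance", "Create Payments"]},
    {"name": "Journal Entry vs Post", "type": "Approve", "priority": 2,
     "access_points": ["Enter Journals", "Post Journals"]},
]
ROLE_PRIVILEGES = {  # role (access point assigned directly to a user) -> privileges it leads to
    "Payables Manager": {"Enter Suppliers", "Create Payments"},
    "AP Clerk": {"Enter Suppliers"},
    "GL User": {"Enter Journals"},
    "GL Supervisor": {"Post Journals"},
}
USER_ROLES = {"jsmith": ["Payables Manager"], "akim": ["AP Clerk", "GL User"],
              "lzhou": ["GL User", "GL Supervisor"]}


def expand(point):
    """Privileges an access point stands for: an entitlement expands to its members."""
    return ENTITLEMENTS.get(point, {point})


def policies_using(entitlement, policies=POLICIES):
    """Edit-impact check: names of the policies that would be affected by editing this entitlement."""
    return [p["name"] for p in policies if entitlement in p["access_points"]]


def conflict_paths(roles, point, role_privs):
    """(role, privilege) paths by which a user's roles reach the given access point."""
    return [(r, priv) for r in roles for priv in sorted(role_privs.get(r, ())) if priv in expand(point)]


def find_conflicts(policies=POLICIES, user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES):
    """Evaluate each pair of a policy's access points (a subpolicy) against every user."""
    records = []
    for p in policies:
        for a, b in combinations(p["access_points"], 2):
            for user, roles in user_roles.items():
                paths_a = conflict_paths(roles, a, role_privs)
                paths_b = conflict_paths(roles, b, role_privs)
                if paths_a and paths_b:  # the user can reach both sides of the subpolicy
                    records.append({"user": user, "policy": p["name"], "type": p["type"],
                                    "priority": p["priority"], "datasource": DATASOURCE,
                                    "subpolicy": (a, b), "paths": paths_a + paths_b,
                                    "entitlements": [x for x in (a, b) if x in ENTITLEMENTS]})
    return sorted(records, key=lambda r: (r["priority"], r["user"]))
```

With the constructed data, jsmith conflicts on the Prevent policy through a single role, lzhou conflicts on the Approve policy through two roles, and akim holds one side of each subpolicy but never both, so no record is produced for that user.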
A Work Queue consists of two panels, one of which enables users to assign conflict paths to reviewers, and the other of which enables reviewers to assign status to those paths. Each panel comprises two sections: one enables users to drill down to a set of paths pertaining to a specific role, policy, and user, and the other displays those paths. In version 8.0.1:

• The drill-down portion adds these pieces of information: for a role, the datasource (once again, the business-management application in which the conflict exists), and for a policy, its priority.
• Users can resize each of the drill-down and path sections of either Work Queue panel by dragging the border between them.
• In the panel in which reviewers assign status, they can also reassign paths to other reviewers.

A Heat Map enables analysts to select parameters that divide conflicts into increasingly narrowly focused sets. Through its use, analysts can evaluate trends in the generation of conflicts and prioritize their resolution. In version 8.0, the Heat Map displayed, by default, conflicts generated in the latest run of a Find Conflicts program, but enabled users to select earlier runs. In version 8.0.1, the Heat Map defaults to a cumulative display, a view of conflicts generated by all runs of the Find Conflicts program, but enables users to select any individual run.
A Navigation panel provides links to the features available in AACG, and so enables users to select among them. In version 8.0, the Heat Map was available from two links on the Navigation panel; in version 8.0.1, it is available only from the Home link (and remains, as a result, the feature one sees upon opening AACG).

Administration

In version 8.0, the Navigation panel was a fixed size. In version 8.0.1, it can be enlarged, or it can be closed entirely (in which case the frame in which a user works is expanded).

The ability to configure AACG user accounts is greatly enhanced. User information is encrypted; passwords must consist of characters from multiple data sets, making them more secure; and the user account adds tracking information such as email addresses, phone numbers, and physical addresses.

Owners and observers of policies, and reviewers of conflict paths, may receive email notifications when conflicts require their attention. AACG consolidates queued notifications so that each recipient receives one message for the conflict paths awaiting his review. Version 8.0.1 provides the capability to configure a connection to your email server so that these notifications can be sent, and to schedule their delivery. (Notifications are sent to the email addresses associated with owners, observers, and reviewers when their user accounts are configured.)

In an Application Configuration panel, one can configure the parameters required for AACG to connect to its database. Version 8.0.1 consolidates these parameters (thus reducing their number), assigns them plain-language names, and provides a tool for testing the connection before the parameters are saved.

Version 8.0.1 of Application Access Controls Governor includes an application program interface (API) through which external applications, such as Identity Manager, can implement access policies created in AACG.