4 Managing and Supporting CSR Cases

Oracle Adaptive Access Manager provides a set of tools for creating and supporting Customer Service Representatives (CSR) cases. This chapter provides information to CSR and CSR Managers for managing cases and contains the following sections:

• Introduction and Concepts

• CSR and CSR Manager Role Permissions

• Getting Started

• Cases Search Page

• Case Details Page

• Viewing Case Activity

• Viewing Customer's Sessions

• Creating a CSR Case

• Performing Customer Resets

• Performing Challenge Question Resets

• Enabling a Temporary Allow

• Performing Case Actions

• Configuring Expiry Behavior for CSR Cases

• Reporting

• Multitenancy

• Use Cases

• Best Practices and Recommendations

4.1 Introduction and Concepts

This section provides an introduction to CSRs and CSR Managers and a high-level view of how they might use the Oracle Adaptive Access Manager set of tools for creating and supporting cases. It includes the following sections:

• Case

• Customer Service Representative (CSR)

• CSR Manager

• Fraud Investigator

• Fraud Investigation Manager

• Locked Status

• Temporary Allow

• Case Status

• Severity Level

• Expiration Date

• Customer Resets

4.1.1 Case

A case is a record of all the actions performed by the CSR to assist the customer as well as various account activities of the customer. Each case is allocated a case number, a unique case identification number. The Case Management feature of Oracle Adaptive Access Manager is used in two ways.

• Users of the enterprise using Oracle Adaptive Access Manager can call up the enterprise asking for assistance with user-facing features of Oracle Adaptive Access Manager such as images, phrases or challenge questions, or any issues with their account. The CSR uses the Case Management feature to create a case which records all the actions performed by the CSR to assist the user as well as various account activities of the user.

• The Case Management feature is also used by Fraud Investigators to investigate potentially fraudulent activity performed in user accounts.

4.1.1.1 CSR Cases

CSR cases are used in customer service situations associated within the normal course of doing business online and over the phone when providing assistance to customers. A CSR case is created for a specific user.

4.1.1.2 Escalated Cases

CSR escalates a case when he cannot resolve a case and needs further investigation by an investigator or when he determines there is suspicious activity associated with the specific user and he wants further investigation by an investigator. Once escalated the case is treated as an Agent case, which is no longer visible to the CSR. However, any agent can work on the escalated case.

4.1.2 Customer Service Representative (CSR)

Customer service representatives are employed by many different types of companies to serve as a point of contact for customers who call. They are responsible for ensuring that their company's customers receive an adequate level of service and help for low risk issues originating from customer calls. In handling customers' complaints, they must attempt to resolve the problem according to guidelines established by the company. These procedures may involve opening a case, entering notes as they are speaking to customers, asking questions to determine the validity of a complaint, making changes or updates to a customer's profile information, and, if required, passing the case on to a CSR Manager who has the appropriate privileges to respond. In a Multitenant deployment, CSRs only have access to cases limited to an Organization.

4.1.3 CSR Manager

The CSR Manager is in charge of overall management of CSR-type cases. A CSR Manager has all the access and responsibilities of a CSR and access to more operations, such as:

• bulk edit cases

• temp allow users

• extend expiration

The CSR does not have the permissions to perform these actions. A CSR Manager routinely searches through the CSR cases to check on status and clean up if needed.

4.1.4 Fraud Investigator

A Fraud Investigator investigates a specific fraud scenario or suspicious pattern. The Fraud Investigator works on escalated cases.

4.1.5 Fraud Investigation Manager

A Fraud Investigation Manager has access to actions that the Fraud Investigator does not have.

4.1.6 Locked Status

If the user fails a challenge, he is locked out of the account. The status of the account is Locked. The Locked status is only used if the Knowledge Based Authentication (KBA) or One Time Password (OTP) facility is in use.

• Knowledge Based Authentication (KBA): For online challenges, a customer is locked out of the session after the Online Counter reaches the maximum number of failures. For phone challenges, a customer is locked out when the maximum number of failures is reached and no challenge questions are left.

• One Time Password: OTP sends a single-use password to the user through a configured delivery method, and if the user exceeds the number of retries when attempting to put in his OTP code, his account becomes locked.

After the lock out, a CSR must reset the status to Unlocked before the account can be used to enter the system.

4.1.7 Temporary Allow

A temporary allow grants temporary account access to a customer who is being blocked from logging in or performing a transaction. A customer is blocked when a security rule is triggered. For example, a customer may be traveling on business and attempting to log in from a blacklisted country and the system has blocked him or her.

4.1.8 Case Status

Case Status is the current state of a case. Status values used for the case are New, Pending, Escalated, or Closed. When a case is created, the status is set to New by default. CSRs cannot Authentication a closed case. CSR Managers and Investigators can Authentication a closed case. Escalated cases cannot be created.

4.1.9 Severity Level

The Severity Level is a marker to communicate to case personnel how serious the case is. The severity level is set by whomever creates the case. The available severity levels are High, Medium, and Low.

4.1.10 Expiration Date

Note:

Depending on the type of the case, the terminology used and behavior may be different.

The expiration date is the date when a case expires. By default, the length of time before a case expires is 24 hours, but is configurable.

• CSR cases: For CSR cases, the status of the case changes from the current status to Expired. The case could have any status when it expires. The CSR can open the case but cannot perform any actions on it. The CSR Manager can extend an expired case.

• Escalated cases: For escalated cases, the status of the case changes from the current status to Expired. When the case is expired, an expired flag is set for the case to let managers know that the case requires their attention. For example, if escalated cases are set to 24 hours and if the case is open and has not been accessed in more than 24 hours, the flag is set to Expired. When the Fraud Investigator accesses the expired case, it is reactivated and the expiration date is extended for another 24 hours (or however long it has been configured for). The expired behavior is configurable using the Properties Editor. CSRs cannot change the expiration date of escalated cases.

  For information, refer to Section 4.13, "Configuring Expiry Behavior for CSR Cases."

4.1.11 Customer Resets

Oracle Adaptive Access Manager uses images and phrases on virtual authentication devices as part of the personalization to help prevent fraud. The Customer Resets feature enables you to reset the customer's image and phrase and unregister his device. The Customer Reset feature is not be available for a closed, an escalated or an expired case.

4.2 CSR and CSR Manager Role Permissions

Customer Service personnel can access various functionality in Oracle Adaptive Access Manager based on the role to they are assigned. The out-of-box roles are CSR and CSR Manager. A CSR has limited access to the OAAM Administration Console. Their primary function is to resolve low risk customer issues originating from customer calls.

A CSR Manager has all the access and responsibilities of a CSR and access to more sensitive operations. The CSR Manager is in charge of the overall management of CSR type cases.

Table 4-1 CSR and CSR Manager Role Permissions

Action	CSR Permissions	CSR Manager Permissions
Search Cases	Search for CSR cases Search for open and closed cases.	Search for CSR cases Search for open and closed cases.
New Case	Create only CSR cases	Create only CSR cases
View Case Details	View closed case details View Transactions in Sessions tab (CSRs do not have access to Session details from Queries)	View closed case details View Transactions in Sessions tab
Edit Case	Add notes to closed cases (view only for everything else) Perform all customer and KBA resets on a CSR case Perform KBA phone challenge on a CSR case Change status and severity on a CSR case	Authentication closed cases Add notes to CSR cases Change status and severity on a CSR case Bulk edit CSR cases Temp allow users Extend expiration Perform all customer and KBA resets Perform KBA phone challenge

4.3 Getting Started

Before using the case tools, read through Section 4.1, "Introduction and Concepts"—the section is useful in helping you to understand the concepts presented in this chapter. To perform the operations listed earlier, log in as a CSR or CSR Manager. When you log in, you are redirected to the Cases Search page; CSRs do not have access to other applications (Navigation tree and Policy tree).

If you have the appropriate permissions, you can open to the Cases Search page by double-clicking Cases in the Navigation tree. Alternatively, you can open the Cases Search page by:

• Right-clicking Cases in the Navigation tree and selecting List Cases from the context menu.

• Selecting Cases in the Navigation tree and then choosing List Cases from the Actions menu.

• Clicking the List Cases button in the Navigation tree toolbar.

The Cases Search page is the starting place for managing CSR cases. From the Cases Search page, you can:

• create new cases

• create like cases

• bulk edit cases

• perform searches

If you are a CSR, you can open only one case at a time. CSR Managers, Investigators, and Investigation Managers can open multiple case tabs.

4.4 Cases Search Page

The Cases Search page contains the search tools to help you find cases that you are interested in. An example Cases Search page is shown in Figure 4-1.

Figure 4-1 CSR Cases Search page

4.4.1 Searching for Cases

When a customer telephones with a question or problem, you can search all customers and cases quickly through any combination of factors. For example, you can search for a customer's open case by entering his User ID and New, Pending, and Escalated for his case status. Another example is searching for CSR cases created between a month ago and yesterday.

To search cases:

1. From the Cases Search page, specify criteria in the Search Filter.

   The filters are shown in Table 4-2.

   Table 4-2 Search Filters

   Filter	Description
   Organization ID	To locate cases for an organization, select the Organization ID. In a Multitenant deployment, CSRs only have access to cases limited to an Organization. Organization names to which the user has access are presented.
   User Name	To locate cases for a specific user, enter his user name or part of a user name in the User Name field.
   User ID	To locate a case by the user identifier.
   Case ID	To locate a specific case, enter the Case ID.
   Description Keyword	To locate a case by a keyword that is in the description, enter the word you want.
   Case Type	To filter cases by case type, select CSR.
   Severity Level	To filter cases by severity level, select Low, High, or Medium.
   Case Status	To filter cases by case status, select New, Pending, Closed, Escalated.
   Expired	To filer the list by expired, select the option you want. The options available are: Hide Expired Show Only Expired
   Created Date	To locates cases created within a given create date range, enter the start and end dates you want for the range.
   Disposition	To filter cases by dispositions, you can select: Confirmed Fraud Duplicate False Negative False Positive Issue Pending Issue Resolved Not Fraud The disposition describes the way in which the issue was resolved in a case. Cases only have dispositions when they are closed. If a case has any status besides closed, the disposition is left blank.
   Last Action	Search based on the last action that was taken in case.
   Notes	Search for cases that contain specific keywords in their log. For example, if you search for all cases that contain the word "chargeback," a case with a note that contains "The device used seems to be related to a number of chargebacks" would return in the list of cases.
   Created by	Search by user name of the agent who created the case.
   Current Owner	Search by user name of the agent who is working on this case currently (who performed the last action)

   
   

2. Click Search.

There is a link on the case number. To view the case details, click the link. You can get the case detail for cases that belonged to any user belonging to the group you have access to. If the user does not belong to the group you have access to, you do not see that case in search results.

4.4.2 Viewing a List of Cases

Depending on the criteria entered for the search, the Search Results table can display a list of cases. In a multitenant environment, if the user does not belong to an organization you have access to, you do not have access to his case. If you had been assigned to one organization previously and created cases for users in that organization and serviced them, when you are reassigned to another organization, you only see cases for the new organization when you log in again, regardless of whether you serviced them or not.

4.4.3 Viewing a List Cases You are Currently Working On

From the Cases Search page, enter your user name in the Current Owner field to locate cases that you are currently working on and click Search. The Search Results table displays the list of cases you are currently working on.

4.4.4 Searching for Open and Closed Cases

1. From the Cases Search page, search by Case Status:

   • New, Pending, and Escalated to locate open cases

   • Closed to locate closed cases

   For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   The Case Details page is displayed (Figure 4-2).

   When the CSR or CSR Manager opens the case

   • The current owner becomes the CSR or CSR Manager.

   • The Created By field remains the same.

   • The status of the case is "Pending."

3. Next, the CSR or CSR Manager can perform the necessary actions such as granting a temporary allow, performing challenge question resets, and other actions.

4.4.5 Searching Case by Description Keyword

Searching by description keywords would display all cases with any matching words in that was entered as a description during case creation.

1. From the Cases Search page, enter the description keyword to locate cases that contains the Description Keyword and click Search.

2. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

4.4.6 Viewing a List of Cases

Searching by description keywords would display all cases with any matching words that was entered as a description during case creation.

4.5 Case Details Page

By clicking the case number on the Cases Search page, you can review the details of a specific case perform various actions on cases. The Case Details page provides such general details about the case as the customer's user name, status, severity level, and description. For information, see Section 4.5, "Case Details Page."

Figure 4-2 Case Details

4.5.1 Case Actions

Case Details also provides access to the actions that can be taken, a log of case activity, and a list of customer sessions. From the Case Details page, the following options are available:

• Add Notes

• Ask Question

• Customer Resets

• Temporary Allow (CSR Manager Only)

• Change Severity

• Change Status

• Extend Expiration Date (CSR Manager Only)

• Escalate Case (CSR Manager Only)

You can only act on those case that you can access in the details page. You can open the case only when you have access to the user's group.

4.5.2 Viewing Case Details

The following information is displayed in Case Details.

• Case Status - The current state of a case. Status values used for the case are New, Pending, Escalated, or Closed.

• Severity Level - The available severity levels are High, Medium, and Low. For information about severity levels, see Section 4.1.9, "Severity Level."

• Description - The details for the case. A description is required.

• Case Created - The date and time the case was created.

• Last Case Action - The last action executed in the CSR case.

• Date of Last Case Action - The date when last action occurred.

• Last Global Case Action - The last action that occurred for this user in all CSR cases. Escalated cases are not taken into account.

• Date of Last Global Case Action - The last action performed against the user online.

• Expiration Date (for CSR cases) - The date when a case expires. For information about expiration dates, see Section 4.1.10, "Expiration Date."

• Disposition - The description of how the issue was resolved when the case was closed. Cases only have dispositions when they are closed. If a case has any status besides closed, the disposition is left blank.

4.5.3 Viewing User Details

The following information is displayed in User Details.

• User Name - Identifier a user uses to log in

• Organization ID - The unique identifier for the organization the user belongs in

  The combination of User Name and Organization ID is the unique identifier for a user accessing an application. In a multitenant deployment, CSRs only have access to cases limited to an Organization.

• Completed Registration - If the user has completed registration, this field shows Yes; otherwise it shows No. To be registered a user may need to complete all of the following tasks: Personalization (image and phrase), registering challenge questions/answers and email/cellphone.

• Personalization Active - When the user has an image, a phrase and questions active, this field would display Yes. If any one of these are reset, this field would display No.

• Questions Active - If user has completed registration, but questions have been reset, and the user has not gone back and registered new ones, this field would display No. This field shows Yes if the user has completed registration and questions exists by which he or she can be challenged.

• OTP Active - If supported OTP delivery channels are registered, the field shows Yes.

• Last Online Action - The last action that the user executed. For example, Block is displayed if the user is blocked.

• Date of Last Online Action - The date when the last online action was executed.

• Temporary Allow Active - If temporary allow is active, this field shows Yes; otherwise the field shows No.

• Temporary Allow Expiration Date - When temporary allow is enabled; this field tells you when it expires. If temporary allow is 7 days, the expiry date is a week from today.

4.6 Viewing Case Activity

OAAM Admin maintains a unique log of every customer service action taken while working on a case. The log is available in the Logs tab of the Case Details page. Each log entry includes the Log ID, User ID of the CSR, create date, action, subaction, and notes. You can use this log while you are on the phone with a customer to view the case history.

Figure 4-3 Logs Tab

4.6.1 Viewing the Case History

To view the case history:

1. From the Cases Search page, specify criteria in the Search Filter.

   For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   View the activity log for that case (Figure 4-3).

4.6.2 Searching the Log of a Case

To search the log of a case:

1. Display the log for the case you want to search, as described in Section 4.6.1, "Viewing the Case History."

2. Enter the search criteria and click Search.

   Table 4-3 Log Search Filters

   Filter	Description
   Notes Keyword	Keyword in notes describing why an action was taken in a case. For example, suspected fraud.
   ARM ID	The type of agent that performed the action. For example, csrm1
   Created Date	The date of the case action.
   Action	The action taken for the case. For example, escalation.

   
   

4.6.3 Viewing Escalated Case Logs and Notes

To view the log and notes of an escalated case:

1. In the Cases Search page, search by the case status and by other filters to locate the case.

   For example, search for Agent cases for Alex's user name. For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

3. Click the Log tab.

   The activity log for that case appears.

4. Enter the search criteria and click Search.

4.7 Viewing Customer's Sessions

OAAM Admin maintains a history of a customer's sessions. Each session entry includes the Session ID, authentication status, login time, Device ID, location, transactions, and alerts. Sessions information is available in the Sessions tab of the Case Details page. You can use the Sessions tab while you are on the phone with a customer to view the sessions history (a list of that customer's previous sessions).

Figure 4-4 Sessions Tab

4.7.1 Viewing a Customer's Session History

To view a customer's session history:

1. From the Cases Search page, specify criteria in the Search Filter.

   For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   The Case Details page appears.

3. Click the Sessions tab (Figure 4-4).

4.7.2 Searching for a Customer's Sessions

To search for a customer's sessions:

1. Display the list of sessions for the case, as described in Section 4.7.1, "Viewing a Customer's Session History."

2. Enter search criteria and click Search.

   Table 4-4 Sessions Search Filters

   Filter	Description
   Session ID	The identifier for the session. For example, 11702.
   Device ID	The identifier for the device. For example, 1803.
   Auth Status	The authentication status. For example, Success.
   Alert Level	The alert level. For example, Info
   Transactions	The transaction performed.
   Login Time	The time the customer logged in to perform the transaction. For example, 5/11/09.

   
   

You can search sessions belonging to the users that belong to the organizations that you have access to.

4.7.3 Searching for a Customer's Sessions by Device ID or Date Range

To search for a customer's sessions by Device ID or date range:

1. Display the list of sessions for the case, as described in Section 4.7.1, "Viewing a Customer's Session History."

2. To search the sessions by Device ID, enter the ID of the device.

3. To search the sessions by login date range, click the calendar icons and select the start date and the end date.

4. Click Search.

4.7.4 Filtering the Session History by Authentication Status or Alert Level

To filter the list of customer's sessions by authentication status or alert level

1. Display the list of sessions for the case, as described in Section 4.7.1, "Viewing a Customer's Session History."

2. To filter the sessions by authentication status, select the authentication status you want.

3. To filter the sessions by alert level, select the alert level you want.

4. Click Search.

4.7.5 Viewing Transactions in the Sessions History

To view the customer's transactions.

1. Display the list of sessions for the case, as described in Section 4.7.1, "Viewing a Customer's Session History."

2. Filter the log by transactions.

3. Click Search.

4.8 Creating a CSR Case

A CSR case is a record of related customer care events and actions for a single customer. Multiple cases also provide a way of segregating unrelated issues and actions for a customer. CSR cases are used by the CSR while assisting a customer. Procedures are described in this section for creating new and like cases.

4.8.1 Creating a Case

The CSR is only able to create cases for users of the organizations he has permissions for. A new CSR case is created by a CSR Manager or CSR when a customer care situation occurs either online or through a phone call. The CSR or CSR Manager searches for cases by the Organizations ID and user name.

In a Multitenant deployment, CSRs only have access to cases limited to an Organization. He is not be able to see the case if the user belongs to an organization he does not have permission for.

Depending on the case, the CSR or CSR Manager decides if a new case must be created or if it can be handled with an existing case for that user.

To create a new case:

1. In the Cases Search page, click New Case.

   The Create Case screen appears.

   You could also open the Create Case screen by right-clicking Cases in the Navigation tree and selecting New Case from the context menu that appears.

   Figure 4-5 Create Case

   
   

2. Select the Organization ID.

   A list of Organization IDs for which you have access to is provided. From the list you can select one Organization ID.

   You can select an Organization ID and enter a user name or enter the User ID.

3. Enter the user name.

   User name is the identifier a user uses to log in. The combination of user name and Organization ID is the unique identifier for a user accessing an application. The unique Organization ID and user name combination must be available in the system. The user name is case-sensitive. If the user name is invalid or does not use the correct uppercase and lowercase, an error message appears when you press Create.

4. Enter the User ID.

   User ID is unique identifier generated by the system for the user.

5. Select a severity level from the Severity Level list

   The available severity levels are High, Medium, and Low.

6. Enter a description in the Description field, or select a description from the Canned Description list, or both.

   Description is a required field. You can select multiple descriptions from the Canned Description list for the same case, one at a time for any number of times. Each description selected from the list is appended to the previous description. If you are entering a description, the Description field can contain alphanumeric and special characters.

7. Click Create or Cancel.

   The Create button is disabled until all the fields are entered. No fields can be left blank.

   If an invalid parameters were entered, an error message is displayed and the new case is not created. If you click Cancel, the Cases Search page appears. If you click Create, a new case is created, and you are directed to the Case Details page of the newly created case.

   When the Case Details page is displayed:

   • The Case Status shows Pending.

   • The Created By field shows the user name of the CSR who created the case.

   • The Current Owner field shows his user name because he is the current owner of the case.

4.8.2 Creating a Case Like Another Case

To create a new case that is similar— or "like"—an existing case:

1. From the Cases Search page, select a case by clicking in the checkbox next to case in the Search Results table.

2. Click the Create Like button.

   The Create Like button is disabled if you select multiple rows in the Search Results table. The Create Case Like screen appears with pre-populated data from the original case. If you had chosen a closed case, the Create Case Like screen shows pre-populated data from the case except the Case Status is New.

   If you had chosen an escalated case, the Create Like screen shows pre-populated data from the case except the Case Status is New and the Case Type is CSR.

   Figure 4-6 Create Like

   
   

3. Enter a description in the Description field, or select a description from the Canned Description list, or both.

   Description is a required field. You can select multiple descriptions from the Canned Description list for the same case, one at a time for any number of times. Each description selected from the list is appended to the previous description. If you are entering a description, the Description field can contain alphanumeric and special characters.

4. Edit any of the other fields if you want.

   Do not leave any fields blank.

5. Click Create or Cancel.

   If you click Cancel, the Cases Search page appears. If you click Create, a new case is created with data from the original case and your changes, and you are directed to the Case Details page of the newly created case.

4.9 Performing Customer Resets

Authenticator uses images and phrases on its virtual authentication devices as part of the personalization to help prevent fraud. Customer Resets enable you to reset the customer's image and phrase and unregister his device. Customer Resets are not be available for a closed, escalated or expired case.

4.9.1 Resetting Image

If you reset a customer's image, OAAM Admin randomly assigns a new image to the customer. After resetting the image, you can inform the customer that the authenticator will display a new image at the next log in to the Web site. The same phrase will continue to be used. If a customer is not registered and does not have an image to reset, an error message appears if you try to reset his image.

To reset a customer's image:

1. From the Cases Search page, search for an existing case for resetting the image for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for resetting the customer's image.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

   Figure 4-7 Customer Resets

   
   

4. In the User Item list, select Image.

5. In the Canned Notes list, select the note you want to add.

6. Edit the note describing why you are taking the action, if necessary.

7. Click Submit.

4.9.2 Resetting Phrase

When the customer's phrase is reset, a new one is randomly assigned to the customer. After resetting the phrase, you can inform the customer that the authenticator will display a new phrase the next time he or she logs in to the Web site. The same image will continue to be used.

To reset a customer's phrase:

1. From the Cases Search page, search for an existing case for resetting the phrase for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for resetting the customer's phrase.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Phrase.

5. In the Canned Notes list, select the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

   An error message appears if the customer is not registered and does not have a phrase to reset.

4.9.3 Resetting Image and Phrase

If you reset a customer's image and phrase, OAAM Admin generates a new image and phrase and assigns them to the customer. Afterward, you can inform the customer that the authenticator will display a new personal image and phrase at the next log in to the Web site.

To reset a customer's image and phrase:

1. From the Cases Search page, search for an existing case for resetting the image and phrase for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for resetting the customer's image and phrase.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Image and Phrase.

5. In the Canned Notes list, select the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

   An error message appears if the customer is not registered and does not have a phrase and an image to reset.

4.9.4 Unregistering Devices

When you unregister devices, OAAM Admin unregisters all of a customer's devices. The customer can register another device if he wants.

To unregister a customer's devices:

1. From the Cases Search page, search for an existing case for unregistering the device for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for unregistering the customer's device.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Unregister Devices.

5. In the Canned Notes list, select the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

4.9.5 Resetting OTP Profile

When a customer's OTP profile is reset, the system deletes the contact information that is used to send the OTP. Out of the box, the user is asked to register contact information on next login, if the OTP profile is reset. OAAM deployments may choose to use both KBA and OTP. If that is the case, if the OTP profile is reset, but questions are still active, the customer is asked to reregister OTP information at the next login.

To reset a customer's OTP profile:

1. From the Cases Search page, search for an existing case for resetting the OTP profile for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for resetting the customer's OTP profile.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Reset OTP profile.

5. In the Canned Notes list, select the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

OTP Delivery Method Reset Example

Jacob calls the CSR and requests that his OTP delivery method be reset and change from phone to SMS and provides a phone number for SMS.

Carl the CSR performs these steps:

1. Carl searches for Jacob's logins and verifies with him about last login time and place.

2. Carl creates a case for Jacob and resets his OTP delivery method.

3. He asks Jacob to login again and verify the new OTP delivery method.

4. After he is done and confirms the new OTP working fine, Carl goes ahead and closes the case.

4.9.6 Resetting Virtual Authentication Device

A customer may sometimes ask to have the virtual authentication device reset.

To reset a customer's virtual authentication device:

1. From the Cases Search page, search for an existing case for resetting the virtual authentication device for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for resetting the customer's virtual authentication device.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Reset Authentication Pad.

5. In the Canned Notes list, select the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

4.9.7 Unlocking OTP

The CSR unlocks the customer who calls because he or she has been OTP-locked. Unlocking the customer resets the customer's OTP failure counter to 0.

To unlock OTP for the customer:

1. From the Cases Search page, search for an existing case for unlocking the OTP for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for unlocking the customer's OTP.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Unlock OTP.

5. In the Canned Notes list, select the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

4.9.8 Resetting All Registration Data, Challenge Counters, and OTP Contact and Delivery Information

The Customer (All) option resets all user registration information including security phrase, image, challenge questions, challenge (question and OTP) counters, and OTP profile.

To reset all registration data, challenge counters, and OTP profile information:

1. From the Cases Search page, search for an existing case for resetting all registration data, challenge counters, and OTP contact and delivery information for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for the customer.

3. On the menu bar of the Case Details page, click Customer Resets.

   The Customer Resets screen is displayed.

4. In the User Item list, select Customer (All).

5. In the Canned Notes list, click the note you want to add.

6. Edit the default notes in the Notes field.

7. Click Submit.

4.10 Performing Challenge Question Resets

Authenticator uses questions as additional credentials to help prevent fraud. You can perform question-related actions for the customer when necessary. The Challenge Questions feature enables you to reset the following items for a customer:

• Reset Questions

• Next Question

• Reset Question Set

• Unlock Customer

• Ask Question

4.10.1 Performing Challenge Questions Related Actions

Open the Challenge Questions screen by following these instructions:

1. From the Cases Search page, search for an existing case for performing the reset for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for the customer.

3. On the menu bar of the Case Details page, select More Actions, and then click Challenge Questions.

   The Challenge Questions screen appears.

   Figure 4-8 Challenge Questions

   
   

4.10.2 Resetting Challenge Questions

Resetting challenge questions deletes the existing questions and answers and generates a new question set for the customer to register from. The customer is informed that registration of challenge questions (select new questions and answers from his or her question set) is required at the next log in to the Web site.

To reset a customer's challenge questions:

1. Open the Challenge Questions screen, as described in Section 4.10.1, "Performing Challenge Questions Related Actions."

2. In the Item list, select Reset Questions.

3. In the Canned Notes list, select the note you want to add.

   For example, you could select the Forgot Question/Answers.

4. Click Submit.

   After completing the task, you can enter a note about the actions that were taken (Section 4.12.1, "Adding Notes to Cases") and change the status of the case if necessary (Section 4.12.3, "Changing Status of a Case").

Question Reset Example

Martha calls the CSR and requests that her questions be reset since she has forgotten answers to her challenge questions.

Carl the CSR performs these steps:

1. Carl searches for Martha's logins and verifies with her about last login time and place.

2. Carl creates a case for Martha and resets her questions.

3. He asks Martha to login again and register the questions.

4. After she is done and confirms the new questions are registered, Carl goes ahead and closes the case.

4.10.3 Resetting Challenge Questions and the Question Set

Resetting the challenge question set resets the challenge questions and the question set that the customer can register questions from. The customer is informed that registration of challenge questions is required at the next log in to the Web site.

To reset a customer's challenge questions and the set of questions to pick from:

1. Open the Challenge Questions screen, as described in Section 4.10.1, "Performing Challenge Questions Related Actions."

2. In the Item list, select Reset Question Set.

3. In the Canned Notes list, select the note you want to add.

4. Click Submit.

   After completing the task, you can enter a note about the actions that were taken (Section 4.12.1, "Adding Notes to Cases") and change the status of the case if necessary (Section 4.12.3, "Changing Status of a Case").

4.10.4 Incrementing a Customer to His Next Question

If you reset the customer's next question, OAAM Admin advances the customer to the next challenge question in his list of registered questions. So if he is currently being asked question A, he is now asked question B or C. The customer is informed that he will be asked a different challenge question the next time he logs in to the Web site.

To increment a customer to his next question:

1. Open the Challenge Questions screen, as described in Section 4.10.1, "Performing Challenge Questions Related Actions."

2. In the Item list, select Next Question.

3. In the Canned Notes list, select the note you want to add.

4. Click Submit.

   After completing the task, you can enter a note about the actions that were taken (Section 4.12.1, "Adding Notes to Cases") and change the status of the case if necessary (Section 4.12.3, "Changing Status of a Case").

4.10.5 Unlocking a Customer (KBA)

When you unlock a customer, he or she is forced to register new questions and answers the next time he successfully logs in.

To unlock the customer:

1. Open the Challenge Questions screen, as described in Section 4.10.1, "Performing Challenge Questions Related Actions."

2. In the Item list, select Unlock Customer.

3. In the Canned Notes list, select the note you want to add.

4. Click Submit.

   After unlocking the user you can close the case if desired (Section 4.12.3, "Changing Status of a Case").

4.10.6 Performing KBA Phone Challenge

Users can be authenticated over the phone using their registered challenge questions. This option is not available for unregistered users or in deployments not using KBA.

To use a customer's challenge questions for phone authentication:

1. Open the Challenge Questions screen, as described in Section 4.10.1, "Performing Challenge Questions Related Actions."

2. In the Item list, select Ask Question.

3. In the Canned Notes list, select User Challenged.

   If you select User Challenged, the Notes field contains the phrase, Request for customer question, which you can edit to describe why you are taking the action.

4. Click Submit.

5. In the confirmation dialog, click OK.

   The Ask Question screen appears displaying a challenge question to ask the customer and a field to enter customer's response.

6. Ask the customer the question.

7. Enter the customer's answer in the Answer field.

8. Click Submit.

   Failure counters are used to lock out fraudsters so that they are unable to obtain the answers/questions.

   The maximum number of questions the user is allotted is 3 by default. The maximum number of attempts per question is 3 by default for phone challenges. In phone challenges the CSR enters the user's answers for him. If you enter an incorrect answer for the user, left the field blank, or closed the screen for the user, the failure counter is incremented. The same challenge question remains on the screen until the maximum number of attempts per question is reached. Then, another question is displayed.

   Since the customer is given three attempts per question, a maximum of nine attempts is allowed for the phone challenge. If a question is answered correctly, the failure counter is reset and the system automatically takes appropriate actions depending on the status such as unlocking the customer. If the customer does not provide correct answers and exceeds the maximum number of failures, he is locked out.

   Figure 4-9 Ask Question Flow

   
   

Ask Questions Example

1. Log in as a CSR and create a case for the customer and ask KBA questions through using the Ask Question case action.

   Enter the user's answers until he answers correctly or is locked out.

2. If the user answers the question correctly, inform the user he must register new questions online next time he logs in.

3. Verify reset questions works for user after asking challenge questions.

   You need to actually verify this by doing logins before and after the reset action to verify that the user is asked to register.

4.11 Enabling a Temporary Allow

To enable a temporary allow:

1. From the Cases Search page, search for an existing case for granting a temporary allow for the customer, and if it does exist, click the case number in the results table.

2. If the case does not exist, create one for the customer.

3. Click Temporary Allow on the menu bar.

4. In the Allow list, select the desired temporary allow.

   • Single Login

   • Two Hours

   • Select End Date

     If you select Select End Date, click the calendar icon and click the end date you want.

   • Cancel

     If you want to terminate an active allow for a customer, select Cancel to remove it

5. In the Canned Notes list, select the type of note you want.

6. Edit the note to add information about the action you are taking.

   For example, you can add notes about the actions taken and that the customer is on his trip for three months and should receive an exception for that time.

7. Click Submit.

Temporary Allow Example

Rita is blocked user and cannot login to bank account and is on vacation in Mexico. She needs to login in next 2 hours to transfer some money to her account since her mortgage payment is coming up. She calls Carl (CSR) and requests to let her login for next 2 hours only.

Carl performs these steps:

1. Carl searches for Rita's logins and asks her when she logged in last time and from where.

2. He crosschecks that information with session data that he sees.

3. Carl creates a case for Rita.

4. He opens that case and creates a temporary allow for Rita for 2 hours.

4.12 Performing Case Actions

You can perform the following case actions:

• Adding Notes to Cases

• Changing Severity Level of a Case

• Changing Status of a Case

• Extending Expiration

• Escalating a Case

• Escalating a CSR Case to an Agent Case

• Bulk-Editing CSR Cases

4.12.1 Adding Notes to Cases

Each time you take an action in a case you should enter a note describing why you are taking the action. The notes are saved to the case log.

To add notes to cases:

1. From the Cases Search page, search for the case from the Cases Search page.

   For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

3. Click Add Notes on the menu bar.

   The Add Notes screen appears.

   Figure 4-10 Add Notes

   
   

4. Select or enter a note.

5. Click Submit.

   If you click Cancel, the Add Notes screen is dismissed.

   If you click Submit, the notes are saved to the case log.

4.12.2 Changing Severity Level of a Case

When a case is created it is assigned a severity level to indicate its importance and allow administrators to filter cases. The severity level is shown on the Case Details page.

1. Search for the case from the Cases Search page.

   For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

3. On the menu bar, click More Actions, and then click Change Severity.

   The Change Severity screen appears.

4. In the Severity List, click the severity level you want.

   The available severity levels are High, Medium, and Low. If a customer suspects fraud, then the severity level assigned would be High. If the customer wants a different image, then the severity level assigned would be Low. You can escalate or deescalate the severity level of a case when necessary.

5. In the Canned Notes list, select the type of note you want.

6. Edit the note to add information about the action you are taking.

7. Click Submit.

4.12.3 Changing Status of a Case

Status refers to the current state of a case. The status of a case can be new, pending, or closed. OAAM Admin automatically assigns the status of New to each case when it is created. You must change the status to Pending after the case is escalated.

1. Search for the case from the Cases Search page.

   For information, see Section 4.4.1, "Searching for Cases."

2. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

3. In the menu bar, click More Actions, and then click Change Status.

   The Change Status screen appears.

4. In the Status list, click the status you want.

   You can select New, Pending, or Closed.

   Table 4-5 Case Status

   Status	Definition
   New	The status of a case when it is created.
   Pending	The status of a case that is not yet resolved.
   Closed	The status of a case when the issue is resolved.
   Escalated	The status of a case that has been escalated.

   
   

5. If status is changed to New or Pending, extend the expiration date.

6. If status is changed to Closed, enter the disposition.

7. Enter a note describing the issue.

   You can select from existing notes or enter a new note.

8. Click Submit.

   A confirmation dialog is displayed.

9. Click OK.

4.12.3.1 Changing Case Status to Pending

Pending is the status of a case that is not yet resolved. To change the case status to pending.

1. In the Navigation tree, double-click Cases.

   The Cases Search page is displayed.

2. For Case Status, select New.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click the case number of the case you want.

   The Case Details page is displayed (Figure 4-2).

4. In the menu bar, click More Actions, and then click Change Status.

   The Change Status screen appears.

5. For Status, select Pending.

6. Enter a note describing the issue.

   Select a description from the Canned Notes list or enter a new note.

7. Click Submit.

   A confirmation dialog is displayed.

8. Click OK.

4.12.3.2 Closing a Case

Closed is the status of a case when the issue is resolved. To close a case:

1. In the Navigation tree, double-click Cases.

   The Cases Search page is displayed.

2. For case status, select New or Pending.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

4. Click More Actions on the menu bar, and select Change Status.

   The Change Status screen appears.

5. For Status, select Closed.

6. Select a disposition from the Disposition list.

7. Enter a note describing the issue.

   Select a description from the Canned Notes list or enter a new note.

8. Click Submit.

   A confirmation dialog is displayed.

9. Click OK.

4.12.3.3 Authenticating Closed Cases

To authenticate a closed case:

1. In the Navigation tree, double-click Cases.

   The Cases Search page is displayed.

2. Search cases by case status Closed.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

4. Click More Actions on the menu bar, and select Change Status.

   The Change Status screen appears.

5. In the Status list, select New or Pending.

6. Extend the expiration date.

7. Enter a note describing the issue.

   You can select from existing notes or enter a new note.

8. Click Submit.

4.12.4 Extending Expiration

To extend expiration:

1. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

2. Search for the case from the Cases Search page.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

4. Click More Actions on the menu bar, and select Extend Expiration Date.

5. In the Extension list, select the length of time you want the expiration to be extended to.

6. In the Canned Notes list, click the note you want you want to add.

7. Click Submit.

4.12.5 Escalating a Case

To escalate a case:

1. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

2. Search for the case from the Cases Search page.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click the case number of the case you want.

   The Case Details page appears (Figure 4-2).

4. On the toolbar, click More Actions and then select Escalation.

   The Escalation screen is displayed.

5. In the Type list, select the type of case you want the case to be escalated to.

6. Provide notes for the case.

   You can provide notes by selecting notes from the Canned Notes list or entering notes in the Notes box, or both.

   • From the Canned Notes list, select a note to describe the reason for the escalation.

   • In the Notes box, enter notes if further details are needed.

7. Click Submit.

4.12.6 Escalating a CSR Case to an Agent Case

To escalate a case so that Investigators can review it:

1. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

2. Search for the case from the Cases Search page.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click the case number of the case you want the Investigator to review.

   The Case Details page appears (Figure 4-2).

4. On the toolbar, click More Actions and then select Escalation.

   The Escalation screen is displayed.

5. In the Type list, select Escalate to Agent Case.

6. Provide notes for the case.

   Notes are required.

   You can provide notes by selecting notes from the Canned Notes list or entering notes in the Notes box, or both.

   • From the Canned Notes list, select a note to describe the reason for the escalation.

   • In the Notes box, enter notes if further details are needed.

7. Click Submit.

   The case is escalated to an Agent case and as a CSR, you no longer have permissions to see the case.

4.12.7 Bulk-Editing CSR Cases

The Cases Search page enables you to change the severity, and status, and extend the expiration date for multiple cases at once. For example, you can close all cases more than a year old.

When the status of the case is set to New or Pending, you are able to extend the expiration. The option of changing the disposition is not available. When the status of the case is set to Closed, you can change the Disposition. The option of changing the expiration is not available.

To change the case settings for multiple cases at once:

1. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

2. Select the cases you want.

   For example, you can search cases by type, expiration, and date.

   For information, see Section 4.4.1, "Searching for Cases."

3. Click Bulk Edit Selected.

   The Bulk Edit screen is displayed.

   Figure 4-11 Bulk Edit

   
   

4. Change the case settings you want and add notes.

5. Click OK to perform the bulk edit.

   A confirmation dialog appears with a message that the bulk editing operation was performed successfully.

6. Click OK to dismiss the dialog.

Bulk Editing Example

Jackie needs to cleanup case back log.

1. She goes ahead and searches for all the expired cases and closes them all.

2. She also goes to all overdue cases and updates the status to pending again.

4.13 Configuring Expiry Behavior for CSR Cases

The default setting is for CSR cases to expire after 24 hours. After a CSR case expires, a CSR cannot access them. CSR Managers have to extend the expiration time so that the CSR can access them.

The properties for setting and disabling expiry behavior are as follows:

To set expiry behavior for CSR cases (default setting), modify the following properties:

customercare.case.expirybehavior.enum.csrcase.behavior = expiry 
customercare.case.expirybehavior.enum.csrcase.label = Expired
customercare.case.expirybehavior.enum.csrcase.durationInHrs = 24
customercare.case.expirybehavior.enum.csrcase.resetonaccess = false

To disable the expiry behavior for CSR cases, modify the following property:

customercare.case.expirybehavior.enum.csrcase.behavior = none 

Note:

You do not need to change the other parameters.

For information on modifying properties, see Chapter 28, "Using the Properties Editor."

4.14 Reporting

For information on how CSRs use the reporting functionality of Oracle Adaptive Access Manager, see Chapter 25, "Configuring BI Publisher Reports."

4.15 Multitenancy

In multitenant deployment the CSR's access is limited to only those organizations to which they are supposed to be servicing. CSRs can work with the cases that are associated to the users of only those organizations that they service. Agents do not see and work on cases for the users of other groups for which they do not have access.

4.15.1 Enabling Multitenancy

To turn on the access control in OAAM Admin for multitenant deployments, you must set the bharosa.multitenant.boolean property to true. By default, the value is set to false.

4.15.2 Changing Permissions

The Security Administrators of the OAAM application can set up access control for the CSRs. CSRs cannot change their own access permissions. Only system administrators are able to change access permissions.

4.15.3 Access to Cases

CSRs can access cases for the users of groups that they have access permissions to. They cannot access cases for the users of groups that they do not have access to Agent cases cannot be accessed by CSRs.

If multitenancy is disabled, the CSR Manager, Investigator and Investigation Manager have access to details screens (links do not appear). If multitenancy is enabled, the CSR Manager, Investigator and Investigation Manager do not have access to details screens (links do not appear). The CSR never has access to details screens.

From the Session Details page the Investigator cannot get to the Detail screens if multitenancy is on (links are disabled). Multitenant access control only applies for CSRs and Investigators. Security Administrators and System Administrators have full access to cases.

4.15.4 Searching Sessions

CSRs and Investigators can only view sessions from organizations they have access to. If Investigators have access to multiple organizations, they should be able to apply the search filters to view sessions from specific organizations. If you have access to an organization, you can search their sessions by Organization ID, Session ID, Alert Level, User Name, Device ID, IP Address, Authentication Status, and Login Time.

4.15.5 Examples of Multitenancy in OAAM

The following examples illustrate the user seeing restricted amounts of data on the customer care screens based on permissions.

Table 4-6 CSR Access

Organization	Application Users	Admin Users
Default	demouser1 demouser2 demouser3	democsr1 democsr2 democsr3
Org2	org2user1 org2user2 org2user3	org2csr1 org2csr2
Both organizations		supercsr1 supercsr2
No organization		democsrm1

In the examples, there are two organizations: default and Org2.

4.15.5.1 CSR Creates a Case

CSR named "democsr1" has permission for group "Default."

1. The CSR "democsr1" logs in to the system.

2. He selects the Organization ID, "Default."

   He can choose "Default" because he has access only to "Default."

3. He enters "demouser1" in the User Name field and other attributes.

   A case for "demouser1" is created.

   The Case Details page appears.

   • The Case Status is "Pending."

   • The Created By field shows "democsr1."

   • The Current Owner field shows "democsr1."

4. He searches for the case in the Log tab, and sees the "Create Case" action with ARM ID "democsr1."

5. A session corresponding to the case exists.

6. The CSR, "democsr1" adds notes to the case. (CSRs can add notes to a case.)

7. He goes back to the Logs tabs, and the action for the case is now "Add Notes."

4.15.5.2 CSR is unable to Create Case Successfully for Organization and Login Combination

CSR named "org2csr1" has permission for group "Org2."

1. The CSR logs in to the system.

2. The only Organization ID he can choose from is "Org2" because he has access only to "Org2."

3. He tries to create a case for "demouser1."

   • He selects the Organization ID, "Org2"

   • He enters "demouser1" as the user name.

     demouser1 is a member of "Default."

4. An error is displayed:

   "Invalid application Org2 and login demouser1 combination.

4.15.5.3 CSR is able to Create Case Successfully for Organization and Login Combination

CSR named "org2csr1" has permission for group "Org2."

1. The CSR logs in to the system.

2. The only Organization ID he can choose from is "Org2" because he has access only to "Org2."

3. He tries to create a case for "demouser1."

   • He selects the Organization ID, "Org2"

   • He enters "org2user1" as the user name.

     org2user1 is a member of "Org2."

4. The case is created successfully.

4.15.5.4 CSR Has Access to More Than One Organization ID Is Unable to Create Case

CSR named "supercsr1" has permission for groups "Org2" and Default.

1. The CSR logs in to the system.

2. Both Organization IDs "Org2" and "Default" are available from the dropdown.

3. He tries to create a case for "org2user1."

   • He selects the Organization ID, "Default"

   • He enters "org2user1" as the user name.

     org2user1 is a member of "Org2."

4. An error appears with information that he cannot choose Default as the Organization ID and create a case for a Org2 user.

4.15.5.5 CSR Has Access to More Than One Organization ID is able to Create Case Successfully

CSR named "supercsr1" has permission for groups "Org2" and Default.

1. The CSR logs in to the system.

2. Both Organization IDs "Org2" and "Default" are available from the dropdown.

3. He tries to create a case for "org2user1."

   • He selects the Organization ID, "Org2"

   • He enters "org2user1" as the user name.

     org2user1 is a member of "Org2."

4. The case is created successfully.

4.15.5.6 CSR Who Cannot Access Any Organization Tries to Create Case

CSR named "democsrm1" cannot access any organization.

1. The CSR logs in to the system.

2. He tries to create a new case, but he cannot select any Organization ID because he does not have access to any organization. He cannot create a new case with the necessary attribute.

3. When he tries a search, there are no results.

4.15.5.7 CSR Acts On Case

CSR named "org2csr1" has permission for group "Org2."

1. The CSR logs in to the system.

2. He performs a search.

   1. The Organization ID dropdown presents all the Organization IDs which he has access to.

   2. CSR selects the desired Organization IDs.

   3. CSR provides the data required for his search.

3. The results are Org2 users only.

   The CSR gets back the result which has only those cases whose users belong to group that he has access to.

4.15.5.8 CSR Views Case Details

CSR named "org2csr1" has permission for group "Org2."

1. The CSR finishes scenario "CSR Acts On Case".

2. From the search screen, CSR clicks one of the Case IDs.

   1. CSR is able to see the details of the case.

   2. In the bottom half of the tab he sees action logs for the case.

4.15.5.9 CSR Searches Sessions

CSR named "org2csr1" has permission for group "Org2."

1. The CSR finishes scenario "CSR Views Case Details".

2. From the case details page, CSR clicks Search Sessions.

   CSR is able to see only the Organization IDs that he has access to in the search query.

3. CSR selects the Organization IDs he is interested in, fills in the other data for the filters, and performs the search.

   Only the results of the sessions of the users of the groups that he has access to is shown.

4.15.5.10 Agent Creates a Case

For information, refer to Section 5.5.5, "Creating an Agent Case Manually."

4.15.5.11 CSR Searches Cases

For information, refer to Section 5.4, "Searching for Cases."

4.16 Use Cases

The following sections provide scenarios of how Oracle Adaptive Access Manager's investigation tools are used.

4.16.1 Use Case: Customer Session Search and Case Creation

Carl is Dollar Bank CSR.

Tim calls Carl because he unable to login because he is blocked.

1. Carl searches for blocked sessions by user to determine if any belong to Tim and creates a case when he finds none for Tim.

   1. Carl must search sessions for users with blocked logins.

   2. Carl must search first the session for "Tim" and see his logins history for last one month.

   3. He then must search for cases that might be there for Tim.

      Carl finds no cases for Tim.

2. Carl creates a case by choosing out-of-the-box texts for blocked login.

   Some days pass and Tim calls again to find out about the case.

3. Carl finds the case and sees that it has expired.

4. Carl escalates the case. After escalation he no longer sees the case in the search.

Jackie is CSR Manager.

1. She logs in and searches for escalated cases.

2. She finds Tim's case and views it.

3. She looks at the action logs of the case and figures who created and acted on it.

4. She adds notes to the case saying she is working on it.

4.16.2 Use Case: Reset Challenge Questions

You are Jerry, a customer service representative at Acme Corp. You answer phones at the call center and assist users with issues they may be experiencing. You received a call from Henry, a user who has forgotten the answers to his challenge questions. You must verify his personal information before you can reset his answers.

Directions: Part A: Authenticate Henry in another system by verifying personal information such as home address and last four digits of his Social Security Number. His User ID is xxxx.

Directions: Part B: Then, open a new CSR case for Henry and reset his challenge questions.

Directions: Part C: Now, close the case with a resolved disposition and notes.

1. Log in to OAAM Admin as a Customer Service Representative.

2. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

3. In another system enter Henry's User ID and verify his home address and last four digits of his Social Security Number.

4. Search open cases by user.

   Search for Henry's open cases by entering xxxx into the User ID field and selecting New, Pending, and Escalated for his case status.

   New, pending, and escalated cases do not exist for Henry; therefore, you must create a new case.

5. Create a new case.

   1. In the Cases Search page, click the New Case button.

      The Create Case screen is displayed.

   2. Enter the Henry's user name, xxxx, in the User ID field and select the Organization ID (group Henry belongs to).

   3. For severity level, select Low from the Severity Level list

      The available severity levels are High, Medium, and Low.

   4. Select Forgot question answers from the Description list.

   5. Click Create.

      The Create button is disabled until all the fields are entered.

      If invalid parameters were entered, an error message is displayed and the new case is not created.

      If you click Create, the new case is created.

      A confirmation message appears.

   6. Click OK to dismiss the confirmation message.

6. Reset Henry's questions.

   1. To reset Henry's questions, in the Case Details page, select More Actions and then select Challenge Questions.

      Authenticator uses questions as additional credentials to help prevent fraud. From the Challenge Questions screen, you can perform questions-related actions for the customer when necessary.

   2. In the Item list, select Reset Questions as the question-related action to perform.

   3. In the Canned Notes list, select Forgot Question/Answers.

   4. Click Submit to reset Henry's questions.

      When you reset a customer's challenge questions, OAAM Admin deletes the existing questions and answers and generates a new question set for customers to register from.

      A confirmation message appears.

   5. Click OK to dismiss the dialog.

7. Add notes on the case.

   Each time you take an action in a case you should enter a note describing why you are taking the action. The notes are saved to the case log.

   1. Click Add Notes on the menu bar to add notes on the case.

   2. Enter a note that Henry's challenge questions were reset.

   3. Click Submit.

      If you click Submit, the notes are saved to the case log.

      A confirmation message appears.

   4. Click OK.

8. Inform Henry that he will go through challenge questions registration (select new questions and answers from his question set) the next time he logs in.

9. Close the case with a disposition.

   1. To close the case, in the Case Details page, click More Actions and select Change Status.

      Case status refers to the current state of a case.

   2. In the Status list, click Closed.

      Closed is the status of a case when the issue is resolved.

   3. For the disposition select Issue Resolved.

   4. Select Issue Resolved from the Notes list as the note describing the issue.

      You can select from existing notes or enter a new note.

   5. Click Submit.

      A confirmation message appears.

   6. Click OK to dismiss the dialog.

4.16.3 Use Case: Reset Image and Phrase

You answer a call from Nancy, a user who does not like the virtual device personalization she registered. She would like you to change it for her. You explain that Nancy can do this herself on the User Preferences page of the Authenticator, but she insists that you reset her image and phrase.

Directions: Part A: Open a new CSR case for Nancy and reset her image and phrase. You tell her that her virtual authentication device will show a new image and phrase the next time she logs in.

Directions: Part B: Then, close the case with a resolved disposition and enter some pertinent notes.

1. Log in to OAAM Admin as a Customer Service Representative.

2. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

3. Search open cases by user.

   Perform a search by case number or by Nancy's User ID and a Case Status of Open, Pending, or Escalated to find out whether a case already exists.

   Since an open case to reset her personalization does not exist, you create a new case.

4. Open a new case.

   1. Click New Case to create a new case.

      The Create button is disabled until all the fields are entered. No fields can be left blank.

   2. Enter the required details.

   3. Click Create.

      If invalid parameters were entered, an error message is displayed and the new case is not created.

      If you click Create, a new case is created and a confirmation dialog is displayed with the Case ID number.

   4. Click OK in the Create Case confirmation dialog.

      The Case Details page for the newly created case is displayed.

5. Reset the user's image and phrase.

   1. In the menu bar of the Case Details page, select Customer Resets. The Customer Resets screen appears.

   2. In the User Item list, select Image and Phrase.

   3. In the Canned Notes list, select the type of note you want to add.

   4. In the Description field, modify the description to suit your needs.

   5. Click Submit. A confirmation dialog is displayed with the message that the customer has been assigned a new image and phrase.

   6. In the confirmation dialog, click OK.

      When you reset a customer's image and phrase, OAAM Admin generates a new image and phrase and assigns them to the customer.

6. Tell Nancy that her virtual authentication device will show a new image and phrase the next time she logs in.

7. Close the case with a disposition.

   1. In the menu bar, click More Actions, and then click Change Status.

      The Change Status screen appears.

   2. In the Status list, click Closed.

   3. For the disposition, select Issue Resolved.

   4. Enter a note describing the issue.

      You can select from existing notes or enter a new note.

   5. Click Submit. A confirmation dialog is displayed with the message that the case status was successfully saved.

   6. Click OK to dismiss the dialog.

4.16.4 Use Case: Bulk Edit CSR Cases

You are Mike, a customer service manager at Acme Corp. The company policy for CSR cases is that cases should be closed as soon as the user issue is resolved. After a month you close out any CSR cases that have been left open by mistake. Directions: Today is the end of the month, so you are going to bulk-close any cases older than 24 hours and newer than a month ago.

To bulk edit CSR cases:

1. Log in to OAAM Admin as a Customer Service Representative Manager.

2. In the Navigation tree, double-click Cases.

   The Cases Search page is displayed.

3. Search the pending CSR cases created between a month ago and yesterday.

   1. In the Case Status field, select Pending.

   2. For Created Date, enter the date and time for the last day of the previous month.

   3. For End Date, enter the date and time 24 hours ago.

   4. Click Search.

4. Select all cases and close them with a disposition and notes.

   1. Select all cases listed in the Search Results table.

   2. Click the Bulk Edit icon on the Search Results toolbar.

      The Bulk Edit screen appears.

   3. In the Status list, click Closed.

   4. For the disposition, select Issue Resolved.

   5. Enter a note that says that the case was left open by mistake.

   6. Click OK. A confirmation dialog is displayed with the message that the bulk editing operation was performed successfully.

   7. Click OK to dismiss the dialog.

4.16.5 Use Case: CSR Manager Bulk Case Edit

Carl is Dollar Bank CSR manager. He comes into work each morning and searches through the CSR cases to check on status and clean up if needed. First he runs a search for CSR cases that are expired. There are four cases with the Expired status, so Carl looks at the creation dates for each. All are more than two days old. One of them has a High severity and the last action was a Temp Allow. The other three were Low severity cases with Phone Challenge as the last action. He selects these three and closes them with a disposition of expired and resolved. Carl opens the high severity case to look at the log. He sees that the temporary allow is active for another week so he leaves the case in the expired status as a marker.

1. Log in to OAAM Admin.

2. In the Navigation tree, double-click Cases. The Cases Search page is displayed.

3. In the Expired field, select Show Only Expired.

4. In the Case Type field, select CSR.

5. Click Search

   There are four cases with the Expired status.

6. View Created Date column for the four cases in the Search Results table.

   • All are more than two days old. (View Created Date)

   • One of them has a High severity and the last action was a temp allow. (View Case Severity and Last Action Type columns.

7. Select the three cases and click Bulk Edit.

8. In the Status field, select Closed.

9. In Deposition field, select Issue Resolved.

10. In Notes, enter expired and resolved.

11. Click the Case ID for the High severity case.

12. In the Case Details page, view the log for log code and notes.

4.16.6 Use Case: CSR - Ask Questions

User "customer" is a registered user. He has not been challenged for the past 30 days and when he had to answer a challenge question, he completely forgot the answer to this question. He is sure he remembers the answers to his other questions. User answers the question incorrectly all 3 times. Before he could try it out, he is blocked. He calls customer support, and the CSR creates a case and asks challenge questions. She enters the user's answers until he answers correctly or is locked out. He answers the question correctly. He is unlocked and is able to login successfully. The CSR informs the user he must register new questions online next time he logs in. The CSR closes the case.

4.17 Best Practices and Recommendations

This section provides best practices and recommendations:

• A Fraud Investigator looks into suspicious situations either escalated from customer service or directly from OAAM Admin alerts.

• A Fraud Investigation Manager determines which cases must be given attention by his team.

• If a customer suspects fraud, then the severity level assigned is High. For example, if the customer wants a different image, then the severity level assigned is Low. Severity levels of a case can be escalated or deescalated when necessary. Anyone can change the severity of cases.