1. Implementing Compliance and Regulation
  2. Setting Up Transactions

10Managing Audit Policies

Implementation Concepts for Audit Policies

This topic discusses audit configuration for business object attributes.

Audit enables tracking the change history of particular attributes of a business object. However, those objects and their attributes must be selected for audit and auditing must be enabled for that application. Your configuration settings determine which attributes to audit for a given object, and when the audit starts and ends. Auditing takes into account all the operations performed on an object and its attributes, such as create, update, and delete. To configure audit business object attributes, use the Manage Audit Policies task in the Setup and Maintenance work area.

Selecting an Application

To set up auditing, you must select a web application that contains the required business objects that can be audited. From the list of business objects, select those business objects that you want to audit. Selecting a business object also displays its attributes that are enabled for auditing.

Selecting Attributes

For each selected business object to be audited, select the corresponding attributes to include in the audit. All attributes that belong to that object are by default selected for audit and appear on the user interface. However, you can add or remove attributes from the list. When you remove an attribute from the list, you stop auditing it even when the parent object is selected for audit. So, if you want an attribute to be audited, you must add it to the list. If the object selected in an audit hierarchy is also a part of several other audit hierarchies, the attribute configuration for that object is applicable to all the hierarchies in that application.

Tip: For business objects based on flexfields, select the Flexfields (Additional Attributes) check box to view and add or remove flexfield attributes, to include or exclude them from the audit.

Starting and Stopping Audit

The business object is ready for audit after you select its attributes and save the configuration changes. However, to start auditing, the audit level for Oracle Applications Cloud must be set to Auditing on the Manage Audit Policies page.

To stop auditing an object, you can deselect the entire object and save the configuration. As a result, all its selected attributes are automatically deselected and are not audited. To continue to audit the business object with select attributes, deselect those attributes that are not to be audited. When users view the audit history for an application, they can specify the period for which they want the results. Therefore, make a note of when you start and stop auditing an application.

For example, users intend to view the audit history of an object for the previous week, but auditing for that object was stopped last month. They wouldn't get any audit results for that week, because during the entire month that object wasn't audited. Even if you enable audit for that object today, users can't get the wanted results because audit data until today isn't available.

Audit Configuration for Oracle Fusion Middleware Products

To set up auditing for Oracle Applications Cloud, select the Manage Audit Policies task from the Setup and Maintenance work area within your offering. To set up auditing for Oracle Fusion Middleware products, select the level of auditing mapped to a predefined set of metadata and the events that have to be audited. Information about configuring audit for Oracle Fusion Middleware products is provided in Oracle Fusion Middleware guides.

You can also create a configuration file and deploy it to audit a specific Oracle Fusion Middleware product. The configuration details for Oracle Fusion Middleware products are available as audit-specific assets that you can use to create the config.xml configuration file. To get a list of audit-specific assets, see Audit Events for Oracle Applications Cloud Middleware (Doc ID 2114143.1) on My Oracle Support at https://support.oracle.com.

  • Oracle Fusion Middleware Products

    Configure business objects to enable auditing in Oracle Fusion Middleware products. Refer to the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  • Oracle Fusion Security Products

    Configure business objects to enable auditing in Oracle Fusion security products. Refer to Oracle Fusion Middleware Application Security Guide.

Using Auditing to Monitor Changes

You can enable business objects to allow auditing, recording, and retrieving information about when the objects were created, modified, and removed.

Audit Policies Overview

Auditing is used to monitor user activity and all configuration, security, and data changes that have been made to an application. Auditing involves recording and retrieving information pertaining to the creation, modification, and removal of business objects. All actions performed on the business objects and the modified values are also recorded. The audit information is stored without any intervention of the user or any explicit user action.

Use audit policies to select specific business objects and attributes to be audited. The decision to create policies usually depends on the type of information to be audited and to the level of detail required for reporting.

Enabling Audit Functionality

For Oracle Applications Cloud, you must configure the business objects and select the attributes before enabling audit. If you enable audit without configuring the business objects, auditing remains inactive. By default, auditing is disabled for all applications. To enable and manage audit, ensure that you have a role with the assigned privilege Manage Audit Policies (FND_MANAGE_AUDIT_POLICIES_PRIV). For appropriate assignment of roles and privileges, check with your security administrator.

If you don't want an object to be audited, you can stop the audit process by setting the Audit Level option to None.

Auditing Public Sector Compliance and Regulation Data

You use auditing to monitor data changes that have been made to data within the Public Sector offerings.

To enable auditing for Public Sector Compliance and Regulation data:

  1. Sign in as a setup user.

  2. Select Setup and Maintenance and go to the following:

    • Offering: Select any Public Sector offering.

    • Functional Area: Application Extensions

    • Task: Manage Audit Policies

  3. In the Manage Audit Policies page, click Oracle Fusion Applications, to configure the required audits.

  4. Click Configure Business Object Attributes.

  5. On the Configure Business Object Attributes page, select Public Sector Common Components from the drop-down list of products.

    Select Public Sector Tech Stack for configuring user-defined business object attributes generated by your intake forms. See Auditing Custom Object Data.

  6. Select from the list of objects in the Audit Name column:

    Objects Category

    Parent Object

    Child Object

    Fees

    Fee Transactions

    (None)

    Fee Schedule

    Fee Schedule

    Fee Items

    Permits, Planning and Zoning, and Business Licenses

    Common Transaction Data

    • Business Licenses Data

    • Business Tax Related Data

    • Permits and Planning and Zoning Data

  7. In the Audited Attributes area, click the Add icon.

    The Select and Add Audit Attributes dialog box opens.

  8. Select the desired attributes.

  9. Click OK.

    The selected attributes are displayed in the Audited Attributes area.

  10. Click Save.

Related Topics

Auditing Custom Object Data

You can use Oracle Fusion Applications auditing features to configure auditing for user-defined business object attributes generated by your intake forms.

This topic describes how to:

  • Configure business object attribute auditing for specific transaction types.

  • Run an audit report for specific transaction types.

You use the Oracle Fusion Applications auditing features to set up auditing for Public Sector Compliance and Regulation business objects.

Transaction-Specific Auditing Scope

A specific transaction type, such as a permit or a planning application are the business objects you can audit. Each transaction type, such as a permit, contains a limited set of fields that you can audit, which include:

  • User-defined fields. These are the fields you added manually to your intake form.

  • Fields from the base view object for that transaction type. These fields are the same for all transaction types, and they appear in the attributes list regardless if they appear in the intake form or not.

The transaction types included for custom object auditing are:

  • Permits

  • Planning and Zoning

  • Business Licenses

Note: You will see Code Enforcement business objects in the list, but these objects are not supported for auditing at this time. You can select them but the attributes list will be empty.

You can audit other aspects of transaction data, such as changes to fee schedules and fee items, which is discussed in another topic. For more information, see Auditing Public Sector Compliance and Regulation Data.

Note: The fields added to your intake forms by the field groups you’ve added are not currently available to be audited. Fields added to the intake form by field groups reside in a child table to the base view object for the transaction type. Auditing fields in child tables is not currently supported.

To determine what fields in a specific transaction are able to be audited, you can use any REST client to submit a describe for that transaction type. For example, you can send a GET request using the following URL:

https://servername.fa.us2.oraclecloud.com/fscmRestApi/resources/11.13.18.05/LNPFENCEPERMIT_c/describe

Where FENCEPERMT is the name of the transaction type. LNP is prepended and _c is appended automatically by the Intake Form Designer.

The attributes appearing in the returned payload of the describe that can’t be audited appear within the FieldGroups section. For example:

“FieldGroups” : {
         “discrColumnType” : false, 
			“title” : “Permit Details”,
			“attributes” : [ {
			...

Configuring Business Object Attribute Auditing for a Specific Transaction Type

Note: Before you can begin setting up auditing for a specific transaction type, the intake form needs to be published.

To configure auditing for a specific transaction type:

  1. Access Functional Setup Manager.

  2. Open your licensed offering from the Setup list, such as Public Sector Permits or Public Sector Planning and Zoning.

  3. Select the Application Extensions functional area, and click the Manage Audit Policies task.

    Note: You can use the Search Tasks feature as well to navigate to the Manage Audit Policies task.

  4. On the Manage Audit Policies page, locate the Oracle Fusion Applications group box.

  5. To enable auditing, set Audit Level to Auditing.

  6. Click Configure Business Object Attributes.

  7. On the Configure Business Object Attributes page, select Supply Chain Management Common Components from the Product drop-down list, and expand the FscmCustomReferenceAuditAM node.

    Note: The Public Sector Compliance and Regulation offering resides in the Oracle Fusion Applications Financials and Supply Chain (FSCM) database. When searching for Public Sector Compliance and Regulation custom business objects, you will find them within the Supply Chain Management Common Components section. If you are also an Oracle FSCM customer, you will see FSCM business objects mixed with your Public Sector Compliance and Regulation products within the FscmCustomReferenceAuditAM node.

  8. Click the business object for which you want to configure auditing.

    The business object name is the same as your transaction type code, such as the Permit Type value on the Permit Type page.

  9. With the business object selected, select Actions > Create in the Attribute column on the right.

  10. In the Select and Add Audit Attributes dialog box, select the attributes you want to audit.

    Note: The attributes available are limited to the base view object values and the custom fields you have added to your form.

  11. Click OK.

  12. Save your changes.

For more information, see the Oracle Fusion Applications documentation on business object auditing.

Running an Audit Report

To run an audit report:

  1. Select Navigator > Tools > Audit Reports.

  2. For Date, specify a date or date range for your audit report.

  3. Select Supply Chain Management Common Components from the Product drop-down list.

  4. From the Business Object Type drop-down list, select the permit type name for which you enabled auditing.

  5. Use the Date, User, and Event Type criteria to refine your search, as needed.

  6. Click Search.

For more information see the Oracle Fusion Applications documentation for audit reports.

Viewing Audit History

You use audit history to view changes to the application data such as the business objects that were created, updated, and deleted.

Before you begin, you must have a role with the assigned privilege View Audit History (FND_VIEW_AUDIT_HISTORY_PRIV). For appropriate assignment of roles and privileges, check with your security administrator.

To view the Fee Schedule audit history or to create a report:

  1. To open the Audit History work area, select Setup and Maintenance > Navigator > Tools > Audit Reports.

  2. Enter the following search values:

    Audit Reports Search Field

    Value

    Date

    Enter the date for the audit results you want to see.

    Product

    Select Public Sector Common Components.

    Business Object Type

    • Fee Transactions

    • Fee Schedule

    • Common Transaction Data

  3. Select the option to Include child objects.

The default search displays a summary of the audit history in the search results table. It includes key data such as date, user, product, event type, business object type, and description. For a detailed report, search again with modified search criteria. You can export the report summary to Microsoft Excel.

Search Parameter

Result of Selection

Business Object Type

Note: This parameter is applicable only for the business objects that belong to Oracle Applications Cloud.

  • Narrows the search results to that specific business object within the selected product.

  • Enables the Show Attribute Details check box.

Include Child Objects

Displays all the child objects that were listed for that business object when audit was set up. For example, a sales order object that contains several items as child objects.

Note: Displays the objects at the immediate parent-child level only. To view the children at subsequent levels, select the child object as the business object type and search again.

Show Impersonator

Displays the details of the impersonator who modified the objects during an impersonation session.

Show Attribute Details

Enables the attribute list so that users can select either all attributes or a specific attribute to view the changes. Based on the selection, the search results indicate whether the attribute is created, updated, or deleted, and the corresponding old and replaced values.

Show Additional Object Identifier Columns

Displays the instances (contexts) in which the business object was used. The context values identify the objects and the transactions in which they were used. Each context is unique and assigns a unique description to the business object.
Note: The default report displays a standard set of columns that contain prominent details of the audit history. To view additional details, you can change the display of columns.