Set Up Data Sources

Access models and controls can analyze data from two data sources, Oracle Cloud and EPM-ARCS.

  • The Oracle Cloud data source supplies information about assignments of roles or privileges that grant access to features of Oracle Fusion Cloud applications.

  • The EPM-ARCS data source supplies information about assignments of roles that grant access to features of Oracle Enterprise Performance Management Account Reconciliation.

You don't have to do anything to set up the Oracle Cloud data source; it's available by default. To use the EPM-ARCS data source, however, you have to set it up. This involves establishing a connection to your EPM-ARCS server and running an External Access Synchronization job, which brings in information about user-role assignments in EPM Account Reconciliation.

One step in connecting to your EPM-ARCS server is to provide authentication details, and those details depend on which of two authentication protocols you use:

  • You can use a basic authentication protocol for any EPM deployment.

  • You can use an OAuth2 protocol, but only if you deploy EPM in Oracle Cloud Infrastructure (OCI) and pair the EPM instance with an Oracle Identity Cloud Service (IDCS) instance. This protocol is recommended for production.

In either case, you'll provide values that are specific to your implementation. Before you begin the setup procedure, you should determine what these values are. You may need to consult with your EPM-ARCS system administrator.

If you use the basic protocol, authentication details include the following three values:

  • User Name: The name for a user account set up in the EPM system. This user must have the Service Administrator role. Risk Management uses this account to connect to EPM-ARCS to fetch data for analysis.

  • Secret Key: The password paired to the User Name. This password may be subject to expiration. If so, update it when it expires, then rerun the setup procedure, entering the new password value as you do.

  • Host: The https URL of the EPM-ARCS server.

If you use the OAuth2 protocol, provide the following values. (You may want to work with the IDCS administrator to determine the first four of these values.)

  • API Key: The API key for the REST client application registered in the IDCS system.

  • Public Certificate: The public certificate value for validating OAuth2 assertions.

  • Key Alias: The key alias for the public certificate imported into IDCS.

  • Private Key: The private key value for generating OAuth2 assertions.

  • Authorization Scope: The authorization scope for the EPM instance.

  • Token URL: The token URL for the IDCS instance paired with the EPM instance.

  • Host: The https URL of the EPM-ARCS server.

  • User Name: The name for a user account set up in the EPM system. This user must have the Service Administrator role. Risk Management uses this account to connect to EPM-ARCS to fetch data for analysis.

  • Audience List: The audience list value for generating OAuth2 assertions.

Here are some further considerations about requirements for the OAuth2 protocol:

  • Two values, a client assertion and a user assertion, must exist. They're used to fetch an OAuth2 access token. You can, but typically should not, supply these assertion values directly. When you don't, the application generates the assertions. To do so, it uses the values you supply in the User Name, Key Alias, Audience List, Public Certificate, and Private Key fields.

  • The application saves the two assertion values, but not the other values, in the Fusion credential store. It doesn't save the other values because they're considered to be sensitive data. The assertion values eventually expire. By default, they remain in force for one year. To create new assertions, you would rerun the setup procedure, and would reenter all of the required values to do so.

  • You would supply the assertion values directly (in Client Assertion and User Assertion fields) only if you want to change the default behavior of the assertions, for example by designating a shorter time until expiration. In that case, you would have to create the assertions yourself. You can use a tool called OpenSSL to do so. However, this would require you to have an in-depth understanding of OpenSSL and assertions.
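The shorter-lived assertion described in the last bullet, sketched with OpenSSL as an added example (not Oracle's code or part of the original page). It assumes the assertions are RS256-signed JWTs carrying the standard RFC 7523 claims; the key alias, user name, client ID and audience values are constructed placeholders, and the exact claims your IDCS instance expects should be confirmed with its administrator.

```bash
# Added example: sign a short-lived RS256 JWT assertion with OpenSSL, then check it.
# Claim names follow RFC 7523 (an assumption); all values are constructed placeholders.

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_dec() {  # decode base64url from stdin, restoring the stripped padding
  local s; s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_assertion KEYFILE KEY_ALIAS SUBJECT ISSUER AUDIENCE LIFETIME_SECONDS
make_assertion() {
  local now header claims sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$2" | b64url)
  claims=$(printf '{"sub":"%s","iss":"%s","aud":["%s"],"iat":%d,"exp":%d,"jti":"%s"}' \
    "$3" "$4" "$5" "$now" "$((now + $6))" "$(openssl rand -hex 16)" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# verify_assertion PUBKEYFILE JWT: exit status 0 only if the signature is valid
verify_assertion() {
  local sigfile rc
  sigfile=$(mktemp)
  printf '%s' "${2##*.}" | b64url_dec > "$sigfile"
  printf '%s' "${2%.*}" |
    openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  rc=$?; rm -f "$sigfile"; return "$rc"
}

# assertion_lifetime JWT: print exp - iat in seconds, read from the claims segment
assertion_lifetime() {
  local claims iat exp
  claims=$(printf '%s' "$1" | cut -d. -f2 | b64url_dec)
  iat=$(printf '%s' "$claims" | sed -n 's/.*"iat":\([0-9]*\).*/\1/p')
  exp=$(printf '%s' "$claims" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  echo "$((exp - iat))"
}

# Throwaway key pair for the demonstration only; it is deleted when the script exits.
workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT
openssl genrsa -out "$workdir/private.pem" 2048 2>/dev/null
openssl rsa -in "$workdir/private.pem" -pubout -out "$workdir/public.pem" 2>/dev/null
# One-day user assertion instead of the one-year default described above.
jwt=$(make_assertion "$workdir/private.pem" "example-key-alias" "epm_svc_admin" \
  "example-client-id" "https://idcs.example.invalid/" 86400)
verify_assertion "$workdir/public.pem" "$jwt" && echo "lifetime: $(assertion_lifetime "$jwt")s"
```

Checking the signature and the lifetime locally before pasting an assertion into the Client Assertion or User Assertion field catches a mismatched key pair or a wrong expiration before the Test button does.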

Complete these steps to set up your EPM-ARCS data source:

  1. Navigate to Risk Management > Setup and Administration > Advanced Controls Configuration.

  2. In the Manage Other Data Sources panel, a row for the EPM-ARCS data source displays a Not set up status badge. Click the Set Up button in this row.

  3. An EPM-ARCS page opens. In it, a Protocol Type field defaults to the value Open authorization 2.0. Accept that value if you use the OAuth2 protocol; if not, select Basic authentication. Depending on your selection in the Protocol Type field, the page presents fields appropriate for your protocol. In either case, enter the authentication details you've determined are correct for your EPM-ARCS data source.

  4. Click the Test button. When a message confirms that your authentication details are valid, click the Update button.

  5. The focus returns to the Advanced Controls Configuration page. In the Manage Other Data Sources panel, the badge in the EPM-ARCS row now reads Not started. Click the Run Sync button. (This runs the External Access Synchronization job.)

  6. A message displays a job number. Make a note of the number and close the message. Click the Monitor Jobs tab and locate the row for your job number to track the progress of the job.

  7. When the job has finished running, click the Advanced Controls Configuration tab again. In the Manage Other Data Sources panel, confirm that the badge in the EPM-ARCS row now reads Completed.

Once the synchronization is complete, fields in the EPM-ARCS row show the dates and times of the most recent successful and attempted synchronizations. (Initially these dates and times are the same, but they may differ if a later job run results in errors.) The last-attempt-date field also provides a link to job details.

After setup is complete, you're expected to run the External Access Synchronization job regularly. The recommended frequency is once per day. As time passes, this captures information about role assignments to new users and changes in role assignments to existing users. You can create a schedule on which the job runs automatically.

  1. In the Manage Other Data Sources panel, select the EPM-ARCS row.

  2. Click the Schedule button.

  3. Enter values that set the name of the schedule, its start date and time, the intervals at which the job should run, and an end date (if any).