Set Up Data Sources

Access models and controls can analyze data from two data sources, Oracle Cloud and EPM-ARCS.

  • The Oracle Cloud data source supplies information about assignments of roles or privileges that grant access to Oracle Fusion Cloud applications.

  • The EPM-ARCS data source supplies information about assignments of roles that grant access to Oracle Enterprise Performance Management Account Reconciliation.

You don't have to do anything to set up the Oracle Cloud data source; it's available by default. To use the EPM-ARCS data source, however, you must establish a connection to your EPM-ARCS server. You must also run an External Access Synchronization job, which brings in data about user-role assignments in EPM Account Reconciliation.

One step in connecting to your EPM-ARCS server is to provide authentication details, and those details depend on which of two authentication protocols you use:

  • You can use a basic authentication protocol for any EPM deployment.

  • You can use an Open Authorization 2.0 (OAuth2) protocol, but only if you deploy EPM in Oracle Cloud Infrastructure (OCI) and pair the EPM instance with an Oracle Identity Cloud Service (IDCS) instance. This protocol is recommended for production.

In either case, you'll use a setup page to provide authentication details for the data source. Before you begin the setup procedure, you should determine what these values are. You may need to consult with your EPM-ARCS system administrator.

If you use the basic protocol, authentication details include the following four values:

  • API Credentials > User Name: The name for a user account set up in the EPM system. This user must have the Service Administrator role. Risk Management uses this account to connect to EPM-ARCS to fetch data for analysis.

  • API Credentials > Secret Key: The password paired to the User Name. This password may be subject to expiration. If so, update it when it expires, then rerun the setup procedure, entering the new password value as you do.

  • Authorization > Protocol Type: The correct protocol type is Basic authentication.

  • Authorization > Host: The https URL of the EPM-ARCS server.

If you use the OAuth2 protocol, provide the following values.

  • API Credentials > API Key: The client ID for the REST client application registered in the IDCS system.

  • Authorization > Protocol Type: The correct protocol type is Open authorization 2.0. It's the default value.

  • Authorization > Authorization Scope: The authorization scope for the EPM instance.

  • Authorization > Host: The https URL of the EPM-ARCS server.

  • Authorization > Token URL: The token URL for the IDCS instance paired with the EPM instance. For IDCS this value is the base URL, with the following value added: /oauth2/v1/token

  • Authorization > Grant Type: The correct grant type is JWTAssertion. It's the default value.

  • Ignore any other fields in the API Credentials and Authorization sections of the setup page.

If you use the OAuth2 protocol, you must also use an Assertion section of the setup page to specify two values, a Client Assertion and a User Assertion. You can, but typically shouldn't, supply these assertion values directly. Instead, you can supply values in the following five fields, from which the application generates the assertions.

  • Assertion > User Name: The name for a user account set up in the EPM system. This user must have the Service Administrator role. Risk Management uses this account to connect to EPM-ARCS to fetch data for analysis.

  • Assertion > Key Alias: The alias for the public certificate imported into IDCS.

  • Assertion > Audience List: The audience list value for generating OAuth2 assertions. For IDCS this value is: https://identity.oraclecloud.com/

  • Assertion > Public Certificate: The public certificate value imported into IDCS for validating OAuth2 assertions.

  • Assertion > Private Key: The private key value for generating OAuth2 assertions.

More about these assertions:

  • The application saves the two assertion values, but not the other values, in the Fusion credential store. The assertion values eventually expire. By default, they remain in force for one year. To create new assertions, you would rerun the setup procedure and reenter all of the required values. The application doesn't save those other values because they're considered to be sensitive data.

  • You would supply the assertion values directly, in the Client Assertion and User Assertion fields, only if you want to change the default behavior of the assertions, for example by designating a shorter time until expiration. In that case, you would have to create the assertions yourself. You can use a tool called OpenSSL to do so. However, this requires an in-depth understanding of OpenSSL and assertions.

  • If you supply the two assertions, leave the other five fields blank. If you supply values in the other five fields, leave the two assertion fields blank.
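
The following script is an added example, not part of the original documentation or Oracle's own tooling. It shows how a signed assertion with a shorter lifetime could be built and checked with OpenSSL. The claim layout (a kid header carrying the key alias, plus sub, iss, aud, iat and exp claims), the function names, and the sample user, client ID and alias are assumptions; the key is a throwaway generated for the demo.

```shell
#!/usr/bin/env bash
# Added example: build and verify an RS256-signed JWT assertion with OpenSSL.
# Assumed layout: "kid" header plus sub/iss/aud/iat/exp claims; confirm against IDCS docs.

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

b64url_dec() {   # restore the stripped padding, then decode
  local s; s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# make_assertion SUB ISS AUD KEY_ALIAS TTL_SECONDS PRIVATE_KEY_FILE
# Values are placed in JSON unescaped, so they must not contain quotes or backslashes.
make_assertion() {
  local now hdr pl sig
  now=$(date +%s)
  hdr=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$4" | b64url)
  pl=$(printf '{"sub":"%s","iss":"%s","aud":["%s"],"iat":%d,"exp":%d}' \
       "$1" "$2" "$3" "$now" "$((now + $5))" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$6" -binary | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# verify_assertion JWT PUBLIC_KEY_FILE: status 0 only if the signature is valid
verify_assertion() {
  local tmp rc
  tmp=$(mktemp)
  printf '%s' "${1##*.}" | b64url_dec > "$tmp"
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" -signature "$tmp" >/dev/null 2>&1
  rc=$?; rm -f "$tmp"; return "$rc"
}

# assertion_lifetime JWT: prints exp - iat in seconds
assertion_lifetime() {
  local pl iat exp
  pl=$(printf '%s' "$1" | cut -d. -f2 | b64url_dec)
  iat=$(printf '%s' "$pl" | sed 's/.*"iat":\([0-9]*\).*/\1/')
  exp=$(printf '%s' "$pl" | sed 's/.*"exp":\([0-9]*\).*/\1/')
  echo $((exp - iat))
}

# Demo: throwaway key and constructed names; one-hour lifetime instead of the default year
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
JWT=$(make_assertion "svc_admin_example" "example-client-id" \
      "https://identity.oraclecloud.com/" "example-alias" 3600 "$WORK/key.pem")
verify_assertion "$JWT" "$WORK/pub.pem" && echo "valid for $(assertion_lifetime "$JWT")s"
```

Checking the signature and the exp minus iat interval before pasting an assertion into the setup page catches a mismatched key or an unintended lifetime early.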

Complete these steps to set up your EPM-ARCS data source:

  1. Navigate to Risk Management > Setup and Administration > Advanced Controls Configuration.

  2. Expand the Manage Other Data Sources panel, and locate a row for the EPM-ARCS data source. It displays a Not set up status badge. Click the Set Up button in this row.

    Note: The Advanced Controls Configuration page displays rows for the EPM-ARCS data source and for other external data sources. All but EPM-ARCS are considered to be in an early-adopter state; work with Oracle Product Management to connect to any of them. Only the EPM-ARCS data source is generally available.

  3. An Enter Authentication Details page opens. In it, a Protocol Type field defaults to the value Open authorization 2.0. Accept that value if you use the OAuth2 protocol; if not, select Basic authentication. Depending on your selection in the Protocol Type field, the page presents fields appropriate for your protocol. In either case, enter the authentication details you've determined are correct for your EPM-ARCS data source.

  4. Click the Test Connection button. When a message confirms that your authentication details are valid, click the Update button.

  5. The focus returns to the Advanced Controls Configuration page. Expand the Manage Other Data Sources panel once again. In the row for the EPM-ARCS data source, the status badge now reads Not started.

    Click the EPM-ARCS row. With that row selected, expand the More Actions menu near the top of the Manage Other Data Sources panel. Click its Run Access Sync option. (This runs the External Access Synchronization job.)

  6. A message displays a job number. Make a note of the number and close the message. Click the Monitor Jobs tab and locate the row for your job number to track the progress of the job.

  7. When the job has finished running, click the Advanced Controls Configuration tab again. In the Manage Other Data Sources panel, confirm that the badge in the EPM-ARCS row now reads Completed.

Once the synchronization is complete, fields in the data-source row show the dates and times of the most recent successful and attempted synchronizations. (Initially these dates and times are the same, but they may differ if a later job run results in errors.) The last-attempt-date field also provides a link to job details.

Complete Additional Tasks

After setup is complete, you can create a synchronization schedule, and you can set data-source preferences. Begin by selecting the EPM-ARCS row in the Manage Other Data Sources panel, then expanding the More Actions menu near the top of the panel.

You're expected to run the External Access Synchronization job regularly. The recommended frequency is once per day. As time passes, this captures information about role assignments to new users and changes in role assignments to existing users. You can create a schedule on which the job runs automatically.

  1. In the More Actions menu, click Schedule Access Sync.

  2. A Schedule Parameters dialog opens. In it, enter values that set the name of the schedule, its start date and time, the intervals at which the job should run, and an end date (if any).

  3. Click the Schedule button.

You can instead click the Run Access Sync option in the More Actions menu. This runs the sync job immediately, but doesn't affect the schedule if you've set one. The job runs again when its schedule next determines that it should.

To set other options, click Set Data Source Preferences in the More Actions menu. A Set Data Source Preferences dialog opens. In it, you can:

  • Change the name of the data source. Enter a new name in the Data Source field. The new name replaces the text "EPM-ARCS" as the data source name in the Other Data Sources panel.

  • Choose default business objects. A user who creates a model selects business objects for it; they provide data for the model to evaluate. Each data source has its own set of three business objects for access analysis. In the page to create a model, the business objects for one data source are available by default. You can designate the business objects for the EPM-ARCS data source to be the defaults. If you don't, the Oracle Cloud business objects are the defaults.

    To designate the EPM-ARCS objects as the defaults, click the Default access business objects check box in the Set Data Source Preferences dialog. Then click the OK button. To restore Oracle Cloud business objects as the defaults, repeat these steps but clear the Default access business objects check box.

  • Inactivate the data source. In the Set Data Source Preferences dialog, clear the Active check box next to the Data Source field, then click the OK button. The application informs you of any models, controls, or other objects that depend on the EPM-ARCS data source being active. The authentication details entered during data-source setup remain valid. To reactivate the data source, click the Active check box.