1. Securing Risk Management
  2. Required Security Update

Required Security Update

Release 24C added new security technology that introduced elements called "permission groups." Certain predefined job roles need to be updated for permission groups to be available to users of certain features. If you have custom job roles based on those predefined roles, the custom roles need to be updated as well.

If you made the updates in release 24C, you need do nothing further. If you haven't made the updates, but want to use the features they support, these are the predefined roles you may update:

  • Access Certification Administrator. The updates to this role and related custom roles are required if your organization plans to use the enhanced certifier worksheet in Advanced Access Certifications.

  • Risk Administrator, Advanced Access Controls Analyst, and Advanced Transaction Controls Analyst. The updates to these roles and related custom roles are required if your organization plans to set up EPM-ARCS as an external data source for risk analysis in Advanced Controls.

To begin, set a profile value that prepares the Security Console to work with permission groups and related objects:

  1. Click Navigator > My Enterprise > Setup and Maintenance.

  2. Expand the Tasks panel tab and click Search.

  3. In the Search Tasks field, enter Manage Administrator Profile Values. Click the Search icon.

  4. In the list returned by the search, click the Manage Administrator Profile Values item.

  5. The Search area of the Manage Administrator Profile Values page includes a Profile Option Code field. In it, enter ORA_ASE_SAS_INTEGRATION_ENABLED. Click the Search button.

  6. A record of the ORA_ASE_SAS_INTEGRATION_ENABLED profile value appears. In the row for the Site profile level, select Yes in the Profile Value field.

  7. Click Save and Close.

Next, use the Security Console to update your job roles. For procedures to edit or create a role, see two topics: Create Risk Management Roles in the Security Console and Copy or Edit Risk Management Roles in the Security Console. But add this information:

  • Search for the role you want to update and click Actions > Edit.

  • The Basic Information page now includes an Enable Permission Groups button. Click it. A dialog opens, showing the name of the role you're updating. Click its Enable Permission Groups button. If you're working with a predefined job role, that's all you need to do (apart from saving the role, of course).

    Note: The Basic Information page displays a message saying not to modify a predefined role. In general, you shouldn't. Enabling permission groups is an exception.

  • If you're working with a custom job role, there's a second step. Once you've enabled permission groups, go to the Role Hierarchy page and, in it, select the Roles and Permission Groups tab. Click Add Roles. An Add Role Membership dialog opens; use it to search for and add a duty role that contains the permission groups appropriate for the job role you're updating. You'll add one of these:

    • General Stakeholder Access (ORA_DR_GTG_GEN_RISK_STAKEHOLDER_ACCESS_DUTY), if you're working with a role that supports the enhanced certifier worksheet.

    • Risk Stakeholder Administrative Access (ORA_DR_GTG_RISK_STAKEHOLDER_ADMIN_ACCESS_DUTY), if you're working with a role that supports the use of external data sources.

  • As a result of your selecting the Enable Permission Groups option in the Basic Information page, a Permission Groups page becomes active. Don't do anything in it.

  • The Users page retains the user assignments for the job role you're updating. The effect of saving the updated role is to assign appropriate permission groups to those users. If you want to modify the user assignments, you must do so in the Users page.