How to upgrade Oracle GRC, AACG – practical steps

Oracle GRC upgrade
Upgrade Oracle GRC

Don’t lose SoD controls as you upgrade EBS and beyond.

This post is going to discuss how upgrading to Oracle e-Business Suite R12.2 impacts controls and what are some of the things to look out for if you are using Oracle GRC (AACG, CCG, TCG, PCG) today. It will also discuss some of the upgrade considerations as you move to 12.2. Access management, and continuous controls monitoring are the key areas where ‘legacy’ Oracle GRC provides value to you today.

If we think about the R12 journey, Oracle introduced 12.1 in 2009. The latest version, as of September 2020 is 12.2.10. Premier support for 12.1 is ending in 2021. However, 12.2 will continue until 2030. This factor is driving a number of EBS customers to plan their upgrades and take advantage of some of the benefits for 12.2.  Staying compliant with the latest supported version is important for financial reporting, operations and IT in general.

What are some of the enhancements that are driving customers to upgrade, besides just the support issue?

There are several functional innovations that you may want to evaluate as you consider moving forward to create a higher return on investment than just the ‘lift and shift.’ Some of the functional benefits include: the ability to do more predictive analysis, the ability to extend some of your applications to cloud. If you're not ready to move to the cloud, you may want to consider some of the integration with cloud applications. A number of EBS clients are considering recruitment or talent management in the cloud first and then depending on success and adoption will move more and more to the cloud. It's a good interim step, especially for organisations that have mandates to maintain their own data centres or their own control over their data. There's also a lot of mobile and mobile service, that makes it a better user experience. Customers will see more HTML pages versus the legacy forms that 11i was built on. It has a similar look and feel to Oracle ERP Cloud. It's a good way to gently move customers onto a modern platform, without having to completely lift and shift to the cloud.

There are significant operational efficiencies. Functional and overall UI changes while they're important, don't impact as much the decision to move as does the operational efficiency. Online patching is the big change. With online patching, you don't have to have as much downtime, you can keep running your environment and patch up, but you do have to prepare for that. You do have to upgrade some middleware etc… Application management and cost to managing the application goes down. You can improve your testing as a result of that as well as modernize your IT infrastructure as part of this process.

There are many benefits of moving to 12.2 beyond just the supported platform. Online patching also allows for business continuity, the ability to continuously run the business. As we are more global and more connected this enables users to continue operating in different time zones, for example, while your applications are patched. Log time is very limited, therefore the amount of time it used to take, DBAs can actually work during peak hours when they're most productive. It's more predictable. You can manage your patching process. Our clients have really good SDLC controls or Lifecycle Management controls. However, unfortunately, most of them are manual. Organizations have monthly or weekly meetings to decide what patches to put into the system and what impact that has. That can really slow things down. As year-end approaches, many clients go into a dark period where they don't really make any changes to the system, for the risk of impacting financial reporting – there are freezes on patches and so forth. It makes it very difficult when a problem occurs during those windows. With 12.2. it makes it easier for you to deal with change and adopt a more agile approach to change management while maintaining those controls that are so important for financial reporting and overall reporting in operations and IT in general. Once you consider the benefits, it makes a strong case to move forward.

Oracle EBS 12.2 Architecture

Database support  is for 11G R2. It has significant benefits in terms of scalability, portability, and tolerance. Most of the changes are in the middleware where WebLogic Server and related JSP and listeners become part of the core technology for Oracle. These were optional if you recall in 12.1 and previous. You could use Tomcat and many customers have already converted to WebLogic. Oracle GRC, also supports WebLogic but you have to make sure the versions are compatible. This change enables you to build a more scalable model that you can roll out your applications for many other use cases, or users, to really move transform your business to more of a digital business. That’s the benefit you get by having a more robust and scalable middleware.

GRC Controls/ Advanced Controls

GRC controls are basically application controls that automate some of the activities within e-Business Suite to help you mitigate risks. Application Access Controls is probably the most popular product that was adopted by Oracle on- premise customers over the past 10 or 12 years. This enables you to find segregation of duty violations and other risks in your access and entitlements. It helps you determine what users can do, and what type of transaction activities they can perform. For example, can they create a supplier and pay suppliers? A potential risk that violates your segregation of duty policies. 

The next most popular product that was adopted by e-Business Suite customers is Configuration Controls. Configuration controls enabled you to maintain that change management process that's so important to safeguard the process integrity itself. The way the process flows through an application is based on how you configure that application. Three-way match is one of the parameters or controls that you have. When you configure that in e- Business Suite, and you run your procure to pay cycle, and then run the transactions, if the control is violated, in other words, invoice doesn't match the PO and receipts, the system will automatically put that on hold or require you to force prove that. The main point is that configurations are very important for the integrity of the process. Many of our customers have implemented that to streamline their change management process, for example, going from dev, test and prod, they have used this capability to compare results between dev and test, test and prod so that when they apply patches or renew the upgrade, they run what's called a snapshot before and after. It also supports continuous monitoring - being able to see all changes to supplier bank accounts, because Oracle only records the last change through the record detail in the table. This gives you that audit ability without having to turn on the complete audit trail in the database, which is obviously very costly and impacts performance. You cannot put audit on transaction tables generally without losing significant performance. These two products were acquired by Oracle in around 2008. It's been a long journey and they’ve seen their life extended several times.

Transaction controls is probably less popular, but we do see a lot of customers still using it. It's metadata driven as well like configuration monitor. This looks for risky transactions or suspicious transactions such as similar invoice numbers, similar payment dates and to identify duplicate payments. We had the honor of working with the state of Pennsylvania in the US and helped them save $30 million, leveraging some of the capabilities and technology of big data that's behind transaction controls.

Preventive controls was a popular product in the early days, especially on 11i platform before Oracle had advanced capabilities that aren't personalizations that were introduced in 12. The only drawback for this product is that it only works with the legacy forms, it does not work with HTML. But where it works, it has significant advantages because it can basically put the transactions on hold, such as duplicate invoices, then send a workflow to an approver to review that anomaly/transaction in the system. If the approval is granted, then the hold is released. It's a very powerful tool, especially the flow capability or the approval capability that you can build into your application to really put preventive controls in the application in the process, which are much better than having to detect a risk and then remediate. If you can prevent the risk in the in the first place, that's much more powerful. But unfortunately, it only works on forms. With 12.2, we see less and less forms which becomes a challenge.

These are the four products that most Oracle e-Business suite customers have adopted over the last 10 years in various degrees depending on their business risks. SafePaaS had the chance to help many of those customers implement Oracle GRC software therefore this is one of our core competencies and expertise we possess.

What has happened since?

Most of these products came to general availability back over a decade ago. Premier support ended some time ago, which is not alarming. The newer releases such as Access Controls Governor was in September 2016 when the premier support ended. The same thing with configuration controls and transaction controls. Preventive control actually ended a little bit sooner in 2015. We saw a big drop in usage, but many customers still use it because of the benefits it provides - a couple of customers are still implementing preventive controls. There are some challenges but what's happened since then is as these products have gone into the sustaining support. The level of support from Oracle is limited to severity one. If you have a production system that is unable to operate, for example, your preventive control is not working, the approval workflow is not working and it's impacting your business, Oracle will respond to a severity one, but there are no enhancements. If you know Oracle Support policy, there have been no enhancements for the past three years in any of these products and four years for the case of Preventive Governor. That's the concern that customers have today that your EBS is supported till 2030 or beyond, but your GRC support ended some three years ago, and the indefinite support is limited.

How does this impact your infrastructure?

Access control and transaction controls both sit on a separate environment. The middleware or the application server required for that is WebLogic which is good news or it works also for Tomcat.

One thing to do when you upgrade to 12.2 is to take a look at your infrastructure. You want to make sure that your application server after the upgrade is also upgraded so that you can leverage the latest platform from Oracle and the same thing with database. Take a look at the compatibility matrix from Oracle and make sure if you're using a database cluster, that you don't get yourself in a position where your database for AACG and TCG can no longer work with your database cluster for EBS.

Configuration controls has got its own presentation layer, just like just like AACG and TCG and it has its own database. So again, the same considerations or assessments around infrastructure should take place. Many times people assume that these products somehow sit inside EBS, but they don't, they have their complete infrastructure. There's a cost to maintaining that infrastructure and making sure they're in the current levels. Your DBAs will ask if they can leverage the clustering capabilities in the new database and put them all in one database. That doesn't work, the compatibility levels are different. You have to ensure that you maintain that segregation within this infrastructure.

AACG: Update Entitlements and Access Points

How to do impact analysis before the upgrade. 

Procure to Pay AACG

In the case of AACG, this is how you would set up an AACG segregation of duty control. You pick a process such as procure to pay, you identify a risk, ie. creating a policy, create payments and create suppliers - you don't want the same person to be able to create a supplier and pay them because that creates fraud risk, financial fraud risk, and also can create other risks, for example, financial misstatement risk, which is very important to our clients. Now that policy is basically driven off these entitlements - creating a payment or creating a supplier is an entitlement, which makes up the policy. The entitlement is made up of access points. Access points are, in most cases for Oracle e-business customers, functions. These functions like payment, action payment, batch sets, payments, are then mapped into these technical functions. That's how you create a policy. If you're running AACG today, you may have 50 or 100 policies. They’re based ultimately on these functions in Oracle R12.1. Now we have done the analysis, when you go to 12.2, you get hundreds of new functions. One thing we look for in audit and your auditor will look for is a completeness test. your auditor will point out that even though you're running this control for 12.1, it’s no longer effective for 12.2, because you have not done the full analysis of all the new entry points or access points that have been introduced in the modules for the sake of additional functionality, UI capabilities, etc…. Let's say there's a new way now to be able to create a payment off a mobile device through a project. You have people in the field that are taking in payments, and you have a mobile device, that's a new function. Mobile and IoT are coming into the application with new functionality. Functionality means new function. If you've missed that, that means you're missing out on the risk. You'll fail a completeness test for your audit. Be sure to go and review those and not just lift and shift these rule sets. That takes some effort to get that right. It’s better to do it early on rather than wait for the auditors to bring in their auditors and find these kinds of issues because remediation can be costly and reputational risk is usually associated with that, too.

The way you do that in AACG is you would go to these access points, for example, invoices and look for what functions are currently mapped to an access point and which additional functions have been introduced to be able to do, for example, mobile invoices. Being able to search for all the invoice functions, and then attach them. Be sure you do this as soon as you have 12.2.8 or 12.2.9, whatever you're planning to upgrade to, or anything in the future and make sure you update your entitlements, because Oracle is not going to provide you those entitlements. That's checklist number one.

CCG Metadate Update for Oracle EBS R12.2 Tables

CCG basically is your snapshot comparison and change tracking. It's all driven off metadata. Metadata consists of, essentially the tables or objects in e- Business Suite. If you do a comparison, a three-way match, basically what you're doing is looking at a three- way match object in your 12.1, comparing that with 12.2, if you're tracking it, you're basically in 12.2 saying who changed it last, what was the previous value, last value, new value. It was a very handy tool for doing upgrades and tracking changes. If you have that tool, one of the things you're going to have to do is take a look at the metadata. Depending on which modules you've enabled, for example, these are three different applications that I can licence here 12.1, 12.0.3 and 12.11.5. You will notice that you don't have 12.2. That's not going to be supported because it's under sustained support. If you want to use 12.2, you will have to build your own metadata, or take the chance that 2.1 objects hopefully are the same as 2.2. so maybe in certain areas, you can get away with it but for the majority of the areas where CCG works, you'll have to build your own objects from scratch, which can be fairly time consuming.

SafePaaS has helped clients do this because Oracle, even in the last 12.1 support has really limited the objects to a few key modules. For example, inventory, fixed assets, and HR are common ones that are not available to 12.1 customers and as you move to 12.2 you’re on your own. We recommend you log an SR, log a ticket, confirm that with Oracle, (SafePaaS doesn't speak for Oracle but that's what we're seeing in the market, that there are no objects certified with 12.2 yet.) This module, which you relied on, your auditor relied on, would have to be updated or upgraded with building new objects and building what we call custom schemas. For the 12.2 objects, if they've changed, or if you want to continue to monitor them, you have to use what's called a meta builder and build those objects. That's the checklist item for CCG.

PCG Update Update Form Personalization and Workflow

PCG, is a set of rules. It improves the personalization capabilities. When you install PCG if you have it installed, and you have the right responsibility, which is called GRC control, you'll be able to go in and you'll see this extra menu pop up on your screen. Then you'll be able to see all these items prevent, update, prevent, insert, hide a field. These are called form rules. There are four types of rules. Form rules is the popular one. It has always just worked on the legacy forms, it does not work on HTML forms, or the newer JSP pages which is a challenge Fortunately, it's not a new challenge for SafePaaS. When we migrated clients from 11i to 12, we faced the same challenge because as you might know, many of the procurement forms like supplier payments, all that had moved from legacy forms to JSP, or HTML pages. The way we did that for clients back in those days was to help them leverage the personalization that's introduced in 12.1. and help them do that. SafePaaS can help you assess that, or you can take on the journey yourself with internal resources. This is the capability that you will lose when the form becomes an HTML page. To do workflows, if you lose that form, you clearly can't do what's called a form event, which means that you have to build the workflow using the birth workflow developer. If you have those resources in house, you can leverage that - that's always an option. It is time consuming, just like CCG metadata is time consuming. But as part of your upgrade checklist, you may want to include those key workflows, for example, if you're using workflows for financial close - that's one of the most common uses for preventive controls governor is to be able to do special approvals or multi-level approvals, because the journal approval is not sufficient for your business so you've customised it, or using PCG. You could now leverage the capability here, if you can't do that in in PCG. SafePaaS is helping clients migrate their old workflows and 12.2.9 to modern workflows.

TCG Update Models and Objects

The last piece is the transaction controls governor. Just like configuration controls governor this is based on objects. The way this works is, you have a business risk, for example, in your procure to pay cycle, you have unauthorised purchases, overpayments or duplicate payments, those types of risks. The way you address that risk is by setting up some control objectives such as accurate supplier information validation, and then you monitor those against those control objectives. If those monitors fail, ie. somebody does split POs, or purchases of unauthorized items, etc, you get incidents. That's essentially what  transaction controls does. The way it monitors these controls is by having access to the database objects. In 12.2 many of them have changed. It's not that the whole object has changed, supplier is still a supplier, but it has more attributes. If the attributes are different than what the metadata is looking for, it'll fail. That's the part that you need to focus on. Oracle hasn’t completely changed the underlying object name it is the attributes that are changed to incorporate additional functionality.

This is an example of how it works. It traverses through business risk - goes to incidents and as reported back and highlighted to the business.

From a functional standpoint, in TCG there's the data source which will move from 12.1 to 12.2. It uses ODI so you may want to make sure that your ODI layer is at the correct level as well so you don't lose the ETL capability (ETL is extract translate load) the Oracle product that's behind the scenes which extracts the data from e- Business Suite. It's built on objects. These are the objects that it is built on, for example accounting calendar, accounting events, applications, asset books, asset calendar etc... so all of these objects essentially are then applied, drawn in from left to right. This is where you get the get the view of the model logic where you can then apply it to an attribute some kind of model logic. For example, an invoice over 10,000 that is greater than 10,000 has a currency US - it will filter out all those invoices that are over 10,000 and provide us the data for a simple rule just to demonstrate the point that it's all object driven. These objects may have to be updated in the underlying table. You can see in this example,  378 objects. Oracle has provided quite a few objects across key modules, financial modules specifically, that would have to be updated. As for CCG that used tool called meta data, or data builder for metadata, for TCG Oracle used a third-party tool to build these objects, which we have helped our clients use to help build additional objects which requires some Java knowledge to be able to build them.


Recommended Resources

Replace Oracle GRC

Upgrade on-premise Oracle GRC to SafePaaS

Learn how many Oracle customers are replacing Oracle GRC with SafePaaS. Oracle E-Business Suite customer successfully upgrades Segregation of Duties Controls from on-premise GRC to SafePaaS Cloud.

SafePaaS Blog Box

Segregation of Duties Insight for Oracle

The SafePaaS SoD Insight is designed to quickly and reliably help customers identify segregation of duties risk in their Oracle E-Business Suite  and ERP Cloud environments. This automated healthcheck makes it easy to isolate and analyse these risks so that clients can build a remediation plan to address areas of concern. 

Oracle Access Management

Secure ERP Access 

Business Application Access is becoming more of a concern due to the increased risk from providing ERP users capabilities or functionality that may be in conflict with the organizations’ access policies. With this in mind, this comprehensive ebook outlining some of the major considerations in establishing and managing user application access.